Correct link to Roberto's repository

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.common

@@ -411,7 +411,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
     done
 
-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
+    modules=$(find_file helpers)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
 	[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)

Shorewall-lite/install.sh

@@ -426,6 +426,11 @@ echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shor
 if [ -f modules ]; then
     install_file modules ${DESTDIR}${SHAREDIR}/$PRODUCT/modules 0600
     echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
+
+    for f in modules.*; do
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+    done
 fi
 
 if [ -f helpers ]; then
@@ -433,11 +438,6 @@ if [ -f helpers ]; then
     echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi
 
-for f in modules.*; do
-    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-done
-
 #
 # Install the Man Pages
 #

Shorewall/Perl/Shorewall/Accounting.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -201,6 +201,13 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
     my $prerule = '';
     my $rule2 = 0;
     my $jump  = 0;
+    my $raw_matches = get_inline_matches(1);
+
+    if ( $raw_matches =~ s/^\s*+// ) {
+	$prerule = $raw_matches;
+    } else {
+	$rule .= $raw_matches;
+    }
 
     unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
@@ -242,9 +249,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 		    $rule .= do_nfacct( $_ );
 		}
 	    }
-	} elsif ( $action eq 'INLINE' ) {
-	    $rule .= get_inline_matches(1);
-	} else {
+	} elsif ( $action ne 'INLINE' ) {
 	    ( $action, my $cmd ) = split /:/, $action;
 
 	    if ( $cmd ) {

Shorewall/Perl/Shorewall/Chains.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #

Shorewall/Perl/Shorewall/Compiler.pm

@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -47,13 +47,13 @@ our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
 our $VERSION = 'MODULEVERSION';
 
-our $export;
+our $export;          # True when compiling for export
 
-our $test;
+our $test;            # True when running regression tests
 
-our $family;
+our $family;          # IP address family (4 or 6)
 
-our $have_arptables;
+our $have_arptables;  # True if we have arptables rules
 
 #
 # Initilize the package-globals in the other modules
@@ -384,7 +384,7 @@ sub generate_script_3() {
     save_progress_message 'Initializing...';
 
     if ( $export || $config{EXPORTMODULES} ) {
-	my $fn = find_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' );
+	my $fn = find_file( 'helpers' );
 
 	if ( -f $fn && ( $config{EXPORTMODULES} || ( $export && ! $fn =~ "^$globals{SHAREDIR}/" ) ) ) {
 	    emit 'echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir';

Shorewall/Perl/Shorewall/Config.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -396,7 +396,7 @@ our %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT', BLACKLIST_LOGLEVEL => 'BLACKLIST
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOAD_HELPERS_ONLY LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR LOCKFILE SUBSYSLOCK LOG_VERBOSITY RESTART/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -684,6 +684,7 @@ our $shorewall_dir;          # Shorewall Directory; if non-empty, search here fi
 
 our $debug;                  # Global debugging flag
 our $confess;                # If true, use Carp to report errors with stack trace.
+our $update;                 # True if this is an update
 
 our $family;                 # Protocol family (4 or 6)
 our $export;                 # True when compiling for export
@@ -731,18 +732,19 @@ our %converted = (
 #
 # Eliminated options
 #
-our %eliminated = ( LOGRATE          => 1,
-		    LOGBURST         => 1,
-		    EXPORTPARAMS     => 1,
-		    LEGACY_FASTSTART => 1,
-		    IPSECFILE        => 1,
-		    WIDE_TC_MARKS    => 1,
-		    HIGH_ROUTE_MARKS => 1,
-		    BLACKLISTNEWONLY => 1,
-		    CHAIN_SCRIPTS    => 1,
-                    MODULE_SUFFIX    => 1,
-                    MAPOLDACTIONS    => 1,
-		    INLINE_MATCHES   => 1,
+our %eliminated = ( LOGRATE	      => 1,
+		    LOGBURST	      => 1,
+		    EXPORTPARAMS      => 1,
+		    LEGACY_FASTSTART  => 1,
+		    IPSECFILE	      => 1,
+		    WIDE_TC_MARKS     => 1,
+		    HIGH_ROUTE_MARKS  => 1,
+		    BLACKLISTNEWONLY  => 1,
+		    CHAIN_SCRIPTS     => 1,
+		    MODULE_SUFFIX     => 1,
+		    MAPOLDACTIONS     => 1,
+		    INLINE_MATCHES    => 1,
+		    LOAD_HELPERS_ONLY => 1,
 		  );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
@@ -980,7 +982,6 @@ sub initialize( $;$$$) {
 	  OPTIMIZE_ACCOUNTING => undef,
 	  ACCOUNTING_TABLE => undef,
 	  DYNAMIC_BLACKLIST => undef,
-	  LOAD_HELPERS_ONLY => undef,
 	  REQUIRE_INTERFACE => undef,
 	  FORWARD_CLEAR_MARK => undef,
 	  COMPLETE => undef,
@@ -1191,6 +1192,7 @@ sub initialize( $;$$$) {
 
     $debug = 0;
     $confess = 0;
+    $update = 0;
 
     %params = ();
 
@@ -4021,9 +4023,9 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
-	    # Save Raw Image
+	    # Save Raw Image if we are updating
 	    #
-	    $rawcurrentline = $currentline;
+	    $rawcurrentline = $currentline if $update;
 	    #
 	    # Expand Shell Variables using %params and %actparams
 	    #
@@ -4451,7 +4453,7 @@ sub load_kernel_modules( ) {
 	push @moduledirectories, $_ if -d $_;
     }
 
-    if ( $moduleloader &&  @moduledirectories && open_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' ) ) {
+    if ( $moduleloader &&  @moduledirectories && open_file( 'helpers' ) ) {
 	my %loadedmodules;
 
 	$loadedmodules{$_}++ for split_list( $config{DONT_LOAD}, 'module' );
@@ -5250,111 +5252,6 @@ sub determine_capabilities() {
 	    qt1( "$iptables $iptablesw -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");;
 
     $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE} = detect_capability 'KLUDGEFREE';
-
-    unless ( $config{ LOAD_HELPERS_ONLY } ) {
-	#
-	# Using 'detect_capability()' is a bit less efficient than calling the individual detection
-	# functions but it ensures that %detect_capability is initialized properly.
-	#
-	$capabilities{NAT_ENABLED}     = detect_capability( 'NAT_ENABLED' );
-	$capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' );
-	$capabilities{NAT_INPUT_CHAIN} = detect_capability( 'NAT_INPUT_CHAIN' );
-	$capabilities{MANGLE_ENABLED}  = detect_capability( 'MANGLE_ENABLED' );
-
-	if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) {
-	    $capabilities{NEW_CONNTRACK_MATCH} = detect_capability( 'NEW_CONNTRACK_MATCH' );
-	    $capabilities{OLD_CONNTRACK_MATCH} = detect_capability( 'OLD_CONNTRACK_MATCH' );
-	} else {
-	    $capabilities{NEW_CONNTRACK_MATCH} = '';
-	    $capabilities{OLD_CONNTRACK_MATCH} = '';
-	}
-
-	$capabilities{ MULTIPORT } = detect_capability( 'MULTIPORT' );
-	$capabilities{XMULTIPORT}   = detect_capability( 'XMULTIPORT' );
-	$capabilities{EMULTIPORT}   = detect_capability( 'EMULTIPORT' );
-	$capabilities{POLICY_MATCH} = detect_capability( 'POLICY_MATCH' );
-
-	if ( $capabilities{PHYSDEV_MATCH} = detect_capability( 'PHYSDEV_MATCH' ) ) {
-	    $capabilities{PHYSDEV_BRIDGE} = detect_capability( 'PHYSDEV_BRIDGE' );
-	} else {
-	    $capabilities{PHYSDEV_BRIDGE} = '';
-	}
-
-	$capabilities{IPRANGE_MATCH}   = detect_capability( 'IPRANGE_MATCH' );
-	$capabilities{RECENT_MATCH}    = detect_capability( 'RECENT_MATCH' );
-	$capabilities{REAP_OPTION}     = detect_capability( 'REAP_OPTION' );
-	$capabilities{OWNER_MATCH}     = detect_capability( 'OWNER_MATCH' );
-	$capabilities{OWNER_NAME_MATCH}
-                                       = detect_capability( 'OWNER_NAME_MATCH' );
-	$capabilities{CONNMARK_MATCH}  = detect_capability( 'CONNMARK_MATCH' );
-	$capabilities{XCONNMARK_MATCH} = detect_capability( 'XCONNMARK_MATCH' );
-	$capabilities{IPP2P_MATCH}     = detect_capability( 'IPP2P_MATCH' );
-	$capabilities{OLD_IPP2P_MATCH} = detect_capability( 'OLD_IPP2P_MATCH' );
-	$capabilities{LENGTH_MATCH}    = detect_capability( 'LENGTH_MATCH' );
-	$capabilities{ENHANCED_REJECT} = detect_capability( 'ENHANCED_REJECT' );
-	$capabilities{COMMENTS}        = detect_capability( 'COMMENTS' );
-	$capabilities{OLD_HL_MATCH}    = detect_capability( 'OLD_HL_MATCH' );
-	$capabilities{HASHLIMIT_MATCH} = detect_capability( 'HASHLIMIT_MATCH' );
-	$capabilities{MARK}            = detect_capability( 'MARK' );
-	$capabilities{XMARK}           = detect_capability( 'XMARK' );
-	$capabilities{EXMARK}          = detect_capability( 'EXMARK' );
-	$capabilities{CONNMARK}        = detect_capability( 'CONNMARK' );
-	$capabilities{XCONNMARK}       = detect_capability( 'XCONNMARK' );
-	$capabilities{CLASSIFY_TARGET} = detect_capability( 'CLASSIFY_TARGET' );
-	$capabilities{IPMARK_TARGET}   = detect_capability( 'IPMARK_TARGET' );
-	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
-	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
-	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
-	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
-	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
-	$capabilities{TCPMSS_MATCH}    = detect_capability( 'TCPMSS_MATCH' );
-	$capabilities{NFQUEUE_TARGET}  = detect_capability( 'NFQUEUE_TARGET' );
-	$capabilities{REALM_MATCH}     = detect_capability( 'REALM_MATCH' );
-	$capabilities{CONNLIMIT_MATCH} = detect_capability( 'CONNLIMIT_MATCH' );
-	$capabilities{TIME_MATCH}      = detect_capability( 'TIME_MATCH' );
-	$capabilities{GOTO_TARGET}     = detect_capability( 'GOTO_TARGET' );
-	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
-	$capabilities{ULOG_TARGET}     = detect_capability( 'ULOG_TARGET' );
-	$capabilities{NFLOG_TARGET}    = detect_capability( 'NFLOG_TARGET' );
-	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
-	$capabilities{FLOW_FILTER}     = detect_capability( 'FLOW_FILTER' );
-	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
-	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
-	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
-	$capabilities{HEADER_MATCH}    = detect_capability( 'HEADER_MATCH' );
-	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
-	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
-	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
-	$capabilities{IPTABLES_S}      = detect_capability( 'IPTABLES_S' );
-	$capabilities{BASIC_FILTER}    = detect_capability( 'BASIC_FILTER' );
-	$capabilities{BASIC_EMATCH}    = detect_capability( 'BASIC_EMATCH' );
-	$capabilities{CT_TARGET}       = detect_capability( 'CT_TARGET' );
-	$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
-	$capabilities{IMQ_TARGET}      = detect_capability( 'IMQ_TARGET' );
-	$capabilities{DSCP_MATCH}      = detect_capability( 'DSCP_MATCH' );
-	$capabilities{DSCP_TARGET}     = detect_capability( 'DSCP_TARGET' );
-	$capabilities{GEOIP_MATCH}     = detect_capability( 'GEOIP_MATCH' );
-	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
-	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
-	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
-	$capabilities{ARPTABLESJF}     = detect_capability( 'ARPTABLESJF' );
-	$capabilities{MASQUERADE_TGT}  = detect_capability( 'MASQUERADE_TGT' );
-	$capabilities{UDPLITEREDIRECT} = detect_capability( 'UDPLITEREDIRECT' );
-	$capabilities{NEW_TOS_MATCH}   = detect_capability( 'NEW_TOS_MATCH' );
-	$capabilities{TARPIT_TARGET}   = detect_capability( 'TARPIT_TARGET' );
-	$capabilities{IFACE_MATCH}     = detect_capability( 'IFACE_MATCH' );
-	$capabilities{TCPMSS_TARGET}   = detect_capability( 'TCPMSS_TARGET' );
-	$capabilities{CPU_FANOUT}      = detect_capability( 'CPU_FANOUT' );
-	$capabilities{NETMAP_TARGET}   = detect_capability( 'NETMAP_TARGET' );
-	$capabilities{NFLOG_SIZE}      = detect_capability( 'NFLOG_SIZE' );
-	$capabilities{RESTORE_WAIT_OPTION}
-				       = detect_capability( 'RESTORE_WAIT_OPTION' );
-
-	unless ( have_capability 'CT_TARGET' ) {
-	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
-	}
-
-    }
 }
 
 #
@@ -5696,8 +5593,8 @@ EOF
 #
 # Small functions called by get_configuration. We separate them so profiling is more useful
 #
-sub process_shorewall_conf( $$ ) {
-    my ( $update, $annotate ) = @_;
+sub process_shorewall_conf( $ ) {
+    my ( $annotate ) = @_;
     my $file   = find_file "$product.conf";
     my @vars;
 
@@ -6278,7 +6175,7 @@ sub convert_to_version_5_2() {
 #
 sub get_configuration( $$$ ) {
 
-    my ( $export, $update, $annotate ) = @_;
+    ( my $export, $update, my $annotate ) = @_;
 
     $globals{EXPORT} = $export;
 
@@ -6340,7 +6237,7 @@ sub get_configuration( $$$ ) {
 
     get_params( $export );
 
-    process_shorewall_conf( $update, $annotate );
+    process_shorewall_conf( $annotate );
 
     ensure_config_path;
 
@@ -6348,11 +6245,6 @@ sub get_configuration( $$$ ) {
 
     unshift @INC, @config_path;
 
-    #
-    # get_capabilities requires that the true settings of these options be established
-    #
-    default_yes_no 'LOAD_HELPERS_ONLY'          , 'Yes';
-
     if ( ! $export && $> == 0 ) {
 	get_capabilities($have_capabilities);
     }
@@ -6405,8 +6297,6 @@ sub get_configuration( $$$ ) {
 	$capabilities{$_}    = 0 for grep /_HELPER/ , keys %capabilities;
     }
 
-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
-
     #
     # Now initialize the used capabilities hash
     #
@@ -7144,8 +7034,6 @@ sub get_configuration( $$$ ) {
     }
 
     convert_to_version_5_2 if $update;
-
-    cleanup_iptables if $sillyname && ! $config{LOAD_HELPERS_ONLY};
 }
 
 #

Shorewall/Perl/Shorewall/Nat.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -90,7 +90,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
     #
     # Handle early matches
     #
-    if ( $inlinematches =~ s/s*\+// ) {
+    if ( $inlinematches =~ s/^s*\+// ) {
 	$prerule = $inlinematches;
 	$inlinematches = '';
     }

Shorewall/Perl/Shorewall/Providers.pm

@@ -170,7 +170,6 @@ sub setup_route_marking() {
     #
     # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
     #
-
     if ( $config{ZERO_MARKS} ) {
 	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
     }
@@ -715,7 +714,6 @@ sub process_a_provider( $ ) {
     $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
 
     if ( $mark ne '-' ) {
-
 	require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
 
 	if ( $tproxy && ! $local ) {

Shorewall/Perl/Shorewall/Raw.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -70,6 +70,13 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     my $zone;
     my $restriction = PREROUTE_RESTRICT;
+    my $raw_matches = get_inline_matches(0);
+    my $prerule = '';
+
+    if ( $raw_matches =~ /^s*+/ ) {
+	$prerule = $raw_matches;
+	$raw_matches = '';
+    }
 
     if ( $chainref ) {
 	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
@@ -206,10 +213,11 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     expand_rule( $chainref ,
 		 $restriction ,
-		 '',
+		 $prerule,
 		 do_proto( $proto, $ports, $sports ) . 
 		 do_user ( $user ) . 
-		 do_condition( $switch , $chainref->{name} ),
+		 do_condition( $switch , $chainref->{name} ) .
+		 $raw_matches ,
 		 $source ,
 		 $dest ,
 		 '' ,
@@ -316,7 +324,7 @@ sub setup_conntrack($) {
 				     { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } );
 		    $action = 'NOTRACK';
 		} else {
-		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
+		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line2( 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, undef, undef, 1 );
 		}
 
 		$empty = 0;

Shorewall/Perl/Shorewall/Rules.pm

@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -292,6 +292,8 @@ our $mangle;
 
 our $sticky;
 
+our $excludefw;
+
 our $divertref; # DIVERT chain
 
 our %validstates = ( NEW                => 0,
@@ -365,6 +367,10 @@ sub initialize( $ ) {
     #
     %actions           = ();
     #
+    # Count of 'all[+]=' encountered
+    #
+    $excludefw         = 0;
+    #
     # Action variants actually used. Key is <action>:<loglevel>:<tag>:<caller>:<params>; value is corresponding chain name
     #
     %usedactions       = ();
@@ -672,14 +678,42 @@ sub process_a_policy1($$$$$$$) {
 
     my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit, $intrazone ) = @_;
 
-    my $clientwild = ( "\L$client" =~ /^all(\+)?$/ );
+    my $clientwild = ( "\L$client" =~ /^all(\+)?(?:!(.+))?$/ );
+    my $clientexclude;
+    my %clientexcluded;
 
-    $intrazone  ||= $clientwild && $1;
+    if ( $clientwild ) {
+	$intrazone ||= $1;
+
+	if ( $clientexclude = $2 ) {
+	    for my $client ( split_list( $clientexclude, 'zone' ) ) {
+		fatal_error "Undefined zone ($client)" unless defined_zone( $client );
+		$clientexcluded{$client} = 1;
+	    }
+
+	    $client = 'all';
+	}
+    }
 
     fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
 
-    my $serverwild = ( "\L$server" =~ /^all(\+)?/ );
-    $intrazone   ||= ( $serverwild && $1 );
+    my $serverwild = ( "\L$server" =~ /^all(\+)?(?:!(.+))?/ );
+    my $serverexclude;
+    my %serverexcluded;
+
+
+    if ( $serverwild ) {
+	$intrazone ||= $1;
+
+	if ( $serverexclude = $2 ) {
+	    for my $server ( split_list( $serverexclude, 'zone' ) ) {
+		fatal_error "Undefined zone ($server)" unless defined_zone( $server );
+		$serverexcluded{$server} = 1;
+	    }
+
+	    $server = 'all';
+	}
+    }
 
     fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
 
@@ -762,20 +796,20 @@ sub process_a_policy1($$$$$$$) {
 
     if ( $clientwild ) {
 	if ( $serverwild ) {
-	    for my $zone ( @zonelist ) {
-		for my $zone1 ( @zonelist ) {
+	    for my $zone ( grep( ! $clientexcluded{$_}, @zonelist ) ) {
+		for my $zone1 ( grep( ! $serverexcluded{zone}, @zonelist ) ) {
 		    set_policy_chain $zone, $zone1, $chainref, $policy, $intrazone;
 		    print_policy $zone, $zone1, $originalpolicy, $chain;
 		}
 	    }
 	} else {
-	    for my $zone ( all_zones ) {
+	    for my $zone ( grep( ! $clientexcluded{$_}, all_zones ) ) {
 		set_policy_chain $zone, $server, $chainref, $policy, $intrazone;
 		print_policy $zone, $server, $originalpolicy, $chain;
 	    }
 	}
     } elsif ( $serverwild ) {
-	for my $zone ( @zonelist ) {
+	for my $zone ( grep( ! $serverexcluded{$_}, @zonelist ) ) {
 	    set_policy_chain $client, $zone, $chainref, $policy, $intrazone;
 	    print_policy $client, $zone, $originalpolicy, $chain;
 	}
@@ -816,7 +850,9 @@ sub process_a_policy() {
 
     if ( $clientlist || $serverlist ) {
 	for my $client ( split_list( $clients, 'zone' ) ) {
+	    fatal_error "'all' is not allowed in a source zone list" if $clientlist && $client =~ /^all\b/;
 	    for my $server ( split_list( $servers, 'zone' ) ) {
+		fatal_error "'all' is not allowed in a destination zone list" if $serverlist && $server =~ /^all\b/;
 		process_a_policy1( $client, $server, $policy, $loglevel, $synparams, $connlimit, $intrazone ) if $intrazone || $client ne $server;
 	    }
 	}
@@ -2609,7 +2645,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     # Handle early matches
     #
-    if ( $raw_matches =~ s/s*\+// ) {
+    if ( $raw_matches =~ s/^s*\+// ) {
 	$prerule = $raw_matches;
 	$raw_matches = '';
     }
@@ -3659,6 +3695,7 @@ sub next_section() {
 #
 sub build_zone_list( $$$\$\$ ) {
     my ($fw, $input, $which, $intrazoneref, $wildref ) = @_;
+    my $original_input = $input;
     my $any = ( $input =~ s/^any/all/ );
     my $exclude;
     my $rest;
@@ -3687,9 +3724,25 @@ sub build_zone_list( $$$\$\$ ) {
 	    if ( $input eq 'all+' ) {
 		$$intrazoneref = 1;
 	    } elsif ( ( $input eq 'all+-' ) || ( $input eq 'all-+' ) ) {
+		unless ( $excludefw++ ) {
+		    if ( $any ) {
+			warning_message "$original_input is deprecated in favor of 'any+!\$FW'";
+		    } else {
+			warning_message "$original_input is deprecated in favor of 'all+!\$FW'";
+		    }
+		}
+
 		$$intrazoneref = 1;
 		$exclude{$fw} = 1;
 	    } elsif ( $input eq 'all-' ) {
+		unless ( $excludefw++ ) {
+		    if ( $any ) {
+			warning_message "any- is deprecated in favor of 'any!\$FW'";
+		    } else {
+			warning_message "all- is deprecated in favor of 'all!\$FW'" unless $excludefw++;
+		    }
+		}
+
 		$exclude{$fw} = 1;
 	    } else {
 		fatal_error "Invalid $which ($input)";
@@ -4889,7 +4942,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
     #
     # Handle early matches
     #
-    if ( $raw_matches =~ s/s*\+// ) {
+    if ( $raw_matches =~ s/^s*\+// ) {
 	$prerule = $raw_matches;
 	$raw_matches = '';
     }

Shorewall/Perl/Shorewall/Zones.pm

@@ -304,7 +304,7 @@ our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60, accept_ra => 1 ,
 #
 # Maximum value for options that accept a range of values
 #
-our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN | NO_SFILTER, accept_ra => 2 );
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 300 , ignore => NO_UPDOWN | NO_SFILTER, accept_ra => 2 );
 
 our %validhostoptions;
 

Shorewall/Perl/compiler.pl

@@ -34,6 +34,8 @@
 #         --debug                     # Print stack trace on warnings and fatal error.
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
+#         --test                      # Used by the regression library to omit versions and time/dates
+#                                     # from the generated script
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
 #         --shorewallrc=<path>        # Path to global shorewallrc file.

Shorewall/Perl/lib.runtime

@@ -1,4 +1,4 @@
-#   (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#   (c) 1999-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #	This program is part of Shorewall.
 #
@@ -874,7 +874,6 @@ detect_dynamic_gateway() { # $1 = interface
     GATEWAYS=
     local gateway
     local file
-    local nmcli
 
     gateway=$(run_findgw_exit $1);
 

Shorewall/Samples/Universal/shorewall.conf

@@ -191,8 +191,6 @@ IP_FORWARDING=On
 
 KEEP_RT_TABLES=No
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall/Samples/one-interface/shorewall.conf

@@ -202,8 +202,6 @@ IP_FORWARDING=Off
 
 KEEP_RT_TABLES=No
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -199,8 +199,6 @@ IP_FORWARDING=On
 
 KEEP_RT_TABLES=No
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -202,8 +202,6 @@ IP_FORWARDING=On
 
 KEEP_RT_TABLES=No
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall/configfiles/shorewall.conf

@@ -191,8 +191,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=No
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall/helpers

@@ -16,25 +16,6 @@
 
 # Helpers
 #
-loadmodule ip_conntrack_amanda
-loadmodule ip_conntrack_ftp
-loadmodule ip_conntrack_h323
-loadmodule ip_conntrack_irc
-loadmodule ip_conntrack_netbios_ns
-loadmodule ip_conntrack_pptp
-loadmodule ip_conntrack_sip
-loadmodule ip_conntrack_tftp
-loadmodule ip_nat_amanda
-loadmodule ip_nat_ftp
-loadmodule ip_nat_h323
-loadmodule ip_nat_irc
-loadmodule ip_nat_pptp
-loadmodule ip_nat_sip
-loadmodule ip_nat_snmp_basic
-loadmodule ip_nat_tftp
-#
-# 2.6.20+ helpers
-#
 loadmodule nf_conntrack_ftp
 loadmodule nf_conntrack_h323
 loadmodule nf_conntrack_irc

Shorewall/install.sh

@@ -466,17 +466,6 @@ if [ -z "$first_install" ]; then
     fi
 fi
 
-#
-# Install the Modules file
-#
-run_install $OWNERSHIP -m 0644 modules ${DESTDIR}${SHAREDIR}/${PRODUCT}/modules
-echo "Modules file installed as ${DESTDIR}${SHAREDIR}/${PRODUCT}/modules"
-
-for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}${SHAREDIR}/${PRODUCT}/$f
-    echo "Modules file $f installed as ${DESTDIR}${SHAREDIR}/${PRODUCT}/$f"
-done
-
 #
 # Install the Module Helpers file
 #
@@ -1252,6 +1241,14 @@ if [ $PRODUCT = shorewall ]; then
     rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/macro.SMTPTraps
 fi
 
+#
+# Remove unneeded modules files
+#
+
+if [ -n "$first_install" ]; then
+    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/modules*
+fi
+
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
     if [ -n "$SERVICEDIR" ]; then
 	if systemctl enable ${PRODUCT}.service; then

Shorewall/lib.cli-std

@@ -300,19 +300,6 @@ get_config() {
 	    ;;
     esac
 
-    case $LOAD_HELPERS_ONLY in
-	Yes|yes)
-	    ;;
-	No|no)
-	    LOAD_HELPERS_ONLY=
-	    ;;
-	*)
-	    if [ -n "$LOAD_HELPERS_ONLY" ]; then
-		fatal_error "Invalid LOAD_HELPERS_ONLY setting ($LOAD_HELPERS_ONLY)"
-	    fi
-	    ;;
-    esac
-
     if [ -n "$WORKAROUNDS" ]; then
 	case $WORKAROUNDS in
 	    [Yy]es)

Shorewall/manpages/shorewall-modules.xml

@@ -38,6 +38,12 @@
     <filename>helpers</filename> file is used when
     LOAD_HELPERS_ONLY=Yes</para>
 
+    <important>
+      <para>Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY option has
+      been removed and the behavior is the same as if LOAD_HELPERS_ONLY=Yes
+      was specified.</para>
+    </important>
+
     <para>Each record in the files has the following format:</para>
 
     <cmdsynopsis>

Shorewall/manpages/shorewall-policy.xml

@@ -68,32 +68,35 @@
         <term><emphasis role="bold">SOURCE</emphasis> -
         <emphasis>zone</emphasis>[,...[+]]|<emphasis
         role="bold">$FW</emphasis>|<emphasis
-        role="bold">all</emphasis>|<emphasis
-        role="bold">all+</emphasis></term>
+        role="bold">all[+][!<replaceable>ezone</replaceable>[,...]]</emphasis></term>
 
         <listitem>
           <para>Source zone. Must be the name of a zone defined in <ulink
           url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
           $FW, "all" or "all+".</para>
 
-          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
-          not override the implicit intra-zone ACCEPT policy while "all+"
-          does.</para>
+          <para>Support for <emphasis role="bold">all+</emphasis> was added in
+          Shorewall 4.5.17. <emphasis role="bold">all</emphasis> does not
+          override the implicit intra-zone ACCEPT policy while <emphasis
+          role="bold">all+</emphasis> does.</para>
 
           <para>Beginning with Shorewall 5.0.12, multiple zones may be listed
           separated by commas. As above, if '+' is specified after two or more
           zone names, then the policy overrides the implicit intra-zone ACCEPT
           policy if the same <replaceable>zone</replaceable> appears in both
           the SOURCE and DEST columns.</para>
+
+          <para>Beginning with Shorewall 5.2.3, a comma-separated list of
+          excluded zones preceded by "!" may follow <emphasis
+          role="bold">all</emphasis> or <emphasis
+          role="bold">all+.</emphasis></para>
         </listitem>
       </varlistentry>
 
       <varlistentry>
         <term><emphasis role="bold">DEST</emphasis> -
         <emphasis>zone</emphasis>[,...[+]]|<emphasis
-        role="bold">$FW</emphasis>|<emphasis
-        role="bold">all</emphasis>|<emphasis
-        role="bold">all+</emphasis></term>
+        role="bold">$FW</emphasis>|all[+][!<replaceable>ezone</replaceable>[,...]]</term>
 
         <listitem>
           <para>Destination zone. Must be the name of a zone defined in <ulink
@@ -112,6 +115,11 @@
           zone names, then the policy overrides the implicit intra-zone ACCEPT
           policy if the same <replaceable>zone</replaceable> appears in both
           the SOURCE and DEST columns.</para>
+
+          <para>Beginning with Shorewall 5.2.3, a comma-separated list of
+          excluded zones preceded by "!" may follow <emphasis
+          role="bold">all</emphasis> or <emphasis
+          role="bold">all+</emphasis>.</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-providers.xml

@@ -450,7 +450,7 @@
                 </note>
 
                 <important>
-                  <para>RESTORE_DEFAULT_OPTION=Yes in shorewall[6].conf is not
+                  <para>RESTORE_DEFAULT_ROUTE=Yes in shorewall[6].conf is not
                   recommended when the <option>persistent</option> option is
                   used, as restoring default routes to the main routing table
                   can prevent link status monitors such as foolsm from

Shorewall/manpages/shorewall-rules.xml

@@ -993,19 +993,18 @@
 
                 <variablelist>
                   <varlistentry>
-                    <term>all[+][-]</term>
+                    <term>all[+]</term>
 
                     <listitem>
                       <para><emphasis role="bold">all</emphasis>, without the
-                      "-" means "All Zones, including the firewall zone". If
-                      the "-" is included, the firewall zone is omitted.
+                      "-" means "All Zones, including the firewall zone".
                       Normally all omits intra-zone traffic, but intra-zone
                       traffic can be included specifying "+".</para>
                     </listitem>
                   </varlistentry>
 
                   <varlistentry>
-                    <term>any[+][-]</term>
+                    <term>any[+]</term>
 
                     <listitem>
                       <para><emphasis role="bold">any</emphasis> is equivalent
@@ -1259,6 +1258,15 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>all+!$FW</term>
+
+              <listitem>
+                <para>All but the firewall zone and applies to intrazone
+                traffic.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term>net:^CN</term>
 
@@ -1349,19 +1357,18 @@
 
                 <variablelist>
                   <varlistentry>
-                    <term>all[+][-]</term>
+                    <term>all[+]</term>
 
                     <listitem>
                       <para><emphasis role="bold">all</emphasis>, without the
-                      "-" means "All Zones, including the firewall zone". If
-                      the "-" is included, the firewall zone is omitted.
+                      "-" means "All Zones, including the firewall zone".
                       Normally all omits intra-zone traffic, but intra-zone
                       traffic can be included specifying "+".</para>
                     </listitem>
                   </varlistentry>
 
                   <varlistentry>
-                    <term>any[+][-]</term>
+                    <term>any[+]</term>
 
                     <listitem>
                       <para><emphasis role="bold">any</emphasis> is equivalent
@@ -1573,7 +1580,7 @@
           <para>If the DEST <replaceable>zone</replaceable> is a bport zone,
           then either:<orderedlist numeration="loweralpha">
               <listitem>
-                <para>the SOURCE must be <option>all[+][-]</option>, or</para>
+                <para>the SOURCE must be <option>all[+]</option>, or</para>
               </listitem>
 
               <listitem>

Shorewall/manpages/shorewall.conf.xml

@@ -1382,7 +1382,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           of modules loaded by shorewall to those listed in
           <filename>/var/lib/shorewall[6]/helpers</filename> and those that
           are actually used. When not set, or set to the empty value,
-          LOAD_HELPERS_ONLY=No is assumed.</para>
+          LOAD_HELPERS_ONLY=No is assumed in Shorewall versions 5.2.2 and
+          earlier. Beginning with Shorewall 5.2.3, the LOAD_HELPERS_ONLY
+          option is removed, and the behavior is as if LOAD_HELPERS_ONLY=Yes
+          had been specified.</para>
         </listitem>
       </varlistentry>
 

Shorewall/modules

@@ -1,39 +0,0 @@
-#
-# Shorewall version 5 - Modules File
-#
-# /usr/share/shorewall/modules
-#
-#	This file loads the modules that may be needed by the firewall.
-#
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
-#
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
-#
-###############################################################################
-#
-# Essential Modules
-#
-INCLUDE modules.essential
-#
-# Other xtables modules
-#
-INCLUDE modules.xtables
-#
-# Helpers
-#
-INCLUDE helpers
-#
-# Ipset
-#
-INCLUDE modules.ipset
-#
-# Traffic Shaping
-#
-INCLUDE modules.tc
-#
-# Extensions
-#
-INCLUDE modules.extensions

Shorewall/modules.essential

@@ -1,32 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/modules.essential
-#
-# Essential Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-#
-# Essential Modules
-#
-loadmodule nfnetlink
-loadmodule x_tables
-loadmodule ip_tables
-loadmodule iptable_filter
-loadmodule iptable_mangle
-loadmodule ip_conntrack
-loadmodule nf_conntrack
-loadmodule nf_conntrack_ipv4
-loadmodule iptable_nat
-loadmodule nf_nat
-loadmodule nf_nat_ipv4
-loadmodule iptable_raw
-loadmodule xt_state
-loadmodule xt_tcpudp

Shorewall/modules.extensions

@@ -1,59 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/modules.extensions
-#
-# Extensions Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule ipt_addrtype
-loadmodule ipt_ah
-loadmodule ipt_CLASSIFY
-loadmodule ipt_CLUSTERIP
-loadmodule ipt_comment
-loadmodule ipt_connmark
-loadmodule ipt_CONNMARK
-loadmodule ipt_conntrack
-loadmodule ipt_dscp
-loadmodule ipt_DSCP
-loadmodule ipt_ecn
-loadmodule ipt_ECN
-loadmodule ipt_esp
-loadmodule ipt_hashlimit
-loadmodule ipt_helper
-loadmodule ipt_ipp2p
-loadmodule ipt_iprange
-loadmodule ipt_length
-loadmodule ipt_limit
-loadmodule ipt_mac
-loadmodule ipt_mark
-loadmodule ipt_MARK
-loadmodule ipt_MASQUERADE
-loadmodule ipt_multiport
-loadmodule ipt_NETMAP
-loadmodule ipt_NOTRACK
-loadmodule ipt_owner
-loadmodule ipt_physdev
-loadmodule ipt_pkttype
-loadmodule ipt_policy
-loadmodule ipt_realm
-loadmodule ipt_recent
-loadmodule ipt_REDIRECT
-loadmodule ipt_REJECT
-loadmodule ipt_SAME
-loadmodule ipt_sctp
-loadmodule ipt_set
-loadmodule ipt_state
-loadmodule ipt_tcpmss
-loadmodule ipt_TCPMSS
-loadmodule ipt_tos
-loadmodule ipt_TOS
-loadmodule ipt_ttl
-loadmodule ipt_TTL

Shorewall/modules.ipset

@@ -1,27 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/modules.ipset
-#
-# IP Set Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule xt_set
-loadmodule ip_set
-loadmodule ip_set_iphash
-loadmodule ip_set_ipmap
-loadmodule ip_set_ipporthash
-loadmodule ip_set_iptree
-loadmodule ip_set_iptreemap
-loadmodule ip_set_macipmap
-loadmodule ip_set_nethash
-loadmodule ip_set_portmap
-loadmodule ipt_SET
-loadmodule ipt_set

Shorewall/modules.tc

@@ -1,27 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/modules.tc
-#
-# Traffic Shaping Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule sch_sfq
-loadmodule sch_ingress
-loadmodule sch_hfsc
-loadmodule sch_htb
-loadmodule sch_prio
-loadmodule sch_tbf
-loadmodule sch_fq_codel
-loadmodule cls_u32
-loadmodule cls_fw
-loadmodule cls_flow
-loadmodule cls_basic
-loadmodule act_police

Shorewall/modules.xtables

@@ -1,53 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/modules.xtables
-#
-# Xtables Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule xt_AUDIT
-loadmodule xt_CLASSIFY
-loadmodule xt_connmark
-loadmodule xt_CONNMARK
-loadmodule xt_conntrack
-loadmodule xt_dccp
-loadmodule xt_dscp
-loadmodule xt_DSCP
-loadmodule xt_hashlimit
-loadmodule xt_helper
-loadmodule xt_ipp2p
-loadmodule xt_iprange
-loadmodule xt_length
-loadmodule xt_limit
-loadmodule xt_mac
-loadmodule xt_mark
-loadmodule xt_MARK
-loadmodule xt_multiport
-loadmodule xt_nat
-loadmodule xt_NFQUEUE
-loadmodule xt_owner
-loadmodule xt_physdev
-loadmodule xt_pkttype
-loadmodule xt_policy
-loadmodule xt_sctp
-loadmodule xt_tcpmss
-loadmodule xt_TCPMSS
-loadmodule xt_time
-loadmodule xt_IPMARK
-loadmodule xt_TPROXY
-#
-# From xtables-addons
-#
-loadmodule xt_condition
-loadmodule xt_geoip
-loadmodule xt_ipp2p
-loadmodule xt_LOGMARK
-loadmodule xt_RAWNAT

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -178,8 +178,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -179,8 +179,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -178,8 +178,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -178,8 +178,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall6/configfiles/shorewall6.conf

@@ -178,8 +178,6 @@ IP_FORWARDING=Keep
 
 KEEP_RT_TABLES=Yes
 
-LOAD_HELPERS_ONLY=Yes
-
 MACLIST_TABLE=filter
 
 MACLIST_TTL=

Shorewall6/modules

@@ -1,39 +0,0 @@
-#
-# Shorewall6 version 5 - Modules File
-#
-# /usr/share/shorewall6/modules
-#
-#	This file loads the modules that may be needed by the firewall.
-#
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
-#
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
-#
-###############################################################################
-#
-# Essential Modules
-#
-INCLUDE modules.essential
-#
-# Other xtables modules
-#
-INCLUDE modules.xtables
-#
-# Helpers
-#
-INCLUDE helpers
-#
-# Ipset
-#
-INCLUDE modules.ipset
-#
-# Traffic Shaping
-#
-INCLUDE modules.tc
-#
-# Extensions
-#
-INCLUDE modules.extensions

Shorewall6/modules.essential

@@ -1,28 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/modules.essential
-#
-# Essential Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule nfnetlink
-loadmodule x_tables
-loadmodule ip6_tables
-loadmodule ip6table_filter
-loadmodule ip6table_mangle
-loadmodule ip6table_raw
-loadmodule xt_conntrack
-loadmodule nf_conntrack_ipv6
-loadmodule nf_nat
-loadmodule nf_nat_ipv6
-loadmodule xt_state
-loadmodule xt_tcpudp
-loadmodule ip6t_REJECT

Shorewall6/modules.extensions

@@ -1,16 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/modules.extension
-#
-# Extensions Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule ip6_queue

Shorewall6/modules.ipset

@@ -1,27 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/modules.ipset
-#
-# IP Set Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall6 and modify the
-# copy.
-#
-###############################################################################
-loadmodule xt_set
-loadmodule ip_set
-loadmodule ip_set_iphash
-loadmodule ip_set_ipmap
-loadmodule ip_set_ipporthash
-loadmodule ip_set_iptree
-loadmodule ip_set_iptreemap
-loadmodule ip_set_macipmap
-loadmodule ip_set_nethash
-loadmodule ip_set_portmap
-loadmodule ipt_SET
-loadmodule ipt_set

Shorewall6/modules.tc

@@ -1,27 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/modules.tc
-#
-# Traffic Shaping Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule sch_sfq
-loadmodule sch_ingress
-loadmodule sch_htb
-loadmodule sch_hfsc
-loadmodule sch_prio
-loadmodule sch_tbf
-loadmodule sch_fq_codel
-loadmodule cls_u32
-loadmodule cls_fw
-loadmodule cls_flow
-loadmodule cls_basic
-loadmodule act_police

Shorewall6/modules.xtables

@@ -1,51 +0,0 @@
-#
-# Shorewall6 -- /usr/share/shorewall6/modules.xtables
-#
-# Xtables Modules File
-#
-# This file loads the modules that may be needed by the firewall.
-#
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1
-# before you load M2.
-#
-# If you need to modify this file, copy it to /etc/shorewall and modify the
-# copy.
-#
-###############################################################################
-loadmodule xt_AUDIT
-loadmodule xt_CLASSIFY
-loadmodule xt_connmark
-loadmodule xt_CONNMARK
-loadmodule xt_conntrack
-loadmodule xt_dccp
-loadmodule xt_dscp
-loadmodule xt_DSCP
-loadmodule xt_hashlimit
-loadmodule xt_helper
-loadmodule xt_iprange
-loadmodule xt_length
-loadmodule xt_limit
-loadmodule xt_mac
-loadmodule xt_mark
-loadmodule xt_MARK
-loadmodule xt_multiport
-loadmodule xt_NFQUEUE
-loadmodule xt_owner
-loadmodule xt_physdev
-loadmodule xt_pkttype
-loadmodule xt_policy
-loadmodule xt_sctp
-loadmodule xt_tcpmss
-loadmodule xt_TCPMSS
-loadmodule xt_time
-loadmodule xt_IPMARK
-loadmodule xt_TPROXY
-#
-# From xtables-addons
-#
-loadmodule xt_condition
-loadmodule xt_geoip
-loadmodule xt_ipp2p
-loadmodule xt_LOGMARK
-loadmodule xt_RAWNAT

docs/Manpages.xml

@@ -5,7 +5,7 @@
   <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
 
   <articleinfo>
-    <title>Shorewall 5.0 Manpages</title>
+    <title>Shorewall 5.* Manpages</title>
 
     <authorgroup>
       <author>
@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2007-2017</year>
+      <year>2007-2019</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -53,6 +53,10 @@
         <member><ulink url="manpages/shorewall-actions.html">actions</ulink> -
         Declare user-defined actions.</member>
 
+        <member><ulink
+        url="/manpages/shorewall-addresses.html">addresses</ulink> - Describes
+        how IP address and ports are specified in Shorewall</member>
+
         <member><ulink url="manpages/shorewall-arprules.html">arprules</ulink>
         - (Added in Shorewall 4.5.12) Define arpfilter rules.</member>
 
@@ -71,6 +75,9 @@
         url="manpages/shorewall-exclusion.html">exclusion</ulink> - Excluding
         hosts from a network or zone</member>
 
+        <member><ulink url="/manpages/shorewall-files.html">files</ulink> -
+        Describes the shorewall configuration files</member>
+
         <member><ulink url="manpages/shorewall-hosts.html">hosts</ulink> -
         Define multiple zones accessed through a single interface</member>
 
@@ -96,7 +103,11 @@
         Define Masquerade/SNAT (deprecated)</member>
 
         <member><ulink url="manpages/shorewall-modules.html">modules</ulink> -
-        Specify which kernel modules to load.</member>
+        Specify which kernel modules to load (Removed in Shorewall
+        5.2.3)</member>
+
+        <member><ulink url="/manpages/shorewall-names.html">names</ulink> -
+        Describes object naming in Shorewall configuration files</member>
 
         <member><ulink url="manpages/shorewall-nat.html">nat</ulink> - Define
         one-to-one NAT.</member>

docs/Shorewall-Lite.xml

@@ -386,6 +386,10 @@
         <filename>modules</filename> or <filename>helpers</filename> file
         found on the CONFIG_PATH on the Administrative System during
         compilation will be used.</para>
+
+        <para>In Shorewall 5.2.3, the LOAD_HELPERS_ONLY option was removed and
+        the behavior is that which was formerly obtained by setting
+        LOAD_HELPERS_ONLY=Yes.</para>
       </section>
 
       <section id="Converting">

docs/configuration_file_basics.xml

@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2001-2017</year>
+      <year>2001-2019</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -56,7 +56,7 @@
     Shorewall</ulink> is required reading for being able to use this article
     effectively. For information about setting up your first Shorewall-based
     firewall, see the <ulink url="GettingStarted.html">Quickstart
-    Guides</ulink>.</para>
+    Guides</ulink>.in</para>
   </section>
 
   <section id="Files">
@@ -283,8 +283,8 @@
 
         <listitem>
           <para><filename>/usr/share/shorewall/modules</filename> — Specifies
-          the kernel modules to be loaded during shorewall
-          start/restart.</para>
+          the kernel modules to be loaded during shorewall start/restart
+          (removed in Shorewall 5.2.3).</para>
         </listitem>
 
         <listitem>
@@ -802,9 +802,9 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
         <term>INLINE</term>
 
         <listitem>
-          <para>INLINE, added in Shorewall 4. is available in the mangle, masq
-          and rules files and allows you to specify ip[6]table text following
-          a semicolon to the right of the column-oriented
+          <para>INLINE, added in Shorewall 4. is available in the mangle, snat
+          (masq) and rules files and allows you to specify ip[6]table text
+          following two semicolons to the right of the column-oriented
           specifications.</para>
 
           <para>INLINE takes one optional parameter which, if present, must be
@@ -852,12 +852,13 @@ INLINE               net              $FW ;; -m recent --rcheck 10 --hitcount 5
           column=value specifications. In Shorewall 5.0.0 and later, inline
           matches are allowed in mangle, masq and rules following two adjacent
           semicolons (";;"). If alternate input is present, the adjacent
-          semicolons should follow that input.</para>
+          semicolons should follow that input. In Shorewall 5.2.2, this
+          support was extended to the conntrack file.</para>
 
           <caution>
-            <para>INLINE_MATCHES=Yes is deprecated and will no longer be
-            supported in Shorewall 5.2 and beyond. Use two adjacent semicolons
-            to introduce inline matches.</para>
+            <para>INLINE_MATCHES=Yes is deprecated and is not supported in
+            Shorewall 5.2 and beyond. Use two adjacent semicolons to introduce
+            inline matches.</para>
           </caution>
 
           <para>Example from the masq file that spits outgoing SNAT between

docs/standalone.xml

@@ -486,6 +486,11 @@ root@lists:~# </programlisting>
     <filename>/usr/share/shorewall/modules</filename>. That file does not set
     <emphasis role="bold">sip_direct_media=0</emphasis>.</para>
 
+    <important>
+      <para>In Shorewall 5.2.3, the LOAD_HELPERS_ONLY option was removed and
+      the behavior is the same as if LOAD_HELPERS_ONLY=Yes.</para>
+    </important>
+
     <para>If you need to modify either
     <filename>/usr/share/shorewall/helpers</filename> or
     <filename>/usr/share/shorewall/modules</filename> then copy the file to

docs/three-interface.xml

@@ -799,6 +799,12 @@ root@lists:~# </programlisting>
     <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
 
     <para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
+
+    <important>
+      <para>In Shorewall 5.2.3, the LOAD_HELPERS_ONLY option was removed, and
+      the behavior is the same as if LOAD_HELPERS_ONLY=Yes was
+      specified.</para>
+    </important>
   </section>
 
   <section id="DNAT">

docs/two-interface.xml

@@ -751,6 +751,12 @@ root@lists:~# </programlisting>
     <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF"/></para>
 
     <para>Modify the setting of LOAD_HELPER_ONLY as necessary.</para>
+
+    <important>
+      <para>In Shorewall 5.2.3, the LOAD_HELPERS_ONLY option was removed, and
+      the behavior is the same as if LOAD_HELPERS_ONLY=Yes was
+      specified.</para>
+    </important>
   </section>
 
   <section id="DNAT">

docs/useful_links.xml

@@ -10,7 +10,9 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2003-2009</year>
+      <year>2003-2013</year>
+
+      <year>2019</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -79,7 +81,7 @@
 
         <row rowsep="0" valign="middle">
           <entry>Debian apt-get sources for Shorewall: <ulink
-          url="http://people.connexer.com/~roberto/debian/"></ulink>http://people.connexer.com/~roberto/debian/</entry>
+          url="http://people.connexer.com/~roberto/debian/">http://people.connexer.com/~roberto/debian/</ulink></entry>
         </row>
 
         <row rowsep="0" valign="middle">
@@ -88,45 +90,51 @@
         </row>
 
         <row rowsep="0" valign="middle">
-          <entry>Tom's 2005 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2005 LinuxFest NW Presentation - "Shorewall and Native
+          IPsec" : <ulink
           url="http://www.shorewall.net/LinuxFest2005.pdf">http://www.shorewall.net/LinuxFest2005.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2006 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2006 LinuxFest NW Presentation - "OpenVPN" : <ulink
           url="http://www.shorewall.net/LinuxFest2006.pdf">http://www.shorewall.net/LinuxFest2006.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2007 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2007 LinuxFest NW Presentation - "Xen and the Art of
+          Consolidation" : <ulink
           url="http://www.shorewall.net/Linuxfest-2007.pdf">http://www.shorewall.net/Linuxfest-2007.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2008 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2008 LinuxFest NW Presentation - "Kernel-mode Virtual
+          Machine (KVM)" : <ulink
           url="http://www.shorewall.net/Linuxfest-2008.pdf">http://www.shorewall.net/Linuxfest-2008.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2009 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2009 LinuxFest NW Presentation - "Introduction to IPv6"
+          : <ulink
           url="http://www.shorewall.net/Linuxfest-2009.pdf">http://www.shorewall.net/LinuxFestNW-2009.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2010 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2010 LinuxFest NW Presentation - "Managing Multiple
+          Internet Connections with Shorewall" : <ulink
           url="http://www.shorewall.net/LinuxfestNW-2010.pdf">http://www.shorewall.net/LinuxFestNW-2010.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2011 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2011 LinuxFest NW Presentation - "LXC - Linux
+          Containers" : <ulink
           url="http://www.shorewall.net/Linuxfest2011.pdf">http://www.shorewall.net/LinuxFest2011.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2013 SeaGL Presentation: <ulink
+          <entry>Tom's 2013 SeaGL Presentation - "AN INTRODUCTION TO LINUX
+          POLICY ROUTING" : <ulink
           url="http://www.shorewall.net/SeaGL2013.pdf">http://www.shorewall.net/SeaGL2013.pdf</ulink></entry>
         </row>
-
       </tbody>
     </tgroup>
   </informaltable>