Add empty target files 5.2.3.7

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/Shorewall-core-targetname

@@ -0,0 +1 @@
+5.2.3.7

Shorewall-core/manpages/shorewall.xml

@@ -1141,7 +1141,7 @@
           setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <para>When no <replaceable>verbosity</replaceable> is specified,
           each instance of this option causes 1 to be added to the effective
@@ -1162,7 +1162,7 @@
           setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <para>Each instance of this option causes 1 to be subtracted from
           the effective verbosity.</para>
@@ -1199,7 +1199,7 @@
           defined in the <ulink
           url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))file.
+          url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5))file.
           A <emphasis>host-list</emphasis> is comma-separated list whose
           elements are host or network addresses.<caution>
               <para>The <command>add</command> command is not very robust. If
@@ -1214,7 +1214,7 @@
           <para>Beginning with Shorewall 4.5.9, the <emphasis
           role="bold">dynamic_shared</emphasis> zone option (<ulink
           url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),<ulink
-          url="???">shorewall6-zones</ulink>(5)) allows a single ipset to
+          url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5)) allows a single ipset to
           handle entries for multiple interfaces. When that option is
           specified for a zone, the <command>add</command> command has the
           alternative syntax in which the <replaceable>zone</replaceable> name
@@ -1332,7 +1332,7 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 
@@ -1440,7 +1440,7 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 
@@ -1458,7 +1458,7 @@
           defined in the <ulink
           url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
+          url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
           file. A <emphasis>host-list</emphasis> is comma-separated list whose
           elements are a host or network address.</para>
 
@@ -1466,7 +1466,7 @@
           role="bold">dynamic_shared</emphasis> zone option (<ulink
           url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
           <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
+          url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5))
           allows a single ipset to handle entries for multiple interfaces.
           When that option is specified for a zone, the
           <command>delete</command> command has the alternative syntax in
@@ -1493,7 +1493,7 @@
           command removes any routes added from <ulink
           url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
           (<ulink
-          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))and
+          url="/manpages/shorewall-routes.html">shorewall6-routes</ulink>(5))and
           any traffic shaping configuration for the interface.</para>
         </listitem>
       </varlistentry>
@@ -1554,7 +1554,7 @@
           adds any route specified in <ulink
           url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
           (<ulink
-          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))
+          url="/manpages/shorewall-routes.html">shorewall6-routes</ulink>(5))
           and installs the interface's traffic shaping configuration, if
           any.</para>
         </listitem>
@@ -1599,7 +1599,7 @@
           given then the file specified by RESTOREFILE in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
           assumed.</para>
         </listitem>
       </varlistentry>
@@ -1684,7 +1684,7 @@
           specified by the BLACKLIST_LOGLEVEL setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
           This command requires that the firewall be in the started state and
           that DYNAMIC_BLACKLIST=Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf
@@ -1700,7 +1700,7 @@
           <para>Monitors the log file specified by the LOGFILE option in
           <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))
           and produces an audible alarm when new Shorewall messages are
           logged. The <emphasis role="bold">-m</emphasis> option causes the
           MAC address of each packet source to be displayed if that
@@ -1723,7 +1723,7 @@
           specified by the BLACKLIST_LOGLEVEL setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5),
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
           This command requires that the firewall be in the started state and
           that DYNAMIC_BLACKLIST=Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf
@@ -1878,13 +1878,13 @@
                 INLINE_MATCHES is set to Yes in <ulink
                 url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                 (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))..</para>
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))..</para>
 
                 <para>The <option>-C</option> option was added in Shorewall
                 4.6.5 and is only meaningful when AUTOMAKE=Yes in <ulink
                 url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                 (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                 If an existing firewall script is used and if that script was
                 the one that generated the current running configuration, then
                 the running netfilter configuration will be reloaded as is so
@@ -2006,7 +2006,7 @@
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
           url="shorewall.conf.html">shorewall.conf</ulink>(5) (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>) is
           assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
@@ -2071,8 +2071,8 @@
           Beginning with Shorewall 5.0.13, if
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> (<ulink
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
           assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
@@ -2104,7 +2104,7 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 
@@ -2144,8 +2144,8 @@
           Beginning with Shorewall 5.0.13, if
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> (<ulink
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
           assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
@@ -2177,7 +2177,7 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -2304,7 +2304,7 @@
           restored from the file specified by the RESTOREFILE option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <caution>
             <para>If your iptables ruleset depends on variables that are
@@ -2460,7 +2460,7 @@
           in the file specified by the RESTOREFILE option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <para>The <option>-C</option> option, added in Shorewall 4.6.5,
           causes the iptables packet and byte counters to be saved along with
@@ -2477,7 +2477,7 @@
           the SAVE_IPSETS option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
           This command may be used to proactively save your ipset contents in
           the event that a system failure occurs prior to issuing a
           <command>stop</command> command.</para>
@@ -2645,7 +2645,7 @@
                 accounting counters (<ulink
                 url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>
                 (5), <ulink
-                url="/manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>(5)).</para>
+                url="/manpages/shorewall-accounting.html">shorewall6-accounting</ulink>(5)).</para>
               </listitem>
             </varlistentry>
 
@@ -2669,7 +2669,7 @@
                 file specified by the LOGFILE option in <ulink
                 url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                 (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                 The <emphasis role="bold">-m</emphasis> option causes the MAC
                 address of each packet source to be displayed if that
                 information is available.</para>
@@ -2851,7 +2851,7 @@
                   in <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))
                   will be restored if that saved configuration exists and has
                   been modified more recently than the files in
                   /etc/shorewall. When <emphasis role="bold">-f</emphasis> is
@@ -2862,7 +2862,7 @@
                   option was added to <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                   When LEGACY_FASTSTART=No, the modification times of files in
                   /etc/shorewall are compared with that of
                   /var/lib/shorewall/firewall (the compiled script that last
@@ -2881,7 +2881,7 @@
                   overriding the AUTOMAKE setting in <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                   When both <option>-f</option> and <option>-c</option>are
                   present, the result is determined by the option that appears
                   last.</para>
@@ -2897,7 +2897,7 @@
                   INLINE_MATCHES is set to Yes in <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
                   <para>The <option>-C</option> option was added in Shorewall
                   4.6.5 and is only meaningful when the <option>-f</option>

Shorewall-lite/Shorewall-lite-targetname

@@ -0,0 +1 @@
+5.2.3.7

Shorewall/Actions/action.IfEvent

@@ -115,8 +115,6 @@ if ( ( $targets{$action} || 0 ) & NATRULE ) {
 if ( $command & $RESET_CMD ) {
     require_capability 'MARK_ANYWHERE', '"reset"', 's';
     
-    print "Resetting....\n";
-    
     my $mark = $globals{EVENT_MARK};
     #
     # The event mark bit must be within 32 bits

Shorewall/Perl/Shorewall/Chains.pm

@@ -536,6 +536,9 @@ our $ipset_rules;
 #
 use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
 
+#
+# Chain optimization flags
+#
 use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4, RETURNS => 8, RETURNS_DONT_MOVE => 12 };
 
 our %dscpmap = ( CS0  => 0x00,
@@ -1140,16 +1143,30 @@ sub set_rule_option( $$$ ) {
 	#
 	# Consider each subtype as a separate type
 	#
-	my ( $invert, $subtype, $val, $rest ) = split ' ', $value;
+	if ( have_capability( 'OLD_CONNTRACK_MATCH' ) ) {
+	    my ( $subtype, $invert, $val, $rest ) = split ' ', $value;
 
-	if ( $invert eq '!' ) {
-	    assert( ! supplied $rest );
-	    $option = join( ' ', $option, $invert, $subtype );
-	    $value  = $val;
+	    if ( $invert eq '!' ) {
+		assert( ! supplied $rest );
+		$option = join( ' ', $option, $subtype );
+		$value  = join( ' ', $invert, $val );
+	    } else {
+		assert( ! supplied $val );
+		$option  = join( ' ', $invert , $option );
+		$value   = $invert;
+	    }
 	} else {
-	    assert( ! supplied $val );
-	    $option  = join( ' ', $option, $invert );
-	    $value   = $subtype;
+	    my ( $invert, $subtype, $val, $rest ) = split ' ', $value;
+
+	    if ( $invert eq '!' ) {
+		assert( ! supplied $rest );
+		$option = join( ' ', $option, $invert, $subtype );
+		$value  = $val;
+	    } else {
+		assert( ! supplied $val );
+		$option  = join( ' ', $option, $invert );
+		$value   = $subtype;
+	    }
 	}
 
 	$opttype = EXCLUSIVE;
@@ -1422,7 +1439,7 @@ sub compatible( $$ ) {
 	}
     }
     #
-    # Don't combine chains where each specifies
+    # Don't combine rules where each specifies
     #    -m policy and the policies are different
     # or when one specifies
     #    -m multiport
@@ -3366,13 +3383,13 @@ sub initialize_chain_table($) {
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
 	$chainref = new_standard_chain( 'DOCKER-INGRESS'   );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS           ] && cat ${VARDIR}/.filter_DOCKER-INGRESS   >&3' );
-	$chainref = new_standard_chain( 'DOCKER-USER'   );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
+	$chainref = new_standard_chain( 'DOCKER-USER'      );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER              ] && cat ${VARDIR}/.filter_DOCKER-USER      >&3' );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3' );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION         ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-1' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 >&3' );
@@ -4991,10 +5008,10 @@ sub do_proto( $$$;$ )
 
 			$invert = $sports =~ s/^!// ? '! ' : '';
 
-			if ( $ports =~ /^\+/ ) {
+			if ( $sports =~ /^\+/ ) {
 			    $output .= $invert;
 			    $output .= '-m set ';
-			    $output .= get_set_flags( $ports, 'src' );
+			    $output .= get_set_flags( $sports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
@@ -5207,8 +5224,8 @@ sub do_iproto( $$$ )
 			fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
 			$invert = $sports =~ s/^!// ? '! ' : '';
 
-			if ( $ports =~ /^\+/ ) {
-			    push @output, set => ${invert} . get_set_flags( $ports, 'src' );
+			if ( $sports =~ /^\+/ ) {
+			    push @output, set => ${invert} . get_set_flags( $sports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
@@ -7652,11 +7669,13 @@ sub isolate_source_interface( $ ) {
 		) {
 	    $iiface = $1;
 	    $inets  = $2;
+	    $inets =~ s/\]-\[/-/;
 	} elsif ( $source =~ /:/ ) {
 	    if ( $source =~ /^\[(?:.+),\[(?:.+)\]$/ ){
 		$inets = $source;
 	    } elsif ( $source =~ /^\[(.+)\]$/ ) {
 		$inets = $1;
+		$inets =~ s/\]-\[/-/;
 	    } else {
 		$inets = $source;
 	    }
@@ -7774,6 +7793,7 @@ sub isolate_dest_interface( $$$$ ) {
 	if ( $dest =~ /^(.+?):(\[(?:.+),\[(?:.+)\])$/ ) {
 	    $diface = $1;
 	    $dnets  = $2;
+	    $dnets =~ s/\]-\[/-/;
 	} elsif (  $dest =~ /^(.+?):\[(.+)\]\s*$/ ||
 		   $dest =~ /^(.+?):(!?\+.+)$/    ||
 		   $dest =~ /^(.+?):(!?[&%].+)$/  ||
@@ -7786,6 +7806,7 @@ sub isolate_dest_interface( $$$$ ) {
 		$dnets = $dest;
 	    } elsif ( $dest =~ /^\[(.+)\]$/ ) {
 		$dnets = $1;
+	        $dnets =~ s/\]-\[/-/;
 	    } else {
 		$dnets = $dest;
 	    }
@@ -8694,22 +8715,17 @@ sub save_docker_rules($) {
     emit( qq(if [ -n "\$g_docker" ]; then),
 	  qq(    $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
 	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
-	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
+	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL | fgrep -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
-	  qq(    [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
-	  qq(    [ -n "\$g_dockeruser" ]    && $tool -t filter -S DOCKER-USER      | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
+	  qq(    rm -f \${VARDIR}/.filter_DOCKER-*),
+	  qq(    [ -n "\$g_dockeringress"  ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
+	  qq(    [ -n "\$g_dockeruser"     ] && $tool -t filter -S DOCKER-USER      | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
+	  qq(    [ -n "\$g_dockeriso"      ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
 	  qq(),
-	  qq(    case "\$g_dockernetwork" in),
-	  qq(        One\)),
-	  qq(            rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
-	  qq(            $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
-	  qq(            ;;),
-	  qq(        Two\)),
-	  qq(            rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
-	  qq(            $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
-	  qq(            $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
-	  qq(            ;;),
-	  qq(    esac),
+	  qq(    if [ -n "\$g_dockerisostage" ]; then),
+	  qq(        $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
+	  qq(        $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
+	  qq(    fi),
 	  qq(),
 	);
 
@@ -9230,10 +9246,10 @@ sub create_netfilter_load( $ ) {
 			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			ensure_cmd_mode;
-			emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+			emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+		    } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 			ensure_cmd_mode;
-			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+			emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
@@ -9345,11 +9361,11 @@ sub preview_netfilter_load() {
 			print "\n";
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			ensure_cmd_mode1;
-			print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			print( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
-		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+		    } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 			ensure_cmd_mode1;
-			print( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+			print( qq([ "\$g_dockeisostage" ] && echo ":$name - [0:0]" >&3) );
 			print "\n";
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			ensure_cmd_mode1;
@@ -9446,10 +9462,10 @@ sub create_stop_load( $ ) {
 			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			ensure_cmd_mode;
-			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+			emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+		    } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 			ensure_cmd_mode;
-			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+			emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );

Shorewall/Perl/Shorewall/Compiler.pm

@@ -268,13 +268,10 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
-	emit( 'chain_exists DOCKER-USER      && g_dockeruser=Yes' );
-	emit( 'if chain_exists DOCKER-ISOLATION; then',
-	      '    g_dockernetwork=One',
-	      'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
-	      '    g_dockernetwork=Two',
-	      'fi' );
+	emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
+	emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockeriso=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && g_dockerisostage=Yes' );
     }
 
     pop_indent;

Shorewall/Perl/Shorewall/Config.pm

@@ -162,6 +162,7 @@ our @EXPORT = qw(
 
 		 have_capability
 		 require_capability
+		 require_mangle_capability
 		 report_used_capabilities
 		 kernel_version
 
@@ -684,7 +685,6 @@ our $shorewall_dir;          # Shorewall Directory; if non-empty, search here fi
 
 our $debug;                  # Global debugging flag
 our $confess;                # If true, use Carp to report errors with stack trace.
-our $update;                 # True if this is an update
 
 our $family;                 # Protocol family (4 or 6)
 our $export;                 # True when compiling for export
@@ -805,7 +805,7 @@ sub add_variables( \% );
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $;$$$) {
+sub initialize($;$$$) {
     ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
 
     if ( $family == F_IPV4 ) {
@@ -1192,7 +1192,6 @@ sub initialize( $;$$$) {
 
     $debug = 0;
     $confess = 0;
-    $update = 0;
 
     %params = ();
 
@@ -4023,9 +4022,9 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
-	    # Save Raw Image if we are updating
+	    # Save Raw Image
 	    #
-	    $rawcurrentline = $currentline if $update;
+	    $rawcurrentline = $currentline;
 	    #
 	    # Expand Shell Variables using %params and %actparams
 	    #
@@ -4075,14 +4074,16 @@ sub process_shorewallrc( $$ ) {
     my ( $shorewallrc , $product ) = @_;
 
     $shorewallrc{PRODUCT} = $product;
+    $variables{PRODUCT}   = $product;
 
     if ( open_file $shorewallrc ) {
-	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK ) ) {
+	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK | EXPAND_VARIABLES ) ) {
 	    if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
 		my ($var, $val) = ($1, $2);
 		$val = $1 if $val =~ /^\"([^\"]*)\"$/;
 		expand_shorewallrc_variables($val) if supplied $val;
 		$shorewallrc{$var} = $val;
+		$variables{$var}   = $val;
 	    } else {
 		fatal_error "Unrecognized shorewallrc entry";
 	    }
@@ -4603,7 +4604,11 @@ sub New_Conntrack_Match() {
 }
 
 sub Old_Conntrack_Match() {
-    ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
+    if ( $family == F_IPV4 ) {
+	! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
+    } else {
+	! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst ::1" );
+    }
 }
 
 sub Multiport() {
@@ -5263,6 +5268,16 @@ sub require_capability( $$$ ) {
     fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability, 1;
 }
 
+sub require_mangle_capability( $$$ ) {
+    my ( $capability, $description, $singular ) = @_;
+
+    if ( $config{MANGLE_ENABLED} ) {
+	&require_capability( @_ );
+    } else {
+	fatal_error "$description " . ( $singular ?  'is' : 'are' ) . " not available when MANGLE_ENABLED=No in $shorewallrc{PRODUCT}.conf";
+    }
+}
+
 #
 # Return Kernel Version
 #
@@ -5441,6 +5456,7 @@ sub update_config_file( $ ) {
     update_default( 'PAGER',                 $shorewallrc1{DEFAULT_PAGER} );
     update_default( 'LOGFORMAT',             'Shorewall:%s:%s:' );
     update_default( 'LOGLIMIT',              '' );
+    update_default( 'AUTOMAKE',              'No' );
 
     if ( $family == F_IPV4 ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
@@ -5593,8 +5609,8 @@ EOF
 #
 # Small functions called by get_configuration. We separate them so profiling is more useful
 #
-sub process_shorewall_conf( $ ) {
-    my ( $annotate ) = @_;
+sub process_shorewall_conf( $$ ) {
+    my ( $update, $annotate ) = @_;
     my $file   = find_file "$product.conf";
     my @vars;
 
@@ -6175,7 +6191,7 @@ sub convert_to_version_5_2() {
 #
 sub get_configuration( $$$ ) {
 
-    ( my $export, $update, my $annotate ) = @_;
+    my ( $export, $update, $annotate ) = @_;
 
     $globals{EXPORT} = $export;
 
@@ -6237,7 +6253,7 @@ sub get_configuration( $$$ ) {
 
     get_params( $export );
 
-    process_shorewall_conf( $annotate );
+    process_shorewall_conf( $update, $annotate );
 
     ensure_config_path;
 
@@ -6606,6 +6622,7 @@ sub get_configuration( $$$ ) {
     if ( supplied $config{ACCOUNTING_TABLE} ) {
 	my $value = $config{ACCOUNTING_TABLE};
 	fatal_error "Invalid ACCOUNTING_TABLE setting ($value)" unless $value eq 'filter' || $value eq 'mangle';
+	fatal_error "ACCOUNTING_TABLE=mangle not allowed with MANGLE_ENABLED=No" if $value eq 'mangle' and ! $config{MANGLE_ENABLED};
     } else {
 	$config{ACCOUNTING_TABLE} = 'filter';
     }
@@ -6681,7 +6698,7 @@ sub get_configuration( $$$ ) {
 
     $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
 
-    require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
+    require_mangle_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
 
     numeric_option 'TC_BITS'         , 8, 0;
     numeric_option 'MASK_BITS'       , 8, 0;
@@ -6925,7 +6942,7 @@ sub get_configuration( $$$ ) {
 
     if ( $config{TC_ENABLED} ) {
 	fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
-	require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
+	require_mangle_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
     }
 
     if ( supplied( $val = $config{TC_PRIOMAP} ) ) {
@@ -6942,9 +6959,7 @@ sub get_configuration( $$$ ) {
     }
 
     default 'RESTOREFILE'           , 'restore';
-
     default 'DROP_DEFAULT'          , 'none';
-
     default 'REJECT_DEFAULT'        , 'none';
     default 'BLACKLIST_DEFAULT'     , 'none';
     default 'QUEUE_DEFAULT'         , 'none';
@@ -7008,9 +7023,9 @@ sub get_configuration( $$$ ) {
     }
 
     require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
-    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
-    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
+    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's'                 ) if $config{MACLIST_TTL};
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's'        ) if $config{PROVIDER_OFFSET} > 0;
+    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'             ) if $config{TC_ENABLED};
 
     if ( $config{WARNOLDCAPVERSION} ) {
 	if ( $capabilities{CAPVERSION} ) {

Shorewall/Perl/Shorewall/Misc.pm

@@ -97,7 +97,7 @@ sub setup_ecn()
     if ( my $fn = open_file 'ecn' ) {
 
 	first_entry( sub { progress_message2 "$doing $fn...";
-			   require_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
+			   require_mangle_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
 			   warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
 		       } );
 
@@ -679,18 +679,10 @@ sub create_docker_rules() {
 
     my $chainref = $filter_table->{FORWARD};
 
-    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
-    add_commands( $chainref, '[ -n "$g_dockeruser" ]    && echo "-A FORWARD -j DOCKER-USER"    >&3', );
-    add_commands( $chainref ,
-		  '',
-		  'case "$g_dockernetwork" in',
-		  '    One)',
-		  '        echo "-A FORWARD -j DOCKER-ISOLATION" >&3',
-		  '        ;;',
-		  '    Two)',
-		  '        echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',
-		  '        ;;',
-		  'esac' );
+    add_commands( $chainref, '[ -n "$g_dockeringress" ]  && echo "-A FORWARD -j DOCKER-INGRESS" >&3' );
+    add_commands( $chainref, '[ -n "$g_dockeruser" ]     && echo "-A FORWARD -j DOCKER-USER" >&3' );
+    add_commands( $chainref, '[ -n "$g_dockeriso" ]      && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' );
+    add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' );
 
     if ( my $dockerref = known_interface('docker0') ) {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );

Shorewall/Perl/Shorewall/Nat.pm

@@ -316,9 +316,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
 				fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
 
 				$addr = $1;
+				$addr =~ s/\]-\[/-/;
 
 				if ( $addr =~ /^(.+)-(.+)$/ ) {
-				    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $addr, 0;
@@ -930,7 +930,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 
 		if ( $server =~ /^\[(.+)\]$/ ) {
 		    $server = $1;
-		    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $server =~ /]-\[/;
+		    $server =~ s/\]-\[/-/;
 		    assert( $server =~ /^(.+)-(.+)$/ );
 		    ( $addr1, $addr2 ) = ( $1, $2 );
 		}

Shorewall/Perl/Shorewall/Providers.pm

@@ -594,7 +594,7 @@ sub process_a_provider( $ ) {
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
-		require_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
+		require_mangle_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
 		$track = 1;
 	    } elsif ( $option eq 'notrack' ) {
 		$track = 0;
@@ -714,7 +714,7 @@ sub process_a_provider( $ ) {
     $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
 
     if ( $mark ne '-' ) {
-	require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
+	require_mangle_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
 
 	if ( $tproxy && ! $local ) {
 	    $val = $globals{TPROXY_MARK};
@@ -1180,14 +1180,14 @@ CEOF
 	emit "fi\n";
 
 	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-	    my $variable = interface_address( $interface );
+	    my $variable = get_interface_address( $interface );
 
-	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
+	    emit( "echo $variable > \${VARDIR}/${physical}.address" );
 	}
 
 	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    my $variable = interface_gateway( $interface );
-	    emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
+	    my $variable = get_interface_gateway( $interface );
+	    emit( qq(echo "$variable" > \${VARDIR}/${physical}.gateway\n) );
 	}
     } else {
 	emit( qq(progress_message "Provider $table ($number) Started") );
@@ -2323,22 +2323,22 @@ sub handle_optional_interfaces() {
 		emit( 'fi' );
 
 		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-		    my $variable = interface_address( $interface );
+		    my $variable = get_interface_address( $interface );
 
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.address ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.address) != $variable ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );
 		}
 
 		if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-		    my $variable = interface_gateway( $interface );
+		    my $variable = get_interface_gateway( $interface );
 
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.gateway ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"$variable\" ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );

Shorewall/Perl/Shorewall/Rules.pm

@@ -611,8 +611,8 @@ sub process_policy_actions( $$$ ) {
 #
 # Verify an NFQUEUE specification and return the appropriate ip[6]tables target
 #
-sub handle_nfqueue( $$ ) {
-    my ($params, $allow_bypass ) = @_;
+sub handle_nfqueue( $ ) {
+    my ($params) = @_;
     my ( $action, $bypass, $fanout );
     my ( $queue1, $queue2, $queuenum1, $queuenum2 );
 
@@ -625,7 +625,6 @@ sub handle_nfqueue( $$ ) {
 
 	if ( supplied $queue ) {
 	    if ( $queue eq 'bypass' ) {
-		fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 		fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass;
 		return 'NFQUEUE --queue-bypass';
 	    }
@@ -653,7 +652,6 @@ sub handle_nfqueue( $$ ) {
 
     if ( supplied $bypass ) {
 	fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass';
-	fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 
 	$bypass =' --queue-bypass';
     } else {
@@ -721,7 +719,13 @@ sub process_a_policy1($$$$$$$) {
 
     require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
 
-    my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    my ( $policy, $pactions );
+
+    if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::?(.*))/ ) {
+	( $policy, $pactions ) = ( "NFQUEUE($1)", $2 );
+    } else {
+	( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    }
 
     fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
 
@@ -736,9 +740,7 @@ sub process_a_policy1($$$$$$$) {
     my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
 
     if ( defined $queue ) {
-	$policy = handle_nfqueue( $queue,
-				  0 # Don't allow 'bypass'
-	    );
+	$policy = handle_nfqueue( $queue );
     } elsif ( $policy eq 'NONE' ) {
 	fatal_error "NONE policy not allowed with \"all\""
 	    if $clientwild || $serverwild;
@@ -836,11 +838,15 @@ sub process_a_policy() {
 
     my ( $intrazone, $clientlist, $serverlist );
 
-    if ( $clientlist = ( $clients =~ /,/ ) ) {
+    if ( $clients =~ /^all(\+)?!/ ) {
+	$intrazone = $1;
+    } elsif ( $clientlist = ( $clients =~ /,/ ) ) {
 	$intrazone = ( $clients =~ s/\+$// );
     }
 
-    if ( $serverlist = ( $servers =~ /,/ ) ) {
+    if ( $servers =~ /^all(\+)?!/ ) {
+	$intrazone = $1;
+    } elsif ( $serverlist = ( $servers =~ /,/ ) ) {
 	$intrazone ||= ( $servers =~ s/\+$// );
     }	
 
@@ -857,7 +863,7 @@ sub process_a_policy() {
 	    }
 	}
     } else {
-	process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, 0 );
+	process_a_policy1( $clients, $servers, $policy, $loglevel, $synparams, $connlimit, $intrazone );
     }
 }
 
@@ -1600,8 +1606,8 @@ sub merge_levels ($$) {
 
     return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;
 
-    my @supparts = split /:/, $superior;
-    my @subparts = split /:/, $subordinate;
+    my @supparts = split_list2( $superior ,    'Action' );
+    my @subparts = split_list2( $subordinate , 'Action' );
 
     my $subparts = @subparts;
 
@@ -2694,9 +2700,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$macro_nest_level--;
 	goto EXIT;
     } elsif ( $actiontype & NFQ ) {
-	$action = handle_nfqueue( $param,
-				  1 # Allow 'bypass'
-	    );
+	$action = handle_nfqueue( $param );
     } elsif ( $actiontype & SET ) {
 	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
 	fatal_error "$action rules require a set name parameter" unless $param;
@@ -3726,9 +3730,9 @@ sub build_zone_list( $$$\$\$ ) {
 	    } elsif ( ( $input eq 'all+-' ) || ( $input eq 'all-+' ) ) {
 		unless ( $excludefw++ ) {
 		    if ( $any ) {
-			warning message "$original_input is deprecated in favor of 'any+!\$FW'";
+			warning_message "$original_input is deprecated in favor of 'any+!\$FW'";
 		    } else {
-			warning message "$original_input is deprecated in favor of 'all+!\$FW'";
+			warning_message "$original_input is deprecated in favor of 'all+!\$FW'";
 		    }
 		}
 
@@ -3737,9 +3741,9 @@ sub build_zone_list( $$$\$\$ ) {
 	    } elsif ( $input eq 'all-' ) {
 		unless ( $excludefw++ ) {
 		    if ( $any ) {
-			warning message "any- is deprecated in favor of 'any!\$FW'";
+			warning_message "any- is deprecated in favor of 'any!\$FW'";
 		    } else {
-			warning message "all- is deprecated in favor of 'all!\$FW'" unless $excludefw++;
+			warning_message "all- is deprecated in favor of 'all!\$FW'" unless $excludefw++;
 		    }
 		}
 
@@ -5763,9 +5767,9 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 			    fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
 
 			    $addr = $1;
+			    $addr =~ s/\]-\[/-/;
 
 			    if ( $addr =~ /^(.+)-(.+)$/ ) {
-				fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
 				validate_range( $1, $2 );
 			    } else {
 				validate_address $addr, 0;

Shorewall/Perl/Shorewall/Tc.pm

@@ -2455,7 +2455,7 @@ sub setup_tc( $ ) {
 		}
 	    }
 	} elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
-	    warning_message "The tcrules file is no longer supported -- use '$product update' to convert $fn to an equivalent 'mangle' file";
+	    warning_message "The tcrules file is no longer supported -- use '$shorewallrc{product} update' to convert $fn to an equivalent 'mangle' file";
 	}
 
 	if ( my $fn = open_file( 'mangle', 1, 1 ) ) {

Shorewall/Perl/prog.footer

@@ -148,7 +148,8 @@ g_compiled=
 g_file=
 g_docker=
 g_dockeringress=
-g_dockernetwork=
+g_dockeriso=
+g_dockerisostage=
 g_forcereload=
 g_fallback=
 

Shorewall/Shorewall-targetname

@@ -0,0 +1 @@
+5.2.3.7

Shorewall/helpers

@@ -16,25 +16,6 @@
 
 # Helpers
 #
-loadmodule ip_conntrack_amanda
-loadmodule ip_conntrack_ftp
-loadmodule ip_conntrack_h323
-loadmodule ip_conntrack_irc
-loadmodule ip_conntrack_netbios_ns
-loadmodule ip_conntrack_pptp
-loadmodule ip_conntrack_sip
-loadmodule ip_conntrack_tftp
-loadmodule ip_nat_amanda
-loadmodule ip_nat_ftp
-loadmodule ip_nat_h323
-loadmodule ip_nat_irc
-loadmodule ip_nat_pptp
-loadmodule ip_nat_sip
-loadmodule ip_nat_snmp_basic
-loadmodule ip_nat_tftp
-#
-# 2.6.20+ helpers
-#
 loadmodule nf_conntrack_ftp
 loadmodule nf_conntrack_h323
 loadmodule nf_conntrack_irc

Shorewall/install.sh

@@ -1241,6 +1241,14 @@ if [ $PRODUCT = shorewall ]; then
     rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/deprecated/macro.SMTPTraps
 fi
 
+#
+# Remove unneeded modules files
+#
+
+if [ -n "$first_install" ]; then
+    rm -f ${DESTDIR}${SHAREDIR}/${PRODUCT}/modules*
+fi
+
 if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
     if [ -n "$SERVICEDIR" ]; then
 	if systemctl enable ${PRODUCT}.service; then

Shorewall/manpages/shorewall-files.xml

@@ -901,7 +901,7 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
     reload</command> or <command>shorewall restart</command>. This may be
     accomplished using the SWITCH column in <ulink
     url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) or <ulink
-    url="manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5). Using
+    url="manpages/shorewall-rules.html">shorewall6-rules</ulink> (5). Using
     this column requires that your kernel and iptables include
     <firstterm>Condition Match Support</firstterm> and you must be running
     Shorewall 4.4.24 or later. See the output of <command>shorewall show

Shorewall/manpages/shorewall-init.xml

@@ -18,7 +18,7 @@
 
   <refsynopsisdiv>
     <cmdsynopsis>
-      <command>/etc/init.d/shorewall-init</command>
+      <command>shorewall-init</command>
 
       <arg>start|stop</arg>
     </cmdsynopsis>
@@ -149,7 +149,7 @@
     want to make both interfaces optional and set the REQUIRE_INTERFACE option
     to Yes in <ulink url="/manpages/shorewall.conf.html">shorewall.conf
     </ulink>(5) or <ulink
-    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5). This
+    url="/manpages/shorewall.conf.html">shorewall6.conf</ulink> (5). This
     causes the firewall to remain stopped until at least one of the interfaces
     comes up.</para>
   </refsect1>

Shorewall/manpages/shorewall-interfaces.xml

@@ -155,7 +155,7 @@ loc     eth2            -</programlisting>
           <para>Beginning with Shorewall 4.5.17, if you specify a zone for the
           'lo' interface, then that zone must be defined as type
           <option>local</option> in <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
+          url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5).</para>
         </listitem>
       </varlistentry>
 

Shorewall/manpages/shorewall-logging.xml

@@ -276,7 +276,7 @@
 
     <para>By setting the LOGTAGONLY option to Yes in <ulink
     url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink> or <ulink
-    url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, the
+    url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>, the
     disposition ('DROP' in the above example) will be omitted. Consider the
     following rule:</para>
 
@@ -373,7 +373,7 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net
     <para>Beginning with Shorewall 4.6.4, you can configure the backend using
     the LOG_BACKEND option in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
-    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+    url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>.</para>
   </refsect1>
 
   <refsect1>

Shorewall/manpages/shorewall-nat.xml

@@ -35,7 +35,7 @@
       in many cases, Proxy ARP (<ulink
       url="/manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5))
       or Proxy-NDP(<ulink
-      url="/manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp</ulink>(5))
+      url="/manpages/shorewall-proxyndp.html">shorewall6-proxyndp</ulink>(5))
       is a better solution that one-to-one NAT.</para>
     </warning>
 

Shorewall/manpages/shorewall-policy.xml

@@ -131,7 +131,7 @@
         role="bold">BLACKLIST</emphasis>|<emphasis
         role="bold">CONTINUE</emphasis>|<emphasis
         role="bold">QUEUE</emphasis>|<emphasis
-        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
+        role="bold">NFQUEUE</emphasis>[([<replaceable>queuenumber</replaceable>1[:<replaceable>queuenumber2</replaceable>[c]][,bypass]]|bypass)]|<emphasis
         role="bold">NONE</emphasis>}[<emphasis
         role="bold">:</emphasis>{[+]<emphasis>policy-action</emphasis>[:level][,...]|<emphasis
         role="bold">None</emphasis>}]</term>
@@ -236,7 +236,18 @@
                 given queues. This is useful for multicore systems: start
                 multiple instances of the userspace program on queues x, x+1,
                 .. x+n and use "x:x+n". Packets belonging to the same
-                connection are put into the same nfqueue.</para>
+                connection are put into the same nfqueue. Beginning with
+                Shorewall 5.1.0, queuenumber2 may be followed by the letter
+                'c' to indicate that the CPU ID will be used as an index to
+                map packets to the queues. The idea is that you can improve
+                performance if there's a queue per CPU. Requires the NFQUEUE
+                CPU Fanout capability in your kernel and iptables.</para>
+
+                <para>Beginning with Shorewall 4.6.10, the keyword <emphasis
+                role="bold">bypass</emphasis> can be given. By default, if no
+                userspace program is listening on an NFQUEUE, then all packets
+                that are to be queued are dropped. When this option is used,
+                the NFQUEUE rule behaves like ACCEPT instead.</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall-rules.xml

@@ -545,7 +545,7 @@
                 the<replaceable>
                 ip6tables-</replaceable><replaceable>target</replaceable> as a
                 builtin action in <ulink
-                url="/manpages6/shorewall6-actions.html">shorewall-actions</ulink>(5).</para>
+                url="/manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
 
                 <important>
                   <para>If you specify REJECT as the
@@ -674,15 +674,15 @@
                 the keyword <emphasis role="bold">bypass</emphasis> can be
                 given. By default, if no userspace program is listening on an
                 NFQUEUE, then all packets that are to be queued are dropped.
-                When this option is used, the NFQUEUE rule is silently
-                bypassed instead. The packet will move on to the next rule.
-                Also beginning in Shorewall 4.6.10, a second queue number
-                (<replaceable>queuenumber2</replaceable>) may be specified.
-                This specifies a range of queues to use. Packets are then
-                balanced across the given queues. This is useful for multicore
-                systems: start multiple instances of the userspace program on
-                queues x, x+1, .. x+n and use "x:x+n". Packets belonging to
-                the same connection are put into the same nfqueue.</para>
+                When this option is used, the NFQUEUE rule behaves like ACCEPT
+                instead. Also beginning in Shorewall 4.6.10, a second queue
+                number (<replaceable>queuenumber2</replaceable>) may be
+                specified. This specifies a range of queues to use. Packets
+                are then balanced across the given queues. This is useful for
+                multicore systems: start multiple instances of the userspace
+                program on queues x, x+1, .. x+n and use "x:x+n". Packets
+                belonging to the same connection are put into the same
+                nfqueue.</para>
 
                 <para>Beginning with Shorewall 5.1.0, queuenumber2 may be
                 followed by the letter 'c' to indicate that the CPU ID will be

Shorewall6-lite/Shorewall6-lite-targetname

@@ -0,0 +1 @@
+5.2.3.7

Shorewall6/Shorewall6-targetname

@@ -0,0 +1 @@
+5.2.3.7

docs/Accounting.xml

@@ -54,9 +54,7 @@
     <quote>tcpflags</quote> and <quote>maclist</quote>.</para>
 
     <para>The columns in the accounting file are described in <ulink
-    url="manpages/shorewall-accounting.html">shorewall-accounting</ulink> (5)
-    and <ulink
-    url="manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>
+    url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
     (5).</para>
 
     <para>In all columns except ACTION and CHAIN, the values <quote>-</quote>,

docs/Actions.xml

@@ -499,16 +499,12 @@ REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>
       <title>Mangle Actions</title>
 
       <para>Beginning with Shorewall 5.0.7, actions may be used in <ulink
-      url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink> and
-      <ulink
-      url="manpages6/shorewall6-mangle.html">shorewall6-mangle(5)</ulink>.
+      url="manpages/shorewall-mangle.html">shorewall-mangle(5)</ulink>.
       Because the rules and mangle files have different column layouts,
       actions can be defined to be used in one file or the other but not in
       both. To designate an action to be used in the mangle file, specify the
       <option>mangle</option> option in the action's entry in <ulink
-      url="manpages/shorewall-actions.html">shorewall-actions</ulink>(5) or
-      <ulink
-      url="manpages6/shorewall6-actions.html">shorewall6-actions</ulink>(5).</para>
+      url="manpages/shorewall-actions.html">shorewall-actions</ulink>(5).</para>
 
       <para>To create a mangle action, follow the steps in the preceding
       section, but use the

docs/Build.xml

@@ -46,7 +46,7 @@
   <section>
     <title>Git Taxonomy</title>
 
-    <para>The Shorewall Git tree at Sourceforge serves as the master
+    <para>The Shorewall Git tree at Gitlab serves as the master
     repository for Shorewall 4.4 and later versions. It is not possible to
     simply export a directory from Git and run the
     <command>install.sh</command> script in that directory. A build step is
@@ -56,7 +56,7 @@
     <para>My local git repositories are:</para>
 
     <section>
-      <title>trunk (clone of Code)</title>
+      <title>code (clone of Code)</title>
 
       <para>The development branch of each product is kept here.</para>
 
@@ -91,7 +91,7 @@
     </section>
 
     <section>
-      <title>trunk/docs</title>
+      <title>code/docs</title>
 
       <para>The stable release XML documents. Depending on the point in the
       release cycle, these documents may also apply to the current development
@@ -101,7 +101,7 @@
     <section>
       <title>tools (Clone of Tools)</title>
 
-      <para>This is where the release and build tools are kept. There are two
+      <para>This is where the release and build tools are kept. There are four
       subordinate directories:</para>
 
       <variablelist>
@@ -113,6 +113,22 @@
           </listitem>
         </varlistentry>
 
+        <varlistentry>
+          <term>tools/files</term>
+
+          <listitem>
+            <para>Files that are used during the release process.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>tools/testing</term>
+
+          <listitem>
+            <para>Tools for testing.</para>
+          </listitem>
+        </varlistentry>
+
         <varlistentry>
           <term>tools/web</term>
 
@@ -167,7 +183,7 @@
       <title>build45, build46 and build50</title>
 
       <para>These are the scripts that respectively build Shorewall 4.5,
-      Shorewall 4.6 and Shorewall 5.0 packages from Git.</para>
+      Shorewall 4.6 and Shorewall 5.[012] packages from Git.</para>
 
       <para>The scripts copy content from Git using the <command>git
       archive</command> command. They then use that content to build the
@@ -432,7 +448,7 @@
           <term><emphasis>products</emphasis></term>
 
           <listitem>
-            <para>specifes the products to upload. If not given, all products
+            <para>specifies the products to upload. If not given, all products
             are uploaded. This option is generally given only when uploading a
             patch release.</para>
 
@@ -559,12 +575,12 @@
         </listitem>
 
         <listitem>
-          <para>OPENWRT - OpenWRT (Shorewall-core, Shorewall6-lite ad
-          Shorewall6-lite only)</para>
+          <para>OPENWRT - OpenWRT (Shorewall-core, Shorewall-lite,
+          Shorewall6-lite and Shorewall-init only)</para>
         </listitem>
       </itemizedlist>
 
-      <para>See the <ulink url="Insall.htm">installation article</ulink> for
+      <para>See the <ulink url="Install.htm">installation article</ulink> for
       additional information</para>
     </section>
   </section>

docs/Docker.xml

@@ -13,6 +13,10 @@
 
         <surname>Eastep</surname>
       </author>
+
+      <author>
+        <surname>J Cliff Armstrong</surname>
+      </author>
     </authorgroup>
 
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
@@ -20,6 +24,8 @@
     <copyright>
       <year>2016</year>
 
+      <year>2020</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -57,6 +63,35 @@
     <command>restart</command> or <command>reload</command> operation and
     restores those rules along with the Shorewall-generated ruleset.</para>
 
+    <important>
+      <para>Shorewall currently doesn't support Docker Swarm mode.</para>
+    </important>
+
+    <warning>
+      <para>On Debian and Debian-derived systems, <command>systemctl restart
+      shorewall</command> will lose Docker rules. You can work around this
+      issue using a method provided by J Cliff Armstrong:</para>
+
+      <para>Type as root:</para>
+
+      <programlisting><command>systemctl edit shorewall.service</command></programlisting>
+
+      <para>This will open the default terminal editor to a blank file in
+      which you can paste the following:</para>
+
+      <programlisting>[Service]
+# reset ExecStop
+ExecStop=
+# set ExecStop to "stop" instead of "clear"
+ExecStop=/sbin/shorewall $OPTIONS stop
+</programlisting>
+
+      <para> Then type <command>systemctl daemon-reload </command>to activate
+      the changes. This change will survive future updates of the shorewall
+      package from apt repositories. The override file itself will be saved to
+      `/etc/systemd/system/shorewall.service.d/`. </para>
+    </warning>
+
     <para>This support assumes that the default Docker bridge (docker0) is
     being used. It is recommended that this bridge be defined to Shorewall in
     <ulink

docs/Documentation_Index.xml

@@ -45,11 +45,7 @@
           </row>
 
           <row>
-            <entry><ulink url="Manpages.html">IPv4 Manpages</ulink></entry>
-          </row>
-
-          <row>
-            <entry><ulink url="Manpages6.html">IPv6 Manpages</ulink></entry>
+            <entry><ulink url="Manpages.html">Manpages</ulink></entry>
           </row>
 
           <row>

docs/FTP.xml

@@ -431,7 +431,7 @@ CT:helper:ftp           loc             -               tcp     21</programlisti
     <para><filename>/etc/shorewall/rules:</filename></para>
 
     <programlisting>#ACTION         SOURCE         DEST                 PROTO     DPORT
-DNAT            net            loc:192.168.1.2:21   tcp       12345  { helper=ftp }the</programlisting>
+DNAT            net            loc:192.168.1.2:21   tcp       12345  { helper=ftp }</programlisting>
 
     <para>That entry will accept ftp connections on port 12345 from the net
     and forward them to host 192.168.1..2 and port 21 in the loc zone.</para>

docs/IPSEC-2.6.xml

@@ -364,6 +364,12 @@ ACCEPT     vpn:134.28.54.2  $FW</programlisting>
       <programlisting>#ZONE   TYPE    OPTIONS                 IN_OPTIONS              OUT_OPTIONS
 vpn     ipsec   mode=tunnel             <emphasis role="bold">mss=1400</emphasis></programlisting>
 
+      <para>Note that if you are using ipcomp, you should omit the mode
+      specification:</para>
+
+      <programlisting>#ZONE   TYPE    OPTIONS                 IN_OPTIONS              OUT_OPTIONS
+vpn     ipsec   -                       <emphasis role="bold">mss=1400</emphasis></programlisting>
+
       <para>You should also set FASTACCEPT=No in shorewall.conf to ensure that
       both the SYN and SYN,ACK packets have their MSS field adjusted.</para>
 

docs/IPv6Support.xml

@@ -178,7 +178,7 @@
             <para>Set KEEP_RT_TABLES=No in <ulink
             url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and
             set KEEP_RT_TABLES=Yes in <ulink
-            url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+            url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
           </listitem>
         </itemizedlist>
 
@@ -469,9 +469,9 @@ ACCEPT          net:wlan0:&lt;2002:ce7c:92b4::3&gt;   $FW             tcp     22
           <para>The Linux IPv6 stack does not support balancing (multi-hop)
           routes. Thehe <option>balance</option> and <option>fallback</option>
           options in <ulink
-          url="manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5)
+          url="manpages/shorewall-providers.html">shorewall6-providers</ulink>(5)
           and USE_DEFAULT_RT=Yes in <ulink
-          url="manpages6/shorewall.conf.html">shorewall6.conf</ulink>(5) are
+          url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5) are
           supported, but at most one provider can have the
           <option>balance</option> option and at most one provider can have
           the <option>fallback</option> option.</para>

docs/ISO-3661.xml

@@ -84,7 +84,7 @@
     any future ability to install the database at another location, Shorewall
     supports a GEOIPDIR option in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and <ulink
-    url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5). The
+    url="manpages/shorewall.conf.html">shorewall6.conf</ulink> (5). The
     default value of that option is
     <filename>/usr/share/xt_geoip/LE</filename>.</para>
 

docs/Introduction.xml

@@ -16,7 +16,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2003-2015</year>
+      <year>2003-2020</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -170,17 +170,21 @@ dmz     ipv4</programlisting>
     file. In the three-interface sample, the three zones are defined using
     that file as follows:</para>
 
-    <programlisting>#ZONE      INTERFACE     BROADCAST     OPTIONS
-net        eth0          detect        dhcp,routefilter
-loc        eth1          detect
-dmz        eth2          detect</programlisting>
+    <programlisting>#ZONE   INTERFACE       OPTIONS
+net     NET_IF          tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1
+dmz     DMZ_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth2</programlisting>
 
     <para>The above file defines the <emphasis>net</emphasis> zone as all IPv4
     hosts interfacing to the firewall through eth0, the
     <emphasis>loc</emphasis> zone as all IPv4 hosts interfacing through eth1
     and the <emphasis>dmz</emphasis> as all IPv4 hosts interfacing through
-    eth2. It is important to note that the composition of a zone is defined in
-    terms of a combination of addresses <emphasis role="bold">and</emphasis>
+    eth2. The interface names shown in the INTERFACE column are <emphasis>
+    logical</emphasis> names which are used throughout the configuration to
+    refer to the individual interfaces. The actual interface names are
+    specified using the <emphasis role="bold">physical</emphasis> option. It
+    is important to note that the composition of a zone is defined in terms of
+    a combination of addresses <emphasis role="bold">and</emphasis>
     interfaces. When using the <ulink
     url="manpages/shorewall-interfaces.html"><filename>/etc/shorewall/interfaces</filename></ulink>
     file to define a zone, all addresses are included; when you want to define
@@ -190,10 +194,12 @@ dmz        eth2          detect</programlisting>
     file or you may use the nets= option in
     <filename>/etc/shorewall/interfaces</filename>:</para>
 
-    <programlisting>#ZONE      INTERFACE     BROADCAST     OPTIONS
-net        eth0          detect        dhcp,routefilter,nets=(!192.168.0.0/23)
-loc        eth1          detect        nets=(192.168.0.0/24)
-dmz        eth2          detect        nets=(192.168.1.0/24)</programlisting>
+    <programlisting>#ZONE   INTERFACE       OPTIONS
+net     NET_IF          tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0,physical=eth0
+loc     LOC_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth1,<emphasis
+        role="bold">nets=172.20.1.0/24</emphasis>
+dmz     DMZ_IF          tcpflags,nosmurfs,routefilter,logmartians,physical=eth2
+</programlisting>
 
     <para>The above file defines the <emphasis>net</emphasis> zone as all IPv4
     hosts interfacing to the firewall through eth0 <emphasis>except</emphasis>

docs/Manpages.xml

@@ -5,7 +5,7 @@
   <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
 
   <articleinfo>
-    <title>Shorewall 5.0 Manpages</title>
+    <title>Shorewall 5.* Manpages</title>
 
     <authorgroup>
       <author>
@@ -18,7 +18,7 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2007-2017</year>
+      <year>2007-2019</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -53,6 +53,10 @@
         <member><ulink url="manpages/shorewall-actions.html">actions</ulink> -
         Declare user-defined actions.</member>
 
+        <member><ulink
+        url="/manpages/shorewall-addresses.html">addresses</ulink> - Describes
+        how IP address and ports are specified in Shorewall</member>
+
         <member><ulink url="manpages/shorewall-arprules.html">arprules</ulink>
         - (Added in Shorewall 4.5.12) Define arpfilter rules.</member>
 
@@ -71,6 +75,9 @@
         url="manpages/shorewall-exclusion.html">exclusion</ulink> - Excluding
         hosts from a network or zone</member>
 
+        <member><ulink url="/manpages/shorewall-files.html">files</ulink> -
+        Describes the shorewall configuration files</member>
+
         <member><ulink url="manpages/shorewall-hosts.html">hosts</ulink> -
         Define multiple zones accessed through a single interface</member>
 
@@ -96,7 +103,11 @@
         Define Masquerade/SNAT (deprecated)</member>
 
         <member><ulink url="manpages/shorewall-modules.html">modules</ulink> -
-        Specify which kernel modules to load.</member>
+        Specify which kernel modules to load (Removed in Shorewall
+        5.2.3)</member>
+
+        <member><ulink url="/manpages/shorewall-names.html">names</ulink> -
+        Describes object naming in Shorewall configuration files</member>
 
         <member><ulink url="manpages/shorewall-nat.html">nat</ulink> - Define
         one-to-one NAT.</member>
@@ -120,9 +131,8 @@
         <member><ulink url="manpages/shorewall-proxyarp.html">proxyarp</ulink>
         - Define Proxy ARP (IPv4)</member>
 
-        <member><ulink
-        url="manpages6/shorewall-proxyndp.html">proxyndp</ulink> - Define
-        Proxy NDP (IPv6)</member>
+        <member><ulink url="manpages/shorewall-proxyndp.html">proxyndp</ulink>
+        - Define Proxy NDP (IPv6)</member>
 
         <member><ulink url="manpages/shorewall-rtrules.html">rtrules</ulink> -
         Define routing rules.</member>
@@ -168,7 +178,7 @@
         values for global Shorewall options.</member>
 
         <member><ulink
-        url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink> - Specify
+        url="manpages/shorewall.conf.html">shorewall6.conf</ulink> - Specify
         values for global Shorewall6 options.</member>
 
         <member><ulink
@@ -201,7 +211,7 @@
       <simplelist>
         <member><ulink url="manpages/shorewall.html">shorewall</ulink> -
         /sbin/shorewall, /sbin/shorewall6/, /sbin/shorewall-lite and
-        /sbin/shorewall6-line command syntax and semantics.</member>
+        /sbin/shorewall6-lite command syntax and semantics.</member>
       </simplelist>
     </blockquote>
   </section>

docs/Manpages6.xml

@@ -1,182 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<article>
-  <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
-
-  <articleinfo>
-    <title>Shorewall6 5.0 Manpages</title>
-
-    <authorgroup>
-      <author>
-        <firstname>Tom</firstname>
-
-        <surname>Eastep</surname>
-      </author>
-    </authorgroup>
-
-    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
-
-    <copyright>
-      <year>2007-2014</year>
-
-      <holder>Thomas M. Eastep</holder>
-    </copyright>
-
-    <legalnotice>
-      <para>Permission is granted to copy, distribute and/or modify this
-      document under the terms of the GNU Free Documentation License, Version
-      1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
-      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
-      License</ulink></quote>.</para>
-    </legalnotice>
-  </articleinfo>
-
-  <warning>
-    <para>These manpages are for Shorewall6 5.0 and later only. They describe
-    features and options not available on earlier releases.The manpages for
-    Shorewall 4.4-4.6 are available <ulink
-    url="/manpages4/Manpages.html">here</ulink>.</para>
-  </warning>
-
-  <section id="Section5">
-    <title>Section 5 — Files and Concepts</title>
-
-    <blockquote>
-      <simplelist>
-        <member><ulink
-        url="manpages6/shorewall6-accounting.html">accounting</ulink> - Define
-        IP accounting rules.</member>
-
-        <member><ulink url="manpages6/shorewall6-actions.html">actions</ulink>
-        - Declare user-defined actions.</member>
-
-        <member><ulink url="manpages6/shorewall6-blrules.html">blrules</ulink>
-        - shorewall6 Blacklist file.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-conntrack.html">conntrack</ulink> - Specify
-        helpers for connections or exempt certain traffic from netfilter
-        connection tracking.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-exclusion.html">exclusion</ulink> -
-        Excluding hosts from a network or zone</member>
-
-        <member><ulink url="manpages6/shorewall6-hosts.html">hosts</ulink> -
-        Define multiple zones accessed through a single interface</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-interfaces.html">interfaces</ulink> - Define
-        the interfaces on the system and optionally associate them with
-        zones.</member>
-
-        <member><ulink url="manpages6/shorewall6-maclist.html">maclist</ulink>
-        - Define MAC verification.</member>
-
-        <member><ulink url="manpages6/shorewall6-mangle.html">mangle</ulink> -
-        Supersedes tcrules and describes packet/connection marking.</member>
-
-        <member><ulink url="manpages6/shorewall6-masq.html">masq</ulink> -
-        Define Masquerade/SNAT</member>
-
-        <member><ulink url="manpages6/shorewall6-modules.html">modules</ulink>
-        - Specify which kernel modules to load.</member>
-
-        <member><ulink url="manpages6/shorewall6-nat.html">nat</ulink> -
-        (added in Shorewall 4.6.4) Specify 1:1 NAT</member>
-
-        <member><ulink url="manpages6/shorewall6-nesting.html">nesting</ulink>
-        - How to define nested zones.</member>
-
-        <member><ulink url="manpages6/shorewall6-params.html">params</ulink> -
-        Assign values to shell variables used in other files.</member>
-
-        <member><ulink url="manpages6/shorewall6-policy.html">policy</ulink> -
-        Define high-level policies for connections between zones.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-providers.html">providers</ulink> - Define
-        routing tables, usually for multiple Internet links.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-proxyndp.html">proxyndp</ulink> - Defines
-        Proxy NDP</member>
-
-        <member><ulink url="manpages6/shorewall6-rtrules.html">rtrules</ulink>
-        - Define routing rules.</member>
-
-        <member><ulink url="manpages6/shorewall6-routes.html">routes</ulink> -
-        (Added in Shorewall 4.4.15) Add additional routes to provider routing
-        tables.</member>
-
-        <member><ulink url="manpages6/shorewall6-rules.html">rules</ulink> -
-        Specify exceptions to policies, including DNAT and REDIRECT.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-secmarks.html">secmarks</ulink> - Attached
-        an SELinux context to a packet.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-stoppedrules.html">stoppedrules</ulink> -
-        Specify connections to be permitted when Shorewall6 is in the stopped
-        state (Added in Shoreall 4.5.8).</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-tcclasses.html">tcclasses</ulink> - Define
-        htb classes for traffic shaping.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-tcdevices.html">tcdevices</ulink> - Specify
-        speed of devices for traffic shaping.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-tcinterfaces.html">tcinterfaces</ulink> -
-        Specify interfaces for simplified traffic shaping.</member>
-
-        <member><ulink url="manpages6/shorewall6-tcpri.html">tcpri</ulink> -
-        Classify traffic for simplified traffic shaping.</member>
-
-        <member><ulink url="manpages6/shorewall6-tunnels.html">tunnels</ulink>
-        - Define VPN connections with endpoints on the firewall.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink> - Specify
-        values for global Shorewall6 options.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>
-        - Specify values for global Shorewall6 Lite options.</member>
-
-        <member><ulink url="manpages6/shorewall6-vardir.html">vardir</ulink> -
-        Redefine the directory where Shorewall6 keeps its state
-        information.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-lite-vardir.html">vardir-lite</ulink> -
-        Redefine the directory where Shorewall6 Lite keeps its state
-        information.</member>
-
-        <member><ulink url="manpages6/shorewall6-zones.html">zones</ulink> -
-        Declare Shorewall6 zones.</member>
-      </simplelist>
-    </blockquote>
-  </section>
-
-  <section id="Section8">
-    <title>Section 8 — Administrative Commands</title>
-
-    <blockquote>
-      <simplelist>
-        <member><ulink url="manpages6/shorewall6.html">shorewall6</ulink> -
-        /sbin/shorewall6 command syntax and semantics.</member>
-
-        <member><ulink
-        url="manpages6/shorewall6-lite.html">shorewall6-lite</ulink> -
-        /sbin/shorewall6-lite command syntax and semantics.</member>
-      </simplelist>
-    </blockquote>
-  </section>
-</article>

docs/PacketMarking.xml

@@ -63,8 +63,7 @@
     <command>ethereal</command> or any other packet sniffing program. They can
     be seen in an iptables/ip6tables trace -- see the
     <command>iptrace</command> command in <ulink
-    url="manpages/shorewall.html">shorewall</ulink>(8) and <ulink
-    url="manpages6/shorewall6.html">shorewall6</ulink>(8).</para>
+    url="manpages/shorewall.html">shorewall</ulink>(8).</para>
 
     <para>Example (output has been folded for display ):</para>
 

docs/ProxyARP.xml

@@ -311,7 +311,7 @@ shorewall start</programlisting>
     <itemizedlist>
       <listitem>
         <para>The configuration file is /etc/shorewall6/proxyndp (see <ulink
-        url="manpages6/shorewall6-proxyndp.html">shorewall6-proxyndp
+        url="manpages/shorewall-proxyndp.html">shorewall6-proxyndp
         </ulink>(5)).</para>
       </listitem>
 

docs/SharedConfig.xml

@@ -348,7 +348,7 @@ ZONE_BITS=0
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
 #  Manpage also online at
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+#  http://www.shorewall.net/manpages/shorewall.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################

docs/configuration_file_basics.xml

@@ -283,8 +283,8 @@
 
         <listitem>
           <para><filename>/usr/share/shorewall/modules</filename> — Specifies
-          the kernel modules to be loaded during shorewall
-          start/restart.</para>
+          the kernel modules to be loaded during shorewall start/restart
+          (removed in Shorewall 5.2.3).</para>
         </listitem>
 
         <listitem>
@@ -802,9 +802,9 @@ DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting
         <term>INLINE</term>
 
         <listitem>
-          <para>INLINE, added in Shorewall 4. is available in the mangle, masq
-          and rules files and allows you to specify ip[6]table text following
-          a semicolon to the right of the column-oriented
+          <para>INLINE, added in Shorewall 4. is available in the mangle, snat
+          (masq) and rules files and allows you to specify ip[6]table text
+          following two semicolons to the right of the column-oriented
           specifications.</para>
 
           <para>INLINE takes one optional parameter which, if present, must be
@@ -856,9 +856,9 @@ INLINE               net              $FW ;; -m recent --rcheck 10 --hitcount 5
           support was extended to the conntrack file.</para>
 
           <caution>
-            <para>INLINE_MATCHES=Yes is deprecated and will no longer be
-            supported in Shorewall 5.2 and beyond. Use two adjacent semicolons
-            to introduce inline matches.</para>
+            <para>INLINE_MATCHES=Yes is deprecated and is not supported in
+            Shorewall 5.2 and beyond. Use two adjacent semicolons to introduce
+            inline matches.</para>
           </caution>
 
           <para>Example from the masq file that spits outgoing SNAT between

docs/docs-targetname

@@ -0,0 +1 @@
+5.2.3.7

docs/html.css

@@ -1,48 +1,188 @@
-div.informalexample        { background-color: #d5dee3;
-                             border-top-width: 2px;
-                             border-top-style: double;
-                             border-top-color: #d3d3d3;
-                             border-bottom-width: 2px;
-                             border-bottom-style: double;
-                             border-bottom-color: #d3d3d3;
-                             padding: 4px;
-                             margin: 0em;
-                             margin-left: 2em;
-                           }
+/* global styles */
+body {
+  font-family: sans-serif;
+}
+div {
+  border: 0;
+  padding: 0.5em;
+}
+img {
+  border: 0;
+}
+hr {
+  color: #8b8b8b;
+}
+h4 {
+  text-align: center;
+  font-weight: bold;
+  padding: 0.25em 0.5em;
+  margin: 0 0 1px;
+}
+.quote {
+  font-style: italic;
+  text-align: center;
+}
+.strong {
+  font-weight: bold;
+}
+.warning {
+  font-weight: bold;
+  color: #ff0000;
+}
+a {
+  display: block;
+  border-width: 0;
+  text-decoration: none;
+  color: #0060b5;
+  background: #ffffff;
+}
+a:hover {
+  color: #ffffff;
+  background: #0060b5;
+}
+/* header styles */
+div#header {
+  position: absolute;
+  font-size: small;
+  top: 0;
+  left: 0;
+  height: 100px;
+  width: 95%;
+  margin: 10px;
+}
+div#header p {
+  text-align: center;
+}
+div#header div#search-form {
+  float: left;
+  margin: 0;
+  padding: 0;
+}
+div#header div#search-form input#search-text {
+  background-color: #ffffff;
+  color: #0060b5;
+  font-size: small;
+  border: 1px solid;
+  vertical-align: middle;
+}
+div#header div#search-form input#submit-button {
+  background-color: #ffffff;
+  color: #0060b5;
+  font-size: small;
+  font-weight: bold;
+  -moz-border-radius: 5px;
+  -webkit-border-radius: 5px;
+  border-radius:6px;
+  text-decoration: none;
+  cursor: pointer;
+  border: 1px solid;
+  vertical-align: middle;
+}
+div#header div#search-form input#submit-button:hover {
+  border: 1px solid;
+  background-color: #0060b5;
+  color: #ffffff;
+  box-shadow: 0px 0px 1px #777;
+}
+div#header div#ml-search {
+  float: right;
+  margin: 0;
+  padding: 0;
+}
+div#header div#logo {
+  margin: 0;
+  padding: 0;
+  clear: both;
+}
+/* sidebar styles */
+div#sidebar {
+  position: fixed;
+  top: 125px;
+  left: 0;
+  width: 15%;
+  margin: 10px;
+  font-size: small;
+}
+div#sidebar:hover {
+  background-position: 0px 0px;
+}
+div#sidebar a {
+  text-align: center;
+  -moz-border-radius: 5px;
+  -webkit-border-radius: 5px;
+  border-radius:6px;
+}
+/* menu styles */
+/* main panel styles */
+div#main {
+  position: absolute;
+  top: 150px;
+  left: 16%;
+  width: 62%;
+  margin: 10px;
+}
+div#main a {
+  display: inline;
+  padding: 0;
+}
+div#main a:hover {
+  color: #0060b5;
+  background: #ffffff;
+  text-decoration: underline;
+}
+/* content styles */
+div#content div {
+  padding: 0;
+}
+div#content code, pre {
+  font: 100% monospace;
+}
+div#content table {
+  width: 100%;
+}
+div#content table#changelog {
+  font-size: x-small;
+}
+/* footer styles */
+div#footer p {
+  text-align: center;
+  font-size: small;
+}
+div#footer table {
+  margin-left: auto;
+  margin-right: auto;
+}
+/* doc panel styles */
+div#doc {
+  float: right;
+  top: 125px;
+  left: 80%;
+  width: 15%;
+  margin: 125px 10px 10px 10px;
+  font-size: small;
+}
+div#doc:hover {
+  background-position: 0px 0px;
+}
+div#doc a {
+  padding: 0 5px 0 5px;
+  -moz-border-radius: 5px;
+  -webkit-border-radius: 5px;
+  border-radius:6px;
+}
+div#doc p.go-top, div#doc p.go-top a, div#doc p.go-top a:hover {
+  opacity: 0.75;
+  filter:alpha(opacity=75); /* For IE8 and earlier */
+  position: fixed;
+  bottom: 0.5em;
+  right: 0.5em;
+  text-decoration: none;
+  font-size: small;
+  padding: 0;
+  display: block;
+}
+div#doc p.go-top a:hover {
+  opacity: 1.0;
+  filter:alpha(opacity=100); /* For IE8 and earlier */
+}
 
-pre.programlisting         { whitespace: pre;
-                             font-family: monospace;
-                             background-color: #BEE1F6;
-                             border-top-width: 1px;
-                             border-top-style: single;
-                             border-top-color: #d3d3d3;
-                             border-bottom-width: 1px;
-                             border-bottom-style: single;
-                             border-bottom-color: #d3d3d3;
-                             padding: 4px;
-                             margin: 0em;
-                           }
-
-div.sidebar         	{ whitespace: pre;
-                             font-family: monospace;
-                             background-color: #A6D5EC;
-                             border-top-width: 1px;
-                             border-top-style: single;
-                             border-top-color: #d3d3d3;
-                             border-bottom-width: 1px;
-                             border-bottom-style: single;
-                             border-bottom-color: #d3d3d3;
-                             padding: 4px;
-                             margin: 0em;
-                           }
-
-div.informalexample pre    { whitespace: pre;
-                             font-family: monospace;
-                             border-top-width: 0px;
-                             border-bottom-width: 0px;
-                             padding: 0px;
-                           }
-
-div.caution h3            { color:#CC3333; }
-
-div.note h3               { color:#000066; }

docs/images/docs-images-targetname

@@ -0,0 +1 @@
+5.2.3.7

docs/ipsets.xml

@@ -28,6 +28,8 @@
 
       <year>2017</year>
 
+      <year>2019</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -182,7 +184,7 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
     together with the ipsets supporting dynamic zones are saved. Shorewall6
     support for the SAVE_IPSETS option was also added in 4.6.4. When
     SAVE_IPSETS=Yes in <ulink
-    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, only ipv6
+    url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>, only ipv6
     ipsets are saved. For Shorewall, if SAVE_IPSETS=ipv4 in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>, then only
     ipv4 ipsets are saved. Both features require ipset version 5 or
@@ -201,9 +203,9 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
     <para>Ipset support in Shorewall6 was added in Shorewall 4.4.21.</para>
 
     <para>Beginning with Shorewall 4.6.4, SAVE_IPSETS is available in <ulink
-    url="manpages6/shorewall6.conf.html">shorewall6-conf(5)</ulink>. When set
-    to Yes, the ipv6 ipsets will be saved. You can also save selective ipsets
-    by setting SAVE_IPSETS to a comma-separated list of ipset names.</para>
+    url="manpages/shorewall.conf.html">shorewall6-conf(5)</ulink>. When set to
+    Yes, the ipv6 ipsets will be saved. You can also save selective ipsets by
+    setting SAVE_IPSETS to a comma-separated list of ipset names.</para>
 
     <para>Prior to Shorewall 4.6.4, SAVE_IPSETS=Yes in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> won't work
@@ -221,7 +223,7 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
 
     <para>If you configure SAVE_IPSETS in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and/or <ulink
-    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink> then do
-    not set SAVE_IPSETS in shorewall-init.</para>
+    url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> then do not
+    set SAVE_IPSETS in shorewall-init.</para>
   </section>
 </article>

docs/shorewall_logging.xml

@@ -431,7 +431,7 @@ sync=1</programlisting>
     <para>Beginning with Shorewall 4.6.4, you can configure the backend using
     the LOG_BACKEND option in <ulink
     url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
-    url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
+    url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>.</para>
   </section>
 
   <section id="Syslog-ng">
@@ -477,7 +477,7 @@ sync=1</programlisting>
 
       <para>By setting the LOGTAGONLY option to Yes in <ulink
       url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> or <ulink
-      url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>, the
+      url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>, the
       disposition ('DROP' in the above example) will be omitted. Consider the
       following rule:</para>
 
@@ -511,7 +511,7 @@ REJECT(icmp-proto-unreachable):notice:IPv6,tunneling loc             net
 
       <para><ulink
       url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink> and <ulink
-      url="manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink> have a
+      url="manpages/shorewall.conf.html">shorewall6.conf(5)</ulink> have a
       number of options whose values are log levels. Beginning with Shorewall
       5.0.0, these specifcations may include a log tag as described <link
       linkend="LogTags">above</link>.</para>

docs/traffic_shaping.xml

@@ -1049,7 +1049,7 @@ SAVE     0.0.0.0/0      0.0.0.0/0       all        -             -        -
 
         <listitem>
           <para>Set TC_ENABLED=Shared in <ulink
-          url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
+          url="manpages/shorewall.conf.html">shorewall6.conf</ulink>
           (5).</para>
         </listitem>
 

docs/upgrade_issues.xml

@@ -771,7 +771,7 @@
         <para>If your <ulink
         url="manpages/shorewall-params.html">/etc/shorewall/params</ulink> (or
         <ulink
-        url="manpages6/shorewall6-params.html">/etc/shorewall6/params</ulink>)
+        url="manpages/shorewall-params.html">/etc/shorewall6/params</ulink>)
         file sends output to Standard Output, you need to be aware that the
         output will be redirected to Standard Error beginning with Shorewall
         4.4.16.</para>
@@ -782,7 +782,7 @@
         deprecated. With EXPORTPARAMS=No, the variables set by <ulink
         url="manpages/shorewall-params.html">/etc/shorewall/params</ulink>
         (<ulink
-        url="manpages6/shorewall6-params.html">/etc/shorewall6/params</ulink>)
+        url="manpages/shorewall-params.html">/etc/shorewall6/params</ulink>)
         at compile time are now available in the compiled firewall
         script.</para>
       </listitem>

docs/useful_links.xml

@@ -10,7 +10,9 @@
     <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
 
     <copyright>
-      <year>2003-2009</year>
+      <year>2003-2013</year>
+
+      <year>2019</year>
 
       <holder>Thomas M. Eastep</holder>
     </copyright>
@@ -79,7 +81,7 @@
 
         <row rowsep="0" valign="middle">
           <entry>Debian apt-get sources for Shorewall: <ulink
-          url="http://people.connexer.com/~roberto/debian/"></ulink>http://people.connexer.com/~roberto/debian/</entry>
+          url="http://people.connexer.com/~roberto/debian/">http://people.connexer.com/~roberto/debian/</ulink></entry>
         </row>
 
         <row rowsep="0" valign="middle">
@@ -88,45 +90,51 @@
         </row>
 
         <row rowsep="0" valign="middle">
-          <entry>Tom's 2005 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2005 LinuxFest NW Presentation - "Shorewall and Native
+          IPsec" : <ulink
           url="http://www.shorewall.net/LinuxFest2005.pdf">http://www.shorewall.net/LinuxFest2005.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2006 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2006 LinuxFest NW Presentation - "OpenVPN" : <ulink
           url="http://www.shorewall.net/LinuxFest2006.pdf">http://www.shorewall.net/LinuxFest2006.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2007 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2007 LinuxFest NW Presentation - "Xen and the Art of
+          Consolidation" : <ulink
           url="http://www.shorewall.net/Linuxfest-2007.pdf">http://www.shorewall.net/Linuxfest-2007.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2008 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2008 LinuxFest NW Presentation - "Kernel-mode Virtual
+          Machine (KVM)" : <ulink
           url="http://www.shorewall.net/Linuxfest-2008.pdf">http://www.shorewall.net/Linuxfest-2008.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2009 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2009 LinuxFest NW Presentation - "Introduction to IPv6"
+          : <ulink
           url="http://www.shorewall.net/Linuxfest-2009.pdf">http://www.shorewall.net/LinuxFestNW-2009.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2010 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2010 LinuxFest NW Presentation - "Managing Multiple
+          Internet Connections with Shorewall" : <ulink
           url="http://www.shorewall.net/LinuxfestNW-2010.pdf">http://www.shorewall.net/LinuxFestNW-2010.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2011 LinuxFest NW Presentation: <ulink
+          <entry>Tom's 2011 LinuxFest NW Presentation - "LXC - Linux
+          Containers" : <ulink
           url="http://www.shorewall.net/Linuxfest2011.pdf">http://www.shorewall.net/LinuxFest2011.pdf</ulink></entry>
         </row>
 
         <row>
-          <entry>Tom's 2013 SeaGL Presentation: <ulink
+          <entry>Tom's 2013 SeaGL Presentation - "AN INTRODUCTION TO LINUX
+          POLICY ROUTING" : <ulink
           url="http://www.shorewall.net/SeaGL2013.pdf">http://www.shorewall.net/SeaGL2013.pdf</ulink></entry>
         </row>
-
       </tbody>
     </tgroup>
   </informaltable>