IPv6 Samples use logical interface names

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/configure

@@ -1,8 +1,8 @@
 #!/bin/bash
 #
-#     Shorewall Packet Filtering Firewall configuration program - V5.2
+#     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
 #
-#     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
@@ -109,9 +109,6 @@ if [ -z "$vendor" ]; then
 	    opensuse)
 		vendor=suse
 		;;
-	    alt|basealt|altlinux)
-		vendor=alt
-		;;
 	    *)
 		vendor="$ID"
 		;;
@@ -135,8 +132,6 @@ if [ -z "$vendor" ]; then
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
 		ls -l /sbin/init | fgrep -q systemd &&  rcfile=shorewallrc.debian.systemd || rcfile=shorewallrc.debian.sysvinit
-	    elif [ -f /etc/altlinux-release ] ; then
-		params[HOST]=alt
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat

Shorewall-core/configure.pl

@@ -1,6 +1,6 @@
 #! /usr/bin/perl -w
 #
-#     Shorewall Packet Filtering Firewall configuration program - V5.2
+#     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
 #
 #     (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
 #
@@ -74,8 +74,6 @@ unless ( defined $vendor ) {
 	} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
 	    my $init = `ls -l /sbin/init`;
 	    $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
-	} elsif ( $id eq 'alt' || $id eq 'basealt' || $id eq 'altlinux' ) {
-	    $vendor = 'alt';
 	} else {
 	    $vendor = $id;
 	}
@@ -119,9 +117,6 @@ if ( defined $vendor ) {
 	} else {
 	    $rcfilename = 'shorewallrc.debian.sysvinit';
 	}
-    } elsif ( -f '/etc/altlinux-release' ){
-	$vendor = 'alt';
-	$rcfilename = 'shorewallrc.alt';
     } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';

Shorewall-core/install.sh

@@ -2,7 +2,7 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -172,9 +172,6 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
-		    alt|basealt|altlinux)
-			BUILD=alt
-			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -183,8 +180,6 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
-	    elif [ -f /etc/altlinux-release ]; then
-		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/slackware-version ] ; then
@@ -243,7 +238,7 @@ case "$HOST" in
     apple)
 	echo "Installing Mac-specific configuration...";
 	;;
-    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt|alt)
+    debian|gentoo|redhat|slackware|archlinux|linux|suse|openwrt)
 	;;
     *)
 	fatal_error "Unknown HOST \"$HOST\""
@@ -340,8 +335,9 @@ for f in lib.* ; do
 done
 
 if [ $SHAREDIR != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/shorewall/lib.cli
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.core
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.cli
 fi
 
 #

Shorewall-core/lib.base

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.base
+# Shorewall 5.1 -- /usr/share/shorewall/lib.base
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-core/lib.cli

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.cli
+# Shorewall 5.0 -- /usr/share/shorewall/lib.cli.
 #
-#     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=50200
+SHOREWALL_CAPVERSION=50106
 
 if [ -z "$g_basedir" ]; then
     #
@@ -47,10 +47,6 @@ startup_error() {
     exit 1
 }
 
-only_root() {
-    [ "$(id -u)" != 0 ] && fatal_error "The '$COMMAND' command may only be run by root"
-}
-
 #
 # Display a chain if it exists
 #
@@ -87,8 +83,6 @@ showchain() # $1 = name of chain
 #
 validate_restorefile() # $* = label
 {
-    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
-
     case $RESTOREFILE in
 	*/*)
 	    error_message "ERROR: $@ must specify a simple file name: $RESTOREFILE"
@@ -417,9 +411,9 @@ resolve_arptables() {
 savesets() {
     local supported
 
-    supported=$(run_it $g_firewall help | fgrep savesets )
+    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
 
-    [ -n "$supported" ] && run_it $g_firewall savesets ${g_restorepath}-ipsets 
+    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets 
 }
 
 #
@@ -428,9 +422,9 @@ savesets() {
 savesets1() {
     local supported
 
-    supported=$(run_it $g_firewall help | fgrep savesets )
+    supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
 
-    [ -n "$supported" ] && run_it $g_firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
+    [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
 }
 
 #
@@ -441,9 +435,9 @@ do_save() {
     local arptables
     status=0
 
-    if [ -f $g_firewall ]; then
+    if [ -f ${VARDIR}/firewall ]; then
 	if $iptables_save | grep -v -- '-A dynamic.* -j ACCEPT' > ${VARDIR}/restore-$$; then
-	    cp -f $g_firewall $g_restorepath
+	    cp -f ${VARDIR}/firewall $g_restorepath
 	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
 	    chmod 700 $g_restorepath
 	    chmod 600 ${g_restorepath}-iptables
@@ -455,7 +449,7 @@ do_save() {
 	    status=1
 	fi
     else
-	echo "   ERROR: $g_firewall does not exist" >&2
+	echo "   ERROR: ${VARDIR}/firewall does not exist" >&2
 	status=1
     fi
 
@@ -640,7 +634,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -6 -o route list table $table | grep -vF cache | sort_routes
+		ip -$g_family -o route list table $table | grep -vF cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -653,7 +647,7 @@ show_routing() {
     else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -6 -o route list | grep -vF cache | sort_routes
+	    ip -$g_family -o route list | grep -vF cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
@@ -1191,32 +1185,6 @@ show_ipsec_command() {
     show_ipsec
 }
 
-show_saves_command() {
-    local f
-    local fn
-    local mtime
-
-    echo "$g_product $SHOREWALL_VERSION Saves at $g_hostname - $(date)"
-    echo "Saved snapshots are:"
-    echo
-
-    for f in ${VARDIR}/*-iptables; do
-	case $f in
-	    *\**)
-	        ;;
-	    *)
-		fn=$(basename $f)
-		fn=${fn%-iptables}
-		mtime=$(ls -lt $f | tail -n 1 | cut -d ' ' -f '6 7 8' )
-		[ $fn = "$RESTOREFILE" ] && fn="$fn (default)"
-		echo "   $mtime ${fn%-iptables}"
-		;;
-	esac
-    done
-
-    echo
-}
-
 #
 # Show Command Executor
 #
@@ -1235,7 +1203,6 @@ show_command() {
     show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
 	if [ -n "$foo" ]; then
-	    macro=$(basename $macro)
 	    macro=${macro#*.}
 	    foo=${foo%.*}
 	    if [ ${#macro} -gt 5 ]; then
@@ -1330,47 +1297,37 @@ show_command() {
 
     [ -n "$g_debugging" ] && set -x
 
-    COMMAND="$COMMAND $1"
-
     case "$1" in
 	connections)
-	    only_root
 	    eval show_connections $@ $g_pager
 	    ;;
 	nat)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_nat $g_pager
 	    ;;
 	raw)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_raw $g_pager
 	    ;;
 	tos|mangle)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_mangle $g_pager
 	    ;;
 	log)
 	    [ $# -gt 2 ] && too_many_arguments $2
 
-	    only_root
 	    setup_logread
 	    eval show_log $g_pager
 	    ;;
 	tc)
-	    only_root
 	    [ $# -gt 2 ] && too_many_arguments $2
 	    eval show_tc $@ $g_pager
 	    ;;
 	classifiers|filters)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_classifiers_command $g_pager
 	    ;;
 	zones)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    if [ -f ${VARDIR}/zones ]; then
 		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
@@ -1394,7 +1351,6 @@ show_command() {
 	    fi
 	    ;;
 	capabilities)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    determine_capabilities
 	    VERBOSITY=2
@@ -1431,50 +1387,33 @@ show_command() {
 	    fi
 	    ;;
 	chain)
-	    only_root
 	    shift
 	    eval show_chain $@ $g_pager
 	    ;;
 	vardir)
 	    echo $VARDIR;
 	    ;;
-        rc)
-            shift
-	    [ $# -gt 1 ] && too_many_arguments $2
-            if [ -n "$1" -a -d "$1" ]; then
-                cat $1/shorewallrc
-            elif [ -n "$g_basedir" -a -d "$g_basedir" ]; then
-                cat $g_basedir/shorewallrc
-            else
-                fatal_error "Can not determine the location of the shorewallrc file."
-            fi
-            ;;
 	policies)
-	    only_root
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_policies $g_pager
 	    ;;
 	ipa)
-	    only_root
 	    [ $g_family -eq 4 ] || fatal_error "'show ipa' is now available in $g_product"
 	    [ $# -gt 1 ] && too_many_arguments $2
 	    eval show_ipa $g_pager
 	    ;;
 	marks)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    eval show_nfacct_command $g_pager
 	    ;;
 	arptables)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    resolve_arptables
 	    if [ -n "$arptables" -a -x $arptables ]; then
 		eval show_arptables $g_pager
@@ -1484,7 +1423,6 @@ show_command() {
 	    ;;
 	event)
 	    [ $# -gt 1 ] || too_many_arguments $2
-	    only_root
 	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
 	    echo
 	    shift
@@ -1492,18 +1430,14 @@ show_command() {
 	    ;;
 	events)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    eval show_events_command $g_pager
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
-	    setup_dbl
 	    eval show_blacklists $g_pager
 	    ;;
 	opens)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    echo "$g_product $SHOREWALL_VERSION Temporarily opened connections at $g_hostname - $(date)"
 
 	    if chain_exists dynamic; then
@@ -1514,13 +1448,8 @@ show_command() {
 	    ;;
 	ipsec)
 	    [ $# -gt 1 ] && too_many_arguments $2
-	    only_root
 	    eval show_ipsec_command $g_pager
 	    ;;
-	saves)
-	    [ $# -gt 1 ] && too_many_arguments $2
-	    show_saves_command
-	    ;;
 	*)
 	    case "$PRODUCT" in
 		*-lite)
@@ -1567,8 +1496,6 @@ show_command() {
 		    ;;
 	    esac
 
-	    only_root
-
 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
@@ -1886,7 +1813,7 @@ do_dump_command() {
 
     echo
 
-    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netstat -tunap; }
+    qt mywhich ss && ss -${g_family}tunap || { qt mywhich netstat && netatat -tunap; }
 
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -2000,6 +1927,41 @@ show_proc() # $1 = name of a file
     [ -f $1 ] && echo "   $1 = $(cat $1)"
 }
 
+read_yesno_with_timeout() {
+    local timeout
+    timeout=${1:-60}
+
+    case $timeout in
+	*s)
+	    ;;
+	*m)
+	    timeout=$((${timeout%m} * 60))
+	    ;;
+	*h)
+	    timeout=$((${timeout%h} * 3600))
+	    ;;
+    esac
+
+    read -t $timeout yn 2> /dev/null
+    if [ $? -eq 2 ]
+    then
+	# read doesn't support timeout
+	test -x /bin/bash || return 2 # bash is not installed so the feature is not available
+	/bin/bash -c "read -t $timeout yn ; if [ \"\$yn\" == \"y\" ] ; then exit 0 ; else exit 1 ; fi" # invoke bash and use its version of read
+	return $?
+    else
+	# read supports timeout
+	case "$yn" in
+	    y|Y)
+		return 0
+		;;
+	    *)
+		return 1
+		;;
+	esac
+    fi
+}
+
 #
 # Create the appropriate -q option to pass onward
 #
@@ -2583,114 +2545,109 @@ hits_command() {
     fi
 }
 
-#
-# Issue an error message and terminate if the firewall isn't started
-#
-require_started() {
-    if ! product_is_started; then
-	error_message "ERROR: $g_product is not started"
-	exit 2
-    fi
-}
-
 #
 # 'allow' command executor
 #
 allow_command() {
 
-    local allowed
-    local which
-    which='-s'
-    local range
-    range='--src-range'
-    local dynexists
-
     [ -n "$g_debugging" ] && set -x
     [ $# -eq 1 ] && missing_argument
 
-    if [ -n "$g_blacklistipset" ]; then
-	case ${IPSET:=ipset} in
-	    */*)
-		if [ ! -x "$IPSET" ]; then
-		    fatal_error "IPSET=$IPSET does not exist or is not executable"
-		fi
-		;;
-	    *)
-		IPSET="$(mywhich $IPSET)"
-		[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
-		;;
-	esac
-    fi
+    if product_is_started ; then
+	local allowed
+	local which
+	which='-s'
+	local range
+	range='--src-range'
+	local dynexists
 
-    if chain_exists dynamic; then
-	dynexists=Yes
-    elif [ -z "$g_blacklistipset" ]; then
-	require_started
-	fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
-    fi
+	if [ -n "$g_blacklistipset" ]; then
 
-    [ -n "$g_nolock" ] || mutex_on
-
-    while [ $# -gt 1 ]; do
-	shift
-
-	allowed=''
-
-	case $1 in
-	    from)
-		which='-s'
-		range='--src-range'
-		continue
-		;;
-	    to)
-		which='-d'
-		range='--dst-range'
-		continue
-		;;
-	    *-*)
-		if [ -n "$g_blacklistipset" ]; then
-		    if qt $IPSET -D $g_blacklistipset $1; then
-			allowed=Yes
+	    case ${IPSET:=ipset} in
+		*/*)
+		    if [ ! -x "$IPSET" ]; then
+			fatal_error "IPSET=$IPSET does not exist or is not executable"
 		    fi
-		fi
-
-		if [ -n "$dynexists" ]; then
-		    if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
-			qt $g_tool -D dynamic -m iprange $range $1 -j logreject
-		    then
-			allowed=Yes
-		    fi
-		fi
-		;;
-	    *)
-		if [ -n "$g_blacklistipset" ]; then
-		    if qt $IPSET -D $g_blacklistipset $1; then
-			allowed=Yes
-		    fi
-		fi
-
-		if [ -n "$dynexists" ]; then
-		    if  qt $g_tool -D dynamic $which $1 -j reject    ||\
-		        qt $g_tool -D dynamic $which $1 -j DROP      ||\
-			qt $g_tool -D dynamic $which $1 -j logdrop   ||\
-			qt $g_tool -D dynamic $which $1 -j logreject
-		    then
-			allowed=Yes
-		    fi
-		fi
-		;;
-	esac
-
-	if [ -n "$allowed" ]; then
-	    progress_message2 "$1 Allowed"
-	else
-	    error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
+		    ;;
+		*)
+		    IPSET="$(mywhich $IPSET)"
+		    [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+		    ;;
+	    esac
 	fi
-    done
 
-    [ -n "$g_nolock" ] || mutex_off
+	if chain_exists dynamic; then
+	    dynexists=Yes
+	elif [ -z "$g_blacklistipset" ]; then
+	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
+	fi
+
+	[ -n "$g_nolock" ] || mutex_on
+
+	while [ $# -gt 1 ]; do
+	    shift
+
+	    allowed=''
+
+	    case $1 in
+		from)
+		    which='-s'
+		    range='--src-range'
+		    continue
+		    ;;
+		to)
+		    which='-d'
+		    range='--dst-range'
+		    continue
+		    ;;
+		*-*)
+		    if [ -n "$g_blacklistipset" ]; then
+			if qt $IPSET -D $g_blacklistipset $1; then
+			    allowed=Yes
+			fi
+		    fi
+
+		    if [ -n "$dynexists" ]; then
+			if  qt $g_tool -D dynamic -m iprange $range $1 -j reject    ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j DROP      ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j logdrop   ||\
+			    qt $g_tool -D dynamic -m iprange $range $1 -j logreject
+			then
+			    allowed=Yes
+			fi
+		    fi
+		    ;;
+		*)
+		    if [ -n "$g_blacklistipset" ]; then
+			if qt $IPSET -D $g_blacklistipset $1; then
+			    allowed=Yes
+			fi
+		    fi
+
+		    if [ -n "$dynexists" ]; then
+			if  qt $g_tool -D dynamic $which $1 -j reject    ||\
+			    qt $g_tool -D dynamic $which $1 -j DROP      ||\
+			    qt $g_tool -D dynamic $which $1 -j logdrop   ||\
+			    qt $g_tool -D dynamic $which $1 -j logreject
+			then
+			    allowed=Yes
+			fi
+		    fi
+		    ;;
+	    esac
+
+	    if [ -n "$allowed" ]; then
+		progress_message2 "$1 Allowed"
+	    else
+		error_message "WARNING: $1 already allowed (not dynamically blacklisted)"
+	    fi
+	done
+
+	[ -n "$g_nolock" ] || mutex_off
+    else
+	error_message "ERROR: $g_product is not started"
+	exit 2
+    fi
 }
 
 #
@@ -2766,7 +2723,7 @@ determine_capabilities() {
 	g_tool=$(mywhich $tool)
 
 	if [ -z "$g_tool" ]; then
-	    fatal_error "No executable $tool binary can be found on your PATH"
+	    fatal-error "No executable $tool binary can be found on your PATH"
 	fi
     fi
 
@@ -2810,6 +2767,7 @@ determine_capabilities() {
     LENGTH_MATCH=
     CLASSIFY_TARGET=
     ENHANCED_REJECT=
+    USEPKTTYPE=
     KLUDGEFREE=
     MARK=
     XMARK=
@@ -2905,7 +2863,6 @@ determine_capabilities() {
 		qt $g_tool -t nat -A $chain -j NETMAP --to 2001:470:B:227::/64 && NETMAP_TARGET=Yes
 	    fi
 	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
-	    qt $g_tool -t nat -L INPUT -n && NAT_INPUT_CHAIN=Yes
 	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
 	    qt $g_tool -t nat -F $chain
 	    qt $g_tool -t nat -X $chain
@@ -3156,6 +3113,7 @@ determine_capabilities() {
 	fi
     fi
 
+    qt $g_tool -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
     qt $g_tool -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
     qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
     qt $g_tool -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
@@ -3269,6 +3227,7 @@ report_capabilities_unsorted() {
 	report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
 	[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
     fi
+    report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
     report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
     report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
     report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
@@ -3278,8 +3237,8 @@ report_capabilities_unsorted() {
     [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option (REAP_OPTION)' $REAP_OPTION
     report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
     report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
-    report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
     if [ -n "$IPSET_MATCH" ]; then
+	report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
 	[ -n "$OLD_IPSET_MATCH" ]     && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)"           $OLD_IPSET_MATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Nomatch (IPSET_MATCH_NOMATCH)"   $IPSET_MATCH_NOMATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Counters (IPSET_MATCH_COUNTERS)" $IPSET_MATCH_COUNTERS
@@ -3372,7 +3331,6 @@ report_capabilities_unsorted() {
     report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
     report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
     report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
-    report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN
 
     echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
     echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3385,6 +3343,8 @@ report_capabilities() {
 	report_capabilities_unsorted | sort
     fi
 
+    [ -n "$PKTTYPE" ] || USEPKTTYPE=
+
 }
 
 report_capabilities_unsorted1() {
@@ -3401,6 +3361,7 @@ report_capabilities_unsorted1() {
     report_capability1 CONNTRACK_MATCH
     report_capability1 NEW_CONNTRACK_MATCH
     report_capability1 OLD_CONNTRACK_MATCH
+    report_capability1 USEPKTTYPE
     report_capability1 POLICY_MATCH
     report_capability1 PHYSDEV_MATCH
     report_capability1 PHYSDEV_BRIDGE
@@ -3478,7 +3439,6 @@ report_capabilities_unsorted1() {
     report_capability1 NETMAP_TARGET
     report_capability1 NFLOG_SIZE
     report_capability1 RESTORE_WAIT_OPTION
-    report_capability1 NAT_INPUT_CHAIN
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
@@ -3775,7 +3735,7 @@ ipcalc_command() {
     elif [ $# -eq 3 ]; then
 	address=$2
 	vlsm=$(ip_vlsm $3)
-    elif [ $# -eq 1 ]; then
+    elif [ $# -eq 0 ]; then
 	missing_argument
     else
 	too_many_arguments $4
@@ -3821,7 +3781,7 @@ iprange_command() {
 }
 
 ipdecimal_command() {
-    if [ $# -eq 1 ]; then
+    if [ $# eq 1 ]; then
 	missing_argument
     else
 	[ $# -eq 2 ] || too_many_arguments $3
@@ -3864,7 +3824,7 @@ noiptrace_command() {
 verify_firewall_script() {
     if [ ! -f $g_firewall ]; then
 	echo "   ERROR: $g_product is not properly installed" >&2
-	if [ -h $g_firewall ]; then
+	if [ -L $g_firewall ]; then
 	    echo "          $g_firewall is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
@@ -3964,7 +3924,7 @@ get_config() {
 
     ensure_config_path
 
-    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
 
     [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
@@ -4118,15 +4078,15 @@ start_command() {
 	rc=0
 	[ -n "$g_nolock" ] || mutex_on
 
-	if [ -x $g_firewall ]; then
-	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
+	if [ -x ${VARDIR}/firewall ]; then
+	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! ${VARDIR}/firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
 		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
 	    else
-		run_it $g_firewall $g_debugging start
+		run_it ${VARDIR}/firewall $g_debugging start
 	    fi
 	    rc=$?
 	else
-	    error_message "$g_firewall is missing or is not executable"
+	    error_message "${VARDIR}/firewall is missing or is not executable"
 	    mylogger kern.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
@@ -4255,11 +4215,11 @@ restart_command() {
 
     [ -n "$g_nolock" ] || mutex_on
 
-    if [ -x $g_firewall ]; then
-	run_it $g_firewall $g_debugging $COMMAND
+    if [ -x ${VARDIR}/firewall ]; then
+	run_it ${VARDIR}/firewall $g_debugging $COMMAND
 	rc=$?
     else
-	error_message "$g_firewall is missing or is not executable"
+	error_message "${VARDIR}/firewall is missing or is not executable"
 	mylogger kern.err "ERROR:$g_product $COMMAND failed"
 	rc=6
     fi
@@ -4269,10 +4229,10 @@ restart_command() {
 }
 
 run_command() {
-    if [ -x $g_firewall ] ; then
-	run_it $g_firewall $g_debugging $@
+    if [ -x ${VARDIR}/firewall ] ; then
+	run_it ${VARDIR}/firewall $g_debugging $@
     else
-	fatal_error "$g_firewall does not exist or is not executable"
+	fatal_error "${VARDIR}/firewall does not exist or is not executable"
     fi
 }
 
@@ -4330,6 +4290,7 @@ usage() # $1 = exit status
 
     echo "   open <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   reenable <interface>"
+    ecko "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
     echo "   reject <address> ..."
 
     if [ -n "$g_lite" ]; then
@@ -4339,11 +4300,9 @@ usage() # $1 = exit status
     fi
 
     if [ -z "$g_lite" ]; then
-	echo "   remote-getrc [ -T ] [ -c ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
-	echo "   remote-getcaps [ -T ] [ -R ] [ -r <root-name> ] [ [ -D ] <directory> ] [ <system> ]"
-	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
-	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
-	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] [ <system> ]"
+	echo "   remote-reload [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-restart [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
+	echo "   remote-start [ -n ] [ -s ] [ -c ] [ -r <root-name> ] [ -T ] [ -i ] [ <directory> ] <system>"
     fi
 
     echo "   reset [ <chain> ... ]"
@@ -4386,9 +4345,7 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] nfacct"
     echo "   [ show | list | ls ] opens"
     echo "   [ show | list | ls ] policies"
-    echo "   [ show | list | ls ] rc"
     echo "   [ show | list | ls ] routing"
-    echo "   [ show | list | ls ] saves"
     echo "   [ show | list | ls ] tc [ device ]"
     echo "   [ show | list | ls ] vardir"
     echo "   [ show | list | ls ] zones"
@@ -4437,6 +4394,7 @@ shorewall_cli() {
     g_use_verbosity=
     g_debug=
     g_export=
+    g_refreshchains=:none:
     g_confess=
     g_update=
     g_annotate=
@@ -4455,7 +4413,6 @@ shorewall_cli() {
     g_nopager=
     g_blacklistipset=
     g_disconnect=
-    g_havemutex=
 
     VERBOSE=
     VERBOSITY=1
@@ -4628,14 +4585,12 @@ shorewall_cli() {
 
     case "$COMMAND" in
 	start)
-	    only_root
 	    get_config Yes Yes
 	    shift
 	    start_command $@
 	    ;;
 	stop|clear)
 	    [ $# -ne 1 ] && too_many_arguments $2
-	    only_root
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4643,7 +4598,6 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reset)
-	    only_root
 	    get_config
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4652,22 +4606,19 @@ shorewall_cli() {
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reload|restart)
-	    only_root
 	    get_config Yes Yes
 	    shift
 	    restart_command $@
 	    ;;
 	disable|enable|reenable)
-	    only_root
 	    get_config Yes
 	    if product_is_started; then
-		run_it $g_firewall $g_debugging $@
+		run_it ${VARDIR}/firewall $g_debugging $@
 	    else
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
 	blacklist)
-	    only_root
 	    get_config Yes
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
@@ -4676,7 +4627,6 @@ shorewall_cli() {
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
-	    only_root
 	    get_config Yes
 	    run_command $@
 	    ;;
@@ -4686,20 +4636,18 @@ shorewall_cli() {
     	    show_command $@
 	    ;;
 	status)
-	    only_root
+	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
 	    shift
 	    status_command $@
 	    ;;
 	dump)
-	    only_root
 	    get_config Yes No Yes
     	    shift
     	    dump_command $@
 	    ;;
 	hits)
 	    [ $g_family -eq 6 ] && fatal_error "$g_product does not support the hits command"
-	    only_root
 	    get_config Yes No Yes
 	    [ -n "$g_debugging" ] && set -x
 	    shift
@@ -4710,63 +4658,53 @@ shorewall_cli() {
 	    version_command $@
 	    ;;
 	logwatch)
-	    only_root
 	    get_config Yes Yes Yes
 	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    drop_command $@
 	    ;;
 	logdrop)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    logdrop_command $@
 	    ;;
 	reject|logreject)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    [ $# -eq 1 ] && missing_argument
 	    reject_command $@
 	    ;;
 	open|close)
-	    only_root
 	    get_config
 	    shift
 	    open_close_command $@
 	    ;;
 	allow)
-	    only_root
 	    get_config
 	    allow_command $@
 	    ;;
 	add)
-	    only_root
 	    get_config
 	    shift
 	    add_command $@
 	    ;;
 	delete)
-	    only_root
 	    get_config
 	    shift
 	    delete_command $@
 	    ;;
 	save)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    save_command $@
 	    ;;
 	forget)
-	    only_root
 	    get_config
 	    forget_command $@
 	    ;;
@@ -4783,13 +4721,11 @@ shorewall_cli() {
 	    ipdecimal_command $@
 	    ;;
 	restore)
-	    only_root
 	    get_config
 	    shift
 	    restore_command $@
             ;;
 	call)
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    #
@@ -4827,20 +4763,17 @@ shorewall_cli() {
 	    usage
 	    ;;
 	iptrace)
-	    only_root
 	    get_config
 	    shift
 	    iptrace_command $@
 	    ;;
 	noiptrace)
-	    only_root
 	    get_config
 	    shift
 	    noiptrace_command $@
 	    ;;
 	savesets)
 	    [ $# -eq 1 ] || too_many_arguments $2
-	    only_root
 	    get_config
 	    [ -n "$g_debugging" ] && set -x
 	    savesets1

Shorewall-core/lib.common

@@ -1,7 +1,7 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.common
+# Shorewall 5.1 -- /usr/share/shorewall/lib.common.
 #
-#     (c) 2010-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2017 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -411,7 +411,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
     done
 
-    modules=$(find_file helpers)
+    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
 
     if [ -f $modules -a -n "$moduledirectories" ]; then
 	[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
@@ -419,7 +419,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	. $modules
 	if [ $savemoduleinfo = Yes ]; then
 	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir
+	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
 	    cp -f $modules ${VARDIR}/.modules
 	fi
     elif [ $savemoduleinfo = Yes ]; then
@@ -501,7 +501,7 @@ ip_network() {
 
 #
 # The following hack is supplied to compensate for the fact that many of
-# the popular light-weight Bourne shell derivatives do not support XOR ("^").
+# the popular light-weight Bourne shell derivatives don't support XOR ("^").
 #
 ip_broadcast() {
     local x
@@ -751,44 +751,36 @@ mutex_on()
     lockf=${LOCKFILE:=${VARDIR}/lock}
     local lockpid
     local lockd
-    local lockbin
-    local openwrt
 
     MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
 
-    if [ -z "$g_havemutex" -a $MUTEX_TIMEOUT -gt 0 ]; then
+    if [ $MUTEX_TIMEOUT -gt 0 ]; then
 
 	lockd=$(dirname $LOCKFILE)
 
 	[ -d "$lockd" ] || mkdir -p "$lockd"
 
-	lockbin=$(mywhich lock)
-	[ -n "$lockbin" -a -h "$lockbin" ] && openwrt=Yes
-
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
-	    if [ -z "$lockpid" ] || [ $lockpid = 0 ]; then
+	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
-	    elif [ -z "$openwrt" ]; then
-		if [ $lockpid -eq $$ ]; then
-                    fatal_error "Mutex_on confusion"
-		elif ! qt ps --pid ${lockpid}; then
-		    rm -f ${lockf}
-		    error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
-		fi
+	    elif [ $lockpid -eq $$ ]; then
+                return 0
+	    elif ! ps | grep -v grep | qt grep ${lockpid}; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
 	fi
 
-	if [ -n "$openwrt" ]; then
-	    lock ${lockf} || fatal_error "Can't lock ${lockf}"
-	    g_havemutex="lock -u ${lockf}"
-	elif qt mywhich lockfile; then
-	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf} || fatal_error "Can't lock ${lockf}"
-	    g_havemutex="rm -f ${lockf}"
+	if qt mywhich lockfile; then
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
+	elif qt mywhich lock; then
+            lock ${lockf}
+            chmod u=r ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -798,15 +790,10 @@ mutex_on()
 	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
 	        # Create the lockfile
 		echo $$ > ${lockf}
-		g_havemutex="rm -f ${lockf}"
 	    else
 		echo "Giving up on lock file ${lockf}" >&2
 	    fi
 	fi
-
-	if [ -n "$g_havemutex" ]; then
-	    trap mutex_off EXIT
-	fi
     fi
 }
 
@@ -815,10 +802,7 @@ mutex_on()
 #
 mutex_off()
 {
-    if [ -n "$g_havemutex" ]; then
-	eval $g_havemutex
-	g_havemutex=
-	trap '' exit
-    fi
+    [ -f ${CONFDIR}/rc.common ] && lock -u ${LOCKFILE:=${VARDIR}/lock}
+    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
 

Shorewall-core/lib.core

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.core
+# Shorewall 5.1 -- /usr/share/shorewall/lib.core
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-core/lib.installer

@@ -1,5 +1,6 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
+#
+# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)

Shorewall-core/lib.uninstaller

@@ -1,5 +1,6 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/lib.installer
+#
+# Shorewall 5.1 -- /usr/share/shorewall/lib.installer.
 #
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
@@ -60,7 +61,7 @@ mywhich() {
 remove_file() # $1 = file to remove
 {
     if [ -n "$1" ] ; then
-        if [ -f $1 -o -h $1 ] ; then
+        if [ -f $1 -o -L $1 ] ; then
             rm -f $1
             echo "$1 Removed"
         fi
@@ -84,7 +85,7 @@ remove_file_with_wildcard() # $1 = file with wildcard to remove
             if [ -d $f ] ; then
                 rm -rf $f
                 echo "$f Removed"
-            elif [ -f $f -o -h $f ] ; then
+            elif [ -f $f -o -L $f ] ; then
                 rm -f $f
                 echo "$f Removed"
             fi

Shorewall-core/manpages/shorewall.xml

@@ -405,6 +405,20 @@
       <replaceable>provider</replaceable> }</arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>options</arg>
+
+      <arg
+      choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg><option>-i</option></arg><arg>-<option>D</option>
+      <replaceable>directory</replaceable> </arg><arg
+      rep="repeat"><replaceable>chain</replaceable></arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
@@ -445,54 +459,6 @@
       <arg><replaceable>directory</replaceable></arg>
     </cmdsynopsis>
 
-    <cmdsynopsis>
-      <command>shorewall[6]</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>options</arg>
-
-      <arg choice="plain"><option>remote-getcaps</option></arg>
-
-      <arg><option>-s</option></arg>
-
-      <arg><option>-R</option></arg>
-
-      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
-
-      <arg><option>-T</option></arg>
-
-      <arg><option>-i</option></arg>
-
-      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
-
-      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
-    </cmdsynopsis>
-
-    <cmdsynopsis>
-      <command>shorewall[6]</command>
-
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>options</arg>
-
-      <arg choice="plain"><option>remote-getrc</option></arg>
-
-      <arg><option>-s</option></arg>
-
-      <arg><option>-c</option></arg>
-
-      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
-
-      <arg><option>-T</option></arg>
-
-      <arg><option>-i</option></arg>
-
-      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
-
-      <arg choice="plain"><arg><replaceable>system</replaceable></arg></arg>
-    </cmdsynopsis>
-
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
@@ -847,7 +813,7 @@
 
       <arg choice="req"><option>show | list | ls </option></arg>
 
-      <arg choice="plain"><option>saves</option></arg>
+      <arg choice="plain"><option>tc</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -1350,7 +1316,7 @@
           by the compiled script that executed the last successful <emphasis
           role="bold">start</emphasis>, <emphasis
           role="bold">restart</emphasis> or <emphasis
-          role="bold">reload</emphasis> command if that script exists.</para>
+          role="bold">refresh</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 
@@ -1807,6 +1773,63 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">refresh </emphasis> [-<option>n</option>]
+        [-<option>d</option>] [-<option>T</option>] [-i] [-<option>D
+        </option><replaceable>directory</replaceable> ] [
+        <replaceable>chain</replaceable>... ]</term>
+
+        <listitem>
+          <para>Not available with Shorewall[6]-lite.</para>
+
+          <para>All steps performed by <command>restart</command> are
+          performed by <command>refresh</command> with the exception that
+          <command>refresh</command> only recreates the chains specified in
+          the command while <command>restart</command> recreates the entire
+          Netfilter ruleset. If no <replaceable>chain</replaceable> is given,
+          the static blacklisting chain <emphasis
+          role="bold">blacklst</emphasis> is assumed.</para>
+
+          <para>The listed chains are assumed to be in the filter table. You
+          can refresh chains in other tables by prefixing the chain name with
+          the table name followed by ":" (e.g., nat:net_dnat). Chain names
+          which follow are assumed to be in that table until the end of the
+          list or until an entry in the list names another table. Built-in
+          chains such as FORWARD may not be refreshed.</para>
+
+          <para>The <option>-n</option> option was added in Shorewall 4.5.3
+          causes Shorewall to avoid updating the routing table(s).</para>
+
+          <para>The <option>-d</option> option was added in Shorewall 4.5.3
+          causes the compiler to run under the Perl debugger.</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
+
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <para>The <option>-D</option> option was added in Shorewall 4.5.3
+          and causes Shorewall to look in the given
+          <emphasis>directory</emphasis> first for configuration files.</para>
+
+          <para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
+
+          <para>The <emphasis role="bold">refresh</emphasis> command has
+          slightly different behavior. When no chain name is given to the
+          <emphasis role="bold">refresh</emphasis> command, the mangle table
+          is refreshed along with the blacklist chain (if any). This allows
+          you to modify <filename>/etc/shorewall/tcrules </filename>and
+          install the changes using <emphasis
+          role="bold">refresh</emphasis>.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">reject</emphasis><replaceable>
         address</replaceable></term>
@@ -1918,57 +1941,6 @@
         </listitem>
       </varlistentry>
 
-      <varlistentry>
-        <term><emphasis role="bold">remote-getcaps</emphasis>
-        [-<option>R</option>] [-<option>r</option>
-        <replaceable>root-user-name</replaceable>] [ [ -D ]
-        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable> ]</term>
-
-        <listitem>
-          <para>Added in Shoreall 5.2.0, this command executes <emphasis
-          role="bold">shorewall[6]-lite show capabilities -f &gt;
-          /var/lib/shorewall[6]-lite/capabilities</emphasis> on the remote
-          <replaceable>system</replaceable> via ssh then the generated file is
-          copied to <replaceable>directory</replaceable> on the local system.
-          If no <replaceable>directory</replaceable> is given, the current
-          working directory is assumed.</para>
-
-          <para>if <emphasis role="bold">-R</emphasis> is included, the remote
-          shorewallrc file is also copied to
-          <replaceable>directory</replaceable>.</para>
-
-          <para>If <option>-r</option> is included, it specifies that the root
-          user on <replaceable>system</replaceable> is named
-          <replaceable>root-user-name</replaceable> rather than "root".</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">remote-getrc</emphasis>
-        [-<option>c</option>] [-<option>r</option>
-        <replaceable>root-user-name</replaceable>] [ [ -D ]
-        <replaceable>directory</replaceable> ] [
-        <replaceable>system</replaceable> ]</term>
-
-        <listitem>
-          <para>Added in Shoreall 5.2.0, this command copies the shorewallrc
-          file from the remote <replaceable>system</replaceable> to
-          <replaceable>directory</replaceable> on the local system. If no
-          <replaceable>directory</replaceable> is given, the current working
-          directory is assumed.</para>
-
-          <para>if <emphasis role="bold">-c</emphasis> is included, the remote
-          capabilities are also copied to
-          <replaceable>directory</replaceable>, as is done by the
-          <command>remote-getcaps</command> command.</para>
-
-          <para>If <option>-r</option> is included, it specifies that the root
-          user on <replaceable>system</replaceable> is named
-          <replaceable>root-user-name</replaceable> rather than "root".</para>
-        </listitem>
-      </varlistentry>
-
       <varlistentry>
         <term><emphasis role="bold">remote-start</emphasis>
         [-<option>n</option>] [-<option>s</option>] [-<option>c</option>]
@@ -2020,9 +1992,9 @@
           role="bold">shorewall-lite save</emphasis> via ssh.</para>
 
           <para>if <emphasis role="bold">-c</emphasis> is included, the
-          command <emphasis role="bold">shorewall[6]-lite show capabilities -f
-          &gt; /var/lib/shorewall[6]-lite/capabilities</emphasis> is executed
-          via ssh then the generated file is copied to
+          command <emphasis role="bold">shorewall-lite show capabilities -f
+          &gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
+          ssh then the generated file is copied to
           <replaceable>directory</replaceable> using scp. This step is
           performed before the configuration is compiled.</para>
 
@@ -2033,6 +2005,13 @@
           <para>The <option>-T</option> option was added in Shorewall 4.5.3
           and causes a Perl stack trace to be included with each
           compiler-generated error and warning message.</para>
+
+          <para>The <option>-i</option> option was added in Shorewall 4.6.0
+          and causes a warning message to be issued if the current line
+          contains alternative input specifications following a semicolon
+          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
+          set to Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -2451,11 +2430,11 @@
         <replaceable>filename</replaceable> ]</term>
 
         <listitem>
-          <para>Creates a snapshot of the currently running firewall. The
-          dynamic blacklist is stored in /var/lib/shorewall/save. The state of
-          the firewall is stored in
+          <para>The dynamic blacklist is stored in /var/lib/shorewall/save.
+          The state of the firewall is stored in
           /var/lib/shorewall/<emphasis>filename</emphasis> for use by the
-          <emphasis role="bold">shorewall restore</emphasis> command. If
+          <emphasis role="bold">shorewall restore</emphasis> and <emphasis
+          role="bold">shorewall -f start</emphasis> commands. If
           <emphasis>filename</emphasis> is not given then the state is saved
           in the file specified by the RESTOREFILE option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
@@ -2758,15 +2737,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><emphasis role="bold">rc</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 5.2.0. Displays the contents of
-                $SHAREDIR/shorewall/shorewallrc.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term>[-<option>c</option>]<emphasis role="bold">
               routing</emphasis></term>
@@ -2792,20 +2762,6 @@
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term>saves</term>
-
-              <listitem>
-                <para>Added in Shorewall 5.2.0. Lists snapshots created by the
-                <command>save</command> command. Each snapshot is listed with
-                the date and time when it was taken. If there is a snapshot
-                with the name specified in the RESTOREFILE option in <ulink
-                url="shorewall.conf.html">shorewall.conf(5</ulink>), that
-                snapshot is listed as the <emphasis>default</emphasis>
-                snapshot for the <command>restore</command> command.</para>
-              </listitem>
-            </varlistentry>
-
             <varlistentry>
               <term><emphasis role="bold">tc</emphasis></term>
 
@@ -2965,7 +2921,7 @@
           by the compiled script that executed the last successful <emphasis
           role="bold">start</emphasis>, <emphasis
           role="bold">restart</emphasis> or <emphasis
-          role="bold">reload</emphasis> command if that script exists.</para>
+          role="bold">refresh</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 
@@ -3216,38 +3172,30 @@
   <refsect1>
     <title>FILES</title>
 
-    <para>/etc/shorewall/*</para>
+    <para>/etc/shorewall/</para>
 
-    <para>/etc/shorewall6/*</para>
+    <para>/etc/shorewall6/</para>
   </refsect1>
 
   <refsect1>
     <title>See ALSO</title>
 
-    <simplelist>
-      <member><ulink
-      url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink>
-      - Describes operational aspects of Shorewall.</member>
+    <para><ulink
+    url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
 
-      <member><ulink url="shorewall-files.html">shorewall-files(5)</ulink> -
-      Describes the various configuration files along with features and
-      conventions common to those files.</member>
-
-      <member><ulink url="shorewall-names.html">shorewall-names(5)</ulink> -
-      Describes naming of objects within a Shorewall configuration.</member>
-
-      <member><ulink
-      url="shorewall-addresses.html">shorewall-addresses(5)</ulink> -
-      Describes how to specify addresses within a Shorewall
-      configuration.</member>
-
-      <member><ulink
-      url="shorewall-exclusion.html">shorewall-exclusion(5)</ulink> -
-      Describes how to exclude certain hosts and/or networks from matching a
-      rule.</member>
-
-      <member><ulink url="shorewall-nesting.html">shorewall-nesting(5)</ulink>
-      - Describes how to nest one Shorewall zone inside another.</member>
-    </simplelist>
+    <para>shorewall-accounting(5), shorewall-actions(5),
+    shorewall-arprules(5), shorewall-blrules(5), shorewall.conf(5),
+    shorewall-conntrack(5), shorewall-ecn(5), shorewall-exclusion(5),
+    shorewall-hosts(5), shorewall-init(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-logging(), shorewall-maclist(5),
+    shorewall-mangle(5), shorewall-masq(5), shorewall-modules(5),
+    shorewall-nat(5), shorewall-nesting(5), shorewall-netmap(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-proxyarp(5), shorewall6-proxyndp(5), shorewall-routes(5),
+    shorewall-rtrules(5), shorewall-rtrules(5), shorewall-rules(5),
+    shorewall-secmarks(5), shorewall-snat(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcfilters(5), shorewall-tcinterfaces(5),
+    shorewall-tcpri(5), shorewall-tunnels(5), shorewall-vardir(5),
+    shorewall-zones(5)</para>
   </refsect1>
 </refentry>

Shorewall-core/shorewall

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall Packet Filtering Firewall Control Program - V5.2
+#     Shorewall Packet Filtering Firewall Control Program - V5.1
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)

Shorewall-core/shorewallrc.alt

@@ -1,25 +0,0 @@
-#
-# ALT/BaseALT/ALTLinux Shorewall 5.2 rc file
-#
-BUILD=                                  #Default is to detect the build system
-HOST=alt
-PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/libexec            #Directory for executable scripts.
-PERLLIBDIR=${SHAREDIR}/perl5            #Directory to install Shorewall Perl module directory
-CONFDIR=/etc                            #Directory where subsystem configurations are installed
-SBINDIR=/sbin                           #Directory where system administration programs are installed
-MANDIR=${SHAREDIR}/man                  #Directory where manpages are installed.
-INITDIR=${CONFDIR}/rc.d/init.d          #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
-INITSOURCE=init.alt.sh                  #Name of the distributed file to be installed as the SysV init script
-ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
-SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
-SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
-SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
-SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
-SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARLIB=/var/lib                         #Directory where product variable data is stored.
-VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
-DEFAULT_PAGER=/usr/bin/less             #Pager to use if none specified in shorewall[6].conf

Shorewall-core/shorewallrc.apple

@@ -1,5 +1,5 @@
 #
-# Apple OS X Shorewall 5.2 rc file
+# Apple OS X Shorewall 5.0 rc file
 #
 BUILD=apple
 HOST=apple

Shorewall-core/shorewallrc.archlinux

@@ -1,5 +1,5 @@
 #
-# Arch Linux Shorewall 5.2 rc file
+# Arch Linux Shorewall 5.0 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=archlinux

Shorewall-core/shorewallrc.cygwin

@@ -1,5 +1,5 @@
 #
-# Cygwin Shorewall 5.2 rc file
+# Cygwin Shorewall 5.0 rc file
 #
 BUILD=cygwin
 HOST=cygwin

Shorewall-core/shorewallrc.debian.systemd

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.2 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=					#Default is to detect the build system
 HOST=debian
@@ -13,9 +13,9 @@ MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
 INITDIR=				#Directory where SysV init scripts are installed.
 INITFILE=				#Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
-ANNOTATED=				#If non-empty, annotated configuration files are installed
-SYSCONFFILE=default.debian.systemd	#Name of the distributed file to be installed in $SYSCONFDIR
-SERVICEFILE=$PRODUCT.service.debian	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+ANNOTATED=				#If non-zero, annotated configuration files are installed
+SYSCONFFILE=default.debian.systemd		#Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
 SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR

Shorewall-core/shorewallrc.debian.sysvinit

@@ -1,5 +1,5 @@
 #
-# Debian Shorewall 5.2 rc file
+# Debian Shorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian

Shorewall-core/shorewallrc.default

@@ -1,5 +1,5 @@
 #
-# Default Shorewall 5.2 rc file
+# Default Shorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=linux                              #Generic Linux

Shorewall-core/shorewallrc.openwrt

@@ -1,5 +1,5 @@
 #
-# OpenWRT/LEDE Shorewall 5.2 rc file
+# OpenWRT Shorewall 5.0 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=openwrt

Shorewall-core/shorewallrc.redhat

@@ -1,5 +1,5 @@
 #
-# RedHat/FedoraShorewall 5.2 rc file
+# RedHat/FedoraShorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat

Shorewall-core/shorewallrc.sandbox

@@ -1,28 +0,0 @@
-#
-# Shorewall 5.2 rc file for installing into a Sandbox
-#
-BUILD=                                       # Default is to detect the build system
-HOST=linux
-INSTALLDIR=				     # Set this to the directory where you want Shorewall installed
-PREFIX=${INSTALLDIR}/usr		     # Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share		     # Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/share		     # Directory for executable scripts.	
-PERLLIBDIR=${PREFIX}/share/shorewall	     # Directory to install Shorewall Perl module directory	
-CONFDIR=${INSTALLDIR}/etc		     # Directory where subsystem configurations are installed				
-SBINDIR=${INSTALLDIR}/sbin		     # Directory where system administration programs are installed			
-MANDIR=		     			     # Leave empty
-INITDIR=				     # Leave empty				     				
-INITSOURCE=				     # Leave empty
-INITFILE=				     # Leave empty
-AUXINITSOURCE=				     # Leave empty
-AUXINITFILE=				     # Leave empty
-SERVICEDIR=				     # Leave empty
-SERVICEFILE=    			     # Leave empty
-SYSCONFFILE=				     # Leave empty
-SYSCONFDIR=				     # Leave empty			
-SPARSE=					     # Leave empty			
-ANNOTATED=				     # If non-empty, annotated configuration files are installed				
-VARLIB=${INSTALLDIR}/var/lib		     # Directory where product variable data is stored.				
-VARDIR=${VARLIB}/$PRODUCT		     # Directory where product variable data is stored.		
-DEFAULT_PAGER=/usr/bin/less		     # Pager to use if none specified in shorewall[6].conf
-SANDBOX=Yes				     # Indicates SANDBOX installation

Shorewall-core/shorewallrc.slackware

@@ -1,5 +1,5 @@
 #
-# Slackware Shorewall 5.2 rc file
+# Slackware Shorewall 5.0 rc file
 #
 BUILD=slackware
 HOST=slackware

Shorewall-core/shorewallrc.suse

@@ -1,5 +1,5 @@
 #
-# SuSE Shorewall 5.2 rc file
+# SuSE Shorewall 5.0 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse

Shorewall-core/wait4ifup

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall interface helper utility - V5.2
+#     Shorewall interface helper utility - V4.2
 #
 #     (c) 2007,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-init/init.alt.sh

@@ -1,150 +0,0 @@
-#!/bin/sh
-#
-# Shorewall init script
-#
-# chkconfig: - 09 91
-# description: Initialize the shorewall firewall at boot time
-#
-### BEGIN INIT INFO
-# Provides: shorewall-init
-# Required-Start: $local_fs
-# Required-Stop: $local_fs
-# Default-Start: 3 4 5
-# Default-Stop:  0 1 2 6
-# Short-Description: Initialize the shorewall firewall at boot time
-# Description:       Place the firewall in a safe state at boot time
-#                    prior to bringing up the network.
-### END INIT INFO
-
-# Do not load RH compatibility interface.
-WITHOUT_RC_COMPAT=1
-
-# Source function library.
-. /etc/init.d/functions
-
-#
-# The installer may alter this
-#
-. /usr/share/shorewall/shorewallrc
-NAME="Shorewall-init firewall"
-PROG="shorewall-init"
-SHOREWALL="$SBINDIR/$PROG"
-LOGGER="logger -i -t $PROG"
-
-# Get startup options (override default)
-OPTIONS=
-
-LOCKFILE=/var/lock/subsys/shorewall-init
-
-# check if shorewall-init is configured or not
-if [ -f "/etc/sysconfig/shorewall-init" ]; then
-	. /etc/sysconfig/shorewall-init
-	if [ -z "$PRODUCTS" ]; then
-		echo "No PRODUCTS configured"
-		exit 6
-	fi
-else
-	echo "/etc/sysconfig/shorewall-init not found"
-	exit 6
-fi
-
-RETVAL=0
-
-# set the STATEDIR variable
-setstatedir() {
-	local statedir
-	if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
-		statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
-	fi
-
-	[ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
-
-	if [ -x ${STATEDIR}/firewall ]; then
-		return 0
-	elif [ $PRODUCT = shorewall ]; then
-		${SBINDIR}/shorewall compile
-	elif [ $PRODUCT = shorewall6 ]; then
-		${SBINDIR}/shorewall -6 compile
-	else
-		return 1
-	fi
-}
-
-start() {
-	local PRODUCT
-	local STATEDIR
-
-	printf "Initializing \"Shorewall-based firewalls\": "
-
-	for PRODUCT in $PRODUCTS; do
-		if setstatedir; then
-			$STATEDIR/$PRODUCT/firewall ${OPTIONS} stop 2>&1 | "$LOGGER"
-			RETVAL=$?
-		else
-			RETVAL=6
-			break
-		fi
-	done
-
-	if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-		ipset -R < "$SAVE_IPSETS"
-	fi
-
-	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
-	return $RETVAL
-}
-
-stop() {
-	local PRODUCT
-	local STATEDIR
-
-	printf "Clearing \"Shorewall-based firewalls\": "
-	for PRODUCT in $PRODUCTS; do
-		if setstatedir; then
-			${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | "$LOGGER"
-			RETVAL=$?
-		else
-			RETVAL=6
-			break
-		fi
-	done
-
-	if [ -n "$SAVE_IPSETS" ]; then
-		mkdir -p $(dirname "$SAVE_IPSETS")
-		if ipset -S > "${SAVE_IPSETS}.tmp"; then
-			grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-		else
-			rm -f "${SAVE_IPSETS}.tmp"
-		fi
-	fi
-
-	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
-	return $RETVAL
-}
-
-# See how we were called.
-case "$1" in
-	start)
-	    start
-	    ;;
-	stop)
-	    stop
-	    ;;
-	restart|reload|condrestart|condreload)
-	    # "Not implemented"
-	    ;;
-	condstop)
-	    if [ -e "$LOCKFILE" ]; then
-		stop
-	    fi
-	    ;;
-	status)
-	    status "$PROG"
-	     RETVAL=$?
-	    ;;
-	*)
-	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|condrestart|condstop|status}"
-	    RETVAL=1
-esac
-
-exit $RETVAL

Shorewall-init/init.debian.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -73,16 +73,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-        return 0
+    if [ $PRODUCT = shorewall ]; then
+	${SBINDIR}/shorewall compile
+    elif [ $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/shorewall -6 compile
     else
-        if [ $PRODUCT = shorewall ]; then
-            ${SBINDIR}/shorewall compile
-        elif [ $PRODUCT = shorewall6 ]; then
-            ${SBINDIR}/shorewall -6 compile
-        else
-            return 1
-        fi
+	return 0
     fi
 }
 
@@ -112,14 +108,16 @@ shorewall_start () {
 
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-          #
-	  # Run in a sub-shell to avoid name collisions
-	  #
-	  (
-	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/firewall ${OPTIONS} stop
-	      fi
-	  )
+	  if [ -x ${STATEDIR}/firewall ]; then
+              #
+	      # Run in a sub-shell to avoid name collisions
+	      #
+	      (
+		  if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		      ${STATEDIR}/firewall ${OPTIONS} stop
+		  fi
+	      )
+	  fi
       fi
   done
 
@@ -147,7 +145,9 @@ shorewall_stop () {
   printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
       fi
   done
 

Shorewall-init/init.fedora.sh

@@ -44,14 +44,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
     else
-	return 1
+	return 0
     fi
 }
 
@@ -77,11 +75,15 @@ start () {
 	retval=$?
 
 	if [ $retval -eq 0 ]; then
-	    ${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	    if [ -x "${STATEDIR}/firewall" ]; then
+		${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
+		retval=${PIPESTATUS[0]}
+		[ $retval -ne 0 ] && break
+	    else
+		retval=6 #Product not configured
+		break
+	    fi
 	else
-	    retval=6 #Product not configured
 	    break
 	fi
     done
@@ -108,11 +110,15 @@ stop () {
 	retval=$?
 
 	if [ $retval -eq 0 ]; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	    if [ -x "${STATEDIR}/firewall" ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
+		retval=${PIPESTATUS[0]}
+		[ $retval -ne 0 ] && break
+	    else
+		retval=6 #Product not configured
+		break
+	    fi
 	else
-	    retval=6 #Product not configured
 	    break
 	fi
     done

Shorewall-init/init.openwrt.sh

@@ -1,5 +1,5 @@
 #!/bin/sh /etc/rc.common
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2016           - Matt Darfeuille (matdarf@gmail.com)
@@ -75,14 +75,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
     else
-	return 1
+	return 0
     fi
 }
 
@@ -94,8 +92,10 @@ start () {
   printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${STATEDIR}/firewall ${OPTIONS} stop
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      fi
 	  fi
       fi
   done
@@ -103,8 +103,6 @@ start () {
   if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
       ipset -R < "$SAVE_IPSETS"
   fi
-
-  return 0
 }
 
 boot () {
@@ -119,7 +117,9 @@ stop () {
     printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
+	    if [ -x ${STATEDIR}/firewall ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear
+	    fi
 	fi
     done
 
@@ -131,7 +131,5 @@ stop () {
 	    rm -f "${SAVE_IPSETS}.tmp"
 	fi
     fi
-
-    return 0
 }
 

Shorewall-init/init.sh

@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
 #
 #     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
@@ -69,12 +69,10 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
     else
-	return 1
+	return 0
     fi
 }
 
@@ -86,8 +84,10 @@ shorewall_start () {
   printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${STATEDIR}/firewall ${OPTIONS} stop
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      fi
 	  fi
       fi
   done
@@ -107,7 +107,9 @@ shorewall_stop () {
   printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
       fi
   done
 

Shorewall-init/init.suse.sh

@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -79,14 +79,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-	return 0
-    elif [ $PRODUCT = shorewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
     else
-	return 6
+	return 0
     fi
 }
 
@@ -98,8 +96,10 @@ shorewall_start () {
   printf "Initializing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
+	  if [ -x $STATEDIR/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
+	      fi
 	  fi
       fi
   done
@@ -117,7 +117,9 @@ shorewall_stop () {
   printf "Clearing \"Shorewall-based firewalls\": "
   for PRODUCT in $PRODUCTS; do
       if setstatedir; then
-	  ${STATEDIR}/firewall ${OPTIONS} clear
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
       fi
   done
 

Shorewall-init/install.sh

@@ -181,9 +181,6 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
-		    alt|basealt|altlinux)
-			BUILD=alt
-			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -194,8 +191,6 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
-	    elif [ -f /etc/altlinux-release ]; then
-		BUILD=alt
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/SuSE-release ]; then
@@ -258,9 +253,6 @@ case "$HOST" in
     openwrt)
 	echo "Installing Openwrt-specific configuration..."
 	;;
-    alt)
-	echo "Installing ALT-specific configuration...";
-	;;
     linux)
 	fatal_error "Shorewall-init is not supported on this system"
 	;;

Shorewall-init/shorewall-init

@@ -1,5 +1,5 @@
 #!/bin/bash
-#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
 #
 #	(c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
@@ -33,12 +33,12 @@ setstatedir() {
 
     [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
 
-    if [ -x ${STATEDIR}/firewall ]; then
-        return 0
-    elif [ $PRODUCT = shorewall ]; then
+    if [ $PRODUCT = shorewall ]; then
 	${SBINDIR}/shorewall compile
     elif [ $PRODUCT = shorewall6 ]; then
 	${SBINDIR}/shorewall -6 compile
+    else
+	return 0
     fi
 }
 
@@ -67,14 +67,16 @@ shorewall_start () {
     printf "Initializing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    #
-	    # Run in a sub-shell to avoid name collisions
-	    #
-	    (
-		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		    ${STATEDIR}/firewall ${OPTIONS} stop
-		fi
-	    )
+	    if [ -x ${STATEDIR}/firewall ]; then
+		#
+		# Run in a sub-shell to avoid name collisions
+		#
+		(
+		    if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+			${STATEDIR}/firewall ${OPTIONS} stop
+		    fi
+		)
+	    fi
 	fi
     done
 
@@ -93,7 +95,9 @@ shorewall_stop () {
     printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
+	    if [ -x ${STATEDIR}/firewall ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear
+	    fi
 	fi
     done
 

Shorewall-lite/init.alt.sh

@@ -1,117 +0,0 @@
-#!/bin/sh
-#
-# Shorewall-Lite init script
-#
-# chkconfig: - 28 90
-# description: Packet filtering firewall
-#
-### BEGIN INIT INFO
-# Provides: shorewall-lite
-# Required-Start: $local_fs $remote_fs $syslog $network
-# Should-Start: $time $named
-# Required-Stop:
-# Default-Start: 3 4 5
-# Default-Stop:  0 1 2 6
-# Short-Description: Packet filtering firewall
-# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
-#              Netfilter (iptables) based firewall
-### END INIT INFO
-
-# Do not load RH compatibility interface.
-WITHOUT_RC_COMPAT=1
-
-# Source function library.
-. /etc/init.d/functions
-
-#
-# The installer may alter this
-#
-. /usr/share/shorewall/shorewallrc
-
-NAME="Shorewall-Lite firewall"
-PROG="shorewall"
-SHOREWALL="$SBINDIR/$PROG -l"
-LOGGER="logger -i -t $PROG"
-
-# Get startup options (override default)
-OPTIONS=
-
-SourceIfNotEmpty $SYSCONFDIR/${PROG}-lite
-
-LOCKFILE="/var/lock/subsys/${PROG}-lite"
-RETVAL=0
-
-start() {
-	action $"Applying $NAME rules:" "$SHOREWALL" "$OPTIONS" start "$STARTOPTIONS" 2>&1 | "$LOGGER"
-	RETVAL=$?
-	[ $RETVAL -eq 0 ] && touch "$LOCKFILE"
-	return $RETVAL
-}
-
-stop() {
-	action $"Stoping $NAME :" "$SHOREWALL" "$OPTIONS" stop "$STOPOPTIONS" 2>&1 | "$LOGGER"
-	RETVAL=$?
-	[ $RETVAL -eq 0 ] && rm -f "$LOCKFILE"
-	return $RETVAL
-}
-
-restart() {
-	action $"Restarting $NAME rules: " "$SHOREWALL" "$OPTIONS" restart "$RESTARTOPTIONS" 2>&1 | "$LOGGER"
-	RETVAL=$?
-	return $RETVAL
-}
-
-reload() {
-	action $"Reloadinging $NAME rules: " "$SHOREWALL" "$OPTIONS" reload "$RELOADOPTIONS" 2>&1 | "$LOGGER"
-	RETVAL=$?
-	return $RETVAL
-}
-
-clear() {
-	action $"Clearing $NAME rules: " "$SHOREWALL" "$OPTIONS" clear 2>&1 | "$LOGGER"
-	RETVAL=$?
-	return $RETVAL
-}
-
-# See how we were called.
-case "$1" in
-	start)
-	    start
-	    ;;
-	stop)
-	    stop
-	    ;;
-	restart)
-	    restart
-	    ;;
-	reload)
-	    reload
-	    ;;
-	clear)
-	    clear
-	    ;;
-	condrestart)
-	    if [ -e "$LOCKFILE" ]; then
-		restart
-	    fi
-	    ;;
-	condreload)
-	    if [ -e "$LOCKFILE" ]; then
-		restart
-	    fi
-	    ;;
-	condstop)
-	    if [ -e "$LOCKFILE" ]; then
-		stop
-	    fi
-	    ;;
-	status)
-	    "$SHOREWALL" status
-	     RETVAL=$?
-	    ;;
-	*)
-	    echo $"Usage: ${0##*/}  {start|stop|restart|reload|clear|condrestart|condstop|status}"
-	    RETVAL=1
-esac
-
-exit $RETVAL

Shorewall-lite/init.openwrt.sh

@@ -1,6 +1,6 @@
 #!/bin/sh /etc/rc.common
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2015 - Matt Darfeuille - (matdarf@gmail.com)

Shorewall-lite/init.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-lite/init.suse.sh

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.2
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall-lite/install.sh

@@ -190,9 +190,6 @@ if [ -z "$BUILD" ]; then
 		    opensuse)
 			BUILD=suse
 			;;
-		    alt|basealt|altlinux)
-			BUILD=alt
-			;;
 		    *)
 			BUILD="$ID"
 			;;
@@ -201,8 +198,6 @@ if [ -z "$BUILD" ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
-	    elif [ -f /etc/altlinux-release ]; then
-		BUILD=alt
 	    elif [ -f ${CONFDIR}/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f ${CONFDIR}/SuSE-release ]; then
@@ -271,9 +266,6 @@ case "$HOST" in
     openwrt)
 	echo "Installing OpenWRT-specific configuration..."
 	;;
-    alt)
-	echo "Installing ALT-specific configuration...";
-	;;
     linux)
 	;;
     *)
@@ -426,11 +418,6 @@ echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shor
 if [ -f modules ]; then
     install_file modules ${DESTDIR}${SHAREDIR}/$PRODUCT/modules 0600
     echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
-
-    for f in modules.*; do
-	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-	echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
-    done
 fi
 
 if [ -f helpers ]; then
@@ -438,6 +425,11 @@ if [ -f helpers ]; then
     echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi
 
+for f in modules.*; do
+    install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+done
+
 #
 # Install the Man Pages
 #

Shorewall-lite/lib.base

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall-lite/lib.base
+# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #

Shorewall-lite/uninstall.sh

@@ -151,7 +151,7 @@ fi
 
 remove_file ${SBINDIR}/$PRODUCT
 
-if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
+if [ -L ${SHAREDIR}/$PRODUCT/init ]; then
     if [ $HOST = openwrt ]; then
 	if [ $configure -eq 1 ] && /etc/init.d/$PRODUCT enabled; then
 	    /etc/init.d/$PRODUCT disable

Shorewall/Actions/action.A_AllowICMPs.deprecated

@@ -0,0 +1,9 @@
+#
+# Shorewall6 -- /usr/share/shorewall/action.A_AllowICMPs
+#
+# This action A_ACCEPTs needed ICMP types
+#
+###############################################################################
+#ACTION		SOURCE		DEST	PROTO		DPORT
+
+AllowICMPs(A_ACCEPT)

Shorewall/Actions/action.A_Drop.deprecated

@@ -0,0 +1,57 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_Drop
+#
+# The audited default DROP common rules
+#
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+#
+?require AUDIT_TARGET
+?warning "You are using the deprecated A_Drop default action. Please see http://www.shorewall.net/Actions.html
+###############################################################################
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Special Handling for Auth
+#
+Auth(A_DROP)
+#
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs	-	-	icmp
+#
+# Don't log broadcasts and multicasts
+#
+dropBcast(audit)
+dropMcast(audit)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log.
+#
+dropInvalid(audit)
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(A_DROP)
+A_DropUPnP
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+A_DropDNSrep

Shorewall/Actions/action.A_REJECT

@@ -1,11 +1,11 @@
 #
-# Shorewall -- /usr/share/shorewall/action.A_REJECT
+# Shorewall -- /usr/share/shorewall/action.A_REJECTWITH
 #
 # A_REJECT Action.
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.A_REJECT!

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.A_Reject.deprecated

@@ -0,0 +1,54 @@
+#
+# Shorewall -- /usr/share/shorewall/action.A_Reject
+#
+# The audited default REJECT action common rules
+#
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+?require AUDIT_TARGET
+?warning "You are using the deprecated A_REJECT default action. Please see http://www.shorewall.net/Actions.html
+###############################################################################
+#ACTION		SOURCE	DEST	PROTO
+#
+# Count packets that come through here
+#
+COUNT
+#
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before broadcast Drop.
+#
+A_AllowICMPs	-	-	icmp
+#
+# Drop Broadcasts and multicasts so they don't clutter up the log
+# (these must *not* be rejected).
+#
+dropBcast(audit)
+dropMcast(audit)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid(audit)
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(A_REJECT)
+A_DropUPnP
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+A_DropDNSrep

Shorewall/Actions/action.AllowICMPs

@@ -13,6 +13,7 @@ DEFAULTS ACCEPT
     @1	-	-	icmp	time-exceeded		{comment="Needed ICMP types"}
 ?else
 ?COMMENT Needed ICMP types (RFC4890)
+
     @1	-		-	ipv6-icmp	destination-unreachable
     @1	-		-	ipv6-icmp	packet-too-big
     @1	-		-	ipv6-icmp	time-exceeded
@@ -37,7 +38,7 @@ DEFAULTS ACCEPT
     @1	-		-	ipv6-icmp	148	# Certificate path solicitation
     @1	-		-	ipv6-icmp	149	# Certificate path advertisement
 
-# The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
+# The following should have a link local source address and a ttl of 1 and must be allowed to transit abridge
     @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement
     @1	fe80::/10	-	ipv6-icmp	152	# Multicast router solicitation
     @1	fe80::/10	-	ipv6-icmp	153	# Multicast router termination

Shorewall/Actions/action.Broadcast

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.DNSAmp

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Drop.deprecated

@@ -0,0 +1,84 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Drop
+#
+# The former default DROP common rules. Use of this action is now deprecated
+#
+# This action is invoked before a DROP policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
+#
+# The action accepts six optional parameters:
+#
+# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#     actions.
+# 2 - Action to take with Auth requests. Default is to do nothing special
+#     with them.
+# 3 - Action to take with SMB requests. Default is DROP or A_DROP,
+#     depending on the setting of the first parameter.
+# 4 - Action to take with required ICMP packets. Default is ACCEPT or
+#     A_ACCEPT depending on the first parameter.
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
+#     is DROP or A_DROP depending on the first parameter.
+# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
+#     depending on the first parameter.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+#
+###############################################################################
+?warning "You are using the deprecated Drop default action. Please see http://www.shorewall.net/Actions.html#Default"
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+DEFAULTS -,-,A_DROP,A_ACCEPT,A_DROP,A_DROP
+    ?else
+        ?error The first parameter to Drop must be 'audit' or '-'
+    ?endif
+?else
+DEFAULTS -,-,DROP,ACCEPT,DROP,DROP
+?endif
+
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Special Handling for Auth
+#
+?if passed(@2)
+Auth(@2)
+?endif
+#
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before silent broadcast Drop.
+#
+AllowICMPs(@4)	-	-	icmp
+#
+# Don't log broadcasts or multicasts
+#
+Broadcast(DROP,@1)
+Multicast(DROP,@1)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log.
+#
+Invalid(DROP,@1)
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(@3)
+DropUPnP(@6)
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+NotSyn(DROP,@1)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DropDNSrep(@5)

Shorewall/Actions/action.Established

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.FIN

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #
@@ -30,4 +30,4 @@
 
 DEFAULTS ACCEPT,-
 
-@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN ACK,FIN
+@1	 -	-	;;+ -p 6 --tcp-flags ACK,FIN,PSH ACK,FIN,PSH

Shorewall/Actions/action.IfEvent

@@ -135,7 +135,7 @@ if ( $command & $RESET_CMD ) {
     #
     # if the event is armed, remove it and perform the action
     #
-    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event $srcdst" );
+    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
 } elsif ( $command & $UPDATE_CMD ) {
     perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
 } else {

Shorewall/Actions/action.Invalid

@@ -4,7 +4,7 @@
 # Invalid Action
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Multicast

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.New

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.NotSyn

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.RST

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2012-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Reject.deprecated

@@ -0,0 +1,85 @@
+#
+# Shorewall -- /usr/share/shorewall/action.Reject
+#
+# The former default REJECT action common rules. Use of this action is deprecated.
+#
+# This action is invoked before a REJECT policy is enforced. The purpose
+# of the action is:
+#
+# a) Avoid logging lots of useless cruft.
+# b) Ensure that certain ICMP packets that are necessary for successful
+#    internet operation are always ACCEPTed.
+#
+# The action accepts six optional parameters:
+#
+# 1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#     actions.
+# 2 - Action to take with Auth requests. Default is to do nothing
+#     special with them.
+# 3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
+#     depending on the setting of the first parameter.
+# 4 - Action to take with required ICMP packets. Default is ACCEPT or
+#     A_ACCEPT depending on the first parameter.
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
+#     is DROP or A_DROP depending on the first parameter.
+# 6 - Action to take with UPnP packets. Default is DROP or A_DROP
+#     depending on the first parameter.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+###############################################################################
+?warning "You are using the deprecated Reject default action. Please see http://www.shorewall.net/Actions.html#Default"
+
+?if passed(@1)
+    ?if @1 eq 'audit'
+DEFAULTS -,-,A_REJECT,A_ACCEPT,A_DROP,A_DROP
+    ?else
+	?error The first parameter to Reject must be 'audit' or '-'
+    ?endif
+?else
+DEFAULTS -,-,REJECT,ACCEPT,DROP,DROP
+?endif
+
+#ACTION		SOURCE	DEST	PROTO
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Special handling for Auth
+#
+?if passed(@2)
+Auth(@2)
+?endif
+#
+# ACCEPT critical ICMP types
+#
+# For IPv6 connectivity ipv6-icmp broadcasting is required so
+# AllowICMPs must be before silent broadcast Drop.
+#
+AllowICMPs(@4)	-	-	icmp
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+Broadcast(DROP,@1)
+Multicast(DROP,@1)
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+Invalid(DROP,@1)
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(@3)
+DropUPnP(@6)
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+NotSyn(DROP,@1)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+DropDNSrep(@5)

Shorewall/Actions/action.Related

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.Untracked

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.allowInvalid

@@ -3,7 +3,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Actions/action.dropInvalid

@@ -5,7 +5,7 @@
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-# (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
+# (c) 2011-2016 Tom Eastep (teastep@shorewall.net)
 #
 # Complete documentation is available at http://shorewall.net
 #

Shorewall/Contrib/swping

@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall WAN Interface monitor - V5.2
+#     Shorewall WAN Interface monitor - V4.4
 #
 #     Inspired by Angsuman Chakraborty's gwping script.
 #

Shorewall/Contrib/swping.init

@@ -1,5 +1,5 @@
 #!/bin/sh
-#     Shorewall WAN Interface monitor - V5.2
+#     Shorewall WAN Interface monitor - V4.4
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Macros/IPFS-swarm

@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
-#
-# This macro handles IPFS data traffic (the connection to IPFS swarm).
-#
-###############################################################################
-#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
-
-PARAM   -       -       tcp     4001

Shorewall/Macros/macro.Bitcoin

@@ -1,8 +0,0 @@
-#
-# Shorewall --/usr/share/shorewall/macro.Bitcoin
-#
-# Macro for handling Bitcoin P2P traffic
-#
-##############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
-PARAM		-		-		tcp	8333

Shorewall/Macros/macro.BitcoinRPC

@@ -1,8 +0,0 @@
-#
-# Shorewall --/usr/share/shorewall/macro.BitcoinRPC
-#
-# Macro for handling Bitcoin RPC traffic
-#
-##############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
-PARAM		-		-		tcp	8332

Shorewall/Macros/macro.BitcoinZMQ

@@ -1,9 +0,0 @@
-#
-# Shorewall --/usr/share/shorewall/macro.BitcoinZMQ
-#
-# Macro for handling Bitcoin ZMQ traffic
-# See https://github.com/bitcoin/bitcoin/blob/master/doc/zmq.md
-#
-##############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
-PARAM		-		-		tcp	28332

Shorewall/Macros/macro.Cockpit

@@ -1,12 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Cockpit
-#
-# This macro handles Time protocol (RFC868).
-# Unless you are supporting extremely old hardware or software,
-# you shouldn't be using this.  NTP is a superior alternative.
-#
-#		By Eric Teeter
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	9090

Shorewall/Macros/macro.FreeIPA

@@ -1,16 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.FreeIPA
-#
-# This macro handles FreeIPA server traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-DNS
-HTTP
-HTTPS
-Kerberos
-Kpasswd
-LDAP
-LDAPS
-NTP

Shorewall/Macros/macro.IPFS-API

@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.IPFS-API
-#
-# This macro handles IPFS API port (commands for the IPFS daemon).
-#
-###############################################################################
-#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
-
-PARAM   -       -       tcp     5001

Shorewall/Macros/macro.IPFS-gateway

@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.IPFS-gateway
-#
-# This macro handles the IPFS gateway to HTTP.
-#
-###############################################################################
-#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
-
-PARAM   -       -       tcp     8080

Shorewall/Macros/macro.IPFS-swarm

@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.IPFS-swarm
-#
-# This macro handles IPFS data traffic (the connection to IPFS swarm).
-#
-###############################################################################
-#ACTION SOURCE  DEST    PROTO   DPORT   SPORT   ORIGDEST        RATE   USER
-
-PARAM   -       -       tcp     4001

Shorewall/Macros/macro.IPMI

@@ -11,20 +11,14 @@
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
 PARAM	-	-	tcp	623		# RMCP
-PARAM	-	-	udp	623		# RMCP
 PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
-PARAM	-	-	tcp	5120,5122,5123	# CD,FD,HD (Asus, Aten)
+PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
-PARAM	-	-	tcp	8889		# WS-MAN
-HTTP
-Telnet
-SNMP
-
-# TLS/secure ports
 PARAM	-	-	tcp	3520		# Remote Console (Redfish)
-PARAM	-	-	tcp	3669		# Virtual Media (Dell)
-PARAM	-	-	tcp	5124,5126,5127	# CD,FD,HD (AMI)
-PARAM	-	-	tcp	7582		# Remote Console (AMI)
+PARAM	-	-	udp	623		# RMCP
+HTTP
 HTTPS
+SNMP
 SSH						# Serial over Lan
+Telnet

Shorewall/Macros/macro.Kpasswd

@@ -1,10 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Kpasswd
-#
-# This macro handles Kerberos "passwd" traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	464
-PARAM	-	-	udp	464

Shorewall/Macros/macro.ONCRPC

@@ -1,8 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.ONCRPC
-#
-# This macro handles ONC RCP traffic (for rpcbind on Linux, etc).
-#
-##############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
-PARAM		-		-		tcp,udp	111

Shorewall/Macros/macro.RedisSecure

@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.RedisSecure
-#
-# This macro handles Redis Secure (SSL/TLS) traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	6380

Shorewall/Macros/macro.Rwhois

@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Rwhois
-#
-# This macro handles Remote Who Is (rwhois) traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	4321

Shorewall/Macros/macro.SNMPTrap.deprecated

@@ -1,9 +1,9 @@
 #
-# Shorewall -- /usr/share/shorewall/macro.Apcupsd
+# Shorewall - /usr/share/shorewall/macro.SNMPtrap
 #
-# This macro handles apcupsd traffic.
+# This macro deprecated by SNMPtrap.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
 
-PARAM	-	-	tcp	3551
+SNMPtrap

Shorewall/Macros/macro.SSDP

@@ -1,9 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.SSDP
-#
-# This macro handles SSDP (used by DLNA/UPnP) client traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	udp	1900

Shorewall/Macros/macro.SSDPserver

@@ -1,10 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.SSDPserver
-#
-# This macro handles SSDP (used by DLNA/UPnP) server bidirectional traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	udp	1900
-PARAM	DEST	SOURCE	udp	-	1900

Shorewall/Macros/macro.Tor

@@ -1,8 +0,0 @@
-#
-# Shorewall --/usr/share/shorewall/macro.Tor
-#
-# Macro for handling Tor Onion Network traffic
-#
-##############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
-PARAM		-		-		tcp	9001	

Shorewall/Macros/macro.TorBrowserBundle

@@ -1,8 +0,0 @@
-#
-# Shorewall --/usr/share/shorewall/macro.TorBrowserBundle
-#
-# Macro for handling Tor Onion Network traffic provided by Tor Browser Bundle
-#
-##############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
-PARAM		-		-		tcp	9150

Shorewall/Macros/macro.TorControl

@@ -1,8 +0,0 @@
-#
-# Shorewall --/usr/share/shorewall/macro.TorControl
-#
-# Macro for handling Tor Controller Applications traffic
-#
-##############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
-PARAM		-		-		tcp	9051	

Shorewall/Macros/macro.TorDirectory

@@ -1,8 +0,0 @@
-#
-# Shorewall --/usr/share/shorewall/macro.TorDirectory
-#
-# Macro for handling Tor Directory traffic
-#
-##############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
-PARAM		-		-		tcp	9030

Shorewall/Macros/macro.TorSocks

@@ -1,8 +0,0 @@
-#
-# Shorewall --/usr/share/shorewall/macro.TorSocks
-#
-# Macro for handling Tor Socks Proxy traffic
-#
-##############################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
-PARAM		-		-		tcp	9050	

Shorewall/Macros/macro.WUDO

@@ -1,9 +0,0 @@
-
-# Shorewall -- /usr/share/shorewall/macro.WUDO
-#
-# This macro handles WUDO (Windows Update Delivery Optimization)
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-PARAM	-	-	tcp	7680

Shorewall/Perl/Shorewall/ARP.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/ARP.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/ARP.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Accounting.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Accounting.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Accounting.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -201,13 +201,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
     my $prerule = '';
     my $rule2 = 0;
     my $jump  = 0;
-    my $raw_matches = get_inline_matches(1);
-
-    if ( $raw_matches =~ s/^\s*+// ) {
-	$prerule = $raw_matches;
-    } else {
-	$rule .= $raw_matches;
-    }
 
     unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
@@ -249,7 +242,9 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 		    $rule .= do_nfacct( $_ );
 		}
 	    }
-	} elsif ( $action ne 'INLINE' ) {
+	} elsif ( $action eq 'INLINE' ) {
+	    $rule .= get_inline_matches(1);
+	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 
 	    if ( $cmd ) {
@@ -287,7 +282,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 
 	    if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
 		expand_rule(
-			    ensure_chain ( $config{ACCOUNTING_TABLE}, 'accountout' ) ,
+			    ensure_rules_chain ( 'accountout' ) ,
 			    OUTPUT_RESTRICT ,
 			    $prerule ,
 			    $rule ,

Shorewall/Perl/Shorewall/Compiler.pm

@@ -1,10 +1,10 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V5.2
+#     The Shoreline Firewall Packet Filtering Firewall Compiler - V5.0
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -47,19 +47,19 @@ our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
 our $VERSION = 'MODULEVERSION';
 
-our $export;          # True when compiling for export
+our $export;
 
-our $test;            # True when running regression tests
+our $test;
 
-our $family;          # IP address family (4 or 6)
+our $family;
 
-our $have_arptables;  # True if we have arptables rules
+our $have_arptables;
 
 #
 # Initilize the package-globals in the other modules
 #
 sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
+    Shorewall::Config::initialize($family, $_[1], $_[2]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize($family);
@@ -103,13 +103,13 @@ sub generate_script_1( $ ) {
 
     copy2( $lib, $debug ) if -f $lib;
 
-    emithd<<'EOF';
+    emit <<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
 
-    for my $exit ( qw/init start tcclear started stop stopped clear restored enabled disabled/ ) {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored enabled disabled/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -125,7 +125,7 @@ EOF
 	emit '}';
     }
 
-    emithd <<'EOF';
+    emit <<'EOF';
 ################################################################################
 # End user exit functions
 ################################################################################
@@ -269,17 +269,13 @@ sub generate_script_2() {
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
 	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
-	emit( 'chain_exists DOCKER-USER      && g_dockeruser=Yes' );
-	emit( 'if chain_exists DOCKER-ISOLATION; then',
-	      '    g_dockernetwork=One',
-	      'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
-	      '    g_dockernetwork=Two',
-	      'fi' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockernetwork=Yes' );
+	emit( '' );
     }
 
     pop_indent;
 
-    emit "}\n"; # End of initialize()
+    emit "\n}\n"; # End of initialize()
 
     emit( '' ,
 	  '#' ,
@@ -316,9 +312,10 @@ sub generate_script_2() {
 	    push_indent;
 
 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
-		verify_required_interfaces(0);
+
 		set_global_variables(0, 0);
-		handle_optional_interfaces;
+
+		handle_optional_interfaces(0);
 	    }
 
 	    emit ';;';
@@ -330,19 +327,19 @@ sub generate_script_2() {
 	    push_indent;
 	}
 
-	verify_required_interfaces(1);
 	set_global_variables(1,1);
-	handle_optional_interfaces;
 
 	if ( $global_variables & NOT_RESTORE ) {
+	    handle_optional_interfaces(1);
 	    emit ';;';
 	    pop_indent;
 	    pop_indent;
 	    emit ( 'esac' );
+	} else {
+	    handle_optional_interfaces(1);
 	}
     } else {
-	verify_required_interfaces(1);
-	emit( 'true' ) unless handle_optional_interfaces;
+	emit( 'true' ) unless handle_optional_interfaces(1);
     }
 
     pop_indent;
@@ -361,7 +358,7 @@ sub generate_script_2() {
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
 #          than those related to writing to the output script file.
 #
-sub generate_script_3() {
+sub generate_script_3($) {
 
     if ( $family == F_IPV4 ) {
 	progress_message2 "Creating iptables-restore input...";
@@ -371,6 +368,7 @@ sub generate_script_3() {
 
     create_netfilter_load( $test );
     create_arptables_load( $test ) if $have_arptables;
+    create_chainlist_reload( $_[0] );
     create_save_ipsets;
     create_load_ipsets;
 
@@ -384,10 +382,10 @@ sub generate_script_3() {
     save_progress_message 'Initializing...';
 
     if ( $export || $config{EXPORTMODULES} ) {
-	my $fn = find_file( 'helpers' );
+	my $fn = find_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' );
 
 	if ( -f $fn && ( $config{EXPORTMODULES} || ( $export && ! $fn =~ "^$globals{SHAREDIR}/" ) ) ) {
-	    emit 'echo MODULESDIR=\"$MODULESDIR\" > ${VARDIR}/.modulesdir';
+	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
 
@@ -402,10 +400,16 @@ sub generate_script_3() {
 	emit 'load_kernel_modules Yes';
     }
 
-    emit( '' ,
-	  'run_init_exit',
-	  '' ,
-	  'load_ipsets' ,
+    emit '';
+
+    emit ( 'if [ "$COMMAND" = refresh ]; then' ,
+	   '   run_refresh_exit' ,
+	   'else' ,
+	   '    run_init_exit',
+	   'fi',
+	   '' );
+
+    emit( 'load_ipsets' ,
 	  '' );
 
     create_nfobjects;
@@ -463,6 +467,11 @@ sub generate_script_3() {
     dump_proxy_arp;
     emit_unindented '__EOF__';
 
+    emit( '',
+	  'if [ "$COMMAND" != refresh ]; then' );
+
+    push_indent;
+
     emit 'cat > ${VARDIR}/zones << __EOF__';
     dump_zone_contents;
     emit_unindented '__EOF__';
@@ -475,6 +484,10 @@ sub generate_script_3() {
     dump_mark_layout;
     emit_unindented '__EOF__';
 
+    pop_indent;
+
+    emit "fi\n";
+
     emit '> ${VARDIR}/nat';
 
     add_addresses;
@@ -513,12 +526,29 @@ sub generate_script_3() {
 
     my $config_dir = $globals{CONFIGDIR};
 
-    emithd <<"EOF";
+    emit<<"EOF";
     set_state Started $config_dir
     run_restored_exit
-else
-    setup_netfilter
+elif [ \$COMMAND = refresh ]; then
+    chainlist_reload
 EOF
+    push_indent;
+    setup_load_distribution;
+    setup_forwarding( $family , 0 );
+    pop_indent;
+    #
+    # Use a parameter list rather than 'here documents' to avoid an extra blank line
+    #
+    emit( '    run_refreshed_exit',
+	  '    do_iptables -N shorewall' );
+
+    emit( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+
+    emit( "    set_state Started $config_dir",
+	  '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+	  'else',
+	  '    setup_netfilter'	);
+
     push_indent;
     emit 'setup_arptables' if $have_arptables;
     setup_load_distribution;
@@ -543,7 +573,7 @@ EOF
 	  '    run_started_exit',
 	  "fi\n" );
 
-    emithd<<'EOF';
+    emit<<'EOF';
 date > ${VARDIR}/restarted
 
 case $COMMAND in
@@ -553,6 +583,9 @@ case $COMMAND in
     reload)
         mylogger kern.info "$g_product reloaded"
         ;;
+    refresh)
+        mylogger kern.info "$g_product refreshed"
+        ;;
     restore)
         mylogger kern.info "$g_product restored"
         ;;
@@ -587,8 +620,8 @@ sub compile_info_command() {
 #
 sub compiler {
 
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 ) =
-       ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $config_path, $shorewallrc                      , $shorewallrc1 , $inline ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );
 
     $export         = 0;
     $test           = 0;
@@ -617,6 +650,7 @@ sub compiler {
 		  timestamp     => { store => \$timestamp,     validate => \&validate_boolean   } ,
 		  debug         => { store => \$debug,         validate => \&validate_boolean   } ,
 		  export        => { store => \$export ,       validate => \&validate_boolean   } ,
+		  chains        => { store => \$chains },
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
@@ -624,6 +658,7 @@ sub compiler {
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
+		  inline        => { store => \$inline,        validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		  shorewallrc1  => { store => \$shorewallrc1 } ,
@@ -660,7 +695,7 @@ sub compiler {
     #                                      S H O R E W A L L R C ,
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
     #
-    get_configuration( $export , $update , $annotate );
+    get_configuration( $export , $update , $annotate , $inline );
     #
     # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
     # now when shorewall.conf has been processed and the capabilities have been determined.
@@ -783,7 +818,7 @@ sub compiler {
     #
     # Setup Masquerade/SNAT
     #
-    setup_snat;
+    setup_snat( $update );
     #
     # Setup Nat
     #
@@ -864,7 +899,7 @@ sub compiler {
 
 	optimize_level0;
 
-	if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
+	if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
@@ -886,7 +921,7 @@ sub compiler {
 	#                          N E T F I L T E R   L O A D
 	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
 	#
-	generate_script_3();
+	generate_script_3( $chains );
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/IPAddrs.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -60,7 +60,6 @@ our @EXPORT = ( qw( ALLIPv4
 		  decompose_net
 		  decompose_net_u32
 		  compare_nets
-		  loopback_address
 		  validate_host
 		  validate_range
 		  ip_range_explicit
@@ -99,14 +98,12 @@ our $resolve_dnsname;
 our $validate_range;
 our $validate_host;
 our $family;
-our $loopback_address;
 
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       NILIPv4             => '0.0.0.0' ,
 	       NILIPv6             => '::' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
-	       IPv4_LOOPBACK       => '127.0.0.1' ,
 	       IPv6_MULTICAST      => 'ff00::/8' ,
 	       IPv6_LINKLOCAL      => 'fe80::/10' ,
 	       IPv6_SITELOCAL      => 'feC0::/10' ,
@@ -373,10 +370,6 @@ sub rfc1918_networks() {
     @rfc1918_networks
 }
 
-sub loopback_address() {
-    $loopback_address;
-}
-
 #
 # Protocol/port validation
 #
@@ -762,7 +755,6 @@ sub initialize( $ ) {
 	$nilip            = NILIPv4;
 	@nilip            = @nilipv4;
 	$vlsm_width       = VLSMv4;
-	$loopback_address = IPv4_LOOPBACK;
 	$valid_address    = \&valid_4address;
 	$validate_address = \&validate_4address;
 	$validate_net     = \&validate_4net;
@@ -775,7 +767,6 @@ sub initialize( $ ) {
 	$nilip            = NILIPv6;
 	@nilip            = @nilipv6;
 	$vlsm_width       = VLSMv6;
-	$loopback_address = IPv6_LOOPBACK;
 	$valid_address    = \&valid_6address;
 	$validate_address = \&validate_6address;
 	$validate_net     = \&validate_6net;

Shorewall/Perl/Shorewall/Misc.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -66,9 +66,6 @@ sub initialize( $ ) {
     $family = shift;
 }
 
-#
-# Warn that the tos file is no longer supported
-#
 sub process_tos() {
 
    if ( my $fn = open_file 'tos' ) {
@@ -148,9 +145,6 @@ sub setup_ecn()
     }
 }
 
-#
-# Add a logging rule followed by a jump
-#
 sub add_rule_pair( $$$$$ ) {
     my ($chainref , $predicate , $target , $level, $tag ) = @_;
 
@@ -408,9 +402,6 @@ EOF
     }
 }
 
-#
-# Convert a routestopped file into an equivalent stoppedrules file
-#
 sub convert_routestopped() {
 
     if ( my $fn = open_file 'routestopped' ) {
@@ -671,26 +662,13 @@ sub process_stoppedrules() {
     $result;
 }
 
-#
-# Generate the rules required when DOCKER=Yes
-#
 sub create_docker_rules() {
     add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
 
     my $chainref = $filter_table->{FORWARD};
 
-    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
-    add_commands( $chainref, '[ -n "$g_dockeruser" ]    && echo "-A FORWARD -j DOCKER-USER"    >&3', );
-    add_commands( $chainref ,
-		  '',
-		  'case "$g_dockernetwork" in',
-		  '    One)',
-		  '        echo "-A FORWARD -j DOCKER-ISOLATION" >&3',
-		  '        ;;',
-		  '    Two)',
-		  '        echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',
-		  '        ;;',
-		  'esac' );
+    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS"   >&3', );
+    add_commands( $chainref, '[ -n "$g_dockernetwork" ] && echo "-A FORWARD -j DOCKER-ISOLATION" >&3', );
 
     if ( my $dockerref = known_interface('docker0') ) {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
@@ -715,9 +693,6 @@ sub create_docker_rules() {
 
 sub setup_mss();
 
-#
-# Add rules generated by .conf options and interface options
-#
 sub add_common_rules ( $ ) {
     my ( $upgrade ) = @_;
     my $interface;
@@ -743,7 +718,7 @@ sub add_common_rules ( $ ) {
 
     if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
-	fatal_error( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
+	fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
     } else {
 	if ( have_capability( 'ADDRTYPE' ) ) {
 	    add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
@@ -835,7 +810,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -1298,13 +1273,6 @@ my %maclist_targets = ( ACCEPT => { target => 'RETURN' , mangle => 1 } ,
 			REJECT => { target => 'reject' , mangle => 0 } ,
 			DROP   => { target => 'DROP' ,   mangle => 1 } );
 
-#
-# Create rules generated by the 'maclist' option and by entries in the maclist file.
-#
-# The function is called twice. The first call passes '1' and causes the maclist file
-# to be processed. The second call passes '2' and generates the jumps for 'maclist'
-# interfaces.
-#
 sub setup_mac_lists( $ ) {
 
     my $phase = $_[0];
@@ -1746,9 +1714,9 @@ sub add_interface_jumps {
 	    add_ijump( $filter_table->{input_chain $bridge },
 		       j => $inputref ,
 		       imatch_source_dev( $interface, 1 )
-		) unless $input_jump_added{$interface}   || ! use_interface_chain( $interface, 'use_input_chain' );
+		    ) unless $input_jump_added{$interface}   || ! use_input_chain $interface, $inputref;
 
-	    unless ( $output_jump_added{$interface} || ! use_interface_chain( $interface, 'use_output_chain') ) {
+	    unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
 		add_ijump( $filter_table->{output_chain $bridge} ,
 			   j => $outputref ,
 			   imatch_dest_dev( $interface, 1 ) )
@@ -1757,10 +1725,10 @@ sub add_interface_jumps {
 	} else {
 	    add_ijump ( $filter_table->{FORWARD}, j => 'ACCEPT', imatch_source_dev( $interface) , imatch_dest_dev( $interface) ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
 
-	    add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref )         && ! $forward_jump_added{$interface}++;
-	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) if use_interface_chain( $interface, 'use_input_chain' ) && ! $input_jump_added{$interface}++;
+	    add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref ) && ! $forward_jump_added{$interface}++;
+	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) if use_input_chain( $interface, $inputref )     && ! $input_jump_added{$interface}++;
 
-	    if ( use_interface_chain( $interface, 'use_output_chain' ) ) {
+	    if ( use_output_chain $interface, $outputref ) {
 		add_ijump $filter_table->{OUTPUT} , j => $outputref , imatch_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ) || $output_jump_added{$interface}++;
 	    }
 	}
@@ -1949,7 +1917,7 @@ sub add_output_jumps( $$$$$$$$ ) {
     my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
     my @zone_interfaces   = keys %{zone_interfaces( $zone )};
 
-    if ( @vservers || use_interface_chain( $interface, 'use_output_chain' ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
+    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 	#
 	# - There are vserver zones (so OUTPUT will have multiple source; or
 	# - We must use the interface output chain; or
@@ -2083,7 +2051,7 @@ sub add_input_jumps( $$$$$$$$$ ) {
     my @source            = imatch_source_net $net;
     my @ipsec_in_match    = match_ipsec_in  $zone , $hostref;
 
-    if ( @vservers || use_interface_chain( $interface, 'use_input_chain' ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
+    if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 	#
 	# - There are vserver zones (so INPUT will have multiple destinations; or
 	# - We must use the interface input chain; or
@@ -2476,9 +2444,6 @@ sub generate_matrix() {
     }
 }
 
-#
-# Generate MSS rules
-#
 sub setup_mss( ) {
     my $clampmss = $config{CLAMPMSS};
     my $option;
@@ -2589,6 +2554,9 @@ EOF
 	        reload)
 	            mylogger kern.err "ERROR:$g_product reload failed"
 	            ;;
+	        refresh)
+	            mylogger kern.err "ERROR:$g_product refresh failed"
+	            ;;
                 enable)
                     mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
                     ;;
@@ -2678,6 +2646,7 @@ EOF
 
         rm -f ${VARDIR}/proxyarp
     fi
+
 EOF
     } else {
 	emit <<'EOF';
@@ -2691,6 +2660,7 @@ EOF
 
         rm -f ${VARDIR}/proxyndp
     fi
+
 EOF
     }
 

Shorewall/Perl/Shorewall/Nat.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Nat.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Nat.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -37,7 +37,7 @@ use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule convert_masq @addresses_to_add %addresses_to_add ) ] );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule process_one_masq convert_masq @addresses_to_add %addresses_to_add ) ] );
 our @EXPORT_OK = ();
 
 Exporter::export_ok_tags('rules');
@@ -90,7 +90,7 @@ sub process_one_masq1( $$$$$$$$$$$ )
     #
     # Handle early matches
     #
-    if ( $inlinematches =~ s/^s*\+// ) {
+    if ( $inlinematches =~ s/s*\+// ) {
 	$prerule = $inlinematches;
 	$inlinematches = '';
     }
@@ -587,11 +587,11 @@ EOF
 # Convert a masq file into the equivalent snat file
 #
 sub convert_masq() {
-    my $have_masq_rules;
-
     if ( my $fn = open_file( 'masq', 1, 1 ) ) {
 	my ( $snat, $fn1 ) = open_snat_for_output( $fn );
 
+	my $have_masq_rules;
+
 	directive_callback(
 	    sub ()
 	    {
@@ -647,8 +647,6 @@ sub convert_masq() {
 
 	close $snat, directive_callback( 0 );
     }
-
-    $have_masq_rules;
 }
 
 #

Shorewall/Perl/Shorewall/Proc.pm

@@ -1,5 +1,5 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #

Shorewall/Perl/Shorewall/Providers.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Providers.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Providers.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -60,63 +60,25 @@ our @routemarked_providers;
 our %routemarked_interfaces;
 our @routemarked_interfaces;
 our %provider_interfaces;
-our @load_providers;
+our @load_interfaces;
 
-our $balancing;               # True, if there are balanced providers
-our $fallback;                # True, if there are fallback providers
-our $balanced_providers;      # Count of balanced providers
-our $fallback_providers;      # Count of fallback providers
-our $metrics;                 # True, if using statistical balancing
-our $first_default_route;     # True, until we generate the first 'via' clause for balanced providers
-our $first_fallback_route;    # True, until we generate the first 'via' clause for fallback providers
-our $maxload;                 # Sum of 'load' values
-our $tproxies;                # Count of tproxy providers
+our $balancing;
+our $fallback;
+our $balanced_providers;
+our $fallback_providers;
+our $metrics;
+our $first_default_route;
+our $first_fallback_route;
+our $maxload;
+our $tproxies;
 
-our %providers;               # Provider table
-#
-# %provider_table { <provider> => { provider	      => <provider name>,
-#				    number	      => <provider number>,
-#				    id		      => <name> or <number> depending on USE_RT_NAMES,
-#				    rawmark	      => <specified mark value>,
-#				    mark	      => <mark, in hex>,
-#				    interface	      => <logical interface>,
-#				    physical	      => <physical interface>,
-#				    optional	      => {0|1},
-#				    wildcard	      => <from interface>,
-#				    gateway	      => <gateway>,
-#				    gatewaycase	      => { 'detect', 'none', or 'specified' },
-#				    shared	      => <true, if multiple providers through this interface>,
-#				    copy	      => <contents of the COPY column>,
-#				    balance	      => <balance count>,
-#				    pref	      => <route rules preference (priority) value>,
-#				    mtu		      => <mtu>,
-#				    noautosrc	      => {0|1} based on [no]autosrc setting,
-#				    track	      => {0|1} based on 'track' setting,
-#				    loose	      => {0|1} based on 'loose' setting,
-#				    duplicate	      => <contents of the DUPLICATE column>,
-#				    address	      => If {shared} above, then the local IP address.
-#							 Otherwise, the value of the 'src' option,
-#				    mac		      => Mac address of gateway, if {shared} above,
-#				    tproxy	      => {0|1},
-#				    load	      => <load % for statistical balancing>,
-#				    pseudo	      => {0|1}. 1 means this is an optional interface and not
-#							 a real provider,
-#				    what	      => 'provider' or 'interface' depending on {pseudo} above,
-#				    hostroute	      => {0|1} based on [no]hostroute setting,
-#				    rules	      => ( <routing rules> ),
-#				    persistent_rules  => ( <persistent routing rules> ),
-#				    routes	      => ( <routes> ),
-#				    persistent_routes => ( <persistent routes> ),
-#				    persistent	      => {0|1} depending on 'persistent' setting,
-#				    routedests	      => { <subnet> => 1 , ... }, (used for duplicate destination detection),
-#				    origin	      => <filename and linenumber where provider/interface defined>
-#		   }
+our %providers;
 
-our @providers;    # Provider names. Only declared names are included in this array. 
+our @providers;
 
-our $family;       # Address family
+our $family;
 
-our $lastmark;     # Highest assigned mark
+our $lastmark;
 
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 
@@ -137,7 +99,7 @@ sub initialize( $ ) {
     %routemarked_interfaces = ();
     @routemarked_interfaces = ();
     %provider_interfaces    = ();
-    @load_providers         = ();
+    @load_interfaces        = ();
     $balancing              = 0;
     $balanced_providers     = 0;
     $fallback_providers     = 0;
@@ -170,6 +132,7 @@ sub setup_route_marking() {
     #
     # Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
     #
+
     if ( $config{ZERO_MARKS} ) {
 	add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
     }
@@ -198,15 +161,6 @@ sub setup_route_marking() {
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref,  $origin, i => $physical,     mark => "--mark 0/$mask";
 		add_ijump_extended $mangle_table->{PREROUTING} , j => $chainref1, $origin, i => "! $physical", mark => "--mark  $mark/$mask";
 		add_ijump_extended $mangle_table->{OUTPUT}     , j => $chainref2, $origin,                     mark => "--mark  $mark/$mask";
-
-		if ( have_ipsec ) {
-		    if ( have_capability( 'MARK_ANYWHERE' ) && ( my $chainref = $filter_table->{forward_chain($interface)} ) ) {
-			add_ijump_extended $chainref, j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}",               , state_imatch('NEW'), policy => '--dir in --pol ipsec';
-		    } elsif ( have_capability( 'MANGLE_FORWARD' ) ) {
-			add_ijump_extended $mangle_table->{FORWARD},                   j => 'CONNMARK', $origin, targetopts => "--set-mark 0${exmask}", i => $physical, state_imatch('NEW'), policy => '--dir in --pol ipsec';
-		    }
-		}
-
 		$marked_interfaces{$interface} = 1;
 	    }
 
@@ -222,16 +176,16 @@ sub setup_route_marking() {
 	add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
     }
 
-    if ( @load_providers ) {
+    if ( @load_interfaces ) {
 	my $chainref1 = new_chain 'mangle', 'balance';
 	my @match;
 
 	add_ijump $chainref,               g => $chainref1, mark => "--mark 0/$mask";
 	add_ijump $mangle_table->{OUTPUT}, j => $chainref1, state_imatch( 'NEW,RELATED' ), mark => "--mark 0/$mask";
 
-	for my $provider ( @load_providers ) {
+	for my $physical ( @load_interfaces ) {
 
-	    my $chainref2 = new_chain( 'mangle', load_chain( $provider ) );
+	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
 
 	    set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );
 
@@ -375,22 +329,22 @@ sub balance_default_route( $$$$ ) {
     if ( $first_default_route ) {
 	if ( $balanced_providers == 1 ) {
 	    if ( $gateway ) {
-		emit qq(DEFAULT_ROUTE="via $gateway dev $interface $realm");
+		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
 	    } else {
-		emit qq(DEFAULT_ROUTE="dev $interface $realm");
+		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
 	    }
 	} elsif ( $gateway ) {
-	    emit qq(DEFAULT_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(DEFAULT_ROUTE="nexthop dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}
 
 	$first_default_route = 0;
     } else {
 	if ( $gateway ) {
-	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(DEFAULT_ROUTE="\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm");
+	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop dev $interface weight $weight $realm\"";
 	}
     }
 }
@@ -405,22 +359,22 @@ sub balance_fallback_route( $$$$ ) {
     if ( $first_fallback_route ) {
 	if ( $fallback_providers == 1 ) {
 	    if ( $gateway ) {
-		emit qq(FALLBACK_ROUTE="via $gateway dev $interface $realm");
+		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
 	    } else {
-		emit qq(FALLBACK_ROUTE="dev $interface $realm");
+		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
 	    }
 	} elsif ( $gateway ) {
-	    emit qq(FALLBACK_ROUTE="nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(FALLBACK_ROUTE="nexthop dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
 	}
 
 	$first_fallback_route = 0;
     } else {
 	if ( $gateway ) {
-	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
-	    emit qq(FALLBACK_ROUTE="\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm");
+	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop dev $interface weight $weight $realm\"";
 	}
     }
 }
@@ -483,7 +437,7 @@ sub process_a_provider( $ ) {
     fatal_error 'NAME must be specified' if $table eq '-';
 
     unless ( $pseudo ) {
-	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[A-Za-z][\w]*$/;
+	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
 
 	my $num = numeric_value $number;
 
@@ -673,7 +627,6 @@ sub process_a_provider( $ ) {
     }
 
     fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
-    fatal_error "An interface supporting multiple providers may not be optional" if $shared && $optional;
 
     unless ( $pseudo ) {
 	if ( $local ) {
@@ -714,6 +667,7 @@ sub process_a_provider( $ ) {
     $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
 
     if ( $mark ne '-' ) {
+
 	require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
 
 	if ( $tproxy && ! $local ) {
@@ -816,7 +770,7 @@ sub process_a_provider( $ ) {
 	push @routemarked_providers, $providers{$table};
     }
 
-    push @load_providers, $table if $load;
+    push @load_interfaces, $physical if $load;
 
     push @providers, $table;
 
@@ -913,7 +867,7 @@ sub add_a_provider( $$ ) {
 	    }
 
 	    emit( "run_ip route replace default via $gateway src $address dev $physical ${mtu}table $id $realm" );
-	    emit( qq(echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
+	    emit( qq( echo "\$IP route del default via $gateway src $address dev $physical ${mtu}table $id $realm > /dev/null 2>&1"  >> \${VARDIR}/undo_${table}_routing) );
 	}
 
 	if ( ! $noautosrc ) {
@@ -922,8 +876,7 @@ sub add_a_provider( $$ ) {
 		emit( "run_ip rule add from $address pref 20000 table $id" ,
 		      "echo \"\$IP -$family rule del from $address pref 20000> /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
 	    } else {
-		emit  ( '',
-			"find_interface_addresses $physical | while read address; do",
+		emit  ( "find_interface_addresses $physical | while read address; do",
 			"    qt \$IP -$family rule del from \$address",
 			"    run_ip rule add from \$address pref 20000 table $id",
 			"    echo \"\$IP -$family rule del from \$address pref 20000 > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
@@ -978,9 +931,8 @@ sub add_a_provider( $$ ) {
 	}
     }
 
-    emit( "echo $load > \${VARDIR}/${table}_load",
-	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${table}_mark",
-	  "echo $physical > \${VARDIR}/${table}_interface" ) if $load;
+    emit( "echo $load > \${VARDIR}/${physical}_load",
+	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${physical}_mark" ) if $load;
 
     emit( '',
 	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
@@ -1135,7 +1087,7 @@ CEOF
 	    $weight = 1;
 	}
 
-	emit ( "distribute_load $maxload @load_providers" ) if $load;
+	emit ( "distribute_load $maxload @load_interfaces" ) if $load;
 
 	unless ( $shared ) {
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
@@ -1282,14 +1234,14 @@ CEOF
 	}
 
 	emit ( '',
-	       "distribute_load $maxload @load_providers" ) if $load;
+	       "distribute_load $maxload @load_interfaces" ) if $load;
 
 	if ( $persistent ) {
 	    emit ( '',
 		   'if [ $COMMAND = disable ]; then',
 		   "    do_persistent_${what}_${table}",
 		   "else",
-		   "    echo 1 > \${VARDIR}/${physical}_disabled",
+		   "    echo 1 > \${VARDIR}/${physical}_disabled\n",
 		   "fi\n",
 		 );
 	}
@@ -1623,7 +1575,7 @@ sub finish_providers() {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
 	} else {
 	    emit  ( "    if echo \$DEFAULT_ROUTE | grep -q 'nexthop.+nexthop'; then",
-		    "        while qt \$IP -6 route delete default table $table; do true; done",
+		    "        qt \$IP -6 route delete default scope global table $table \$DEFAULT_ROUTE",
 		    "        run_ip route add default scope global table $table \$DEFAULT_ROUTE",
 		    '    else',
 		    "        run_ip route replace default scope global table $table \$DEFAULT_ROUTE",
@@ -1632,8 +1584,7 @@ sub finish_providers() {
 	}
 
 	if ( $config{USE_DEFAULT_RT} ) {
-	    emit  ( '',
-		    "    while qt \$IP -$family route del default table $main; do",
+	    emit  ( "    while qt \$IP -$family route del default table $main; do",
 		    '        true',
 		    '    done',
 		    ''
@@ -1653,7 +1604,7 @@ sub finish_providers() {
 	emit(   'fi',
 		'' );
     } else {
-	if ( ( $fallback || @load_providers ) && $config{USE_DEFAULT_RT} ) {
+	if ( ( $fallback || @load_interfaces ) && $config{USE_DEFAULT_RT} ) {
 	    emit  ( q(#),
 		    q(# Delete any default routes in the 'main' table),
 		    q(#),
@@ -1687,7 +1638,7 @@ sub finish_providers() {
 	if ( $family == F_IPV4 ) {
 	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    while qt \$IP -6 route delete default table $default; do true; done" );
+	    emit( "    run_ip route delete default scope global table $default \$FALLBACK_ROUTE" );
 	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}
 
@@ -1779,7 +1730,7 @@ sub process_providers( $ ) {
 
     add_a_provider( $providers{$_}, $tcdevices ) for @providers;
 
-    emithd << 'EOF';;
+    emit << 'EOF';;
 
 #
 # Enable an optional provider
@@ -1825,11 +1776,12 @@ EOF
     pop_indent;
     pop_indent;
 
-    emithd << 'EOF';;
+    emit << 'EOF';;
         *)
             startup_error "$g_interface is not an optional provider or interface"
             ;;
     esac
+
 }
 
 #
@@ -1933,38 +1885,38 @@ sub setup_providers() {
 
 	start_providers;
 
-	setup_null_routing, emit '' if $config{NULL_ROUTE_RFC1918};
+	setup_null_routing if $config{NULL_ROUTE_RFC1918};
 
-	if ( @providers ) {
-	    emit "start_$providers{$_}->{what}_$_" for @providers;
-	    emit '';
-	}
+	emit '';
+
+	emit "start_$providers{$_}->{what}_$_" for @providers;
+
+	emit '';
 
 	finish_providers;
 
 	emit "\nrun_ip route flush cache";
 
 	pop_indent;
-	emit 'fi';
+	emit "fi\n";
 
-	setup_route_marking if @routemarked_interfaces || @load_providers;
+	setup_route_marking if @routemarked_interfaces || @load_interfaces;
     } else {
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";
 
 	push_indent;
 
-	emit "undo_routing";
-	emit "restore_default_route $config{USE_DEFAULT_RT}";
-
 	if ( $pseudoproviders ) {
 	    emit '';
 	    emit "start_$providers{$_}->{what}_$_" for @providers;
 	}
 
+	emit "\nundo_routing";
+	emit "restore_default_route $config{USE_DEFAULT_RT}";
+
 	my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
 
 	if ( $config{NULL_ROUTE_RFC1918} ) {
-	    emit '';
 	    setup_null_routing;
 	    emit "\nrun_ip route flush cache" unless $standard_routes;
 	}
@@ -1984,7 +1936,7 @@ sub setup_providers() {
 
 	pop_indent;
 
-	emit 'fi';
+	emit "fi\n";
     }
 }
 
@@ -2234,13 +2186,17 @@ sub provider_realm( $ ) {
 }
 
 #
-# Perform processing related to optional interfaces. Returns true if there are optional interfaces.
-
+# This function is called by the compiler when it is generating the detect_configuration() function.
+# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
+# ..._IS_USABLE interface variables appropriately for the  optional interfaces
 #
-sub handle_optional_interfaces() {
+# Returns true if there were required or optional interfaces
+#
+sub handle_optional_interfaces( $ ) {
 
     my @interfaces;
     my $wildcards;
+
     #
     # First do the provider interfacess. Those that are real providers will never have wildcard physical
     # names but they might derive from wildcard interface entries. Optional interfaces which do not have
@@ -2264,6 +2220,10 @@ sub handle_optional_interfaces() {
 
     if ( @interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
+	my $gencase     = shift;
+
+	verify_required_interfaces( $gencase );
+	emit '' if $gencase;
 
 	emit( 'HAVE_INTERFACE=', '' ) if $require;
 	#
@@ -2406,7 +2366,7 @@ sub handle_optional_interfaces() {
 	    emit( '',
 		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
 		  '    case "$COMMAND" in',
-		  '        start|reload|restore)'
+		  '        start|reload|restore|refresh)'
 		);
 
 	    if ( $family == F_IPV4 ) {
@@ -2427,6 +2387,8 @@ sub handle_optional_interfaces() {
 
 	return 1;
     }
+
+    verify_required_interfaces( shift );
 }
 
 #
@@ -2523,7 +2485,7 @@ sub handle_stickiness( $ ) {
 	}
     }
 
-    if ( @routemarked_providers || @load_providers ) {
+    if ( @routemarked_providers || @load_interfaces ) {
 	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
 	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
     }
@@ -2531,9 +2493,9 @@ sub handle_stickiness( $ ) {
 
 sub setup_load_distribution() {
     emit ( '',
-	   "distribute_load $maxload @load_providers" ,
+	   "distribute_load $maxload @load_interfaces" ,
 	   ''
-	 ) if @load_providers;
+	 ) if @load_interfaces;
 }
 
 1;

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Proxyarp.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -96,7 +96,6 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
     }
 
     emit ( "run_ip neigh add proxy $address nud permanent dev $extphy" ,
-	   '' ,
 	   qq(progress_message "   Host $address connected to $interface added to $proto on $extphy"\n) );
 
     push @proxyarp, "$address $interface $external $haveroute";

Shorewall/Perl/Shorewall/Raw.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Raw.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Raw.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2019 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -70,13 +70,6 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     my $zone;
     my $restriction = PREROUTE_RESTRICT;
-    my $raw_matches = get_inline_matches(0);
-    my $prerule = '';
-
-    if ( $raw_matches =~ /^s*+/ ) {
-	$prerule = $raw_matches;
-	$raw_matches = '';
-    }
 
     if ( $chainref ) {
 	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
@@ -98,7 +91,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     my $disposition = $action;
     my $exception_rule = '';
-
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
     my $level = '';
 
     if ( $action =~ /^(?:NFLOG|ULOG)/ ) {
@@ -145,14 +138,6 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
 	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
 
-	if ( $proto ne '-' ) {
-	    if ( $proto =~ s/:all$// ) {
-		fatal_error '":all" may only be used with TCP' unless resolve_proto( $proto ) == TCP;
-	    } else {
-		$proto = TCP . ':syn' if $proto !~ /:syn/ && resolve_proto( $proto ) == TCP;
-	    }
-	}
-
 	if ( $option eq 'notrack' ) {
 	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
@@ -213,11 +198,8 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 
     expand_rule( $chainref ,
 		 $restriction ,
-		 $prerule,
-		 do_proto( $proto, $ports, $sports ) . 
-		 do_user ( $user ) . 
-		 do_condition( $switch , $chainref->{name} ) .
-		 $raw_matches ,
+		 '',
+		 $rule,
 		 $source ,
 		 $dest ,
 		 '' ,
@@ -324,7 +306,7 @@ sub setup_conntrack($) {
 				     { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } );
 		    $action = 'NOTRACK';
 		} else {
-		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line2( 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, undef, undef, 1 );
+		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
 		}
 
 		$empty = 0;

Shorewall/Perl/Shorewall/Tc.pm

@@ -1,9 +1,9 @@
 #
-# Shorewall 5.2 -- /usr/share/shorewall/Shorewall/Tc.pm
+# Shorewall 5.0 -- /usr/share/shorewall/Shorewall/Tc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -225,11 +225,11 @@ sub handle_in_bandwidth( $$$ ) {
     if ( have_capability 'BASIC_FILTER' ) {
 	if ( $in_rate ) {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
-		  "    police mpu 64 rate ${in_rate}kbit burst $in_burst drop\n" );
+		  "    police mpu 64 drop rate ${in_rate}kbit burst $in_burst\n" );
 	} else {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\",
 		  "    estimator $in_interval $in_decay basic \\",
-		  "    police avrate ${in_avrate}kbit drop\n" );
+		  "    police drop avrate ${in_avrate}kbit\n" );
 	}
     } else {
 	emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\" ,