Don't run the 'up' command twice when an dual-stack interface comes up

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/INSTALL

@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5
 
 ---------------------------------------------------------------------------
 
-Please see http://www.shorewall.net/Install.htm for installation
+Please see https://shorewall.org/Install.htm for installation
 instructions.
 
 

Shorewall-core/Shorewall-core-targetname

@@ -0,0 +1 @@
+5.2.4.1

Shorewall-core/configure

@@ -4,7 +4,7 @@
 #
 #     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/configure.pl

@@ -4,7 +4,7 @@
 #
 #     (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/install.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.base

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.cli

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -4120,9 +4120,9 @@ start_command() {
 
 	if [ -x $g_firewall ]; then
 	    if [ -n "$g_fast" -a -x ${VARDIR}/${RESTOREFILE} -a ! $g_firewall -nt ${VARDIR}/${RESTOREFILE} ]; then
-		run_it ${VARDIR}/${RESTOREFILE} $g_debugging restore
+		run_it ${VARDIR}/${RESTOREFILE} restore
 	    else
-		run_it $g_firewall $g_debugging start
+		run_it $g_firewall start
 	    fi
 	    rc=$?
 	else
@@ -4256,7 +4256,7 @@ restart_command() {
     [ -n "$g_nolock" ] || mutex_on
 
     if [ -x $g_firewall ]; then
-	run_it $g_firewall $g_debugging $COMMAND
+	run_it $g_firewall $COMMAND
 	rc=$?
     else
 	error_message "$g_firewall is missing or is not executable"
@@ -4270,7 +4270,7 @@ restart_command() {
 
 run_command() {
     if [ -x $g_firewall ] ; then
-	run_it $g_firewall $g_debugging $@
+	run_it $g_firewall $@
     else
 	fatal_error "$g_firewall does not exist or is not executable"
     fi
@@ -4287,7 +4287,13 @@ ecko() {
 #
 usage() # $1 = exit status
 {
-    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
+    echo "Usage: $(basename $0) [ -T ] [ -D ] [ -N ] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
+    echo "   -T : Direct the generated script to produce a shell trace to standard error"
+    echo "   -D : Debug iptables commands"
+    echo "   -N : Don't take the master shorewall lock"
+    echo "   -q : Standard Shorewall verbosity control"
+    echo "   -v : Standard Shorewall verbosity control"
+    echo "   -t : Timestamp all messages"
     echo "where <command> is one of:"
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
@@ -4317,7 +4323,6 @@ usage() # $1 = exit status
 	echo "   iptrace <ip6tables match expression>"
     fi
 
-    ecko "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ -i ] [ <directory> ] <system>"
     echo "   logdrop <address> ..."
     echo "   logreject <address> ..."
     echo "   logwatch [<refresh interval>]"
@@ -4415,20 +4420,16 @@ usage() # $1 = exit status
 # here if that lib is loaded below.
 #
 shorewall_cli() {
-    g_debugging=
-
-    if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
-	g_debugging=$1
-	shift
-    fi
-
     g_nolock=
-
+    #
+    # We'll keep this around for a while so we don't break people's started scripts
+    #
     if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
 	g_nolock=nolock
 	shift
     fi
 
+    g_debugging=
     g_noroutes=
     g_purge=
     g_ipt_options="-nv"
@@ -4456,6 +4457,7 @@ shorewall_cli() {
     g_blacklistipset=
     g_disconnect=
     g_havemutex=
+    g_trace=
 
     VERBOSE=
     VERBOSITY=1
@@ -4587,6 +4589,17 @@ shorewall_cli() {
 			    finished=1
 			    option=
 			    ;;
+			T*)
+			    g_debugging=trace
+			    option=${option#T}
+			    ;;
+			D*)
+			    g_debugging=debug
+			    option=${option#D}
+			    ;;
+			N*)
+			    g_nolock=nolock
+			    ;;
 			*)
 			    option_error $option
 			    ;;
@@ -4639,7 +4652,7 @@ shorewall_cli() {
 	    get_config
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
 	    [ -n "$g_nolock" ] || mutex_on
-	    run_it $g_firewall $g_debugging $COMMAND
+	    run_it $g_firewall $COMMAND
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reset)
@@ -4648,7 +4661,7 @@ shorewall_cli() {
 	    shift
 	    [ -n "$g_nolock" ] || mutex_on
 	    [ -x $g_firewall ] || fatal_error "$g_product has never been started"
-	    run_it $g_firewall $g_debugging reset $@
+	    run_it $g_firewall reset $@
 	    [ -n "$g_nolock" ] || mutex_off
 	    ;;
 	reload|restart)
@@ -4661,7 +4674,7 @@ shorewall_cli() {
 	    only_root
 	    get_config Yes
 	    if product_is_started; then
-		run_it $g_firewall $g_debugging $@
+		run_it $g_firewall $@
 	    else
 		fatal_error "$g_product is not running"
 	    fi
@@ -4816,7 +4829,7 @@ shorewall_cli() {
 		    # It isn't a function visible to this script -- try
 		    # the compiled firewall
 		    #
-		    run_it $g_firewall $g_debugging call $@
+		    run_it $g_firewall call $@
 		fi
 	    else
 		missing_argument

Shorewall-core/lib.common

@@ -3,7 +3,7 @@
 #
 #     (c) 2010-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -92,18 +92,20 @@ startup_error() # $* = Error Message
 #
 run_it() {
     local script
-    local options
+    local options='-'
 
     export VARDIR
 
     script=$1
     shift
 
-    if [ x$1 = xtrace -o x$1 = xdebug ]; then
-	options="$1 -"
-	shift;
+
+    if [ "$g_debugging" = debug ]; then
+	options='-D'
+    elif [ "$g_debugging" = trace ]; then
+	options='-T'
     else
-	options='-'
+	options='-';
     fi
 
     [ -n "$g_noroutes" ]   && options=${options}n
@@ -736,8 +738,8 @@ truncate() # $1 = length
 
 #
 # Call this function to assert mutual exclusion with Shorewall. If you invoke the
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
-# the first argument. Example "shorewall nolock refresh"
+# /sbin/shorewall program while holding mutual exclusion, you should pass -N as
+# the first argument. Example "shorewall -N refresh"
 #
 # This function uses the lockfile utility from procmail if it exists.
 # Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the

Shorewall-core/lib.core

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.installer

@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.uninstaller

@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/manpages/shorewall.xml

@@ -21,9 +21,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg rep="norepeat">options</arg>
 
       <arg choice="plain"><option>add {</option></arg>
@@ -39,9 +36,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>allow</option></arg>
@@ -52,9 +46,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>blacklist</option></arg>
@@ -67,9 +58,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>call</option></arg>
@@ -106,9 +94,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg
@@ -118,9 +103,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>close</option><arg choice="req">
@@ -159,9 +141,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg rep="norepeat">options</arg>
 
       <arg choice="plain"><option>delete {</option></arg>
@@ -177,9 +156,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>disable</option></arg>
@@ -191,9 +167,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>drop</option></arg>
@@ -204,8 +177,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>dump</option></arg>
@@ -222,9 +193,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>enable</option></arg>
@@ -236,9 +204,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>export</option></arg>
@@ -252,9 +217,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>forget</option></arg>
@@ -265,8 +227,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>help</option></arg>
@@ -275,8 +235,6 @@
     <cmdsynopsis>
       <command>shorewall[-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg
@@ -286,8 +244,6 @@
     <cmdsynopsis>
       <command>shorewall[-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>ipcalc</option></arg>
@@ -304,8 +260,6 @@
     <cmdsynopsis>
       <command>shorewall[-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>iprange</option></arg>
@@ -317,8 +271,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>iptrace</option></arg>
@@ -330,9 +282,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>logdrop</option></arg>
@@ -343,8 +292,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>logwatch</option></arg>
@@ -357,9 +304,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>logreject</option></arg>
@@ -370,8 +314,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>noiptrace</option></arg>
@@ -394,9 +336,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>reenable</option></arg>
@@ -408,9 +347,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>reject</option></arg>
@@ -421,9 +357,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>reload</option></arg>
@@ -448,10 +381,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
-      <arg>options</arg>
-
       <arg choice="plain"><option>remote-getcaps</option></arg>
 
       <arg><option>-s</option></arg>
@@ -472,8 +401,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>remote-getrc</option></arg>
@@ -496,8 +423,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>remote-start</option></arg>
@@ -520,8 +445,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>remote-reload</option></arg>
@@ -544,8 +467,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>remote-restart</option></arg>
@@ -568,9 +489,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg
@@ -581,9 +499,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>restart</option></arg>
@@ -608,9 +523,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg
@@ -622,9 +534,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>run</option></arg>
@@ -637,9 +546,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>safe-restart</option></arg>
@@ -656,8 +562,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>safe-start</option></arg>
@@ -674,9 +578,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg
@@ -688,9 +589,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>savesets</option></arg>
@@ -699,8 +597,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -713,8 +609,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -735,8 +629,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -761,8 +653,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -774,8 +664,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -787,8 +675,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -800,8 +686,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -814,8 +698,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -827,8 +709,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -841,8 +721,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -853,8 +731,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="req"><option>show | list | ls </option></arg>
@@ -867,8 +743,7 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
 
       <arg>options</arg>
 
@@ -892,9 +767,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg
@@ -904,8 +776,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><arg
@@ -915,9 +785,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg
-      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>try</option></arg>
@@ -930,8 +797,6 @@
     <cmdsynopsis>
       <command>shorewall[6]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg choice="plain"><option>update</option></arg>
@@ -956,8 +821,6 @@
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
-
       <arg>options</arg>
 
       <arg
@@ -1025,16 +888,7 @@
   <refsect1>
     <title>Options</title>
 
-    <para>The <option>trace</option> and <option>debug</option> options are
-    used for debugging. See <ulink
-    url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
-
-    <para>The <option>nolock</option> option prevents the command from
-    attempting to acquire the Shorewall lockfile. It is useful if you need to
-    include <command>shorewall</command> commands in
-    <filename>/etc/shorewall/started</filename>.</para>
-
-    <para>Other <replaceable>options</replaceable> are:</para>
+    <para>The <replaceable>options</replaceable> are:</para>
 
     <variablelist>
       <varlistentry>
@@ -1141,7 +995,7 @@
           setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <para>When no <replaceable>verbosity</replaceable> is specified,
           each instance of this option causes 1 to be added to the effective
@@ -1162,7 +1016,7 @@
           setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <para>Each instance of this option causes 1 to be subtracted from
           the effective verbosity.</para>
@@ -1176,7 +1030,66 @@
           <para>Causes all progress messages to be timestamped.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>-T</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.2.4 to replace the earlier
+          <command>trace</command> keyword.. If the command invokes the
+          generated firewall script, the script's execution will be traced to
+          standard error.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>-D</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.2.4 to replace the earlier debug keyword.
+          If the command invokes the generated firewall script, individual
+          invocations of the ip[6]tables utility will be used to configure the
+          ruleset rather than ip[6]tables-restore. This is useful for
+          diagnosing ip[6]tables-restore failures on a *COMMIT command.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
+
+    <note>
+      <para>Prior to Shorewall 5.2.4, the general syntax for a CLI command
+      was:</para>
+
+      <cmdsynopsis>
+        <arg><option>trace|debug</option></arg>
+
+        <arg><option>nolock</option></arg>
+
+        <arg><replaceable>options</replaceable></arg>
+
+        <arg choice="plain"><replaceable>command</replaceable></arg>
+
+        <arg><replaceable>command-options</replaceable></arg>
+
+        <arg><replaceable>command-arguments</replaceable></arg>
+      </cmdsynopsis>
+
+      <para>Examples:</para>
+
+      <programlisting>    shorewall debug -tv2 reload
+    shorewall trace check
+    shorewall nolock enable eth0</programlisting>
+
+      <para>In Shorewall 5.2.4 and later, those commands would be:</para>
+
+      <programlisting>    shorewall -Dtv2 reload
+    shorewall check -D
+    shorewall -N enable eth0</programlisting>
+
+      <para>While not shown in the command synopses at the top of this page,
+      the <option>nolock</option> keyword is still supported in Shorewall
+      5.2.4 and later, but is deprecated in favor of the -<option>N
+      </option>option.</para>
+    </note>
   </refsect1>
 
   <refsect1>
@@ -1199,7 +1112,7 @@
           defined in the <ulink
           url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))file.
+          url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5))file.
           A <emphasis>host-list</emphasis> is comma-separated list whose
           elements are host or network addresses.<caution>
               <para>The <command>add</command> command is not very robust. If
@@ -1214,11 +1127,12 @@
           <para>Beginning with Shorewall 4.5.9, the <emphasis
           role="bold">dynamic_shared</emphasis> zone option (<ulink
           url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),<ulink
-          url="???">shorewall6-zones</ulink>(5)) allows a single ipset to
-          handle entries for multiple interfaces. When that option is
-          specified for a zone, the <command>add</command> command has the
-          alternative syntax in which the <replaceable>zone</replaceable> name
-          precedes the <replaceable>host-list</replaceable>.</para>
+          url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5))
+          allows a single ipset to handle entries for multiple interfaces.
+          When that option is specified for a zone, the <command>add</command>
+          command has the alternative syntax in which the
+          <replaceable>zone</replaceable> name precedes the
+          <replaceable>host-list</replaceable>.</para>
         </listitem>
       </varlistentry>
 
@@ -1294,7 +1208,7 @@
         <term><emphasis role="bold">check</emphasis> [-<option>e</option>]
         [-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
         [-<option>T</option>] [-<option>i</option>]
-        [<replaceable>directory</replaceable>]</term>
+        [-D][<replaceable>directory</replaceable>]</term>
 
         <listitem>
           <para>Not available with Shorewall[6]-lite.</para>
@@ -1332,7 +1246,11 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
+
+          <para>The <emphasis role="bold">-D </emphasis>option was added in
+          Shoewall 5.2.4 and causes the compiler to write a large amount of
+          debugging information to standard output.</para>
         </listitem>
       </varlistentry>
 
@@ -1383,8 +1301,9 @@
       <varlistentry>
         <term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
         [-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
-        [-<option>T</option>] [-<option>i</option>] [<replaceable> directory
-        </replaceable>] [<replaceable> pathname</replaceable> ]</term>
+        [-<option>T</option>] [-<option>i</option>] [-D] [<replaceable>
+        directory </replaceable>] [<replaceable> pathname</replaceable>
+        ]</term>
 
         <listitem>
           <para>Not available with shorewall[6]-lite.</para>
@@ -1440,7 +1359,11 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
+
+          <para>The <emphasis role="bold">-D </emphasis>option was added in
+          Shoewall 5.2.4 and causes the compiler to write a large amount of
+          debugging information to standard output.</para>
         </listitem>
       </varlistentry>
 
@@ -1458,7 +1381,7 @@
           defined in the <ulink
           url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
+          url="/manpages/shorewall-interfaces.html">shorewall6-interfaces</ulink>(5)
           file. A <emphasis>host-list</emphasis> is comma-separated list whose
           elements are a host or network address.</para>
 
@@ -1466,7 +1389,7 @@
           role="bold">dynamic_shared</emphasis> zone option (<ulink
           url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
           <ulink
-          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
+          url="/manpages/shorewall-zones.html">shorewall6-zones</ulink>(5))
           allows a single ipset to handle entries for multiple interfaces.
           When that option is specified for a zone, the
           <command>delete</command> command has the alternative syntax in
@@ -1493,7 +1416,7 @@
           command removes any routes added from <ulink
           url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
           (<ulink
-          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))and
+          url="/manpages/shorewall-routes.html">shorewall6-routes</ulink>(5))and
           any traffic shaping configuration for the interface.</para>
         </listitem>
       </varlistentry>
@@ -1554,7 +1477,7 @@
           adds any route specified in <ulink
           url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
           (<ulink
-          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))
+          url="/manpages/shorewall-routes.html">shorewall6-routes</ulink>(5))
           and installs the interface's traffic shaping configuration, if
           any.</para>
         </listitem>
@@ -1599,7 +1522,7 @@
           given then the file specified by RESTOREFILE in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
           assumed.</para>
         </listitem>
       </varlistentry>
@@ -1684,7 +1607,7 @@
           specified by the BLACKLIST_LOGLEVEL setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
           This command requires that the firewall be in the started state and
           that DYNAMIC_BLACKLIST=Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf
@@ -1700,16 +1623,16 @@
           <para>Monitors the log file specified by the LOGFILE option in
           <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
-          and produces an audible alarm when new Shorewall messages are
-          logged. The <emphasis role="bold">-m</emphasis> option causes the
-          MAC address of each packet source to be displayed if that
-          information is available. The
-          <replaceable>refresh-interval</replaceable> specifies the time in
-          seconds between screen refreshes. You can enter a negative number by
-          preceding the number with "--" (e.g., <command>shorewall logwatch --
-          -30</command>). In this case, when a packet count changes, you will
-          be prompted to hit any key to resume screen refreshes.</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) and
+          produces an audible alarm when new Shorewall messages are logged.
+          The <emphasis role="bold">-m</emphasis> option causes the MAC
+          address of each packet source to be displayed if that information is
+          available. The <replaceable>refresh-interval</replaceable> specifies
+          the time in seconds between screen refreshes. You can enter a
+          negative number by preceding the number with "--" (e.g.,
+          <command>shorewall logwatch -- -30</command>). In this case, when a
+          packet count changes, you will be prompted to hit any key to resume
+          screen refreshes.</para>
         </listitem>
       </varlistentry>
 
@@ -1723,7 +1646,7 @@
           specified by the BLACKLIST_LOGLEVEL setting in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5),
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
           This command requires that the firewall be in the started state and
           that DYNAMIC_BLACKLIST=Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf
@@ -1824,7 +1747,8 @@
         <term><emphasis role="bold">reload </emphasis>[-<option>n</option>]
         [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
         [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
-        [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
+        [-<option>C</option>] [-D] [ <replaceable>directory</replaceable>
+        ]</term>
 
         <listitem>
           <para>This command was re-implemented in Shorewall 5.0.0. The
@@ -1878,17 +1802,21 @@
                 INLINE_MATCHES is set to Yes in <ulink
                 url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                 (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))..</para>
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))..</para>
 
                 <para>The <option>-C</option> option was added in Shorewall
                 4.6.5 and is only meaningful when AUTOMAKE=Yes in <ulink
                 url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                 (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                 If an existing firewall script is used and if that script was
                 the one that generated the current running configuration, then
                 the running netfilter configuration will be reloaded as is so
                 as to preserve the iptables packet and byte counters.</para>
+
+                <para>The <emphasis role="bold">-D </emphasis>option was added
+                in Shoewall 5.2.4 and causes the compiler to write a large
+                amount of debugging information to standard output.</para>
               </listitem>
             </varlistentry>
 
@@ -2006,7 +1934,7 @@
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
           url="shorewall.conf.html">shorewall.conf</ulink>(5) (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>) is
           assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
@@ -2071,8 +1999,9 @@
           Beginning with Shorewall 5.0.13, if
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
+          (<ulink
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
           assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
@@ -2104,7 +2033,7 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 
@@ -2144,8 +2073,9 @@
           Beginning with Shorewall 5.0.13, if
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          url="/manpages/shorewall.conf.html">shorewall6.conf(5)</ulink>
+          (<ulink
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)) is
           assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
@@ -2177,7 +2107,11 @@
           set to Yes in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
+
+          <para>The <emphasis role="bold">-D </emphasis>option was added in
+          Shoewall 5.2.4 and causes the compiler to write a large amount of
+          debugging information to standard output.</para>
         </listitem>
       </varlistentry>
 
@@ -2204,7 +2138,8 @@
         <term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
         [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
         [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
-        [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
+        [-<option>C</option>] [-D] [ <replaceable>directory</replaceable>
+        ]</term>
 
         <listitem>
           <para>Beginning with Shorewall 5.0.0, this command performs a true
@@ -2264,6 +2199,10 @@
                 the one that generated the current running configuration, then
                 the running netfilter configuration will be reloaded as is so
                 as to preserve the iptables packet and byte counters.</para>
+
+                <para>The <emphasis role="bold">-D </emphasis>option was added
+                in Shoewall 5.2.4 and causes the compiler to write a large
+                amount of debugging information to standard output.</para>
               </listitem>
             </varlistentry>
 
@@ -2304,7 +2243,7 @@
           restored from the file specified by the RESTOREFILE option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <caution>
             <para>If your iptables ruleset depends on variables that are
@@ -2460,7 +2399,7 @@
           in the file specified by the RESTOREFILE option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <para>The <option>-C</option> option, added in Shorewall 4.6.5,
           causes the iptables packet and byte counters to be saved along with
@@ -2477,7 +2416,7 @@
           the SAVE_IPSETS option in <ulink
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
           (<ulink
-          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
           This command may be used to proactively save your ipset contents in
           the event that a system failure occurs prior to issuing a
           <command>stop</command> command.</para>
@@ -2645,7 +2584,7 @@
                 accounting counters (<ulink
                 url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>
                 (5), <ulink
-                url="/manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>(5)).</para>
+                url="/manpages/shorewall-accounting.html">shorewall6-accounting</ulink>(5)).</para>
               </listitem>
             </varlistentry>
 
@@ -2669,7 +2608,7 @@
                 file specified by the LOGFILE option in <ulink
                 url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                 (<ulink
-                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                 The <emphasis role="bold">-m</emphasis> option causes the MAC
                 address of each packet source to be displayed if that
                 information is available.</para>
@@ -2831,8 +2770,8 @@
         <term><emphasis role="bold">start </emphasis><emphasis role="bold">
         </emphasis>[-<option>n</option>] [-<option>p</option>]
         [-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
-        [-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [
-        <replaceable>directory</replaceable> ]</term>
+        [-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [-D]
+        [ <replaceable>directory</replaceable> ]</term>
 
         <listitem>
           <para><variablelist>
@@ -2851,7 +2790,7 @@
                   in <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5))
                   will be restored if that saved configuration exists and has
                   been modified more recently than the files in
                   /etc/shorewall. When <emphasis role="bold">-f</emphasis> is
@@ -2862,7 +2801,7 @@
                   option was added to <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                   When LEGACY_FASTSTART=No, the modification times of files in
                   /etc/shorewall are compared with that of
                   /var/lib/shorewall/firewall (the compiled script that last
@@ -2881,7 +2820,7 @@
                   overriding the AUTOMAKE setting in <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).
                   When both <option>-f</option> and <option>-c</option>are
                   present, the result is determined by the option that appears
                   last.</para>
@@ -2897,7 +2836,7 @@
                   INLINE_MATCHES is set to Yes in <ulink
                   url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
                   (<ulink
-                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+                  url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)).</para>
 
                   <para>The <option>-C</option> option was added in Shorewall
                   4.6.5 and is only meaningful when the <option>-f</option>
@@ -2906,6 +2845,11 @@
                   option was also specified in the <emphasis
                   role="bold">save</emphasis> command, then the packet and
                   byte counters will be restored.</para>
+
+                  <para>The <emphasis role="bold">-D </emphasis>option was
+                  added in Shoewall 5.2.4 and causes the compiler to write a
+                  large amount of debugging information to standard
+                  output.</para>
                 </listitem>
               </varlistentry>
 
@@ -3226,7 +3170,7 @@
 
     <simplelist>
       <member><ulink
-      url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink>
+      url="/starting_and_stopping_shorewall.htm">https://shorewall.org/starting_and_stopping_shorewall.htm</ulink>
       - Describes operational aspects of Shorewall.</member>
 
       <member><ulink url="shorewall-files.html">shorewall-files(5)</ulink> -

Shorewall-core/shorewall

@@ -5,7 +5,7 @@
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://www.shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/wait4ifup

@@ -6,7 +6,7 @@
 #
 #	This file is installed in /usr/share/shorewall/wait4ifup
 #
-#	Shorewall documentation is available at http://www.shorewall.net
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-init/ifupdown.debian.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -110,7 +110,7 @@ case $0 in
 	;;
     *)
         #
-        # Debian ifupdown system
+        # Debian ifupdown system - MODE and INTERFACE inherited from the environment
         #
 	INTERFACE="$IFACE"
 
@@ -127,6 +127,17 @@ esac
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null
 
 for PRODUCT in $PRODUCTS; do
+    if [ -n "$ADDRFAM" -a ${COMMAND} = up ]; then
+	case $PRODUCT in
+	    *6*)
+		[ ${ADDRFAM} = inet6 ] || continue
+		;;
+	    *)
+		[ ${ADDRFAM} = inet ] || continue
+		;;
+	esac
+    fi
+
     setstatedir
 
     if [ -x $VARLIB/$PRODUCT/firewall ]; then

Shorewall-init/ifupdown.fedora.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -90,7 +90,14 @@ case $0 in
 		COMMAND=down
 		;;
 	    *dispatcher.d*)
-		COMMAND="$2"
+		case "$2" in
+		    up|down)
+			COMMAND="$2"
+			;;
+		    *)
+			exit 0
+			;;
+		esac
 		;;
 	    *)
 		exit 0

Shorewall-init/ifupdown.suse.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -120,7 +120,14 @@ case $0 in
 	case $0 in
 	    *dispatcher.d*)
 		INTERFACE="$1"
-		COMMAND="$2"
+		case "$2" in
+		    up|down)
+			COMMAND="$2"
+			;;
+		    *)
+			exit 0
+			;;
+		esac
 		;;
 	    *if-up.d*)
 		COMMAND=up

Shorewall-init/init.debian.sh

@@ -8,7 +8,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License

Shorewall-init/init.suse.sh

@@ -7,7 +7,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License

Shorewall-init/install.sh

@@ -5,7 +5,7 @@
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-init/shorewall-init

@@ -6,7 +6,7 @@
 #	On most distributions, this file should be called
 #	/etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is part of Shorewall.
 #
@@ -93,7 +93,14 @@ shorewall_stop () {
     printf "Clearing \"Shorewall-based firewalls\": "
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
+	    #
+	    # Run in sub-shell to avoid name collisions
+	    #
+	    (
+		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		    ${STATEDIR}/firewall ${OPTIONS} clear
+		fi
+	    )
 	fi
     done
 

Shorewall-lite/Shorewall-lite-targetname

@@ -0,0 +1 @@
+5.2.4.1

Shorewall-lite/init.openwrt.sh

@@ -7,7 +7,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/init.sh

@@ -7,7 +7,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/init.suse.sh

@@ -8,7 +8,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License

Shorewall-lite/install.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.net
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/lib.base

@@ -3,7 +3,7 @@
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/manpages/shorewall-lite.conf.xml

@@ -183,7 +183,7 @@
     <title>See ALSO</title>
 
     <para><ulink
-    url="http://www.shorewall.net/Documentation_Index.html">http://www.shorewall.net/Documentation_Index.html</ulink></para>
+    url="https://shorewall.org/Documentation_Index.html">https://shorewall.org/Documentation_Index.html</ulink></para>
 
     <para>shorewall-lite(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),

Shorewall-lite/shorewall-lite.conf

@@ -8,7 +8,7 @@
 #  "man shorewall-lite.conf"
 #
 #  Manpage also online at
-#  http://www.shorewall.net/manpages/shorewall-lite.conf.html
+#  https://shorewall.org/manpages/shorewall-lite.conf.html
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################

Shorewall/Actions/action.A_REJECT

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.A_REJECT!

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Broadcast

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.DNSAmp

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Established

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.FIN

@@ -7,7 +7,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.IfEvent

@@ -27,7 +27,7 @@
 #                the IP address that are older than <duration> seconds.
 # Disposition  - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 ###############################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
@@ -115,8 +115,6 @@ if ( ( $targets{$action} || 0 ) & NATRULE ) {
 if ( $command & $RESET_CMD ) {
     require_capability 'MARK_ANYWHERE', '"reset"', 's';
     
-    print "Resetting....\n";
-    
     my $mark = $globals{EVENT_MARK};
     #
     # The event mark bit must be within 32 bits

Shorewall/Actions/action.Invalid

@@ -6,7 +6,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Limit

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Multicast

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.New

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.NotSyn

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.RST

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Related

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.ResetEvent

@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any rule generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 ###############################################################################
 #                        DO NOT REMOVE THE FOLLOWING LINE

Shorewall/Actions/action.SetEvent

@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.net/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 
 DEFAULTS -,ACCEPT,src

Shorewall/Actions/action.Untracked

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowBcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowInvalid

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowMcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowinUPnP

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropBcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropBcasts

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropInvalid

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropMcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropNotSyn

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.forwardUPnP

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.mangletemplate

@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.net/Actions.html for additional
+# Please see https://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/mangle.

Shorewall/Actions/action.rejNotSyn

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.net
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.template

@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.net/Actions.html for additional
+# Please see https://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/rules.

Shorewall/Contrib/swping

@@ -21,7 +21,7 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#  For information about this script, see  http://www.shorewall.net/MultiISP.html#swping.
+#  For information about this script, see  https://shorewall.org/MultiISP.html#swping.
 #
 ###########################################################################################
 #

Shorewall/Contrib/swping.init

@@ -7,7 +7,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License

Shorewall/INSTALL

@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5
 
 ---------------------------------------------------------------------------
 
-Please see http://www.shorewall.net/Install.htm for installation
+Please see https://shorewall.org/Install.htm for installation
 instructions.
 
 

Shorewall/Macros/macro.BitcoinRegtest

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinRegtest
+#
+# Macro for handling Bitcoin P2P traffic (Regtest mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18444

Shorewall/Macros/macro.BitcoinTestnet

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinTestnet
+#
+# Macro for handling Bitcoin P2P traffic (Testnet mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18333

Shorewall/Macros/macro.BitcoinTestnetRPC

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.BitcoinTestnetRPC
+#
+# Macro for handling Bitcoin RPC traffic (Testnet and Regtest mode)
+#
+##############################################################################################################################################################
+#ACTION     SOURCE      DEST        PROTO   DPORT   SPORT   ORIGDEST    RATE    USER    MARK    CONNLIMIT   TIME    HEADERS SWITCH  HELPER
+PARAM       -           -           tcp     18332

Shorewall/Perl/Shorewall/ARP.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Accounting.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Chains.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -37,6 +37,7 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
 use strict;
+use sort 'stable';
 
 our @ISA = qw(Exporter);
 our @EXPORT = ( qw(
@@ -536,6 +537,9 @@ our $ipset_rules;
 #
 use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
 
+#
+# Chain optimization flags
+#
 use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4, RETURNS => 8, RETURNS_DONT_MOVE => 12 };
 
 our %dscpmap = ( CS0  => 0x00,
@@ -694,7 +698,7 @@ use constant { UNIQUE      => 1,       # Simple header matches - only allowed on
 	       CONTROL     => 16,      # Unsed internally by the compiler - does not contribute to the iptables rule
 	       COMPLEX     => 32,      # Currently means 'contrack --cstate'
 	       NFACCT      => 64,      # nfacct match
-	       EXPENSIVE   => 128,     # Has high rule-processing cost in the kernel
+	       EXPENSIVE   => 128,     # Has high match-processing cost in the kernel
 	       RECENT      => 256,     # recent match
 	   };
 
@@ -1140,16 +1144,30 @@ sub set_rule_option( $$$ ) {
 	#
 	# Consider each subtype as a separate type
 	#
-	my ( $invert, $subtype, $val, $rest ) = split ' ', $value;
+	if ( have_capability( 'OLD_CONNTRACK_MATCH' ) ) {
+	    my ( $subtype, $invert, $val, $rest ) = split ' ', $value;
 
-	if ( $invert eq '!' ) {
-	    assert( ! supplied $rest );
-	    $option = join( ' ', $option, $invert, $subtype );
-	    $value  = $val;
+	    if ( $invert eq '!' ) {
+		assert( ! supplied $rest );
+		$option = join( ' ', $option, $subtype );
+		$value  = join( ' ', $invert, $val );
+	    } else {
+		assert( ! supplied $val );
+		$option  = join( ' ', $invert , $option );
+		$value   = $invert;
+	    }
 	} else {
-	    assert( ! supplied $val );
-	    $option  = join( ' ', $option, $invert );
-	    $value   = $subtype;
+	    my ( $invert, $subtype, $val, $rest ) = split ' ', $value;
+
+	    if ( $invert eq '!' ) {
+		assert( ! supplied $rest );
+		$option = join( ' ', $option, $invert, $subtype );
+		$value  = $val;
+	    } else {
+		assert( ! supplied $val );
+		$option  = join( ' ', $option, $invert );
+		$value   = $subtype;
+	    }
 	}
 
 	$opttype = EXCLUSIVE;
@@ -1222,8 +1240,8 @@ sub transform_rule( $;\$ ) {
 	    $option = $2;
 	} elsif ( $input =~ s/^(!\s+)?--([^\s]+)\s*// ) {
 	    $invert = '!' if $1;
-	    my $opt = $option = $2;
-	    fatal_error "Unrecognized iptables option ($opt}" unless $option = $aliases{$option};
+	    my $opt = $2;
+	    fatal_error "Unrecognized iptables option ($opt}" unless $option = $aliases{$opt};
 	} else {
 	    fatal_error "Unrecognized iptables option string ($input)";
 	}
@@ -1422,7 +1440,7 @@ sub compatible( $$ ) {
 	}
     }
     #
-    # Don't combine chains where each specifies
+    # Don't combine rules where each specifies
     #    -m policy and the policies are different
     # or when one specifies
     #    -m multiport
@@ -3366,13 +3384,13 @@ sub initialize_chain_table($) {
 	add_commands( $chainref, '[ -f ${VARDIR}/.nat_DOCKER ] && cat ${VARDIR}/.nat_DOCKER >&3' );
 	$chainref = new_standard_chain( 'DOCKER-INGRESS'   );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS           ] && cat ${VARDIR}/.filter_DOCKER-INGRESS   >&3' );
-	$chainref = new_standard_chain( 'DOCKER-USER'   );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-INGRESS ] && cat ${VARDIR}/.filter_DOCKER-INGRESS >&3' );
+	$chainref = new_standard_chain( 'DOCKER-USER'      );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER              ] && cat ${VARDIR}/.filter_DOCKER-USER      >&3' );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-USER ] && cat ${VARDIR}/.filter_DOCKER-USER >&3' );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
-	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION         ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
+	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION >&3' );
 	$chainref = new_standard_chain( 'DOCKER-ISOLATION-STAGE-1' );
 	set_optflags( $chainref, DONT_OPTIMIZE | DONT_DELETE | DONT_MOVE );
 	add_commands( $chainref, '[ -f ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 ] && cat ${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1 >&3' );
@@ -3689,6 +3707,16 @@ sub optimize_level0() {
     }
 }
 
+#
+# Conditionally sort a list of chain table entry references by name, if -t was specified
+#
+sub sortchainsiftest(\%) {
+    my $hashref = shift;
+
+    return sort { $a->{name} cmp $b->{name} } values %$hashref if $test;
+    return values %$hashref;
+}
+
 sub optimize_level4( $$ ) {
     my ( $table, $tableref ) = @_;
     my $progress = 1;
@@ -3910,7 +3938,7 @@ sub optimize_level4( $$ ) {
     my @chains  = grep ( $_->{referenced}   &&
 			 ! $_->{optflags}   &&
 			 @{$_->{rules}} < 4 &&
-			 keys %{$_->{references}} == 1 , values %$tableref );
+			 keys %{$_->{references}} == 1 , sortchainsiftest %$tableref );
 
     if ( my $chains  = @chains ) {
 	$passes++;
@@ -3919,7 +3947,7 @@ sub optimize_level4( $$ ) {
 
 	for my $chainref ( @chains ) {
 	    my $name = $chainref->{name};
-	    for my $sourceref ( map $tableref->{$_}, keys %{$chainref->{references}} ) {
+	    for my $sourceref ( map $tableref->{$_}, sortkeysiftest %{$chainref->{references}} ) {
 		my $name1 = $sourceref->{name};
 
 		if ( $chainref->{references}{$name1} == 1 ) {
@@ -4049,7 +4077,7 @@ sub optimize_level8( $$$ ) {
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
-	    for my $oldname ( @rename ) {
+	    for my $oldname ( sortiftest @rename ) {
 		my $newname = $renamed{ $oldname } = $rename{ $oldname } . $chainseq++;
 
 		trace( $tableref->{$oldname}, 'RN', 0, " Renamed $newname" ) if $debug;
@@ -4562,7 +4590,7 @@ sub combine_states {
 
 sub optimize_level16( $$$ ) {
     my ( $table, $tableref , $passes ) = @_;
-    my @chains   = ( grep $_->{referenced}, values %{$tableref} );
+    my @chains   = ( grep $_->{referenced}, sortchainsiftest %{$tableref} );
     my @chains1  = @chains;
     my $chains   = @chains;
 
@@ -4679,7 +4707,7 @@ sub setup_zone_mss() {
 
 	my $hosts = find_zone_hosts_by_option( $zone, 'mss' );
 
-	for my $hostref ( @$hosts ) {
+	for my $hostref ( $test ? sort { $a->[0] cmp $b->[0] } @$hosts : @$hosts ) {
 	    my $mss         = $hostref->[4];
 	    my @mssmatch    = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : ();
 	    my @sourcedev   = imatch_source_dev $hostref->[0];
@@ -4991,10 +5019,10 @@ sub do_proto( $$$;$ )
 
 			$invert = $sports =~ s/^!// ? '! ' : '';
 
-			if ( $ports =~ /^\+/ ) {
+			if ( $sports =~ /^\+/ ) {
 			    $output .= $invert;
 			    $output .= '-m set ';
-			    $output .= get_set_flags( $ports, 'src' );
+			    $output .= get_set_flags( $sports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
@@ -5207,8 +5235,8 @@ sub do_iproto( $$$ )
 			fatal_error "'=' in the SOURCE PORT(S) column requires one or more ports in the DEST PORT(S) column" if $sports eq '=';
 			$invert = $sports =~ s/^!// ? '! ' : '';
 
-			if ( $ports =~ /^\+/ ) {
-			    push @output, set => ${invert} . get_set_flags( $ports, 'src' );
+			if ( $sports =~ /^\+/ ) {
+			    push @output, set => ${invert} . get_set_flags( $sports, 'src' );
 			} elsif ( $multiport ) {
 			    if ( port_count( $sports ) > 15 ) {
 				if ( $restricted ) {
@@ -5747,10 +5775,25 @@ sub validate_helper( $;$ ) {
 
 	    my $protonum = -1;
 
-	    fatal_error "Unknown PROTO ($proto)" unless defined ( $protonum = resolve_proto( $proto ) );
+	    fatal_error "Unknown PROTO ($proto)" unless $proto eq '-' || defined ( $protonum = resolve_proto( $proto ) );
 
-	    unless ( $protonum == $helper_proto ) {
-		fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto );
+	    if ( reftype( $helper_proto ) ) {
+		#
+		# More than one protocol allowed with this helper, so $helper_proto is an array reference
+		#
+		my $found;
+		my $names = '';
+
+		for ( @$helper_proto ) {
+		    $names = $names ? join( ',', $names, proto_name( $_ ) ) : proto_name( $_ );
+		    $found = 1 if $protonum == $_;
+		}
+
+		fatal_error "The $helper_base helper requires PROTO to be one of '$names'" unless $found;
+	    } else {
+		unless ( $protonum == $helper_proto ) {
+		    fatal_error "The $helper_base helper requires PROTO=" . (proto_name( $helper_proto ) );
+		}
 	    }
 	}
     } else {
@@ -7423,13 +7466,13 @@ sub set_global_variables( $$ ) {
     if ( $conditional ) {
 	my ( $interface, @interfaces );
 
-	@interfaces = keys %interfaceaddr;
+	@interfaces = sortkeysiftest %interfaceaddr;
 
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
 	}
 
-	@interfaces = keys %interfacegateways;
+	@interfaces = sortkeysiftest %interfacegateways;
 
 	for $interface ( @interfaces ) {
 	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
@@ -7439,29 +7482,29 @@ sub set_global_variables( $$ ) {
 	    emit( qq(fi\n) );
 	}
 
-	@interfaces = keys %interfacemacs;
+	@interfaces = sortkeysiftest %interfacemacs;
 
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
 	}
     } else {
-	emit $_     for values %interfaceaddr;
-	emit "$_\n" for values %interfacegateways;
-	emit $_     for values %interfacemacs;
+	emit $interfaceaddr{$_}         for sortkeysiftest %interfaceaddr;
+	emit "$interfacegateways{$_}\n" for sortkeysiftest %interfacegateways;
+	emit $interfacemacs{$_}         for sortkeysiftest %interfacemacs;
     }
 
     if ( $setall ) {
-	emit $_ for values %interfaceaddrs;
-	emit $_ for values %interfacenets;
+	emit $interfaceaddr{$_}         for sortkeysiftest %interfaceaddr;
+	emit $interfacenets{$_}         for sortkeysiftest %interfacenets;
 
 	unless ( have_capability( 'ADDRTYPE' ) ) {
 
 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for values %interfacebcasts;
+		emit $interfacebcasts{$_} for sortkeysiftest %interfacebcasts;
 	    } else {
 		emit 'ALL_ACASTS="$(get_all_acasts)"';
-		emit $_ for values %interfaceacasts;
+		emit $interfaceacasts{$_} for sortkeysiftest %interfaceacasts;
 	    }
 	}
     }
@@ -7652,11 +7695,13 @@ sub isolate_source_interface( $ ) {
 		) {
 	    $iiface = $1;
 	    $inets  = $2;
+	    $inets =~ s/\]-\[/-/;
 	} elsif ( $source =~ /:/ ) {
 	    if ( $source =~ /^\[(?:.+),\[(?:.+)\]$/ ){
 		$inets = $source;
 	    } elsif ( $source =~ /^\[(.+)\]$/ ) {
 		$inets = $1;
+		$inets =~ s/\]-\[/-/;
 	    } else {
 		$inets = $source;
 	    }
@@ -7774,6 +7819,7 @@ sub isolate_dest_interface( $$$$ ) {
 	if ( $dest =~ /^(.+?):(\[(?:.+),\[(?:.+)\])$/ ) {
 	    $diface = $1;
 	    $dnets  = $2;
+	    $dnets =~ s/\]-\[/-/;
 	} elsif (  $dest =~ /^(.+?):\[(.+)\]\s*$/ ||
 		   $dest =~ /^(.+?):(!?\+.+)$/    ||
 		   $dest =~ /^(.+?):(!?[&%].+)$/  ||
@@ -7786,6 +7832,7 @@ sub isolate_dest_interface( $$$$ ) {
 		$dnets = $dest;
 	    } elsif ( $dest =~ /^\[(.+)\]$/ ) {
 		$dnets = $1;
+	        $dnets =~ s/\]-\[/-/;
 	    } else {
 		$dnets = $dest;
 	    }
@@ -8421,7 +8468,7 @@ sub add_interface_options( $ ) {
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = sortkeysiftest %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;
 
 	    if ( @input_interfaces > 1 ) {
@@ -8507,7 +8554,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = keys %{zone_interfaces( $zone2 )};
+		my @interfaces = sortkeysiftest %{zone_interfaces( $zone2 )};
 		my $chain1ref;
 
 		for my $interface ( @interfaces ) {
@@ -8691,32 +8738,29 @@ sub emitr1( $$ ) {
 sub save_docker_rules($) {
     my $tool = $_[0];
 
+    my $bridge = $config{DOCKER_BRIDGE};
+
     emit( qq(if [ -n "\$g_docker" ]; then),
 	  qq(    $tool -t nat -S DOCKER | tail -n +2 > \${VARDIR}/.nat_DOCKER),
 	  qq(    $tool -t nat -S OUTPUT | tail -n +2 | fgrep DOCKER > \${VARDIR}/.nat_OUTPUT),
-	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL > \${VARDIR}/.nat_POSTROUTING),
+	  qq(    $tool -t nat -S POSTROUTING | tail -n +2 | fgrep -v SHOREWALL | fgrep -v LIBVIRT > \${VARDIR}/.nat_POSTROUTING),
 	  qq(    $tool -t filter -S DOCKER | tail -n +2 > \${VARDIR}/.filter_DOCKER),
-	  qq(    [ -n "\$g_dockeringress" ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
-	  qq(    [ -n "\$g_dockeruser" ]    && $tool -t filter -S DOCKER-USER      | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
+	  qq(    rm -f \${VARDIR}/.filter_DOCKER-*),
+	  qq(    [ -n "\$g_dockeringress"  ] && $tool -t filter -S DOCKER-INGRESS   | tail -n +2 > \${VARDIR}/.filter_DOCKER-INGRESS),
+	  qq(    [ -n "\$g_dockeruser"     ] && $tool -t filter -S DOCKER-USER      | tail -n +2 > \${VARDIR}/.filter_DOCKER-USER),
+	  qq(    [ -n "\$g_dockeriso"      ] && $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
 	  qq(),
-	  qq(    case "\$g_dockernetwork" in),
-	  qq(        One\)),
-	  qq(            rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
-	  qq(            $tool -t filter -S DOCKER-ISOLATION | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION),
-	  qq(            ;;),
-	  qq(        Two\)),
-	  qq(            rm -f \${VARDIR}/.filter_DOCKER-ISOLATION*),
-	  qq(            $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
-	  qq(            $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
-	  qq(            ;;),
-	  qq(    esac),
+	  qq(    if [ -n "\$g_dockerisostage" ]; then),
+	  qq(        $tool -t filter -S DOCKER-ISOLATION-STAGE-1 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-1),
+	  qq(        $tool -t filter -S DOCKER-ISOLATION-STAGE-2 | tail -n +2 > \${VARDIR}/.filter_DOCKER-ISOLATION-STAGE-2),
+	  qq(    fi),
 	  qq(),
 	);
 
-    if ( known_interface( 'docker0' ) ) {
+    if ( known_interface( $bridge ) ) {
 	emit( qq(    $tool -t filter -S FORWARD | grep '^-A FORWARD.*[io] br-[a-z0-9]\\{12\\}' > \${VARDIR}/.filter_FORWARD) );
     } else {
-	emit( qq(    $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] (docker0|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
+	emit( qq(    $tool -t filter -S FORWARD | egrep '^-A FORWARD.*[io] ($bridge|br-[a-z0-9]{12})' > \${VARDIR}/.filter_FORWARD) );
     }
 
     emit( q(    [ -s ${VARDIR}/.filter_FORWARD ] || rm -f ${VARDIR}/.filter_FORWARD),
@@ -8951,7 +8995,7 @@ sub create_save_ipsets() {
 	    #
 	    $ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
 
-	    my @sets = keys %ipsets;
+	    my @sets = sortkeysiftest %ipsets;
 
 	    emit( '' ,
 		  '    rm -f $file' ,
@@ -9120,7 +9164,7 @@ sub create_load_ipsets() {
 #
 sub create_nfobjects() {
     
-    my @objects = ( keys %nfobjects );
+    my @objects = ( sortkeysiftest %nfobjects );
 
     if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -9135,7 +9179,7 @@ sub create_nfobjects() {
 	}
     }
 
-    for ( keys %nfobjects ) {
+    for ( @objects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -9230,10 +9274,10 @@ sub create_netfilter_load( $ ) {
 			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			ensure_cmd_mode;
-			emit( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+			emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+		    } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 			ensure_cmd_mode;
-			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+			emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
@@ -9345,11 +9389,11 @@ sub preview_netfilter_load() {
 			print "\n";
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			ensure_cmd_mode1;
-			print( '[ "$g_dockernetwork" = One ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+			print( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
 			print "\n";
-		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+		    } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 			ensure_cmd_mode1;
-			print( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+			print( qq([ "\$g_dockeisostage" ] && echo ":$name - [0:0]" >&3) );
 			print "\n";
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			ensure_cmd_mode1;
@@ -9446,10 +9490,10 @@ sub create_stop_load( $ ) {
 			emit( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
 		    } elsif ( $name eq 'DOCKER-ISOLATION' ) {
 			ensure_cmd_mode;
-			emit( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
-		    } elsif ( $name =~ /^DOCKER-ISOLATION-/ ) {
+			emit( '[ -n "$g_dockeriso" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
+		    } elsif ( $name =~ /^DOCKER-ISOLATION/ ) {
 			ensure_cmd_mode;
-			emit( qq([ "\$g_dockernetwork" = Two ] && echo ":$name - [0:0]" >&3) );
+			emit( qq([ -n "\$g_dockerisostage" ] && echo ":$name - [0:0]" >&3) );
 		    } elsif ( $name eq 'DOCKER-INGRESS' ) {
 			ensure_cmd_mode;
 			emit( '[ -n "$g_dockeringress" ] && echo ":DOCKER-INGRESS - [0:0]" >&3' );
@@ -9508,7 +9552,7 @@ sub create_stop_load( $ ) {
 }
 
 sub initialize_switches() {
-    if ( keys %switches ) {
+    if ( sortkeysiftest %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
 	for my $switch ( keys %switches ) {

Shorewall/Perl/Shorewall/Compiler.pm

@@ -6,7 +6,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -49,8 +49,6 @@ our $VERSION = 'MODULEVERSION';
 
 our $export;          # True when compiling for export
 
-our $test;            # True when running regression tests
-
 our $family;          # IP address family (4 or 6)
 
 our $have_arptables;  # True if we have arptables rules
@@ -58,8 +56,8 @@ our $have_arptables;  # True if we have arptables rules
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
+sub initialize_package_globals( $$$$ ) {
+    Shorewall::Config::initialize($family, $export, $_[1], $_[2], $_[3]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize($family);
@@ -268,13 +266,10 @@ sub generate_script_2() {
 	emit( '',
 	      'chain_exists DOCKER nat && chain_exists DOCKER && g_docker=Yes',
 	    );
-	emit( 'chain_exists DOCKER-INGRESS   && g_dockeringress=Yes' );
-	emit( 'chain_exists DOCKER-USER      && g_dockeruser=Yes' );
-	emit( 'if chain_exists DOCKER-ISOLATION; then',
-	      '    g_dockernetwork=One',
-	      'elif chain_exists DOCKER-ISOLATION-STAGE-1; then',
-	      '    g_dockernetwork=Two',
-	      'fi' );
+	emit( 'chain_exists DOCKER-INGRESS && g_dockeringress=Yes' );
+	emit( 'chain_exists DOCKER-USER && g_dockeruser=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION && g_dockeriso=Yes' );
+	emit( 'chain_exists DOCKER-ISOLATION-STAGE-1 && g_dockerisostage=Yes' );
     }
 
     pop_indent;
@@ -591,7 +586,7 @@ sub compiler {
        ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
 
     $export         = 0;
-    $test           = 0;
+    my $test        = 0;
     $have_arptables = 0;
 
     sub validate_boolean( $ ) {
@@ -644,18 +639,19 @@ sub compiler {
     #
     # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
     #
-    initialize_package_globals( $update, $shorewallrc, $shorewallrc1 );
-
+    initialize_package_globals( $update, $test, $shorewallrc, $shorewallrc1 );
+    #
+    # Rather than continuing to extend the argument list of Config::initialize(),
+    # we use a set of small functions to export settings to the Config module.
+    #
     set_config_path( $config_path ) if $config_path;
-
     set_shorewall_dir( $directory ) if $directory ne '';
-
     $verbosity = 1 if $debug && $verbosity < 1;
-
     set_verbosity( $verbosity );
     set_log($log, $log_verbosity) if $log;
     set_timestamp( $timestamp );
     set_debug( $debug , $confess );
+    set_command( 'compile', 'Compiling', 'Compiled' );
     #
     #                                      S H O R E W A L L R C ,
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
@@ -673,12 +669,7 @@ sub compiler {
     #
     # Create a temp file to hold the script
     #
-    if ( $scriptfilename ) {
-	set_command( 'compile', 'Compiling', 'Compiled' );
-	create_temp_script( $scriptfilename , $export );
-    } else {
-	set_command( 'check', 'Checking', 'Checked' );
-    }
+    create_temp_script( $scriptfilename , $export ) if $scriptfilename;
     #
     #                                     Z O N E   D E F I N I T I O N
     #                              (Produces no output to the compiled script)
@@ -916,7 +907,7 @@ sub compiler {
 	#
 	# Close, rename and secure the script
 	#
-	finalize_script ( $export );
+	finalize_script ( $export, $test );
 	#
 	# And generate the auxilary config file
 	#
@@ -981,11 +972,7 @@ sub compiler {
 	#
 	report_used_capabilities;
 
-	if ( $family == F_IPV4 ) {
-	    progress_message3 "Shorewall configuration verified";
-	} else {
-	    progress_message3 "Shorewall6 configuration verified";
-	}
+	progress_message3 "$Product configuration verified";
     }
 
     close_log if $log;

Shorewall/Perl/Shorewall/Config.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -162,10 +162,15 @@ our @EXPORT = qw(
 
 		 have_capability
 		 require_capability
+		 require_mangle_capability
 		 report_used_capabilities
 		 kernel_version
 
-                 compiletime
+		 compiletime
+
+		 sortkeysiftest
+		 sortvaluesiftest
+		 sortiftest
 				       
 		 F_IPV4
 		 F_IPV6
@@ -263,6 +268,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $debug
 				       $file_format
 				       $comment
+				       $test
 
 				       %config
 				       %origin
@@ -684,7 +690,6 @@ our $shorewall_dir;          # Shorewall Directory; if non-empty, search here fi
 
 our $debug;                  # Global debugging flag
 our $confess;                # If true, use Carp to report errors with stack trace.
-our $update;                 # True if this is an update
 
 our $family;                 # Protocol family (4 or 6)
 our $export;                 # True when compiling for export
@@ -793,6 +798,8 @@ our %filecache;
 
 our $compiletime;
 
+our $test;
+
 sub process_shorewallrc($$);
 sub add_variables( \% );
 #
@@ -804,9 +811,12 @@ sub add_variables( \% );
 #
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
-#
-sub initialize( $;$$$) {
-    ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
+####################################################################################################
+# Do not change the required part of this prototype unless you want to take on a lot of additional
+# work (This function is called from build).
+####################################################################################################
+sub initialize($;$$$$) {
+    ( $family, $export, $test, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
 
     if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -851,7 +861,7 @@ sub initialize( $;$$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => '5.2.0-Beta1',
+		    VERSION                 => '5.2.4.1',
 		    CAPVERSION              => 50200 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -1010,6 +1020,7 @@ sub initialize( $;$$$) {
 	  PERL_HASH_SEED => undef ,
 	  USE_NFLOG_SIZE => undef ,
 	  RENAME_COMBINED => undef ,
+	  DOCKER_BRIDGE => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -1192,7 +1203,6 @@ sub initialize( $;$$$) {
 
     $debug = 0;
     $confess = 0;
-    $update = 0;
 
     %params = ();
 
@@ -1828,6 +1838,30 @@ sub set_command( $$$ ) {
     ($command, $doing, $done) = @_;
 }
 
+#
+# Return the keys or values of the passed hash. If $test, the keys/values will be sorted by their own values
+#
+sub sortkeysiftest(\%) {
+    my ( $hashref ) =  @_;
+
+    return sort keys %$hashref if $test;
+    return keys %$hashref;
+}
+
+sub sortvaluesiftest(\%) {
+    my ( $hashref ) =  @_;
+
+    return sort values %$hashref if $test;
+    return keys %$hashref;
+}
+
+#
+# Sort a list by the list elements if $test
+#
+sub sortiftest(@) {
+    return $test ? sort @_ : @_;
+}
+
 #
 # Print the current TOD to STDOUT.
 #
@@ -2015,28 +2049,30 @@ sub generate_sha1() {
 #
 # Finalize the script file
 #
-sub finalize_script( $ ) {
-    my $export = $_[0];
+sub finalize_script( $$ ) {
+    my ( $export, $test ) = @_;
     close $script;
     $script = 0;
 
     if ( $file ne '-' ) {
-	my $sha1sum  = generate_sha1;
-	my $sha1sum1 = join( '-', 'sha-lh', substr( $sha1sum, 0, 20 ) );
-	my $sha1sum2 = join( '-', 'sha-rh', substr( $sha1sum, -20   ) );
+	unless ( $test ) {
+	    my $sha1sum  = generate_sha1;
+	    my $sha1sum1 = join( '-', 'sha-lh', substr( $sha1sum, 0, 20 ) );
+	    my $sha1sum2 = join( '-', 'sha-rh', substr( $sha1sum, -20   ) );
 
-	@ARGV = ( $tempfile );
-	$^I = '';
+	    @ARGV = ( $tempfile );
+	    $^I = '';
 
-	while ( <> ) {
-	    s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
-	    s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
-	    print;
+	    while ( <> ) {
+		s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
+		s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
+		print;
+	    }
 	}
 
 	rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
 	chmod 0700, $file or fatal_error "Cannot secure $file for execute access";
-	progress_message3 "Shorewall configuration compiled to $file" unless $export;
+	progress_message3 "$Product configuration compiled to $file" unless $export;
     }
 }
 
@@ -2058,7 +2094,7 @@ sub finalize_aux_config() {
     close $script;
     $script = 0;
     rename $tempfile, "$file.conf" or fatal_error "Cannot Rename $tempfile to $file.conf: $!";
-    progress_message3 "Shorewall configuration compiled to $file";
+    progress_message3 "$Product configuration compiled to $file";
 }
 
 #
@@ -4023,9 +4059,9 @@ sub read_a_line($) {
 	    #
 	    handle_first_entry if $first_entry;
 	    #
-	    # Save Raw Image if we are updating
+	    # Save Raw Image
 	    #
-	    $rawcurrentline = $currentline if $update;
+	    $rawcurrentline = $currentline;
 	    #
 	    # Expand Shell Variables using %params and %actparams
 	    #
@@ -4075,14 +4111,16 @@ sub process_shorewallrc( $$ ) {
     my ( $shorewallrc , $product ) = @_;
 
     $shorewallrc{PRODUCT} = $product;
+    $variables{PRODUCT}   = $product;
 
     if ( open_file $shorewallrc ) {
-	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK ) ) {
+	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK | EXPAND_VARIABLES ) ) {
 	    if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
 		my ($var, $val) = ($1, $2);
 		$val = $1 if $val =~ /^\"([^\"]*)\"$/;
 		expand_shorewallrc_variables($val) if supplied $val;
 		$shorewallrc{$var} = $val;
+		$variables{$var}   = $val;
 	    } else {
 		fatal_error "Unrecognized shorewallrc entry";
 	    }
@@ -4603,7 +4641,11 @@ sub New_Conntrack_Match() {
 }
 
 sub Old_Conntrack_Match() {
-    ! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
+    if ( $family == F_IPV4 ) {
+	! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst 1.2.3.4" );
+    } else {
+	! qt1( "$iptables $iptablesw -A $sillyname -m conntrack ! --ctorigdst ::1" );
+    }
 }
 
 sub Multiport() {
@@ -5263,6 +5305,16 @@ sub require_capability( $$$ ) {
     fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability, 1;
 }
 
+sub require_mangle_capability( $$$ ) {
+    my ( $capability, $description, $singular ) = @_;
+
+    if ( $config{MANGLE_ENABLED} ) {
+	&require_capability( @_ );
+    } else {
+	fatal_error "$description " . ( $singular ?  'is' : 'are' ) . " not available when MANGLE_ENABLED=No in $shorewallrc{PRODUCT}.conf";
+    }
+}
+
 #
 # Return Kernel Version
 #
@@ -5441,6 +5493,7 @@ sub update_config_file( $ ) {
     update_default( 'PAGER',                 $shorewallrc1{DEFAULT_PAGER} );
     update_default( 'LOGFORMAT',             'Shorewall:%s:%s:' );
     update_default( 'LOGLIMIT',              '' );
+    update_default( 'AUTOMAKE',              'No' );
 
     if ( $family == F_IPV4 ) {
 	update_default( 'BLACKLIST_DEFAULT', 'dropBcasts,dropNotSyn,dropInvalid' );
@@ -5593,8 +5646,8 @@ EOF
 #
 # Small functions called by get_configuration. We separate them so profiling is more useful
 #
-sub process_shorewall_conf( $ ) {
-    my ( $annotate ) = @_;
+sub process_shorewall_conf( $$ ) {
+    my ( $update, $annotate ) = @_;
     my $file   = find_file "$product.conf";
     my @vars;
 
@@ -6175,7 +6228,7 @@ sub convert_to_version_5_2() {
 #
 sub get_configuration( $$$ ) {
 
-    ( my $export, $update, my $annotate ) = @_;
+    my ( $export, $update, $annotate ) = @_;
 
     $globals{EXPORT} = $export;
 
@@ -6237,7 +6290,7 @@ sub get_configuration( $$$ ) {
 
     get_params( $export );
 
-    process_shorewall_conf( $annotate );
+    process_shorewall_conf( $update, $annotate );
 
     ensure_config_path;
 
@@ -6553,6 +6606,9 @@ sub get_configuration( $$$ ) {
 	fatal_error "DOCKER=Yes is not allowed in Shorewall6" if $family == F_IPV6;
 	require_capability( 'IPTABLES_S', 'DOCKER=Yes', 's' );
 	require_capability( 'ADDRTYPE', '  DOCKER=Yes', 's' );
+	default( 'DOCKER_BRIDGE' , 'docker0' );
+    } elsif ( $family == F_IPV6 ) {
+	warning_message( "DOCKER_BRIDGE=$val ignored by shorewall6" ) if supplied( $val = $config{DOCKER_BRIDGE} );
     }
 
     if ( supplied( $val = $config{RESTART} ) ) {
@@ -6606,6 +6662,7 @@ sub get_configuration( $$$ ) {
     if ( supplied $config{ACCOUNTING_TABLE} ) {
 	my $value = $config{ACCOUNTING_TABLE};
 	fatal_error "Invalid ACCOUNTING_TABLE setting ($value)" unless $value eq 'filter' || $value eq 'mangle';
+	fatal_error "ACCOUNTING_TABLE=mangle not allowed with MANGLE_ENABLED=No" if $value eq 'mangle' and ! $config{MANGLE_ENABLED};
     } else {
 	$config{ACCOUNTING_TABLE} = 'filter';
     }
@@ -6681,7 +6738,7 @@ sub get_configuration( $$$ ) {
 
     $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
 
-    require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
+    require_mangle_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
 
     numeric_option 'TC_BITS'         , 8, 0;
     numeric_option 'MASK_BITS'       , 8, 0;
@@ -6925,7 +6982,7 @@ sub get_configuration( $$$ ) {
 
     if ( $config{TC_ENABLED} ) {
 	fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
-	require_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
+	require_mangle_capability 'MANGLE_ENABLED', "TC_ENABLED=$config{TC_ENABLED}", 's';
     }
 
     if ( supplied( $val = $config{TC_PRIOMAP} ) ) {
@@ -6942,9 +6999,7 @@ sub get_configuration( $$$ ) {
     }
 
     default 'RESTOREFILE'           , 'restore';
-
     default 'DROP_DEFAULT'          , 'none';
-
     default 'REJECT_DEFAULT'        , 'none';
     default 'BLACKLIST_DEFAULT'     , 'none';
     default 'QUEUE_DEFAULT'         , 'none';
@@ -7008,9 +7063,9 @@ sub get_configuration( $$$ ) {
     }
 
     require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
-    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
-    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
+    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's'                 ) if $config{MACLIST_TTL};
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's'        ) if $config{PROVIDER_OFFSET} > 0;
+    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'             ) if $config{TC_ENABLED};
 
     if ( $config{WARNOLDCAPVERSION} ) {
 	if ( $capabilities{CAPVERSION} ) {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Misc.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -34,6 +34,7 @@ use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::Rules;
 use Shorewall::Proc;
+use sort 'stable';
 
 use strict;
 
@@ -97,7 +98,7 @@ sub setup_ecn()
     if ( my $fn = open_file 'ecn' ) {
 
 	first_entry( sub { progress_message2 "$doing $fn...";
-			   require_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
+			   require_mangle_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
 			   warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
 		       } );
 
@@ -130,7 +131,7 @@ sub setup_ecn()
 	}
 
 	if ( @hosts ) {
-	    my @interfaces = ( keys %interfaces );
+	    my @interfaces = ( sortkeysiftest %interfaces );
 
 	    progress_message "$doing ECN control on @interfaces...";
 
@@ -335,7 +336,7 @@ sub convert_blacklist() {
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
-# Please see http://shorewall.net/blacklisting_support.htm for additional
+# Please see https://shorewall.org/blacklisting_support.htm for additional
 # information.
 #
 ###################################################################################################################################################################################################
@@ -434,9 +435,9 @@ sub convert_routestopped() {
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
 # The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
+# https://shorewall.org/manpages/shorewall-stoppedrules.html
 #
-# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# See https://shorewall.org/starting_and_stopping_shorewall.htm for additional
 # information.
 #
 ###############################################################################
@@ -675,30 +676,24 @@ sub process_stoppedrules() {
 # Generate the rules required when DOCKER=Yes
 #
 sub create_docker_rules() {
+    my $bridge = $config{DOCKER_BRIDGE};
+
     add_commands( $nat_table->{PREROUTING} , '[ -n "$g_docker" ] && echo "-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER" >&3' );
 
     my $chainref = $filter_table->{FORWARD};
 
-    add_commands( $chainref, '[ -n "$g_dockeringress" ] && echo "-A FORWARD -j DOCKER-INGRESS" >&3', );
-    add_commands( $chainref, '[ -n "$g_dockeruser" ]    && echo "-A FORWARD -j DOCKER-USER"    >&3', );
-    add_commands( $chainref ,
-		  '',
-		  'case "$g_dockernetwork" in',
-		  '    One)',
-		  '        echo "-A FORWARD -j DOCKER-ISOLATION" >&3',
-		  '        ;;',
-		  '    Two)',
-		  '        echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3',
-		  '        ;;',
-		  'esac' );
+    add_commands( $chainref, '[ -n "$g_dockeringress" ]  && echo "-A FORWARD -j DOCKER-INGRESS" >&3' );
+    add_commands( $chainref, '[ -n "$g_dockeruser" ]     && echo "-A FORWARD -j DOCKER-USER" >&3' );
+    add_commands( $chainref, '[ -n "$g_dockeriso" ]      && echo "-A FORWARD -j DOCKER-ISOLATION" >&3' );
+    add_commands( $chainref, '[ -n "$g_dockerisostage" ] && echo "-A FORWARD -j DOCKER-ISOLATION-STAGE-1" >&3' );
 
-    if ( my $dockerref = known_interface('docker0') ) {
+    if ( my $dockerref = known_interface( $bridge ) ) {
 	add_commands( $chainref, 'if [ -n "$g_docker" ]; then' );
 	incr_cmd_level( $chainref );
-	add_ijump( $chainref, j => 'DOCKER', o => 'docker0' );
-	add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
-	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
-	add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
+	add_ijump( $chainref, j => 'DOCKER', o => $bridge );
+	add_ijump( $chainref, j => 'ACCEPT', o => $bridge , state_imatch 'ESTABLISHED,RELATED' );
+	add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => "! $bridge" );
+	add_ijump( $chainref, j => 'ACCEPT', i => $bridge , o => $bridge ) if $dockerref->{options}{routeback};
 	decr_cmd_level( $chainref );
 	add_commands( $chainref, 'fi' );
 
@@ -1328,7 +1323,7 @@ sub setup_mac_lists( $ ) {
 	$maclist_interfaces{ $hostref->[0] } = 1;
     }
 
-    my @maclist_interfaces = ( keys %maclist_interfaces );
+    my @maclist_interfaces = ( sortkeysiftest %maclist_interfaces );
 
     if ( $phase == 1 ) {
 
@@ -1414,7 +1409,7 @@ sub setup_mac_lists( $ ) {
 	#
 	# Generate jumps from the input and forward chains
 	#
-	for my $hostref ( @$maclist_hosts ) {
+	for my $hostref ( $test ? sort { $a->[0] cmp $b->[0] } @$maclist_hosts : @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
 	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
@@ -1807,7 +1802,7 @@ sub handle_complex_zone( $$ ) {
 	my $type       = $zoneref->{type};
 	my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
 
-	for my $interface ( keys %$source_ref ) {
+	for my $interface ( sortkeysiftest %$source_ref ) {
 	    my $sourcechainref = $filter_table->{forward_chain $interface};
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;
@@ -1947,7 +1942,7 @@ sub add_output_jumps( $$$$$$$$ ) {
     my $use_output        = 0;
     my @dest              = imatch_dest_net $net;
     my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
-    my @zone_interfaces   = keys %{zone_interfaces( $zone )};
+    my @zone_interfaces   = sortkeysiftest %{zone_interfaces( $zone )};
 
     if ( @vservers || use_interface_chain( $interface, 'use_output_chain' ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 	#
@@ -2319,9 +2314,9 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $type ( keys %$source_hosts_ref ) {
+	for my $type ( sortkeysiftest %$source_hosts_ref ) {
 	    my $typeref = $source_hosts_ref->{$type};
-	    for my $interface ( keys %$typeref ) {
+	    for my $interface ( sortkeysiftest %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
 		    # Insert the interface-specific jumps before this one which is not interface-specific
@@ -2406,9 +2401,9 @@ sub generate_matrix() {
 
 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
 
-		for my $type ( keys %{$zone1ref->{hosts}} ) {
+		for my $type ( sortkeysiftest %{$zone1ref->{hosts}} ) {
 		    my $typeref = $zone1ref->{hosts}{$type};
-		    for my $interface ( keys %$typeref ) {
+		    for my $interface ( sortkeysiftest %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
@@ -2540,6 +2535,7 @@ sub compile_stop_firewall( $$$$ ) {
     my $input   = $filter_table->{INPUT};
     my $output  = $filter_table->{OUTPUT};
     my $forward = $filter_table->{FORWARD};
+    my $absentminded = $config{ ADMINISABSENTMINDED };
 
     emit <<'EOF';
 #
@@ -2547,7 +2543,7 @@ sub compile_stop_firewall( $$$$ ) {
 #
 stop_firewall() {
 EOF
-    $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};
+    $output->{policy} = 'ACCEPT' if $absentminded;
 
     if ( $family == F_IPV4 ) {
 	emit <<'EOF';
@@ -2706,7 +2702,7 @@ EOF
     #
     create_docker_rules if $config{DOCKER};
 
-    if ( $config{ADMINISABSENTMINDED} ) {
+    if ( $absentminded ) {
 	add_ijump $filter_table ->{$_}, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' for qw/INPUT FORWARD/;
     }
 
@@ -2715,7 +2711,7 @@ EOF
 	add_ijump $input, j => 'ACCEPT', d => IPv6_LINKLOCAL;
 	add_ijump $input, j => 'ACCEPT', d => IPv6_MULTICAST;
 
-	unless ( $config{ADMINISABSENTMINDED} ) {
+	unless ( $absentminded ) {
 	    add_ijump $output, j => 'ACCEPT', d => IPv6_LINKLOCAL;
 	    add_ijump $output, j => 'ACCEPT', d => IPv6_MULTICAST;
 	}
@@ -2729,12 +2725,25 @@ EOF
     
     process_stoppedrules;
 
+    if ( $family == F_IPV6 ) {
+	my $chain = new_action_chain( 'filter', 'AllowICMPs' );
+
+	for my $type ( 1, 2, 3, 4, 130, 131, 132, 133, 134, 135, 136, 137, 141, 142, 143, 148, 149, 151, 152, 153 ) {
+	    add_ijump( $chain, j => 'ACCEPT', p => IPv6_ICMP . " --icmpv6-type $type" );
+	}
+
+	for $chain ( $input, $output, $forward ) {
+	    next if $chain eq $output && $absentminded;
+	    add_ijump( $chain, j => 'AllowICMPs', p => IPv6_ICMP );
+	}
+    }
+
     if ( have_capability 'IFACE_MATCH' ) {
 	add_ijump $input,  j => 'ACCEPT', iface => '--dev-in --loopback';
-	add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $config{ADMINISABSENTMINDED};
+	add_ijump $output, j => 'ACCEPT', iface => '--dev-out --loopback' unless $absentminded;
     } else {
 	add_ijump $input,  j => 'ACCEPT', i => loopback_interface;
-	add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $config{ADMINISABSENTMINDED};
+	add_ijump $output, j => 'ACCEPT', o => loopback_interface unless $absentminded;
     }
 
     my $interfaces = find_interfaces_by_option 'dhcp';
@@ -2744,7 +2753,7 @@ EOF
 
 	for my $interface ( @$interfaces ) {
 	    add_ijump $input,  j => 'ACCEPT', p => "udp --dport $ports", imatch_source_dev( $interface );
-	    add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $config{ADMINISABSENTMINDED};
+	    add_ijump $output, j => 'ACCEPT', p => "udp --dport $ports", imatch_dest_dev( $interface ) unless $absentminded;
 	    #
 	    # This might be a bridge
 	    #

Shorewall/Perl/Shorewall/Nat.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -316,9 +316,9 @@ sub process_one_masq1( $$$$$$$$$$$ )
 				fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
 
 				$addr = $1;
+				$addr =~ s/\]-\[/-/;
 
 				if ( $addr =~ /^(.+)-(.+)$/ ) {
-				    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
 				    validate_range( $1, $2 );
 				} else {
 				    validate_address $addr, 0;
@@ -561,7 +561,7 @@ sub open_snat_for_output( $ ) {
 #
 # For information about entries in this file, type "man shorewall-snat"
 #
-# See http://shorewall.net/manpages/shorewall-snat.html for additional information
+# See https://shorewall.org/manpages/shorewall-snat.html for additional information
 EOF
 	} else {
 	    print $snat <<'EOF';
@@ -570,7 +570,7 @@ EOF
 #
 # For information about entries in this file, type "man shorewall6-snat"
 #
-# See http://shorewall.net/manpages6/shorewall6-snat.html for additional information
+# See https://shorewall.org/manpages/shorewall-snat.html for additional information
 EOF
 	}
 
@@ -930,7 +930,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 
 		if ( $server =~ /^\[(.+)\]$/ ) {
 		    $server = $1;
-		    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $server =~ /]-\[/;
+		    $server =~ s/\]-\[/-/;
 		    assert( $server =~ /^(.+)-(.+)$/ );
 		    ( $addr1, $addr2 ) = ( $1, $2 );
 		}

Shorewall/Perl/Shorewall/Proc.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Providers.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -594,7 +594,7 @@ sub process_a_provider( $ ) {
     unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
-		require_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
+		require_mangle_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
 		$track = 1;
 	    } elsif ( $option eq 'notrack' ) {
 		$track = 0;
@@ -714,7 +714,7 @@ sub process_a_provider( $ ) {
     $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
 
     if ( $mark ne '-' ) {
-	require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
+	require_mangle_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
 
 	if ( $tproxy && ! $local ) {
 	    $val = $globals{TPROXY_MARK};
@@ -1180,14 +1180,14 @@ CEOF
 	emit "fi\n";
 
 	if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-	    my $variable = interface_address( $interface );
+	    my $variable = get_interface_address( $interface );
 
-	    emit( "echo \$$variable > \${VARDIR}/${physical}.address" );
+	    emit( "echo $variable > \${VARDIR}/${physical}.address" );
 	}
 
 	if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-	    my $variable = interface_gateway( $interface );
-	    emit( qq(echo "\$$variable" > \${VARDIR}/${physical}.gateway\n) );
+	    my $variable = get_interface_gateway( $interface );
+	    emit( qq(echo "$variable" > \${VARDIR}/${physical}.gateway\n) );
 	}
     } else {
 	emit( qq(progress_message "Provider $table ($number) Started") );
@@ -1892,8 +1892,8 @@ sub map_provider_to_interface() {
 
     my $haveoptional;
 
-    for my $providerref ( values %providers ) {
-	if ( $providerref->{optional} ) {
+    for my $provider ( @providers ) {
+	if ( ( my $providerref=$providers{$provider} )->{optional} ) {
 	    unless ( $haveoptional++ ) {
 		emit( 'if [ -n "$interface" ]; then',
 		      '    case $interface in' );
@@ -2054,8 +2054,7 @@ sub compile_updown() {
 	    );
     }
 
-    my @nonshared = ( grep $providers{$_}->{optional},
-		      values %provider_interfaces );
+    my @nonshared = ( grep $providers{$_}->{optional}, sortvaluesiftest %provider_interfaces );
 
     if ( @nonshared ) {
 	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
@@ -2070,7 +2069,7 @@ sub compile_updown() {
 	      q(        COMMAND=enable) ,
 	      q(        detect_configuration $1),
 	      q(        enable_provider $1),
-	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
+	      q(    elif [ "$PHASE" != pre-down ]; then # post-down or not Debian) ,
 	      q(        progress_message3 "Attempting disable on interface $1") ,
 	      q(        COMMAND=disable) ,
 	      q(        detect_configuration $1),
@@ -2246,9 +2245,11 @@ sub handle_optional_interfaces() {
     # names but they might derive from wildcard interface entries. Optional interfaces which do not have
     # wildcard physical names are also included in the providers table.
     #
-    for my $providerref ( grep $_->{optional} , values %providers ) {
-	push @interfaces, $providerref->{interface};
-	$wildcards ||= $providerref->{wildcard};
+    for my $provider ( @providers ) {
+	if ( ( my $providerref = $providers{$provider} )->{optional} ) {
+	    push @interfaces, $providerref->{interface};
+	    $wildcards ||= $providerref->{wildcard};
+	}
     }
 
     #
@@ -2296,17 +2297,7 @@ sub handle_optional_interfaces() {
 
 		emit( "$physical)" ), push_indent if $wildcards;
 
-		if ( $provider eq $physical ) {
-		    #
-		    # Just an optional interface, or provider and interface are the same
-		    #
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		} else {
-		    #
-		    # Provider
-		    #
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		}
+		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
 
 		push_indent;
 
@@ -2323,22 +2314,22 @@ sub handle_optional_interfaces() {
 		emit( 'fi' );
 
 		if ( get_interface_option( $interface, 'used_address_variable' ) ) {
-		    my $variable = interface_address( $interface );
+		    my $variable = get_interface_address( $interface );
 
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.address ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.address) != \$$variable ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.address) != $variable ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );
 		}
 
 		if ( get_interface_option( $interface, 'used_gateway_variable' ) ) {
-		    my $variable = interface_gateway( $interface );
+		    my $variable = get_interface_gateway( $interface );
 
 		    emit( '',
 			  "if [ -f \${VARDIR}/${physical}.gateway ]; then",
-			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"\$$variable\" ]; then",
+			  "    if [ \$(cat \${VARDIR}/${physical}.gateway) != \"$variable\" ]; then",
 			  '        g_forcereload=Yes',
 			  '    fi',
 			  'fi' );

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -155,7 +155,7 @@ sub setup_proxy_arp() {
 
 	emit '';
 
-	for my $interface ( keys %reset ) {
+	for my $interface ( sortkeysiftest %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -164,7 +164,7 @@ sub setup_proxy_arp() {
 	    }
 	}
 
-	for my $interface ( keys %set ) {
+	for my $interface ( sortkeysiftest %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );

Shorewall/Perl/Shorewall/Raw.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2009-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Rules.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -611,8 +611,8 @@ sub process_policy_actions( $$$ ) {
 #
 # Verify an NFQUEUE specification and return the appropriate ip[6]tables target
 #
-sub handle_nfqueue( $$ ) {
-    my ($params, $allow_bypass ) = @_;
+sub handle_nfqueue( $ ) {
+    my ($params) = @_;
     my ( $action, $bypass, $fanout );
     my ( $queue1, $queue2, $queuenum1, $queuenum2 );
 
@@ -625,7 +625,6 @@ sub handle_nfqueue( $$ ) {
 
 	if ( supplied $queue ) {
 	    if ( $queue eq 'bypass' ) {
-		fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 		fatal_error "Invalid NFQUEUE options (bypass,$bypass)" if supplied $bypass;
 		return 'NFQUEUE --queue-bypass';
 	    }
@@ -653,7 +652,6 @@ sub handle_nfqueue( $$ ) {
 
     if ( supplied $bypass ) {
 	fatal_error "Invalid NFQUEUE option ($bypass)" if $bypass ne 'bypass';
-	fatal_error "'bypass' is not allowed in this context" unless $allow_bypass;
 
 	$bypass =' --queue-bypass';
     } else {
@@ -721,7 +719,13 @@ sub process_a_policy1($$$$$$$) {
 
     require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;
 
-    my ( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    my ( $policy, $pactions );
+
+    if ( $originalpolicy =~ /^NFQUEUE\((.*?)\)(?::?(.*))/ ) {
+	( $policy, $pactions ) = ( "NFQUEUE($1)", $2 );
+    } else {
+	( $policy, $pactions ) = split( /:/, $originalpolicy, 2 );
+    }
 
     fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
 
@@ -736,9 +740,7 @@ sub process_a_policy1($$$$$$$) {
     my $pactionref = process_policy_actions( $originalpolicy, $policy, $pactions );
 
     if ( defined $queue ) {
-	$policy = handle_nfqueue( $queue,
-				  0 # Don't allow 'bypass'
-	    );
+	$policy = handle_nfqueue( $queue );
     } elsif ( $policy eq 'NONE' ) {
 	fatal_error "NONE policy not allowed with \"all\""
 	    if $clientwild || $serverwild;
@@ -1604,8 +1606,8 @@ sub merge_levels ($$) {
 
     return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;
 
-    my @supparts = split /:/, $superior;
-    my @subparts = split /:/, $subordinate;
+    my @supparts = split_list2( $superior ,    'Action' );
+    my @subparts = split_list2( $subordinate , 'Action' );
 
     my $subparts = @subparts;
 
@@ -2698,9 +2700,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	$macro_nest_level--;
 	goto EXIT;
     } elsif ( $actiontype & NFQ ) {
-	$action = handle_nfqueue( $param,
-				  1 # Allow 'bypass'
-	    );
+	$action = handle_nfqueue( $param );
     } elsif ( $actiontype & SET ) {
 	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
 	fatal_error "$action rules require a set name parameter" unless $param;
@@ -5767,9 +5767,9 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 			    fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
 
 			    $addr = $1;
+			    $addr =~ s/\]-\[/-/;
 
 			    if ( $addr =~ /^(.+)-(.+)$/ ) {
-				fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
 				validate_range( $1, $2 );
 			    } else {
 				validate_address $addr, 0;

Shorewall/Perl/Shorewall/Tc.pm

@@ -10,7 +10,7 @@
 #     Modified by Tom Eastep for integration into the Shorewall distribution
 #     published under GPL Version 2#
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -2284,11 +2284,11 @@ sub open_mangle_for_output( $ ) {
 #
 # For information about entries in this file, type "man shorewall-mangle"
 #
-# See http://shorewall.net/traffic_shaping.htm for additional information.
+# See https://shorewall.org/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
-# http://shorewall.net/MultiISP.html
+# https://shorewall.org/MultiISP.html
 #
-# See http://shorewall.net/PacketMarking.html for a detailed description of
+# See https://shorewall.org/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ##############################################################################################################################################################
 #ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP    SWITCH
@@ -2300,11 +2300,11 @@ EOF
 #
 # For information about entries in this file, type "man shorewall6-mangle"
 #
-# See http://shorewall.net/traffic_shaping.htm for additional information.
+# See https://shorewall.org/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
-# http://shorewall.net/MultiISP.html
+# https://shorewall.org/MultiISP.html
 #
-# See http://shorewall.net/PacketMarking.html for a detailed description of
+# See https://shorewall.org/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
 ######################################################################################################################################################################

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -4,7 +4,7 @@
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Zones.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.net
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -29,6 +29,7 @@ package Shorewall::Zones;
 require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
+use sort 'stable';
 
 use strict;
 
@@ -847,10 +848,10 @@ sub dump_zone_contents() {
 	$entry .= ( " mark=" . in_hex( $zoneref->{mark} ) ) if exists $zoneref->{mark};
 
 	if ( $hostref ) {
-	    for my $type ( keys %$hostref ) {
+	    for my $type ( sortkeysiftest %$hostref ) {
 		my $interfaceref = $hostref->{$type};
 
-		for my $interface ( keys %$interfaceref ) {
+		for my $interface ( sortkeysiftest %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 
@@ -1241,7 +1242,7 @@ sub process_interface( $$ ) {
     fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
 
     if ( supplied $port ) {
-	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
+	fatal_error qq("Virtual" interfaces are not supported -- see https://shorewall.org/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
 	fatal_error "Your iptables is not recent enough to support bridge ports" unless $globals{KLUDGEFREE};
 
@@ -2320,9 +2321,9 @@ sub find_hosts_by_option( $ ) {
     }
 
     for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
-	for my $type (keys %{$zones{$zone}{hosts}} ) {
+	for my $type (sortkeysiftest %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( keys %$interfaceref ) {
+	    for my $interface ( sortkeysiftest %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    my $ipsec  = $host->{ipsec};
@@ -2350,9 +2351,9 @@ sub find_zone_hosts_by_option( $$ ) {
     my @hosts;
 
     unless ( $zones{$zone}{type} & FIREWALL ) {
-	for my $type (keys %{$zones{$zone}{hosts}} ) {
+	for my $type (sortkeysiftest %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( keys %$interfaceref ) {
+	    for my $interface ( sortkeysiftest %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {

Shorewall/Perl/compiler.pl

@@ -4,7 +4,7 @@
 #
 #     (c) 2007,2008,2009,2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/getparams

@@ -4,7 +4,7 @@
 #
 #     (c) 2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/prog.footer

@@ -42,6 +42,7 @@ usage() {
     echo "   up <interface>"
     echo "   savesets <file>"
     echo "   call <function> [ <parameter> ... ]"
+    echo "   help"
     echo "   version"
     echo "   info"
     echo
@@ -54,6 +55,8 @@ usage() {
     echo "   -c               Save/restore iptables counters"
     echo "   -V <verbosity>   Set verbosity explicitly"
     echo "   -R <file>        Override RESTOREFILE setting"
+    echo "   -T               Trace execution"
+    echo "   -D               Debug iptables"
     exit $1
 }
 
@@ -109,20 +112,6 @@ reload_command() {
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
 #
-# Start trace if first arg is "debug" or "trace"
-#
-g_debug_iptables=
-
-if [ $# -gt 1 ]; then
-    if [ "x$1" = "xtrace" ]; then
-	set -x
-	shift
-    elif [ "x$1" = "xdebug" ]; then
-	g_debug_iptables=Yes
-	shift
-    fi
-fi
-#
 # Map VERBOSE to VERBOSITY for compatibility with old Shorewall[6]-lite installations
 #
 [ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
@@ -148,9 +137,11 @@ g_compiled=
 g_file=
 g_docker=
 g_dockeringress=
-g_dockernetwork=
+g_dockeriso=
+g_dockerisostage=
 g_forcereload=
 g_fallback=
+g_debug_iptables=
 
 [ -n "$SERVICEDIR" ] && SUBSYSLOCK=
 
@@ -257,6 +248,14 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 			RESTOREFILE=$option
 			option=
 			;;
+		    T*)
+			set -x;
+			option=${option#T}
+			;;
+		    D*)
+			g_debug_iptables=Yes
+			option=${option#D}
+			;;
 		    *)
 			usage 1
 			;;

Shorewall/Samples/README.txt

@@ -1,6 +1,6 @@
 For instructions on using these sample configurations, please see
 
-http://www.shorewall.net/shorewall_quickstart_guide.htm
+https://shorewall.org/shorewall_quickstart_guide.htm
 
     Shorewall Samples
     Copyright (C) 2006 by the following authors:

Shorewall/Samples/Universal/interfaces

@@ -4,7 +4,7 @@
 # For information about entries in this file, type "man shorewall-interfaces"
 #
 # The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-interfaces.html
+# https://shorewall.org/manpages/shorewall-interfaces.html
 #
 ###############################################################################
 ?FORMAT 2

Shorewall/Samples/Universal/policy

@@ -4,7 +4,7 @@
 # For information about entries in this file, type "man shorewall-policy"
 #
 # The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-policy.html
+# https://shorewall.org/manpages/shorewall-policy.html
 #
 ###############################################################################
 #SOURCE	DEST	POLICY		LOGLEVEL	RATE		CONNLIMIT

Shorewall/Samples/Universal/rules

@@ -4,7 +4,7 @@
 # For information on the settings in this file, type "man shorewall-rules"
 #
 # The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-rules.html
+# https://shorewall.org/manpages/shorewall-rules.html
 #
 ######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER

Shorewall/Samples/Universal/shorewall.conf

@@ -4,7 +4,7 @@
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
-#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
+#  Manpage also online at https://shorewall.org/manpages/shorewall.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -163,6 +163,8 @@ DISABLE_IPV6=No
 
 DOCKER=No
 
+DOCKER_BRIDGE=docker0
+
 DELETE_THEN_ADD=Yes
 
 DETECT_DNAT_IPADDRS=No

Shorewall/Samples/Universal/zones

@@ -4,7 +4,7 @@
 # For information about this file, type "man shorewall-zones"
 #
 # The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-zones.html
+# https://shorewall.org/manpages/shorewall-zones.html
 #
 ###############################################################################
 #ZONE	TYPE		OPTIONS		IN			OUT

Shorewall/Samples/one-interface/README.txt

@@ -1,6 +1,6 @@
 For instructions on using this sample configuration, please see
 
-http://www.shorewall.net/standalone.htm
+https://shorewall.org/standalone.htm
 
     Shorewall Samples
     Copyright (C) 2006-2015 by the following authors:

Shorewall/Samples/one-interface/shorewall.conf

@@ -14,7 +14,7 @@
 # For information about the settings in this file, type "man shorewall.conf"
 #
 # The manpage is also online at
-# http://shorewall.net/manpages/shorewall.conf.html
+# https://shorewall.org/manpages/shorewall.conf.html
 #
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
@@ -174,6 +174,8 @@ DISABLE_IPV6=No
 
 DOCKER=No
 
+DOCKER_BRIDGE=docker0
+
 DELETE_THEN_ADD=Yes
 
 DETECT_DNAT_IPADDRS=No

Shorewall/Samples/three-interfaces/README.txt

@@ -1,6 +1,6 @@
 For instructions on using these sample configurations, please see
 
-http://www.shorewall.net/three-interface.htm
+https://shorewall.org/three-interface.htm
 
     Shorewall Samples
     Copyright (C) 2006-2015 by the following authors:

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -14,7 +14,7 @@
 # For information about the settings in this file, type "man shorewall.conf"
 #
 # The manpage is also online at
-# http://shorewall.net/manpages/shorewall.conf.html
+# https://shorewall.org/manpages/shorewall.conf.html
 #
 ###############################################################################
 STARTUP_ENABLED=No
@@ -171,6 +171,8 @@ DISABLE_IPV6=No
 
 DOCKER=No
 
+DOCKER_BRIDGE=docker0
+
 DELETE_THEN_ADD=Yes
 
 DETECT_DNAT_IPADDRS=No

Shorewall/Samples/three-interfaces/snat

@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
 #
-# See http://shorewall.net/manpages/shorewall-snat.html for more information
+# See https://shorewall.org/manpages/shorewall-snat.html for more information
 ###########################################################################################################################################
 #ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #

Shorewall/Samples/two-interfaces/README.txt

@@ -1,6 +1,6 @@
 For instructions on using these sample configurations, please see
 
-http://www.shorewall.net/two-interface.htm
+https://shorewall.org/two-interface.htm
 
     Shorewall Samples
     Copyright (C) 2006-2015 by the following authors:

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -14,7 +14,7 @@
 # For information about the settings in this file, type "man shorewall.conf"
 #
 # The manpage is also online at
-# http://shorewall.net/manpages/shorewall.conf.html
+# https://shorewall.org/manpages/shorewall.conf.html
 #
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
@@ -174,6 +174,8 @@ DISABLE_IPV6=No
 
 DOCKER=No
 
+DOCKER_BRIDGE=docker0
+
 DELETE_THEN_ADD=Yes
 
 DETECT_DNAT_IPADDRS=No

Shorewall/Samples/two-interfaces/snat

@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
 #
-# See http://shorewall.net/manpages/shorewall-snat.html for more information
+# See https://shorewall.org/manpages/shorewall-snat.html for more information
 ###########################################################################################################################################
 #ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #

Shorewall/Shorewall-targetname

@@ -0,0 +1 @@
+5.2.4.1