Add "zone name too long" error

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/INSTALL

@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5
 
 ---------------------------------------------------------------------------
 
-Please see http://www.shorewall.org/Install.htm for installation
+Please see https://shorewall.org/Install.htm for installation
 instructions.
 
 

Shorewall-core/Shorewall-core-targetname

@@ -1 +1 @@
-5.2.4-Beta1
+5.2.5-Beta2

Shorewall-core/configure

@@ -4,7 +4,7 @@
 #
 #     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.org
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/configure.pl

@@ -4,7 +4,7 @@
 #
 #     (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.org
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/install.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.org
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.base

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.cli

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -2651,6 +2651,7 @@ allow_command() {
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
 			allowed=Yes
+			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 		    fi
 		fi
 
@@ -2667,6 +2668,7 @@ allow_command() {
 	    *)
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
+			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 			allowed=Yes
 		    fi
 		fi
@@ -3622,6 +3624,7 @@ reject_command() {
 
 blacklist_command() {
     local family
+    local timeout
 
     [ $# -gt 0 ] || fatal_error "Missing address"
 
@@ -3639,10 +3642,17 @@ blacklist_command() {
 	    ;;
     esac
 
-    if $IPSET -A $g_blacklistipset $@ -exist; then
+    if [ $COMMAND = 'blacklist!' ]; then
+	timeout='timeout 0'
+    else
+	echo "$@" | fgrep -q ' timeout ' || timeout="timeout $g_dbltimeout"
+    fi
+
+    if $IPSET -A $g_blacklistipset $@ $timeout -exist; then
 	local message
 
 	progress_message2 "$1 Blacklisted"
+	[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Blacklisted"
 
 	if [ -n "$g_disconnect" ]; then
 	    message="$(conntrack -D -s $1 2>&1)"
@@ -3897,7 +3907,7 @@ setup_dbl() {
     case $DYNAMIC_BLACKLIST in
 	ipset*,src-dst*)
 	    #
-	    # This utility doesn't need to know about 'src-dst'
+	    # Capture 'src-dst'
 	    #
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
 
@@ -3905,11 +3915,49 @@ setup_dbl() {
 	    ;;
     esac
 
+    case $DYNAMIC_BLACKLIST in
+	ipset*,log*)
+	    #
+	    # Capture 'log'
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,log//')
+
+	    g_dbllog=Yes
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	ipset*,noupdate*)
+	    #
+	    # This utility doesn't use this option
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,noupdate//')
+	    ;;
+    esac
+
     case $DYNAMIC_BLACKLIST in
 	ipset*,timeout*)
 	    #
-	    # This utility doesn't need to know about 'timeout=nnn'
+	    # Capture timeout
 	    #
+	    local ifs
+	    local f
+
+	    ifs=$IFS
+	    IFS=','
+
+	    for f in $DYNAMIC_BLACKLIST; do
+		case $f in
+		    timeout=*)
+			g_dbltimeout=${f#timeout=}
+			g_dbltimeout=${g_dbltimeout%%:*}
+			break
+			;;
+		esac
+	    done
+
+	    IFS=$ifs
+
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
 	    ;;
     esac
@@ -4458,6 +4506,8 @@ shorewall_cli() {
     g_disconnect=
     g_havemutex=
     g_trace=
+    g_dbltimeout=
+    g_dbllog=
 
     VERBOSE=
     VERBOSITY=1
@@ -4679,7 +4729,7 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
-	blacklist)
+	blacklist|blacklist!)
 	    only_root
 	    get_config Yes
 	    shift
@@ -4757,7 +4807,7 @@ shorewall_cli() {
 	    ;;
 	allow)
 	    only_root
-	    get_config
+	    get_config Yes
 	    allow_command $@
 	    ;;
 	add)

Shorewall-core/lib.common

@@ -3,7 +3,7 @@
 #
 #     (c) 2010-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.core

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.installer

@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.uninstaller

@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/manpages/shorewall.xml

@@ -48,7 +48,7 @@
 
       <arg>options</arg>
 
-      <arg choice="plain"><option>blacklist</option></arg>
+      <arg choice="plain"><option>blacklist[!]</option></arg>
 
       <arg
       choice="plain"><replaceable>address</replaceable><arg><replaceable>option</replaceable>
@@ -1151,7 +1151,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">blacklist</emphasis>
+        <term><emphasis role="bold">blacklist[!]</emphasis>
         <replaceable>address</replaceable> [ <replaceable>option</replaceable>
         ... ]</term>
 
@@ -1165,7 +1165,17 @@
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
           <replaceable>address</replaceable> along with any
           <replaceable>option</replaceable>s are passed to the <command>ipset
-          add</command> command.</para>
+          add</command> command. Probably the most useful
+          <replaceable>option</replaceable> is the <option>timeout</option>
+          option. For example, to permanently blacklist 192.0.2.22, the
+          command would be:</para>
+
+          <programlisting>    shorewall blacklist 192.0.2.22 timeout 0</programlisting>
+
+          <para>Beginning with Shorewall 5.2.5, the above command can be
+          shortened to:</para>
+
+          <programlisting>    shorewall blacklist! 192.0.2.22</programlisting>
 
           <para>If the <option>disconnect</option> option is specified in the
           DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
@@ -2891,25 +2901,18 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">stop</emphasis>
+        <term><emphasis role="bold">stop</emphasis></term>
-        [-<option>f</option>]</term>
 
         <listitem>
           <para>Stops the firewall. All existing connections, except those
           listed in <ulink
-          url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
+          url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
           or permitted by the ADMINISABSENTMINDED option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), are
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> The only
-          taken down. The only new traffic permitted through the firewall is
+          new traffic permitted through the firewall is from systems listed in
-          from systems listed in <ulink
+          <ulink
-          url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
+          url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
           or by ADMINISABSENTMINDED.</para>
-
-          <para>If <option>-f</option> is given, the command will be processed
-          by the compiled script that executed the last successful <emphasis
-          role="bold">start</emphasis>, <emphasis
-          role="bold">restart</emphasis> or <emphasis
-          role="bold">reload</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 
@@ -3170,7 +3173,7 @@
 
     <simplelist>
       <member><ulink
-      url="/starting_and_stopping_shorewall.htm">http://www.shorewall.org/starting_and_stopping_shorewall.htm</ulink>
+      url="/starting_and_stopping_shorewall.htm">https://shorewall.org/starting_and_stopping_shorewall.htm</ulink>
       - Describes operational aspects of Shorewall.</member>
 
       <member><ulink url="shorewall-files.html">shorewall-files(5)</ulink> -

Shorewall-core/shorewall

@@ -5,7 +5,7 @@
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.org
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://www.shorewall.org
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/wait4ifup

@@ -6,7 +6,7 @@
 #
 #	This file is installed in /usr/share/shorewall/wait4ifup
 #
-#	Shorewall documentation is available at http://www.shorewall.org
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-init/ifupdown.debian.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.org
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -110,7 +110,7 @@ case $0 in
 	;;
     *)
         #
-        # Debian ifupdown system
+        # Debian ifupdown system - MODE and INTERFACE inherited from the environment
         #
 	INTERFACE="$IFACE"
 
@@ -127,6 +127,17 @@ esac
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null
 
 for PRODUCT in $PRODUCTS; do
+    if [ -n "$ADDRFAM" -a ${COMMAND} = up ]; then
+	case $PRODUCT in
+	    *6*)
+		[ ${ADDRFAM} = inet6 ] || continue
+		;;
+	    *)
+		[ ${ADDRFAM} = inet ] || continue
+		;;
+	esac
+    fi
+
     setstatedir
 
     if [ -x $VARLIB/$PRODUCT/firewall ]; then

Shorewall-init/ifupdown.fedora.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.org
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -90,7 +90,14 @@ case $0 in
 		COMMAND=down
 		;;
 	    *dispatcher.d*)
-		COMMAND="$2"
+		case "$2" in
+		    up|down)
+			COMMAND="$2"
+			;;
+		    *)
+			exit 0
+			;;
+		esac
 		;;
 	    *)
 		exit 0

Shorewall-init/ifupdown.suse.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.org
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -120,7 +120,14 @@ case $0 in
 	case $0 in
 	    *dispatcher.d*)
 		INTERFACE="$1"
-		COMMAND="$2"
+		case "$2" in
+		    up|down)
+			COMMAND="$2"
+			;;
+		    *)
+			exit 0
+			;;
+		esac
 		;;
 	    *if-up.d*)
 		COMMAND=up

Shorewall-init/init.debian.sh

@@ -8,7 +8,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License

Shorewall-init/init.suse.sh

@@ -7,7 +7,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License

Shorewall-init/install.sh

@@ -5,7 +5,7 @@
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
-#       Shorewall documentation is available at http://shorewall.org
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -169,7 +169,7 @@ if [ -z "$BUILD" ]; then
 	    ;;
 	*)
 	    if [ -f /etc/os-release ]; then
-		eval $(cat /etc/os-release | grep ^ID=)
+		ID=$(grep '^ID=' /etc/os-release | sed 's/ID=//; s/"//g;')
 
 		case $ID in
 		    fedora|rhel|centos|foobar)
@@ -357,12 +357,11 @@ fi
 if [ $HOST = debian ]; then
     if [ -n "${DESTDIR}" ]; then
 	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
 	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
     elif [ $configure -eq 0 ]; then
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
+	make_parent_directory ${CONFDIR}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
+	make_parent_directory ${CONFDIR}/network/if-post-down.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
+	rm -f ${CONFDIR}/network/if-down.d/shorewall
     fi
 
     if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
@@ -388,7 +387,7 @@ else
 	    elif [ $HOST = openwrt ]; then
 		# Not implemented on OpenWRT
 		/bin/true
-	    else
+	    elif [ "$HOST" != debian ]; then
 		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
 	    fi
 	fi
@@ -417,19 +416,22 @@ if [ $HOST != openwrt ]; then
 fi
 
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
+    if [ "$HOST" = debian ]; then
-    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
+	rm -f ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall
+    else
+	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
+	install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
+    fi
 fi
 
 case $HOST in
     debian)
 	if [ $configure -eq 1 ]; then
 	    install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	    install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	    rm -f ${DESTDIR}/etc/network/if-down.d/shorewall
 	else
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
-	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
 	fi
 	;;

Shorewall-init/shorewall-init

@@ -6,7 +6,7 @@
 #	On most distributions, this file should be called
 #	/etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is part of Shorewall.
 #
@@ -25,6 +25,7 @@
 #
 ###############################################################################
 # set the STATEDIR variable
+
 setstatedir() {
     local statedir
     if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
@@ -42,6 +43,67 @@ setstatedir() {
     fi
 }
 
+# Initialize the firewalls
+
+shorewall_init_start () {
+    local PRODUCT
+    local STATEDIR
+
+    printf "Initializing \"Shorewall-based firewalls\": "
+
+    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+	ipset -R < "$SAVE_IPSETS"
+    fi
+
+    for PRODUCT in $PRODUCTS; do
+	if setstatedir; then
+	    #
+	    # Run in a sub-shell to avoid name collisions
+	    #
+	    (
+		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		    ${STATEDIR}/firewall ${OPTIONS} stop
+		fi
+	    )
+	fi
+    done
+
+    return 0
+}
+
+# Clear the firewalls
+
+shorewall_init_stop () {
+    local PRODUCT
+    local STATEDIR
+
+    printf "Clearing \"Shorewall-based firewalls\": "
+
+    for PRODUCT in $PRODUCTS; do
+	if setstatedir; then
+	    #
+	    # Run in sub-shell to avoid name collisions
+	    #
+	    (
+		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		    ${STATEDIR}/firewall ${OPTIONS} clear
+		fi
+	    )
+	fi
+    done
+
+    if [ -n "$SAVE_IPSETS" ]; then
+	mkdir -p $(dirname "$SAVE_IPSETS")
+	if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	else
+	    rm -f "${SAVE_IPSETS}.tmp"
+	fi
+    fi
+
+    return 0
+}
+
 #
 # This is modified by the installer when ${SHAREDIR} <> /usr/share
 #
@@ -59,62 +121,12 @@ else
     exit 1
 fi
 
-# Initialize the firewall
-shorewall_start () {
-    local PRODUCT
-    local STATEDIR
-
-    printf "Initializing \"Shorewall-based firewalls\": "
-    for PRODUCT in $PRODUCTS; do
-	if setstatedir; then
-	    #
-	    # Run in a sub-shell to avoid name collisions
-	    #
-	    (
-		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		    ${STATEDIR}/firewall ${OPTIONS} stop
-		fi
-	    )
-	fi
-    done
-
-    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-	ipset -R < "$SAVE_IPSETS"
-    fi
-
-    return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-    local PRODUCT
-    local STATEDIR
-
-    printf "Clearing \"Shorewall-based firewalls\": "
-    for PRODUCT in $PRODUCTS; do
-	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
-	fi
-    done
-
-    if [ -n "$SAVE_IPSETS" ]; then
-	mkdir -p $(dirname "$SAVE_IPSETS")
-	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-	else
-	    rm -f "${SAVE_IPSETS}.tmp"
-	fi
-    fi
-
-    return 0
-}
-
 case "$1" in
     start)
-	shorewall_start
+	shorewall_init_start
 	;;
     stop)
-	shorewall_stop
+	shorewall_init_stop
 	;;
     *)
 	echo "Usage: $0 {start|stop}"

Shorewall-lite/Shorewall-lite-targetname

@@ -1 +1 @@
-5.2.4-Beta1
+5.2.4.1

Shorewall-lite/init.openwrt.sh

@@ -7,7 +7,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/init.sh

@@ -7,7 +7,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/init.suse.sh

@@ -8,7 +8,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License

Shorewall-lite/install.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.org
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/lib.base

@@ -3,7 +3,7 @@
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/manpages/shorewall-lite.conf.xml

@@ -183,7 +183,7 @@
     <title>See ALSO</title>
 
     <para><ulink
-    url="http://www.shorewall.org/Documentation_Index.html">http://www.shorewall.org/Documentation_Index.html</ulink></para>
+    url="https://shorewall.org/Documentation_Index.html">https://shorewall.org/Documentation_Index.html</ulink></para>
 
     <para>shorewall-lite(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),

Shorewall-lite/shorewall-lite.conf

@@ -8,7 +8,7 @@
 #  "man shorewall-lite.conf"
 #
 #  Manpage also online at
-#  http://www.shorewall.org/manpages/shorewall-lite.conf.html
+#  https://shorewall.org/manpages/shorewall-lite.conf.html
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################

Shorewall/Actions/action.A_REJECT

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.A_REJECT!

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Broadcast

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.DNSAmp

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Established

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.FIN

@@ -7,7 +7,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.IfEvent

@@ -27,7 +27,7 @@
 #                the IP address that are older than <duration> seconds.
 # Disposition  - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.org/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 ###############################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE

Shorewall/Actions/action.Invalid

@@ -6,7 +6,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Limit

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Multicast

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.New

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.NotSyn

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.RST

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Related

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.ResetEvent

@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any rule generated.
 #
-# For additional information, see http://www.shorewall.org/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 ###############################################################################
 #                        DO NOT REMOVE THE FOLLOWING LINE

Shorewall/Actions/action.SetEvent

@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.org/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 
 DEFAULTS -,ACCEPT,src

Shorewall/Actions/action.Untracked

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowBcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowInvalid

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowMcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowinUPnP

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropBcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropBcasts

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropInvalid

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropMcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropNotSyn

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.forwardUPnP

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.mangletemplate

@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.org/Actions.html for additional
+# Please see https://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/mangle.

Shorewall/Actions/action.rejNotSyn

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.template

@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.org/Actions.html for additional
+# Please see https://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/rules.

Shorewall/Contrib/swping

@@ -21,7 +21,7 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#  For information about this script, see  http://www.shorewall.org/MultiISP.html#swping.
+#  For information about this script, see  https://shorewall.org/MultiISP.html#swping.
 #
 ###########################################################################################
 #

Shorewall/Contrib/swping.init

@@ -7,7 +7,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License

Shorewall/INSTALL

@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5
 
 ---------------------------------------------------------------------------
 
-Please see http://www.shorewall.org/Install.htm for installation
+Please see https://shorewall.org/Install.htm for installation
 instructions.
 
 

Shorewall/Perl/Shorewall/ARP.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Accounting.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Chains.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -37,6 +37,7 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
 use strict;
+use sort 'stable';
 
 our @ISA = qw(Exporter);
 our @EXPORT = ( qw(
@@ -319,6 +320,7 @@ our $VERSION = 'MODULEVERSION';
 #    %chain_table { <table> => { <chain1>  => { name         => <chain name>
 #                                               table        => <table name>
 #                                               is_policy    => undef|1 -- if 1, this is a policy chain
+#                                               wild         => undef|1 -- If 1, source or dest is 'all'. Only applies to policy chains
 #                                               provisional  => undef|1 -- See below.
 #                                               referenced   => undef|1 -- If 1, will be written to the iptables-restore-input.
 #                                               builtin      => undef|1 -- If 1, one of Netfilter's built-in chains.
@@ -725,6 +727,7 @@ our %opttype = ( rule          => CONTROL,
 		 'icmpv6-type' => UNIQUE,
 
 		 comment       => CONTROL,
+		 digest        => CONTROL,
 
 		 policy        => MATCH,
 		 state         => EXCLUSIVE,
@@ -3520,6 +3523,33 @@ sub irule_to_string( $ ) {
     $string;
 }
 
+#
+# This one omits the comment
+#
+sub irule_to_string1( $ ) {
+    my ( $ruleref ) = @_;
+
+    return $ruleref->{cmd} if exists $ruleref->{cmd};
+
+    my $string = '';
+
+    for ( grep ! ( get_opttype( $_, 0 ) & ( CONTROL | TARGET ) ), @{$ruleref->{matches}}) {
+	my $value = $ruleref->{$_};
+	if ( reftype $value ) {
+	    $string .= "$_=" . join( ',', @$value ) . ' ';
+	} else {
+	    $string .= "$_=$value ";
+	}
+    }
+
+    if ( $ruleref->{target} ) {
+	$string .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} );
+	$string .= join( '', ' ', $ruleref->{targetopts} ) if $ruleref->{targetopts};
+    }
+
+    $string;
+}
+
 sub calculate_digest( $ ) {
     my $chainref = shift;
     my $rules = '';
@@ -3706,6 +3736,16 @@ sub optimize_level0() {
     }
 }
 
+#
+# Conditionally sort a list of chain table entry references by name, if -t was specified
+#
+sub sortchainsiftest(\%) {
+    my $hashref = shift;
+
+    return sort { $a->{name} cmp $b->{name} } values %$hashref if $test;
+    return values %$hashref;
+}
+
 sub optimize_level4( $$ ) {
     my ( $table, $tableref ) = @_;
     my $progress = 1;
@@ -3927,7 +3967,7 @@ sub optimize_level4( $$ ) {
     my @chains  = grep ( $_->{referenced}   &&
 			 ! $_->{optflags}   &&
 			 @{$_->{rules}} < 4 &&
-			 keys %{$_->{references}} == 1 , values %$tableref );
+			 keys %{$_->{references}} == 1 , sortchainsiftest %$tableref );
 
     if ( my $chains  = @chains ) {
 	$passes++;
@@ -3936,7 +3976,7 @@ sub optimize_level4( $$ ) {
 
 	for my $chainref ( @chains ) {
 	    my $name = $chainref->{name};
-	    for my $sourceref ( map $tableref->{$_}, keys %{$chainref->{references}} ) {
+	    for my $sourceref ( map $tableref->{$_}, sortkeysiftest %{$chainref->{references}} ) {
 		my $name1 = $sourceref->{name};
 
 		if ( $chainref->{references}{$name1} == 1 ) {
@@ -4040,7 +4080,7 @@ sub optimize_level8( $$$ ) {
 
 		    if ( $config{RENAME_COMBINED} && $chainref->{name} !~ /^[~%]/ ) {
 			#
-			# For simple use of the BLACKLIST section, we can end up with many identical
+			# For simple use of the blrules file, we can end up with many identical
 			# chains. To distinguish them from other renamed chains, we keep track of
 			# these chains via the 'blacklistsection' member.
 			#
@@ -4066,7 +4106,7 @@ sub optimize_level8( $$$ ) {
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
-	    for my $oldname ( @rename ) {
+	    for my $oldname ( sortiftest @rename ) {
 		my $newname = $renamed{ $oldname } = $rename{ $oldname } . $chainseq++;
 
 		trace( $tableref->{$oldname}, 'RN', 0, " Renamed $newname" ) if $debug;
@@ -4179,10 +4219,10 @@ sub get_multi_sports( $ ) {
 }
 
 #
-# Return an array of keys for the passed rule. 'dport', 'comment', and 'origin' are omitted;
+# Return an array of keys for the passed rule. 'dport', 'comment', 'origin' and 'digest' are omitted;
 #
 sub get_keys( $ ) {
-    my %skip = ( dport => 1, comment => 1, origin => 1 );
+    my %skip = ( dport => 1, comment => 1, origin => 1, digest => 1 );
 
     sort grep ! $skip{$_},  keys %{$_[0]};
 }
@@ -4363,64 +4403,54 @@ sub delete_duplicates {
     my @rules;
     my $chainref  = shift;
     my $lastrule  = @_;
-    my $baseref   = pop;
     my $ruleref;
     my %skip = ( comment => 1, origin => 1 );
 
+    for ( @_ ) {
+	$_->{digest} = sha1_hex irule_to_string1( $_ );
+    }
+
+    my $baseref   = pop;
+
     while ( @_ ) {
 	my $docheck;
 	my $duplicate = 0;
 
 	if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
 	    my $ports1;
-	    my @keys1    = sort( grep ! $skip{$_}, keys( %$baseref ) );
+	    my $bad_key;
 	    my $rulenum  = @_;
 	    my $adjacent = 1;
+	    my $digest   = $baseref->{digest};
 
-	    {
+	    for ( grep ! $skip{$_}, keys( %$baseref ) ) {
-	      RULE:
+		$bad_key = 1, last if $bad_match{$_};
+	    }
 
-		while ( --$rulenum >= 0 ) {
+	    while ( --$rulenum >= 0 ) {
-		    $ruleref = $_[$rulenum];
+		$ruleref = $_[$rulenum];
 
-		    last unless $ruleref->{mode} == CAT_MODE;
+		last unless $ruleref->{mode} == CAT_MODE;
 
-		    my @keys2 = sort(grep ! $skip{$_}, keys( %$ruleref ) );
+		next unless $digest eq $ruleref->{digest};
 
-		    next unless @keys1 == @keys2 ;
+		unless ( $adjacent > 0 ) {
-
-		    my $keynum = 0;
-
-		    if ( $adjacent > 0 ) {
-			#
-			# There are no non-duplicate rules between this rule and the base rule
-			#
-			for my $key (  @keys1 ) {
-			    next RULE unless $key eq $keys2[$keynum++];
-			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
-			}
-		    } else {
-			#
-			# There are non-duplicate rules between this rule and the base rule
-			#
-			for my $key ( @keys1 ) {
-			    next RULE unless $key eq $keys2[$keynum++];
-			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
-			    last RULE if $bad_match{$key};
-			}
-		    }
 		    #
-		    # This rule is a duplicate
+		    # There are non-duplicate rules between this rule and the base rule
 		    #
-		    $duplicate = 1;
+		    last if $bad_key;
-		    #
-		    # Increment $adjacent so that the continue block won't set it to zero
-		    #
-		    $adjacent++;
-
-		} continue {
-		    $adjacent--;
 		}
+		#
+		# This rule is a duplicate
+		#
+		$duplicate = 1;
+		#
+		# Increment $adjacent so that the continue block won't set it to zero
+		#
+		$adjacent++;
+
+	    } continue {
+		$adjacent--;
 	    }
 	}
 
@@ -4457,10 +4487,10 @@ sub get_conntrack( $ ) {
 }
 
 #
-# Return an array of keys for the passed rule. 'conntrack',  'comment' & 'origin' are omitted;
+# Return an array of keys for the passed rule. 'conntrack',  'comment', 'origin' and 'digest' are omitted;
 #
 sub get_keys1( $ ) {
-    my %skip = ( comment => 1, origin => 1 , 'conntrack --ctstate' => 1 );
+    my %skip = ( comment => 1, origin => 1 , digest => 1, 'conntrack --ctstate' => 1 );
 
     sort grep ! $skip{$_},  keys %{$_[0]};
 }
@@ -4579,7 +4609,7 @@ sub combine_states {
 
 sub optimize_level16( $$$ ) {
     my ( $table, $tableref , $passes ) = @_;
-    my @chains   = ( grep $_->{referenced}, values %{$tableref} );
+    my @chains   = ( grep $_->{referenced}, sortchainsiftest %{$tableref} );
     my @chains1  = @chains;
     my $chains   = @chains;
 
@@ -4696,7 +4726,7 @@ sub setup_zone_mss() {
 
 	my $hosts = find_zone_hosts_by_option( $zone, 'mss' );
 
-	for my $hostref ( @$hosts ) {
+	for my $hostref ( $test ? sort { $a->[0] cmp $b->[0] } @$hosts : @$hosts ) {
 	    my $mss         = $hostref->[4];
 	    my @mssmatch    = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : ();
 	    my @sourcedev   = imatch_source_dev $hostref->[0];
@@ -7455,13 +7485,13 @@ sub set_global_variables( $$ ) {
     if ( $conditional ) {
 	my ( $interface, @interfaces );
 
-	@interfaces = keys %interfaceaddr;
+	@interfaces = sortkeysiftest %interfaceaddr;
 
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
 	}
 
-	@interfaces = keys %interfacegateways;
+	@interfaces = sortkeysiftest %interfacegateways;
 
 	for $interface ( @interfaces ) {
 	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
@@ -7471,29 +7501,29 @@ sub set_global_variables( $$ ) {
 	    emit( qq(fi\n) );
 	}
 
-	@interfaces = keys %interfacemacs;
+	@interfaces = sortkeysiftest %interfacemacs;
 
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
 	}
     } else {
-	emit $_     for values %interfaceaddr;
+	emit $interfaceaddr{$_}         for sortkeysiftest %interfaceaddr;
-	emit "$_\n" for values %interfacegateways;
+	emit "$interfacegateways{$_}\n" for sortkeysiftest %interfacegateways;
-	emit $_     for values %interfacemacs;
+	emit $interfacemacs{$_}         for sortkeysiftest %interfacemacs;
     }
 
     if ( $setall ) {
-	emit $_ for values %interfaceaddrs;
+	emit $interfaceaddr{$_}         for sortkeysiftest %interfaceaddr;
-	emit $_ for values %interfacenets;
+	emit $interfacenets{$_}         for sortkeysiftest %interfacenets;
 
 	unless ( have_capability( 'ADDRTYPE' ) ) {
 
 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for values %interfacebcasts;
+		emit $interfacebcasts{$_} for sortkeysiftest %interfacebcasts;
 	    } else {
 		emit 'ALL_ACASTS="$(get_all_acasts)"';
-		emit $_ for values %interfaceacasts;
+		emit $interfaceacasts{$_} for sortkeysiftest %interfaceacasts;
 	    }
 	}
     }
@@ -8457,7 +8487,7 @@ sub add_interface_options( $ ) {
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = sortkeysiftest %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;
 
 	    if ( @input_interfaces > 1 ) {
@@ -8543,7 +8573,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = keys %{zone_interfaces( $zone2 )};
+		my @interfaces = sortkeysiftest %{zone_interfaces( $zone2 )};
 		my $chain1ref;
 
 		for my $interface ( @interfaces ) {
@@ -8861,7 +8891,7 @@ sub ensure_ipsets( @ ) {
     my $set;
     my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
 
-    if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
+    if ( $_[0] eq $globals{DBL_IPSET} ) {
 	shift;
 
 	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));
@@ -8872,12 +8902,12 @@ sub ensure_ipsets( @ ) {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout 0${counters}) );
 	} else {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout 0${counters}) );
 	}
 
 	pop_indent;
@@ -8984,7 +9014,7 @@ sub create_save_ipsets() {
 	    #
 	    $ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
 
-	    my @sets = keys %ipsets;
+	    my @sets = sortkeysiftest %ipsets;
 
 	    emit( '' ,
 		  '    rm -f $file' ,
@@ -9054,10 +9084,14 @@ sub create_load_ipsets() {
 	    # Requires V5 or later
 	    #
 	    emit( '' ,
-		  "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
+		  '    if  [ -f ${VARDIR}/ipsets.save ]; then' ,
-		  '        $IPSET flush $set' ,
+		  '        while read verb set rest; do' ,
-		  '        $IPSET destroy $set' ,
+		  '            if [ $verb = create ]; then' ,
-		  "    done" ,
+		  '                $IPSET flush $set' ,
+		  '                $IPSET destroy $set' ,
+		  '            fi' ,
+		  '        done < ${VARDIR}/ipsets.save' ,
+		  '    fi',
 		);
 	} else {
 	    #
@@ -9100,7 +9134,7 @@ sub create_load_ipsets() {
 		emit( '        #',
 		      '        # Update the dynamic blacklisting ipset timeout value',
 		      '        #',
-		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
+		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout 0" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
 		      '        zap_ipsets',
 		      '        $IPSET restore < ${VARDIR}/ipsets.temp',
 		      '    fi' );
@@ -9153,7 +9187,7 @@ sub create_load_ipsets() {
 #
 sub create_nfobjects() {
     
-    my @objects = ( keys %nfobjects );
+    my @objects = ( sortkeysiftest %nfobjects );
 
     if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -9168,7 +9202,7 @@ sub create_nfobjects() {
 	}
     }
 
-    for ( keys %nfobjects ) {
+    for ( @objects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -9541,7 +9575,7 @@ sub create_stop_load( $ ) {
 }
 
 sub initialize_switches() {
-    if ( keys %switches ) {
+    if ( sortkeysiftest %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
 	for my $switch ( keys %switches ) {

Shorewall/Perl/Shorewall/Compiler.pm

@@ -6,7 +6,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -49,8 +49,6 @@ our $VERSION = 'MODULEVERSION';
 
 our $export;          # True when compiling for export
 
-our $test;            # True when running regression tests
-
 our $family;          # IP address family (4 or 6)
 
 our $have_arptables;  # True if we have arptables rules
@@ -58,8 +56,8 @@ our $have_arptables;  # True if we have arptables rules
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $$$ ) {
+sub initialize_package_globals( $$$$ ) {
-    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
+    Shorewall::Config::initialize($family, $export, $_[1], $_[2], $_[3]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize($family);
@@ -545,13 +543,13 @@ date > ${VARDIR}/restarted
 
 case $COMMAND in
     start)
-        mylogger kern.info "$g_product started"
+        mylogger daemon.info "$g_product started"
         ;;
     reload)
-        mylogger kern.info "$g_product reloaded"
+        mylogger daemon.info "$g_product reloaded"
         ;;
     restore)
-        mylogger kern.info "$g_product restored"
+        mylogger daemon.info "$g_product restored"
         ;;
 esac
 EOF
@@ -588,7 +586,7 @@ sub compiler {
        ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
 
     $export         = 0;
-    $test           = 0;
+    my $test        = 0;
     $have_arptables = 0;
 
     sub validate_boolean( $ ) {
@@ -641,18 +639,19 @@ sub compiler {
     #
     # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
     #
-    initialize_package_globals( $update, $shorewallrc, $shorewallrc1 );
+    initialize_package_globals( $update, $test, $shorewallrc, $shorewallrc1 );
-
+    #
+    # Rather than continuing to extend the argument list of Config::initialize(),
+    # we use a set of small functions to export settings to the Config module.
+    #
     set_config_path( $config_path ) if $config_path;
-
     set_shorewall_dir( $directory ) if $directory ne '';
-
     $verbosity = 1 if $debug && $verbosity < 1;
-
     set_verbosity( $verbosity );
     set_log($log, $log_verbosity) if $log;
     set_timestamp( $timestamp );
     set_debug( $debug , $confess );
+    set_command( 'compile', 'Compiling', 'Compiled' );
     #
     #                                      S H O R E W A L L R C ,
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
@@ -670,12 +669,7 @@ sub compiler {
     #
     # Create a temp file to hold the script
     #
-    if ( $scriptfilename ) {
+    create_temp_script( $scriptfilename , $export ) if $scriptfilename;
-	set_command( 'compile', 'Compiling', 'Compiled' );
-	create_temp_script( $scriptfilename , $export );
-    } else {
-	set_command( 'check', 'Checking', 'Checked' );
-    }
     #
     #                                     Z O N E   D E F I N I T I O N
     #                              (Produces no output to the compiled script)
@@ -913,7 +907,7 @@ sub compiler {
 	#
 	# Close, rename and secure the script
 	#
-	finalize_script ( $export );
+	finalize_script ( $export, $test );
 	#
 	# And generate the auxilary config file
 	#
@@ -978,11 +972,7 @@ sub compiler {
 	#
 	report_used_capabilities;
 
-	if ( $family == F_IPV4 ) {
+	progress_message3 "$Product configuration verified";
-	    progress_message3 "Shorewall configuration verified";
-	} else {
-	    progress_message3 "Shorewall6 configuration verified";
-	}
     }
 
     close_log if $log;

Shorewall/Perl/Shorewall/Config.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -166,7 +166,11 @@ our @EXPORT = qw(
 		 report_used_capabilities
 		 kernel_version
 
-                 compiletime
+		 compiletime
+
+		 sortkeysiftest
+		 sortvaluesiftest
+		 sortiftest
 				       
 		 F_IPV4
 		 F_IPV6
@@ -264,6 +268,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $debug
 				       $file_format
 				       $comment
+				       $test
 
 				       %config
 				       %origin
@@ -652,6 +657,30 @@ our %params;
 #
 our %compiler_params;
 #
+# Entries conditionally exported to the compiled script via the aux config file
+#
+our @exported_params = ( qw(
+			 VERBOSITY
+			 LOGFILE
+			 LOGFORMAT
+			 APRTABLES
+			 IPTABLES
+			 IP6TABLES
+			 IP
+			 TC
+			 IPSET
+			 PATH
+			 SHOREWALL_SHELL
+			 SHELL
+			 SUBSYSLOCK
+			 LOCKFILE
+			 RESTOREFILE
+			 RESTART
+			 DYNAMIC_BLACKLIST
+			 PAGER
+			 )
+    );
+#
 # Action parameters
 #
 our %actparams;
@@ -793,6 +822,8 @@ our %filecache;
 
 our $compiletime;
 
+our $test;
+
 sub process_shorewallrc($$);
 sub add_variables( \% );
 #
@@ -804,9 +835,12 @@ sub add_variables( \% );
 #
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
-#
+####################################################################################################
-sub initialize($;$$$) {
+# Do not change the required part of this prototype unless you want to take on a lot of additional
-    ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
+# work (This function is called from build).
+####################################################################################################
+sub initialize($;$$$$) {
+    ( $family, $export, $test, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
 
     if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -851,7 +885,7 @@ sub initialize($;$$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => '5.2.0-Beta1',
+		    VERSION                 => '5.2.4.1',
 		    CAPVERSION              => 50200 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -1828,6 +1862,30 @@ sub set_command( $$$ ) {
     ($command, $doing, $done) = @_;
 }
 
+#
+# Return the keys or values of the passed hash. If $test, the keys/values will be sorted by their own values
+#
+sub sortkeysiftest(\%) {
+    my ( $hashref ) =  @_;
+
+    return sort keys %$hashref if $test;
+    return keys %$hashref;
+}
+
+sub sortvaluesiftest(\%) {
+    my ( $hashref ) =  @_;
+
+    return sort values %$hashref if $test;
+    return keys %$hashref;
+}
+
+#
+# Sort a list by the list elements if $test
+#
+sub sortiftest(@) {
+    return $test ? sort @_ : @_;
+}
+
 #
 # Print the current TOD to STDOUT.
 #
@@ -2015,28 +2073,30 @@ sub generate_sha1() {
 #
 # Finalize the script file
 #
-sub finalize_script( $ ) {
+sub finalize_script( $$ ) {
-    my $export = $_[0];
+    my ( $export, $test ) = @_;
     close $script;
     $script = 0;
 
     if ( $file ne '-' ) {
-	my $sha1sum  = generate_sha1;
+	unless ( $test ) {
-	my $sha1sum1 = join( '-', 'sha-lh', substr( $sha1sum, 0, 20 ) );
+	    my $sha1sum  = generate_sha1;
-	my $sha1sum2 = join( '-', 'sha-rh', substr( $sha1sum, -20   ) );
+	    my $sha1sum1 = join( '-', 'sha-lh', substr( $sha1sum, 0, 20 ) );
+	    my $sha1sum2 = join( '-', 'sha-rh', substr( $sha1sum, -20   ) );
 
-	@ARGV = ( $tempfile );
+	    @ARGV = ( $tempfile );
-	$^I = '';
+	    $^I = '';
 
-	while ( <> ) {
+	    while ( <> ) {
-	    s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
+		s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
-	    s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
+		s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
-	    print;
+		print;
+	    }
 	}
 
 	rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
 	chmod 0700, $file or fatal_error "Cannot secure $file for execute access";
-	progress_message3 "Shorewall configuration compiled to $file" unless $export;
+	progress_message3 "$Product configuration compiled to $file" unless $export;
     }
 }
 
@@ -2058,7 +2118,7 @@ sub finalize_aux_config() {
     close $script;
     $script = 0;
     rename $tempfile, "$file.conf" or fatal_error "Cannot Rename $tempfile to $file.conf: $!";
-    progress_message3 "Shorewall configuration compiled to $file";
+    progress_message3 "$Product configuration compiled to $file";
 }
 
 #
@@ -6635,7 +6695,7 @@ sub get_configuration( $$$ ) {
 
     if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
-	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
+	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1, 'log' => 1, 'noupdate' => 1, );
 
 	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
 
@@ -7160,8 +7220,8 @@ sub generate_aux_config() {
 
     emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
 
-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST PAGER) ) {
+    for my $param ( @exported_params ) {
-	conditionally_add_option $option;
+	conditionally_add_option $param;
     }
 
     conditionally_add_option1 'TC_ENABLED';

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Misc.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -34,6 +34,7 @@ use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::Rules;
 use Shorewall::Proc;
+use sort 'stable';
 
 use strict;
 
@@ -130,7 +131,7 @@ sub setup_ecn()
 	}
 
 	if ( @hosts ) {
-	    my @interfaces = ( keys %interfaces );
+	    my @interfaces = ( sortkeysiftest %interfaces );
 
 	    progress_message "$doing ECN control on @interfaces...";
 
@@ -335,7 +336,7 @@ sub convert_blacklist() {
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
-# Please see http://shorewall.org/blacklisting_support.htm for additional
+# Please see https://shorewall.org/blacklisting_support.htm for additional
 # information.
 #
 ###################################################################################################################################################################################################
@@ -434,9 +435,9 @@ sub convert_routestopped() {
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
 # The manpage is also online at
-# http://www.shorewall.org/manpages/shorewall-stoppedrules.html
+# https://shorewall.org/manpages/shorewall-stoppedrules.html
 #
-# See http://shorewall.org/starting_and_stopping_shorewall.htm for additional
+# See https://shorewall.org/starting_and_stopping_shorewall.htm for additional
 # information.
 #
 ###############################################################################
@@ -734,6 +735,7 @@ sub add_common_rules ( $ ) {
     my $dbl_tag;
     my $dbl_src_target;
     my $dbl_dst_target;
+    my $dbl_options;
 
     if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -795,9 +797,10 @@ sub add_common_rules ( $ ) {
 
 	if ( $dbl_ipset ) {
 	    if ( $val = $globals{DBL_TIMEOUT} ) {
-		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
+		$dbl_options    = $globals{DBL_OPTIONS};
+		$dbl_src_target = $dbl_options =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
 
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = new_standard_chain( $dbl_src_target );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -808,11 +811,11 @@ sub add_common_rules ( $ ) {
 				'add',
 				'',
 				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} ) unless $dbl_options =~ /noupdate/;
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 
 		if ( $dbl_src_target eq 'dbl_src' ) {
-		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
+		    $chainref = new_standard_chain( $dbl_dst_target = 'dbl_dst' );
 
 		    log_rule_limit( $dbl_level,
 				    $chainref,
@@ -829,7 +832,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -1322,7 +1325,7 @@ sub setup_mac_lists( $ ) {
 	$maclist_interfaces{ $hostref->[0] } = 1;
     }
 
-    my @maclist_interfaces = ( keys %maclist_interfaces );
+    my @maclist_interfaces = ( sortkeysiftest %maclist_interfaces );
 
     if ( $phase == 1 ) {
 
@@ -1408,7 +1411,7 @@ sub setup_mac_lists( $ ) {
 	#
 	# Generate jumps from the input and forward chains
 	#
-	for my $hostref ( @$maclist_hosts ) {
+	for my $hostref ( $test ? sort { $a->[0] cmp $b->[0] } @$maclist_hosts : @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
 	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
@@ -1801,7 +1804,7 @@ sub handle_complex_zone( $$ ) {
 	my $type       = $zoneref->{type};
 	my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
 
-	for my $interface ( keys %$source_ref ) {
+	for my $interface ( sortkeysiftest %$source_ref ) {
 	    my $sourcechainref = $filter_table->{forward_chain $interface};
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;
@@ -1941,7 +1944,7 @@ sub add_output_jumps( $$$$$$$$ ) {
     my $use_output        = 0;
     my @dest              = imatch_dest_net $net;
     my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
-    my @zone_interfaces   = keys %{zone_interfaces( $zone )};
+    my @zone_interfaces   = sortkeysiftest %{zone_interfaces( $zone )};
 
     if ( @vservers || use_interface_chain( $interface, 'use_output_chain' ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 	#
@@ -2313,9 +2316,9 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $type ( keys %$source_hosts_ref ) {
+	for my $type ( sortkeysiftest %$source_hosts_ref ) {
 	    my $typeref = $source_hosts_ref->{$type};
-	    for my $interface ( keys %$typeref ) {
+	    for my $interface ( sortkeysiftest %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
 		    # Insert the interface-specific jumps before this one which is not interface-specific
@@ -2400,9 +2403,9 @@ sub generate_matrix() {
 
 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
 
-		for my $type ( keys %{$zone1ref->{hosts}} ) {
+		for my $type ( sortkeysiftest %{$zone1ref->{hosts}} ) {
 		    my $typeref = $zone1ref->{hosts}{$type};
-		    for my $interface ( keys %$typeref ) {
+		    for my $interface ( sortkeysiftest %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
@@ -2808,7 +2811,7 @@ EOF
     emit '
 
     set_state "Stopped"
-    mylogger kern.info "$g_product Stopped"
+    mylogger daemon.info "$g_product Stopped"
 
     case $COMMAND in
     stop|clear)

Shorewall/Perl/Shorewall/Nat.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -561,7 +561,7 @@ sub open_snat_for_output( $ ) {
 #
 # For information about entries in this file, type "man shorewall-snat"
 #
-# See http://shorewall.org/manpages/shorewall-snat.html for additional information
+# See https://shorewall.org/manpages/shorewall-snat.html for additional information
 EOF
 	} else {
 	    print $snat <<'EOF';
@@ -570,7 +570,7 @@ EOF
 #
 # For information about entries in this file, type "man shorewall6-snat"
 #
-# See http://shorewall.org/manpages6/shorewall6-snat.html for additional information
+# See https://shorewall.org/manpages/shorewall-snat.html for additional information
 EOF
 	}
 

Shorewall/Perl/Shorewall/Proc.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Providers.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -1892,8 +1892,8 @@ sub map_provider_to_interface() {
 
     my $haveoptional;
 
-    for my $providerref ( values %providers ) {
+    for my $provider ( @providers ) {
-	if ( $providerref->{optional} ) {
+	if ( ( my $providerref=$providers{$provider} )->{optional} ) {
 	    unless ( $haveoptional++ ) {
 		emit( 'if [ -n "$interface" ]; then',
 		      '    case $interface in' );
@@ -2054,8 +2054,7 @@ sub compile_updown() {
 	    );
     }
 
-    my @nonshared = ( grep $providers{$_}->{optional},
+    my @nonshared = ( grep $providers{$_}->{optional}, sortvaluesiftest %provider_interfaces );
-		      values %provider_interfaces );
 
     if ( @nonshared ) {
 	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
@@ -2070,7 +2069,7 @@ sub compile_updown() {
 	      q(        COMMAND=enable) ,
 	      q(        detect_configuration $1),
 	      q(        enable_provider $1),
-	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
+	      q(    else),
 	      q(        progress_message3 "Attempting disable on interface $1") ,
 	      q(        COMMAND=disable) ,
 	      q(        detect_configuration $1),
@@ -2111,7 +2110,7 @@ sub compile_updown() {
 	emit( '        progress_message3 "$g_product attempting $COMMAND"',
 	      '        detect_configuration',
 	      '        define_firewall',
-	      '    elif [ "$PHASE" != pre-down ]; then # Not Debian pre-down phase'
+	      '    else' ,
 	    );
 
 	push_indent;
@@ -2246,9 +2245,11 @@ sub handle_optional_interfaces() {
     # names but they might derive from wildcard interface entries. Optional interfaces which do not have
     # wildcard physical names are also included in the providers table.
     #
-    for my $providerref ( grep $_->{optional} , values %providers ) {
+    for my $provider ( @providers ) {
-	push @interfaces, $providerref->{interface};
+	if ( ( my $providerref = $providers{$provider} )->{optional} ) {
-	$wildcards ||= $providerref->{wildcard};
+	    push @interfaces, $providerref->{interface};
+	    $wildcards ||= $providerref->{wildcard};
+	}
     }
 
     #
@@ -2296,17 +2297,7 @@ sub handle_optional_interfaces() {
 
 		emit( "$physical)" ), push_indent if $wildcards;
 
-		if ( $provider eq $physical ) {
+		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		    #
-		    # Just an optional interface, or provider and interface are the same
-		    #
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		} else {
-		    #
-		    # Provider
-		    #
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		}
 
 		push_indent;
 

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -155,7 +155,7 @@ sub setup_proxy_arp() {
 
 	emit '';
 
-	for my $interface ( keys %reset ) {
+	for my $interface ( sortkeysiftest %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -164,7 +164,7 @@ sub setup_proxy_arp() {
 	    }
 	}
 
-	for my $interface ( keys %set ) {
+	for my $interface ( sortkeysiftest %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );

Shorewall/Perl/Shorewall/Raw.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2009-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Rules.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -443,6 +443,7 @@ sub convert_to_policy_chain($$$$$$)
     my ($chainref, $source, $dest, $policy, $provisional, $audit ) = @_;
 
     $chainref->{is_policy}   = 1;
+    $chainref->{wild}        = $source eq 'all' || $dest eq 'all';
     $chainref->{policy}      = $policy;
     $chainref->{provisional} = $provisional;
     $chainref->{audit}       = $audit;
@@ -1147,7 +1148,7 @@ sub complete_policy_chains() {
 		}
 	    }
 
-	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
+	    if ( $chainref->{wild} ) {
 		add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST};
 	    }
 	}
@@ -1252,6 +1253,7 @@ sub finish_chain_section ($$$) {
 	$state )            = @_;
     my $chain               = $chainref->{name};
     my $save_comment        = push_comment;
+    my $wild                = $chainref->{wild} && ! $config{EXPAND_RULES};
     my %state;
 
     $state{$_} = 1 for split ',', $state;
@@ -1262,74 +1264,76 @@ sub finish_chain_section ($$$) {
 
     $chain1ref->{sections}{$_} = 1 for keys %state;
 
-    for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
+    unless ( $wild ) {
-	if ( $state{$_} ) {
+	for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
-	    my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
+	    if ( $state{$_} ) {
-	    my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
+		my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
+		my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
 
-	    if ( $twochains || $level || $target ne 'ACCEPT' ) {
+		if ( $twochains || $level || $target ne 'ACCEPT' ) {
-		if ( $level ) {
+		    if ( $level ) {
-		    my $chain2ref;
+			my $chain2ref;
+
+			if ( $twochains ) {
+			    $chain2ref = $chainref;
+			} else {
+			    $chain2ref = new_chain( 'filter', "${char}$chainref->{name}" , "${char}$chainref->{logname}" );
+			}
+
+			log_rule_limit( $level,
+					$chain2ref,
+					$chain2ref->{logname},
+					uc $target,
+					$globals{LOGLIMIT},
+					$tag ,
+					'add' ,
+					'',
+					$level_origin );
+
+			$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
+
+			add_ijump_extended( $chain2ref, g => $target , $origin ) if $target;
+
+			$target = $chain2ref->{name} unless $twochains;
+		    }
 
 		    if ( $twochains ) {
-			$chain2ref = $chainref;
+			add_ijump_extended $chainref, g => $target , $origin if $target;
-		    } else {
+			delete $state{$_};
-			$chain2ref = new_chain( 'filter', "${char}$chainref->{name}" , "${char}$chainref->{logname}" );
+			last;
 		    }
 
-		    log_rule_limit( $level,
+		    if ( $target ) {
-				    $chain2ref,
+			$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
-				    $chain2ref->{logname},
+			#
-				    uc $target,
+			# Always handle ESTABLISHED first
-				    $globals{LOGLIMIT},
+			#
-				    $tag ,
+			if ( $state{ESTABLISHED} && $_ ne 'ESTABLISHED' ) {
-				    'add' ,
+			    add_ijump( $chain1ref, j => 'ACCEPT', state_imatch 'ESTABLISHED' );
-				    '',
+			    delete $state{ESTABLISHED};
-				    $level_origin );
+			}
 
-		    $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
+			add_ijump_extended( $chainref, j => $target, $origin, state_imatch $_ );
+		    }
 
-		    add_ijump_extended( $chain2ref, g => $target , $origin ) if $target;
-
-		    $target = $chain2ref->{name} unless $twochains;
-		}
-
-		if ( $twochains ) {
-		    add_ijump_extended $chainref, g => $target , $origin if $target;
 		    delete $state{$_};
-		    last;
 		}
-
-		if ( $target ) {
-		    $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
-		    #
-		    # Always handle ESTABLISHED first
-		    #
-		    if ( $state{ESTABLISHED} && $_ ne 'ESTABLISHED' ) {
-			add_ijump( $chain1ref, j => 'ACCEPT', state_imatch 'ESTABLISHED' );
-			delete $state{ESTABLISHED};
-		    }
-
-		    add_ijump_extended( $chainref, j => $target, $origin, state_imatch $_ );
-		}
-
-		delete $state{$_};
-	    }
-	}
-    }
-
-    if ( keys %state ) {
-	my @state;
-
-	unless ( $config{FASTACCEPT} ) {
-	    for ( qw/ESTABLISHED RELATED/ ) {
-		push @state, $_ if $state{$_};
 	    }
 	}
 
-	push( @state, 'UNTRACKED' ),if $state{UNTRACKED} && $globals{UNTRACKED_TARGET} eq 'ACCEPT';
+	if ( keys %state ) {
+	    my @state;
 
-	add_ijump( $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) ) if @state;
+	    unless ( $config{FASTACCEPT} ) {
+		for ( qw/ESTABLISHED RELATED/ ) {
+		    push @state, $_ if $state{$_};
+		}
+	    }
+
+	    push( @state, 'UNTRACKED' ),if $state{UNTRACKED} && $globals{UNTRACKED_TARGET} eq 'ACCEPT';
+
+	    add_ijump( $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) ) if @state;
+	}
     }
 
     if ($sections{NEW} ) {
@@ -2888,6 +2892,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    fatal_error "Invalid flags ($flags)"         unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
 
 	    $action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
+	    $log_action = "$basictarget($setname)";
 
 	    if ( supplied $timeout ) {
 		fatal_error "A timeout may only be supplied in an ADD rule" unless $basictarget eq 'ADD';

Shorewall/Perl/Shorewall/Tc.pm

@@ -10,7 +10,7 @@
 #     Modified by Tom Eastep for integration into the Shorewall distribution
 #     published under GPL Version 2#
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -2284,11 +2284,11 @@ sub open_mangle_for_output( $ ) {
 #
 # For information about entries in this file, type "man shorewall-mangle"
 #
-# See http://shorewall.org/traffic_shaping.htm for additional information.
+# See https://shorewall.org/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
-# http://shorewall.org/MultiISP.html
+# https://shorewall.org/MultiISP.html
 #
-# See http://shorewall.org/PacketMarking.html for a detailed description of
+# See https://shorewall.org/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ##############################################################################################################################################################
 #ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP    SWITCH
@@ -2300,11 +2300,11 @@ EOF
 #
 # For information about entries in this file, type "man shorewall6-mangle"
 #
-# See http://shorewall.org/traffic_shaping.htm for additional information.
+# See https://shorewall.org/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
-# http://shorewall.org/MultiISP.html
+# https://shorewall.org/MultiISP.html
 #
-# See http://shorewall.org/PacketMarking.html for a detailed description of
+# See https://shorewall.org/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
 ######################################################################################################################################################################
@@ -2455,7 +2455,7 @@ sub setup_tc( $ ) {
 		}
 	    }
 	} elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
-	    warning_message "The tcrules file is no longer supported -- use '$shorewallrc{product} update' to convert $fn to an equivalent 'mangle' file";
+	    warning_message "The tcrules file is no longer supported -- use '$product update' to convert $fn to an equivalent 'mangle' file";
 	}
 
 	if ( my $fn = open_file( 'mangle', 1, 1 ) ) {

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -4,7 +4,7 @@
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Zones.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -29,6 +29,7 @@ package Shorewall::Zones;
 require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
+use sort 'stable';
 
 use strict;
 
@@ -559,7 +560,8 @@ sub process_zone( \$ ) {
 	@parents = split_list $2, 'zone';
     }
 
-    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH};
+    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i;
+    fatal_error "Zone name ($zone) too long"     unless length $zone <= $globals{MAXZONENAMELENGTH};
     fatal_error "Invalid zone name ($zone)"      if $reservedName{$zone} || $zone =~ /^all2|2all$/;
     fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};
 
@@ -847,10 +849,10 @@ sub dump_zone_contents() {
 	$entry .= ( " mark=" . in_hex( $zoneref->{mark} ) ) if exists $zoneref->{mark};
 
 	if ( $hostref ) {
-	    for my $type ( keys %$hostref ) {
+	    for my $type ( sortkeysiftest %$hostref ) {
 		my $interfaceref = $hostref->{$type};
 
-		for my $interface ( keys %$interfaceref ) {
+		for my $interface ( sortkeysiftest %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 
@@ -1241,7 +1243,7 @@ sub process_interface( $$ ) {
     fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
 
     if ( supplied $port ) {
-	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.org/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
+	fatal_error qq("Virtual" interfaces are not supported -- see https://shorewall.org/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
 	fatal_error "Your iptables is not recent enough to support bridge ports" unless $globals{KLUDGEFREE};
 
@@ -2027,7 +2029,7 @@ sub verify_required_interfaces( $ ) {
 
 	push_indent;
 
-	emit( 'start|reload|restore)' );
+	emit( 'start|reload|restore|enable)' );
 
 	push_indent;
 
@@ -2320,9 +2322,9 @@ sub find_hosts_by_option( $ ) {
     }
 
     for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
-	for my $type (keys %{$zones{$zone}{hosts}} ) {
+	for my $type (sortkeysiftest %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( keys %$interfaceref ) {
+	    for my $interface ( sortkeysiftest %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    my $ipsec  = $host->{ipsec};
@@ -2350,9 +2352,9 @@ sub find_zone_hosts_by_option( $$ ) {
     my @hosts;
 
     unless ( $zones{$zone}{type} & FIREWALL ) {
-	for my $type (keys %{$zones{$zone}{hosts}} ) {
+	for my $type (sortkeysiftest %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( keys %$interfaceref ) {
+	    for my $interface ( sortkeysiftest %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {

Shorewall/Perl/compiler.pl

@@ -4,7 +4,7 @@
 #
 #     (c) 2007,2008,2009,2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/getparams

@@ -4,7 +4,7 @@
 #
 #     (c) 2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/lib.runtime

@@ -1089,7 +1089,7 @@ clear_firewall() {
 
     set_state "Cleared"
 
-    logger -p kern.info "$g_product Cleared"
+    logger -p daemon.info "$g_product Cleared"
 }
 
 #
@@ -1113,7 +1113,7 @@ interface_is_usable() # $1 = interface
     status=0
 
     if [ "$1" != lo ]; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
@@ -1389,7 +1389,7 @@ clear_firewall() {
 
     set_state "Cleared"
 
-    logger -p kern.info "$g_product Cleared"
+    logger -p daemon.info "$g_product Cleared"
 }
 
 ?endif # IPv6-specific functions.

Shorewall/Samples/README.txt

@@ -1,6 +1,6 @@
 For instructions on using these sample configurations, please see
 
-http://www.shorewall.org/shorewall_quickstart_guide.htm
+https://shorewall.org/shorewall_quickstart_guide.htm
 
     Shorewall Samples
     Copyright (C) 2006 by the following authors:

Shorewall/Samples/Universal/interfaces

@@ -4,7 +4,7 @@
 # For information about entries in this file, type "man shorewall-interfaces"
 #
 # The manpage is also online at
-# http://www.shorewall.org/manpages/shorewall-interfaces.html
+# https://shorewall.org/manpages/shorewall-interfaces.html
 #
 ###############################################################################
 ?FORMAT 2

Shorewall/Samples/Universal/policy

@@ -4,7 +4,7 @@
 # For information about entries in this file, type "man shorewall-policy"
 #
 # The manpage is also online at
-# http://www.shorewall.org/manpages/shorewall-policy.html
+# https://shorewall.org/manpages/shorewall-policy.html
 #
 ###############################################################################
 #SOURCE	DEST	POLICY		LOGLEVEL	RATE		CONNLIMIT

Shorewall/Samples/Universal/rules

@@ -4,7 +4,7 @@
 # For information on the settings in this file, type "man shorewall-rules"
 #
 # The manpage is also online at
-# http://www.shorewall.org/manpages/shorewall-rules.html
+# https://shorewall.org/manpages/shorewall-rules.html
 #
 ######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER

Shorewall/Samples/Universal/shorewall.conf

@@ -4,7 +4,7 @@
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
-#  Manpage also online at http://www.shorewall.org/manpages/shorewall.conf.html
+#  Manpage also online at https://shorewall.org/manpages/shorewall.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################

Shorewall/Samples/Universal/zones

@@ -4,7 +4,7 @@
 # For information about this file, type "man shorewall-zones"
 #
 # The manpage is also online at
-# http://www.shorewall.org/manpages/shorewall-zones.html
+# https://shorewall.org/manpages/shorewall-zones.html
 #
 ###############################################################################
 #ZONE	TYPE		OPTIONS		IN			OUT

Shorewall/Samples/one-interface/README.txt

@@ -1,6 +1,6 @@
 For instructions on using this sample configuration, please see
 
-http://www.shorewall.org/standalone.htm
+https://shorewall.org/standalone.htm
 
     Shorewall Samples
     Copyright (C) 2006-2015 by the following authors:

Shorewall/Samples/one-interface/shorewall.conf

@@ -14,7 +14,7 @@
 # For information about the settings in this file, type "man shorewall.conf"
 #
 # The manpage is also online at
-# http://shorewall.org/manpages/shorewall.conf.html
+# https://shorewall.org/manpages/shorewall.conf.html
 #
 ###############################################################################
 #		       S T A R T U P   E N A B L E D

Shorewall/Samples/three-interfaces/README.txt

@@ -1,6 +1,6 @@
 For instructions on using these sample configurations, please see
 
-http://www.shorewall.org/three-interface.htm
+https://shorewall.org/three-interface.htm
 
     Shorewall Samples
     Copyright (C) 2006-2015 by the following authors:

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -14,7 +14,7 @@
 # For information about the settings in this file, type "man shorewall.conf"
 #
 # The manpage is also online at
-# http://shorewall.org/manpages/shorewall.conf.html
+# https://shorewall.org/manpages/shorewall.conf.html
 #
 ###############################################################################
 STARTUP_ENABLED=No

Shorewall/Samples/three-interfaces/snat

@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
 #
-# See http://shorewall.org/manpages/shorewall-snat.html for more information
+# See https://shorewall.org/manpages/shorewall-snat.html for more information
 ###########################################################################################################################################
 #ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #

Shorewall/Samples/two-interfaces/README.txt

@@ -1,6 +1,6 @@
 For instructions on using these sample configurations, please see
 
-http://www.shorewall.org/two-interface.htm
+https://shorewall.org/two-interface.htm
 
     Shorewall Samples
     Copyright (C) 2006-2015 by the following authors:

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -14,7 +14,7 @@
 # For information about the settings in this file, type "man shorewall.conf"
 #
 # The manpage is also online at
-# http://shorewall.org/manpages/shorewall.conf.html
+# https://shorewall.org/manpages/shorewall.conf.html
 #
 ###############################################################################
 #		       S T A R T U P   E N A B L E D

Shorewall/Samples/two-interfaces/snat

@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-snat"
 #
-# See http://shorewall.org/manpages/shorewall-snat.html for more information
+# See https://shorewall.org/manpages/shorewall-snat.html for more information
 ###########################################################################################################################################
 #ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #

Shorewall/Shorewall-targetname

@@ -1 +1 @@
-5.2.4-Beta1
+5.2.5-Beta2

Shorewall/actions.std

@@ -3,7 +3,7 @@
 #
 # /usr/share/shorewall/actions.std
 #
-#	Please see http://shorewall.org/Actions.html for additional
+#	Please see https://shorewall.org/Actions.html for additional
 #	information.
 #
 ###############################################################################

Shorewall/configfiles/accounting

@@ -3,7 +3,7 @@
 #
 # For information about entries in this file, type "man shorewall-accounting"
 #
-# Please see http://shorewall.org/Accounting.html for examples and
+# Please see https://shorewall.org/Accounting.html for examples and
 # additional information about how to use this file.
 #
 #####################################################################################################

Shorewall/configfiles/actions

@@ -3,7 +3,7 @@
 #
 # For information about entries in this file, type "man shorewall-actions"
 #
-# Please see http://shorewall.org/Actions.html for additional information.
+# Please see https://shorewall.org/Actions.html for additional information.
 #
 # Place '# ' below the 'C' in COMMENT followed by a comment describing
 # the action.