Merge branch 'busybox-shell-fixes/v1' into 'master'

lib.cli-std: fix two shell errors when AUTOMAKE is false

See merge request shorewall/code!14

.gitattributes

@@ -0,0 +1 @@
+*targetname export-ignore

Shorewall-core/INSTALL

@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5
 
 ---------------------------------------------------------------------------
 
-Please see http://www.shorewall.org/Install.htm for installation
+Please see https://shorewall.org/Install.htm for installation
 instructions.
 
 

Shorewall-core/Shorewall-core-targetname

@@ -1 +1 @@
-5.2.4-Beta1
+5.2.8-RC1

Shorewall-core/configure

@@ -4,7 +4,7 @@
 #
 #     (c) 2012,2014,2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.org
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/configure.pl

@@ -4,7 +4,7 @@
 #
 #     (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.org
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/install.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.org
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -324,6 +324,15 @@ install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
 
 echo
 echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
+#
+# Install stop_service
+#
+if [ -n "${STOPSERVICEFILE}" ]; then
+    install_file ${STOPSERVICEFILE} ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service 0755
+
+    echo
+    echo "${STOPSERVICEFILE} installed in ${DESTDIR}${LIBEXECDIR}/shorewall/stop_service"
+fi
 
 #
 # Install the libraries

Shorewall-core/lib.base

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.cli

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=50200
+SHOREWALL_CAPVERSION=50207
 
 if [ -z "$g_basedir" ]; then
     #
@@ -247,10 +247,39 @@ search_log() # $1 = IP address to search for
 #
 # Show traffic control information
 #
-show_tc1() {
+show_one_classifier() {
+    local class
 
+    qt tc -s filter ls root dev $1 && tc -s filter ls root dev $device | grep -v '^$'
+    tc filter show dev $1
+    tc class show dev $1 | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
+	if [ -n "$class" ]; then
+	    echo
+	    echo Node $class
+	    tc filter show dev $device parent $class
+	fi
+    done
+    echo
+}
+
+show_classifier1() {
+    local device
+    local qdisc
+
+    device=${1%@*}
+    qdisc=$(tc qdisc list dev $device)
+    if [ -n "$qdisc" ]; then
+	echo Device $device:
+	show_one_classifier $device
+    fi
+}
+
+show_tc1() {
     show_one_tc() {
 	local device
+	local qdisc
+	local ingress
+
 	device=${1%@*}
 	qdisc=$(tc qdisc list dev $device)
 
@@ -260,6 +289,7 @@ show_tc1() {
 	    echo
 	    tc -s -d class show dev $device
 	    echo
+	    show_one_classifier $device "$qdisc"
 	fi
     }
 
@@ -270,7 +300,6 @@ show_tc1() {
 	    show_one_tc ${interface%:}
 	done
     fi
-
 }
 
 show_tc() {
@@ -291,28 +320,8 @@ show_tc() {
 #
 show_classifiers() {
 
-    show_one_classifier() {
-	local device
-	device=${1%@*}
-	qdisc=$(tc qdisc list dev $device)
-
-	if [ -n "$qdisc" ]; then
-	    echo Device $device:
-	    qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
-	    tc filter show dev $device
-	    tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
-		if [ -n "$class" ]; then
-		    echo
-		    echo Node $class
-		    tc filter show dev $device parent $class
-		fi
-	    done
-	    echo
-	fi
-    }
-
     ip -o link list | while read inx interface details; do
-	show_one_classifier ${interface%:}
+	show_classifier1 ${interface%:}
     done
 
 }
@@ -937,11 +946,28 @@ show_events() {
     fi
 }
 
+sort_actions() {
+    local sep #separates sort keys from the action[.std] record
+    sep="##"
+
+    awk -v sep="$sep" \
+         'BEGIN		  { action = ""; ifrec = ""; nr = 0; };\
+	  /^#/	  	  { next; };\
+	  /^\?(if|IF|If)/ { ifrec = $0; nr = NR; next; };\
+	  /^( |\t|\?)/	  { if ( action != "" ) print action, NR, sep $0; next; };\
+			  { action = $1; };\
+	  nr != 0	  { print action , nr, sep ifrec; nr = 0; };\
+			  { print action , NR, sep $0; }' | sort -k 1,2 | sed "s/^.*${sep}//"
+}
+
 show_actions() {
-    if [ -f ${g_confdir}/actions ]; then
+    local actions
-	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
+    actions=$(find_file actions)
+
+    if [ -f ${actions} ]; then
+	cat ${actions} ${g_sharedir}/actions.std | sort_actions
     else
-	grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
+        sort_actions < ${g_sharedir}/actions.std
     fi
 }
 
@@ -1000,6 +1026,8 @@ show_mangle() {
 show_classifiers_command() {
     echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
     echo
+    echo "Warning: This command is deprecated in favor of the 'show tc' command"
+    echo
     show_classifiers
 }
 
@@ -1108,10 +1136,6 @@ show_blacklists() {
     show_bl;
 }
 
-show_actions_sorted() {
-    show_actions | sort
-}
-
 show_macros() {
     for directory in $(split $CONFIG_PATH); do
 	temp=
@@ -1543,7 +1567,7 @@ show_command() {
 			    ;;
 			actions)
 			    [ $# -gt 1 ] && too_many_arguments $2
-			    eval show_actions_sorted $g_pager
+			    eval show_actions $g_pager
 			    return
 			    ;;
 			macro)
@@ -1891,8 +1915,6 @@ do_dump_command() {
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
 	show_tc1
-	heading "TC Filters"
-	show_classifiers
 	fi
 }
 
@@ -2651,6 +2673,7 @@ allow_command() {
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
 			allowed=Yes
+			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 		    fi
 		fi
 
@@ -2667,6 +2690,7 @@ allow_command() {
 	    *)
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
+			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 			allowed=Yes
 		    fi
 		fi
@@ -2863,6 +2887,7 @@ determine_capabilities() {
     NETMAP_TARGET=
     NFLOG_SIZE=
     RESTORE_WAIT_OPTION=
+    CONNMARK_ACTION=
 
     AMANDA_HELPER=
     FTP_HELPER=
@@ -3230,6 +3255,10 @@ determine_capabilities() {
 	    BASIC_FILTER=Yes
 	    $TC filter add basic help 2>&1 | egrep -q match && BASIC_EMATCH=Yes
 	fi
+
+	if $TC action add connmark help 2>&1 | grep -q ^Usage; then
+	    CONNMARK_ACTION=Yes
+	fi
     fi
 
     [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
@@ -3373,6 +3402,7 @@ report_capabilities_unsorted() {
     report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
     report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
     report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN
+    report_capability "TC connmark support (CONNMARK_ACTION)" $CONNMARK_ACTION
 
     echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
     echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3479,6 +3509,7 @@ report_capabilities_unsorted1() {
     report_capability1 NFLOG_SIZE
     report_capability1 RESTORE_WAIT_OPTION
     report_capability1 NAT_INPUT_CHAIN
+    report_capability1 CONNMARK_ACTION
 
     report_capability1 AMANDA_HELPER
     report_capability1 FTP_HELPER
@@ -3574,7 +3605,7 @@ status_command() {
 
     [ $# -eq 0 ] || missing_argument
 
-    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
+    [ $VERBOSITY -ge 1 ] && echo "${g_product} $SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
     show_status
     [ -n "$interfaces" ] && show_interfaces
     exit $status
@@ -3622,6 +3653,7 @@ reject_command() {
 
 blacklist_command() {
     local family
+    local timeout
 
     [ $# -gt 0 ] || fatal_error "Missing address"
 
@@ -3639,10 +3671,17 @@ blacklist_command() {
 	    ;;
     esac
 
-    if $IPSET -A $g_blacklistipset $@ -exist; then
+    if [ $COMMAND = 'blacklist!' ]; then
+	timeout='timeout 0'
+    else
+	echo "$@" | fgrep -q ' timeout ' || timeout="timeout $g_dbltimeout"
+    fi
+
+    if $IPSET -A $g_blacklistipset $@ $timeout -exist; then
 	local message
 
 	progress_message2 "$1 Blacklisted"
+	[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Blacklisted"
 
 	if [ -n "$g_disconnect" ]; then
 	    message="$(conntrack -D -s $1 2>&1)"
@@ -3897,7 +3936,7 @@ setup_dbl() {
     case $DYNAMIC_BLACKLIST in
 	ipset*,src-dst*)
 	    #
-	    # This utility doesn't need to know about 'src-dst'
+	    # Capture 'src-dst'
 	    #
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
 
@@ -3905,11 +3944,49 @@ setup_dbl() {
 	    ;;
     esac
 
+    case $DYNAMIC_BLACKLIST in
+	ipset*,log*)
+	    #
+	    # Capture 'log'
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,log//')
+
+	    g_dbllog=Yes
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	ipset*,noupdate*)
+	    #
+	    # This utility doesn't use this option
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,noupdate//')
+	    ;;
+    esac
+
     case $DYNAMIC_BLACKLIST in
 	ipset*,timeout*)
 	    #
-	    # This utility doesn't need to know about 'timeout=nnn'
+	    # Capture timeout
 	    #
+	    local ifs
+	    local f
+
+	    ifs=$IFS
+	    IFS=','
+
+	    for f in $DYNAMIC_BLACKLIST; do
+		case $f in
+		    timeout=*)
+			g_dbltimeout=${f#timeout=}
+			g_dbltimeout=${g_dbltimeout%%:*}
+			break
+			;;
+		esac
+	    done
+
+	    IFS=$ifs
+
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
 	    ;;
     esac
@@ -3942,9 +4019,15 @@ setup_dbl() {
 # the Standard CLI by loading lib.cli-std
 ################################################################################
 #
-# Set the configuration variables from shorewall[6]-lite.conf.
+# Set the configuration variables from shorewall[6]-lite.conf. This function
+# is replaced by the one in lib.cli-std (Shorewall product) when Shorewall or
+# Shorewall6 is being run.
 #
-get_config() {
+#     $1 = Yes: read the params file
+#     $2 = Yes: check for STARTUP_ENABLED
+#     $3 = Yes: Check for LOGFILE
+#
+lite_get_config() {
     local config
     local lib
 
@@ -3964,7 +4047,7 @@ get_config() {
 
     ensure_config_path
 
-    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
 
     [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
@@ -4093,7 +4176,7 @@ get_config() {
 
 	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
 
-	    g_pager="| $g_pager"
+	    g_pager="2>&1 | $g_pager"
 	fi
     fi
 
@@ -4106,10 +4189,22 @@ get_config() {
     [ -f $lib ] && . $lib
 
 }
+
+#
+# get_config() -- calls the appropriate xxx_get_config()
+#
+get_config() {
+    if [ -z "$g_lite" ]; then
+	std_get_config $@
+    else
+	lite_get_config $@
+    fi
+}
+
 #
 # Start Command Executor
 #
-start_command() {
+lite_start_command() {
     local finished
     finished=0
 
@@ -4127,7 +4222,7 @@ start_command() {
 	    rc=$?
 	else
 	    error_message "$g_firewall is missing or is not executable"
-	    mylogger kern.err "ERROR:$g_product start failed"
+	    mylogger daemon.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
 
@@ -4196,10 +4291,21 @@ start_command() {
     do_it
 }
 
+#
+# start_command() -- calls the appropriate xxx_start_command()
+#
+start_command() {
+    if [ -z "$g_lite" ]; then
+	std_start_command $@
+    else
+	lite_start_command $@
+    fi
+}
+
 #
 # Reload/Restart Command Executor
 #
-restart_command() {
+lite_restart_command() {
     local finished
     finished=0
     local rc
@@ -4260,7 +4366,7 @@ restart_command() {
 	rc=$?
     else
 	error_message "$g_firewall is missing or is not executable"
-	mylogger kern.err "ERROR:$g_product $COMMAND failed"
+	mylogger daemon.err "ERROR:$g_product $COMMAND failed"
 	rc=6
     fi
 
@@ -4268,6 +4374,17 @@ restart_command() {
     return $rc
 }
 
+#
+# restart_command() -- calls the appropriate xxx_restart_command()
+#
+restart_command() {
+    if [ -z "$g_lite" ]; then
+	std_restart_command $@
+    else
+	lite_restart_command $@
+    fi
+}
+
 run_command() {
     if [ -x $g_firewall ] ; then
 	run_it $g_firewall $@
@@ -4298,9 +4415,9 @@ usage() # $1 = exit status
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
     echo "   blacklist <address> [ <option> ... ]"
-    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
+    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ -D ] [ <directory> ]"
     echo "   clear"
-    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
+    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ -D ] [ <directory name> ] [ <path name> ]"
     echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   disable <interface>"
@@ -4340,7 +4457,7 @@ usage() # $1 = exit status
     if [ -n "$g_lite" ]; then
 	echo "   reload [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
     else
-	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ -D ] [ <directory> ]"
     fi
 
     if [ -z "$g_lite" ]; then
@@ -4356,7 +4473,7 @@ usage() # $1 = exit status
     if [ -n "$g_lite" ]; then
 	echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
     else
-	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ -D ] [ <directory> ]"
     fi
 
     echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
@@ -4371,12 +4488,11 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] arptables"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
-    echo "   [ show | list | ls ] classifiers"
+    echo "   [ show | list | ls ] {classifiers|filters)"
     echo "   [ show | list | ls ] config"
     echo "   [ show | list | ls ] connections"
     echo "   [ show | list | ls ] event [ <event> ...]"
     echo "   [ show | list | ls ] events"
-    echo "   [ show | list | ls ] filters"
     echo "   [ show | list | ls ] ip"
 
     if [ $g_family -eq 4 ]; then
@@ -4458,6 +4574,8 @@ shorewall_cli() {
     g_disconnect=
     g_havemutex=
     g_trace=
+    g_dbltimeout=
+    g_dbllog=
 
     VERBOSE=
     VERBOSITY=1
@@ -4635,7 +4753,7 @@ shorewall_cli() {
 	exit 1
     fi
 
-    banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"
+    banner="${g_product} ${SHOREWALL_VERSION} Status at $g_hostname -"
 
     COMMAND=$1
 
@@ -4679,7 +4797,7 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
-	blacklist)
+	blacklist|blacklist!)
 	    only_root
 	    get_config Yes
 	    shift
@@ -4725,7 +4843,7 @@ shorewall_cli() {
 	logwatch)
 	    only_root
 	    get_config Yes Yes Yes
-	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
+	    banner="${g_product} $SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)
@@ -4757,7 +4875,7 @@ shorewall_cli() {
 	    ;;
 	allow)
 	    only_root
-	    get_config
+	    get_config Yes
 	    allow_command $@
 	    ;;
 	add)

Shorewall-core/lib.common

@@ -3,7 +3,7 @@
 #
 #     (c) 2010-2018 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -55,13 +55,13 @@ startup_error() # $* = Error Message
 
     case $COMMAND in
         start)
-	    mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
     esac
 

Shorewall-core/lib.core

@@ -3,7 +3,7 @@
 #
 #     (c) 1999-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -337,8 +337,15 @@ ensure_config_path() {
 	. $F
     fi
 
-    if [ -n "$g_shorewalldir" ]; then
+    if [ -n "$g_shorewalldir" ] && [ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ];then
-	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+	case $CONFIG_PATH in
+	    :*)
+		CONFIG_PATH=${g_shorewalldir}${CONFIG_PATH}
+		;;
+	    *)
+		CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+		;;
+	esac
     fi
 }
 

Shorewall-core/lib.installer

@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/lib.uninstaller

@@ -4,7 +4,7 @@
 #     (c) 2017 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2017 - Matt Darfeuille (matdarf@gmail.com)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/manpages/shorewall.xml

@@ -48,7 +48,7 @@
 
       <arg>options</arg>
 
-      <arg choice="plain"><option>blacklist</option></arg>
+      <arg choice="plain"><option>blacklist[!]</option></arg>
 
       <arg
       choice="plain"><replaceable>address</replaceable><arg><replaceable>option</replaceable>
@@ -981,7 +981,22 @@
               <td><command>shorewall -6</command> or <command>shorewall
               -6l</command></td>
             </tr>
+
+            <tr>
+              <td><command>shorewall</command></td>
+
+              <td><command>shorewall -l</command></td>
+            </tr>
           </table>
+
+          <para>Note that when Shorewall isn't installed, the 'shorewall'
+          command behaves like shorewall-lite. The same is not true with
+          respect to Shorewall6, "shorewall6" and 'shorewall6-lite". You can
+          make 'shorewall6' behave like 'shorewallt-lite' by adding the
+          following command to root's .profile file (or to .bashrc, if root's
+          shell is bash):</para>
+
+          <programlisting>    alias shorewall6=shorewall6-lite</programlisting>
         </listitem>
       </varlistentry>
 
@@ -1151,7 +1166,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">blacklist</emphasis>
+        <term><emphasis role="bold">blacklist[!]</emphasis>
         <replaceable>address</replaceable> [ <replaceable>option</replaceable>
         ... ]</term>
 
@@ -1165,7 +1180,17 @@
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
           <replaceable>address</replaceable> along with any
           <replaceable>option</replaceable>s are passed to the <command>ipset
-          add</command> command.</para>
+          add</command> command. Probably the most useful
+          <replaceable>option</replaceable> is the <option>timeout</option>
+          option. For example, to permanently blacklist 192.0.2.22, the
+          command would be:</para>
+
+          <programlisting>    shorewall blacklist 192.0.2.22 timeout 0</programlisting>
+
+          <para>Beginning with Shorewall 5.2.5, the above command can be
+          shortened to:</para>
+
+          <programlisting>    shorewall blacklist! 192.0.2.22</programlisting>
 
           <para>If the <option>disconnect</option> option is specified in the
           DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
@@ -2108,10 +2133,6 @@
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
           url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
-
-          <para>The <emphasis role="bold">-D </emphasis>option was added in
-          Shoewall 5.2.4 and causes the compiler to write a large amount of
-          debugging information to standard output.</para>
         </listitem>
       </varlistentry>
 
@@ -2452,8 +2473,8 @@
             </varlistentry>
 
             <varlistentry>
-              <term><emphasis role="bold">bl|blacklists</emphasis>
+              <term><emphasis role="bold">[-<option>x</option>]
-              [-<option>x</option>]</term>
+              bl|blacklists</emphasis></term>
 
               <listitem>
                 <para>Added in Shorewall 4.6.2. Displays the dynamic chain
@@ -2521,7 +2542,9 @@
               <listitem>
                 <para>Displays information about the packet classifiers
                 defined on the system as a result of traffic shaping
-                configuration.</para>
+                configuration. Beginning with Shorewall 5.2.8, this command is
+                deprecated, as its output is included in the information
+                displayed by the 'show tc' command.</para>
               </listitem>
             </varlistentry>
 
@@ -2891,25 +2914,18 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">stop</emphasis>
+        <term><emphasis role="bold">stop</emphasis></term>
-        [-<option>f</option>]</term>
 
         <listitem>
           <para>Stops the firewall. All existing connections, except those
           listed in <ulink
-          url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
+          url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
           or permitted by the ADMINISABSENTMINDED option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), are
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>, are taken
-          taken down. The only new traffic permitted through the firewall is
+          down. The only new traffic permitted through the firewall is from
-          from systems listed in <ulink
+          systems listed in <ulink
-          url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
+          url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
           or by ADMINISABSENTMINDED.</para>
-
-          <para>If <option>-f</option> is given, the command will be processed
-          by the compiled script that executed the last successful <emphasis
-          role="bold">start</emphasis>, <emphasis
-          role="bold">restart</emphasis> or <emphasis
-          role="bold">reload</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 
@@ -3170,7 +3186,7 @@
 
     <simplelist>
       <member><ulink
-      url="/starting_and_stopping_shorewall.htm">http://www.shorewall.org/starting_and_stopping_shorewall.htm</ulink>
+      url="/starting_and_stopping_shorewall.htm">https://shorewall.org/starting_and_stopping_shorewall.htm</ulink>
       - Describes operational aspects of Shorewall.</member>
 
       <member><ulink url="shorewall-files.html">shorewall-files(5)</ulink> -

Shorewall-core/shorewall

@@ -5,7 +5,7 @@
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014,2015-2017
 #         Tom Eastep (teastep@shorewall.net)
 #
-#	Shorewall documentation is available at http://www.shorewall.org
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-core/shorewallrc.debian.systemd

@@ -22,3 +22,4 @@ SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib				#Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
 DEFAULT_PAGER=/usr/bin/less		#Pager to use if none specified in shorewall[6].conf
+STOPSERVICEFILE=stop_service.debian	#Name of script to stop systemd service that honours `SAFESTOP`.

Shorewall-core/stop_service.debian

@@ -0,0 +1,19 @@
+#!/bin/sh
+
+PRODUCT=$1
+
+. /etc/default/${PRODUCT}
+
+if [ "$SAFESTOP" = 1 ]; then
+  COMMAND=stop
+else
+  COMMAND=clear
+fi
+
+if [ "${PRODUCT}" = shorewall6 ]; then
+  EXEC="/sbin/shorewall -6"
+else
+  EXEC="/sbin/${PRODUCT}"
+fi
+
+exec ${EXEC} ${OPTIONS} ${COMMAND}

Shorewall-core/uninstall.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://www.shorewall.org
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -134,6 +134,7 @@ fi
 
 remove_directory ${SHAREDIR}/shorewall
 remove_file ~/.shorewallrc
+remove_file ${SBINDIR}/shorewall
 
 #
 # Report Success

Shorewall-core/wait4ifup

@@ -6,7 +6,7 @@
 #
 #	This file is installed in /usr/share/shorewall/wait4ifup
 #
-#	Shorewall documentation is available at http://www.shorewall.org
+#	Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-init/ifupdown.debian.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.org
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -110,7 +110,7 @@ case $0 in
 	;;
     *)
         #
-        # Debian ifupdown system
+        # Debian ifupdown system - MODE and INTERFACE inherited from the environment
         #
 	INTERFACE="$IFACE"
 
@@ -127,6 +127,17 @@ esac
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null
 
 for PRODUCT in $PRODUCTS; do
+    if [ -n "$ADDRFAM" -a ${COMMAND} = up ]; then
+	case $PRODUCT in
+	    *6*)
+		[ ${ADDRFAM} = inet6 ] || continue
+		;;
+	    *)
+		[ ${ADDRFAM} = inet ] || continue
+		;;
+	esac
+    fi
+
     setstatedir
 
     if [ -x $VARLIB/$PRODUCT/firewall ]; then

Shorewall-init/ifupdown.fedora.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.org
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -90,7 +90,14 @@ case $0 in
 		COMMAND=down
 		;;
 	    *dispatcher.d*)
-		COMMAND="$2"
+		case "$2" in
+		    up|down)
+			COMMAND="$2"
+			;;
+		    *)
+			exit 0
+			;;
+		esac
 		;;
 	    *)
 		exit 0

Shorewall-init/ifupdown.suse.sh

@@ -6,7 +6,7 @@
 #
 #     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.org
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
@@ -120,7 +120,14 @@ case $0 in
 	case $0 in
 	    *dispatcher.d*)
 		INTERFACE="$1"
-		COMMAND="$2"
+		case "$2" in
+		    up|down)
+			COMMAND="$2"
+			;;
+		    *)
+			exit 0
+			;;
+		esac
 		;;
 	    *if-up.d*)
 		COMMAND=up

Shorewall-init/init.debian.sh

@@ -8,7 +8,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License

Shorewall-init/init.suse.sh

@@ -7,7 +7,7 @@
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License

Shorewall-init/install.sh

@@ -5,7 +5,7 @@
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
-#       Shorewall documentation is available at http://shorewall.org
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -169,7 +169,7 @@ if [ -z "$BUILD" ]; then
 	    ;;
 	*)
 	    if [ -f /etc/os-release ]; then
-		eval $(cat /etc/os-release | grep ^ID=)
+		ID=$(grep '^ID=' /etc/os-release | sed 's/ID=//; s/"//g;')
 
 		case $ID in
 		    fedora|rhel|centos|foobar)
@@ -357,12 +357,11 @@ fi
 if [ $HOST = debian ]; then
     if [ -n "${DESTDIR}" ]; then
 	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
 	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
     elif [ $configure -eq 0 ]; then
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
+	make_parent_directory ${CONFDIR}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
+	make_parent_directory ${CONFDIR}/network/if-post-down.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
+	rm -f ${CONFDIR}/network/if-down.d/shorewall
     fi
 
     if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
@@ -388,7 +387,7 @@ else
 	    elif [ $HOST = openwrt ]; then
 		# Not implemented on OpenWRT
 		/bin/true
-	    else
+	    elif [ "$HOST" != debian ]; then
 		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
 	    fi
 	fi
@@ -417,19 +416,22 @@ if [ $HOST != openwrt ]; then
 fi
 
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
+    if [ "$HOST" = debian ]; then
-    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
+	rm -f ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall
+    else
+	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
+	install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
+    fi
 fi
 
 case $HOST in
     debian)
 	if [ $configure -eq 1 ]; then
 	    install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	    install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	    rm -f ${DESTDIR}/etc/network/if-down.d/shorewall
 	else
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
-	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
 	fi
 	;;

Shorewall-init/shorewall-init

@@ -6,7 +6,7 @@
 #	On most distributions, this file should be called
 #	/etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is part of Shorewall.
 #
@@ -25,6 +25,7 @@
 #
 ###############################################################################
 # set the STATEDIR variable
+
 setstatedir() {
     local statedir
     if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
@@ -42,6 +43,67 @@ setstatedir() {
     fi
 }
 
+# Initialize the firewalls
+
+shorewall_init_start () {
+    local PRODUCT
+    local STATEDIR
+
+    printf "Initializing \"Shorewall-based firewalls\": "
+
+    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+	ipset -R < "$SAVE_IPSETS"
+    fi
+
+    for PRODUCT in $PRODUCTS; do
+	if setstatedir; then
+	    #
+	    # Run in a sub-shell to avoid name collisions
+	    #
+	    (
+		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		    ${STATEDIR}/firewall ${OPTIONS} stop
+		fi
+	    )
+	fi
+    done
+
+    return 0
+}
+
+# Clear the firewalls
+
+shorewall_init_stop () {
+    local PRODUCT
+    local STATEDIR
+
+    printf "Clearing \"Shorewall-based firewalls\": "
+
+    for PRODUCT in $PRODUCTS; do
+	if setstatedir; then
+	    #
+	    # Run in sub-shell to avoid name collisions
+	    #
+	    (
+		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		    ${STATEDIR}/firewall ${OPTIONS} clear
+		fi
+	    )
+	fi
+    done
+
+    if [ -n "$SAVE_IPSETS" ]; then
+	mkdir -p $(dirname "$SAVE_IPSETS")
+	if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
+	else
+	    rm -f "${SAVE_IPSETS}.tmp"
+	fi
+    fi
+
+    return 0
+}
+
 #
 # This is modified by the installer when ${SHAREDIR} <> /usr/share
 #
@@ -59,62 +121,12 @@ else
     exit 1
 fi
 
-# Initialize the firewall
-shorewall_start () {
-    local PRODUCT
-    local STATEDIR
-
-    printf "Initializing \"Shorewall-based firewalls\": "
-    for PRODUCT in $PRODUCTS; do
-	if setstatedir; then
-	    #
-	    # Run in a sub-shell to avoid name collisions
-	    #
-	    (
-		if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		    ${STATEDIR}/firewall ${OPTIONS} stop
-		fi
-	    )
-	fi
-    done
-
-    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-	ipset -R < "$SAVE_IPSETS"
-    fi
-
-    return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-    local PRODUCT
-    local STATEDIR
-
-    printf "Clearing \"Shorewall-based firewalls\": "
-    for PRODUCT in $PRODUCTS; do
-	if setstatedir; then
-	    ${STATEDIR}/firewall ${OPTIONS} clear
-	fi
-    done
-
-    if [ -n "$SAVE_IPSETS" ]; then
-	mkdir -p $(dirname "$SAVE_IPSETS")
-	if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS" || rm -f "${SAVE_IPSETS}.tmp"
-	else
-	    rm -f "${SAVE_IPSETS}.tmp"
-	fi
-    fi
-
-    return 0
-}
-
 case "$1" in
     start)
-	shorewall_start
+	shorewall_init_start
 	;;
     stop)
-	shorewall_stop
+	shorewall_init_stop
 	;;
     *)
 	echo "Usage: $0 {start|stop}"

Shorewall-init/shorewall-init.service

@@ -12,7 +12,7 @@ Wants=network-pre.target
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
-StandardOutput=syslog
+StandardOutput=journal
 ExecStart=/sbin/shorewall-init start
 ExecStop=/sbin/shorewall-init stop
 

Shorewall-init/shorewall-init.service.debian

@@ -6,6 +6,7 @@
 #
 [Unit]
 Description=Shorewall firewall (bootup security)
+Documentation=man:shorewall-init(8)
 Before=network.target
 
 [Service]

Shorewall-lite/Shorewall-lite-targetname

@@ -1 +1 @@
-5.2.4-Beta1
+5.2.4.1

Shorewall-lite/init.debian.sh

@@ -13,8 +13,8 @@
 
 . /lib/lsb/init-functions
 
-SRWL='/sbin/shorewall -l'
+SRWL=/sbin/shorewall
-SRWL_OPTS="-tvv"
+SRWL_OPTS="-ltvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
 
 [ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0

Shorewall-lite/init.openwrt.sh

@@ -7,7 +7,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/init.sh

@@ -7,7 +7,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/init.suse.sh

@@ -8,7 +8,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License

Shorewall-lite/install.sh

@@ -4,7 +4,7 @@
 #
 #     (c) 2000-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Shorewall documentation is available at http://shorewall.org
+#       Shorewall documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/lib.base

@@ -3,7 +3,7 @@
 #
 #     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall-lite/manpages/shorewall-lite.conf.xml

@@ -183,7 +183,7 @@
     <title>See ALSO</title>
 
     <para><ulink
-    url="http://www.shorewall.org/Documentation_Index.html">http://www.shorewall.org/Documentation_Index.html</ulink></para>
+    url="https://shorewall.org/Documentation_Index.html">https://shorewall.org/Documentation_Index.html</ulink></para>
 
     <para>shorewall-lite(8), shorewall-accounting(5), shorewall-actions(5),
     shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),

Shorewall-lite/shorewall-lite.conf

@@ -8,7 +8,7 @@
 #  "man shorewall-lite.conf"
 #
 #  Manpage also online at
-#  http://www.shorewall.org/manpages/shorewall-lite.conf.html
+#  https://shorewall.org/manpages/shorewall-lite.conf.html
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################

Shorewall-lite/shorewall-lite.service

@@ -13,7 +13,7 @@ Conflicts=iptables.service firewalld.service
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
-StandardOutput=syslog
+StandardOutput=journal
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 

Shorewall-lite/shorewall-lite.service.debian

@@ -6,6 +6,7 @@
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
+Documentation=man:shorewall-lite(8)
 Wants=network-online.target
 After=network-online.target
 Conflicts=iptables.service firewalld.service
@@ -16,7 +17,7 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall-lite $OPTIONS clear
+ExecStop=/usr/share/shorewall/stop_service shorewall-lite
 ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
 
 [Install]

Shorewall/Actions/action.A_REJECT

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.A_REJECT!

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.AllowICMPs

@@ -20,22 +20,23 @@ DEFAULTS ACCEPT
 
 # The following should have a ttl of 255 and must be allowed to transit a bridge
     @1	-		-	ipv6-icmp	router-solicitation
-    @1	-		-	ipv6-icmp	router-advertisement
     @1	-		-	ipv6-icmp	neighbour-solicitation
     @1	-		-	ipv6-icmp	neighbour-advertisement
-    @1	-		-	ipv6-icmp	137	# Redirect
     @1	-		-	ipv6-icmp	141	# Inverse neighbour discovery solicitation
     @1	-		-	ipv6-icmp	142	# Inverse neighbour discovery advertisement
 
-# The following should have a link local source address and must be allowed to transit a bridge
+# The following must have a link local source address and must be allowed to transit a bridge
     @1	fe80::/10	-	ipv6-icmp	130	# Listener query
     @1	fe80::/10	-	ipv6-icmp	131	# Listener report
     @1	fe80::/10	-	ipv6-icmp	132	# Listener done
+    @1	fe80::/10	-	ipv6-icmp	router-advertisement
+    @1	::		-	ipv6-icmp	143	# Listener report v2
     @1	fe80::/10	-	ipv6-icmp	143	# Listener report v2
 
 # The following should be received with a ttl of 255 and must be allowed to transit a bridge
-    @1	-		-	ipv6-icmp	148	# Certificate path solicitation
+    @1	::		-	ipv6-icmp	148	# Certificate path solicitation
-    @1	-		-	ipv6-icmp	149	# Certificate path advertisement
+    @1	fe80::/10	-	ipv6-icmp	148	# Certificate path solicitation
+    @1	fe80::/10	-	ipv6-icmp	149	# Certificate path advertisement
 
 # The following should have a link local source address and a ttl of 1 and must be allowed to transit a bridge
     @1	fe80::/10	-	ipv6-icmp	151	# Multicast router advertisement

Shorewall/Actions/action.Broadcast

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.DNSAmp

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Established

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.FIN

@@ -7,7 +7,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.IfEvent

@@ -27,7 +27,7 @@
 #                the IP address that are older than <duration> seconds.
 # Disposition  - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.org/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 ###############################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE

Shorewall/Actions/action.Invalid

@@ -6,7 +6,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Limit

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Multicast

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.New

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.NotSyn

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.RST

@@ -7,7 +7,7 @@
 #
 # (c) 2012-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.Related

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.ResetEvent

@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any rule generated.
 #
-# For additional information, see http://www.shorewall.org/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 ###############################################################################
 #                        DO NOT REMOVE THE FOLLOWING LINE

Shorewall/Actions/action.SetEvent

@@ -13,7 +13,7 @@
 #               address (dst)
 # Disposition - Disposition for any event generated.
 #
-# For additional information, see http://www.shorewall.org/Events.html
+# For additional information, see https://shorewall.org/Events.html
 #
 
 DEFAULTS -,ACCEPT,src

Shorewall/Actions/action.Untracked

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowBcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowInvalid

@@ -5,7 +5,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowMcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.allowinUPnP

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropBcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropBcasts

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropInvalid

@@ -7,7 +7,7 @@
 #
 # (c) 2011-2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropMcast

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.dropNotSyn

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.forwardUPnP

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.mangletemplate

@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.org/Actions.html for additional
+# Please see https://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/mangle.

Shorewall/Actions/action.rejNotSyn

@@ -5,7 +5,7 @@
 #
 # (c) 2017 Tom Eastep (teastep@shorewall.net)
 #
-# Complete documentation is available at http://shorewall.org
+# Complete documentation is available at https://shorewall.org
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of Version 2 of the GNU General Public License

Shorewall/Actions/action.template

@@ -13,7 +13,7 @@
 # 2. Copy this file to /etc/shorewall/action.<action name>
 # 3. Add the desired rules to that file.
 #
-# Please see http://shorewall.org/Actions.html for additional
+# Please see https://shorewall.org/Actions.html for additional
 # information.
 #
 # Columns are the same as in /etc/shorewall/rules.

Shorewall/Contrib/swping

@@ -21,7 +21,7 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#  For information about this script, see  http://www.shorewall.org/MultiISP.html#swping.
+#  For information about this script, see  https://shorewall.org/MultiISP.html#swping.
 #
 ###########################################################################################
 #

Shorewall/Contrib/swping.init

@@ -7,7 +7,7 @@
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License

Shorewall/INSTALL

@@ -18,7 +18,7 @@ Shoreline Firewall (Shorewall) Version 5
 
 ---------------------------------------------------------------------------
 
-Please see http://www.shorewall.org/Install.htm for installation
+Please see https://shorewall.org/Install.htm for installation
 instructions.
 
 

Shorewall/Macros/macro.NFS

@@ -0,0 +1,12 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.NFS
+#
+# This macro handles NFS v4.1+ traffic with default ports.
+# You should only allow NFS traffic between hosts you fully trust.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	111		# portmapper, rpcbind
+PARAM	-	-	tcp	2049		# nfs
+PARAM	-	-	tcp	20048		# mountd

Shorewall/Macros/macro.TorMetrics

@@ -0,0 +1,8 @@
+#
+# Shorewall --/usr/share/shorewall/macro.TorMetrics
+#
+# Macro for handling Tor Onion Network traffic
+#
+##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+PARAM		-		-		tcp	9035	

Shorewall/Perl/Shorewall/ARP.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2013 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Accounting.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Chains.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -37,6 +37,7 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
 use strict;
+use sort 'stable';
 
 our @ISA = qw(Exporter);
 our @EXPORT = ( qw(
@@ -319,6 +320,7 @@ our $VERSION = 'MODULEVERSION';
 #    %chain_table { <table> => { <chain1>  => { name         => <chain name>
 #                                               table        => <table name>
 #                                               is_policy    => undef|1 -- if 1, this is a policy chain
+#                                               wild         => undef|1 -- If 1, source or dest is 'all'. Only applies to policy chains
 #                                               provisional  => undef|1 -- See below.
 #                                               referenced   => undef|1 -- If 1, will be written to the iptables-restore-input.
 #                                               builtin      => undef|1 -- If 1, one of Netfilter's built-in chains.
@@ -725,6 +727,7 @@ our %opttype = ( rule          => CONTROL,
 		 'icmpv6-type' => UNIQUE,
 
 		 comment       => CONTROL,
+		 digest        => CONTROL,
 
 		 policy        => MATCH,
 		 state         => EXCLUSIVE,
@@ -891,7 +894,7 @@ sub validate_port( $$ ) {
 
     fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
 
-    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])";
 }
 
 #
@@ -3520,6 +3523,33 @@ sub irule_to_string( $ ) {
     $string;
 }
 
+#
+# This one omits the comment
+#
+sub irule_to_string1( $ ) {
+    my ( $ruleref ) = @_;
+
+    return $ruleref->{cmd} if exists $ruleref->{cmd};
+
+    my $string = '';
+
+    for ( grep ! ( get_opttype( $_, 0 ) & ( CONTROL | TARGET ) ), @{$ruleref->{matches}}) {
+	my $value = $ruleref->{$_};
+	if ( reftype $value ) {
+	    $string .= "$_=" . join( ',', @$value ) . ' ';
+	} else {
+	    $string .= "$_=$value ";
+	}
+    }
+
+    if ( $ruleref->{target} ) {
+	$string .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} );
+	$string .= join( '', ' ', $ruleref->{targetopts} ) if $ruleref->{targetopts};
+    }
+
+    $string;
+}
+
 sub calculate_digest( $ ) {
     my $chainref = shift;
     my $rules = '';
@@ -3706,6 +3736,16 @@ sub optimize_level0() {
     }
 }
 
+#
+# Conditionally sort a list of chain table entry references by name, if -t was specified
+#
+sub sortchainsiftest(\%) {
+    my $hashref = shift;
+
+    return sort { $a->{name} cmp $b->{name} } values %$hashref if $test;
+    return values %$hashref;
+}
+
 sub optimize_level4( $$ ) {
     my ( $table, $tableref ) = @_;
     my $progress = 1;
@@ -3927,7 +3967,7 @@ sub optimize_level4( $$ ) {
     my @chains  = grep ( $_->{referenced}   &&
 			 ! $_->{optflags}   &&
 			 @{$_->{rules}} < 4 &&
-			 keys %{$_->{references}} == 1 , values %$tableref );
+			 keys %{$_->{references}} == 1 , sortchainsiftest %$tableref );
 
     if ( my $chains  = @chains ) {
 	$passes++;
@@ -3936,7 +3976,7 @@ sub optimize_level4( $$ ) {
 
 	for my $chainref ( @chains ) {
 	    my $name = $chainref->{name};
-	    for my $sourceref ( map $tableref->{$_}, keys %{$chainref->{references}} ) {
+	    for my $sourceref ( map $tableref->{$_}, sortkeysiftest %{$chainref->{references}} ) {
 		my $name1 = $sourceref->{name};
 
 		if ( $chainref->{references}{$name1} == 1 ) {
@@ -4040,7 +4080,7 @@ sub optimize_level8( $$$ ) {
 
 		    if ( $config{RENAME_COMBINED} && $chainref->{name} !~ /^[~%]/ ) {
 			#
-			# For simple use of the BLACKLIST section, we can end up with many identical
+			# For simple use of the blrules file, we can end up with many identical
 			# chains. To distinguish them from other renamed chains, we keep track of
 			# these chains via the 'blacklistsection' member.
 			#
@@ -4066,7 +4106,7 @@ sub optimize_level8( $$$ ) {
 	    #
 	    # First create aliases for each renamed chain and change the {name} member.
 	    #
-	    for my $oldname ( @rename ) {
+	    for my $oldname ( sortiftest @rename ) {
 		my $newname = $renamed{ $oldname } = $rename{ $oldname } . $chainseq++;
 
 		trace( $tableref->{$oldname}, 'RN', 0, " Renamed $newname" ) if $debug;
@@ -4179,10 +4219,10 @@ sub get_multi_sports( $ ) {
 }
 
 #
-# Return an array of keys for the passed rule. 'dport', 'comment', and 'origin' are omitted;
+# Return an array of keys for the passed rule. 'dport', 'comment', 'origin' and 'digest' are omitted;
 #
 sub get_keys( $ ) {
-    my %skip = ( dport => 1, comment => 1, origin => 1 );
+    my %skip = ( dport => 1, comment => 1, origin => 1, digest => 1 );
 
     sort grep ! $skip{$_},  keys %{$_[0]};
 }
@@ -4363,64 +4403,54 @@ sub delete_duplicates {
     my @rules;
     my $chainref  = shift;
     my $lastrule  = @_;
-    my $baseref   = pop;
     my $ruleref;
     my %skip = ( comment => 1, origin => 1 );
 
+    for ( @_ ) {
+	$_->{digest} = sha1_hex irule_to_string1( $_ );
+    }
+
+    my $baseref   = pop;
+
     while ( @_ ) {
 	my $docheck;
 	my $duplicate = 0;
 
 	if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
 	    my $ports1;
-	    my @keys1    = sort( grep ! $skip{$_}, keys( %$baseref ) );
+	    my $bad_key;
 	    my $rulenum  = @_;
 	    my $adjacent = 1;
-		
+	    my $digest   = $baseref->{digest};
-	    {
-	      RULE:
 
-		while ( --$rulenum >= 0 ) {
+	    for ( grep ! $skip{$_}, keys( %$baseref ) ) {
-		    $ruleref = $_[$rulenum];
+		$bad_key = 1, last if $bad_match{$_};
+	    }
 
-		    last unless $ruleref->{mode} == CAT_MODE;
+	    while ( --$rulenum >= 0 ) {
+		$ruleref = $_[$rulenum];
 
-		    my @keys2 = sort(grep ! $skip{$_}, keys( %$ruleref ) );
+		last unless $ruleref->{mode} == CAT_MODE;
 
-		    next unless @keys1 == @keys2 ;
+		next unless $digest eq $ruleref->{digest};
 
-		    my $keynum = 0;
+		unless ( $adjacent > 0 ) {
-
-		    if ( $adjacent > 0 ) {
-			#
-			# There are no non-duplicate rules between this rule and the base rule
-			#
-			for my $key (  @keys1 ) {
-			    next RULE unless $key eq $keys2[$keynum++];
-			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
-			}
-		    } else {
-			#
-			# There are non-duplicate rules between this rule and the base rule
-			#
-			for my $key ( @keys1 ) {
-			    next RULE unless $key eq $keys2[$keynum++];
-			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
-			    last RULE if $bad_match{$key};
-			}
-		    }
 		    #
-		    # This rule is a duplicate
+		    # There are non-duplicate rules between this rule and the base rule
 		    #
-		    $duplicate = 1;
+		    last if $bad_key;
-		    #
-		    # Increment $adjacent so that the continue block won't set it to zero
-		    #
-		    $adjacent++;
-
-		} continue {
-		    $adjacent--;
 		}
+		#
+		# This rule is a duplicate
+		#
+		$duplicate = 1;
+		#
+		# Increment $adjacent so that the continue block won't set it to zero
+		#
+		$adjacent++;
+
+	    } continue {
+		$adjacent--;
 	    }
 	}
 
@@ -4457,10 +4487,10 @@ sub get_conntrack( $ ) {
 }
 
 #
-# Return an array of keys for the passed rule. 'conntrack',  'comment' & 'origin' are omitted;
+# Return an array of keys for the passed rule. 'conntrack',  'comment', 'origin' and 'digest' are omitted;
 #
 sub get_keys1( $ ) {
-    my %skip = ( comment => 1, origin => 1 , 'conntrack --ctstate' => 1 );
+    my %skip = ( comment => 1, origin => 1 , digest => 1, 'conntrack --ctstate' => 1 );
 
     sort grep ! $skip{$_},  keys %{$_[0]};
 }
@@ -4579,7 +4609,7 @@ sub combine_states {
 
 sub optimize_level16( $$$ ) {
     my ( $table, $tableref , $passes ) = @_;
-    my @chains   = ( grep $_->{referenced}, values %{$tableref} );
+    my @chains   = ( grep $_->{referenced}, sortchainsiftest %{$tableref} );
     my @chains1  = @chains;
     my $chains   = @chains;
 
@@ -4696,7 +4726,7 @@ sub setup_zone_mss() {
 
 	my $hosts = find_zone_hosts_by_option( $zone, 'mss' );
 
-	for my $hostref ( @$hosts ) {
+	for my $hostref ( $test ? sort { $a->[0] cmp $b->[0] } @$hosts : @$hosts ) {
 	    my $mss         = $hostref->[4];
 	    my @mssmatch    = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : ();
 	    my @sourcedev   = imatch_source_dev $hostref->[0];
@@ -7448,20 +7478,20 @@ sub have_address_variables() {
 #
 # Generate setting of run-time global shell variables
 #
-sub set_global_variables( $$ ) {
+sub set_global_variables( $$$ ) {
 
-    my ( $setall, $conditional ) = @_;
+    my ( $setall, $conditional, $call_generate_all_acasts ) = @_;
 
     if ( $conditional ) {
 	my ( $interface, @interfaces );
 
-	@interfaces = keys %interfaceaddr;
+	@interfaces = sortkeysiftest %interfaceaddr;
 
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfaceaddr{$interface}) );
 	}
 
-	@interfaces = keys %interfacegateways;
+	@interfaces = sortkeysiftest %interfacegateways;
 
 	for $interface ( @interfaces ) {
 	    emit( qq(if [ -z "\$interface" -o "\$interface" = "$interface" ]; then) );
@@ -7471,29 +7501,30 @@ sub set_global_variables( $$ ) {
 	    emit( qq(fi\n) );
 	}
 
-	@interfaces = keys %interfacemacs;
+	@interfaces = sortkeysiftest %interfacemacs;
 
 	for $interface ( @interfaces ) {
 	    emit( qq([ -z "\$interface" -o "\$interface" = "$interface" ] && $interfacemacs{$interface}) );
 	}
     } else {
-	emit $_     for values %interfaceaddr;
+	emit $interfaceaddr{$_}         for sortkeysiftest %interfaceaddr;
-	emit "$_\n" for values %interfacegateways;
+	emit "$interfacegateways{$_}\n" for sortkeysiftest %interfacegateways;
-	emit $_     for values %interfacemacs;
+	emit $interfacemacs{$_}         for sortkeysiftest %interfacemacs;
     }
 
     if ( $setall ) {
-	emit $_ for values %interfaceaddrs;
+	if ( $conditional ) {
-	emit $_ for values %interfacenets;
+	    emit $interfaceaddr{$_}         for sortkeysiftest %interfaceaddr;
+	    emit $interfacenets{$_}         for sortkeysiftest %interfacenets;
+	}
 
 	unless ( have_capability( 'ADDRTYPE' ) ) {
-
 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
-		emit $_ for values %interfacebcasts;
+		emit $interfacebcasts{$_} for sortkeysiftest %interfacebcasts;
 	    } else {
-		emit 'ALL_ACASTS="$(get_all_acasts)"';
+		emit $call_generate_all_acasts;
-		emit $_ for values %interfaceacasts;
+		emit $interfaceacasts{$_} for sortkeysiftest %interfaceacasts;
 	    }
 	}
     }
@@ -8457,7 +8488,7 @@ sub add_interface_options( $ ) {
 	# Insert jumps to the interface chains into the rules chains
 	#
 	for my $zone1 ( off_firewall_zones ) {
-	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
+	    my @input_interfaces   = sortkeysiftest %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;
 
 	    if ( @input_interfaces > 1 ) {
@@ -8543,7 +8574,7 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
-		my @interfaces = keys %{zone_interfaces( $zone2 )};
+		my @interfaces = sortkeysiftest %{zone_interfaces( $zone2 )};
 		my $chain1ref;
 
 		for my $interface ( @interfaces ) {
@@ -8861,7 +8892,7 @@ sub ensure_ipsets( @ ) {
     my $set;
     my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
 
-    if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
+    if ( $_[0] eq $globals{DBL_IPSET} ) {
 	shift;
 
 	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));
@@ -8872,12 +8903,12 @@ sub ensure_ipsets( @ ) {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout 0${counters}) );
 	} else {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout 0${counters}) );
 	}
 
 	pop_indent;
@@ -8984,7 +9015,7 @@ sub create_save_ipsets() {
 	    #
 	    $ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
 
-	    my @sets = keys %ipsets;
+	    my @sets = sortkeysiftest %ipsets;
 
 	    emit( '' ,
 		  '    rm -f $file' ,
@@ -9054,10 +9085,14 @@ sub create_load_ipsets() {
 	    # Requires V5 or later
 	    #
 	    emit( '' ,
-		  "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
+		  '    if  [ -f ${VARDIR}/ipsets.save ]; then' ,
-		  '        $IPSET flush $set' ,
+		  '        while read verb set rest; do' ,
-		  '        $IPSET destroy $set' ,
+		  '            if [ $verb = create ]; then' ,
-		  "    done" ,
+		  '                $IPSET flush $set' ,
+		  '                $IPSET destroy $set' ,
+		  '            fi' ,
+		  '        done < ${VARDIR}/ipsets.save' ,
+		  '    fi',
 		);
 	} else {
 	    #
@@ -9100,7 +9135,7 @@ sub create_load_ipsets() {
 		emit( '        #',
 		      '        # Update the dynamic blacklisting ipset timeout value',
 		      '        #',
-		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
+		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout 0" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
 		      '        zap_ipsets',
 		      '        $IPSET restore < ${VARDIR}/ipsets.temp',
 		      '    fi' );
@@ -9153,7 +9188,7 @@ sub create_load_ipsets() {
 #
 sub create_nfobjects() {
     
-    my @objects = ( keys %nfobjects );
+    my @objects = ( sortkeysiftest %nfobjects );
 
     if ( @objects ) {
 	if ( $config{NFACCT} ) {
@@ -9168,7 +9203,7 @@ sub create_nfobjects() {
 	}
     }
 
-    for ( keys %nfobjects ) {
+    for ( @objects ) {
 	emit( qq(if ! qt \$NFACCT get $_; then),
 	      qq(    \$NFACCT add $_),
 	      qq(fi\n) );
@@ -9541,7 +9576,7 @@ sub create_stop_load( $ ) {
 }
 
 sub initialize_switches() {
-    if ( keys %switches ) {
+    if ( sortkeysiftest %switches ) {
 	emit( 'if [ $COMMAND = start ]; then' );
 	push_indent;
 	for my $switch ( keys %switches ) {

Shorewall/Perl/Shorewall/Compiler.pm

@@ -6,7 +6,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -49,8 +49,6 @@ our $VERSION = 'MODULEVERSION';
 
 our $export;          # True when compiling for export
 
-our $test;            # True when running regression tests
-
 our $family;          # IP address family (4 or 6)
 
 our $have_arptables;  # True if we have arptables rules
@@ -58,8 +56,8 @@ our $have_arptables;  # True if we have arptables rules
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $$$ ) {
+sub initialize_package_globals( $$$$ ) {
-    Shorewall::Config::initialize($family, $export, $_[1], $_[2]);
+    Shorewall::Config::initialize($family, $export, $_[1], $_[2], $_[3]);
     Shorewall::Chains::initialize ($family, 1, $export );
     Shorewall::Zones::initialize ($family, $_[0]);
     Shorewall::Nat::initialize($family);
@@ -278,12 +276,18 @@ sub generate_script_2() {
 
     emit "}\n"; # End of initialize()
 
+    #
+    # Conditionally emit the 'generate_all_acasts() function
+    #
+    my $call_generate_all_acasts = $family == F_IPV6 && ! have_capability( 'ADDRTYPE' ) ? generate_all_acasts : '';
+
     emit( '' ,
 	  '#' ,
 	  '# Set global variables holding detected IP information' ,
 	  '#' ,
 	  'detect_configuration()',
-	  '{' );
+	  '{'
+	);
 
     my $global_variables    = have_global_variables;
     my $optional_interfaces = find_interfaces_by_option( 'optional' );
@@ -314,7 +318,7 @@ sub generate_script_2() {
 
 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 		verify_required_interfaces(0);
-		set_global_variables(0, 0);
+		set_global_variables( $family == F_IPV6, 0, $call_generate_all_acasts );
 		handle_optional_interfaces;
 	    }
 
@@ -328,7 +332,7 @@ sub generate_script_2() {
 	}
 
 	verify_required_interfaces(1);
-	set_global_variables(1,1);
+	set_global_variables(1, 1, $call_generate_all_acasts );
 	handle_optional_interfaces;
 
 	if ( $global_variables & NOT_RESTORE ) {
@@ -545,13 +549,13 @@ date > ${VARDIR}/restarted
 
 case $COMMAND in
     start)
-        mylogger kern.info "$g_product started"
+        mylogger daemon.info "$g_product started"
         ;;
     reload)
-        mylogger kern.info "$g_product reloaded"
+        mylogger daemon.info "$g_product reloaded"
         ;;
     restore)
-        mylogger kern.info "$g_product restored"
+        mylogger daemon.info "$g_product restored"
         ;;
 esac
 EOF
@@ -588,7 +592,7 @@ sub compiler {
        ( '',              '',         -1,         '',          0,      '',    -1,             0,        0,         0,        0,        , ''          , '/usr/share/shorewall/shorewallrc', ''            );
 
     $export         = 0;
-    $test           = 0;
+    my $test        = 0;
     $have_arptables = 0;
 
     sub validate_boolean( $ ) {
@@ -641,18 +645,19 @@ sub compiler {
     #
     # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
     #
-    initialize_package_globals( $update, $shorewallrc, $shorewallrc1 );
+    initialize_package_globals( $update, $test, $shorewallrc, $shorewallrc1 );
-
+    #
+    # Rather than continuing to extend the argument list of Config::initialize(),
+    # we use a set of small functions to export settings to the Config module.
+    #
     set_config_path( $config_path ) if $config_path;
-
     set_shorewall_dir( $directory ) if $directory ne '';
-
     $verbosity = 1 if $debug && $verbosity < 1;
-
     set_verbosity( $verbosity );
     set_log($log, $log_verbosity) if $log;
     set_timestamp( $timestamp );
     set_debug( $debug , $confess );
+    set_command( 'compile', 'Compiling', 'Compiled' );
     #
     #                                      S H O R E W A L L R C ,
     #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
@@ -670,12 +675,7 @@ sub compiler {
     #
     # Create a temp file to hold the script
     #
-    if ( $scriptfilename ) {
+    create_temp_script( $scriptfilename , $export ) if $scriptfilename;
-	set_command( 'compile', 'Compiling', 'Compiled' );
-	create_temp_script( $scriptfilename , $export );
-    } else {
-	set_command( 'check', 'Checking', 'Checked' );
-    }
     #
     #                                     Z O N E   D E F I N I T I O N
     #                              (Produces no output to the compiled script)
@@ -864,13 +864,13 @@ sub compiler {
 	if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
+	    # Optimize the ruleet
+	    #
+	    optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
+	    #
 	    # Optimize Policy Chains
 	    #
-	    optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
+	    optimize_policy_chains if $optimize & OPTIMIZE_POLICY_MASK;
-	    #
-	    # More Optimization
-	    #
-	    optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
 	}
 
 	enable_script;
@@ -913,7 +913,7 @@ sub compiler {
 	#
 	# Close, rename and secure the script
 	#
-	finalize_script ( $export );
+	finalize_script ( $export, $test );
 	#
 	# And generate the auxilary config file
 	#
@@ -934,16 +934,16 @@ sub compiler {
 
 	    optimize_level0;
 
-	    if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1e ) {
+	    if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
-		# Optimize Policy Chains
-		#
-		optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
-		#
 		# Ruleset Optimization
 		#
 		optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
+		#
+		# Optimize Policy Chains
+		#
+		optimize_policy_chains if $optimize & OPTIMIZE_POLICY_MASK;
 	    }
 
 	    enable_script if $debug;
@@ -978,11 +978,7 @@ sub compiler {
 	#
 	report_used_capabilities;
 
-	if ( $family == F_IPV4 ) {
+	progress_message3 "$Product configuration verified";
-	    progress_message3 "Shorewall configuration verified";
-	} else {
-	    progress_message3 "Shorewall6 configuration verified";
-	}
     }
 
     close_log if $log;

Shorewall/Perl/Shorewall/Config.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -166,7 +166,11 @@ our @EXPORT = qw(
 		 report_used_capabilities
 		 kernel_version
 
-                 compiletime
+		 compiletime
+
+		 sortkeysiftest
+		 sortvaluesiftest
+		 sortiftest
 				       
 		 F_IPV4
 		 F_IPV6
@@ -264,6 +268,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $debug
 				       $file_format
 				       $comment
+				       $test
 
 				       %config
 				       %origin
@@ -306,7 +311,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 				       OPTIMIZE_MASK
 				       OPTIMIZE_POLICY_MASK
-				       OPTIMIZE_POLICY_MASK2n4
 				       OPTIMIZE_RULESET_MASK
 				       OPTIMIZE_ALL
 				     ) , ] ,
@@ -498,6 +502,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 RESTORE_WAIT_OPTION
 				 => 'iptables-restore --wait option',
                  NAT_INPUT_CHAIN => 'INPUT chain in NAT table',
+		 CONNMARK_ACTION => 'TC connmark support',
 		 #
 		 # Helpers
 		 #
@@ -550,7 +555,6 @@ use constant {
 #
 use constant {
 	       OPTIMIZE_POLICY_MASK    => 0x02 , # Call optimize_policy_chains()
-	       OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
 	       OPTIMIZE_RULESET_MASK   => 0x1C , # Call optimize_ruleset()
                OPTIMIZE_MASK           => 0x1E , # Do optimizations beyond level 1
 	       OPTIMIZE_ALL            => 0x1F , # Maximum value for documented categories.
@@ -652,6 +656,30 @@ our %params;
 #
 our %compiler_params;
 #
+# Entries conditionally exported to the compiled script via the aux config file
+#
+our @exported_params = ( qw(
+			 VERBOSITY
+			 LOGFILE
+			 LOGFORMAT
+			 APRTABLES
+			 IPTABLES
+			 IP6TABLES
+			 IP
+			 TC
+			 IPSET
+			 PATH
+			 SHOREWALL_SHELL
+			 SHELL
+			 SUBSYSLOCK
+			 LOCKFILE
+			 RESTOREFILE
+			 RESTART
+			 DYNAMIC_BLACKLIST
+			 PAGER
+			 )
+    );
+#
 # Action parameters
 #
 our %actparams;
@@ -793,6 +821,8 @@ our %filecache;
 
 our $compiletime;
 
+our $test;
+
 sub process_shorewallrc($$);
 sub add_variables( \% );
 #
@@ -804,9 +834,12 @@ sub add_variables( \% );
 #
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
-#
+####################################################################################################
-sub initialize($;$$$) {
+# Do not change the required part of this prototype unless you want to take on a lot of additional
-    ( $family, $export, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
+# work (This function is called from build).
+####################################################################################################
+sub initialize($;$$$$) {
+    ( $family, $export, $test, my ( $shorewallrc, $shorewallrc1 ) ) = @_;
 
     if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -851,8 +884,8 @@ sub initialize($;$$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => '5.2.0-Beta1',
+		    VERSION                 => '5.2.8-RC1',
-		    CAPVERSION              => 50200 ,
+		    CAPVERSION              => 50207 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@@ -1146,6 +1179,7 @@ sub initialize($;$$$) {
 	       NFLOG_SIZE => undef,
 	       RESTORE_WAIT_OPTION => undef,
 	       NAT_INPUT_CHAIN => undef,
+	       CONNMARK_ACTION => undef ,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -1473,7 +1507,7 @@ sub qt1( $ ) {
 }
 
 #
-# Delete the test chains
+# Delete the test chains and IP sets
 #
 sub cleanup_iptables() {
     qt1( "$iptables $iptablesw -F $sillyname" );
@@ -1496,6 +1530,12 @@ sub cleanup_iptables() {
 	qt1( "$iptables $iptablesw -t raw -X $sillyname" );
     }
 
+    my $ipset  = $config{IPSET} || 'ipset';
+    $ipset = which( $ipset ) unless $ipset =~ '/';
+    if ( $ipset && -x $ipset ) {
+	qt( "$ipset -X $sillyname" );
+    }
+
     $sillyname = $sillyname1 = '';
 }
 
@@ -1540,7 +1580,7 @@ sub cleanup() {
     unlink ( $perlscriptname ), $perlscriptname = undef if $perlscriptname;
     unlink ( @tempfiles ), @tempfiles = ()              if @tempfiles;
     #
-    # Delete temporary chains
+    # Delete temporary chains and IP sets
     #
     cleanup_iptables if $sillyname;
 }
@@ -1828,6 +1868,30 @@ sub set_command( $$$ ) {
     ($command, $doing, $done) = @_;
 }
 
+#
+# Return the keys or values of the passed hash. If $test, the keys/values will be sorted by their own values
+#
+sub sortkeysiftest(\%) {
+    my ( $hashref ) =  @_;
+
+    return sort keys %$hashref if $test;
+    return keys %$hashref;
+}
+
+sub sortvaluesiftest(\%) {
+    my ( $hashref ) =  @_;
+
+    return sort values %$hashref if $test;
+    return keys %$hashref;
+}
+
+#
+# Sort a list by the list elements if $test
+#
+sub sortiftest(@) {
+    return $test ? sort @_ : @_;
+}
+
 #
 # Print the current TOD to STDOUT.
 #
@@ -2015,28 +2079,30 @@ sub generate_sha1() {
 #
 # Finalize the script file
 #
-sub finalize_script( $ ) {
+sub finalize_script( $$ ) {
-    my $export = $_[0];
+    my ( $export, $test ) = @_;
     close $script;
     $script = 0;
 
     if ( $file ne '-' ) {
-	my $sha1sum  = generate_sha1;
+	unless ( $test ) {
-	my $sha1sum1 = join( '-', 'sha-lh', substr( $sha1sum, 0, 20 ) );
+	    my $sha1sum  = generate_sha1;
-	my $sha1sum2 = join( '-', 'sha-rh', substr( $sha1sum, -20   ) );
+	    my $sha1sum1 = join( '-', 'sha-lh', substr( $sha1sum, 0, 20 ) );
+	    my $sha1sum2 = join( '-', 'sha-rh', substr( $sha1sum, -20   ) );
 
-	@ARGV = ( $tempfile );
+	    @ARGV = ( $tempfile );
-	$^I = '';
+	    $^I = '';
 
-	while ( <> ) {
+	    while ( <> ) {
-	    s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
+		s/g_sha1sum1=/g_sha1sum1=$sha1sum1/;
-	    s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
+		s/g_sha1sum2=/g_sha1sum2=$sha1sum2/;
-	    print;
+		print;
+	    }
 	}
 
 	rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
 	chmod 0700, $file or fatal_error "Cannot secure $file for execute access";
-	progress_message3 "Shorewall configuration compiled to $file" unless $export;
+	progress_message3 "$Product configuration compiled to $file" unless $export;
     }
 }
 
@@ -2058,7 +2124,7 @@ sub finalize_aux_config() {
     close $script;
     $script = 0;
     rename $tempfile, "$file.conf" or fatal_error "Cannot Rename $tempfile to $file.conf: $!";
-    progress_message3 "Shorewall configuration compiled to $file";
+    progress_message3 "$Product configuration compiled to $file";
 }
 
 #
@@ -4355,7 +4421,9 @@ sub validate_level( $;$ ) {
 sub default_log_level( $$ ) {
     my ( $level, $default ) = @_;
 
-    my $value = $config{$level};
+    my $value = $config{$level} || '';
+
+    $value = $config{LOG_LEVEL} if $value eq '$LOG_LEVEL';  #This can happen during update
 
     unless ( supplied $value ) {
 	$config{$level} = validate_level $default, $level;
@@ -4992,6 +5060,10 @@ sub Basic_Filter() {
     $tc && system( "$tc filter add basic help 2>&1 | grep -q ^Usage" ) == 0;
 }
 
+sub Connmark_Action() {
+    $tc && system( "$tc action add connmark help 2>&1 | grep -q ^Usage" ) == 0;
+}
+
 sub Basic_Ematch() {
     $tc && have_capability( 'BASIC_FILTER' ) && system( "$tc filter add basic help 2>&1 | egrep -q match" ) == 0;
 }
@@ -5121,6 +5193,7 @@ our %detect_capability =
       COMMENTS => \&Comments,
       CONNLIMIT_MATCH => \&Connlimit_Match,
       CONNMARK => \&Connmark,
+      CONNMARK_ACTION => \&Connmark_Action,
       CONNMARK_MATCH => \&Connmark_Match,
       CONNTRACK_MATCH => \&Conntrack_Match,
       CPU_FANOUT => \&Cpu_Fanout,
@@ -5314,17 +5387,12 @@ sub ensure_config_path() {
 
     my $chop = ( $path =~ s/^:// );
 
+    $path =~ s/:+/:/g;
+
     @config_path = split /:/, $path;
 
     shift @config_path if $chop && ( $export || $> != 0 );
 
-    #
-    # To accomodate Cygwin-based compilation, we have separate directories for files whose names
-    # clash on a case-insensitive filesystem.
-    #
-    push @config_path, $globals{SHAREDIR}    . "/deprecated";
-    push @config_path, $shorewallrc{SHAREDIR}. '/shorewall/deprecated' unless $globals{PRODUCT} eq 'shorewall';
-
     for ( @config_path ) {
 	$_ .= '/' unless m|/$|;
         s|//|/|g;
@@ -5468,6 +5536,8 @@ sub update_config_file( $ ) {
     for ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT/ ) {
 	my $policy = $config{ $_ };
 
+	$policy = '' unless defined $policy;
+
 	if ( $policy =~ /\bA_(?:Drop|Reject)\b/ ) {
 	    if ( $family == F_IPV4 ) {
 		$policy =~ s/A_(?:Drop|Reject)/Broadcast(A_DROP),Multicast(A_DROP)/;
@@ -5619,6 +5689,11 @@ sub process_shorewall_conf( $$ ) {
 	$globals{CONFIGDIR} =  $configfile = $file;
 	$globals{CONFIGDIR} =~ s/$product.conf//;
 
+	if ( $export ) {
+	    use Sys::Hostname;
+	    $globals{CONFIGDIR} = join( ':', hostname, $globals{CONFIGDIR} );
+	}
+
 	if ( -r _ ) {
 	    open_file $file;
 
@@ -5747,9 +5822,10 @@ sub get_capabilities($)
 	fatal_error "Can't find $toolname executable" unless $iptables = which $toolname;
     }
     #
-    # Determine if iptables supports the -w option
+    # Determine if iptables supports the -w option unless we already have
+    # existing capabilities
     #
-    $iptablesw = qt1( "$iptables -w -L -n") ? '-w' : '';
+    $iptablesw = qt1( "$iptables -w -n -L INPUT") ? '-w' : '' unless $_[0];
 
     my $iptables_restore=$iptables . '-restore';
 
@@ -6257,6 +6333,14 @@ sub get_configuration( $$$ ) {
     process_shorewall_conf( $update, $annotate );
 
     ensure_config_path;
+    #
+    # To accomodate Cygwin-based compilation, we have separate directories for files whose names
+    # clash on a case-insensitive filesystem.
+    #
+    push @config_path, $globals{SHAREDIR}    . "/deprecated/" unless $config_path[-1] eq $globals{SHAREDIR} . "/deprecated/";
+    push @config_path, $shorewallrc{SHAREDIR}. '/shorewall/deprecated/' unless $globals{PRODUCT} eq 'shorewall';
+
+    $config{CONFIG_PATH} = join( ':', @config_path );
 
     @INC = @originalinc;
 
@@ -6635,7 +6719,7 @@ sub get_configuration( $$$ ) {
 
     if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
-	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
+	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1, 'log' => 1, 'noupdate' => 1, );
 
 	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
 
@@ -6774,6 +6858,12 @@ sub get_configuration( $$$ ) {
 
     require_capability 'AUDIT_TARGET', "SMURF_DISPOSITION=$val", 's' if $val =~ /^A_/;
 
+    if ( supplied( $val = $config{LOG_LEVEL} ) ) {
+	validate_level( $val );
+    } else {
+	$config{LOG_LEVEL} = 'info';
+    }
+
     default_log_level 'BLACKLIST_LOG_LEVEL',  '';
     default_log_level 'MACLIST_LOG_LEVEL',    '';
     default_log_level 'TCP_FLAGS_LOG_LEVEL',  '';
@@ -6782,12 +6872,6 @@ sub get_configuration( $$$ ) {
     default_log_level 'INVALID_LOG_LEVEL',    '';
     default_log_level 'UNTRACKED_LOG_LEVEL',  '';
 
-    if ( supplied( $val = $config{LOG_LEVEL} ) ) {
-	validate_level( $val );
-    } else {
-	$config{LOG_LEVEL} = 'info';
-    }
-
     if ( supplied( $val = $config{LOG_BACKEND} ) ) {
 	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
 	    $val = 'ipt_ULOG';
@@ -7160,8 +7244,8 @@ sub generate_aux_config() {
 
     emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
 
-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST PAGER) ) {
+    for my $param ( @exported_params ) {
-	conditionally_add_option $option;
+	conditionally_add_option $param;
     }
 
     conditionally_add_option1 'TC_ENABLED';

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -149,14 +149,13 @@ sub validate_4address( $$ ) {
 
     unless ( valid_4address $addr ) {
 	fatal_error "Invalid IP Address ($addr)" unless $allow_name;
-	fatal_error "Unknown Host ($addr)" unless  @addrs = gethostbyname( $addr );
+	my ( $err, @addr_structs ) = Socket::getaddrinfo( $addr, 0, {
+	    family => Socket::AF_INET,
+	    protocol => Socket::IPPROTO_TCP,
+	} );
+	fatal_error "Unknown Host ($addr)" if $err != 0;
 
-	if ( defined wantarray ) {
+	@addrs = translate_addr_structs( @addr_structs );
-	    shift @addrs for (1..4);
-	    for ( @addrs ) {
-		$_ = ( inet_ntoa( $_ ) );
-	    }
-	}
     }
 
     defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
@@ -164,14 +163,14 @@ sub validate_4address( $$ ) {
 
 sub resolve_4dnsname( $ ) {
     my $net = $_[0];
-    my @addrs;
 
-    fatal_error "Unknown Host ($net)" unless  @addrs = gethostbyname( $net );
+    my ( $err, @addr_structs ) = Socket::getaddrinfo( $net, 0, {
+	family => Socket::AF_INET,
+	protocol => Socket::IPPROTO_TCP,
+    } );
+    fatal_error "Unknown Host ($net)" if $err != 0;
 
-    shift @addrs for (1..4);
+    my @addrs = translate_addr_structs( @addr_structs );
-    for ( @addrs ) {
-	$_ = ( inet_ntoa( $_ ) );
-    }
 
     @addrs;
 } 
@@ -508,15 +507,13 @@ sub validate_6address( $$ ) {
 
     unless ( valid_6address $addr ) {
 	fatal_error "Invalid IPv6 Address ($addr)" unless $allow_name;
-	require Socket6;
+	my ( $err, @addr_structs ) = Socket::getaddrinfo( $addr, 0, {
-	fatal_error "Unknown Host ($addr)" unless (@addrs = Socket6::gethostbyname2( $addr, Socket6::AF_INET6()));
+	    family => Socket::AF_INET6,
+	    protocol => Socket::IPPROTO_TCP,
+	} );
+	fatal_error "Unknown Host ($addr)" if $err != 0;
 
-	if ( defined wantarray ) {
+	@addrs = translate_addr_structs( @addr_structs );
-	    shift @addrs for (1..4);
-	    for ( @addrs ) {
-		$_ = Socket6::inet_ntop( Socket6::AF_INET6(), $_ );
-	    }
-	}
     }
 
     defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
@@ -524,15 +521,14 @@ sub validate_6address( $$ ) {
 
 sub resolve_6dnsname( $ ) {
     my $net = $_[0];
-    my @addrs;
     
-    require Socket6;
+    my ( $err, @addr_structs ) = Socket::getaddrinfo( $net, 0, {
-    fatal_error "Unknown Host ($net)" unless (@addrs = Socket6::gethostbyname2( $net, Socket6::AF_INET6()));
+	family => Socket::AF_INET6,
+	protocol => Socket::IPPROTO_TCP,
+    } );
+    fatal_error "Unknown Host ($net)" if $err != 0;
 
-    shift @addrs for (1..4);
+    my @addrs = translate_addr_structs( @addr_structs );
-    for ( @addrs ) {
-	$_ = Socket6::inet_ntop( Socket6::AF_INET6(), $_ );
-    }
 
     @addrs;
 }
@@ -661,6 +657,19 @@ sub validate_6host( $$ ) {
     }
 }
 
+sub translate_addr_structs {
+    my @addr_structs = @_;
+
+    my @addrs;
+    foreach my $addr_struct ( @addr_structs ) {
+	my ( $err, $ip_addr ) = Socket::getnameinfo( $addr_struct->{addr},
+	    Socket::NI_NUMERICHOST, Socket::NIx_NOSERV );
+        push @addrs, $ip_addr if $err == 0;
+    }
+
+    return @addrs;
+}
+
 my %ipv6_icmp_types = ( any                          => 'any',
 			'destination-unreachable'    => 1,
 			'no-route'                   => '1/0',

Shorewall/Perl/Shorewall/Misc.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -34,6 +34,7 @@ use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::Rules;
 use Shorewall::Proc;
+use sort 'stable';
 
 use strict;
 
@@ -130,7 +131,7 @@ sub setup_ecn()
 	}
 
 	if ( @hosts ) {
-	    my @interfaces = ( keys %interfaces );
+	    my @interfaces = ( sortkeysiftest %interfaces );
 
 	    progress_message "$doing ECN control on @interfaces...";
 
@@ -335,7 +336,7 @@ sub convert_blacklist() {
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
-# Please see http://shorewall.org/blacklisting_support.htm for additional
+# Please see https://shorewall.org/blacklisting_support.htm for additional
 # information.
 #
 ###################################################################################################################################################################################################
@@ -434,9 +435,9 @@ sub convert_routestopped() {
 # For information about entries in this file, type "man shorewall-stoppedrules"
 #
 # The manpage is also online at
-# http://www.shorewall.org/manpages/shorewall-stoppedrules.html
+# https://shorewall.org/manpages/shorewall-stoppedrules.html
 #
-# See http://shorewall.org/starting_and_stopping_shorewall.htm for additional
+# See https://shorewall.org/starting_and_stopping_shorewall.htm for additional
 # information.
 #
 ###############################################################################
@@ -734,6 +735,7 @@ sub add_common_rules ( $ ) {
     my $dbl_tag;
     my $dbl_src_target;
     my $dbl_dst_target;
+    my $dbl_options;
 
     if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -795,9 +797,10 @@ sub add_common_rules ( $ ) {
 
 	if ( $dbl_ipset ) {
 	    if ( $val = $globals{DBL_TIMEOUT} ) {
-		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
+		$dbl_options    = $globals{DBL_OPTIONS};
+		$dbl_src_target = $dbl_options =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
 
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = new_standard_chain( $dbl_src_target );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -808,11 +811,11 @@ sub add_common_rules ( $ ) {
 				'add',
 				'',
 				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} ) unless $dbl_options =~ /noupdate/;
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 
 		if ( $dbl_src_target eq 'dbl_src' ) {
-		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
+		    $chainref = new_standard_chain( $dbl_dst_target = 'dbl_dst' );
 
 		    log_rule_limit( $dbl_level,
 				    $chainref,
@@ -829,7 +832,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -1322,7 +1325,7 @@ sub setup_mac_lists( $ ) {
 	$maclist_interfaces{ $hostref->[0] } = 1;
     }
 
-    my @maclist_interfaces = ( keys %maclist_interfaces );
+    my @maclist_interfaces = ( sortkeysiftest %maclist_interfaces );
 
     if ( $phase == 1 ) {
 
@@ -1408,7 +1411,7 @@ sub setup_mac_lists( $ ) {
 	#
 	# Generate jumps from the input and forward chains
 	#
-	for my $hostref ( @$maclist_hosts ) {
+	for my $hostref ( $test ? sort { $a->[0] cmp $b->[0] } @$maclist_hosts : @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
 	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
@@ -1801,7 +1804,7 @@ sub handle_complex_zone( $$ ) {
 	my $type       = $zoneref->{type};
 	my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
 
-	for my $interface ( keys %$source_ref ) {
+	for my $interface ( sortkeysiftest %$source_ref ) {
 	    my $sourcechainref = $filter_table->{forward_chain $interface};
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;
@@ -1941,7 +1944,7 @@ sub add_output_jumps( $$$$$$$$ ) {
     my $use_output        = 0;
     my @dest              = imatch_dest_net $net;
     my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
-    my @zone_interfaces   = keys %{zone_interfaces( $zone )};
+    my @zone_interfaces   = sortkeysiftest %{zone_interfaces( $zone )};
 
     if ( @vservers || use_interface_chain( $interface, 'use_output_chain' ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) || @zone_interfaces > 1 ) {
 	#
@@ -2285,10 +2288,13 @@ sub generate_matrix() {
     #
     for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	if ( @zones > 2 || $zoneref->{complex} ) {
+
-	    handle_complex_zone( $zone, $zoneref );
+	unless ( $zoneref->{type} == LOCAL ) {
-	} else {
+	    if ( @zones > 2 || $zoneref->{complex} ) {
-	    new_standard_chain zone_forward_chain( $zone ) if @zones > 1;
+		handle_complex_zone( $zone, $zoneref );
+	    } else {
+		new_standard_chain zone_forward_chain( $zone ) if @zones > 1;
+	    }
 	}
     }
     #
@@ -2313,9 +2319,9 @@ sub generate_matrix() {
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
-	for my $type ( keys %$source_hosts_ref ) {
+	for my $type ( sortkeysiftest %$source_hosts_ref ) {
 	    my $typeref = $source_hosts_ref->{$type};
-	    for my $interface ( keys %$typeref ) {
+	    for my $interface ( sortkeysiftest %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
 		    # Insert the interface-specific jumps before this one which is not interface-specific
@@ -2400,9 +2406,9 @@ sub generate_matrix() {
 
 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
 
-		for my $type ( keys %{$zone1ref->{hosts}} ) {
+		for my $type ( sortkeysiftest %{$zone1ref->{hosts}} ) {
 		    my $typeref = $zone1ref->{hosts}{$type};
-		    for my $interface ( keys %$typeref ) {
+		    for my $interface ( sortkeysiftest %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
@@ -2579,13 +2585,13 @@ EOF
     emit <<'EOF';
             case $COMMAND in
 	        start)
-	            mylogger kern.err "ERROR:$g_product start failed"
+	            mylogger daemon.err "ERROR:$g_product start failed"
 	            ;;
 	        reload)
-	            mylogger kern.err "ERROR:$g_product reload failed"
+	            mylogger daemon.err "ERROR:$g_product reload failed"
 	            ;;
                 enable)
-                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
+                    mylogger daemon.err "ERROR:$g_product 'enable $g_interface' failed"
                     ;;
             esac
 
@@ -2808,7 +2814,7 @@ EOF
     emit '
 
     set_state "Stopped"
-    mylogger kern.info "$g_product Stopped"
+    mylogger daemon.info "$g_product Stopped"
 
     case $COMMAND in
     stop|clear)

Shorewall/Perl/Shorewall/Nat.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -561,7 +561,7 @@ sub open_snat_for_output( $ ) {
 #
 # For information about entries in this file, type "man shorewall-snat"
 #
-# See http://shorewall.org/manpages/shorewall-snat.html for additional information
+# See https://shorewall.org/manpages/shorewall-snat.html for additional information
 EOF
 	} else {
 	    print $snat <<'EOF';
@@ -570,7 +570,7 @@ EOF
 #
 # For information about entries in this file, type "man shorewall6-snat"
 #
-# See http://shorewall.org/manpages6/shorewall6-snat.html for additional information
+# See https://shorewall.org/manpages/shorewall-snat.html for additional information
 EOF
 	}
 

Shorewall/Perl/Shorewall/Proc.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Providers.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -1892,8 +1892,8 @@ sub map_provider_to_interface() {
 
     my $haveoptional;
 
-    for my $providerref ( values %providers ) {
+    for my $provider ( @providers ) {
-	if ( $providerref->{optional} ) {
+	if ( ( my $providerref=$providers{$provider} )->{optional} ) {
 	    unless ( $haveoptional++ ) {
 		emit( 'if [ -n "$interface" ]; then',
 		      '    case $interface in' );
@@ -2054,8 +2054,7 @@ sub compile_updown() {
 	    );
     }
 
-    my @nonshared = ( grep $providers{$_}->{optional},
+    my @nonshared = ( grep $providers{$_}->{optional}, sortvaluesiftest %provider_interfaces );
-		      values %provider_interfaces );
 
     if ( @nonshared ) {
 	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
@@ -2065,12 +2064,12 @@ sub compile_updown() {
 	push_indent;
 
 	emit( q(if [ "$state" = started ]; then) ,
-	      q(    if [ "$COMMAND" = up ]; then) , 
+	      q(    if [ "$COMMAND" = up ]; then) ,
 	      q(        progress_message3 "Attempting enable on interface $1") ,
 	      q(        COMMAND=enable) ,
 	      q(        detect_configuration $1),
 	      q(        enable_provider $1),
-	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
+	      q(    else),
 	      q(        progress_message3 "Attempting disable on interface $1") ,
 	      q(        COMMAND=disable) ,
 	      q(        detect_configuration $1),
@@ -2111,7 +2110,7 @@ sub compile_updown() {
 	emit( '        progress_message3 "$g_product attempting $COMMAND"',
 	      '        detect_configuration',
 	      '        define_firewall',
-	      '    elif [ "$PHASE" != pre-down ]; then # Not Debian pre-down phase'
+	      '    else' ,
 	    );
 
 	push_indent;
@@ -2246,9 +2245,11 @@ sub handle_optional_interfaces() {
     # names but they might derive from wildcard interface entries. Optional interfaces which do not have
     # wildcard physical names are also included in the providers table.
     #
-    for my $providerref ( grep $_->{optional} , values %providers ) {
+    for my $provider ( @providers ) {
-	push @interfaces, $providerref->{interface};
+	if ( ( my $providerref = $providers{$provider} )->{optional} ) {
-	$wildcards ||= $providerref->{wildcard};
+	    push @interfaces, $providerref->{interface};
+	    $wildcards ||= $providerref->{wildcard};
+	}
     }
 
     #
@@ -2296,17 +2297,7 @@ sub handle_optional_interfaces() {
 
 		emit( "$physical)" ), push_indent if $wildcards;
 
-		if ( $provider eq $physical ) {
+		emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		    #
-		    # Just an optional interface, or provider and interface are the same
-		    #
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		} else {
-		    #
-		    # Provider
-		    #
-		    emit qq(if [ -z "\$interface" -o "\$interface" = "$physical" ]; then);
-		}
 
 		push_indent;
 

Shorewall/Perl/Shorewall/Proxyarp.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2017 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -155,7 +155,7 @@ sub setup_proxy_arp() {
 
 	emit '';
 
-	for my $interface ( keys %reset ) {
+	for my $interface ( sortkeysiftest %reset ) {
 	    unless ( $set{interface} ) {
 		my $physical = get_physical $interface;
 		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
@@ -164,7 +164,7 @@ sub setup_proxy_arp() {
 	    }
 	}
 
-	for my $interface ( keys %set ) {
+	for my $interface ( sortkeysiftest %set ) {
 	    my $physical = get_physical $interface;
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );

Shorewall/Perl/Shorewall/Raw.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2009-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Rules.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -443,6 +443,7 @@ sub convert_to_policy_chain($$$$$$)
     my ($chainref, $source, $dest, $policy, $provisional, $audit ) = @_;
 
     $chainref->{is_policy}   = 1;
+    $chainref->{wild}        = $source eq 'all' || $dest eq 'all';
     $chainref->{policy}      = $policy;
     $chainref->{provisional} = $provisional;
     $chainref->{audit}       = $audit;
@@ -660,7 +661,7 @@ sub handle_nfqueue( $ ) {
 
     if ( supplied $queue2 ) {
 	require_capability 'CPU_FANOUT', '"c"', 's' if $fanout;
-	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${fanout}${bypass}";
+	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}${fanout}";
     } else {
 	return "NFQUEUE --queue-num ${queuenum1}${bypass}";
     }
@@ -1000,6 +1001,24 @@ sub determine_action_protocol( $$ ) {
     $proto;
 }
 
+sub determine_action_dport( $$$ ) {
+    my ( $action, $proto, $dport ) = @_;
+
+    if ( my $actiondport = $actions{$action}{dport} ) {
+	if ( $dport eq '-' ) {
+	    $dport = $actiondport;
+	} else {
+	    fatal_error( "The $action action is only usable with destination port $actiondport" ) if $dport =~ /[,]/;
+	    if ( ( my $portnum = validate_port( $proto, $dport ) ) ne '-' ) {
+		fatal_error( "The $action action is only usable with destination port $actiondport"  ) unless $actiondport = $portnum;
+		$dport = $portnum;
+	    }
+	}
+    }
+
+    $dport;
+}
+
 sub add_policy_rules( $$$$$ ) {
     my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
 
@@ -1014,7 +1033,11 @@ sub add_policy_rules( $$$$$ ) {
 		# Policy action is a regular action -- jump to the action chain
 		#
 		if ( ( my $proto = determine_action_protocol( $action, '-' ) ) ne '-' ) {
-		    add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
+		    if ( my $dport = determine_action_dport( $action, $proto, '' ) ) {
+			add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto, dport => $dport );
+		    } else {
+			add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
+		    }
 		} else {
 		    add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
 		}
@@ -1147,7 +1170,7 @@ sub complete_policy_chains() {
 		}
 	    }
 
-	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
+	    if ( $chainref->{wild} ) {
 		add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST};
 	    }
 	}
@@ -1252,6 +1275,7 @@ sub finish_chain_section ($$$) {
 	$state )            = @_;
     my $chain               = $chainref->{name};
     my $save_comment        = push_comment;
+    my $wild                = $chainref->{wild} && ! $config{EXPAND_RULES};
     my %state;
 
     $state{$_} = 1 for split ',', $state;
@@ -1262,74 +1286,76 @@ sub finish_chain_section ($$$) {
 
     $chain1ref->{sections}{$_} = 1 for keys %state;
 
-    for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
+    unless ( $wild ) {
-	if ( $state{$_} ) {
+	for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
-	    my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
+	    if ( $state{$_} ) {
-	    my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
+		my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
+		my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
 
-	    if ( $twochains || $level || $target ne 'ACCEPT' ) {
+		if ( $twochains || $level || $target ne 'ACCEPT' ) {
-		if ( $level ) {
+		    if ( $level ) {
-		    my $chain2ref;
+			my $chain2ref;
+
+			if ( $twochains ) {
+			    $chain2ref = $chainref;
+			} else {
+			    $chain2ref = new_chain( 'filter', "${char}$chainref->{name}" , "${char}$chainref->{logname}" );
+			}
+
+			log_rule_limit( $level,
+					$chain2ref,
+					$chain2ref->{logname},
+					uc $target,
+					$globals{LOGLIMIT},
+					$tag ,
+					'add' ,
+					'',
+					$level_origin );
+
+			$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
+
+			add_ijump_extended( $chain2ref, g => $target , $origin ) if $target;
+
+			$target = $chain2ref->{name} unless $twochains;
+		    }
 
 		    if ( $twochains ) {
-			$chain2ref = $chainref;
+			add_ijump_extended $chainref, g => $target , $origin if $target;
-		    } else {
+			delete $state{$_};
-			$chain2ref = new_chain( 'filter', "${char}$chainref->{name}" , "${char}$chainref->{logname}" );
+			last;
 		    }
 
-		    log_rule_limit( $level,
+		    if ( $target ) {
-				    $chain2ref,
+			$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
-				    $chain2ref->{logname},
+			#
-				    uc $target,
+			# Always handle ESTABLISHED first
-				    $globals{LOGLIMIT},
+			#
-				    $tag ,
+			if ( $state{ESTABLISHED} && $_ ne 'ESTABLISHED' ) {
-				    'add' ,
+			    add_ijump( $chain1ref, j => 'ACCEPT', state_imatch 'ESTABLISHED' );
-				    '',
+			    delete $state{ESTABLISHED};
-				    $level_origin );
+			}
 
-		    $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
+			add_ijump_extended( $chainref, j => $target, $origin, state_imatch $_ );
+		    }
 
-		    add_ijump_extended( $chain2ref, g => $target , $origin ) if $target;
-
-		    $target = $chain2ref->{name} unless $twochains;
-		}
-
-		if ( $twochains ) {
-		    add_ijump_extended $chainref, g => $target , $origin if $target;
 		    delete $state{$_};
-		    last;
 		}
-
-		if ( $target ) {
-		    $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
-		    #
-		    # Always handle ESTABLISHED first
-		    #
-		    if ( $state{ESTABLISHED} && $_ ne 'ESTABLISHED' ) {
-			add_ijump( $chain1ref, j => 'ACCEPT', state_imatch 'ESTABLISHED' );
-			delete $state{ESTABLISHED};
-		    }
-
-		    add_ijump_extended( $chainref, j => $target, $origin, state_imatch $_ );
-		}
-
-		delete $state{$_};
-	    }
-	}
-    }
-
-    if ( keys %state ) {
-	my @state;
-
-	unless ( $config{FASTACCEPT} ) {
-	    for ( qw/ESTABLISHED RELATED/ ) {
-		push @state, $_ if $state{$_};
 	    }
 	}
 
-	push( @state, 'UNTRACKED' ),if $state{UNTRACKED} && $globals{UNTRACKED_TARGET} eq 'ACCEPT';
+	if ( keys %state ) {
+	    my @state;
 
-	add_ijump( $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) ) if @state;
+	    unless ( $config{FASTACCEPT} ) {
+		for ( qw/ESTABLISHED RELATED/ ) {
+		    push @state, $_ if $state{$_};
+		}
+	    }
+
+	    push( @state, 'UNTRACKED' ),if $state{UNTRACKED} && $globals{UNTRACKED_TARGET} eq 'ACCEPT';
+
+	    add_ijump( $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) ) if @state;
+	}
     }
 
     if ($sections{NEW} ) {
@@ -1497,13 +1523,13 @@ sub external_name( $ ) {
 #
 # Define an Action
 #
-sub new_action( $$$$$$ ) {
+sub new_action( $$$$$$$ ) {
 
-    my ( $action , $type, $options , $actionfile , $state, $proto ) = @_;
+    my ( $action , $type, $options , $actionfile , $state, $proto, $dport ) = @_;
 
     fatal_error "Reserved action name ($action)" if reserved_name( $action );
 
-    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto };
+    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto, dport => $dport };
 
     $targets{$action} = $type;
 }
@@ -1774,7 +1800,7 @@ sub isolate_basic_target( $ ) {
 
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
-sub process_snat1( $$$$$$$$$$$$ );
+sub process_snat1( $$$$$$$$$$$$$ );
 sub perl_action_helper( $$;$$ );
 
 #
@@ -1968,23 +1994,49 @@ sub process_action(\$\$$) {
 		set_inline_matches( $matches );
 	    }
 	} else {
-	    my ( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) =
+	    my ( $action, $source, $dest, $protos, $port, $sport, $ipsec, $mark, $user, $condition, $origdest, $probability);
-		split_line2( 'snat file',
+
-			     { action =>0,
+	    if ( $file_format == 1 ) {
-			       source => 1,
+		( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) =
-			       dest => 2,
+		    split_line2( 'snat file',
-			       proto => 3,
+				 { action =>0,
-			       port => 4,
+				   source => 1,
-			       ipsec => 5,
+				   dest => 2,
-			       mark => 6,
+				   proto => 3,
-			       user => 7,
+				   port => 4,
-			       switch => 8,
+				   dport => 4,
-			       origdest => 9,
+				   ipsec => 5,
-			       probability => 10,
+				   mark => 6,
-			     },
+				   user => 7,
-			     {},
+				   switch => 8,
-			     11,
+				   origdest => 9,
-			     1 );
+				   probability => 10,
+				 },
+				 {},
+				 11,
+				 1 );
+		$sport = '-';
+	    } else {
+		( $action, $source, $dest, $protos, $port, $sport, $ipsec, $mark, $user, $condition, $origdest, $probability) =
+		    split_line2( 'snat file',
+				 { action =>0,
+				   source => 1,
+				   dest => 2,
+				   proto => 3,
+				   port => 4,
+				   dport => 4,
+				   sport => 5,
+				   ipsec => 6,
+				   mark => 7,
+				   user => 8,
+				   switch => 9,
+				   origdest => 10,
+				   probability => 11,
+				 },
+				 {},
+				 12,
+				 1 );
+	    }
 
 	    fatal_error 'ACTION must be specified' if $action eq '-';
 
@@ -2000,6 +2052,7 @@ sub process_action(\$\$$) {
 			       $dest,
 			       $proto,
 			       $port,
+			       $sport,
 			       $ipsec,
 			       $mark,
 			       $user,
@@ -2098,6 +2151,7 @@ sub process_actions() {
 
 	    my $state = '';
 	    my $proto = 0;
+	    my $dport = 0;
 
 	    if ( $action =~ /:/ ) {
 		warning_message 'Policy Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -2117,6 +2171,10 @@ sub process_actions() {
 		    } elsif ( /^proto=(.+)$/ ) {
 			fatal_error "Unknown Protocol ($1)" unless defined( $proto = resolve_proto( $1 ) );
 			fatal_error "A protocol may not be specified on the REJECT_ACTION ($action)" if $action eq $config{REJECT_ACTION};
+		    } elsif ( /^dport=(.+)$/ ) {
+			fatal_error "The 'dport' option requires the 'proto' option" unless $proto;
+			$dport = validate_port($proto, $1);
+			fatal_error "A destination port may not be specified on the REJECT_ACTION ($action)" if $action eq $config{REJECT_ACTION};
 		    } else {
 			fatal_error "Invalid option ($_)" unless $options{$_};
 			$opts |= $options{$_};
@@ -2138,10 +2196,12 @@ sub process_actions() {
 		    }
 
 		    $proto = $actions{$action}{proto} unless $proto;
+		    $dport = $actions{$action}{dport} unless $dport;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} elsif ( ( $actiontype & INLINE ) && ( $type == ACTION ) && $opts & NOINLINE_OPT ) {
 		    $proto = $actions{$action}{proto} unless $proto;
+		    $dport = $actions{$action}{dport} unless $dport;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} else {
@@ -2185,7 +2245,7 @@ sub process_actions() {
 
 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
 
-		new_action ( $action, $type, $opts, $actionfile , $state , $proto );
+		new_action ( $action, $type, $opts, $actionfile , $state , $proto , $dport );
 	    }
 	}
     }
@@ -2888,6 +2948,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    fatal_error "Invalid flags ($flags)"         unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
 
 	    $action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
+	    $log_action = "$basictarget($setname)";
 
 	    if ( supplied $timeout ) {
 		fatal_error "A timeout may only be supplied in an ADD rule" unless $basictarget eq 'ADD';
@@ -3063,9 +3124,11 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
     if ( $actiontype & ACTION ) {
 	#
-	# Verify action 'proto', if any
+	# Verify action 'proto', and 'dport' if any
 	#
-	$proto = determine_action_protocol( $basictarget, $proto );
+	if ( ( $proto = determine_action_protocol( $basictarget, $proto ) ) ne '-' ) {
+	    $ports = determine_action_dport( $basictarget, $proto, $ports );
+	}
 	#
 	# Save NAT-oriented column contents
 	#
@@ -3923,9 +3986,8 @@ sub process_rules() {
     #
     for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	my $simple  =  @zones <= 2 && ! $zoneref->{complex};
 
-	unless ( @zones <= 2 && ! $zoneref->{complex} ) {
+	unless ( $zoneref->{type} == LOCAL || ( @zones <= 2 && ! $zoneref->{complex} ) ) {
 	    #
 	    # Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
 	    #
@@ -4817,9 +4879,11 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	function          => sub() {
 	    fatal_error( qq(Action $cmd may not be used in the mangle file) ) unless $actiontype & MANGLE_TABLE;
 	    #
-	    # Verify action 'proto', if any
+	    # Verify action 'proto' and 'dport' if any
 	    #
-	    $proto = determine_action_protocol( $cmd, $proto );
+	    if ( ( $proto = determine_action_protocol( $cmd, $proto ) ) ne '-' ) {
+		$ports = determine_action_dport( $cmd, $proto, $ports );
+	    }
 	    #
 	    # Create the action:level:tag:param tuple.
 	    #
@@ -5363,8 +5427,8 @@ sub process_mangle_rule( $ ) {
     }
 }
 
-sub process_snat_inline( $$$$$$$$$$$$$$ ) {
+sub process_snat_inline( $$$$$$$$$$$$$$$ ) {
-    my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
 
     my ( $level,
 	 $tag )    = split( ':', $loglevel, 2 );
@@ -5383,28 +5447,54 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 
     progress_message "..Expanding inline action $inlinefile...";
 
-    push_open $inlinefile, 2, 1, undef , 2;
+    push_open $inlinefile, 2, 1, undef , 1;
 
     my $save_comment = push_comment;
 
     while ( read_a_line( NORMAL_READ ) ) {
-	my ( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
+	my ( $maction, $msource, $mdest, $mprotos, $mports, $msports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability);
-	    split_line2( 'snat file',
+
-			 { action =>0,
+	if ( $file_format == 1 ) {
-			   source => 1,
+	    ( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
-			   dest => 2,
+		split_line2( 'snat file',
-			   proto => 3,
+			     { action =>0,
-			   port => 4,
+			       source => 1,
-			   ipsec => 5,
+			       dest => 2,
-			   mark => 6,
+			       proto => 3,
-			   user => 7,
+			       port => 4,
-			   switch => 8,
+			       dport => 4,
-			   origdest => 9,
+			       ipsec => 5,
-			   probability => 10,
+			       mark => 6,
-			 },
+			       user => 7,
-			 {},
+			       switch => 8,
-			 11,
+			       origdest => 9,
-			 1 );
+			       probability => 10,
+			     },
+			     {},
+			     11,
+			     1 );
+	    $msports = '-';
+	} else {
+	    ( $maction, $msource, $mdest, $mprotos, $mports, $msports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
+		split_line2( 'snat file',
+			     { action =>0,
+			       source => 1,
+			       dest => 2,
+			       proto => 3,
+			       port => 4,
+			       dport => 4,
+			       sport => 5,
+			       ipsec => 6,
+			       mark => 7,
+			       user => 8,
+			       switch => 9,
+			       origdest => 10,
+			       probability => 11,
+			     },
+			     {},
+			     12,
+			     1 );
+	}
 
 	fatal_error 'ACTION must be specified' if $maction eq '-';
 
@@ -5432,6 +5522,7 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 			   $mdest,
 			   $proto,
 			   merge_macro_column( $mports,          $ports ),
+			   merge_macro_column( $msports,         $sports ),
 			   merge_macro_column( $mipsec,          $ipsec ),
 			   merge_macro_column( $mmark,           $mark ),
 			   merge_macro_column( $muser,           $user ),
@@ -5458,8 +5549,8 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 #
 # Process a record in the snat file
 #
-sub process_snat1( $$$$$$$$$$$$ ) {
+sub process_snat1( $$$$$$$$$$$$$ ) {
-    my ( $chainref, $origaction, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ( $chainref, $origaction, $source, $dest, $proto, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
 
     my $inchain;
     my $inaction;
@@ -5479,6 +5570,13 @@ sub process_snat1( $$$$$$$$$$$$ ) {
     my ( $action, $loglevel ) = split_action( $origaction );
     my $logaction;
     my $param;
+    #
+    # Handle early matches
+    #
+    if ( $inlinematches =~ s/^s*\+// ) {
+	$prerule = $inlinematches;
+	$inlinematches = '';
+    }
 
     if ( $action =~ /^MASQUERADE(\+)?(?:\((.+)\))?$/ ) {
 	$target     = 'MASQUERADE';
@@ -5571,7 +5669,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
     #
     # Handle Protocol, Ports and Condition
     #
-    $baserule .= do_proto( $proto, $ports, '' );
+    $baserule .= do_proto( $proto, $ports, $sports );
     #
     # Handle Mark
     #
@@ -5818,6 +5916,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 				 supplied( $destnets ) && $destnets ne '-' ? $inaction || $interface ? join( ':', $interface, $destnets ) : $destnets : $inaction ? '-' : $interface,
 				 $proto,
 				 $ports,
+				 $sports,
 				 $ipsec,
 				 $mark,
 				 $user,
@@ -5828,9 +5927,11 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    if ( $actiontype & ACTION ) {
 		fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
 		#
-		# Verify action 'proto', if any
+		# Verify action 'proto' and 'dport', if any
 		#
-		$proto = determine_action_protocol( $target, $proto );
+		if ( ( $proto = determine_action_protocol( $target, $proto ) ) ne '-' ) {
+		    $ports = determine_action_dport( $target, $proto, $ports );
+		}
 		#
 		# Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store
 		# the interface name in the log tag
@@ -5928,18 +6029,30 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 
 sub process_snat( )
 {
-    my ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+    my ($action, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability );
-	split_line2( 'snat file',
+
-		     { action => 0, source => 1, dest => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+    if ( $file_format == 1 ) {
-		     {},    #Nopad
+	($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
-		     undef, #Columns
+	    split_line2( 'snat file',
-		     1 );   #Allow inline matches
+			 { action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+			 {},    #Nopad
+			 11,    #Columns
+			 1 );   #Allow inline matches
+	$sports = '-';
+    } else {
+	($action, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+	    split_line2( 'snat file',
+			 { action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, sport => 5, ipsec => 6, mark => 7, user => 8, switch => 9, origdest => 10, probability => 11 },
+			 {},    #Nopad
+			 12,    #Columns
+			 1 );   #Allow inline matches
+    }
 
     fatal_error 'ACTION must be specified' if $action eq '-';
     fatal_error 'DEST must be specified' if $dest eq '-';
 
     for my $proto ( split_list $protos, 'Protocol' ) {
-	process_snat1( undef, $action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+	process_snat1( undef, $action, $source, $dest, $proto, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability );
     }
 }
 
@@ -5954,7 +6067,7 @@ sub setup_snat()
 	#
 	# Masq file was empty or didn't exist
 	#
-	if ( $fn = open_file( 'snat', 1, 1 ) ) {
+	if ( $fn = open_file( 'snat', 2, 1, undef, 1 ) ) {
 	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
 	    process_snat while read_a_line( NORMAL_READ );
 	}

Shorewall/Perl/Shorewall/Tc.pm

@@ -10,7 +10,7 @@
 #     Modified by Tom Eastep for integration into the Shorewall distribution
 #     published under GPL Version 2#
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -72,6 +72,9 @@ our %flow_keys = ( 'src'            => 1,
 #                              out_bandwidth => <value> ,
 #                              number        => <number>,
 #                              classify      => 0|1
+#                              flow          => Comma-separated flow tupple
+#                              classify      => 0|1
+#                              pfifo         => 0|1
 #                              tablenumber   => <next u32 table to be allocated for this device>
 #                              default       => <default class mark value>
 #                              redirected    => [ <dev1>, <dev2>, ... ]
@@ -80,6 +83,13 @@ our %flow_keys = ( 'src'            => 1,
 #                              qdisc         => htb|hfsc
 #                              guarantee     => <total RATE of classes seen so far>
 #                              name          => <interface>
+#                              filters       => [ filter, ... ]
+#                              linklayer     => <type> (optional)
+#                              overhead      => <number>
+#                              mtu           => <number>
+#                              tsize         => <number>
+#                              filterpri     => <number> (initially 0)
+#                              connmark      => 0|1
 #                                               }
 #
 our @tcdevices;
@@ -139,12 +149,14 @@ sub initialize( $ ) {
 sub rate_to_kbit( $ ) {
     my $rate = $_[0];
 
-    return 0           if $rate eq '-';
+    return 0              if $rate eq '-';
-    return $1          if $rate =~ /^((\d+)(\.\d+)?)kbit$/i;
+    return $1             if $rate =~ /^((\d+)(\.\d+)?)kbit$/i;
-    return $1 * 1000   if $rate =~ /^((\d+)(\.\d+)?)mbit$/i;
+    return $1 * 1000      if $rate =~ /^((\d+)(\.\d+)?)mbit$/i;
-    return $1 * 8000   if $rate =~ /^((\d+)(\.\d+)?)mbps$/i;
+    return $1 * 1000000   if $rate =~ /^((\d+)(\.\d+)?)gbit$/i;
-    return $1 * 8      if $rate =~ /^((\d+)(\.\d+)?)kbps$/i;
+    return $1 * 8000000   if $rate =~ /^((\d+)(\.\d+)?)gbps$/i;
-    return ($1/125)    if $rate =~ /^((\d+)(\.\d+)?)(bps)?$/;
+    return $1 * 8000      if $rate =~ /^((\d+)(\.\d+)?)mbps$/i;
+    return $1 * 8         if $rate =~ /^((\d+)(\.\d+)?)kbps$/i;
+    return ($1/125)       if $rate =~ /^((\d+)(\.\d+)?)(bps)?$/;
     fatal_error "Invalid Rate ($rate)";
 }
 
@@ -202,7 +214,7 @@ sub process_in_bandwidth( $ ) {
     } else {
 	if ( $in_band =~ /:/ ) {
 	    ( $in_band, $burst ) = split /:/, $in_rate, 2;
-	    fatal_error "Invalid burst ($burst)" unless $burst  =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
+	    fatal_error "Invalid burst ($burst)" unless $burst  =~ /^\d+(k|kb|m|mb|g|gb|gbit|mbit|kbit|b)?$/;
 	    $in_burst = $burst;
 	}
 
@@ -314,7 +326,7 @@ sub process_simple_device() {
 	my $command = "run_tc qdisc add dev $physical root handle $number: tbf rate ${out_bandwidth}kbit";
 
 	if ( supplied $burst ) {
-	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
+	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|g|gb|gbit|mbit|kbit|b)?$/;
 	    $command .= " burst $burst";
 	} else {
 	    $command .= ' burst 10kb';
@@ -330,12 +342,12 @@ sub process_simple_device() {
 	$command .= ' mpu 64'; #Assume Ethernet
 
 	if ( supplied $peak ) {
-	    fatal_error "Invalid peak ($peak)" unless $peak =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
+	    fatal_error "Invalid peak ($peak)" unless $peak =~ /^\d+(?:\.\d+)?(k|kb|m|mb|g|gb|gbit|mbit|kbit|b)?$/;
 	    $command .= " peakrate $peak";
 	}
 
 	if ( supplied $minburst ) {
-	    fatal_error "Invalid minburst ($minburst)" unless $minburst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
+	    fatal_error "Invalid minburst ($minburst)" unless $minburst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|g|gb|gbit|mbit|kbit|b)?$/;
 	    $command .= " minburst $minburst";
 	}
 
@@ -365,9 +377,7 @@ sub process_simple_device() {
 
     emit( "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32" .
 	  "\\\n    match ip6 protocol 6 0xff" .
-	  "\\\n    match u8 0x05 0x0f at 0" .
+	  "\\\n    match u8 0x10 0xff at 53 flowid $number:1\n" );
-	  "\\\n    match u16 0x0000 0xffc0 at 2" .
-	  "\\\n    match u8 0x10 0xff at 33 flowid $number:1\n" );
 
     save_progress_message_short qq("   TC Device $physical defined.");
 
@@ -422,8 +432,8 @@ sub validate_tc_device( ) {
     fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
     fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
 
-    my ( $classify, $pfifo, $flow, $qdisc, $linklayer, $overhead, $mtu, $mpu, $tsize ) = 
+    my ( $classify, $pfifo, $flow, $qdisc, $linklayer, $overhead, $mtu, $mpu, $tsize, $connmark ) = 
-	(0,         0,      '',    'htb',  '',         0,         0,    0,    0);
+	(0,         0,      '',    'htb',  '',         0,         0,    0,    0,      0);
 
     if ( $options ne '-' ) {
 	for my $option ( split_list1 $options, 'option' ) {
@@ -458,6 +468,9 @@ sub validate_tc_device( ) {
 		$tsize = numeric_value( $1 );
 		fatal_error "Invalid tsize ($1)" unless defined $tsize;
 		fatal_error q('tsize' requires 'linklayer') unless $linklayer; 
+	    } elsif ( $option eq 'connmark' ) {
+		require_capability( 'CONNMARK_ACTION', q(The 'connmark' option), 's' );
+		$connmark = 1;
 	    } else {
 		fatal_error "Unknown device option ($option)";
 	    }
@@ -470,7 +483,7 @@ sub validate_tc_device( ) {
 
     if ( @redirected ) {
 	fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband;
-	$classify = 1;
+	$classify = 1 unless $connmark;
 
 	for my $rdevice ( @redirected ) {
 	    fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
@@ -478,6 +491,8 @@ sub validate_tc_device( ) {
 	    fatal_error "REDIRECTED device ($rdevice) has not been defined in this file" unless $rdevref;
 	    fatal_error "IN-BANDWIDTH must be zero for REDIRECTED devices" if $rdevref->{in_bandwidth} != 0;
 	}
+    } elsif ( $connmark ) {
+	fatal_error "Option connmark can only be used when setting up a IFB device";
     }
 
     $inband = process_in_bandwidth( $inband );
@@ -503,6 +518,7 @@ sub validate_tc_device( ) {
 			    mpu           => $mpu,
 			    tsize         => $tsize,
 			    filterpri     => 0,
+			    connmark      => $connmark,
 			  } ,
 
     push @tcdevices, $device;
@@ -661,6 +677,7 @@ sub validate_tc_class( ) {
 
     if ( $mark ne '-' ) {
 	fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
+	fatal_error "MARK may not be specified for an interface with the 'classify' option" if $devref->{classify};
 
 	( $mark, my $priority ) = split/:/, $mark, 2;
 
@@ -1639,8 +1656,8 @@ sub process_tcfilters() {
 #
 # Process a tcpri record
 #
-sub process_tc_priority1( $$$$$$ ) {
+sub process_tc_priority1( $$$$$$$ ) {
-    my ( $band, $proto, $ports , $address, $interface, $helper ) = @_;
+    my ( $band, $proto, $dports , $sports, $address, $interface, $helper ) = @_;
 
     my $val = numeric_value $band;
 
@@ -1651,7 +1668,7 @@ sub process_tc_priority1( $$$$$$ ) {
     $rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if have_capability( 'EXMARK' );
 
     if ( $interface ne '-' ) {
-	fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
+	fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $dports eq '-' && $sports eq '-';
 
 	my $forwardref = $mangle_table->{tcfor};
 
@@ -1662,41 +1679,57 @@ sub process_tc_priority1( $$$$$$ ) {
 	my $postref = $mangle_table->{tcpost};
 
 	if ( $address ne '-' ) {
-	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
+	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $dports eq '-' && $sports eq '-';
 	    add_rule( $postref ,
 		      join( '', match_source_net( $address) , $rule ) ,
 		      1 );
 	} else {
 	    add_rule( $postref ,
-		      join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
+		      join( '', do_proto( $proto, $dports, $sports , 0 ) , $rule ) ,
 		      1 );
 
-	    if ( $ports ne '-' ) {
+	    if ( $dports ne '-' ) {
 		my $protocol = resolve_proto $proto;
 
 		if ( $proto =~ /^ipp2p/ ) {
 		    fatal_error "ipp2p may not be used when there are tracked providers and PROVIDER_OFFSET=0" if @routemarked_interfaces && $config{PROVIDER_OFFSET} == 0;
 		    $ipp2p = 1;
+		} elsif ( $file_format == 1 ) {
+		    add_rule( $postref ,
+			      join( '' , do_proto( $proto, '-', $dports, 0 ) , $rule ) ,
+			      1 )
+			unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
 		}
-
-		add_rule( $postref ,
-			  join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
-			  1 )
-		    unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
 	    }
 	}
     }
 }
 
 sub process_tc_priority() {
-    my ( $band, $protos, $ports , $address, $interface, $helper ) =
+    my ( $band, $protos, $dports , $sports, $address, $interface, $helper );
-	split_line1( 'tcpri',
+
-		     { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 } );
+    if ( $file_format == 1 ) {
+	( $band, $protos, $dports , $address, $interface, $helper ) =
+	    split_line2( 'tcpri',
+			 { band => 0, proto => 1, port => 2, dport => 2, address => 3, interface => 4, helper => 5 },
+			 {},
+			 6,
+			 1 );
+	$sports = '-';
+    } else {
+	( $band, $protos, $dports , $sports, $address, $interface, $helper ) =
+	    split_line2( 'tcpri',
+			 { band => 0, proto => 1, port => 2, dport => 2, sport => 3, address => 4, interface => 5, helper => 6 },
+			 {},
+			 7,
+			 1 );
+    };
 
     fatal_error 'BAND must be specified' if $band eq '-';
 
     fatal_error "Invalid tcpri entry" if ( $protos    eq '-' &&
-					   $ports     eq '-' &&
+					   $dports    eq '-' &&
+					   $sports    eq '-' &&
 					   $address   eq '-' &&
 					   $interface eq '-' &&
 					   $helper    eq '-' );
@@ -1706,7 +1739,7 @@ sub process_tc_priority() {
     fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
 
     for my $proto ( split_list $protos, 'Protocol' ) {
-	process_tc_priority1( $band, $proto, $ports , $address, $interface, $helper );
+	process_tc_priority1( $band, $proto, $dports , $sports, $address, $interface, $helper );
     }
 }
 
@@ -1728,7 +1761,7 @@ sub process_tcinterfaces() {
 #
 sub process_tcpri() {
     my $fn  = find_file 'tcinterfaces';
-    my $fn1 = open_file 'tcpri', 1,1;
+    my $fn1 = open_file 'tcpri', 2,1,0,1;
 
     if ( $fn1 ) {
 	first_entry
@@ -1865,7 +1898,7 @@ sub process_traffic_shaping() {
 	    for my $rdev ( @{$devref->{redirected}} ) {
 		my $phyrdev = physical_name( $rdev );
 		emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
-		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
+		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0".($devref->{'connmark'} ? ' action connmark' : '')." action mirred egress redirect dev $device > /dev/null" );
 	    }
 
 	    for my $class ( @tcclasses ) {
@@ -2284,11 +2317,11 @@ sub open_mangle_for_output( $ ) {
 #
 # For information about entries in this file, type "man shorewall-mangle"
 #
-# See http://shorewall.org/traffic_shaping.htm for additional information.
+# See https://shorewall.org/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
-# http://shorewall.org/MultiISP.html
+# https://shorewall.org/MultiISP.html
 #
-# See http://shorewall.org/PacketMarking.html for a detailed description of
+# See https://shorewall.org/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ##############################################################################################################################################################
 #ACTION         SOURCE          DEST            PROTO   DEST    SOURCE  USER    TEST    LENGTH  TOS     CONNBYTES       HELPER  PROBABILITY     DSCP    SWITCH
@@ -2300,11 +2333,11 @@ EOF
 #
 # For information about entries in this file, type "man shorewall6-mangle"
 #
-# See http://shorewall.org/traffic_shaping.htm for additional information.
+# See https://shorewall.org/traffic_shaping.htm for additional information.
 # For usage in selecting among multiple ISPs, see
-# http://shorewall.org/MultiISP.html
+# https://shorewall.org/MultiISP.html
 #
-# See http://shorewall.org/PacketMarking.html for a detailed description of
+# See https://shorewall.org/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 #
 ######################################################################################################################################################################
@@ -2371,7 +2404,6 @@ sub setup_tc( $ ) {
     }
 
     if ( $config{MANGLE_ENABLED} ) {
-
 	if ( $convert ) {
 	    my $have_tcrules;
 
@@ -2455,7 +2487,7 @@ sub setup_tc( $ ) {
 		}
 	    }
 	} elsif ( -f ( my $fn = find_file( 'tcrules' ) ) ) {
-	    warning_message "The tcrules file is no longer supported -- use '$shorewallrc{product} update' to convert $fn to an equivalent 'mangle' file";
+	    warning_message "The tcrules file is no longer supported -- use '$product update' to convert $fn to an equivalent 'mangle' file";
 	}
 
 	if ( my $fn = open_file( 'mangle', 1, 1 ) ) {

Shorewall/Perl/Shorewall/Tunnels.pm

@@ -4,7 +4,7 @@
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #     (c) 2007-2016 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/Shorewall/Zones.pm

@@ -5,7 +5,7 @@
 #
 #     (c) 2007-2019 - Tom Eastep (teastep@shorewall.net)
 #
-#       Complete documentation is available at http://shorewall.org
+#       Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -29,6 +29,7 @@ package Shorewall::Zones;
 require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
+use sort 'stable';
 
 use strict;
 
@@ -102,6 +103,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_zone_hosts_by_option
 		    find_zones_by_option
 		    have_ipsec
+		    generate_all_acasts
 		 ),
 	      );
 
@@ -175,7 +177,8 @@ our %reservedName = ( all => 1,
 #				      number	  => <ordinal position in the interfaces file>
 #				      physical	  => <physical interface name>
 #				      base	  => <shell variable base representing this interface>
-#				      wildcard	  => undef|1 # Wildcard Name
+#				      wildcard	  => undef|1 # Wildcard Logical Name
+#				      physwild	  => undef|1 # Wildcard Physical Name
 #				      zones	  => { zone1 => 1, ... }
 #				      origin	  => <where defined>
 #				    }
@@ -417,7 +420,8 @@ sub initialize( $$ ) {
 		       32  => 'loopback',
 		       64  => 'local' );
     } else {
-	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
+	%validinterfaceoptions = (
+				    accept_ra	=> NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
@@ -429,6 +433,7 @@ sub initialize( $$ ) {
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nodbl       => SIMPLE_IF_OPTION,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+				    omitanycast	=> SIMPLE_IF_OPTION + IF_OPTION_WILDOK,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
@@ -559,7 +564,8 @@ sub process_zone( \$ ) {
 	@parents = split_list $2, 'zone';
     }
 
-    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH};
+    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i;
+    fatal_error "Zone name ($zone) too long"     unless length $zone <= $globals{MAXZONENAMELENGTH};
     fatal_error "Invalid zone name ($zone)"      if $reservedName{$zone} || $zone =~ /^all2|2all$/;
     fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};
 
@@ -847,10 +853,10 @@ sub dump_zone_contents() {
 	$entry .= ( " mark=" . in_hex( $zoneref->{mark} ) ) if exists $zoneref->{mark};
 
 	if ( $hostref ) {
-	    for my $type ( keys %$hostref ) {
+	    for my $type ( sortkeysiftest %$hostref ) {
 		my $interfaceref = $hostref->{$type};
 
-		for my $interface ( keys %$interfaceref ) {
+		for my $interface ( sortkeysiftest %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 
@@ -1241,7 +1247,7 @@ sub process_interface( $$ ) {
     fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
 
     if ( supplied $port ) {
-	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.org/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
+	fatal_error qq("Virtual" interfaces are not supported -- see https://shorewall.org/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
 	fatal_error "Your iptables is not recent enough to support bridge ports" unless $globals{KLUDGEFREE};
 
@@ -1368,7 +1374,7 @@ sub process_interface( $$ ) {
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
 		if ( $option eq 'arp_ignore' ) {
-		    fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $wildcard;
+		    fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $physwild;
 		    if ( defined $value ) {
 			if ( $value =~ /^[1-3,8]$/ ) {
 			    $options{arp_ignore} = $value;
@@ -1485,7 +1491,7 @@ sub process_interface( $$ ) {
 
 	if ( $options{bridge} ) {
 	    require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
-	    fatal_error "Bridges may not have wildcard names" if $wildcard;
+	    fatal_error "Bridges may not have wildcard names" if $physwild;
 	    $hostoptions{routeback} = $options{routeback} = 1 unless supplied $options{routeback};
 	}
 
@@ -1534,7 +1540,7 @@ sub process_interface( $$ ) {
 						   zones      => {},
 						   origin     => shortlineinfo( '' ),
 						   wildcard   => $wildcard,
-						   physwild   => $physwild, # Currently unused
+						   physwild   => $physwild,
 					         };
 
     $interfaces{$physical} = $interfaceref if $physical ne $interface;
@@ -1715,6 +1721,7 @@ sub known_interface($)
 					       physical => $physical ,
 					       base     => $interfaceref->{base} ,
 					       wildcard => $interfaceref->{wildcard} ,
+					       physwild => $interfaceref->{physwild} ,
 					       zones    => $interfaceref->{zones} ,
 		                              };
 		return $interfaceref;
@@ -2027,7 +2034,7 @@ sub verify_required_interfaces( $ ) {
 
 	push_indent;
 
-	emit( 'start|reload|restore)' );
+	emit( 'start|reload|restore|enable)' );
 
 	push_indent;
 
@@ -2320,9 +2327,9 @@ sub find_hosts_by_option( $ ) {
     }
 
     for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
-	for my $type (keys %{$zones{$zone}{hosts}} ) {
+	for my $type (sortkeysiftest %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( keys %$interfaceref ) {
+	    for my $interface ( sortkeysiftest %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    my $ipsec  = $host->{ipsec};
@@ -2350,9 +2357,9 @@ sub find_zone_hosts_by_option( $$ ) {
     my @hosts;
 
     unless ( $zones{$zone}{type} & FIREWALL ) {
-	for my $type (keys %{$zones{$zone}{hosts}} ) {
+	for my $type (sortkeysiftest %{$zones{$zone}{hosts}} ) {
 	    my $interfaceref = $zones{$zone}{hosts}->{$type};
-	    for my $interface ( keys %$interfaceref ) {
+	    for my $interface ( sortkeysiftest %$interfaceref ) {
 		my $arrayref = $interfaceref->{$interface};
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {
@@ -2383,4 +2390,110 @@ sub find_zones_by_option( $$ ) {
     \@zns;
 }
 
+#
+# Generate the shell code to populate the ALL_ACASTS run-time variable
+#
+
+sub generate_all_acasts() {
+    my ( @acasts, @noacasts, @wildacasts, @wildnoacasts );
+
+    for my $interface ( @interfaces ) {
+	my $interfaceref = $interfaces{$interface};
+	my $physical     = $interfaceref->{physical};
+
+	next if ( $interfaceref->{options}{port} ||
+		  $interfaceref->{options}{unmanaged} );
+
+	if ( $interfaceref->{physwild} ) {
+	    $physical =~ s/\+/*/;
+
+	    if ( $interfaceref->{options}{omitanycast} ) {
+		if ( $physical eq '*' ) {
+		    @wildnoacasts = ( '*' );
+		} else {
+		    push @wildnoacasts, $physical;
+		}
+	    } else {
+		if ( $physical eq '*' ) {
+		    @wildacasts = ( '*' );
+		} else {
+		    push @wildacasts, $physical;
+		}
+	    }
+	} else {
+	    if ( $interfaceref->{options}{omitanycast} ) {
+		push @noacasts, $physical;
+	    } else {
+		push @acasts, $physical;
+	    }
+	}
+    }
+
+    return 'ALL_ACASTS="$(get_all_acasts)"' unless @noacasts || @wildnoacasts;
+
+    @wildacasts = '*' unless @wildacasts;
+
+    emit( "#\n# Populate the ALL_ACASTS variable\n#",
+	  'generate_all_acasts()',
+	  '{' );
+    push_indent;
+
+    emit( 'ALL_ACASTS=',
+	  '',
+	  'for iface in $(find_all_interfaces1); do' );
+
+    push_indent;
+
+    emit( 'case $iface in' );
+
+    push_indent;
+
+    if ( @noacasts ) {
+	unless ( @wildacasts ) {
+	    push @noacasts, @wildnoacasts;
+	    @wildnoacasts = ();
+	}
+
+	emit( join( '|', @noacasts) . ')',
+	      '    ;;' );
+    }
+
+    if ( @wildnoacasts ) {
+	if ( @acasts ) {
+	    emit( join( '|', @acasts) . ')',
+		  '    if [ -n "$ALL_ACASTS" ]; then',
+		  '        ALL_ACASTS="$ALL_ACASTS $(get_interface_acasts $iface)"',
+		  '    else',
+		  '        ALL_ACASTS="$(get_interface_acasts $iface)"',
+		  '    fi',
+		  '    ;;' );
+	}
+
+	emit( join( '|', @wildnoacasts) . ')',
+	      '    ;;' );
+
+    } else {
+	@wildacasts = ( '*' );
+    }
+
+    if ( @wildacasts ) {
+	emit( join( '|', @wildacasts ) . ')',
+	      '    if [ -n "$ALL_ACASTS" ]; then',
+	      '        ALL_ACASTS="$ALL_ACASTS $(get_interface_acasts $iface)"',
+	      '    else',
+	      '        ALL_ACASTS="$(get_interface_acasts $iface)"',
+	      '    fi',
+	      '    ;;' );
+    }
+
+    pop_indent;
+    emit( 'esac');
+    pop_indent;
+    emit( 'done');
+    pop_indent;
+    emit( "}\n" );
+
+    return 'generate_all_acasts';
+}
+
 1;

Shorewall/Perl/compiler.pl

@@ -4,7 +4,7 @@
 #
 #     (c) 2007,2008,2009,2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #
@@ -47,7 +47,7 @@
 #
 use strict;
 use FindBin;
-use lib "$FindBin::Bin";
+use lib "$FindBin::Bin"; # Required to allow modules to reside in ${BASEDIR}/Shorewall/
 use Shorewall::Compiler;
 use Getopt::Long;
 

Shorewall/Perl/getparams

@@ -4,7 +4,7 @@
 #
 #     (c) 2010,2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.org
+#	Complete documentation is available at https://shorewall.org
 #
 #       This program is part of Shorewall.
 #

Shorewall/Perl/lib.runtime

@@ -1089,7 +1089,7 @@ clear_firewall() {
 
     set_state "Cleared"
 
-    logger -p kern.info "$g_product Cleared"
+    logger -p daemon.info "$g_product Cleared"
 }
 
 #
@@ -1113,7 +1113,7 @@ interface_is_usable() # $1 = interface
     status=0
 
     if [ "$1" != lo ]; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
@@ -1389,7 +1389,7 @@ clear_firewall() {
 
     set_state "Cleared"
 
-    logger -p kern.info "$g_product Cleared"
+    logger -p daemon.info "$g_product Cleared"
 }
 
 ?endif # IPv6-specific functions.

Shorewall/Samples/README.txt

@@ -1,6 +1,6 @@
 For instructions on using these sample configurations, please see
 
-http://www.shorewall.org/shorewall_quickstart_guide.htm
+https://shorewall.org/shorewall_quickstart_guide.htm
 
     Shorewall Samples
     Copyright (C) 2006 by the following authors:

Shorewall/Samples/Universal/interfaces

@@ -4,7 +4,7 @@
 # For information about entries in this file, type "man shorewall-interfaces"
 #
 # The manpage is also online at
-# http://www.shorewall.org/manpages/shorewall-interfaces.html
+# https://shorewall.org/manpages/shorewall-interfaces.html
 #
 ###############################################################################
 ?FORMAT 2

Shorewall/Samples/Universal/policy

@@ -4,7 +4,7 @@
 # For information about entries in this file, type "man shorewall-policy"
 #
 # The manpage is also online at
-# http://www.shorewall.org/manpages/shorewall-policy.html
+# https://shorewall.org/manpages/shorewall-policy.html
 #
 ###############################################################################
 #SOURCE	DEST	POLICY		LOGLEVEL	RATE		CONNLIMIT

Shorewall/Samples/Universal/rules

@@ -4,7 +4,7 @@
 # For information on the settings in this file, type "man shorewall-rules"
 #
 # The manpage is also online at
-# http://www.shorewall.org/manpages/shorewall-rules.html
+# https://shorewall.org/manpages/shorewall-rules.html
 #
 ######################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER

Shorewall/Samples/Universal/shorewall.conf

@@ -4,7 +4,7 @@
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
-#  Manpage also online at http://www.shorewall.org/manpages/shorewall.conf.html
+#  Manpage also online at https://shorewall.org/manpages/shorewall.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################

Shorewall/Samples/Universal/zones

@@ -4,7 +4,7 @@
 # For information about this file, type "man shorewall-zones"
 #
 # The manpage is also online at
-# http://www.shorewall.org/manpages/shorewall-zones.html
+# https://shorewall.org/manpages/shorewall-zones.html
 #
 ###############################################################################
 #ZONE	TYPE		OPTIONS		IN			OUT

Shorewall/Samples/one-interface/README.txt

@@ -1,6 +1,6 @@
 For instructions on using this sample configuration, please see
 
-http://www.shorewall.org/standalone.htm
+https://shorewall.org/standalone.htm
 
     Shorewall Samples
     Copyright (C) 2006-2015 by the following authors: