Add target file(s) 5.2.6-base

Signed-off-by: Tom Eastep <teastep@shorewall.net>

.gitattributes

@@ -0,0 +1 @@
+*targetname export-ignore

Shorewall-core/Shorewall-core-targetname

@@ -1 +1 @@
-5.2.4.1
+5.2.6-base

Shorewall-core/lib.cli

@@ -937,11 +937,28 @@ show_events() {
     fi
 }
 
+sort_actions() {
+    local sep #separates sort keys from the action[.std] record
+    sep="##"
+
+    awk -v sep="$sep" \
+         'BEGIN		  { action = ""; ifrec = ""; nr = 0; };\
+	  /^#/	  	  { next; };\
+	  /^\?(if|IF|If)/ { ifrec = $0; nr = NR; next; };\
+	  /^( |\t|\?)/	  { if ( action != "" ) print action, NR, sep $0; next; };\
+			  { action = $1; };\
+	  nr != 0	  { print action , nr, sep ifrec; nr = 0; };\
+			  { print action , NR, sep $0; }' | sort -k 1,2 | sed "s/^.*${sep}//"
+}
+
 show_actions() {
-    if [ -f ${g_confdir}/actions ]; then
-	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
+    local actions
+    actions=$(find_file actions)
+
+    if [ -f ${actions} ]; then
+	cat ${actions} ${g_sharedir}/actions.std | sort_actions
     else
-	grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
+        sort_actions < ${g_sharedir}/actions.std
     fi
 }
 
@@ -1108,10 +1125,6 @@ show_blacklists() {
     show_bl;
 }
 
-show_actions_sorted() {
-    show_actions | sort
-}
-
 show_macros() {
     for directory in $(split $CONFIG_PATH); do
 	temp=
@@ -1543,7 +1556,7 @@ show_command() {
 			    ;;
 			actions)
 			    [ $# -gt 1 ] && too_many_arguments $2
-			    eval show_actions_sorted $g_pager
+			    eval show_actions $g_pager
 			    return
 			    ;;
 			macro)
@@ -2651,6 +2664,7 @@ allow_command() {
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
 			allowed=Yes
+			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 		    fi
 		fi
 
@@ -2667,6 +2681,7 @@ allow_command() {
 	    *)
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
+			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 			allowed=Yes
 		    fi
 		fi
@@ -3622,6 +3637,7 @@ reject_command() {
 
 blacklist_command() {
     local family
+    local timeout
 
     [ $# -gt 0 ] || fatal_error "Missing address"
 
@@ -3639,10 +3655,17 @@ blacklist_command() {
 	    ;;
     esac
 
-    if $IPSET -A $g_blacklistipset $@ -exist; then
+    if [ $COMMAND = 'blacklist!' ]; then
+	timeout='timeout 0'
+    else
+	echo "$@" | fgrep -q ' timeout ' || timeout="timeout $g_dbltimeout"
+    fi
+
+    if $IPSET -A $g_blacklistipset $@ $timeout -exist; then
 	local message
 
 	progress_message2 "$1 Blacklisted"
+	[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Blacklisted"
 
 	if [ -n "$g_disconnect" ]; then
 	    message="$(conntrack -D -s $1 2>&1)"
@@ -3897,7 +3920,7 @@ setup_dbl() {
     case $DYNAMIC_BLACKLIST in
 	ipset*,src-dst*)
 	    #
-	    # This utility doesn't need to know about 'src-dst'
+	    # Capture 'src-dst'
 	    #
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
 
@@ -3905,11 +3928,49 @@ setup_dbl() {
 	    ;;
     esac
 
+    case $DYNAMIC_BLACKLIST in
+	ipset*,log*)
+	    #
+	    # Capture 'log'
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,log//')
+
+	    g_dbllog=Yes
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	ipset*,noupdate*)
+	    #
+	    # This utility doesn't use this option
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,noupdate//')
+	    ;;
+    esac
+
     case $DYNAMIC_BLACKLIST in
 	ipset*,timeout*)
 	    #
-	    # This utility doesn't need to know about 'timeout=nnn'
+	    # Capture timeout
 	    #
+	    local ifs
+	    local f
+
+	    ifs=$IFS
+	    IFS=','
+
+	    for f in $DYNAMIC_BLACKLIST; do
+		case $f in
+		    timeout=*)
+			g_dbltimeout=${f#timeout=}
+			g_dbltimeout=${g_dbltimeout%%:*}
+			break
+			;;
+		esac
+	    done
+
+	    IFS=$ifs
+
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
 	    ;;
     esac
@@ -3964,7 +4025,7 @@ get_config() {
 
     ensure_config_path
 
-    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
 
     [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
@@ -4127,7 +4188,7 @@ start_command() {
 	    rc=$?
 	else
 	    error_message "$g_firewall is missing or is not executable"
-	    mylogger kern.err "ERROR:$g_product start failed"
+	    mylogger daemon.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
 
@@ -4260,7 +4321,7 @@ restart_command() {
 	rc=$?
     else
 	error_message "$g_firewall is missing or is not executable"
-	mylogger kern.err "ERROR:$g_product $COMMAND failed"
+	mylogger daemon.err "ERROR:$g_product $COMMAND failed"
 	rc=6
     fi
 
@@ -4298,9 +4359,9 @@ usage() # $1 = exit status
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
     echo "   blacklist <address> [ <option> ... ]"
-    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
+    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ -D ] [ <directory> ]"
     echo "   clear"
-    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
+    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ -D ] [ <directory name> ] [ <path name> ]"
     echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   disable <interface>"
@@ -4340,7 +4401,7 @@ usage() # $1 = exit status
     if [ -n "$g_lite" ]; then
 	echo "   reload [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
     else
-	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ -D ] [ <directory> ]"
     fi
 
     if [ -z "$g_lite" ]; then
@@ -4356,7 +4417,7 @@ usage() # $1 = exit status
     if [ -n "$g_lite" ]; then
 	echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
     else
-	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ -D ] [ <directory> ]"
     fi
 
     echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
@@ -4458,6 +4519,8 @@ shorewall_cli() {
     g_disconnect=
     g_havemutex=
     g_trace=
+    g_dbltimeout=
+    g_dbllog=
 
     VERBOSE=
     VERBOSITY=1
@@ -4679,7 +4742,7 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
-	blacklist)
+	blacklist|blacklist!)
 	    only_root
 	    get_config Yes
 	    shift
@@ -4757,7 +4820,7 @@ shorewall_cli() {
 	    ;;
 	allow)
 	    only_root
-	    get_config
+	    get_config Yes
 	    allow_command $@
 	    ;;
 	add)

Shorewall-core/lib.common

@@ -55,13 +55,13 @@ startup_error() # $* = Error Message
 
     case $COMMAND in
         start)
-	    mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
     esac
 

Shorewall-core/manpages/shorewall.xml

@@ -48,7 +48,7 @@
 
       <arg>options</arg>
 
-      <arg choice="plain"><option>blacklist</option></arg>
+      <arg choice="plain"><option>blacklist[!]</option></arg>
 
       <arg
       choice="plain"><replaceable>address</replaceable><arg><replaceable>option</replaceable>
@@ -1151,7 +1151,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">blacklist</emphasis>
+        <term><emphasis role="bold">blacklist[!]</emphasis>
         <replaceable>address</replaceable> [ <replaceable>option</replaceable>
         ... ]</term>
 
@@ -1165,7 +1165,17 @@
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
           <replaceable>address</replaceable> along with any
           <replaceable>option</replaceable>s are passed to the <command>ipset
-          add</command> command.</para>
+          add</command> command. Probably the most useful
+          <replaceable>option</replaceable> is the <option>timeout</option>
+          option. For example, to permanently blacklist 192.0.2.22, the
+          command would be:</para>
+
+          <programlisting>    shorewall blacklist 192.0.2.22 timeout 0</programlisting>
+
+          <para>Beginning with Shorewall 5.2.5, the above command can be
+          shortened to:</para>
+
+          <programlisting>    shorewall blacklist! 192.0.2.22</programlisting>
 
           <para>If the <option>disconnect</option> option is specified in the
           DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
@@ -2108,10 +2118,6 @@
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
           url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
-
-          <para>The <emphasis role="bold">-D </emphasis>option was added in
-          Shoewall 5.2.4 and causes the compiler to write a large amount of
-          debugging information to standard output.</para>
         </listitem>
       </varlistentry>
 
@@ -2891,25 +2897,18 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">stop</emphasis>
-        [-<option>f</option>]</term>
+        <term><emphasis role="bold">stop</emphasis></term>
 
         <listitem>
           <para>Stops the firewall. All existing connections, except those
           listed in <ulink
-          url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
+          url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
           or permitted by the ADMINISABSENTMINDED option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), are
-          taken down. The only new traffic permitted through the firewall is
-          from systems listed in <ulink
-          url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> The only
+          new traffic permitted through the firewall is from systems listed in
+          <ulink
+          url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
           or by ADMINISABSENTMINDED.</para>
-
-          <para>If <option>-f</option> is given, the command will be processed
-          by the compiled script that executed the last successful <emphasis
-          role="bold">start</emphasis>, <emphasis
-          role="bold">restart</emphasis> or <emphasis
-          role="bold">reload</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 

Shorewall-init/ifupdown.debian.sh

@@ -127,6 +127,17 @@ esac
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null
 
 for PRODUCT in $PRODUCTS; do
+    if [ -n "$ADDRFAM" -a ${COMMAND} = up ]; then
+	case $PRODUCT in
+	    *6*)
+		[ ${ADDRFAM} = inet6 ] || continue
+		;;
+	    *)
+		[ ${ADDRFAM} = inet ] || continue
+		;;
+	esac
+    fi
+
     setstatedir
 
     if [ -x $VARLIB/$PRODUCT/firewall ]; then

Shorewall-init/install.sh

@@ -169,7 +169,7 @@ if [ -z "$BUILD" ]; then
 	    ;;
 	*)
 	    if [ -f /etc/os-release ]; then
-		eval $(cat /etc/os-release | grep ^ID=)
+		ID=$(grep '^ID=' /etc/os-release | sed 's/ID=//; s/"//g;')
 
 		case $ID in
 		    fedora|rhel|centos|foobar)
@@ -357,12 +357,11 @@ fi
 if [ $HOST = debian ]; then
     if [ -n "${DESTDIR}" ]; then
 	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
 	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
     elif [ $configure -eq 0 ]; then
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
+	make_parent_directory ${CONFDIR}/network/if-up.d 0755
+	make_parent_directory ${CONFDIR}/network/if-post-down.d 0755
+	rm -f ${CONFDIR}/network/if-down.d/shorewall
     fi
 
     if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
@@ -388,7 +387,7 @@ else
 	    elif [ $HOST = openwrt ]; then
 		# Not implemented on OpenWRT
 		/bin/true
-	    else
+	    elif [ "$HOST" != debian ]; then
 		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
 	    fi
 	fi
@@ -417,19 +416,22 @@ if [ $HOST != openwrt ]; then
 fi
 
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
-    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
+    if [ "$HOST" = debian ]; then
+	rm -f ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall
+    else
+	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
+	install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
+    fi
 fi
 
 case $HOST in
     debian)
 	if [ $configure -eq 1 ]; then
 	    install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	    install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	    rm -f ${DESTDIR}/etc/network/if-down.d/shorewall
 	else
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
-	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
 	fi
 	;;

Shorewall-init/shorewall-init

@@ -25,6 +25,7 @@
 #
 ###############################################################################
 # set the STATEDIR variable
+
 setstatedir() {
     local statedir
     if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
@@ -42,29 +43,18 @@ setstatedir() {
     fi
 }
 
-#
-# This is modified by the installer when ${SHAREDIR} <> /usr/share
-#
-. /usr/share/shorewall/shorewallrc
+# Initialize the firewalls
 
-# check if shorewall-init is configured or not
-if [ -f "$SYSCONFDIR/shorewall-init" ]; then
-    . $SYSCONFDIR/shorewall-init
-    if [ -z "$PRODUCTS" ]; then
-	echo "ERROR: No products configured" >&2
-	exit 1
-    fi
-else
-    echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
-    exit 1
-fi
-
-# Initialize the firewall
-shorewall_start () {
+shorewall_init_start () {
     local PRODUCT
     local STATEDIR
 
     printf "Initializing \"Shorewall-based firewalls\": "
+
+    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+	ipset -R < "$SAVE_IPSETS"
+    fi
+
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    #
@@ -78,19 +68,17 @@ shorewall_start () {
 	fi
     done
 
-    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-	ipset -R < "$SAVE_IPSETS"
-    fi
-
     return 0
 }
 
-# Clear the firewall
-shorewall_stop () {
+# Clear the firewalls
+
+shorewall_init_stop () {
     local PRODUCT
     local STATEDIR
 
     printf "Clearing \"Shorewall-based firewalls\": "
+
     for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    #
@@ -116,12 +104,29 @@ shorewall_stop () {
     return 0
 }
 
+#
+# This is modified by the installer when ${SHAREDIR} <> /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+# check if shorewall-init is configured or not
+if [ -f "$SYSCONFDIR/shorewall-init" ]; then
+    . $SYSCONFDIR/shorewall-init
+    if [ -z "$PRODUCTS" ]; then
+	echo "ERROR: No products configured" >&2
+	exit 1
+    fi
+else
+    echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
+    exit 1
+fi
+
 case "$1" in
     start)
-	shorewall_start
+	shorewall_init_start
 	;;
     stop)
-	shorewall_stop
+	shorewall_init_stop
 	;;
     *)
 	echo "Usage: $0 {start|stop}"

Shorewall/Perl/Shorewall/Chains.pm

@@ -320,6 +320,7 @@ our $VERSION = 'MODULEVERSION';
 #    %chain_table { <table> => { <chain1>  => { name         => <chain name>
 #                                               table        => <table name>
 #                                               is_policy    => undef|1 -- if 1, this is a policy chain
+#                                               wild         => undef|1 -- If 1, source or dest is 'all'. Only applies to policy chains
 #                                               provisional  => undef|1 -- See below.
 #                                               referenced   => undef|1 -- If 1, will be written to the iptables-restore-input.
 #                                               builtin      => undef|1 -- If 1, one of Netfilter's built-in chains.
@@ -726,6 +727,7 @@ our %opttype = ( rule          => CONTROL,
 		 'icmpv6-type' => UNIQUE,
 
 		 comment       => CONTROL,
+		 digest        => CONTROL,
 
 		 policy        => MATCH,
 		 state         => EXCLUSIVE,
@@ -892,7 +894,7 @@ sub validate_port( $$ ) {
 
     fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
 
-    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])";
 }
 
 #
@@ -3521,6 +3523,33 @@ sub irule_to_string( $ ) {
     $string;
 }
 
+#
+# This one omits the comment
+#
+sub irule_to_string1( $ ) {
+    my ( $ruleref ) = @_;
+
+    return $ruleref->{cmd} if exists $ruleref->{cmd};
+
+    my $string = '';
+
+    for ( grep ! ( get_opttype( $_, 0 ) & ( CONTROL | TARGET ) ), @{$ruleref->{matches}}) {
+	my $value = $ruleref->{$_};
+	if ( reftype $value ) {
+	    $string .= "$_=" . join( ',', @$value ) . ' ';
+	} else {
+	    $string .= "$_=$value ";
+	}
+    }
+
+    if ( $ruleref->{target} ) {
+	$string .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} );
+	$string .= join( '', ' ', $ruleref->{targetopts} ) if $ruleref->{targetopts};
+    }
+
+    $string;
+}
+
 sub calculate_digest( $ ) {
     my $chainref = shift;
     my $rules = '';
@@ -4051,7 +4080,7 @@ sub optimize_level8( $$$ ) {
 
 		    if ( $config{RENAME_COMBINED} && $chainref->{name} !~ /^[~%]/ ) {
 			#
-			# For simple use of the BLACKLIST section, we can end up with many identical
+			# For simple use of the blrules file, we can end up with many identical
 			# chains. To distinguish them from other renamed chains, we keep track of
 			# these chains via the 'blacklistsection' member.
 			#
@@ -4190,10 +4219,10 @@ sub get_multi_sports( $ ) {
 }
 
 #
-# Return an array of keys for the passed rule. 'dport', 'comment', and 'origin' are omitted;
+# Return an array of keys for the passed rule. 'dport', 'comment', 'origin' and 'digest' are omitted;
 #
 sub get_keys( $ ) {
-    my %skip = ( dport => 1, comment => 1, origin => 1 );
+    my %skip = ( dport => 1, comment => 1, origin => 1, digest => 1 );
 
     sort grep ! $skip{$_},  keys %{$_[0]};
 }
@@ -4374,64 +4403,54 @@ sub delete_duplicates {
     my @rules;
     my $chainref  = shift;
     my $lastrule  = @_;
-    my $baseref   = pop;
     my $ruleref;
     my %skip = ( comment => 1, origin => 1 );
 
+    for ( @_ ) {
+	$_->{digest} = sha1_hex irule_to_string1( $_ );
+    }
+
+    my $baseref   = pop;
+
     while ( @_ ) {
 	my $docheck;
 	my $duplicate = 0;
 
 	if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
 	    my $ports1;
-	    my @keys1    = sort( grep ! $skip{$_}, keys( %$baseref ) );
+	    my $bad_key;
 	    my $rulenum  = @_;
 	    my $adjacent = 1;
-		
-	    {
-	      RULE:
+	    my $digest   = $baseref->{digest};
 
-		while ( --$rulenum >= 0 ) {
-		    $ruleref = $_[$rulenum];
+	    for ( grep ! $skip{$_}, keys( %$baseref ) ) {
+		$bad_key = 1, last if $bad_match{$_};
+	    }
 
-		    last unless $ruleref->{mode} == CAT_MODE;
+	    while ( --$rulenum >= 0 ) {
+		$ruleref = $_[$rulenum];
 
-		    my @keys2 = sort(grep ! $skip{$_}, keys( %$ruleref ) );
+		last unless $ruleref->{mode} == CAT_MODE;
 
-		    next unless @keys1 == @keys2 ;
+		next unless $digest eq $ruleref->{digest};
 
-		    my $keynum = 0;
-
-		    if ( $adjacent > 0 ) {
-			#
-			# There are no non-duplicate rules between this rule and the base rule
-			#
-			for my $key (  @keys1 ) {
-			    next RULE unless $key eq $keys2[$keynum++];
-			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
-			}
-		    } else {
-			#
-			# There are non-duplicate rules between this rule and the base rule
-			#
-			for my $key ( @keys1 ) {
-			    next RULE unless $key eq $keys2[$keynum++];
-			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
-			    last RULE if $bad_match{$key};
-			}
-		    }
+		unless ( $adjacent > 0 ) {
 		    #
-		    # This rule is a duplicate
+		    # There are non-duplicate rules between this rule and the base rule
 		    #
-		    $duplicate = 1;
-		    #
-		    # Increment $adjacent so that the continue block won't set it to zero
-		    #
-		    $adjacent++;
-
-		} continue {
-		    $adjacent--;
+		    last if $bad_key;
 		}
+		#
+		# This rule is a duplicate
+		#
+		$duplicate = 1;
+		#
+		# Increment $adjacent so that the continue block won't set it to zero
+		#
+		$adjacent++;
+
+	    } continue {
+		$adjacent--;
 	    }
 	}
 
@@ -4468,10 +4487,10 @@ sub get_conntrack( $ ) {
 }
 
 #
-# Return an array of keys for the passed rule. 'conntrack',  'comment' & 'origin' are omitted;
+# Return an array of keys for the passed rule. 'conntrack',  'comment', 'origin' and 'digest' are omitted;
 #
 sub get_keys1( $ ) {
-    my %skip = ( comment => 1, origin => 1 , 'conntrack --ctstate' => 1 );
+    my %skip = ( comment => 1, origin => 1 , digest => 1, 'conntrack --ctstate' => 1 );
 
     sort grep ! $skip{$_},  keys %{$_[0]};
 }
@@ -8872,7 +8891,7 @@ sub ensure_ipsets( @ ) {
     my $set;
     my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
 
-    if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
+    if ( $_[0] eq $globals{DBL_IPSET} ) {
 	shift;
 
 	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));
@@ -8883,12 +8902,12 @@ sub ensure_ipsets( @ ) {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout 0${counters}) );
 	} else {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout 0${counters}) );
 	}
 
 	pop_indent;
@@ -9065,10 +9084,14 @@ sub create_load_ipsets() {
 	    # Requires V5 or later
 	    #
 	    emit( '' ,
-		  "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
-		  '        $IPSET flush $set' ,
-		  '        $IPSET destroy $set' ,
-		  "    done" ,
+		  '    if  [ -f ${VARDIR}/ipsets.save ]; then' ,
+		  '        while read verb set rest; do' ,
+		  '            if [ $verb = create ]; then' ,
+		  '                $IPSET flush $set' ,
+		  '                $IPSET destroy $set' ,
+		  '            fi' ,
+		  '        done < ${VARDIR}/ipsets.save' ,
+		  '    fi',
 		);
 	} else {
 	    #
@@ -9111,7 +9134,7 @@ sub create_load_ipsets() {
 		emit( '        #',
 		      '        # Update the dynamic blacklisting ipset timeout value',
 		      '        #',
-		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
+		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout 0" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
 		      '        zap_ipsets',
 		      '        $IPSET restore < ${VARDIR}/ipsets.temp',
 		      '    fi' );

Shorewall/Perl/Shorewall/Compiler.pm

@@ -543,13 +543,13 @@ date > ${VARDIR}/restarted
 
 case $COMMAND in
     start)
-        mylogger kern.info "$g_product started"
+        mylogger daemon.info "$g_product started"
         ;;
     reload)
-        mylogger kern.info "$g_product reloaded"
+        mylogger daemon.info "$g_product reloaded"
         ;;
     restore)
-        mylogger kern.info "$g_product restored"
+        mylogger daemon.info "$g_product restored"
         ;;
 esac
 EOF
@@ -858,13 +858,14 @@ sub compiler {
 	if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
+	    # Optimize the ruleet
+	    #
+	    optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
+	    #
 	    # Optimize Policy Chains
 	    #
-	    optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
-	    #
-	    # More Optimization
-	    #
-	    optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
+	    optimize_policy_chains if $optimize & OPTIMIZE_POLICY_MASK;
+	    optimize_policy_chains;
 	}
 
 	enable_script;
@@ -928,16 +929,16 @@ sub compiler {
 
 	    optimize_level0;
 
-	    if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1e ) {
+	    if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
-		# Optimize Policy Chains
-		#
-		optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
-		#
 		# Ruleset Optimization
 		#
 		optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
+		#
+		# Optimize Policy Chains
+		#
+		optimize_policy_chains if $optimize & OPTIMIZE_POLICY_MASK;
 	    }
 
 	    enable_script if $debug;

Shorewall/Perl/Shorewall/Config.pm

@@ -311,7 +311,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 				       OPTIMIZE_MASK
 				       OPTIMIZE_POLICY_MASK
-				       OPTIMIZE_POLICY_MASK2n4
 				       OPTIMIZE_RULESET_MASK
 				       OPTIMIZE_ALL
 				     ) , ] ,
@@ -555,7 +554,6 @@ use constant {
 #
 use constant {
 	       OPTIMIZE_POLICY_MASK    => 0x02 , # Call optimize_policy_chains()
-	       OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
 	       OPTIMIZE_RULESET_MASK   => 0x1C , # Call optimize_ruleset()
                OPTIMIZE_MASK           => 0x1E , # Do optimizations beyond level 1
 	       OPTIMIZE_ALL            => 0x1F , # Maximum value for documented categories.
@@ -657,6 +655,30 @@ our %params;
 #
 our %compiler_params;
 #
+# Entries conditionally exported to the compiled script via the aux config file
+#
+our @exported_params = ( qw(
+			 VERBOSITY
+			 LOGFILE
+			 LOGFORMAT
+			 APRTABLES
+			 IPTABLES
+			 IP6TABLES
+			 IP
+			 TC
+			 IPSET
+			 PATH
+			 SHOREWALL_SHELL
+			 SHELL
+			 SUBSYSLOCK
+			 LOCKFILE
+			 RESTOREFILE
+			 RESTART
+			 DYNAMIC_BLACKLIST
+			 PAGER
+			 )
+    );
+#
 # Action parameters
 #
 our %actparams;
@@ -6671,7 +6693,7 @@ sub get_configuration( $$$ ) {
 
     if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
-	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
+	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1, 'log' => 1, 'noupdate' => 1, );
 
 	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
 
@@ -7196,8 +7218,8 @@ sub generate_aux_config() {
 
     emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
 
-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST PAGER) ) {
-	conditionally_add_option $option;
+    for my $param ( @exported_params ) {
+	conditionally_add_option $param;
     }
 
     conditionally_add_option1 'TC_ENABLED';

Shorewall/Perl/Shorewall/Misc.pm

@@ -735,6 +735,7 @@ sub add_common_rules ( $ ) {
     my $dbl_tag;
     my $dbl_src_target;
     my $dbl_dst_target;
+    my $dbl_options;
 
     if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -796,9 +797,10 @@ sub add_common_rules ( $ ) {
 
 	if ( $dbl_ipset ) {
 	    if ( $val = $globals{DBL_TIMEOUT} ) {
-		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
+		$dbl_options    = $globals{DBL_OPTIONS};
+		$dbl_src_target = $dbl_options =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
 
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = new_standard_chain( $dbl_src_target );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -809,11 +811,11 @@ sub add_common_rules ( $ ) {
 				'add',
 				'',
 				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} ) unless $dbl_options =~ /noupdate/;
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 
 		if ( $dbl_src_target eq 'dbl_src' ) {
-		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
+		    $chainref = new_standard_chain( $dbl_dst_target = 'dbl_dst' );
 
 		    log_rule_limit( $dbl_level,
 				    $chainref,
@@ -830,7 +832,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -2580,13 +2582,13 @@ EOF
     emit <<'EOF';
             case $COMMAND in
 	        start)
-	            mylogger kern.err "ERROR:$g_product start failed"
+	            mylogger daemon.err "ERROR:$g_product start failed"
 	            ;;
 	        reload)
-	            mylogger kern.err "ERROR:$g_product reload failed"
+	            mylogger daemon.err "ERROR:$g_product reload failed"
 	            ;;
                 enable)
-                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
+                    mylogger daemon.err "ERROR:$g_product 'enable $g_interface' failed"
                     ;;
             esac
 
@@ -2809,7 +2811,7 @@ EOF
     emit '
 
     set_state "Stopped"
-    mylogger kern.info "$g_product Stopped"
+    mylogger daemon.info "$g_product Stopped"
 
     case $COMMAND in
     stop|clear)

Shorewall/Perl/Shorewall/Providers.pm

@@ -2064,12 +2064,12 @@ sub compile_updown() {
 	push_indent;
 
 	emit( q(if [ "$state" = started ]; then) ,
-	      q(    if [ "$COMMAND" = up ]; then) , 
+	      q(    if [ "$COMMAND" = up ]; then) ,
 	      q(        progress_message3 "Attempting enable on interface $1") ,
 	      q(        COMMAND=enable) ,
 	      q(        detect_configuration $1),
 	      q(        enable_provider $1),
-	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
+	      q(    else),
 	      q(        progress_message3 "Attempting disable on interface $1") ,
 	      q(        COMMAND=disable) ,
 	      q(        detect_configuration $1),
@@ -2110,7 +2110,7 @@ sub compile_updown() {
 	emit( '        progress_message3 "$g_product attempting $COMMAND"',
 	      '        detect_configuration',
 	      '        define_firewall',
-	      '    elif [ "$PHASE" != pre-down ]; then # Not Debian pre-down phase'
+	      '    else' ,
 	    );
 
 	push_indent;

Shorewall/Perl/Shorewall/Rules.pm

@@ -443,6 +443,7 @@ sub convert_to_policy_chain($$$$$$)
     my ($chainref, $source, $dest, $policy, $provisional, $audit ) = @_;
 
     $chainref->{is_policy}   = 1;
+    $chainref->{wild}        = $source eq 'all' || $dest eq 'all';
     $chainref->{policy}      = $policy;
     $chainref->{provisional} = $provisional;
     $chainref->{audit}       = $audit;
@@ -660,7 +661,7 @@ sub handle_nfqueue( $ ) {
 
     if ( supplied $queue2 ) {
 	require_capability 'CPU_FANOUT', '"c"', 's' if $fanout;
-	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${fanout}${bypass}";
+	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}${fanout}";
     } else {
 	return "NFQUEUE --queue-num ${queuenum1}${bypass}";
     }
@@ -1000,6 +1001,24 @@ sub determine_action_protocol( $$ ) {
     $proto;
 }
 
+sub determine_action_dport( $$$ ) {
+    my ( $action, $proto, $dport ) = @_;
+
+    if ( my $actiondport = $actions{$action}{dport} ) {
+	if ( $dport eq '-' ) {
+	    $dport = $actiondport;
+	} else {
+	    fatal_error( "The $action action is only usable with destination port $actiondport" ) if $dport =~ /[,]/;
+	    if ( ( my $portnum = validate_port( $proto, $dport ) ) ne '-' ) {
+		fatal_error( "The $action action is only usable with destination port $actiondport"  ) unless $actiondport = $portnum;
+		$dport = $portnum;
+	    }
+	}
+    }
+
+    $dport;
+}
+
 sub add_policy_rules( $$$$$ ) {
     my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
 
@@ -1014,7 +1033,11 @@ sub add_policy_rules( $$$$$ ) {
 		# Policy action is a regular action -- jump to the action chain
 		#
 		if ( ( my $proto = determine_action_protocol( $action, '-' ) ) ne '-' ) {
-		    add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
+		    if ( my $dport = determine_action_dport( $action, $proto, '' ) ) {
+			add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto, dport => $dport );
+		    } else {
+			add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
+		    }
 		} else {
 		    add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
 		}
@@ -1147,7 +1170,7 @@ sub complete_policy_chains() {
 		}
 	    }
 
-	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
+	    if ( $chainref->{wild} ) {
 		add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST};
 	    }
 	}
@@ -1252,6 +1275,7 @@ sub finish_chain_section ($$$) {
 	$state )            = @_;
     my $chain               = $chainref->{name};
     my $save_comment        = push_comment;
+    my $wild                = $chainref->{wild} && ! $config{EXPAND_RULES};
     my %state;
 
     $state{$_} = 1 for split ',', $state;
@@ -1262,74 +1286,76 @@ sub finish_chain_section ($$$) {
 
     $chain1ref->{sections}{$_} = 1 for keys %state;
 
-    for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
-	if ( $state{$_} ) {
-	    my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
-	    my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
+    unless ( $wild ) {
+	for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
+	    if ( $state{$_} ) {
+		my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
+		my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
 
-	    if ( $twochains || $level || $target ne 'ACCEPT' ) {
-		if ( $level ) {
-		    my $chain2ref;
+		if ( $twochains || $level || $target ne 'ACCEPT' ) {
+		    if ( $level ) {
+			my $chain2ref;
+
+			if ( $twochains ) {
+			    $chain2ref = $chainref;
+			} else {
+			    $chain2ref = new_chain( 'filter', "${char}$chainref->{name}" , "${char}$chainref->{logname}" );
+			}
+
+			log_rule_limit( $level,
+					$chain2ref,
+					$chain2ref->{logname},
+					uc $target,
+					$globals{LOGLIMIT},
+					$tag ,
+					'add' ,
+					'',
+					$level_origin );
+
+			$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
+
+			add_ijump_extended( $chain2ref, g => $target , $origin ) if $target;
+
+			$target = $chain2ref->{name} unless $twochains;
+		    }
 
 		    if ( $twochains ) {
-			$chain2ref = $chainref;
-		    } else {
-			$chain2ref = new_chain( 'filter', "${char}$chainref->{name}" , "${char}$chainref->{logname}" );
+			add_ijump_extended $chainref, g => $target , $origin if $target;
+			delete $state{$_};
+			last;
 		    }
 
-		    log_rule_limit( $level,
-				    $chain2ref,
-				    $chain2ref->{logname},
-				    uc $target,
-				    $globals{LOGLIMIT},
-				    $tag ,
-				    'add' ,
-				    '',
-				    $level_origin );
+		    if ( $target ) {
+			$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
+			#
+			# Always handle ESTABLISHED first
+			#
+			if ( $state{ESTABLISHED} && $_ ne 'ESTABLISHED' ) {
+			    add_ijump( $chain1ref, j => 'ACCEPT', state_imatch 'ESTABLISHED' );
+			    delete $state{ESTABLISHED};
+			}
 
-		    $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
+			add_ijump_extended( $chainref, j => $target, $origin, state_imatch $_ );
+		    }
 
-		    add_ijump_extended( $chain2ref, g => $target , $origin ) if $target;
-
-		    $target = $chain2ref->{name} unless $twochains;
-		}
-
-		if ( $twochains ) {
-		    add_ijump_extended $chainref, g => $target , $origin if $target;
 		    delete $state{$_};
-		    last;
 		}
-
-		if ( $target ) {
-		    $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
-		    #
-		    # Always handle ESTABLISHED first
-		    #
-		    if ( $state{ESTABLISHED} && $_ ne 'ESTABLISHED' ) {
-			add_ijump( $chain1ref, j => 'ACCEPT', state_imatch 'ESTABLISHED' );
-			delete $state{ESTABLISHED};
-		    }
-
-		    add_ijump_extended( $chainref, j => $target, $origin, state_imatch $_ );
-		}
-
-		delete $state{$_};
-	    }
-	}
-    }
-
-    if ( keys %state ) {
-	my @state;
-
-	unless ( $config{FASTACCEPT} ) {
-	    for ( qw/ESTABLISHED RELATED/ ) {
-		push @state, $_ if $state{$_};
 	    }
 	}
 
-	push( @state, 'UNTRACKED' ),if $state{UNTRACKED} && $globals{UNTRACKED_TARGET} eq 'ACCEPT';
+	if ( keys %state ) {
+	    my @state;
 
-	add_ijump( $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) ) if @state;
+	    unless ( $config{FASTACCEPT} ) {
+		for ( qw/ESTABLISHED RELATED/ ) {
+		    push @state, $_ if $state{$_};
+		}
+	    }
+
+	    push( @state, 'UNTRACKED' ),if $state{UNTRACKED} && $globals{UNTRACKED_TARGET} eq 'ACCEPT';
+
+	    add_ijump( $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) ) if @state;
+	}
     }
 
     if ($sections{NEW} ) {
@@ -1497,13 +1523,13 @@ sub external_name( $ ) {
 #
 # Define an Action
 #
-sub new_action( $$$$$$ ) {
+sub new_action( $$$$$$$ ) {
 
-    my ( $action , $type, $options , $actionfile , $state, $proto ) = @_;
+    my ( $action , $type, $options , $actionfile , $state, $proto, $dport ) = @_;
 
     fatal_error "Reserved action name ($action)" if reserved_name( $action );
 
-    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto };
+    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto, dport => $dport };
 
     $targets{$action} = $type;
 }
@@ -1774,7 +1800,7 @@ sub isolate_basic_target( $ ) {
 
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
-sub process_snat1( $$$$$$$$$$$$ );
+sub process_snat1( $$$$$$$$$$$$$ );
 sub perl_action_helper( $$;$$ );
 
 #
@@ -1968,23 +1994,49 @@ sub process_action(\$\$$) {
 		set_inline_matches( $matches );
 	    }
 	} else {
-	    my ( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) =
-		split_line2( 'snat file',
-			     { action =>0,
-			       source => 1,
-			       dest => 2,
-			       proto => 3,
-			       port => 4,
-			       ipsec => 5,
-			       mark => 6,
-			       user => 7,
-			       switch => 8,
-			       origdest => 9,
-			       probability => 10,
-			     },
-			     {},
-			     11,
-			     1 );
+	    my ( $action, $source, $dest, $protos, $port, $sport, $ipsec, $mark, $user, $condition, $origdest, $probability);
+
+	    if ( $file_format == 1 ) {
+		( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) =
+		    split_line2( 'snat file',
+				 { action =>0,
+				   source => 1,
+				   dest => 2,
+				   proto => 3,
+				   port => 4,
+				   dport => 4,
+				   ipsec => 5,
+				   mark => 6,
+				   user => 7,
+				   switch => 8,
+				   origdest => 9,
+				   probability => 10,
+				 },
+				 {},
+				 11,
+				 1 );
+		$sport = '-';
+	    } else {
+		( $action, $source, $dest, $protos, $port, $sport, $ipsec, $mark, $user, $condition, $origdest, $probability) =
+		    split_line2( 'snat file',
+				 { action =>0,
+				   source => 1,
+				   dest => 2,
+				   proto => 3,
+				   port => 4,
+				   dport => 4,
+				   sport => 5,
+				   ipsec => 6,
+				   mark => 7,
+				   user => 8,
+				   switch => 9,
+				   origdest => 10,
+				   probability => 11,
+				 },
+				 {},
+				 12,
+				 1 );
+	    }
 
 	    fatal_error 'ACTION must be specified' if $action eq '-';
 
@@ -2000,6 +2052,7 @@ sub process_action(\$\$$) {
 			       $dest,
 			       $proto,
 			       $port,
+			       $sport,
 			       $ipsec,
 			       $mark,
 			       $user,
@@ -2098,6 +2151,7 @@ sub process_actions() {
 
 	    my $state = '';
 	    my $proto = 0;
+	    my $dport = 0;
 
 	    if ( $action =~ /:/ ) {
 		warning_message 'Policy Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -2117,6 +2171,10 @@ sub process_actions() {
 		    } elsif ( /^proto=(.+)$/ ) {
 			fatal_error "Unknown Protocol ($1)" unless defined( $proto = resolve_proto( $1 ) );
 			fatal_error "A protocol may not be specified on the REJECT_ACTION ($action)" if $action eq $config{REJECT_ACTION};
+		    } elsif ( /^dport=(.+)$/ ) {
+			fatal_error "The 'dport' option requires the 'proto' option" unless $proto;
+			$dport = validate_port($proto, $1);
+			fatal_error "A destination port may not be specified on the REJECT_ACTION ($action)" if $action eq $config{REJECT_ACTION};
 		    } else {
 			fatal_error "Invalid option ($_)" unless $options{$_};
 			$opts |= $options{$_};
@@ -2138,10 +2196,12 @@ sub process_actions() {
 		    }
 
 		    $proto = $actions{$action}{proto} unless $proto;
+		    $dport = $actions{$action}{dport} unless $dport;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} elsif ( ( $actiontype & INLINE ) && ( $type == ACTION ) && $opts & NOINLINE_OPT ) {
 		    $proto = $actions{$action}{proto} unless $proto;
+		    $dport = $actions{$action}{dport} unless $dport;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} else {
@@ -2185,7 +2245,7 @@ sub process_actions() {
 
 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
 
-		new_action ( $action, $type, $opts, $actionfile , $state , $proto );
+		new_action ( $action, $type, $opts, $actionfile , $state , $proto , $dport );
 	    }
 	}
     }
@@ -2888,6 +2948,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    fatal_error "Invalid flags ($flags)"         unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
 
 	    $action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
+	    $log_action = "$basictarget($setname)";
 
 	    if ( supplied $timeout ) {
 		fatal_error "A timeout may only be supplied in an ADD rule" unless $basictarget eq 'ADD';
@@ -3063,9 +3124,11 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
     if ( $actiontype & ACTION ) {
 	#
-	# Verify action 'proto', if any
+	# Verify action 'proto', and 'dport' if any
 	#
-	$proto = determine_action_protocol( $basictarget, $proto );
+	if ( ( $proto = determine_action_protocol( $basictarget, $proto ) ) ne '-' ) {
+	    $ports = determine_action_dport( $basictarget, $proto, $ports );
+	}
 	#
 	# Save NAT-oriented column contents
 	#
@@ -4817,9 +4880,11 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	function          => sub() {
 	    fatal_error( qq(Action $cmd may not be used in the mangle file) ) unless $actiontype & MANGLE_TABLE;
 	    #
-	    # Verify action 'proto', if any
+	    # Verify action 'proto' and 'dport' if any
 	    #
-	    $proto = determine_action_protocol( $cmd, $proto );
+	    if ( ( $proto = determine_action_protocol( $cmd, $proto ) ) ne '-' ) {
+		$ports = determine_action_dport( $cmd, $proto, $ports );
+	    }
 	    #
 	    # Create the action:level:tag:param tuple.
 	    #
@@ -5363,8 +5428,8 @@ sub process_mangle_rule( $ ) {
     }
 }
 
-sub process_snat_inline( $$$$$$$$$$$$$$ ) {
-    my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+sub process_snat_inline( $$$$$$$$$$$$$$$ ) {
+    my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
 
     my ( $level,
 	 $tag )    = split( ':', $loglevel, 2 );
@@ -5383,28 +5448,54 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 
     progress_message "..Expanding inline action $inlinefile...";
 
-    push_open $inlinefile, 2, 1, undef , 2;
+    push_open $inlinefile, 2, 1, undef , 1;
 
     my $save_comment = push_comment;
 
     while ( read_a_line( NORMAL_READ ) ) {
-	my ( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
-	    split_line2( 'snat file',
-			 { action =>0,
-			   source => 1,
-			   dest => 2,
-			   proto => 3,
-			   port => 4,
-			   ipsec => 5,
-			   mark => 6,
-			   user => 7,
-			   switch => 8,
-			   origdest => 9,
-			   probability => 10,
-			 },
-			 {},
-			 11,
-			 1 );
+	my ( $maction, $msource, $mdest, $mprotos, $mports, $msports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability);
+
+	if ( $file_format == 1 ) {
+	    ( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
+		split_line2( 'snat file',
+			     { action =>0,
+			       source => 1,
+			       dest => 2,
+			       proto => 3,
+			       port => 4,
+			       dport => 4,
+			       ipsec => 5,
+			       mark => 6,
+			       user => 7,
+			       switch => 8,
+			       origdest => 9,
+			       probability => 10,
+			     },
+			     {},
+			     11,
+			     1 );
+	    $msports = '-';
+	} else {
+	    ( $maction, $msource, $mdest, $mprotos, $mports, $msports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
+		split_line2( 'snat file',
+			     { action =>0,
+			       source => 1,
+			       dest => 2,
+			       proto => 3,
+			       port => 4,
+			       dport => 4,
+			       sport => 5,
+			       ipsec => 6,
+			       mark => 7,
+			       user => 8,
+			       switch => 9,
+			       origdest => 10,
+			       probability => 11,
+			     },
+			     {},
+			     12,
+			     1 );
+	}
 
 	fatal_error 'ACTION must be specified' if $maction eq '-';
 
@@ -5432,6 +5523,7 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 			   $mdest,
 			   $proto,
 			   merge_macro_column( $mports,          $ports ),
+			   merge_macro_column( $msports,         $sports ),
 			   merge_macro_column( $mipsec,          $ipsec ),
 			   merge_macro_column( $mmark,           $mark ),
 			   merge_macro_column( $muser,           $user ),
@@ -5458,8 +5550,8 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 #
 # Process a record in the snat file
 #
-sub process_snat1( $$$$$$$$$$$$ ) {
-    my ( $chainref, $origaction, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+sub process_snat1( $$$$$$$$$$$$$ ) {
+    my ( $chainref, $origaction, $source, $dest, $proto, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
 
     my $inchain;
     my $inaction;
@@ -5479,6 +5571,13 @@ sub process_snat1( $$$$$$$$$$$$ ) {
     my ( $action, $loglevel ) = split_action( $origaction );
     my $logaction;
     my $param;
+    #
+    # Handle early matches
+    #
+    if ( $inlinematches =~ s/^s*\+// ) {
+	$prerule = $inlinematches;
+	$inlinematches = '';
+    }
 
     if ( $action =~ /^MASQUERADE(\+)?(?:\((.+)\))?$/ ) {
 	$target     = 'MASQUERADE';
@@ -5571,7 +5670,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
     #
     # Handle Protocol, Ports and Condition
     #
-    $baserule .= do_proto( $proto, $ports, '' );
+    $baserule .= do_proto( $proto, $ports, $sports );
     #
     # Handle Mark
     #
@@ -5818,6 +5917,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 				 supplied( $destnets ) && $destnets ne '-' ? $inaction || $interface ? join( ':', $interface, $destnets ) : $destnets : $inaction ? '-' : $interface,
 				 $proto,
 				 $ports,
+				 $sports,
 				 $ipsec,
 				 $mark,
 				 $user,
@@ -5828,9 +5928,11 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    if ( $actiontype & ACTION ) {
 		fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
 		#
-		# Verify action 'proto', if any
+		# Verify action 'proto' and 'dport', if any
 		#
-		$proto = determine_action_protocol( $target, $proto );
+		if ( ( $proto = determine_action_protocol( $target, $proto ) ) ne '-' ) {
+		    $ports = determine_action_dport( $target, $proto, $ports );
+		}
 		#
 		# Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store
 		# the interface name in the log tag
@@ -5928,18 +6030,30 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 
 sub process_snat( )
 {
-    my ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
-	split_line2( 'snat file',
-		     { action => 0, source => 1, dest => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
-		     {},    #Nopad
-		     undef, #Columns
-		     1 );   #Allow inline matches
+    my ($action, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+
+    if ( $file_format == 1 ) {
+	($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+	    split_line2( 'snat file',
+			 { action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+			 {},    #Nopad
+			 11,    #Columns
+			 1 );   #Allow inline matches
+	$sports = '-';
+    } else {
+	($action, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+	    split_line2( 'snat file',
+			 { action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, sport => 5, ipsec => 6, mark => 7, user => 8, switch => 9, origdest => 10, probability => 11 },
+			 {},    #Nopad
+			 12,    #Columns
+			 1 );   #Allow inline matches
+    }
 
     fatal_error 'ACTION must be specified' if $action eq '-';
     fatal_error 'DEST must be specified' if $dest eq '-';
 
     for my $proto ( split_list $protos, 'Protocol' ) {
-	process_snat1( undef, $action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+	process_snat1( undef, $action, $source, $dest, $proto, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability );
     }
 }
 
@@ -5954,7 +6068,7 @@ sub setup_snat()
 	#
 	# Masq file was empty or didn't exist
 	#
-	if ( $fn = open_file( 'snat', 1, 1 ) ) {
+	if ( $fn = open_file( 'snat', 2, 1, undef, 1 ) ) {
 	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
 	    process_snat while read_a_line( NORMAL_READ );
 	}

Shorewall/Perl/Shorewall/Zones.pm

@@ -560,7 +560,8 @@ sub process_zone( \$ ) {
 	@parents = split_list $2, 'zone';
     }
 
-    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH};
+    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i;
+    fatal_error "Zone name ($zone) too long"     unless length $zone <= $globals{MAXZONENAMELENGTH};
     fatal_error "Invalid zone name ($zone)"      if $reservedName{$zone} || $zone =~ /^all2|2all$/;
     fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};
 
@@ -2028,7 +2029,7 @@ sub verify_required_interfaces( $ ) {
 
 	push_indent;
 
-	emit( 'start|reload|restore)' );
+	emit( 'start|reload|restore|enable)' );
 
 	push_indent;
 

Shorewall/Perl/lib.runtime

@@ -1089,7 +1089,7 @@ clear_firewall() {
 
     set_state "Cleared"
 
-    logger -p kern.info "$g_product Cleared"
+    logger -p daemon.info "$g_product Cleared"
 }
 
 #
@@ -1113,7 +1113,7 @@ interface_is_usable() # $1 = interface
     status=0
 
     if [ "$1" != lo ]; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
@@ -1389,7 +1389,7 @@ clear_firewall() {
 
     set_state "Cleared"
 
-    logger -p kern.info "$g_product Cleared"
+    logger -p daemon.info "$g_product Cleared"
 }
 
 ?endif # IPv6-specific functions.

Shorewall/Samples/three-interfaces/snat

@@ -12,8 +12,9 @@
 # For information about entries in this file, type "man shorewall-snat"
 #
 # See https://shorewall.org/manpages/shorewall-snat.html for more information
-###########################################################################################################################################
-#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+?FORMAT 2
+###################################################################################################################################################
+#ACTION			SOURCE			DEST            PROTO	DPORT	SPORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
 #

Shorewall/Samples/two-interfaces/snat

@@ -12,8 +12,9 @@
 # For information about entries in this file, type "man shorewall-snat"
 #
 # See https://shorewall.org/manpages/shorewall-snat.html for more information
-###########################################################################################################################################
-#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+?FORMAT 2
+###################################################################################################################################################
+#ACTION			SOURCE			DEST            PROTO	DPORT	SPORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
 #

Shorewall/Shorewall-targetname

@@ -1 +1 @@
-5.2.4.1
+5.2.6-RC1

Shorewall/configfiles/snat

@@ -5,5 +5,6 @@
 #
 # See https://shorewall.org/manpages/shorewall-snat.html for more information
 #
-###########################################################################################################################################
-#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+?FORMAT 2
+###################################################################################################################################################
+#ACTION			SOURCE			DEST		PROTO	DPORT	SPORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY

Shorewall/lib.cli-std

@@ -338,7 +338,7 @@ get_config() {
 
     if [ -n "$DYNAMIC_BLACKLIST" -a "$(id -u)" = 0 ]; then
 	case $COMMAND in
-	    blacklist|allow|drop|logdrop|reject)
+	    blacklist*|allow|drop|logdrop|reject)
 		setup_dbl
 		;;
 	esac
@@ -386,6 +386,7 @@ uptodate() {
 
     [ -n "${find}" ] || return 1
     [ -h "${find}" ] && busybox=Yes
+    find="${find} -L"
 
     for dir in $g_shorewalldir $(split $CONFIG_PATH); do
 	if [ -n "${busybox}" ]; then

Shorewall/manpages/shorewall-actions.xml

@@ -26,8 +26,8 @@
     <title>Description</title>
 
     <para>This file allows you to define new ACTIONS for use in rules (see
-    <ulink url="shorewall-rules.html">shorewall-rules(5)</ulink>).
-    You define the iptables rules to be performed in an ACTION in
+    <ulink url="shorewall-rules.html">shorewall-rules(5)</ulink>). You define
+    the iptables rules to be performed in an ACTION in
     /etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
 
     <para>Columns are:</para>
@@ -148,8 +148,8 @@
               <listitem>
                 <para>Added in Shorewall 5.0.7. Specifies that this action is
                 to be used in <ulink
-                url="shorewall-mangle.html">shorewall-mangle(5)</ulink>
-                rather than <ulink
+                url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
+                than <ulink
                 url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
               </listitem>
             </varlistentry>
@@ -160,11 +160,11 @@
               <listitem>
                 <para>Added in Shorewall 5.0.13. Specifies that this action is
                 to be used in <ulink
-                url="shorewall-snat.html">shorewall-snat(5)</ulink>
-                rather than <ulink
-                url="shorewall-rules.html">shorewall-rules(5)</ulink>.
-                The <option>mangle</option> and <option>nat</option> options
-                are mutually exclusive.</para>
+                url="shorewall-snat.html">shorewall-snat(5)</ulink> rather
+                than <ulink
+                url="shorewall-rules.html">shorewall-rules(5)</ulink>. The
+                <option>mangle</option> and <option>nat</option> options are
+                mutually exclusive.</para>
               </listitem>
             </varlistentry>
 
@@ -212,6 +212,24 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><option>dport</option>=<replaceable>portorservice</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.6. Requires that the <emphasis
+                role="bold">proto</emphasis> option be previously given and
+                indicates that this action may only be applied to flows with
+                the specified <replaceable>protocol</replaceable> and
+                <replaceable>portorservice</replaceable>.
+                <replaceable>portorservice</replaceable> may be a valid port
+                number or the name of a service defined in /etc/services to be
+                usable with the specified <replaceable>protocol</replaceable>.
+                If a port or service is specified in the DPORT column of an
+                invocation, then it must match the named
+                <replaceable>portorservice</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><option>section</option></term>
 

Shorewall/manpages/shorewall-interfaces.xml

@@ -70,8 +70,7 @@
           in this column.</para>
 
           <para>If the interface serves multiple zones that will be defined in
-          the <ulink
-          url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
+          the <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
           file, you should place "-" in this column.</para>
 
           <para>If there are multiple interfaces to the same zone, you must
@@ -109,8 +108,8 @@ loc     eth2            -</programlisting>
           <para>When using Shorewall versions before 4.1.4, care must be
           exercised when using wildcards where there is another zone that uses
           a matching specific interface. See <ulink
-          url="shorewall-nesting.html">shorewall-nesting</ulink>(5)
-          for a discussion of this problem.</para>
+          url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
+          discussion of this problem.</para>
 
           <para>Shorewall allows '+' as an interface name, but that usage is
           deprecated. A better approach is to specify
@@ -370,8 +369,7 @@ loc     eth2            -</programlisting>
                 firewall through this interface and whether the source address
                 and/or destination address is to be compared against the
                 ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
-                <ulink
-                url="shorewall.conf.html">shorewall.conf(5)</ulink>).
+                <ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>).
                 The default is determine by the setting of
                 DYNAMIC_BLACKLIST:</para>
 
@@ -459,8 +457,8 @@ loc     eth2            -</programlisting>
 
                   <listitem>
                     <para>the interface is a <ulink
-                    url="../SimpleBridge.html">simple bridge</ulink> with a DHCP
-                    server on one port and DHCP clients on another
+                    url="../SimpleBridge.html">simple bridge</ulink> with a
+                    DHCP server on one port and DHCP clients on another
                     port.</para>
 
                     <note>
@@ -585,8 +583,8 @@ loc     eth2            -</programlisting>
               <listitem>
                 <para>Connection requests from this interface are compared
                 against the contents of <ulink
-                url="shorewall-maclist.html">shorewall-maclist</ulink>(5).
-                If this option is specified, the interface must be an Ethernet
+                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
+                this option is specified, the interface must be an Ethernet
                 NIC and must be up before Shorewall is started.</para>
               </listitem>
             </varlistentry>
@@ -650,8 +648,8 @@ loc     eth2            -</programlisting>
 
                 <para>Smurfs will be optionally logged based on the setting of
                 SMURF_LOG_LEVEL in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5).
-                After logging, the packets are dropped.</para>
+                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
+                logging, the packets are dropped.</para>
               </listitem>
             </varlistentry>
 
@@ -659,6 +657,11 @@ loc     eth2            -</programlisting>
               <term><emphasis role="bold">optional</emphasis></term>
 
               <listitem>
+                <para>This option indicates that the firewall should be able
+                to start, even if the interface is not usable for handling
+                traffic. It allows use of the <command>enable</command> and
+                <command>disable</command> commands on the interface.</para>
+
                 <para>When <option>optional</option> is specified for an
                 interface, Shorewall will be silent when:</para>
 
@@ -674,6 +677,16 @@ loc     eth2            -</programlisting>
                     <para>The first address of the interface cannot be
                     obtained.</para>
                   </listitem>
+
+                  <listitem>
+                    <para>The gateway of the interface can not be obtained
+                    (provider interface).</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>The interface has been disabled using the
+                    <command>disable</command> command.</para>
+                  </listitem>
                 </itemizedlist>
 
                 <para>May not be specified with <emphasis
@@ -826,9 +839,9 @@ loc     eth2            -</programlisting>
 
                 <important>
                   <para>If ROUTE_FILTER=Yes in <ulink
-                  url="shorewall.conf.html">shorewall.conf</ulink>(5),
-                  or if your distribution sets net.ipv4.conf.all.rp_filter=1
-                  in <filename>/etc/sysctl.conf</filename>, then setting
+                  url="shorewall.conf.html">shorewall.conf</ulink>(5), or if
+                  your distribution sets net.ipv4.conf.all.rp_filter=1 in
+                  <filename>/etc/sysctl.conf</filename>, then setting
                   <emphasis role="bold">routefilter</emphasis>=0 in an
                   <replaceable>interface</replaceable> entry will not disable
                   route filtering on that
@@ -848,8 +861,8 @@ loc     eth2            -</programlisting>
                   <itemizedlist>
                     <listitem>
                       <para>If USE_DEFAULT_RT=Yes in <ulink
-                      url="shorewall.conf.html">shorewall.conf</ulink>(5)
-                      and the interface is listed in <ulink
+                      url="shorewall.conf.html">shorewall.conf</ulink>(5) and
+                      the interface is listed in <ulink
                       url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
                     </listitem>
 

Shorewall/manpages/shorewall-providers.xml

@@ -79,13 +79,13 @@
 
         <listitem>
           <para>A FWMARK <emphasis>value</emphasis> used in your <ulink
-          url="shorewall-mangle.html">shorewall-mangle(5)</ulink>
-          file to direct packets to this provider.</para>
+          url="shorewall-mangle.html">shorewall-mangle(5)</ulink> file to
+          direct packets to this provider.</para>
 
           <para>If PROVIDER_OFFSET is non-zero in <ulink
-          url="shorewall.conf.html">shorewall.conf(5)</ulink>, then
-          the value must be a multiple of 2^^PROVIDER_OFFSET. In all cases,
-          the number of significant bits may not exceed PROVIDER_OFFSET +
+          url="shorewall.conf.html">shorewall.conf(5)</ulink>, then the value
+          must be a multiple of 2^^PROVIDER_OFFSET. In all cases, the number
+          of significant bits may not exceed PROVIDER_OFFSET +
           PROVIDER_BITS.</para>
         </listitem>
       </varlistentry>
@@ -111,8 +111,8 @@
         <listitem>
           <para>The name of the network interface to the provider. Must be
           listed in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
-          In general, that interface should not have the
+          url="shorewall-interfaces.html">shorewall-interfaces(5)</ulink>. In
+          general, that interface should not have the
           <option>proxyarp</option> or <option>proxyndp</option> option
           specified unless <option>loose</option> is given in the OPTIONS
           column of this entry.</para>
@@ -190,9 +190,8 @@
 
                 <para>Beginning with Shorewall 4.4.3, <option>track</option>
                 defaults to the setting of the TRACK_PROVIDERS option in
-                <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>
-                (5). If you set TRACK_PROVIDERS=Yes and want to override that
+                <ulink url="shorewall.conf.html">shorewall.conf</ulink> (5).
+                If you set TRACK_PROVIDERS=Yes and want to override that
                 setting for an individual provider, then specify
                 <option>notrack</option> (see below).</para>
               </listitem>
@@ -343,7 +342,7 @@
                 <replaceable>weight</replaceable> is given, a balanced route
                 is added with the weight of this provider equal to the
                 specified <replaceable>weight</replaceable>. If the option is
-                given without a <replaceable>weight</replaceable>, an separate
+                given without a <replaceable>weight</replaceable>, a separate
                 default route is added through the provider's gateway; the
                 route has a metric equal to the provider's NUMBER.</para>
 

Shorewall/manpages/shorewall-snat.xml

@@ -39,12 +39,26 @@
       <para>If you have more than one ISP link, adding entries to this file
       will <emphasis role="bold">not</emphasis> force connections to go out
       through a particular link. You must use entries in <ulink
-      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
-      PREROUTING entries in <ulink
+      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
+      entries in <ulink
       url="shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
       that.</para>
     </warning>
 
+    <para>Beginning with Shorewall 5.2.6, the snat file supports two different
+    formats:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>The SPORT (source port) column is omitted. This is the default
+        unless a "?FORMAT 2" compiler directive is included.</para>
+      </listitem>
+
+      <listitem>
+        <para>The SPORT column immediately follows the DPORT column.</para>
+      </listitem>
+    </orderedlist>
+
     <para>The columns in the file are as follows.</para>
 
     <variablelist>
@@ -68,10 +82,10 @@
               <listitem>
                 <para>where <replaceable>action</replaceable> is an action
                 declared in <ulink
-                url="shorewall-actions.html">shorewall-actions(5)</ulink>
-                with the <option>nat</option> option. See <ulink
-                url="../Actions.html">https://shorewall.org/Actions.html</ulink> for
-                further information.</para>
+                url="shorewall-actions.html">shorewall-actions(5)</ulink> with
+                the <option>nat</option> option. See <ulink
+                url="../Actions.html">https://shorewall.org/Actions.html</ulink>
+                for further information.</para>
               </listitem>
             </varlistentry>
 
@@ -165,9 +179,9 @@
                 <para>If you specify an address here, matching packets will
                 have their source address set to that address. If
                 ADD_SNAT_ALIASES is set to Yes or yes in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5)
-                then Shorewall will automatically add this address to the
-                INTERFACE named in the first column (IPv4 only).</para>
+                url="shorewall.conf.html">shorewall.conf</ulink>(5) then
+                Shorewall will automatically add this address to the INTERFACE
+                named in the first column (IPv4 only).</para>
 
                 <para>You may also specify a range of up to 256 IP addresses
                 if you want the SNAT address to be assigned from that range in
@@ -237,10 +251,10 @@
 
           <para>Normally Masq/SNAT rules are evaluated after those for
           one-to-one NAT (defined in <ulink
-          url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you
-          want the rule to be applied before one-to-one NAT rules, follow the
-          action name with "+": This feature should only be required if you
-          need to insert rules in this file that preempt entries in <ulink
+          url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
+          rule to be applied before one-to-one NAT rules, follow the action
+          name with "+": This feature should only be required if you need to
+          insert rules in this file that preempt entries in <ulink
           url="shorewall-nat.html">shorewall-nat</ulink>(5).</para>
         </listitem>
       </varlistentry>
@@ -279,23 +293,23 @@
           networks. Multiple interfaces may be listed when the ACTION is
           MASQUERADE, but this is usually just your internet interface. If
           ADD_SNAT_ALIASES=Yes in <ulink
-          url="shorewall.conf.html">shorewall.conf</ulink>(5), you
-          may add ":" and a <emphasis>digit</emphasis> to indicate that you
-          want the alias added with that name (e.g., eth0:0). This will allow
-          the alias to be displayed with ifconfig. <emphasis role="bold">That
-          is the only use for the alias name; it may not appear in any other
-          place in your Shorewall configuration.</emphasis></para>
+          url="shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
+          and a <emphasis>digit</emphasis> to indicate that you want the alias
+          added with that name (e.g., eth0:0). This will allow the alias to be
+          displayed with ifconfig. <emphasis role="bold">That is the only use
+          for the alias name; it may not appear in any other place in your
+          Shorewall configuration.</emphasis></para>
 
           <para>Beginning with Shorewall 5.1.12, SNAT may be performed in the
           nat table's INPUT chain by specifying $FW rather than one or more
-          interfaces. </para>
+          interfaces.</para>
 
           <para>Each interface must match an entry in <ulink
           url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
           Shorewall allows loose matches to wildcard entries in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-          For example, <filename class="devicefile">ppp0</filename> in this
-          file will match a <ulink
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
+          example, <filename class="devicefile">ppp0</filename> in this file
+          will match a <ulink
           url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
           entry that defines <filename
           class="devicefile">ppp+</filename>.</para>
@@ -315,8 +329,8 @@
           addresses to indicate that you only want to change the source IP
           address for packets being sent to those particular destinations.
           Exclusion is allowed (see <ulink
-          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
-          as are ipset names preceded by a plus sign '+';</para>
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
+          are ipset names preceded by a plus sign '+';</para>
 
           <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
           entry then include the ":" but omit the digit:</para>
@@ -341,8 +355,7 @@
         <listitem>
           <para>If you wish to restrict this entry to a particular protocol
           then enter the protocol name (from protocols(5)) or number here. See
-          <ulink
-          url="shorewall-rules.html">shorewall-rules(5)</ulink> for
+          <ulink url="shorewall-rules.html">shorewall-rules(5)</ulink> for
           details.</para>
 
           <para>Beginning with Shorewall 4.5.12, this column can accept a
@@ -356,10 +369,14 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PORT</emphasis> (Optional) -
+        <term><emphasis role="bold">{PORT|DPORT}</emphasis> (Optional) -
         {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
 
         <listitem>
+          <para>The column was renamed to DPORT in Shorewall 5.2.6. Beginning
+          with that release, both PORT and DPORT are accepted in the
+          alternative input format,</para>
+
           <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
           SCTP (132) or UDPLITE (136) then you may list one or more port
           numbers (or names from services(5)) or port ranges separated by
@@ -375,6 +392,27 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">SPORT
+        {-|[!]<replaceable>port-name-or-number</replaceable>[,<replaceable>port-name-or-number</replaceable>]...|+<replaceable>ipset</replaceable>}</emphasis></term>
+
+        <listitem>
+          <para>FORMAT 2 only.</para>
+
+          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
+          SCTP (132) or UDPLITE (136) then you may list one or more port
+          numbers (or names from services(5)) or port ranges separated by
+          commas.</para>
+
+          <para>Port ranges are of the form
+          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
+
+          <para>An <replaceable>ipset</replaceable> name can be specified in
+          this column. This is intended to be used with
+          <firstterm>bitmap:port</firstterm> ipsets.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
         [<emphasis>option</emphasis>[<emphasis

Shorewall/manpages/shorewall.conf.xml

@@ -245,8 +245,8 @@
         <listitem>
           <para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
           is enabled (see <ulink
-          url="shorewall-accounting.html">shorewall-accounting</ulink>(5)).
-          If not specified or set to the empty value, ACCOUNTING=Yes is
+          url="shorewall-accounting.html">shorewall-accounting</ulink>(5)). If
+          not specified or set to the empty value, ACCOUNTING=Yes is
           assumed.</para>
         </listitem>
       </varlistentry>
@@ -271,8 +271,8 @@
         <listitem>
           <para>This parameter determines whether Shorewall automatically adds
           the external address(es) in <ulink
-          url="shorewall-nat.html">shorewall-nat</ulink>(5), and is
-          only available in IPv4 configurations. If the variable is set to
+          url="shorewall-nat.html">shorewall-nat</ulink>(5), and is only
+          available in IPv4 configurations. If the variable is set to
           <emphasis role="bold">Yes</emphasis> or <emphasis
           role="bold">yes</emphasis> then Shorewall automatically adds these
           aliases. If it is set to <emphasis role="bold">No</emphasis> or
@@ -300,8 +300,8 @@
         <listitem>
           <para>This parameter determines whether Shorewall automatically adds
           the SNAT ADDRESS in <ulink
-          url="shorewall-masq.html">shorewall-masq</ulink>(5), and
-          is only available in IPv4 configurations. If the variable is set to
+          url="shorewall-masq.html">shorewall-masq</ulink>(5), and is only
+          available in IPv4 configurations. If the variable is set to
           <emphasis role="bold">Yes</emphasis> or <emphasis
           role="bold">yes</emphasis> then Shorewall automatically adds these
           addresses. If it is set to <emphasis role="bold">No</emphasis> or
@@ -445,8 +445,7 @@
 
                 <listitem>
                   <para>Specify the appropriate helper in the HELPER column in
-                  <ulink
-                  url="shorewall-rules.html">shorewall-rules</ulink>
+                  <ulink url="shorewall-rules.html">shorewall-rules</ulink>
                   (5).</para>
 
                   <note>
@@ -514,8 +513,8 @@
           <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
           determines whether the <option>balance</option> provider option (see
           <ulink
-          url="shorewall-providers.html">shorewall-providers(5)</ulink>)
-          is the default. When BALANCE_PROVIDERS=Yes, then the
+          url="shorewall-providers.html">shorewall-providers(5)</ulink>) is
+          the default. When BALANCE_PROVIDERS=Yes, then the
           <option>balance</option> option is assumed unless the
           <option>fallback</option>, <option>loose</option>,
           <option>load</option> or <option>tproxy</option> option is
@@ -531,8 +530,8 @@
         <listitem>
           <para>Added in Shorewall-4.6.0. When set to <emphasis
           role="bold">Yes</emphasis>, causes entries in <ulink
-          url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>
-          to generate a basic filter rather than a u32 filter. This setting
+          url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink> to
+          generate a basic filter rather than a u32 filter. This setting
           requires the <firstterm>Basic Ematch</firstterm> capability in your
           kernel and iptables.</para>
 
@@ -589,8 +588,7 @@
 
           <para>The BLACKLIST_DISPOSITION setting determines the disposition
           of packets sent to the <emphasis role="bold">blacklog</emphasis>
-          target of <ulink
-          url="shorewall-blrules.html">shorewall-blrules
+          target of <ulink url="shorewall-blrules.html">shorewall-blrules
           </ulink>(5), but otherwise does not affect entries in that
           file.</para>
         </listitem>
@@ -652,8 +650,8 @@
           not supply an /etc/shorewall/tcstart file. That way, your traffic
           shaping rules can still use the “fwmark” classifier based on packet
           marking defined in <ulink
-          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
-          If not specified, CLEAR_TC=Yes is assumed.</para>
+          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5). If not
+          specified, CLEAR_TC=Yes is assumed.</para>
 
           <warning>
             <para>When you specify TC_ENABLED=shared (see below), then you
@@ -943,14 +941,37 @@
                 </important>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term>log</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.5. When specified, successful
+                'blacklist' and 'allow' commands will log a message to the
+                system log.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>noupdate</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.5. Normally, once an address has
+                been blacklisted, each time that a packet is received from the
+                packet, the ipset's entry for the address is updated to reset
+                the timeout to the value specifyed in the
+                <option>timeout</option> option above. Setting the
+                <option>noupdate</option> option, inhibits this resetting of
+                the entry's timeout. This option is ignored when the
+                <option>timeout</option> option is not specified.</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
 
           <para>When ipset-based dynamic blacklisting is enabled, the contents
           of the blacklist will be preserved over
           <command>stop</command>/<command>reboot</command>/<command>start</command>
-          sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
-          <replaceable>setname</replaceable> is included in the list of sets
-          to be saved in SAVE_IPSETS.</para>
+          sequences.</para>
         </listitem>
       </varlistentry>
 
@@ -1159,12 +1180,11 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
           <para>Subzones are defined by following their name with ":" and a
           list of parent zones (in <ulink
-          url="shorewall-zones.html">shorewall-zones</ulink>(5)).
-          Normally, you want to have a set of special rules for the subzone
-          and if a connection doesn't match any of those subzone-specific
-          rules then you want the parent zone rules and policies to be
-          applied; see <ulink
-          url="shorewall-nesting.html">shorewall-nesting</ulink>(5).
+          url="shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
+          you want to have a set of special rules for the subzone and if a
+          connection doesn't match any of those subzone-specific rules then
+          you want the parent zone rules and policies to be applied; see
+          <ulink url="shorewall-nesting.html">shorewall-nesting</ulink>(5).
           With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
 
           <para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
@@ -1182,10 +1202,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         <listitem>
           <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
           INVALID packets through the NEW section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5).
-          When a packet in INVALID state fails to match any rule in the
-          INVALID section, the packet is disposed of based on this setting.
-          The default value is CONTINUE for compatibility with earlier
+          url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
+          packet in INVALID state fails to match any rule in the INVALID
+          section, the packet is disposed of based on this setting. The
+          default value is CONTINUE for compatibility with earlier
           versions.</para>
         </listitem>
       </varlistentry>
@@ -1197,9 +1217,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         <listitem>
           <para>Added in Shorewall 4.5.13. Packets in the INVALID state that
           do not match any rule in the INVALID section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5) are
-          logged at this level. The default value is empty which means no
-          logging is performed.</para>
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          this level. The default value is empty which means no logging is
+          performed.</para>
         </listitem>
       </varlistentry>
 
@@ -1482,8 +1502,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           sample configurations use this as the default log level and changing
           it will change all packet logging done by the configuration. In any
           configuration file (except <ulink
-          url="shorewall-params.html">shorewall-params(5)</ulink>),
-          $LOG_LEVEL will expand to this value.</para>
+          url="shorewall-params.html">shorewall-params(5)</ulink>), $LOG_LEVEL
+          will expand to this value.</para>
         </listitem>
       </varlistentry>
 
@@ -1635,8 +1655,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           <note>
             <para>The setting of LOGFORMAT has an effect of the permitted
             length of zone names. See <ulink
-            url="shorewall-zones.html">shorewall-zones</ulink>
-            (5).</para>
+            url="shorewall-zones.html">shorewall-zones</ulink> (5).</para>
           </note>
 
           <caution>
@@ -1793,8 +1812,8 @@ LOG:info:,bar                        net                    fw</programlisting>
         <listitem>
           <para>The performance of configurations with a large numbers of
           entries in <ulink
-          url="shorewall-maclist.html">shorewall-maclist</ulink>(5)
-          can be improved by setting the MACLIST_TTL variable in <ulink
+          url="shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
+          improved by setting the MACLIST_TTL variable in <ulink
           url="shorewall.conf.html">shorewall[6].conf</ulink>(5).</para>
 
           <para>If your iptables and kernel support the "Recent Match" (see
@@ -1804,15 +1823,14 @@ LOG:info:,bar                        net                    fw</programlisting>
 
           <para>When a new connection arrives from a 'maclist' interface, the
           packet passes through then list of entries for that interface in
-          <ulink
-          url="shorewall-maclist.html">shorewall-maclist</ulink>(5).
-          If there is a match then the source IP address is added to the
-          'Recent' set for that interface. Subsequent connection attempts from
-          that IP address occurring within $MACLIST_TTL seconds will be
-          accepted without having to scan all of the entries. After
-          $MACLIST_TTL from the first accepted connection request from an IP
-          address, the next connection request from that IP address will be
-          checked against the entire list.</para>
+          <ulink url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
+          there is a match then the source IP address is added to the 'Recent'
+          set for that interface. Subsequent connection attempts from that IP
+          address occurring within $MACLIST_TTL seconds will be accepted
+          without having to scan all of the entries. After $MACLIST_TTL from
+          the first accepted connection request from an IP address, the next
+          connection request from that IP address will be checked against the
+          entire list.</para>
 
           <para>If MACLIST_TTL is not specified or is specified as empty (e.g,
           MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
@@ -2386,13 +2404,12 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
         <listitem>
           <para>Added in Shorewall 4.4.27. Shorewall has traditionally
           ACCEPTed RELATED packets that don't match any rule in the RELATED
-          section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5).
-          Concern about the safety of this practice resulted in the addition
-          of this option. When a packet in RELATED state fails to match any
-          rule in the RELATED section, the packet is disposed of based on this
-          setting. The default value is ACCEPT for compatibility with earlier
-          versions.</para>
+          section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
+          (5). Concern about the safety of this practice resulted in the
+          addition of this option. When a packet in RELATED state fails to
+          match any rule in the RELATED section, the packet is disposed of
+          based on this setting. The default value is ACCEPT for compatibility
+          with earlier versions.</para>
         </listitem>
       </varlistentry>
 
@@ -2403,9 +2420,9 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
         <listitem>
           <para>Added in Shorewall 4.4.27. Packets in the related state that
           do not match any rule in the RELATED section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5) are
-          logged at this level. The default value is empty which means no
-          logging is performed.</para>
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          this level. The default value is empty which means no logging is
+          performed.</para>
         </listitem>
       </varlistentry>
 
@@ -2506,8 +2523,7 @@ INLINE          -       -       -       ;; -j REJECT
           <para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
           at least one optional interface must be up in order for the firewall
           to be in the started state. Intended to be used with the <ulink
-          url="shorewall-init.html">Shorewall Init
-          Package</ulink>.</para>
+          url="shorewall-init.html">Shorewall Init Package</ulink>.</para>
         </listitem>
       </varlistentry>
 
@@ -2593,18 +2609,17 @@ INLINE          -       -       -       ;; -j REJECT
           <para>During <emphasis role="bold">shorewall star</emphasis>t, IP
           addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
           ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
-          url="shorewall-nat.html">shorewall-nat</ulink>(5) and
-          <ulink url="shorewall-masq.html">shorewall-masq</ulink>(5)
-          are processed then are re-added later. This is done to help ensure
-          that the addresses can be added with the specified labels but can
-          have the undesirable side effect of causing routes to be quietly
-          deleted. When RETAIN_ALIASES is set to Yes, existing addresses will
-          not be deleted. Regardless of the setting of RETAIN_ALIASES,
-          addresses added during <emphasis role="bold">shorewall
-          start</emphasis> are still deleted at a subsequent <emphasis
-          role="bold">shorewall [stop</emphasis>, <emphasis
-          role="bold">shorewall reload</emphasis> or <emphasis
-          role="bold">shorewall restart</emphasis>.</para>
+          url="shorewall-nat.html">shorewall-nat</ulink>(5) and <ulink
+          url="shorewall-masq.html">shorewall-masq</ulink>(5) are processed
+          then are re-added later. This is done to help ensure that the
+          addresses can be added with the specified labels but can have the
+          undesirable side effect of causing routes to be quietly deleted.
+          When RETAIN_ALIASES is set to Yes, existing addresses will not be
+          deleted. Regardless of the setting of RETAIN_ALIASES, addresses
+          added during <emphasis role="bold">shorewall start</emphasis> are
+          still deleted at a subsequent <emphasis role="bold">shorewall
+          [stop</emphasis>, <emphasis role="bold">shorewall reload</emphasis>
+          or <emphasis role="bold">shorewall restart</emphasis>.</para>
         </listitem>
       </varlistentry>
 
@@ -2708,9 +2723,9 @@ INLINE          -       -       -       ;; -j REJECT
         <listitem>
           <para>Added in Shorewall 4.4.20. Determines the disposition of
           packets matching the <option>sfilter</option> option (see <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          and of <firstterm>hairpin</firstterm> packets on interfaces without
-          the <option>routeback</option> option.<footnote>
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
+          of <firstterm>hairpin</firstterm> packets on interfaces without the
+          <option>routeback</option> option.<footnote>
               <para>Hairpin packets are packets that are routed out of the
               same interface that they arrived on.</para>
             </footnote></para>
@@ -2724,9 +2739,9 @@ INLINE          -       -       -       ;; -j REJECT
         <listitem>
           <para>Added on Shorewall 4.4.20. Determines the logging of packets
           matching the <option>sfilter</option> option (see <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          and of <firstterm>hairpin</firstterm> packets on interfaces without
-          the <option>routeback</option> option.<footnote>
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
+          of <firstterm>hairpin</firstterm> packets on interfaces without the
+          <option>routeback</option> option.<footnote>
               <para>Hairpin packets are packets that are routed out of the
               same interface that they arrived on.</para>
             </footnote> The default is <option>info</option>. If you don't
@@ -2754,9 +2769,9 @@ INLINE          -       -       -       ;; -j REJECT
         <listitem>
           <para>Added in Shorewall 4.4.20. The default setting is DROP which
           causes smurf packets (see the nosmurfs option in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          to be dropped. A_DROP causes the packets to be audited prior to
-          being dropped and requires AUDIT_TARGET support in the kernel and
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
+          be dropped. A_DROP causes the packets to be audited prior to being
+          dropped and requires AUDIT_TARGET support in the kernel and
           iptables.</para>
         </listitem>
       </varlistentry>
@@ -2768,8 +2783,8 @@ INLINE          -       -       -       ;; -j REJECT
         <listitem>
           <para>Specifies the logging level for smurf packets (see the
           nosmurfs option in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
-          If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)). If
+          set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
           logged.</para>
         </listitem>
       </varlistentry>
@@ -2871,8 +2886,7 @@ INLINE          -       -       -       ;; -j REJECT
           <para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
           simple traffic shaping using <ulink
           url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
-          and <ulink
-          url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
+          and <ulink url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
           enabled.</para>
 
           <para>If you set TC_ENABLED=Internal or internal or leave the option
@@ -2936,10 +2950,10 @@ INLINE          -       -       -       ;; -j REJECT
           <para>Determines the disposition of TCP packets that fail the checks
           enabled by the <emphasis role="bold">tcpflags</emphasis> interface
           option (see <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          and must have a value of ACCEPT (accept the packet), REJECT (send an
-          RST response) or DROP (ignore the packet). If not set or if set to
-          the empty value (e.g., TCP_FLAGS_DISPOSITION="") then
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
+          must have a value of ACCEPT (accept the packet), REJECT (send an RST
+          response) or DROP (ignore the packet). If not set or if set to the
+          empty value (e.g., TCP_FLAGS_DISPOSITION="") then
           TCP_FLAGS_DISPOSITION=DROP is assumed.</para>
 
           <para>A_DROP and A_REJECT are audited versions of DROP and REJECT
@@ -2968,8 +2982,8 @@ INLINE          -       -       -       ;; -j REJECT
           <para>Added in Shorewall 4.4.3. When set to Yes, causes the
           <option>track</option> option to be assumed on all providers defined
           in <ulink
-          url="shorewall-providers.html">shorewall-providers</ulink>(5).
-          May be overridden on an individual provider through use of the
+          url="shorewall-providers.html">shorewall-providers</ulink>(5). May
+          be overridden on an individual provider through use of the
           <option>notrack</option> option. The default value is 'No'.</para>
 
           <para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
@@ -3023,10 +3037,10 @@ INLINE          -       -       -       ;; -j REJECT
         <listitem>
           <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
           UNTRACKED packets through the NEW section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5).
-          When a packet in UNTRACKED state fails to match any rule in the
-          UNTRACKED section, the packet is disposed of based on this setting.
-          The default value is CONTINUE for compatibility with earlier
+          url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
+          packet in UNTRACKED state fails to match any rule in the UNTRACKED
+          section, the packet is disposed of based on this setting. The
+          default value is CONTINUE for compatibility with earlier
           versions.</para>
         </listitem>
       </varlistentry>
@@ -3038,9 +3052,9 @@ INLINE          -       -       -       ;; -j REJECT
         <listitem>
           <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
           do not match any rule in the UNTRACKED section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5) are
-          logged at this level. The default value is empty which means no
-          logging is performed.</para>
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          this level. The default value is empty which means no logging is
+          performed.</para>
         </listitem>
       </varlistentry>
 
@@ -3062,8 +3076,8 @@ INLINE          -       -       -       ;; -j REJECT
           <orderedlist>
             <listitem>
               <para>Both the DUPLICATE and the COPY columns in <ulink
-              url="shorewall-providers.html">providers</ulink>(5)
-              file must remain empty (or contain "-").</para>
+              url="shorewall-providers.html">providers</ulink>(5) file must
+              remain empty (or contain "-").</para>
             </listitem>
 
             <listitem>
@@ -3083,9 +3097,9 @@ INLINE          -       -       -       ;; -j REJECT
             <listitem>
               <para>Packets are sent through the main routing table by a rule
               with priority 999. In <ulink
-              url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5),
-              the range 1-998 may be used for inserting rules that bypass the
-              main table.</para>
+              url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5), the
+              range 1-998 may be used for inserting rules that bypass the main
+              table.</para>
             </listitem>
 
             <listitem>

Shorewall6/configfiles/snat

@@ -5,5 +5,7 @@
 #
 # See https://shorewall.org/manpages/shorewall-snat.html for more information
 #
-###########################################################################################################################################
-#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+?FORMAT 2
+###################################################################################################################################################
+#ACTION			SOURCE			DEST		PROTO	DPORT	SPORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+

docs/Build.xml

@@ -40,7 +40,11 @@
 
   <note>
     <para>This information is provided primarily for Shorewall developers.
-    Users are expected to install from pre-built tarballs or packages.</para>
+	    Users are expected to install from pre-built tarballs or packages.
+	    In addition to the below, it is also suggested to read the
+	    <ulink url="https://gitlab.com/shorewall/tools/raw/master/files/shorewall-release-process.txt">README file</ulink>
+	    located in the root directory of the tools repository.
+    </para>
   </note>
 
   <section>
@@ -98,6 +102,21 @@
       version.</para>
     </section>
 
+    <section>
+      <title>release (Clone of Release)</title>
+
+      <para>Added in Shorewall 4.4.22, this directory contains the files that
+      contain release-dependent information (change.txt, releasenotes.txt,
+      .spec files, etc). This is actually a symbolic link to ../release which
+      has its own Git repository.</para>
+    </section>
+
+    <section>
+      <title>testing (Clone of Testing)</title>
+
+      <para> This directory contains the regression library files.</para>
+    </section>
+
     <section>
       <title>tools (Clone of Tools)</title>
 
@@ -117,7 +136,8 @@
           <term>tools/files</term>
 
           <listitem>
-            <para>Files that are used during the release process.</para>
+		  <para>Files that are used during the release process.
+		  The license and readme files are also kept there.</para>
           </listitem>
         </varlistentry>
 
@@ -145,15 +165,6 @@
       <para>The files from the web site that are maintained in HTML format.
       are kept in this directory.</para>
     </section>
-
-    <section>
-      <title>release (Clone of Release)</title>
-
-      <para>Added in Shorewall 4.4.22, this directory contains the files that
-      contain release-dependent information (change.txt, releasenotes.txt,
-      .spec files, etc). This is actually a symbolic link to ../release which
-      has its own Git repository.</para>
-    </section>
   </section>
 
   <section>
@@ -180,10 +191,11 @@
     </section>
 
     <section>
-      <title>build45, build46 and build50</title>
+      <title>build45, build46, and build</title>
 
       <para>These are the scripts that respectively build Shorewall 4.5,
-      Shorewall 4.6 and Shorewall 5.[012] packages from Git.</para>
+      Shorewall 4.6 and Shorewall 5.[012] packages from Git.
+      Build is actually a symlink to the current build script.</para>
 
       <para>The scripts copy content from Git using the <command>git
       archive</command> command. They then use that content to build the
@@ -297,7 +309,7 @@
       <para>The general form of the build command is:</para>
 
       <blockquote>
-        <para><command>build</command>xx [ -<replaceable>options</replaceable>
+	      <para><command>build</command>[<replaceable>xx</replaceable>] [ -<replaceable>options</replaceable>
         ] <replaceable>release</replaceable> [ <replaceable>prior
         release</replaceable> ]</para>
       </blockquote>

docs/SharedConfig.xml

@@ -2,7 +2,7 @@
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <article>
-  <!--mangle$Id$-->
+  <!--$Id$-->
 
   <articleinfo>
     <title>Shared Shorewall and Shorewall6 Configuration</title>
@@ -20,6 +20,8 @@
     <copyright>
       <year>2017</year>
 
+      <year>2020</year>
+
       <holder>Thomas M. Eastep</holder>
     </copyright>
 
@@ -37,7 +39,7 @@
   <section>
     <title>Introduction</title>
 
-    <para>Netfilter separates management of IPv4 and IPv6 configurations. Each
+    <para>Iptables separates management of IPv4 and IPv6 configurations. Each
     address family has its own utility (iptables and ip6tables), and changes
     made to the configuration of one address family do not affect the other.
     While Shorewall also separates the address families in this way, it is
@@ -68,7 +70,7 @@
 
     <para>Here is a diagram of this installation:</para>
 
-    <graphic fileref="images/Network2017.png"/>
+    <graphic fileref="images/Network2020.png"/>
   </section>
 
   <section>
@@ -76,36 +78,40 @@
 
     <para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para>
 
-    <programlisting>root@gateway:~# ls -l /etc/shorewall/
-total 92
+    <programlisting>root@gateway:~# ls -l /etc/shorewall
+total 120
 -rw-r--r-- 1 root root  201 Mar 19  2017 action.Mirrors
--rw-r--r-- 1 root root  109 Oct 20 09:18 actions
--rw-r--r-- 1 root root  654 Oct 13 13:46 conntrack
--rw-r--r-- 1 root root  104 Oct 13 13:21 hosts
--rw-r--r-- 1 root root  867 Jul  1 10:50 interfaces
--rw-r--r-- 1 root root  107 Jun 29 15:14 isusable
--rw-r--r-- 1 root root  240 Oct 13 13:34 macro.FTP
--rw-r--r-- 1 root root  559 Oct 19 12:56 mangle
--rw-r--r-- 1 root root 1290 Jun 29 15:16 mirrors
--rw-r--r-- 1 root root 2687 Oct 15 14:20 params
--rw-r--r-- 1 root root  738 Oct 15 12:16 policy
--rw-r--r-- 1 root root 1838 Oct 11 08:29 providers
+-rw-r--r-- 1 root root  109 Oct 20  2017 actions
+-rw-r--r-- 1 root root   82 Oct  5  2018 arprules
+-rw-r--r-- 1 root root  528 Oct  7  2019 blrules
+-rw-r--r-- 1 root root 1797 Sep 16  2019 capabilities
+-rw-r--r-- 1 root root  656 Jun 10  2018 conntrack
+-rw-r--r-- 1 root root  104 Oct 13  2017 hosts
+-rw-r--r-- 1 root root  867 Jun 10  2018 interfaces
+-rw-r--r-- 1 root root  107 Jun 29  2017 isusable
+-rw-r--r-- 1 root root  240 Oct 13  2017 macro.FTP
+-rw-r--r-- 1 root root  705 Oct 22  2019 mangle
+-rw-r--r-- 1 root root 1308 Apr  2  2018 mirrors
+-rw-r--r-- 1 root root 2889 Apr 23 17:13 params
+-rw-r--r-- 1 root root 1096 Oct 14  2019 policy
+-rw-r--r-- 1 root root 2098 Apr 23 17:19 providers
 -rw-r--r-- 1 root root  398 Mar 18  2017 proxyarp
--rw-r--r-- 1 root root  738 Nov  8 09:34 routes
--rw-r--r-- 1 root root  729 Nov  7 12:52 rtrules
--rw-r--r-- 1 root root 6367 Oct 13 13:21 rules
--rw-r--r-- 1 root root 5520 Oct 19 10:01 shorewall.conf
--rw-r--r-- 1 root root 1090 Oct 25 15:17 snat
--rw-r--r-- 1 root root  181 Jun 29 15:12 started
--rw-r--r-- 1 root root  435 Oct 13 13:21 tunnels
--rw-r--r-- 1 root root  941 Oct 15 11:27 zones
-root@gateway:~# ls -l /etc/shorewall6/
-total 8
-lrwxrwxrwx 1 root root   20 Jul  6 16:35 mirrors -&gt; ../shorewall/mirrors
-lrwxrwxrwx 1 root root   19 Jul  6 12:48 params -&gt; ../shorewall/params
--rw-r--r-- 1 root root 5332 Oct 14 11:53 shorewall6.conf
-root@gateway:~# 
-</programlisting>
+-rw-r--r-- 1 root root  726 Oct 24  2018 routes
+-rw-r--r-- 1 root root  729 Mar  1 11:08 rtrules
+-rw-r--r-- 1 root root 8593 Feb 25 08:49 rules
+-rw-r--r-- 1 root root 5490 Mar  1 18:34 shorewall.conf
+-rw-r--r-- 1 root root 1090 Sep 16  2019 snat
+-rw-r--r-- 1 root root  180 Jan 30  2018 started
+-rw-r--r-- 1 root root  539 Feb  6 14:33 stoppedrules
+-rw-r--r-- 1 root root  435 Oct 13  2017 tunnels
+-rw-r--r-- 1 root root  941 Oct 15  2017 zones
+root@gateway:~# ls -l /etc/shorewall6
+total 12
+-rw-r--r-- 1 root root 1786 Sep 16  2019 capabilities
+lrwxrwxrwx 1 root root   20 Jul  6  2017 mirrors -&gt; ../shorewall/mirrors
+lrwxrwxrwx 1 root root   19 Jul  6  2017 params -&gt; ../shorewall/params
+-rw-r--r-- 1 root root 5324 Oct 18  2019 shorewall6.conf
+root@gateway:~#</programlisting>
 
     <para>The various configuration files are described in the sections that
     follow. Note that in all cases, these files use the <ulink
@@ -171,7 +177,7 @@ DEFAULT_PAGER=/usr/bin/less
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
-#  Manpage also online at https://shorewall.org/manpages/shorewall.conf.html
+#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -185,11 +191,11 @@ VERBOSITY=1
 ###############################################################################
 PAGER=pager
 ###############################################################################
-#			     F I R E W A L L
+#                            F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
-#			       L O G G I N G
+#                             L O G G I N G
 ###############################################################################
 LOG_LEVEL="NFLOG(0,64,1)"
 BLACKLIST_LOG_LEVEL="none"
@@ -197,9 +203,10 @@ INVALID_LOG_LEVEL=
 LOG_BACKEND=netlink
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=1
+LOG_ZONE=Src
 LOGALLNEW=
 LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
-LOGFORMAT=": %s %s"
+LOGFORMAT="%s %s"
 LOGTAGONLY=Yes
 LOGLIMIT="s:5/min"
 MACLIST_LOG_LEVEL="$LOG_LEVEL"
@@ -211,7 +218,7 @@ STARTUP_LOG=/var/log/shorewall-init.log
 TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 UNTRACKED_LOG_LEVEL=
 ###############################################################################
-#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
+#     L O C A T I O N    O F    F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 ARPTABLES=
 CONFIG_PATH="/etc/shorewall:/usr/share/shorewall:/usr/share/shorewall/Shorewall"
@@ -229,7 +236,7 @@ SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
 TC=
 ###############################################################################
-#		D E F A U L T   A C T I O N S / M A C R O S
+#               D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 BLACKLIST_DEFAULT="NotSyn(DROP):$LOG_LEVEL"
@@ -238,15 +245,15 @@ NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
-#			 R S H / R C P	C O M M A N D S
+#                    R S H / R C P    C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 ###############################################################################
-#			F I R E W A L L	  O P T I O N S
+#                    F I R E W A L L  O P T I O N S
 ###############################################################################
 ACCOUNTING=Yes
-ACCOUNTING_TABLE=mangle
+ACCOUNTING_TABLE=filter
 ADD_IP_ALIASES=No
 ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
@@ -256,7 +263,7 @@ AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
-CLAMPMSS=Yes
+CLAMPMSS=No
 CLEAR_TC=Yes
 COMPLETE=No
 DEFER_DNS_RESOLUTION=No
@@ -266,22 +273,19 @@ DISABLE_IPV6=No
 DOCKER=No
 DONT_LOAD="nf_nat_sip,nf_conntrack_sip,nf_conntrack_h323,nf_nat_h323"
 DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
-EXPAND_POLICIES=Yes
+EXPAND_POLICIES=No
 EXPORTMODULES=Yes
 FASTACCEPT=Yes
 FORWARD_CLEAR_MARK=No
 HELPERS="ftp,irc"
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
-INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Yes
 KEEP_RT_TABLES=Yes
-LOAD_HELPERS_ONLY=Yes
 MACLIST_TABLE=filter
 MACLIST_TTL=60
 MANGLE_ENABLED=Yes
-MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
 MINIUPNPD=No
 MULTICAST=No
@@ -291,6 +295,7 @@ OPTIMIZE=All
 OPTIMIZE_ACCOUNTING=No
 PERL_HASH_SEED=12345
 REJECT_ACTION=
+RENAME_COMBINED=No
 REQUIRE_INTERFACE=No
 RESTART=restart
 RESTORE_DEFAULT_ROUTE=No
@@ -314,7 +319,7 @@ WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
-#			P A C K E T   D I S P O S I T I O N
+#                        P A C K E T   D I S P O S I T I O N
 ###############################################################################
 BLACKLIST_DISPOSITION=DROP
 INVALID_DISPOSITION=CONTINUE
@@ -326,14 +331,13 @@ SFILTER_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 UNTRACKED_DISPOSITION=DROP
 ################################################################################
-#			P A C K E T  M A R K  L A Y O U T
+#                        P A C K E T  M A R K  L A Y O U T
 ################################################################################
 TC_BITS=8
 PROVIDER_BITS=2
 PROVIDER_OFFSET=16
 MASK_BITS=8
-ZONE_BITS=0
-</programlisting>
+ZONE_BITS=0</programlisting>
       </section>
 
       <section>
@@ -348,34 +352,35 @@ ZONE_BITS=0
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
 #  Manpage also online at
-#  https://shorewall.org/manpages/shorewall.conf.html
+#  http://www.shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
-#		       S T A R T U P   E N A B L E D
+#                        S T A R T U P   E N A B L E D
 ###############################################################################
 STARTUP_ENABLED=Yes
 ###############################################################################
-#			     V E R B O S I T Y
+#                               V E R B O S I T Y
 ###############################################################################
 VERBOSITY=1
 ###############################################################################
-#			        P A G E R
+#                                  P A G E R
 ###############################################################################
 PAGER=pager
 ###############################################################################
-#			     F I R E W A L L
+#                                F I R E W A L L
 ###############################################################################
 FIREWALL=
 ###############################################################################
-#			       L O G G I N G
+#                               L O G G I N G
 ###############################################################################
 LOG_LEVEL="NFLOG(0,64,1)"
 BLACKLIST_LOG_LEVEL="none"
 INVALID_LOG_LEVEL=
 LOG_BACKEND=netlink
 LOG_VERBOSITY=2
+LOG_ZONE=Src
 LOGALLNEW=
 LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
-LOGFORMAT="%s %s "
+LOGFORMAT="%s %s"
 LOGLIMIT="s:5/min"
 LOGTAGONLY=Yes
 MACLIST_LOG_LEVEL="$LOG_LEVEL"
@@ -387,7 +392,7 @@ STARTUP_LOG=/var/log/shorewall6-init.log
 TCP_FLAGS_LOG_LEVEL="$LOG_LEVEL"
 UNTRACKED_LOG_LEVEL=
 ###############################################################################
-#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
+#     L O C A T I O N  O F   F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH="${CONFDIR}/shorewall6:${CONFDIR}/shorewall:/usr/share/shorewall6:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -404,7 +409,7 @@ SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=/var/lock/subsys/shorewall6
 TC=
 ###############################################################################
-#		D E F A U L T   A C T I O N S / M A C R O S
+#             D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
@@ -413,12 +418,12 @@ NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 ###############################################################################
-#			 R S H / R C P	C O M M A N D S
+#                     R S H / R C P   C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 ###############################################################################
-#			F I R E W A L L	  O P T I O N S
+#                     F I R E W A L L	  O P T I O N S
 ###############################################################################
 ACCOUNTING=Yes
 ACCOUNTING_TABLE=mangle
@@ -443,11 +448,9 @@ FORWARD_CLEAR_MARK=No
 HELPERS=ftp
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
-INLINE_MATCHES=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Keep
 KEEP_RT_TABLES=Yes
-LOAD_HELPERS_ONLY=Yes
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
@@ -458,6 +461,7 @@ OPTIMIZE=All
 OPTIMIZE_ACCOUNTING=No
 PERL_HASH_SEED=0
 REJECT_ACTION=
+RENAME_COMBINED=No
 REQUIRE_INTERFACE=No
 RESTART=restart
 RESTORE_DEFAULT_ROUTE=No
@@ -470,7 +474,7 @@ TRACK_PROVIDERS=Yes
 TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=Yes
-USE_PHYSICAL_NAMES=No
+USE_PHYSICAL_NAMES=Yes
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=No
 WARNOLDCAPVERSION=Yes
@@ -478,7 +482,7 @@ WORKAROUNDS=No
 ZERO_MARKS=No
 ZONE2ZONE=-
 ###############################################################################
-#			P A C K E T   D I S P O S I T I O N
+#                    P A C K E T   D I S P O S I T I O N
 ###############################################################################
 BLACKLIST_DISPOSITION=DROP
 INVALID_DISPOSITION=CONTINUE
@@ -490,13 +494,14 @@ SMURF_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 UNTRACKED_DISPOSITION=DROP
 ################################################################################
-#			P A C K E T  M A R K  L A Y O U T
+#                     P A C K E T  M A R K  L A Y O U T
 ################################################################################
 TC_BITS=8
 PROVIDER_BITS=2
 PROVIDER_OFFSET=8
 MASK_BITS=8
 ZONE_BITS=0
+#LAST LINE -- DO NOT REMOVE
 </programlisting>
       </section>
     </section>
@@ -524,47 +529,50 @@ if [ $g_family = 4 ]; then
     #
     # IPv4 compilation
     #
-    FALLBACK=Yes	   # Make FAST_IF the primary and PROD_IF the fallback interface
+    FALLBACK=Yes           # Make FAST_IF the primary and PROD_IF the fallback interface
 			   # See /etc/shorewall/providers
-    STATISTICAL=No	   # Don't use statistical load balancing
-    LISTS=70.90.191.124	   # IP address of lists.shorewall.net (MX)
-    MAIL=70.90.191.122	   # IP address of mail.shorewall.net  (IMAPS)
-    SERVER=70.90.191.125   # IP address of shorewall.org
-    PROXY=		   # Use TPROXY for local web access
-    ALL=0.0.0.0/0	   # Entire address space
+    STATISTICAL=           # Use statistical load balancing
+    LISTS=70.90.191.124    # IP address of lists.shorewall.net (MX)
+    MAIL=70.90.191.122     # IP address of mail.shorewall.net  (IMAPS)
+    SERVER=70.90.191.125   # IP address of www.shorewall.org
+    IRSSIEXT=10.2.10.2     # External address of irssi.shorewall.net
+    IRSSIINT=172.20.2.44   # Internal IP address of irssi.shorewall.net
+    PROXY=Yes              # Use TPROXY for local web access
+    ALL=0.0.0.0/0          # Entire address space
     LOC_ADDR=172.20.1.253  # IP address of the local LAN interface
     FAST_GATEWAY=10.2.10.1 # Default gateway through the IF_FAST interface
-    FAST_MARK=0x20000	   # Multi-ISP mark setting for IF_FAST
+    FAST_MARK=0x20000      # Multi-ISP mark setting for IF_FAST
     IPSECMSS=1460
     #
     # Interface Options
     #
     LOC_OPTIONS=dhcp,ignore=1,wait=5,routefilter,routeback,tcpflags=0,nodbl,physical=eth2
-    FAST_OPTIONS=optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,upnp,nosmurfs,physical=eth0
-    PROD_OPTIONS=optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,upnp,nosmurfs,physical=eth1
-    DMZ_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=70.90.191.120/29,dhcp,nodbl,physical=br0
+    FAST_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,nosmurfs,rpfilter,physical=eth0
+    PROD_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,nosmurfs,rpfilter,physical=eth1
+    DMZ_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=70.90.191.120/29,nodbl,physical=br0
     IRC_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=172.20.2.0/24,dhcp,nodbl,physical=br1
 else
     #
     # IPv6 compilation
     #
-    FALLBACK=Yes			      # Make FAST_IF the primary and PROD_IF the fallback interface
-					      # See /etc/shorewall/providers
-    STATISTICAL=No			      # Don't use statistical load balancing
-    LISTS=[2001:470:b:227::42]		      # IP address of lists.shorewall.net (MX and HTTPS)
-    MAIL=[2001:470:b:227::45]		      # IP address of mail.shorewall.net  (IMAPS and HTTPS)
-    SERVER=[2001:470:b:227::43]		      # IP address of shorewall.org   (HTTP, FTP and RSYNC)
-    PROXY=3				      # Use TPROXY for local web access
-    ALL=[::]/0				      # Entire address space
-    LOC_ADDR=[2601:601:a000:16f0::1]	      # IP address of the local LAN interface
-    FAST_GATEWAY=fe80::22e5:2aff:feb7:f2cf    # Default gateway through the IF_FAST interface
-    FAST_MARK=0x100			      # Multi-ISP mark setting for IF_FAST
+    FALLBACK=Yes                           # Make FAST_IF the primary and PROD_IF the fallback interface
+                                           # See /etc/shorewall/providers
+    STATISTICAL=No                         # Don't use statistical load balancing
+    LISTS=[2001:470:b:227::42]             # IP address of lists.shorewall.net (MX and HTTPS)
+    MAIL=[2001:470:b:227::45]              # IP address of mail.shorewall.net  (IMAPS and HTTPS)
+    SERVER=[2001:470:b:227::43]            # IP address of www.shorewall.org   (HTTP, FTP and RSYNC)
+    IRSSI=[2601:601:a000:16f1::]/64        # IP address of asus.shorewall.org  (Bit Torrent)
+    PROXY=Yes                              # Use TPROXY for local web access
+    ALL=[::]/0                             # Entire address space
+    LOC_ADDR=[2601:601:a000:16f0::1]       # IP address of the local LAN interface
+    FAST_GATEWAY=2601:601:a000:1600:22e5:2aff:feb7:f2cf
+    FAST_MARK=0x100                        # Multi-ISP mark setting for IF_FAST
     IPSECMSS=1440
     #
     # Interface Options
     #
-    PROD_OPTIONS=forward=1,optional,physical=sit1
-    FAST_OPTIONS=forward=1,optional,dhcp,upnp,physical=eth0
+    PROD_OPTIONS=forward=1,optional,rpfilter,routeback,physical=sit1
+    FAST_OPTIONS=forward=1,optional,dhcp,rpfilter,physical=eth0
     LOC_OPTIONS=forward=1,nodbl,routeback,physical=eth2
     DMZ_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br0
     IRC_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br1
@@ -579,11 +587,9 @@ fi</programlisting>
       <programlisting>###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
-
 #
 # By using the 'ip' type, both Shorewall and Shorewall6 can share this file
 #
-
 fw	{ TYPE=firewall }
 net	{ TYPE=ip }
 loc	{ TYPE=ip }
@@ -599,7 +605,11 @@ vpn	{ TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp,mss=$IPSECMSS }
       <para>/etc/shorewall/interfaces makes heavy use of variables set in
       /etc/shorewall/params:</para>
 
-      <programlisting>#
+      <programlisting>?FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+
+#
 # The two address families use different production interfaces and different 
 #
 # LOC_IF is the local LAN for both families
@@ -614,8 +624,7 @@ loc  { INTERFACE=LOC_IF,  OPTIONS=$LOC_OPTIONS }
 net  { INTERFACE=FAST_IF, OPTIONS=$FAST_OPTIONS }
 net  { INTERFACE=PROD_IF, OPTIONS=$PROD_OPTIONS }
 dmz  { INTERFACE=DMZ_IF,  OPTIONS=$DMZ_OPTIONS }
-apps { INTERFACE=IRC_IF,  OPTIONS=$IRC_OPTIONS }
-</programlisting>
+apps { INTERFACE=IRC_IF,  OPTIONS=$IRC_OPTIONS }</programlisting>
     </section>
 
     <section>
@@ -623,11 +632,10 @@ apps { INTERFACE=IRC_IF,  OPTIONS=$IRC_OPTIONS }
 
       <para>/etc/shorewall/hosts is used to define the vpn zone:</para>
 
-      <programlisting>#ZONE		HOSTS				OPTIONS
+      <programlisting>##ZONE		HOSTS				OPTIONS
 vpn { HOSTS=PROD_IF:$ALL }
 vpn { HOSTS=FAST_IF:$ALL }
-vpn { HOSTS=LOC_IF:$ALL }
-</programlisting>
+vpn { HOSTS=LOC_IF:$ALL }</programlisting>
     </section>
 
     <section>
@@ -638,20 +646,29 @@ vpn { HOSTS=LOC_IF:$ALL }
       <programlisting>#SOURCE	       DEST		 POLICY									  LOGLEVEL	      RATE
 
 $FW	     { DEST=dmz,net,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
-$FW	     { DEST=all,	 POLICY=ACCEPT }
 
-loc	     { DEST=net,	 POLICY=ACCEPT }
+?if __IPV4
+$FW	     { DEST=all,	 POLICY=ACCEPT:Broadcast(ACCEPT),Multicast(ACCEPT),			  LOGLEVEL=$LOG_LEVEL }
+?else
+$FW	     { DEST=all,	 POLICY=ACCEPT:AllowICMPs,Broadcast(ACCEPT),Multicast(ACCEPT)		  LOGLEVEL=$LOG_LEVEL }
+?endif
+
+loc,apps     { DEST=net,	 POLICY=ACCEPT }
 loc,vpn,apps { DEST=loc,vpn,apps POLICY=ACCEPT }
 loc	     { DEST=fw,		 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
 
+?if __IPV4
 net	     { DEST=net,	 POLICY=NONE }
+?else
+net	     { DEST=net,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
+?endif
 net	     { DEST=fw,		 POLICY=BLACKLIST:+Broadcast(DROP),Multicast(DROP),DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
 net	     { DEST=all,	 POLICY=BLACKLIST:+DropDNSrep:$LOG_LEVEL,				  LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
 
-dmz	     { DEST=fw,		 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
+dmz	     { DEST=fw	 	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
+dmz	     { DEST=dmz 	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
 
-all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
-</programlisting>
+all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }</programlisting>
     </section>
 
     <section>
@@ -676,7 +693,9 @@ all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
         </listitem>
       </orderedlist>
 
-      <programlisting>#
+      <programlisting>#NAME		NUMBER   MARK    DUPLICATE  INTERFACE	GATEWAY         OPTIONS               COPY
+
+#
 # This could be cleaned up a bit, but I'm leaving it as is for now
 #
 #   - The two address families use different fw mark geometry
@@ -687,7 +706,9 @@ all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
 ?if $FALLBACK
     # FAST_IF is primary, PROD_IF is fallback
     #
-    ?info Compiling with FALLBACK
+    ?if $VERBOSITY &gt; 0
+        ?info Compiling with FALLBACK
+    ?endif
     IPv6Beta	    { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,primary,persistent,noautosrc }
     ?if __IPV4
 	ComcastB    { NUMBER=4, MARK=0x10000,	 INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=loose,fallback,persistent }
@@ -696,25 +717,29 @@ all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
     ?endif
 ?elsif $STATISTICAL
     # Statistically balance traffic between FAST_IF and PROD_IF
-    ?info Compiling with STATISTICAL
+    ?if $VERBOSITY &gt; 0
+        ?info Compiling with STATISTICAL
+    ?endif
     ?if __IPV4
-    	IPv6Beta    { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,load=0.66666667,primary }
+    	IPv6Beta    { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,load=0.66666667,primary,persistent }
+	ComcastB    { NUMBER=4, MARK=0x10000, INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=loose,load=0.33333333,fallback,persistent }
     ?else
 	HE	    { NUMBER=2, MARK=0x200,   INTERFACE=PROD_IF,                        OPTIONS=track,load=0.33333333,persistent }
     ?endif
 ?else
-    ?INFO Compiling with BALANCE
-    IPv6Beta	 { NUMBER=1, MARK=0x100,   INTERFACE=eth0,    GATEWAY=$FAST_GATEWAY, OPTIONS=track,balance=2,loose,persistent }
+    ?if $VERBOSITY &gt; 0
+        ?info Compiling with BALANCE
+    ?endif
+    IPv6Beta	 { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=track,balance=2,loose,persistent }
     ?if __IPV4
-	ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=IPV4_IF, GATEWAY=10.1.10.1,     OPTIONS=nohostroute,loose,balance,persistent }
+	ComcastB { NUMBER=4, MARK=0x10000,    INTERFACE=PROD_IF, GATEWAY=10.1.10.1,     OPTIONS=nohostroute,loose,balance,persistent }
     ?else
         ?warning No BALANCE IPv6 configuration
 	HE	 { NUMBER=2, MARK=0x200,   INTERFACE=PROD_IF,			     OPTIONS=fallback,persistent }
     ?endif    
 ?endif
 
-Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
-</programlisting>
+Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }</programlisting>
     </section>
 
     <section>
@@ -754,7 +779,7 @@ Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
     # not effective in routing the 'ping' request packets out of FAST_IF.
     # The following route solves that problem.
     #
-    { PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=fe80::22e5:2aff:feb7:f2cf, DEVICE=FAST_IF, OPTIONS=persistent }
+    { PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=$FAST_GATEWAY, DEVICE=FAST_IF, OPTIONS=persistent }
 ?endif</programlisting>
     </section>
 
@@ -822,12 +847,13 @@ CT:helper:ftp:O { PROTO=tcp, DPORT=21 }
       <para>/etc/shorewall/rules has only a couple of rules that are
       conditional based on address family:</para>
 
-      <programlisting>#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+      <programlisting>##############################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
 
 ?SECTION ALL
 
-Ping(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 }
-Trcrt(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 }
+Ping(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping(1024,65536):2/sec:10 }
+Trcrt(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping(1024,65536):2/sec:10 }
 
 ?SECTION ESTABLISHED
 
@@ -845,8 +871,8 @@ ACCEPT		{ SOURCE=dmz, DEST=dmz }
 ?SECTION INVALID
 
 RST(ACCEPT)	{ SOURCE=all, DEST=all }
+FIN(ACCEPT)	{ SOURCE=all, DEST=all }
 DROP		{ SOURCE=net, DEST=all }
-FIN		{ SOURCE=all, DEST=all }
 
 ?SECTION UNTRACKED
 
@@ -863,17 +889,26 @@ CONTINUE	  { SOURCE=$FW, DEST=all }
 # Stop certain outgoing traffic to the net
 #
 REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=tcp, DPORT=25 }		#Stop direct loc-&gt;net SMTP (Comcast uses submission).
-REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=udp, DPORT=1025:1031 }	#MS Messaging
+#REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=udp, DPORT=1025:1031 }	#MS Messaging
 
-REJECT		{ SOURCE=all, DEST=net, PROTO=tcp, DPORT=137,445, comment="Stop NETBIOS Crap" }
-REJECT		{ SOURCE=all, DEST=net, PROTO=udp, DPORT=137:139, comment="Stop NETBIOS Crap" }
+REJECT		{ SOURCE=all!dmz,apps, DEST=net, PROTO=tcp, DPORT=137,445, comment="Stop NETBIOS Crap" }
+REJECT		{ SOURCE=all!dmz,apps, DEST=net, PROTO=udp, DPORT=137:139, comment="Stop NETBIOS Crap" }
 
 REJECT		{ SOURCE=all, DEST=net, PROTO=tcp, DPORT=3333, comment="Disallow port 3333" }
 
 REJECT		{ SOURCE=all, DEST=net, PROTO=udp, DPORT=3544, comment="Stop Teredo" }
 
+?if __IPV6
+DROP		{ SOURCE=net:PROD_IF, DEST=net:PROD_IF }
+?endif
+
 ?COMMENT
 
+######################################################################################################
+# SACK
+#
+DROP:$LOG_LEVEL	 { SOURCE=net, DEST=all } ;;+ -p tcp -m tcpmss --mss 1:535
+
 ######################################################################################################
 # 6in4
 #
@@ -884,8 +919,9 @@ REJECT		{ SOURCE=all, DEST=net, PROTO=udp, DPORT=3544, comment="Stop Teredo" }
 ######################################################################################################
 # Ping
 #
-Ping(ACCEPT)	  { SOURCE=$FW,loc,dmz,vpn, DEST=$FW,loc,dmz,vpn }
-Ping(ACCEPT)	  { SOURCE=all,              DEST=net }
+Ping(ACCEPT)	  { SOURCE=$FW,loc,dmz,vpn,apps, DEST=$FW,loc,dmz,vpn,apps }
+Ping(ACCEPT)	  { SOURCE=dmz, DEST=dmz }
+Ping(ACCEPT)	  { SOURCE=all, DEST=net }
 ######################################################################################################
 # SSH
 #
@@ -900,6 +936,11 @@ SSH(DNAT-)	  { SOURCE=net,              DEST=172.20.2.44, PROTO=tcp, DPORT=ssh,
 #
 DNS(ACCEPT)	  { SOURCE=loc,dmz,vpn,apps, DEST=$FW }
 DNS(ACCEPT)	  { SOURCE=$FW, DEST=net }
+?if $TEST
+DNS(REDIRECT)	  loc		53	 -	53	-	!&amp;LOC_IF
+DNS(REDIRECT)	  fw		53	 -	53	-	!::1
+?endif
+DropDNSrep        { SOURCE=net, DEST=all }
 ######################################################################################################
 # Traceroute
 #
@@ -910,6 +951,7 @@ Trcrt(ACCEPT)	  { SOURCE=net, DEST=$FW,dmz }
 #
 SMTP(ACCEPT)	   { SOURCE=net,$FW, DEST=dmz:$LISTS }
 SMTP(ACCEPT)	   { SOURCE=dmz:$LISTS, DEST=net:PROD_IF }
+SMTP(ACCEPT)	   { SOURCE=dmz, DEST=dmz:$LISTS }
 SMTP(REJECT)	   { SOURCE=dmz:$LISTS, DEST=net }
 IMAPS(ACCEPT)  	   { SOURCE=all, DEST=dmz:$MAIL }
 Submission(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS }
@@ -919,7 +961,6 @@ IMAP(ACCEPT)	   { SOURCE=loc,vpn, DEST=net }
 # NTP
 #
 NTP(ACCEPT)	   { SOURCE=all, DEST=net }
-NTP(ACCEPT)	   { SOURCE=loc,vpn,dmz,apps DEST=$FW }
 ######################################################################################################
 # Squid
 ACCEPT { SOURCE=loc,vpn, DEST=$FW, PROTO=tcp, DPORT=3128 } 
@@ -929,8 +970,8 @@ ACCEPT { SOURCE=loc,vpn, DEST=$FW, PROTO=tcp, DPORT=3128 }
 Web(ACCEPT)	   { SOURCE=loc,vpn DEST=$FW }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=proxy }
 Web(DROP)	   { SOURCE=net, DEST=fw, PROTO=tcp, comment="Do not blacklist web crawlers" }
-HTTP(ACCEPT)	   { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
-HTTPS(ACCEPT)	   { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$LISTS,$MAIL }
+HTTP(ACCEPT)	   { SOURCE=net,loc,vpn,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
+HTTPS(ACCEPT)	   { SOURCE=net,loc,vpn,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
 Web(ACCEPT)	   { SOURCE=dmz,apps DEST=net,$FW }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=root }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=teastep }
@@ -938,13 +979,13 @@ Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=_apt }
 ######################################################################################################
 # FTP
 #
-FTP(ACCEPT)	   { SOURCE=loc,vpn,apps DEST=net }
+FTP(ACCEPT)	   { SOURCE=loc,vpn,apps  DEST=net }
 FTP(ACCEPT)	   { SOURCE=dmz,          DEST=net }
 FTP(ACCEPT)	   { SOURCE=$FW,          DEST=net, USER=root }
 FTP(ACCEPT)	   { SOURCE=all,          DEST=dmz:$SERVER }
 #
 # Some FTP clients seem prone to sending the PORT command split over two packets.
-# This prevents the FTP connection tracking code from processing the command  and setting
+# This prevents the FTP connection tracking code from processing the command and setting
 # up the proper expectation.
 #
 # The following rule allows active FTP to work in these cases
@@ -952,6 +993,10 @@ FTP(ACCEPT)	   { SOURCE=all,          DEST=dmz:$SERVER }
 #
 ACCEPT:$LOG_LEVEL  { SOURCE=dmz, DEST=net, PROTO=tcp, DPORT=1024:, SPORT=20 }
 ######################################################################################################
+# Git
+#
+Git(ACCEPT)        { source=all, DEST=dmz:$SERVER }
+######################################################################################################
 # whois
 #
 Whois(ACCEPT)	   { SOURCE=all, DEST=net }
@@ -963,12 +1008,45 @@ SMBBI(ACCEPT)	    { SOURCE=vpn, DEST=$FW }
 ######################################################################################################
 # IRC
 #
-IRC(ACCEPT)	    { SOURCE=loc,apps, DEST=net }
+SetEvent(IRC)	                      { SOURCE=loc,apps, DEST=net, PROTO=tcp, DPORT=6667 }
+IfEvent(IRC,ACCEPT,10,1,dst,reset)    { SOURCE=net, DEST=loc,apps, PROTO=tcp, DPORT=113 }
+######################################################################################################
+# AUTH
+Auth(REJECT)	{ SOURCE=net, DEST=all }
 ######################################################################################################
 # Rsync
 #
 Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
-</programlisting>
+######################################################################################################
+# IPSEC
+#
+?if __IPV4
+DNAT		{ SOURCE=loc,net, DEST=apps:172.20.2.44, PROTO=udp, DPORT=500,4500, ORIGDEST=70.90.191.123 }
+?else
+ACCEPT		{ SOURCE=loc,net, DEST=apps, PROTO=udp, DPORT=500,4500 }
+ACCEPT		{ SOURCE=loc,net, DEST=apps, PROTO=esp }
+?endif
+ACCEPT		{ SOURCE=$FW,     DEST=net,  PROTO=udp, SPORT=4500 }
+######################################################################################################
+# Bit Torrent
+?if __IPV4
+DNAT		{ SOURCE=net,	  DEST=apps:$IRSSIINT,	PROTO=udp,tcp,	DPORT=59410, ORIGDEST=$IRSSIEXT }
+?else
+ACCEPT		{ SOURCE=net,	  DEST=apps:$IRSSI,	PROTO=udp,tcp,	DPORT=59410 }
+?endif
+REJECT		{ SOURCE=net,	  DEST=all,	  PROTO=udp,tcp,	DPORT=51413,59410 }
+######################################################################################################
+# VNC
+ACCEPT		{ SOURCE=loc,	  DEST=$FW,	  PROTO=tcp,		DPORT=5900 }
+######################################################################################################
+# FIN &amp; RST
+RST(ACCEPT)	{ SOURCE=all, DEST=all }
+FIN(ACCEPT)	{ SOURCE=all, DEST=all }
+######################################################################################################
+# Multicast
+?if __IPV4
+Multicast(ACCEPT) { SOURCE=all, DEST=$FW }
+?endif</programlisting>
     </section>
 
     <section>
@@ -979,6 +1057,10 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
 
       <programlisting>#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
 
+?if $VERSION &gt;= 50109
+TCPMSS(pmtu,none) { PROTO=tcp }
+?endif
+
 ?if __IPV4
     #
     # I've had a checksum issue with certain IPv4 UDP packets
@@ -989,13 +1071,12 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
 
 ?if $PROXY
     #
-    # Use TPROXY for web access from the local LAN
+    # Use TPROXY for IPv4 web access from the local LAN
     #
     DIVERT:R { PROTO=tcp, SPORT=80 }
     DIVERT:R { PROTO=tcp, DPORT=80 }
     TPROXY(3129,$LOC_ADDR) { SOURCE=LOC_IF, PROTO=tcp, DPORT=80 }
-?endif
-</programlisting>
+?endif</programlisting>
     </section>
 
     <section>
@@ -1003,19 +1084,19 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
 
       <para>NAT entries are quite dependent on the address family:</para>
 
-      <programlisting>#ACTION         SOURCE			DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
+      <programlisting>###################################################################################################################
+#ACTION         SOURCE			DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
 
 ?if __IPV4
-    MASQUERADE		{ SOURCE=172.20.1.0/24,172.20.2.0/23, DEST=FAST_IF }
-    MASQUERADE 		{ SOURCE=70.90.191.120/29, 	      DEST=FAST_IF }
-    SNAT(70.90.191.121) { SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,  PROBABILITY=0.50, COMMENT="Masquerade Local Network" }
-    SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,                    COMMENT="Masquerade Local Network" }
-    SNAT(172.20.1.253)  { SOURCE=172.20.3.0/24,	 	      DEST=LOC_IF:172.20.1.100 }
+    MASQUERADE			{ SOURCE=172.20.1.0/24,172.20.2.0/23, DEST=FAST_IF }
+    MASQUERADE			{ SOURCE=70.90.191.120/29, 	      DEST=FAST_IF }
+    SNAT(70.90.191.121) 	{ SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,  PROBABILITY=0.50, COMMENT="Masquerade Local Network" }
+    SNAT(70.90.191.123) 	{ SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,                    COMMENT="Masquerade Local Network" }
+    SNAT(172.20.1.253)  	{ SOURCE=!172.20.1.0/24, 	      DEST=LOC_IF:172.20.1.100 }
 ?else
-    SNAT(&amp;PROD_IF)	{ SOURCE=2601:601:8b00:bf0::/60,                DEST=PROD_IF }
-    SNAT(&amp;FAST_IF)	{ SOURCE=2001:470:b:227::/64,2001:470:a:227::2,	DEST=FAST_IF }
-?endif
-</programlisting>
+    SNAT(&amp;PROD_IF)		{ SOURCE=2601:601:a000:16f0::/60,               DEST=PROD_IF }
+    SNAT(&amp;FAST_IF)		{ SOURCE=2001:470:b:227::/64,2001:470:a:227::2,	DEST=FAST_IF }
+?endif</programlisting>
     </section>
 
     <section>
@@ -1032,8 +1113,6 @@ ipsecnat {ZONE=loc,  GATEWAY=$ALL, GATEWAY_ZONE=vpn }
     <section>
       <title>proxyarp</title>
 
-      <para>This file is only used in the IPv4 configuration:</para>
-
       <programlisting>#ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE	PERSISTENT
 
 70.90.191.122 { INTERFACE=br0, EXTERNAL=eth1, HAVEROUTE=yes, PERSISTENT=no }
@@ -1068,5 +1147,14 @@ return $status
 fi
 </programlisting>
     </section>
+
+    <section>
+      <title>stoppedrules</title>
+
+      <para>/etc/shorewall/stoppedrules allow SSH connections into the
+      firewall system when Shorewall[6] is in the stopped state.</para>
+
+      <programlisting/>
+    </section>
   </section>
 </article>

docs/blacklisting_support.xml

@@ -250,14 +250,36 @@ DROP            net:200.55.14.18        all
           </important>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>log</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.2.5. When specified, successful
+          'blacklist' and 'allow' commands will log a message to the system
+          log.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>noupdate</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.2.5. Normally, once an address has been
+          blacklisted, each time that a packet is received from the packet,
+          the ipset's entry for the address is updated to reset the timeout to
+          the value specifyed in the <option>timeout</option> option above.
+          Setting the <option>noupdate</option> option, inhibits this
+          resetting of the entry's timeout. This option is ignored when the
+          <option>timeout</option> option is not specified.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
 
     <para>When ipset-based dynamic blacklisting is enabled, the contents of
     the blacklist will be preserved over
     <command>stop</command>/<command>reboot</command>/<command>start</command>
-    sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
-    <replaceable>setname</replaceable> is included in the list of sets to be
-    saved in SAVE_IPSETS.</para>
+    sequences.</para>
   </section>
 
   <section>
@@ -275,4 +297,69 @@ DROP            net:200.55.14.18        all
     <command>shorewall show action BLACKLIST</command> command for
     details.</para>
   </section>
+
+  <section id="fail2ban">
+    <title>BLACKLIST and Fail2ban</title>
+
+    <para>The BLACKLIST command can be used as 'blocktype' in
+    /etc/fail2ban/actions.d/shorewall.conf. Prior to Shorewall 5.2.5, this
+    works best if there is no <emphasis role="bold">timeout</emphasis>
+    specified in the DYNAMIC_BLACKLIST setting or if <emphasis
+    role="bold">timeout=0</emphasis> is given.</para>
+
+    <para>Beginning with Shorewall 5.2.5, Shorewall includes new features that
+    allow fail2ban to work most seamlessly with Shorewall's ipset-based
+    dynamic blacklisting:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>When a <emphasis role="bold">timeout</emphasis> is specified in
+        the DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset is
+        created with default timeout 0. As entries are added by BLACKLIST
+        policies or by the <emphasis role="bold">blacklist</emphasis> command,
+        the created entry is given the specified timeout value.</para>
+      </listitem>
+
+      <listitem>
+        <para>The <emphasis role="bold">noupdate</emphasis> option has been
+        added. Specifying this option prevents 'timeout 0' ipset entries from
+        being changed to finite timeout entries as a result of blacklisted ip
+        addresses continuing to send packets to the firewall.</para>
+      </listitem>
+
+      <listitem>
+        <para>The <emphasis role="bold">blacklist!</emphasis> command has been
+        added. specifying that command as the fail2ban 'blocktype' causes
+        entries created by fail2ban to persist until fail2ban unbans them
+        using the Shorewall <emphasis role="bold">allow</emphasis>
+        comand.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>There are a couple of additional things to note:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>The documentation in /etc/fail2ban/action.d/shorewall.conf
+        states that you should set BLACKLIST=All. A better approach when using
+        BLACKLIST as the 'blocktype' is to specify the <emphasis
+        role="bold">disconnect</emphasis> option in the setting of
+        DYNAMIC_BLACKLIST. With BLACKLIST=All, every packet entering the
+        firewall from the net must be checked against the dynamic-blacklisting
+        ipset. That is not required when you specify <emphasis
+        role="bold">disconnect</emphasis>.</para>
+      </listitem>
+
+      <listitem>
+        <para>The <emphasis role="bold">noupdate</emphasis> option allows
+        fail2ban full control when a host is 'unbanned'. The cost of using
+        this option is that after the specified <emphasis
+        role="bold">timeout</emphasis>, the entry for an attacking host will
+        be removed from the dynamic-blacklisting ipset, even if the host has
+        continued the attack while blacklisted. This isn't a great concern, as
+        the first attempt to access an unauthorized service will result in the
+        host being re-blacklisted.</para>
+      </listitem>
+    </itemizedlist>
+  </section>
 </article>

docs/configuration_file_basics.xml

@@ -663,7 +663,7 @@ ACCEPT      net:\
           <row>
             <entry>mangle</entry>
 
-            <entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
+            <entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers,probability,dscp,switch</entry>
           </row>
 
           <row>
@@ -738,6 +738,14 @@ ACCEPT      net:\
             <entry>secmark,chain,source,dest,proto,dport,sport,user,mark</entry>
           </row>
 
+          <row>
+            <entry>snat</entry>
+
+            <entry>action,source,dest,proto,port,sport,ipsec,mark,user,switch,origdest,probability
+            (Note: 'port' may be specified as 'dport', beginning with
+            Shorewall 5.2.6).</entry>
+          </row>
+
           <row>
             <entry>tcclasses</entry>
 
@@ -1867,6 +1875,9 @@ SSH(ACCEPT)    net:$MYIP      $FW
       </listitem>
     </itemizedlist>
 
+    <para>They may also be used as the parameter to SNAT() in <ulink
+    url="manpages/shorewall-snat.html">shorewall-snat</ulink>(5).</para>
+
     <para>For optional interfaces, if the interface is not usable at the time
     that the firewall starts, one of two approaches are taken, depending on
     the context:</para>

docs/docs-targetname

@@ -1 +1 @@
-5.2.4.1
+5.2.6-RC1

docs/images/docs-images-targetname

@@ -1 +1 @@
-5.2.4-Beta1
+5.2.5-Beta1

docs/ipsets.xml

@@ -192,11 +192,19 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
     ipv4 ipsets are saved. Both features require ipset version 5 or
     later.</para>
 
+    <caution>
+      <para>After setting SAVE_IPSETS, it is important to recompile the
+      firewall script (e.g., 'shorewall compile', 'shorewall reload' or
+      'shorewall restart') before rebooting</para>
+    </caution>
+
     <para>Although Shorewall can save the definition of your ipsets and
     restore them when Shorewall starts, in most cases you must use the ipset
     utility to initially create and load your ipsets. The exception is that
     Shorewall will automatically create an empty iphash ipset to back each
-    dynamic zone.</para>
+    dynamic zone. It will also create the ipset required by the
+    DYNAMIC_BLACKLIST=ipset:.. setting in <ulink
+    url="manpages/shorewall.conf.html">shorewall[6].conf(5)</ulink>,</para>
   </section>
 
   <section>
@@ -220,6 +228,32 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
     the ipsets will be save to and restored from. Shorewall-init will create
     any necessary directories during the first 'save' operation.</para>
 
+    <caution>
+      <para>If you set SAVE_IPSETS in /etc/sysconfig/shorewall-init
+      (/etc/default/shorewall-init on Debian and derivatives) when
+      shorewall-init has not been started by systemd, then when the system is
+      going down during reboot, the ipset contents will not be saved. You can
+      work around that as follows:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>Suppose that you have set
+          SAVE_IPSETS=/var/lib/shorewall/init-save-ipsets.</para>
+        </listitem>
+
+        <listitem>
+          <para>Before rebooting, execute this command:</para>
+
+          <programlisting>ipset save &gt; /var/lib/shorewall/init-save-ipsets</programlisting>
+        </listitem>
+
+        <listitem>
+          <para>Be sure to enable shoewall-init (e.g., <emphasis
+          role="bold">systemctl enable shorewall-init</emphasis>).</para>
+        </listitem>
+      </itemizedlist>
+    </caution>
+
     <para>If you configure Shorewall-init to save/restore ipsets, be sure to
     set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.</para>
 

docs/support.xml

@@ -42,10 +42,10 @@
     <itemizedlist>
       <listitem>
         <para>The currently-supported Shorewall <ulink
-        url="ReleaseModel.html">major release</ulink>s are 5.0 , 5.1 and 5.2.</para>
+        url="ReleaseModel.html">major release</ulink>s are , 5.1 and 5.2.</para>
 
         <note>
-          <para>Shorewall versions earlier than 5.0.0 are no longer supported;
+          <para>Shorewall versions earlier than 5.1.0 are no longer supported;
           we will try to help but we will not spend time reading earlier code
           to try to help you solve a problem and we will not release a patch
           to correct any defect found.</para>