Link the simple TC article to FAQs 97 and 97a

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Add target file(s) 5.2.6.1
2020-07-18 17:01:33 -07:00 · 2020-07-12 19:46:23 -07:00 · 2020-07-12 19:46:13 -07:00 · 2020-07-07 12:27:48 -07:00 · 2020-07-06 16:00:15 -07:00 · 2020-07-06 15:38:28 -07:00
42 changed files with 1301 additions and 673 deletions
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1 @@
 *targetname export-ignore
--- a/Shorewall-core/Shorewall-core-targetname
+++ b/Shorewall-core/Shorewall-core-targetname
@@ -1 +1 @@
-5.2.4.1
+5.2.6-base
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -937,11 +937,28 @@ show_events() {
    fi
 }
 sort_actions() {
    local sep #separates sort keys from the action[.std] record
    sep="##"
    awk -v sep="$sep" \
         'BEGIN		  { action = ""; ifrec = ""; nr = 0; };\
 	  /^#/	  	  { next; };\
 	  /^\?(if|IF|If)/ { ifrec = $0; nr = NR; next; };\
 	  /^( |\t|\?)/	  { if ( action != "" ) print action, NR, sep $0; next; };\
 			  { action = $1; };\
 	  nr != 0	  { print action , nr, sep ifrec; nr = 0; };\
 			  { print action , NR, sep $0; }' | sort -k 1,2 | sed "s/^.*${sep}//"
 }
 show_actions() {
-    if [ -f ${g_confdir}/actions ]; then
+    local actions
-	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
+    actions=$(find_file actions)
    if [ -f ${actions} ]; then
 	cat ${actions} ${g_sharedir}/actions.std | sort_actions
    else
-	grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
+        sort_actions < ${g_sharedir}/actions.std
    fi
 }
@@ -1108,10 +1125,6 @@ show_blacklists() {
    show_bl;
 }
 show_actions_sorted() {
    show_actions | sort
 }
 show_macros() {
    for directory in $(split $CONFIG_PATH); do
 	temp=
@@ -1543,7 +1556,7 @@ show_command() {
 			    ;;
 			actions)
 			    [ $# -gt 1 ] && too_many_arguments $2
-			    eval show_actions_sorted $g_pager
+			    eval show_actions $g_pager
 			    return
 			    ;;
 			macro)
@@ -2651,6 +2664,7 @@ allow_command() {
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
 			allowed=Yes
 			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 		    fi
 		fi
@@ -2667,6 +2681,7 @@ allow_command() {
 	    *)
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
 			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 			allowed=Yes
 		    fi
 		fi
@@ -3622,6 +3637,7 @@ reject_command() {
 blacklist_command() {
    local family
    local timeout
    [ $# -gt 0 ] || fatal_error "Missing address"
@@ -3639,10 +3655,17 @@ blacklist_command() {
 	    ;;
    esac
-    if $IPSET -A $g_blacklistipset $@ -exist; then
+    if [ $COMMAND = 'blacklist!' ]; then
 	timeout='timeout 0'
    else
 	echo "$@" | fgrep -q ' timeout ' || timeout="timeout $g_dbltimeout"
    fi
    if $IPSET -A $g_blacklistipset $@ $timeout -exist; then
 	local message
 	progress_message2 "$1 Blacklisted"
 	[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Blacklisted"
 	if [ -n "$g_disconnect" ]; then
 	    message="$(conntrack -D -s $1 2>&1)"
@@ -3897,7 +3920,7 @@ setup_dbl() {
    case $DYNAMIC_BLACKLIST in
 	ipset*,src-dst*)
 	    #
-	    # This utility doesn't need to know about 'src-dst'
+	    # Capture 'src-dst'
 	    #
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
@@ -3905,11 +3928,49 @@ setup_dbl() {
 	    ;;
    esac
    case $DYNAMIC_BLACKLIST in
 	ipset*,log*)
 	    #
 	    # Capture 'log'
 	    #
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,log//')
 	    g_dbllog=Yes
 	    ;;
    esac
    case $DYNAMIC_BLACKLIST in
 	ipset*,noupdate*)
 	    #
 	    # This utility doesn't use this option
 	    #
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,noupdate//')
 	    ;;
    esac
    case $DYNAMIC_BLACKLIST in
 	ipset*,timeout*)
 	    #
-	    # This utility doesn't need to know about 'timeout=nnn'
+	    # Capture timeout
 	    #
 	    local ifs
 	    local f
 	    ifs=$IFS
 	    IFS=','
 	    for f in $DYNAMIC_BLACKLIST; do
 		case $f in
 		    timeout=*)
 			g_dbltimeout=${f#timeout=}
 			g_dbltimeout=${g_dbltimeout%%:*}
 			break
 			;;
 		esac
 	    done
 	    IFS=$ifs
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed -r 's/,timeout=[[:digit:]]+//')
 	    ;;
    esac
@@ -3964,7 +4025,7 @@ get_config() {
    ensure_config_path
-    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -4127,7 +4188,7 @@ start_command() {
 	    rc=$?
 	else
 	    error_message "$g_firewall is missing or is not executable"
-	    mylogger kern.err "ERROR:$g_product start failed"
+	    mylogger daemon.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
@@ -4260,7 +4321,7 @@ restart_command() {
 	rc=$?
    else
 	error_message "$g_firewall is missing or is not executable"
-	mylogger kern.err "ERROR:$g_product $COMMAND failed"
+	mylogger daemon.err "ERROR:$g_product $COMMAND failed"
 	rc=6
    fi
@@ -4298,9 +4359,9 @@ usage() # $1 = exit status
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
    echo "   blacklist <address> [ <option> ... ]"
-    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
+    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ -D ] [ <directory> ]"
    echo "   clear"
-    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
+    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ -D ] [ <directory name> ] [ <path name> ]"
    echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   disable <interface>"
@@ -4340,7 +4401,7 @@ usage() # $1 = exit status
    if [ -n "$g_lite" ]; then
 	echo "   reload [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
    else
-	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ -D ] [ <directory> ]"
    fi
    if [ -z "$g_lite" ]; then
@@ -4356,7 +4417,7 @@ usage() # $1 = exit status
    if [ -n "$g_lite" ]; then
 	echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
    else
-	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ -D ] [ <directory> ]"
    fi
    echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
@@ -4458,6 +4519,8 @@ shorewall_cli() {
    g_disconnect=
    g_havemutex=
    g_trace=
    g_dbltimeout=
    g_dbllog=
    VERBOSE=
    VERBOSITY=1
@@ -4679,7 +4742,7 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
-	blacklist)
+	blacklist|blacklist!)
 	    only_root
 	    get_config Yes
 	    shift
@@ -4757,7 +4820,7 @@ shorewall_cli() {
 	    ;;
 	allow)
 	    only_root
-	    get_config
+	    get_config Yes
 	    allow_command $@
 	    ;;
 	add)
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -55,13 +55,13 @@ startup_error() # $* = Error Message
    case $COMMAND in
        start)
-	    mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
    esac
--- a/Shorewall-core/lib.core
+++ b/Shorewall-core/lib.core
@@ -337,8 +337,15 @@ ensure_config_path() {
 	. $F
    fi
-    if [ -n "$g_shorewalldir" ]; then
+    if [ -n "$g_shorewalldir" ] && [ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ];then
-	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
+	case $CONFIG_PATH in
 	    :*)
 		CONFIG_PATH=${g_shorewalldir}${CONFIG_PATH}
 		;;
 	    *)
 		CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
 		;;
 	esac
    fi
 }
--- a/Shorewall-core/manpages/shorewall.xml
+++ b/Shorewall-core/manpages/shorewall.xml
@@ -48,7 +48,7 @@
      <arg>options</arg>
-      <arg choice="plain"><option>blacklist</option></arg>
+      <arg choice="plain"><option>blacklist[!]</option></arg>
      <arg
      choice="plain"><replaceable>address</replaceable><arg><replaceable>option</replaceable>
@@ -1151,7 +1151,7 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">blacklist</emphasis>
+        <term><emphasis role="bold">blacklist[!]</emphasis>
        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
        ... ]</term>
@@ -1165,7 +1165,17 @@
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
          <replaceable>address</replaceable> along with any
          <replaceable>option</replaceable>s are passed to the <command>ipset
-          add</command> command.</para>
+          add</command> command. Probably the most useful
          <replaceable>option</replaceable> is the <option>timeout</option>
          option. For example, to permanently blacklist 192.0.2.22, the
          command would be:</para>
          <programlisting>    shorewall blacklist 192.0.2.22 timeout 0</programlisting>
          <para>Beginning with Shorewall 5.2.5, the above command can be
          shortened to:</para>
          <programlisting>    shorewall blacklist! 192.0.2.22</programlisting>
          <para>If the <option>disconnect</option> option is specified in the
          DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
@@ -2108,10 +2118,6 @@
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
          (<ulink
          url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
          <para>The <emphasis role="bold">-D </emphasis>option was added in
          Shoewall 5.2.4 and causes the compiler to write a large amount of
          debugging information to standard output.</para>
        </listitem>
      </varlistentry>
@@ -2891,25 +2897,18 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">stop</emphasis>
+        <term><emphasis role="bold">stop</emphasis></term>
        [-<option>f</option>]</term>
        <listitem>
          <para>Stops the firewall. All existing connections, except those
          listed in <ulink
-          url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
+          url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
          or permitted by the ADMINISABSENTMINDED option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), are
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> The only
-          taken down. The only new traffic permitted through the firewall is
+          new traffic permitted through the firewall is from systems listed in
-          from systems listed in <ulink
+          <ulink
-          url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
+          url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
          or by ADMINISABSENTMINDED.</para>
          <para>If <option>-f</option> is given, the command will be processed
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
          role="bold">reload</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -127,6 +127,17 @@ esac
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null
 for PRODUCT in $PRODUCTS; do
    if [ -n "$ADDRFAM" -a ${COMMAND} = up ]; then
 	case $PRODUCT in
 	    *6*)
 		[ ${ADDRFAM} = inet6 ] || continue
 		;;
 	    *)
 		[ ${ADDRFAM} = inet ] || continue
 		;;
 	esac
    fi
    setstatedir
    if [ -x $VARLIB/$PRODUCT/firewall ]; then
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -169,7 +169,7 @@ if [ -z "$BUILD" ]; then
 	    ;;
 	*)
 	    if [ -f /etc/os-release ]; then
-		eval $(cat /etc/os-release | grep ^ID=)
+		ID=$(grep '^ID=' /etc/os-release | sed 's/ID=//; s/"//g;')
 		case $ID in
 		    fedora|rhel|centos|foobar)
@@ -357,12 +357,11 @@ fi
 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
 	make_parent_directory ${DESTDIR}${ETC}/network/if-up.d 0755
 	make_parent_directory ${DESTDIR}${ETC}/network/if-down.d 0755
 	make_parent_directory ${DESTDIR}${ETC}/network/if-post-down.d 0755
    elif [ $configure -eq 0 ]; then
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-up.d 0755
+	make_parent_directory ${CONFDIR}/network/if-up.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-down.d 0755
+	make_parent_directory ${CONFDIR}/network/if-post-down.d 0755
-	make_parent_directory ${DESTDIR}${CONFDIR}/network/if-post-down.d 0755
+	rm -f ${CONFDIR}/network/if-down.d/shorewall
    fi
    if [ ! -f ${DESTDIR}${CONFDIR}/default/$PRODUCT ]; then
@@ -388,7 +387,7 @@ else
 	    elif [ $HOST = openwrt ]; then
 		# Not implemented on OpenWRT
 		/bin/true
-	    else
+	    elif [ "$HOST" != debian ]; then
 		make_parent_directory ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d 0755
 	    fi
 	fi
@@ -417,19 +416,22 @@ if [ $HOST != openwrt ]; then
 fi
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    [ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
+    if [ "$HOST" = debian ]; then
-    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
+	rm -f ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall
    else
 	[ $configure -eq 1 ] || make_parent_directory ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d 0755
 	install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
    fi
 fi
 case $HOST in
    debian)
 	if [ $configure -eq 1 ]; then
 	    install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
 	    rm -f ${DESTDIR}/etc/network/if-down.d/shorewall
 	else
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
 	fi
 	;;
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -25,6 +25,7 @@
 #
 ###############################################################################
 # set the STATEDIR variable
 setstatedir() {
    local statedir
    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
@@ -42,29 +43,18 @@ setstatedir() {
    fi
 }
-#
+# Initialize the firewalls
 # This is modified by the installer when ${SHAREDIR} <> /usr/share
 #
 . /usr/share/shorewall/shorewallrc
-# check if shorewall-init is configured or not
+shorewall_init_start () {
 if [ -f "$SYSCONFDIR/shorewall-init" ]; then
    . $SYSCONFDIR/shorewall-init
    if [ -z "$PRODUCTS" ]; then
 	echo "ERROR: No products configured" >&2
 	exit 1
    fi
 else
    echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
    exit 1
 fi
 # Initialize the firewall
 shorewall_start () {
    local PRODUCT
    local STATEDIR
    printf "Initializing \"Shorewall-based firewalls\": "
    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
 	ipset -R < "$SAVE_IPSETS"
    fi
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    #
@@ -78,19 +68,17 @@ shorewall_start () {
 	fi
    done
    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
 	ipset -R < "$SAVE_IPSETS"
    fi
    return 0
 }
-# Clear the firewall
+# Clear the firewalls
-shorewall_stop () {
+
 shorewall_init_stop () {
    local PRODUCT
    local STATEDIR
    printf "Clearing \"Shorewall-based firewalls\": "
    for PRODUCT in $PRODUCTS; do
 	if setstatedir; then
 	    #
@@ -116,12 +104,29 @@ shorewall_stop () {
    return 0
 }
 #
 # This is modified by the installer when ${SHAREDIR} <> /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 # check if shorewall-init is configured or not
 if [ -f "$SYSCONFDIR/shorewall-init" ]; then
    . $SYSCONFDIR/shorewall-init
    if [ -z "$PRODUCTS" ]; then
 	echo "ERROR: No products configured" >&2
 	exit 1
    fi
 else
    echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
    exit 1
 fi
 case "$1" in
    start)
-	shorewall_start
+	shorewall_init_start
 	;;
    stop)
-	shorewall_stop
+	shorewall_init_stop
 	;;
    *)
 	echo "Usage: $0 {start|stop}"
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -320,6 +320,7 @@ our $VERSION = 'MODULEVERSION';
 #    %chain_table { <table> => { <chain1>  => { name         => <chain name>
 #                                               table        => <table name>
 #                                               is_policy    => undef|1 -- if 1, this is a policy chain
 #                                               wild         => undef|1 -- If 1, source or dest is 'all'. Only applies to policy chains
 #                                               provisional  => undef|1 -- See below.
 #                                               referenced   => undef|1 -- If 1, will be written to the iptables-restore-input.
 #                                               builtin      => undef|1 -- If 1, one of Netfilter's built-in chains.
@@ -726,6 +727,7 @@ our %opttype = ( rule          => CONTROL,
 		 'icmpv6-type' => UNIQUE,
 		 comment       => CONTROL,
 		 digest        => CONTROL,
 		 policy        => MATCH,
 		 state         => EXCLUSIVE,
@@ -892,7 +894,7 @@ sub validate_port( $$ ) {
    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
-    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])";
 }
 #
@@ -3521,6 +3523,33 @@ sub irule_to_string( $ ) {
    $string;
 }
 #
 # This one omits the comment
 #
 sub irule_to_string1( $ ) {
    my ( $ruleref ) = @_;
    return $ruleref->{cmd} if exists $ruleref->{cmd};
    my $string = '';
    for ( grep ! ( get_opttype( $_, 0 ) & ( CONTROL | TARGET ) ), @{$ruleref->{matches}}) {
 	my $value = $ruleref->{$_};
 	if ( reftype $value ) {
 	    $string .= "$_=" . join( ',', @$value ) . ' ';
 	} else {
 	    $string .= "$_=$value ";
 	}
    }
    if ( $ruleref->{target} ) {
 	$string .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} );
 	$string .= join( '', ' ', $ruleref->{targetopts} ) if $ruleref->{targetopts};
    }
    $string;
 }
 sub calculate_digest( $ ) {
    my $chainref = shift;
    my $rules = '';
@@ -4051,7 +4080,7 @@ sub optimize_level8( $$$ ) {
 		    if ( $config{RENAME_COMBINED} && $chainref->{name} !~ /^[~%]/ ) {
 			#
-			# For simple use of the BLACKLIST section, we can end up with many identical
+			# For simple use of the blrules file, we can end up with many identical
 			# chains. To distinguish them from other renamed chains, we keep track of
 			# these chains via the 'blacklistsection' member.
 			#
@@ -4190,10 +4219,10 @@ sub get_multi_sports( $ ) {
 }
 #
-# Return an array of keys for the passed rule. 'dport', 'comment', and 'origin' are omitted;
+# Return an array of keys for the passed rule. 'dport', 'comment', 'origin' and 'digest' are omitted;
 #
 sub get_keys( $ ) {
-    my %skip = ( dport => 1, comment => 1, origin => 1 );
+    my %skip = ( dport => 1, comment => 1, origin => 1, digest => 1 );
    sort grep ! $skip{$_},  keys %{$_[0]};
 }
@@ -4374,64 +4403,54 @@ sub delete_duplicates {
    my @rules;
    my $chainref  = shift;
    my $lastrule  = @_;
    my $baseref   = pop;
    my $ruleref;
    my %skip = ( comment => 1, origin => 1 );
    for ( @_ ) {
 	$_->{digest} = sha1_hex irule_to_string1( $_ );
    }
    my $baseref   = pop;
    while ( @_ ) {
 	my $docheck;
 	my $duplicate = 0;
 	if ( $baseref->{mode} == CAT_MODE && $baseref->{target} ) {
 	    my $ports1;
-	    my @keys1    = sort( grep ! $skip{$_}, keys( %$baseref ) );
+	    my $bad_key;
 	    my $rulenum  = @_;
 	    my $adjacent = 1;
-		
+	    my $digest   = $baseref->{digest};
 	    {
 	      RULE:
-		while ( --$rulenum >= 0 ) {
+	    for ( grep ! $skip{$_}, keys( %$baseref ) ) {
-		    $ruleref = $_[$rulenum];
+		$bad_key = 1, last if $bad_match{$_};
 	    }
-		    last unless $ruleref->{mode} == CAT_MODE;
+	    while ( --$rulenum >= 0 ) {
 		$ruleref = $_[$rulenum];
-		    my @keys2 = sort(grep ! $skip{$_}, keys( %$ruleref ) );
+		last unless $ruleref->{mode} == CAT_MODE;
-		    next unless @keys1 == @keys2 ;
+		next unless $digest eq $ruleref->{digest};
-		    my $keynum = 0;
+		unless ( $adjacent > 0 ) {
 		    if ( $adjacent > 0 ) {
 			#
 			# There are no non-duplicate rules between this rule and the base rule
 			#
 			for my $key (  @keys1 ) {
 			    next RULE unless $key eq $keys2[$keynum++];
 			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
 			}
 		    } else {
 			#
 			# There are non-duplicate rules between this rule and the base rule
 			#
 			for my $key ( @keys1 ) {
 			    next RULE unless $key eq $keys2[$keynum++];
 			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
 			    last RULE if $bad_match{$key};
 			}
 		    }
 		    #
-		    # This rule is a duplicate
+		    # There are non-duplicate rules between this rule and the base rule
 		    #
-		    $duplicate = 1;
+		    last if $bad_key;
 		    #
 		    # Increment $adjacent so that the continue block won't set it to zero
 		    #
 		    $adjacent++;
 		} continue {
 		    $adjacent--;
 		}
 		#
 		# This rule is a duplicate
 		#
 		$duplicate = 1;
 		#
 		# Increment $adjacent so that the continue block won't set it to zero
 		#
 		$adjacent++;
 	    } continue {
 		$adjacent--;
 	    }
 	}
@@ -4468,10 +4487,10 @@ sub get_conntrack( $ ) {
 }
 #
-# Return an array of keys for the passed rule. 'conntrack',  'comment' & 'origin' are omitted;
+# Return an array of keys for the passed rule. 'conntrack',  'comment', 'origin' and 'digest' are omitted;
 #
 sub get_keys1( $ ) {
-    my %skip = ( comment => 1, origin => 1 , 'conntrack --ctstate' => 1 );
+    my %skip = ( comment => 1, origin => 1 , digest => 1, 'conntrack --ctstate' => 1 );
    sort grep ! $skip{$_},  keys %{$_[0]};
 }
@@ -8872,7 +8891,7 @@ sub ensure_ipsets( @ ) {
    my $set;
    my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
-    if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
+    if ( $_[0] eq $globals{DBL_IPSET} ) {
 	shift;
 	emit( qq(    if ! qt \$IPSET list $globals{DBL_IPSET}; then));
@@ -8883,12 +8902,12 @@ sub ensure_ipsets( @ ) {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout 0${counters}) );
 	} else {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout 0${counters}) );
 	}
 	pop_indent;
@@ -9065,10 +9084,14 @@ sub create_load_ipsets() {
 	    # Requires V5 or later
 	    #
 	    emit( '' ,
-		  "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
+		  '    if  [ -f ${VARDIR}/ipsets.save ]; then' ,
-		  '        $IPSET flush $set' ,
+		  '        while read verb set rest; do' ,
-		  '        $IPSET destroy $set' ,
+		  '            if [ $verb = create ]; then' ,
-		  "    done" ,
+		  '                $IPSET flush $set' ,
 		  '                $IPSET destroy $set' ,
 		  '            fi' ,
 		  '        done < ${VARDIR}/ipsets.save' ,
 		  '    fi',
 		);
 	} else {
 	    #
@@ -9111,7 +9134,7 @@ sub create_load_ipsets() {
 		emit( '        #',
 		      '        # Update the dynamic blacklisting ipset timeout value',
 		      '        #',
-		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout $globals{DBL_TIMEOUT}" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
+		      qq(        awk '/create $set/      { sub( /timeout [0-9]+/, "timeout 0" ) }; {print};' \${VARDIR}/ipsets.save > \${VARDIR}/ipsets.temp),
 		      '        zap_ipsets',
 		      '        $IPSET restore < ${VARDIR}/ipsets.temp',
 		      '    fi' );
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -543,13 +543,13 @@ date > ${VARDIR}/restarted
 case $COMMAND in
    start)
-        mylogger kern.info "$g_product started"
+        mylogger daemon.info "$g_product started"
        ;;
    reload)
-        mylogger kern.info "$g_product reloaded"
+        mylogger daemon.info "$g_product reloaded"
        ;;
    restore)
-        mylogger kern.info "$g_product restored"
+        mylogger daemon.info "$g_product restored"
        ;;
 esac
 EOF
@@ -858,13 +858,13 @@ sub compiler {
 	if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize the ruleet
 	    #
 	    optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
 	    #
 	    # Optimize Policy Chains
 	    #
-	    optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
+	    optimize_policy_chains if $optimize & OPTIMIZE_POLICY_MASK;
 	    #
 	    # More Optimization
 	    #
 	    optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
 	}
 	enable_script;
@@ -928,16 +928,16 @@ sub compiler {
 	    optimize_level0;
-	    if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1e ) {
+	    if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
 		#
 		optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
 		#
 		# Ruleset Optimization
 		#
 		optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
 		#
 		# Optimize Policy Chains
 		#
 		optimize_policy_chains if $optimize & OPTIMIZE_POLICY_MASK;
 	    }
 	    enable_script if $debug;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -311,7 +311,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       OPTIMIZE_MASK
 				       OPTIMIZE_POLICY_MASK
 				       OPTIMIZE_POLICY_MASK2n4
 				       OPTIMIZE_RULESET_MASK
 				       OPTIMIZE_ALL
 				     ) , ] ,
@@ -555,7 +554,6 @@ use constant {
 #
 use constant {
 	       OPTIMIZE_POLICY_MASK    => 0x02 , # Call optimize_policy_chains()
 	       OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
 	       OPTIMIZE_RULESET_MASK   => 0x1C , # Call optimize_ruleset()
               OPTIMIZE_MASK           => 0x1E , # Do optimizations beyond level 1
 	       OPTIMIZE_ALL            => 0x1F , # Maximum value for documented categories.
@@ -657,6 +655,30 @@ our %params;
 #
 our %compiler_params;
 #
 # Entries conditionally exported to the compiled script via the aux config file
 #
 our @exported_params = ( qw(
 			 VERBOSITY
 			 LOGFILE
 			 LOGFORMAT
 			 APRTABLES
 			 IPTABLES
 			 IP6TABLES
 			 IP
 			 TC
 			 IPSET
 			 PATH
 			 SHOREWALL_SHELL
 			 SHELL
 			 SUBSYSLOCK
 			 LOCKFILE
 			 RESTOREFILE
 			 RESTART
 			 DYNAMIC_BLACKLIST
 			 PAGER
 			 )
    );
 #
 # Action parameters
 #
 our %actparams;
@@ -4391,7 +4413,9 @@ sub validate_level( $;$ ) {
 sub default_log_level( $$ ) {
    my ( $level, $default ) = @_;
-    my $value = $config{$level};
+    my $value = $config{$level} || '';
    $value = $config{LOG_LEVEL} if $value eq '$LOG_LEVEL';  #This can happen during update
    unless ( supplied $value ) {
 	$config{$level} = validate_level $default, $level;
@@ -5350,17 +5374,12 @@ sub ensure_config_path() {
    my $chop = ( $path =~ s/^:// );
    $path =~ s/:+/:/g;
    @config_path = split /:/, $path;
    shift @config_path if $chop && ( $export || $> != 0 );
    #
    # To accomodate Cygwin-based compilation, we have separate directories for files whose names
    # clash on a case-insensitive filesystem.
    #
    push @config_path, $globals{SHAREDIR}    . "/deprecated";
    push @config_path, $shorewallrc{SHAREDIR}. '/shorewall/deprecated' unless $globals{PRODUCT} eq 'shorewall';
    for ( @config_path ) {
 	$_ .= '/' unless m|/$|;
        s|//|/|g;
@@ -5504,6 +5523,8 @@ sub update_config_file( $ ) {
    for ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT/ ) {
 	my $policy = $config{ $_ };
 	$policy = '' unless defined $policy;
 	if ( $policy =~ /\bA_(?:Drop|Reject)\b/ ) {
 	    if ( $family == F_IPV4 ) {
 		$policy =~ s/A_(?:Drop|Reject)/Broadcast(A_DROP),Multicast(A_DROP)/;
@@ -6293,6 +6314,14 @@ sub get_configuration( $$$ ) {
    process_shorewall_conf( $update, $annotate );
    ensure_config_path;
    #
    # To accomodate Cygwin-based compilation, we have separate directories for files whose names
    # clash on a case-insensitive filesystem.
    #
    push @config_path, $globals{SHAREDIR}    . "/deprecated/" unless $config_path[-1] eq $globals{SHAREDIR} . "/deprecated/";
    push @config_path, $shorewallrc{SHAREDIR}. '/shorewall/deprecated/' unless $globals{PRODUCT} eq 'shorewall';
    $config{CONFIG_PATH} = join( ':', @config_path );
    @INC = @originalinc;
@@ -6671,7 +6700,7 @@ sub get_configuration( $$$ ) {
    if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
-	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
+	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1, 'log' => 1, 'noupdate' => 1, );
 	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
@@ -6810,6 +6839,12 @@ sub get_configuration( $$$ ) {
    require_capability 'AUDIT_TARGET', "SMURF_DISPOSITION=$val", 's' if $val =~ /^A_/;
    if ( supplied( $val = $config{LOG_LEVEL} ) ) {
 	validate_level( $val );
    } else {
 	$config{LOG_LEVEL} = 'info';
    }
    default_log_level 'BLACKLIST_LOG_LEVEL',  '';
    default_log_level 'MACLIST_LOG_LEVEL',    '';
    default_log_level 'TCP_FLAGS_LOG_LEVEL',  '';
@@ -6818,12 +6853,6 @@ sub get_configuration( $$$ ) {
    default_log_level 'INVALID_LOG_LEVEL',    '';
    default_log_level 'UNTRACKED_LOG_LEVEL',  '';
    if ( supplied( $val = $config{LOG_LEVEL} ) ) {
 	validate_level( $val );
    } else {
 	$config{LOG_LEVEL} = 'info';
    }
    if ( supplied( $val = $config{LOG_BACKEND} ) ) {
 	if ( $family == F_IPV4 && $val eq 'ULOG' ) {
 	    $val = 'ipt_ULOG';
@@ -7196,8 +7225,8 @@ sub generate_aux_config() {
    emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST PAGER) ) {
+    for my $param ( @exported_params ) {
-	conditionally_add_option $option;
+	conditionally_add_option $param;
    }
    conditionally_add_option1 'TC_ENABLED';
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -735,6 +735,7 @@ sub add_common_rules ( $ ) {
    my $dbl_tag;
    my $dbl_src_target;
    my $dbl_dst_target;
    my $dbl_options;
    if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -796,9 +797,10 @@ sub add_common_rules ( $ ) {
 	if ( $dbl_ipset ) {
 	    if ( $val = $globals{DBL_TIMEOUT} ) {
-		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
+		$dbl_options    = $globals{DBL_OPTIONS};
 		$dbl_src_target = $dbl_options =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = new_standard_chain( $dbl_src_target );
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -809,11 +811,11 @@ sub add_common_rules ( $ ) {
 				'add',
 				'',
 				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} ) unless $dbl_options =~ /noupdate/;
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 		if ( $dbl_src_target eq 'dbl_src' ) {
-		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
+		    $chainref = new_standard_chain( $dbl_dst_target = 'dbl_dst' );
 		    log_rule_limit( $dbl_level,
 				    $chainref,
@@ -830,7 +832,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' );
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -2286,10 +2288,13 @@ sub generate_matrix() {
    #
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	if ( @zones > 2 || $zoneref->{complex} ) {
+
-	    handle_complex_zone( $zone, $zoneref );
+	unless ( $zoneref->{type} == LOCAL ) {
-	} else {
+	    if ( @zones > 2 || $zoneref->{complex} ) {
-	    new_standard_chain zone_forward_chain( $zone ) if @zones > 1;
+		handle_complex_zone( $zone, $zoneref );
 	    } else {
 		new_standard_chain zone_forward_chain( $zone ) if @zones > 1;
 	    }
 	}
    }
    #
@@ -2580,13 +2585,13 @@ EOF
    emit <<'EOF';
            case $COMMAND in
 	        start)
-	            mylogger kern.err "ERROR:$g_product start failed"
+	            mylogger daemon.err "ERROR:$g_product start failed"
 	            ;;
 	        reload)
-	            mylogger kern.err "ERROR:$g_product reload failed"
+	            mylogger daemon.err "ERROR:$g_product reload failed"
 	            ;;
                enable)
-                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
+                    mylogger daemon.err "ERROR:$g_product 'enable $g_interface' failed"
                    ;;
            esac
@@ -2809,7 +2814,7 @@ EOF
    emit '
    set_state "Stopped"
-    mylogger kern.info "$g_product Stopped"
+    mylogger daemon.info "$g_product Stopped"
    case $COMMAND in
    stop|clear)
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -2064,12 +2064,12 @@ sub compile_updown() {
 	push_indent;
 	emit( q(if [ "$state" = started ]; then) ,
-	      q(    if [ "$COMMAND" = up ]; then) , 
+	      q(    if [ "$COMMAND" = up ]; then) ,
 	      q(        progress_message3 "Attempting enable on interface $1") ,
 	      q(        COMMAND=enable) ,
 	      q(        detect_configuration $1),
 	      q(        enable_provider $1),
-	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
+	      q(    else),
 	      q(        progress_message3 "Attempting disable on interface $1") ,
 	      q(        COMMAND=disable) ,
 	      q(        detect_configuration $1),
@@ -2110,7 +2110,7 @@ sub compile_updown() {
 	emit( '        progress_message3 "$g_product attempting $COMMAND"',
 	      '        detect_configuration',
 	      '        define_firewall',
-	      '    elif [ "$PHASE" != pre-down ]; then # Not Debian pre-down phase'
+	      '    else' ,
 	    );
 	push_indent;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -443,6 +443,7 @@ sub convert_to_policy_chain($$$$$$)
    my ($chainref, $source, $dest, $policy, $provisional, $audit ) = @_;
    $chainref->{is_policy}   = 1;
    $chainref->{wild}        = $source eq 'all' || $dest eq 'all';
    $chainref->{policy}      = $policy;
    $chainref->{provisional} = $provisional;
    $chainref->{audit}       = $audit;
@@ -660,7 +661,7 @@ sub handle_nfqueue( $ ) {
    if ( supplied $queue2 ) {
 	require_capability 'CPU_FANOUT', '"c"', 's' if $fanout;
-	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${fanout}${bypass}";
+	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}${fanout}";
    } else {
 	return "NFQUEUE --queue-num ${queuenum1}${bypass}";
    }
@@ -1000,6 +1001,24 @@ sub determine_action_protocol( $$ ) {
    $proto;
 }
 sub determine_action_dport( $$$ ) {
    my ( $action, $proto, $dport ) = @_;
    if ( my $actiondport = $actions{$action}{dport} ) {
 	if ( $dport eq '-' ) {
 	    $dport = $actiondport;
 	} else {
 	    fatal_error( "The $action action is only usable with destination port $actiondport" ) if $dport =~ /[,]/;
 	    if ( ( my $portnum = validate_port( $proto, $dport ) ) ne '-' ) {
 		fatal_error( "The $action action is only usable with destination port $actiondport"  ) unless $actiondport = $portnum;
 		$dport = $portnum;
 	    }
 	}
    }
    $dport;
 }
 sub add_policy_rules( $$$$$ ) {
    my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
@@ -1014,7 +1033,11 @@ sub add_policy_rules( $$$$$ ) {
 		# Policy action is a regular action -- jump to the action chain
 		#
 		if ( ( my $proto = determine_action_protocol( $action, '-' ) ) ne '-' ) {
-		    add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
+		    if ( my $dport = determine_action_dport( $action, $proto, '' ) ) {
 			add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto, dport => $dport );
 		    } else {
 			add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
 		    }
 		} else {
 		    add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
 		}
@@ -1147,7 +1170,7 @@ sub complete_policy_chains() {
 		}
 	    }
-	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
+	    if ( $chainref->{wild} ) {
 		add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST};
 	    }
 	}
@@ -1252,6 +1275,7 @@ sub finish_chain_section ($$$) {
 	$state )            = @_;
    my $chain               = $chainref->{name};
    my $save_comment        = push_comment;
    my $wild                = $chainref->{wild} && ! $config{EXPAND_RULES};
    my %state;
    $state{$_} = 1 for split ',', $state;
@@ -1262,74 +1286,76 @@ sub finish_chain_section ($$$) {
    $chain1ref->{sections}{$_} = 1 for keys %state;
-    for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
+    unless ( $wild ) {
-	if ( $state{$_} ) {
+	for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
-	    my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
+	    if ( $state{$_} ) {
-	    my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
+		my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
 		my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
-	    if ( $twochains || $level || $target ne 'ACCEPT' ) {
+		if ( $twochains || $level || $target ne 'ACCEPT' ) {
-		if ( $level ) {
+		    if ( $level ) {
-		    my $chain2ref;
+			my $chain2ref;
 			if ( $twochains ) {
 			    $chain2ref = $chainref;
 			} else {
 			    $chain2ref = new_chain( 'filter', "${char}$chainref->{name}" , "${char}$chainref->{logname}" );
 			}
 			log_rule_limit( $level,
 					$chain2ref,
 					$chain2ref->{logname},
 					uc $target,
 					$globals{LOGLIMIT},
 					$tag ,
 					'add' ,
 					'',
 					$level_origin );
 			$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
 			add_ijump_extended( $chain2ref, g => $target , $origin ) if $target;
 			$target = $chain2ref->{name} unless $twochains;
 		    }
 		    if ( $twochains ) {
-			$chain2ref = $chainref;
+			add_ijump_extended $chainref, g => $target , $origin if $target;
-		    } else {
+			delete $state{$_};
-			$chain2ref = new_chain( 'filter', "${char}$chainref->{name}" , "${char}$chainref->{logname}" );
+			last;
 		    }
-		    log_rule_limit( $level,
+		    if ( $target ) {
-				    $chain2ref,
+			$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
-				    $chain2ref->{logname},
+			#
-				    uc $target,
+			# Always handle ESTABLISHED first
-				    $globals{LOGLIMIT},
+			#
-				    $tag ,
+			if ( $state{ESTABLISHED} && $_ ne 'ESTABLISHED' ) {
-				    'add' ,
+			    add_ijump( $chain1ref, j => 'ACCEPT', state_imatch 'ESTABLISHED' );
-				    '',
+			    delete $state{ESTABLISHED};
-				    $level_origin );
+			}
-		    $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
+			add_ijump_extended( $chainref, j => $target, $origin, state_imatch $_ );
 		    }
 		    add_ijump_extended( $chain2ref, g => $target , $origin ) if $target;
 		    $target = $chain2ref->{name} unless $twochains;
 		}
 		if ( $twochains ) {
 		    add_ijump_extended $chainref, g => $target , $origin if $target;
 		    delete $state{$_};
 		    last;
 		}
 		if ( $target ) {
 		    $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
 		    #
 		    # Always handle ESTABLISHED first
 		    #
 		    if ( $state{ESTABLISHED} && $_ ne 'ESTABLISHED' ) {
 			add_ijump( $chain1ref, j => 'ACCEPT', state_imatch 'ESTABLISHED' );
 			delete $state{ESTABLISHED};
 		    }
 		    add_ijump_extended( $chainref, j => $target, $origin, state_imatch $_ );
 		}
 		delete $state{$_};
 	    }
 	}
    }
    if ( keys %state ) {
 	my @state;
 	unless ( $config{FASTACCEPT} ) {
 	    for ( qw/ESTABLISHED RELATED/ ) {
 		push @state, $_ if $state{$_};
 	    }
 	}
-	push( @state, 'UNTRACKED' ),if $state{UNTRACKED} && $globals{UNTRACKED_TARGET} eq 'ACCEPT';
+	if ( keys %state ) {
 	    my @state;
-	add_ijump( $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) ) if @state;
+	    unless ( $config{FASTACCEPT} ) {
 		for ( qw/ESTABLISHED RELATED/ ) {
 		    push @state, $_ if $state{$_};
 		}
 	    }
 	    push( @state, 'UNTRACKED' ),if $state{UNTRACKED} && $globals{UNTRACKED_TARGET} eq 'ACCEPT';
 	    add_ijump( $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) ) if @state;
 	}
    }
    if ($sections{NEW} ) {
@@ -1497,13 +1523,13 @@ sub external_name( $ ) {
 #
 # Define an Action
 #
-sub new_action( $$$$$$ ) {
+sub new_action( $$$$$$$ ) {
-    my ( $action , $type, $options , $actionfile , $state, $proto ) = @_;
+    my ( $action , $type, $options , $actionfile , $state, $proto, $dport ) = @_;
    fatal_error "Reserved action name ($action)" if reserved_name( $action );
-    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto };
+    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto, dport => $dport };
    $targets{$action} = $type;
 }
@@ -1774,7 +1800,7 @@ sub isolate_basic_target( $ ) {
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
-sub process_snat1( $$$$$$$$$$$$ );
+sub process_snat1( $$$$$$$$$$$$$ );
 sub perl_action_helper( $$;$$ );
 #
@@ -1968,23 +1994,49 @@ sub process_action(\$\$$) {
 		set_inline_matches( $matches );
 	    }
 	} else {
-	    my ( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) =
+	    my ( $action, $source, $dest, $protos, $port, $sport, $ipsec, $mark, $user, $condition, $origdest, $probability);
-		split_line2( 'snat file',
+
-			     { action =>0,
+	    if ( $file_format == 1 ) {
-			       source => 1,
+		( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) =
-			       dest => 2,
+		    split_line2( 'snat file',
-			       proto => 3,
+				 { action =>0,
-			       port => 4,
+				   source => 1,
-			       ipsec => 5,
+				   dest => 2,
-			       mark => 6,
+				   proto => 3,
-			       user => 7,
+				   port => 4,
-			       switch => 8,
+				   dport => 4,
-			       origdest => 9,
+				   ipsec => 5,
-			       probability => 10,
+				   mark => 6,
-			     },
+				   user => 7,
-			     {},
+				   switch => 8,
-			     11,
+				   origdest => 9,
-			     1 );
+				   probability => 10,
 				 },
 				 {},
 				 11,
 				 1 );
 		$sport = '-';
 	    } else {
 		( $action, $source, $dest, $protos, $port, $sport, $ipsec, $mark, $user, $condition, $origdest, $probability) =
 		    split_line2( 'snat file',
 				 { action =>0,
 				   source => 1,
 				   dest => 2,
 				   proto => 3,
 				   port => 4,
 				   dport => 4,
 				   sport => 5,
 				   ipsec => 6,
 				   mark => 7,
 				   user => 8,
 				   switch => 9,
 				   origdest => 10,
 				   probability => 11,
 				 },
 				 {},
 				 12,
 				 1 );
 	    }
 	    fatal_error 'ACTION must be specified' if $action eq '-';
@@ -2000,6 +2052,7 @@ sub process_action(\$\$$) {
 			       $dest,
 			       $proto,
 			       $port,
 			       $sport,
 			       $ipsec,
 			       $mark,
 			       $user,
@@ -2098,6 +2151,7 @@ sub process_actions() {
 	    my $state = '';
 	    my $proto = 0;
 	    my $dport = 0;
 	    if ( $action =~ /:/ ) {
 		warning_message 'Policy Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -2117,6 +2171,10 @@ sub process_actions() {
 		    } elsif ( /^proto=(.+)$/ ) {
 			fatal_error "Unknown Protocol ($1)" unless defined( $proto = resolve_proto( $1 ) );
 			fatal_error "A protocol may not be specified on the REJECT_ACTION ($action)" if $action eq $config{REJECT_ACTION};
 		    } elsif ( /^dport=(.+)$/ ) {
 			fatal_error "The 'dport' option requires the 'proto' option" unless $proto;
 			$dport = validate_port($proto, $1);
 			fatal_error "A destination port may not be specified on the REJECT_ACTION ($action)" if $action eq $config{REJECT_ACTION};
 		    } else {
 			fatal_error "Invalid option ($_)" unless $options{$_};
 			$opts |= $options{$_};
@@ -2138,10 +2196,12 @@ sub process_actions() {
 		    }
 		    $proto = $actions{$action}{proto} unless $proto;
 		    $dport = $actions{$action}{dport} unless $dport;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} elsif ( ( $actiontype & INLINE ) && ( $type == ACTION ) && $opts & NOINLINE_OPT ) {
 		    $proto = $actions{$action}{proto} unless $proto;
 		    $dport = $actions{$action}{dport} unless $dport;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} else {
@@ -2185,7 +2245,7 @@ sub process_actions() {
 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
-		new_action ( $action, $type, $opts, $actionfile , $state , $proto );
+		new_action ( $action, $type, $opts, $actionfile , $state , $proto , $dport );
 	    }
 	}
    }
@@ -2888,6 +2948,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 	    fatal_error "Invalid flags ($flags)"         unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
 	    $action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
 	    $log_action = "$basictarget($setname)";
 	    if ( supplied $timeout ) {
 		fatal_error "A timeout may only be supplied in an ADD rule" unless $basictarget eq 'ADD';
@@ -3063,9 +3124,11 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
    if ( $actiontype & ACTION ) {
 	#
-	# Verify action 'proto', if any
+	# Verify action 'proto', and 'dport' if any
 	#
-	$proto = determine_action_protocol( $basictarget, $proto );
+	if ( ( $proto = determine_action_protocol( $basictarget, $proto ) ) ne '-' ) {
 	    $ports = determine_action_dport( $basictarget, $proto, $ports );
 	}
 	#
 	# Save NAT-oriented column contents
 	#
@@ -3923,9 +3986,8 @@ sub process_rules() {
    #
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
 	my $simple  =  @zones <= 2 && ! $zoneref->{complex};
-	unless ( @zones <= 2 && ! $zoneref->{complex} ) {
+	unless ( $zoneref->{type} == LOCAL || ( @zones <= 2 && ! $zoneref->{complex} ) ) {
 	    #
 	    # Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
 	    #
@@ -4817,9 +4879,11 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	function          => sub() {
 	    fatal_error( qq(Action $cmd may not be used in the mangle file) ) unless $actiontype & MANGLE_TABLE;
 	    #
-	    # Verify action 'proto', if any
+	    # Verify action 'proto' and 'dport' if any
 	    #
-	    $proto = determine_action_protocol( $cmd, $proto );
+	    if ( ( $proto = determine_action_protocol( $cmd, $proto ) ) ne '-' ) {
 		$ports = determine_action_dport( $cmd, $proto, $ports );
 	    }
 	    #
 	    # Create the action:level:tag:param tuple.
 	    #
@@ -5363,8 +5427,8 @@ sub process_mangle_rule( $ ) {
    }
 }
-sub process_snat_inline( $$$$$$$$$$$$$$ ) {
+sub process_snat_inline( $$$$$$$$$$$$$$$ ) {
-    my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
    my ( $level,
 	 $tag )    = split( ':', $loglevel, 2 );
@@ -5383,28 +5447,54 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
    progress_message "..Expanding inline action $inlinefile...";
-    push_open $inlinefile, 2, 1, undef , 2;
+    push_open $inlinefile, 2, 1, undef , 1;
    my $save_comment = push_comment;
    while ( read_a_line( NORMAL_READ ) ) {
-	my ( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
+	my ( $maction, $msource, $mdest, $mprotos, $mports, $msports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability);
-	    split_line2( 'snat file',
+
-			 { action =>0,
+	if ( $file_format == 1 ) {
-			   source => 1,
+	    ( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
-			   dest => 2,
+		split_line2( 'snat file',
-			   proto => 3,
+			     { action =>0,
-			   port => 4,
+			       source => 1,
-			   ipsec => 5,
+			       dest => 2,
-			   mark => 6,
+			       proto => 3,
-			   user => 7,
+			       port => 4,
-			   switch => 8,
+			       dport => 4,
-			   origdest => 9,
+			       ipsec => 5,
-			   probability => 10,
+			       mark => 6,
-			 },
+			       user => 7,
-			 {},
+			       switch => 8,
-			 11,
+			       origdest => 9,
-			 1 );
+			       probability => 10,
 			     },
 			     {},
 			     11,
 			     1 );
 	    $msports = '-';
 	} else {
 	    ( $maction, $msource, $mdest, $mprotos, $mports, $msports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
 		split_line2( 'snat file',
 			     { action =>0,
 			       source => 1,
 			       dest => 2,
 			       proto => 3,
 			       port => 4,
 			       dport => 4,
 			       sport => 5,
 			       ipsec => 6,
 			       mark => 7,
 			       user => 8,
 			       switch => 9,
 			       origdest => 10,
 			       probability => 11,
 			     },
 			     {},
 			     12,
 			     1 );
 	}
 	fatal_error 'ACTION must be specified' if $maction eq '-';
@@ -5432,6 +5522,7 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 			   $mdest,
 			   $proto,
 			   merge_macro_column( $mports,          $ports ),
 			   merge_macro_column( $msports,         $sports ),
 			   merge_macro_column( $mipsec,          $ipsec ),
 			   merge_macro_column( $mmark,           $mark ),
 			   merge_macro_column( $muser,           $user ),
@@ -5458,8 +5549,8 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 #
 # Process a record in the snat file
 #
-sub process_snat1( $$$$$$$$$$$$ ) {
+sub process_snat1( $$$$$$$$$$$$$ ) {
-    my ( $chainref, $origaction, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+    my ( $chainref, $origaction, $source, $dest, $proto, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
    my $inchain;
    my $inaction;
@@ -5479,6 +5570,13 @@ sub process_snat1( $$$$$$$$$$$$ ) {
    my ( $action, $loglevel ) = split_action( $origaction );
    my $logaction;
    my $param;
    #
    # Handle early matches
    #
    if ( $inlinematches =~ s/^s*\+// ) {
 	$prerule = $inlinematches;
 	$inlinematches = '';
    }
    if ( $action =~ /^MASQUERADE(\+)?(?:\((.+)\))?$/ ) {
 	$target     = 'MASQUERADE';
@@ -5571,7 +5669,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
    #
    # Handle Protocol, Ports and Condition
    #
-    $baserule .= do_proto( $proto, $ports, '' );
+    $baserule .= do_proto( $proto, $ports, $sports );
    #
    # Handle Mark
    #
@@ -5818,6 +5916,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 				 supplied( $destnets ) && $destnets ne '-' ? $inaction || $interface ? join( ':', $interface, $destnets ) : $destnets : $inaction ? '-' : $interface,
 				 $proto,
 				 $ports,
 				 $sports,
 				 $ipsec,
 				 $mark,
 				 $user,
@@ -5828,9 +5927,11 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    if ( $actiontype & ACTION ) {
 		fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
 		#
-		# Verify action 'proto', if any
+		# Verify action 'proto' and 'dport', if any
 		#
-		$proto = determine_action_protocol( $target, $proto );
+		if ( ( $proto = determine_action_protocol( $target, $proto ) ) ne '-' ) {
 		    $ports = determine_action_dport( $target, $proto, $ports );
 		}
 		#
 		# Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store
 		# the interface name in the log tag
@@ -5928,18 +6029,30 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 sub process_snat( )
 {
-    my ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+    my ($action, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability );
-	split_line2( 'snat file',
+
-		     { action => 0, source => 1, dest => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+    if ( $file_format == 1 ) {
-		     {},    #Nopad
+	($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
-		     undef, #Columns
+	    split_line2( 'snat file',
-		     1 );   #Allow inline matches
+			 { action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
 			 {},    #Nopad
 			 11,    #Columns
 			 1 );   #Allow inline matches
 	$sports = '-';
    } else {
 	($action, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
 	    split_line2( 'snat file',
 			 { action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, sport => 5, ipsec => 6, mark => 7, user => 8, switch => 9, origdest => 10, probability => 11 },
 			 {},    #Nopad
 			 12,    #Columns
 			 1 );   #Allow inline matches
    }
    fatal_error 'ACTION must be specified' if $action eq '-';
    fatal_error 'DEST must be specified' if $dest eq '-';
    for my $proto ( split_list $protos, 'Protocol' ) {
-	process_snat1( undef, $action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+	process_snat1( undef, $action, $source, $dest, $proto, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability );
    }
 }
@@ -5954,7 +6067,7 @@ sub setup_snat()
 	#
 	# Masq file was empty or didn't exist
 	#
-	if ( $fn = open_file( 'snat', 1, 1 ) ) {
+	if ( $fn = open_file( 'snat', 2, 1, undef, 1 ) ) {
 	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
 	    process_snat while read_a_line( NORMAL_READ );
 	}
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -560,7 +560,8 @@ sub process_zone( \$ ) {
 	@parents = split_list $2, 'zone';
    }
-    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH};
+    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i;
    fatal_error "Zone name ($zone) too long"     unless length $zone <= $globals{MAXZONENAMELENGTH};
    fatal_error "Invalid zone name ($zone)"      if $reservedName{$zone} || $zone =~ /^all2|2all$/;
    fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};
@@ -2028,7 +2029,7 @@ sub verify_required_interfaces( $ ) {
 	push_indent;
-	emit( 'start|reload|restore)' );
+	emit( 'start|reload|restore|enable)' );
 	push_indent;
--- a/Shorewall/Perl/lib.runtime
+++ b/Shorewall/Perl/lib.runtime
@@ -1089,7 +1089,7 @@ clear_firewall() {
    set_state "Cleared"
-    logger -p kern.info "$g_product Cleared"
+    logger -p daemon.info "$g_product Cleared"
 }
 #
@@ -1113,7 +1113,7 @@ interface_is_usable() # $1 = interface
    status=0
    if [ "$1" != lo ]; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && [ -z "$($IP -$g_family link list dev $1 2> /dev/null | fgrep 'state DOWN')" ]; then
+	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
 	    if [ "$COMMAND" != enable ]; then
 		[ ! -f ${VARDIR}/${1}_disabled ] && run_isusable_exit $1
 		status=$?
@@ -1389,7 +1389,7 @@ clear_firewall() {
    set_state "Cleared"
-    logger -p kern.info "$g_product Cleared"
+    logger -p daemon.info "$g_product Cleared"
 }
 ?endif # IPv6-specific functions.
--- a/Shorewall/Samples/three-interfaces/snat
+++ b/Shorewall/Samples/three-interfaces/snat
@@ -12,8 +12,9 @@
 # For information about entries in this file, type "man shorewall-snat"
 #
 # See https://shorewall.org/manpages/shorewall-snat.html for more information
-###########################################################################################################################################
+?FORMAT 2
-#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+###################################################################################################################################################
 #ACTION			SOURCE			DEST            PROTO	DPORT	SPORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
 #
--- a/Shorewall/Samples/two-interfaces/snat
+++ b/Shorewall/Samples/two-interfaces/snat
@@ -12,8 +12,9 @@
 # For information about entries in this file, type "man shorewall-snat"
 #
 # See https://shorewall.org/manpages/shorewall-snat.html for more information
-###########################################################################################################################################
+?FORMAT 2
-#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+###################################################################################################################################################
 #ACTION			SOURCE			DEST            PROTO	DPORT	SPORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
 #
--- a/Shorewall/Shorewall-targetname
+++ b/Shorewall/Shorewall-targetname
@@ -1 +1 @@
-5.2.4.1
+5.2.6-RC1
--- a/Shorewall/configfiles/snat
+++ b/Shorewall/configfiles/snat
@@ -5,5 +5,6 @@
 #
 # See https://shorewall.org/manpages/shorewall-snat.html for more information
 #
-###########################################################################################################################################
+?FORMAT 2
-#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+###################################################################################################################################################
 #ACTION			SOURCE			DEST		PROTO	DPORT	SPORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -338,7 +338,7 @@ get_config() {
    if [ -n "$DYNAMIC_BLACKLIST" -a "$(id -u)" = 0 ]; then
 	case $COMMAND in
-	    blacklist|allow|drop|logdrop|reject)
+	    blacklist*|allow|drop|logdrop|reject)
 		setup_dbl
 		;;
 	esac
@@ -386,6 +386,7 @@ uptodate() {
    [ -n "${find}" ] || return 1
    [ -h "${find}" ] && busybox=Yes
    find="${find} -L"
    for dir in $g_shorewalldir $(split $CONFIG_PATH); do
 	if [ -n "${busybox}" ]; then
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -26,8 +26,8 @@
    <title>Description</title>
    <para>This file allows you to define new ACTIONS for use in rules (see
-    <ulink url="shorewall-rules.html">shorewall-rules(5)</ulink>).
+    <ulink url="shorewall-rules.html">shorewall-rules(5)</ulink>). You define
-    You define the iptables rules to be performed in an ACTION in
+    the iptables rules to be performed in an ACTION in
    /etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
    <para>Columns are:</para>
@@ -148,8 +148,8 @@
              <listitem>
                <para>Added in Shorewall 5.0.7. Specifies that this action is
                to be used in <ulink
-                url="shorewall-mangle.html">shorewall-mangle(5)</ulink>
+                url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
-                rather than <ulink
+                than <ulink
                url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
              </listitem>
            </varlistentry>
@@ -160,11 +160,11 @@
              <listitem>
                <para>Added in Shorewall 5.0.13. Specifies that this action is
                to be used in <ulink
-                url="shorewall-snat.html">shorewall-snat(5)</ulink>
+                url="shorewall-snat.html">shorewall-snat(5)</ulink> rather
-                rather than <ulink
+                than <ulink
-                url="shorewall-rules.html">shorewall-rules(5)</ulink>.
+                url="shorewall-rules.html">shorewall-rules(5)</ulink>. The
-                The <option>mangle</option> and <option>nat</option> options
+                <option>mangle</option> and <option>nat</option> options are
-                are mutually exclusive.</para>
+                mutually exclusive.</para>
              </listitem>
            </varlistentry>
@@ -212,6 +212,24 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>dport</option>=<replaceable>portorservice</replaceable></term>
              <listitem>
                <para>Added in Shorewall 5.2.6. Requires that the <emphasis
                role="bold">proto</emphasis> option be previously given and
                indicates that this action may only be applied to flows with
                the specified <replaceable>protocol</replaceable> and
                <replaceable>portorservice</replaceable>.
                <replaceable>portorservice</replaceable> may be a valid port
                number or the name of a service defined in /etc/services to be
                usable with the specified <replaceable>protocol</replaceable>.
                If a port or service is specified in the DPORT column of an
                invocation, then it must match the named
                <replaceable>portorservice</replaceable>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><option>section</option></term>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -70,8 +70,7 @@
          in this column.</para>
          <para>If the interface serves multiple zones that will be defined in
-          the <ulink
+          the <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
          url="shorewall-hosts.html">shorewall-hosts</ulink>(5)
          file, you should place "-" in this column.</para>
          <para>If there are multiple interfaces to the same zone, you must
@@ -109,8 +108,8 @@ loc     eth2            -</programlisting>
          <para>When using Shorewall versions before 4.1.4, care must be
          exercised when using wildcards where there is another zone that uses
          a matching specific interface. See <ulink
-          url="shorewall-nesting.html">shorewall-nesting</ulink>(5)
+          url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for a
-          for a discussion of this problem.</para>
+          discussion of this problem.</para>
          <para>Shorewall allows '+' as an interface name, but that usage is
          deprecated. A better approach is to specify
@@ -370,8 +369,7 @@ loc     eth2            -</programlisting>
                firewall through this interface and whether the source address
                and/or destination address is to be compared against the
                ipset-based dynamic blacklist (DYNAMIC_BLACKLIST=ipset... in
-                <ulink
+                <ulink url="shorewall.conf.html">shorewall.conf(5)</ulink>).
                url="shorewall.conf.html">shorewall.conf(5)</ulink>).
                The default is determine by the setting of
                DYNAMIC_BLACKLIST:</para>
@@ -459,8 +457,8 @@ loc     eth2            -</programlisting>
                  <listitem>
                    <para>the interface is a <ulink
-                    url="../SimpleBridge.html">simple bridge</ulink> with a DHCP
+                    url="../SimpleBridge.html">simple bridge</ulink> with a
-                    server on one port and DHCP clients on another
+                    DHCP server on one port and DHCP clients on another
                    port.</para>
                    <note>
@@ -585,8 +583,8 @@ loc     eth2            -</programlisting>
              <listitem>
                <para>Connection requests from this interface are compared
                against the contents of <ulink
-                url="shorewall-maclist.html">shorewall-maclist</ulink>(5).
+                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
-                If this option is specified, the interface must be an Ethernet
+                this option is specified, the interface must be an Ethernet
                NIC and must be up before Shorewall is started.</para>
              </listitem>
            </varlistentry>
@@ -650,8 +648,8 @@ loc     eth2            -</programlisting>
                <para>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5).
+                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
-                After logging, the packets are dropped.</para>
+                logging, the packets are dropped.</para>
              </listitem>
            </varlistentry>
@@ -659,6 +657,11 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">optional</emphasis></term>
              <listitem>
                <para>This option indicates that the firewall should be able
                to start, even if the interface is not usable for handling
                traffic. It allows use of the <command>enable</command> and
                <command>disable</command> commands on the interface.</para>
                <para>When <option>optional</option> is specified for an
                interface, Shorewall will be silent when:</para>
@@ -674,6 +677,16 @@ loc     eth2            -</programlisting>
                    <para>The first address of the interface cannot be
                    obtained.</para>
                  </listitem>
                  <listitem>
                    <para>The gateway of the interface can not be obtained
                    (provider interface).</para>
                  </listitem>
                  <listitem>
                    <para>The interface has been disabled using the
                    <command>disable</command> command.</para>
                  </listitem>
                </itemizedlist>
                <para>May not be specified with <emphasis
@@ -826,9 +839,9 @@ loc     eth2            -</programlisting>
                <important>
                  <para>If ROUTE_FILTER=Yes in <ulink
-                  url="shorewall.conf.html">shorewall.conf</ulink>(5),
+                  url="shorewall.conf.html">shorewall.conf</ulink>(5), or if
-                  or if your distribution sets net.ipv4.conf.all.rp_filter=1
+                  your distribution sets net.ipv4.conf.all.rp_filter=1 in
-                  in <filename>/etc/sysctl.conf</filename>, then setting
+                  <filename>/etc/sysctl.conf</filename>, then setting
                  <emphasis role="bold">routefilter</emphasis>=0 in an
                  <replaceable>interface</replaceable> entry will not disable
                  route filtering on that
@@ -848,8 +861,8 @@ loc     eth2            -</programlisting>
                  <itemizedlist>
                    <listitem>
                      <para>If USE_DEFAULT_RT=Yes in <ulink
-                      url="shorewall.conf.html">shorewall.conf</ulink>(5)
+                      url="shorewall.conf.html">shorewall.conf</ulink>(5) and
-                      and the interface is listed in <ulink
+                      the interface is listed in <ulink
                      url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
                    </listitem>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -79,13 +79,13 @@
        <listitem>
          <para>A FWMARK <emphasis>value</emphasis> used in your <ulink
-          url="shorewall-mangle.html">shorewall-mangle(5)</ulink>
+          url="shorewall-mangle.html">shorewall-mangle(5)</ulink> file to
-          file to direct packets to this provider.</para>
+          direct packets to this provider.</para>
          <para>If PROVIDER_OFFSET is non-zero in <ulink
-          url="shorewall.conf.html">shorewall.conf(5)</ulink>, then
+          url="shorewall.conf.html">shorewall.conf(5)</ulink>, then the value
-          the value must be a multiple of 2^^PROVIDER_OFFSET. In all cases,
+          must be a multiple of 2^^PROVIDER_OFFSET. In all cases, the number
-          the number of significant bits may not exceed PROVIDER_OFFSET +
+          of significant bits may not exceed PROVIDER_OFFSET +
          PROVIDER_BITS.</para>
        </listitem>
      </varlistentry>
@@ -111,8 +111,8 @@
        <listitem>
          <para>The name of the network interface to the provider. Must be
          listed in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
+          url="shorewall-interfaces.html">shorewall-interfaces(5)</ulink>. In
-          In general, that interface should not have the
+          general, that interface should not have the
          <option>proxyarp</option> or <option>proxyndp</option> option
          specified unless <option>loose</option> is given in the OPTIONS
          column of this entry.</para>
@@ -190,9 +190,8 @@
                <para>Beginning with Shorewall 4.4.3, <option>track</option>
                defaults to the setting of the TRACK_PROVIDERS option in
-                <ulink
+                <ulink url="shorewall.conf.html">shorewall.conf</ulink> (5).
-                url="shorewall.conf.html">shorewall.conf</ulink>
+                If you set TRACK_PROVIDERS=Yes and want to override that
                (5). If you set TRACK_PROVIDERS=Yes and want to override that
                setting for an individual provider, then specify
                <option>notrack</option> (see below).</para>
              </listitem>
@@ -343,7 +342,7 @@
                <replaceable>weight</replaceable> is given, a balanced route
                is added with the weight of this provider equal to the
                specified <replaceable>weight</replaceable>. If the option is
-                given without a <replaceable>weight</replaceable>, an separate
+                given without a <replaceable>weight</replaceable>, a separate
                default route is added through the provider's gateway; the
                route has a metric equal to the provider's NUMBER.</para>
--- a/Shorewall/manpages/shorewall-snat.xml
+++ b/Shorewall/manpages/shorewall-snat.xml
@@ -39,12 +39,26 @@
      <para>If you have more than one ISP link, adding entries to this file
      will <emphasis role="bold">not</emphasis> force connections to go out
      through a particular link. You must use entries in <ulink
-      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
+      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
-      PREROUTING entries in <ulink
+      entries in <ulink
      url="shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
      that.</para>
    </warning>
    <para>Beginning with Shorewall 5.2.6, the snat file supports two different
    formats:</para>
    <orderedlist>
      <listitem>
        <para>The SPORT (source port) column is omitted. This is the default
        unless a "?FORMAT 2" compiler directive is included.</para>
      </listitem>
      <listitem>
        <para>The SPORT column immediately follows the DPORT column.</para>
      </listitem>
    </orderedlist>
    <para>The columns in the file are as follows.</para>
    <variablelist>
@@ -68,10 +82,10 @@
              <listitem>
                <para>where <replaceable>action</replaceable> is an action
                declared in <ulink
-                url="shorewall-actions.html">shorewall-actions(5)</ulink>
+                url="shorewall-actions.html">shorewall-actions(5)</ulink> with
-                with the <option>nat</option> option. See <ulink
+                the <option>nat</option> option. See <ulink
-                url="../Actions.html">https://shorewall.org/Actions.html</ulink> for
+                url="../Actions.html">https://shorewall.org/Actions.html</ulink>
-                further information.</para>
+                for further information.</para>
              </listitem>
            </varlistentry>
@@ -165,9 +179,9 @@
                <para>If you specify an address here, matching packets will
                have their source address set to that address. If
                ADD_SNAT_ALIASES is set to Yes or yes in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5)
+                url="shorewall.conf.html">shorewall.conf</ulink>(5) then
-                then Shorewall will automatically add this address to the
+                Shorewall will automatically add this address to the INTERFACE
-                INTERFACE named in the first column (IPv4 only).</para>
+                named in the first column (IPv4 only).</para>
                <para>You may also specify a range of up to 256 IP addresses
                if you want the SNAT address to be assigned from that range in
@@ -237,10 +251,10 @@
          <para>Normally Masq/SNAT rules are evaluated after those for
          one-to-one NAT (defined in <ulink
-          url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you
+          url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
-          want the rule to be applied before one-to-one NAT rules, follow the
+          rule to be applied before one-to-one NAT rules, follow the action
-          action name with "+": This feature should only be required if you
+          name with "+": This feature should only be required if you need to
-          need to insert rules in this file that preempt entries in <ulink
+          insert rules in this file that preempt entries in <ulink
          url="shorewall-nat.html">shorewall-nat</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -279,23 +293,23 @@
          networks. Multiple interfaces may be listed when the ACTION is
          MASQUERADE, but this is usually just your internet interface. If
          ADD_SNAT_ALIASES=Yes in <ulink
-          url="shorewall.conf.html">shorewall.conf</ulink>(5), you
+          url="shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
-          may add ":" and a <emphasis>digit</emphasis> to indicate that you
+          and a <emphasis>digit</emphasis> to indicate that you want the alias
-          want the alias added with that name (e.g., eth0:0). This will allow
+          added with that name (e.g., eth0:0). This will allow the alias to be
-          the alias to be displayed with ifconfig. <emphasis role="bold">That
+          displayed with ifconfig. <emphasis role="bold">That is the only use
-          is the only use for the alias name; it may not appear in any other
+          for the alias name; it may not appear in any other place in your
-          place in your Shorewall configuration.</emphasis></para>
+          Shorewall configuration.</emphasis></para>
          <para>Beginning with Shorewall 5.1.12, SNAT may be performed in the
          nat table's INPUT chain by specifying $FW rather than one or more
-          interfaces. </para>
+          interfaces.</para>
          <para>Each interface must match an entry in <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
          Shorewall allows loose matches to wildcard entries in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
-          For example, <filename class="devicefile">ppp0</filename> in this
+          example, <filename class="devicefile">ppp0</filename> in this file
-          file will match a <ulink
+          will match a <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          entry that defines <filename
          class="devicefile">ppp+</filename>.</para>
@@ -315,8 +329,8 @@
          addresses to indicate that you only want to change the source IP
          address for packets being sent to those particular destinations.
          Exclusion is allowed (see <ulink
-          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
-          as are ipset names preceded by a plus sign '+';</para>
+          are ipset names preceded by a plus sign '+';</para>
          <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
          entry then include the ":" but omit the digit:</para>
@@ -341,8 +355,7 @@
        <listitem>
          <para>If you wish to restrict this entry to a particular protocol
          then enter the protocol name (from protocols(5)) or number here. See
-          <ulink
+          <ulink url="shorewall-rules.html">shorewall-rules(5)</ulink> for
          url="shorewall-rules.html">shorewall-rules(5)</ulink> for
          details.</para>
          <para>Beginning with Shorewall 4.5.12, this column can accept a
@@ -356,10 +369,14 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">PORT</emphasis> (Optional) -
+        <term><emphasis role="bold">{PORT|DPORT}</emphasis> (Optional) -
        {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
        <listitem>
          <para>The column was renamed to DPORT in Shorewall 5.2.6. Beginning
          with that release, both PORT and DPORT are accepted in the
          alternative input format,</para>
          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
          SCTP (132) or UDPLITE (136) then you may list one or more port
          numbers (or names from services(5)) or port ranges separated by
@@ -375,6 +392,27 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SPORT
        {-|[!]<replaceable>port-name-or-number</replaceable>[,<replaceable>port-name-or-number</replaceable>]...|+<replaceable>ipset</replaceable>}</emphasis></term>
        <listitem>
          <para>FORMAT 2 only.</para>
          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
          SCTP (132) or UDPLITE (136) then you may list one or more port
          numbers (or names from services(5)) or port ranges separated by
          commas.</para>
          <para>Port ranges are of the form
          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
          <para>An <replaceable>ipset</replaceable> name can be specified in
          this column. This is intended to be used with
          <firstterm>bitmap:port</firstterm> ipsets.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
        [<emphasis>option</emphasis>[<emphasis
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -245,8 +245,8 @@
        <listitem>
          <para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
          is enabled (see <ulink
-          url="shorewall-accounting.html">shorewall-accounting</ulink>(5)).
+          url="shorewall-accounting.html">shorewall-accounting</ulink>(5)). If
-          If not specified or set to the empty value, ACCOUNTING=Yes is
+          not specified or set to the empty value, ACCOUNTING=Yes is
          assumed.</para>
        </listitem>
      </varlistentry>
@@ -271,8 +271,8 @@
        <listitem>
          <para>This parameter determines whether Shorewall automatically adds
          the external address(es) in <ulink
-          url="shorewall-nat.html">shorewall-nat</ulink>(5), and is
+          url="shorewall-nat.html">shorewall-nat</ulink>(5), and is only
-          only available in IPv4 configurations. If the variable is set to
+          available in IPv4 configurations. If the variable is set to
          <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis> then Shorewall automatically adds these
          aliases. If it is set to <emphasis role="bold">No</emphasis> or
@@ -300,8 +300,8 @@
        <listitem>
          <para>This parameter determines whether Shorewall automatically adds
          the SNAT ADDRESS in <ulink
-          url="shorewall-masq.html">shorewall-masq</ulink>(5), and
+          url="shorewall-masq.html">shorewall-masq</ulink>(5), and is only
-          is only available in IPv4 configurations. If the variable is set to
+          available in IPv4 configurations. If the variable is set to
          <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis> then Shorewall automatically adds these
          addresses. If it is set to <emphasis role="bold">No</emphasis> or
@@ -445,8 +445,7 @@
                <listitem>
                  <para>Specify the appropriate helper in the HELPER column in
-                  <ulink
+                  <ulink url="shorewall-rules.html">shorewall-rules</ulink>
                  url="shorewall-rules.html">shorewall-rules</ulink>
                  (5).</para>
                  <note>
@@ -514,8 +513,8 @@
          <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
          determines whether the <option>balance</option> provider option (see
          <ulink
-          url="shorewall-providers.html">shorewall-providers(5)</ulink>)
+          url="shorewall-providers.html">shorewall-providers(5)</ulink>) is
-          is the default. When BALANCE_PROVIDERS=Yes, then the
+          the default. When BALANCE_PROVIDERS=Yes, then the
          <option>balance</option> option is assumed unless the
          <option>fallback</option>, <option>loose</option>,
          <option>load</option> or <option>tproxy</option> option is
@@ -531,8 +530,8 @@
        <listitem>
          <para>Added in Shorewall-4.6.0. When set to <emphasis
          role="bold">Yes</emphasis>, causes entries in <ulink
-          url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>
+          url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink> to
-          to generate a basic filter rather than a u32 filter. This setting
+          generate a basic filter rather than a u32 filter. This setting
          requires the <firstterm>Basic Ematch</firstterm> capability in your
          kernel and iptables.</para>
@@ -589,8 +588,7 @@
          <para>The BLACKLIST_DISPOSITION setting determines the disposition
          of packets sent to the <emphasis role="bold">blacklog</emphasis>
-          target of <ulink
+          target of <ulink url="shorewall-blrules.html">shorewall-blrules
          url="shorewall-blrules.html">shorewall-blrules
          </ulink>(5), but otherwise does not affect entries in that
          file.</para>
        </listitem>
@@ -652,8 +650,8 @@
          not supply an /etc/shorewall/tcstart file. That way, your traffic
          shaping rules can still use the “fwmark” classifier based on packet
          marking defined in <ulink
-          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
+          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5). If not
-          If not specified, CLEAR_TC=Yes is assumed.</para>
+          specified, CLEAR_TC=Yes is assumed.</para>
          <warning>
            <para>When you specify TC_ENABLED=shared (see below), then you
@@ -943,14 +941,37 @@
                </important>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>log</term>
              <listitem>
                <para>Added in Shorewall 5.2.5. When specified, successful
                'blacklist' and 'allow' commands will log a message to the
                system log.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>noupdate</term>
              <listitem>
                <para>Added in Shorewall 5.2.5. Normally, once an address has
                been blacklisted, each time that a packet is received from the
                packet, the ipset's entry for the address is updated to reset
                the timeout to the value specifyed in the
                <option>timeout</option> option above. Setting the
                <option>noupdate</option> option, inhibits this resetting of
                the entry's timeout. This option is ignored when the
                <option>timeout</option> option is not specified.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>When ipset-based dynamic blacklisting is enabled, the contents
          of the blacklist will be preserved over
          <command>stop</command>/<command>reboot</command>/<command>start</command>
-          sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
+          sequences.</para>
          <replaceable>setname</replaceable> is included in the list of sets
          to be saved in SAVE_IPSETS.</para>
        </listitem>
      </varlistentry>
@@ -1159,12 +1180,11 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          <para>Subzones are defined by following their name with ":" and a
          list of parent zones (in <ulink
-          url="shorewall-zones.html">shorewall-zones</ulink>(5)).
+          url="shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
-          Normally, you want to have a set of special rules for the subzone
+          you want to have a set of special rules for the subzone and if a
-          and if a connection doesn't match any of those subzone-specific
+          connection doesn't match any of those subzone-specific rules then
-          rules then you want the parent zone rules and policies to be
+          you want the parent zone rules and policies to be applied; see
-          applied; see <ulink
+          <ulink url="shorewall-nesting.html">shorewall-nesting</ulink>(5).
          url="shorewall-nesting.html">shorewall-nesting</ulink>(5).
          With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
          <para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
@@ -1182,10 +1202,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        <listitem>
          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
          INVALID packets through the NEW section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5).
+          url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
-          When a packet in INVALID state fails to match any rule in the
+          packet in INVALID state fails to match any rule in the INVALID
-          INVALID section, the packet is disposed of based on this setting.
+          section, the packet is disposed of based on this setting. The
-          The default value is CONTINUE for compatibility with earlier
+          default value is CONTINUE for compatibility with earlier
          versions.</para>
        </listitem>
      </varlistentry>
@@ -1197,9 +1217,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
        <listitem>
          <para>Added in Shorewall 4.5.13. Packets in the INVALID state that
          do not match any rule in the INVALID section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5) are
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
-          logged at this level. The default value is empty which means no
+          this level. The default value is empty which means no logging is
-          logging is performed.</para>
+          performed.</para>
        </listitem>
      </varlistentry>
@@ -1482,8 +1502,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          sample configurations use this as the default log level and changing
          it will change all packet logging done by the configuration. In any
          configuration file (except <ulink
-          url="shorewall-params.html">shorewall-params(5)</ulink>),
+          url="shorewall-params.html">shorewall-params(5)</ulink>), $LOG_LEVEL
-          $LOG_LEVEL will expand to this value.</para>
+          will expand to this value.</para>
        </listitem>
      </varlistentry>
@@ -1635,8 +1655,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
          <note>
            <para>The setting of LOGFORMAT has an effect of the permitted
            length of zone names. See <ulink
-            url="shorewall-zones.html">shorewall-zones</ulink>
+            url="shorewall-zones.html">shorewall-zones</ulink> (5).</para>
            (5).</para>
          </note>
          <caution>
@@ -1793,8 +1812,8 @@ LOG:info:,bar                        net                    fw</programlisting>
        <listitem>
          <para>The performance of configurations with a large numbers of
          entries in <ulink
-          url="shorewall-maclist.html">shorewall-maclist</ulink>(5)
+          url="shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
-          can be improved by setting the MACLIST_TTL variable in <ulink
+          improved by setting the MACLIST_TTL variable in <ulink
          url="shorewall.conf.html">shorewall[6].conf</ulink>(5).</para>
          <para>If your iptables and kernel support the "Recent Match" (see
@@ -1804,15 +1823,14 @@ LOG:info:,bar                        net                    fw</programlisting>
          <para>When a new connection arrives from a 'maclist' interface, the
          packet passes through then list of entries for that interface in
-          <ulink
+          <ulink url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
-          url="shorewall-maclist.html">shorewall-maclist</ulink>(5).
+          there is a match then the source IP address is added to the 'Recent'
-          If there is a match then the source IP address is added to the
+          set for that interface. Subsequent connection attempts from that IP
-          'Recent' set for that interface. Subsequent connection attempts from
+          address occurring within $MACLIST_TTL seconds will be accepted
-          that IP address occurring within $MACLIST_TTL seconds will be
+          without having to scan all of the entries. After $MACLIST_TTL from
-          accepted without having to scan all of the entries. After
+          the first accepted connection request from an IP address, the next
-          $MACLIST_TTL from the first accepted connection request from an IP
+          connection request from that IP address will be checked against the
-          address, the next connection request from that IP address will be
+          entire list.</para>
          checked against the entire list.</para>
          <para>If MACLIST_TTL is not specified or is specified as empty (e.g,
          MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
@@ -2386,13 +2404,12 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
        <listitem>
          <para>Added in Shorewall 4.4.27. Shorewall has traditionally
          ACCEPTed RELATED packets that don't match any rule in the RELATED
-          section of <ulink
+          section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
-          url="shorewall-rules.html">shorewall-rules</ulink> (5).
+          (5). Concern about the safety of this practice resulted in the
-          Concern about the safety of this practice resulted in the addition
+          addition of this option. When a packet in RELATED state fails to
-          of this option. When a packet in RELATED state fails to match any
+          match any rule in the RELATED section, the packet is disposed of
-          rule in the RELATED section, the packet is disposed of based on this
+          based on this setting. The default value is ACCEPT for compatibility
-          setting. The default value is ACCEPT for compatibility with earlier
+          with earlier versions.</para>
          versions.</para>
        </listitem>
      </varlistentry>
@@ -2403,9 +2420,9 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
        <listitem>
          <para>Added in Shorewall 4.4.27. Packets in the related state that
          do not match any rule in the RELATED section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5) are
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
-          logged at this level. The default value is empty which means no
+          this level. The default value is empty which means no logging is
-          logging is performed.</para>
+          performed.</para>
        </listitem>
      </varlistentry>
@@ -2506,8 +2523,7 @@ INLINE          -       -       -       ;; -j REJECT
          <para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
          at least one optional interface must be up in order for the firewall
          to be in the started state. Intended to be used with the <ulink
-          url="shorewall-init.html">Shorewall Init
+          url="shorewall-init.html">Shorewall Init Package</ulink>.</para>
          Package</ulink>.</para>
        </listitem>
      </varlistentry>
@@ -2593,18 +2609,17 @@ INLINE          -       -       -       ;; -j REJECT
          <para>During <emphasis role="bold">shorewall star</emphasis>t, IP
          addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
          ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
-          url="shorewall-nat.html">shorewall-nat</ulink>(5) and
+          url="shorewall-nat.html">shorewall-nat</ulink>(5) and <ulink
-          <ulink url="shorewall-masq.html">shorewall-masq</ulink>(5)
+          url="shorewall-masq.html">shorewall-masq</ulink>(5) are processed
-          are processed then are re-added later. This is done to help ensure
+          then are re-added later. This is done to help ensure that the
-          that the addresses can be added with the specified labels but can
+          addresses can be added with the specified labels but can have the
-          have the undesirable side effect of causing routes to be quietly
+          undesirable side effect of causing routes to be quietly deleted.
-          deleted. When RETAIN_ALIASES is set to Yes, existing addresses will
+          When RETAIN_ALIASES is set to Yes, existing addresses will not be
-          not be deleted. Regardless of the setting of RETAIN_ALIASES,
+          deleted. Regardless of the setting of RETAIN_ALIASES, addresses
-          addresses added during <emphasis role="bold">shorewall
+          added during <emphasis role="bold">shorewall start</emphasis> are
-          start</emphasis> are still deleted at a subsequent <emphasis
+          still deleted at a subsequent <emphasis role="bold">shorewall
-          role="bold">shorewall [stop</emphasis>, <emphasis
+          [stop</emphasis>, <emphasis role="bold">shorewall reload</emphasis>
-          role="bold">shorewall reload</emphasis> or <emphasis
+          or <emphasis role="bold">shorewall restart</emphasis>.</para>
          role="bold">shorewall restart</emphasis>.</para>
        </listitem>
      </varlistentry>
@@ -2708,9 +2723,9 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.4.20. Determines the disposition of
          packets matching the <option>sfilter</option> option (see <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
-          and of <firstterm>hairpin</firstterm> packets on interfaces without
+          of <firstterm>hairpin</firstterm> packets on interfaces without the
-          the <option>routeback</option> option.<footnote>
+          <option>routeback</option> option.<footnote>
              <para>Hairpin packets are packets that are routed out of the
              same interface that they arrived on.</para>
            </footnote></para>
@@ -2724,9 +2739,9 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Added on Shorewall 4.4.20. Determines the logging of packets
          matching the <option>sfilter</option> option (see <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
-          and of <firstterm>hairpin</firstterm> packets on interfaces without
+          of <firstterm>hairpin</firstterm> packets on interfaces without the
-          the <option>routeback</option> option.<footnote>
+          <option>routeback</option> option.<footnote>
              <para>Hairpin packets are packets that are routed out of the
              same interface that they arrived on.</para>
            </footnote> The default is <option>info</option>. If you don't
@@ -2754,9 +2769,9 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.4.20. The default setting is DROP which
          causes smurf packets (see the nosmurfs option in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
-          to be dropped. A_DROP causes the packets to be audited prior to
+          be dropped. A_DROP causes the packets to be audited prior to being
-          being dropped and requires AUDIT_TARGET support in the kernel and
+          dropped and requires AUDIT_TARGET support in the kernel and
          iptables.</para>
        </listitem>
      </varlistentry>
@@ -2768,8 +2783,8 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Specifies the logging level for smurf packets (see the
          nosmurfs option in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)). If
-          If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
+          set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
          logged.</para>
        </listitem>
      </varlistentry>
@@ -2871,8 +2886,7 @@ INLINE          -       -       -       ;; -j REJECT
          <para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
          simple traffic shaping using <ulink
          url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
-          and <ulink
+          and <ulink url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
          url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
          enabled.</para>
          <para>If you set TC_ENABLED=Internal or internal or leave the option
@@ -2936,10 +2950,10 @@ INLINE          -       -       -       ;; -j REJECT
          <para>Determines the disposition of TCP packets that fail the checks
          enabled by the <emphasis role="bold">tcpflags</emphasis> interface
          option (see <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
-          and must have a value of ACCEPT (accept the packet), REJECT (send an
+          must have a value of ACCEPT (accept the packet), REJECT (send an RST
-          RST response) or DROP (ignore the packet). If not set or if set to
+          response) or DROP (ignore the packet). If not set or if set to the
-          the empty value (e.g., TCP_FLAGS_DISPOSITION="") then
+          empty value (e.g., TCP_FLAGS_DISPOSITION="") then
          TCP_FLAGS_DISPOSITION=DROP is assumed.</para>
          <para>A_DROP and A_REJECT are audited versions of DROP and REJECT
@@ -2968,8 +2982,8 @@ INLINE          -       -       -       ;; -j REJECT
          <para>Added in Shorewall 4.4.3. When set to Yes, causes the
          <option>track</option> option to be assumed on all providers defined
          in <ulink
-          url="shorewall-providers.html">shorewall-providers</ulink>(5).
+          url="shorewall-providers.html">shorewall-providers</ulink>(5). May
-          May be overridden on an individual provider through use of the
+          be overridden on an individual provider through use of the
          <option>notrack</option> option. The default value is 'No'.</para>
          <para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
@@ -3023,10 +3037,10 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
          UNTRACKED packets through the NEW section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5).
+          url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
-          When a packet in UNTRACKED state fails to match any rule in the
+          packet in UNTRACKED state fails to match any rule in the UNTRACKED
-          UNTRACKED section, the packet is disposed of based on this setting.
+          section, the packet is disposed of based on this setting. The
-          The default value is CONTINUE for compatibility with earlier
+          default value is CONTINUE for compatibility with earlier
          versions.</para>
        </listitem>
      </varlistentry>
@@ -3038,9 +3052,9 @@ INLINE          -       -       -       ;; -j REJECT
        <listitem>
          <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
          do not match any rule in the UNTRACKED section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5) are
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
-          logged at this level. The default value is empty which means no
+          this level. The default value is empty which means no logging is
-          logging is performed.</para>
+          performed.</para>
        </listitem>
      </varlistentry>
@@ -3062,8 +3076,8 @@ INLINE          -       -       -       ;; -j REJECT
          <orderedlist>
            <listitem>
              <para>Both the DUPLICATE and the COPY columns in <ulink
-              url="shorewall-providers.html">providers</ulink>(5)
+              url="shorewall-providers.html">providers</ulink>(5) file must
-              file must remain empty (or contain "-").</para>
+              remain empty (or contain "-").</para>
            </listitem>
            <listitem>
@@ -3083,9 +3097,9 @@ INLINE          -       -       -       ;; -j REJECT
            <listitem>
              <para>Packets are sent through the main routing table by a rule
              with priority 999. In <ulink
-              url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5),
+              url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5), the
-              the range 1-998 may be used for inserting rules that bypass the
+              range 1-998 may be used for inserting rules that bypass the main
-              main table.</para>
+              table.</para>
            </listitem>
            <listitem>
--- a/Shorewall6/configfiles/snat
+++ b/Shorewall6/configfiles/snat
@@ -5,5 +5,7 @@
 #
 # See https://shorewall.org/manpages/shorewall-snat.html for more information
 #
-###########################################################################################################################################
+?FORMAT 2
-#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+###################################################################################################################################################
 #ACTION			SOURCE			DEST		PROTO	DPORT	SPORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
--- a/docs/Build.xml
+++ b/docs/Build.xml
@@ -40,7 +40,11 @@
  <note>
    <para>This information is provided primarily for Shorewall developers.
-    Users are expected to install from pre-built tarballs or packages.</para>
+	    Users are expected to install from pre-built tarballs or packages.
 	    In addition to the below, it is also suggested to read the
 	    <ulink url="https://gitlab.com/shorewall/tools/raw/master/files/shorewall-release-process.txt">README file</ulink>
 	    located in the root directory of the tools repository.
    </para>
  </note>
  <section>
@@ -98,6 +102,21 @@
      version.</para>
    </section>
    <section>
      <title>release (Clone of Release)</title>
      <para>Added in Shorewall 4.4.22, this directory contains the files that
      contain release-dependent information (change.txt, releasenotes.txt,
      .spec files, etc). This is actually a symbolic link to ../release which
      has its own Git repository.</para>
    </section>
    <section>
      <title>testing (Clone of Testing)</title>
      <para> This directory contains the regression library files.</para>
    </section>
    <section>
      <title>tools (Clone of Tools)</title>
@@ -117,7 +136,8 @@
          <term>tools/files</term>
          <listitem>
-            <para>Files that are used during the release process.</para>
+		  <para>Files that are used during the release process.
 		  The license and readme files are also kept there.</para>
          </listitem>
        </varlistentry>
@@ -145,15 +165,6 @@
      <para>The files from the web site that are maintained in HTML format.
      are kept in this directory.</para>
    </section>
    <section>
      <title>release (Clone of Release)</title>
      <para>Added in Shorewall 4.4.22, this directory contains the files that
      contain release-dependent information (change.txt, releasenotes.txt,
      .spec files, etc). This is actually a symbolic link to ../release which
      has its own Git repository.</para>
    </section>
  </section>
  <section>
@@ -180,10 +191,11 @@
    </section>
    <section>
-      <title>build45, build46 and build50</title>
+      <title>build45, build46, and build</title>
      <para>These are the scripts that respectively build Shorewall 4.5,
-      Shorewall 4.6 and Shorewall 5.[012] packages from Git.</para>
+      Shorewall 4.6 and Shorewall 5.[012] packages from Git.
      Build is actually a symlink to the current build script.</para>
      <para>The scripts copy content from Git using the <command>git
      archive</command> command. They then use that content to build the
@@ -297,7 +309,7 @@
      <para>The general form of the build command is:</para>
      <blockquote>
-        <para><command>build</command>xx [ -<replaceable>options</replaceable>
+	      <para><command>build</command>[<replaceable>xx</replaceable>] [ -<replaceable>options</replaceable>
        ] <replaceable>release</replaceable> [ <replaceable>prior
        release</replaceable> ]</para>
      </blockquote>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -2592,7 +2592,7 @@ eth0            External        50mbit:200kb            5.0mbit:100kb:200ms:100m
      <programlisting><emphasis role="bold">ethtool -K eth<emphasis>N</emphasis> tso off gso off</emphasis></programlisting>
    </section>
-    <section>
+    <section id="faq97a">
      <title>(FAQ 97a) I enable Shorewall traffic shaping and now my download
      rate is way below what I specified</title>
--- a/docs/SharedConfig.xml
+++ b/docs/SharedConfig.xml
@@ -2,7 +2,7 @@
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <article>
-  <!--mangle$Id$-->
+  <!--$Id$-->
  <articleinfo>
    <title>Shared Shorewall and Shorewall6 Configuration</title>
@@ -20,6 +20,8 @@
    <copyright>
      <year>2017</year>
      <year>2020</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -37,7 +39,7 @@
  <section>
    <title>Introduction</title>
-    <para>Netfilter separates management of IPv4 and IPv6 configurations. Each
+    <para>Iptables separates management of IPv4 and IPv6 configurations. Each
    address family has its own utility (iptables and ip6tables), and changes
    made to the configuration of one address family do not affect the other.
    While Shorewall also separates the address families in this way, it is
@@ -66,9 +68,39 @@
    provides access to a container running irssi under screen, allowing
    constant access to and monitoring of IRC channels.</para>
    <para>The firewall's local ethernet interface (eth2) is connected to a
    Netgear GS108E smart switch with two vlans:</para>
    <itemizedlist>
      <listitem>
        <para>VLAN 1 (eth2.1) is connected to a wireless access point
        supporting both IPv4 (172.20.1.0/24) and IPv6
        (2601:601:a000:16f2::/64).</para>
      </listitem>
      <listitem>
        <para>VLAN 2 (eth2.2) is connected to devices located in my office
        supporting both IPv4 (172.20.1.0/24) and IPv6
        (2601:601:a000:16f2::/64).</para>
      </listitem>
    </itemizedlist>
    <para>The switch's management interface is accessed via eth2
    (192.168.0.0/24).</para>
    <note>
      <para>The GS108E does not currently support restricting the management
      interface to a particular VLAN -- it is accessible from any connected
      host whose IP configuration allows unrouted access to the switch's IP
      address.</para>
    </note>
    <para>Here is a diagram of this installation:</para>
-    <graphic fileref="images/Network2017.png"/>
+    <graphic fileref="images/Network2020.png"/>
    <para>The boxes in the diagram represent the six shorewall zones (The
    firewall and IPSec vpn zone are not shown).</para>
  </section>
  <section>
@@ -76,35 +108,38 @@
    <para>Here are the contents of /etc/shorewall/ and /etc/shorewal6/:</para>
-    <programlisting>root@gateway:~# ls -l /etc/shorewall/
+    <programlisting>root@gateway:~# ls -l /etc/shorewall
-total 92
+total 132
-rw-r--r-- 1 root root  201 Mar 19  2017 action.Mirrors
+-rw-r--r-- 1 root root 1152 May 18 10:51 action.NotSyn
-rw-r--r-- 1 root root  109 Oct 20 09:18 actions
+-rw-r--r-- 1 root root  180 Jun 27 09:24 actions
-rw-r--r-- 1 root root  654 Oct 13 13:46 conntrack
+-rw-r--r-- 1 root root   60 May 31 17:55 action.SSHLIMIT
-rw-r--r-- 1 root root  104 Oct 13 13:21 hosts
+-rw-r--r-- 1 root root   82 Oct  5  2018 arprules
-rw-r--r-- 1 root root  867 Jul  1 10:50 interfaces
+-rw-r--r-- 1 root root  528 May 25 15:39 blrules
-rw-r--r-- 1 root root  107 Jun 29 15:14 isusable
+-rw-r--r-- 1 root root 1797 Sep 16  2019 capabilities
-rw-r--r-- 1 root root  240 Oct 13 13:34 macro.FTP
+-rw-r--r-- 1 root root  722 Jul  2 13:49 conntrack
-rw-r--r-- 1 root root  559 Oct 19 12:56 mangle
+-rw-r--r-- 1 root root  104 Oct 13  2017 hosts
-rw-r--r-- 1 root root 1290 Jun 29 15:16 mirrors
+-rw-r--r-- 1 root root 1119 Jul  4 14:02 interfaces
-rw-r--r-- 1 root root 2687 Oct 15 14:20 params
+-rw-r--r-- 1 root root  107 Jun 29  2017 isusable
-rw-r--r-- 1 root root  738 Oct 15 12:16 policy
+-rw-r--r-- 1 root root  240 Oct 13  2017 macro.FTP
-rw-r--r-- 1 root root 1838 Oct 11 08:29 providers
+-rw-r--r-- 1 root root  773 Jul  2 15:04 mangle
 -rw-r--r-- 1 root root 3108 Jul  3 15:51 params
 -rw-r--r-- 1 root root 1108 Jul  3 16:25 policy
 -rw-r--r-- 1 root root 2098 Apr 23 17:19 providers
 -rw-r--r-- 1 root root  398 Mar 18  2017 proxyarp
-rw-r--r-- 1 root root  738 Nov  8 09:34 routes
+-rw-r--r-- 1 root root  726 Oct 24  2018 routes
-rw-r--r-- 1 root root  729 Nov  7 12:52 rtrules
+-rw-r--r-- 1 root root  729 Mar  1 11:08 rtrules
-rw-r--r-- 1 root root 6367 Oct 13 13:21 rules
+-rw-r--r-- 1 root root 8589 Jul  4 09:34 rules
-rw-r--r-- 1 root root 5520 Oct 19 10:01 shorewall.conf
+-rw-r--r-- 1 root root 5503 Jun  5 17:29 shorewall.conf
-rw-r--r-- 1 root root 1090 Oct 25 15:17 snat
+-rw-r--r-- 1 root root 1090 Jul  2 14:32 snat
-rw-r--r-- 1 root root  181 Jun 29 15:12 started
+-rw-r--r-- 1 root root  180 Jan 30  2018 started
-rw-r--r-- 1 root root  435 Oct 13 13:21 tunnels
+-rw-r--r-- 1 root root  468 Apr 25 14:42 stoppedrules
-rw-r--r-- 1 root root  941 Oct 15 11:27 zones
+-rw-r--r-- 1 root root  435 Oct 13  2017 tunnels
-root@gateway:~# ls -l /etc/shorewall6/
+-rw-r--r-- 1 root root  978 Jul  3 12:28 zones
-total 8
+root@gateway:~# ls -l /etc/shorewall6
-lrwxrwxrwx 1 root root   20 Jul  6 16:35 mirrors -&gt; ../shorewall/mirrors
+total 12
-lrwxrwxrwx 1 root root   19 Jul  6 12:48 params -&gt; ../shorewall/params
+-rw-r--r-- 1 root root 1786 Sep 16  2019 capabilities
-rw-r--r-- 1 root root 5332 Oct 14 11:53 shorewall6.conf
+lrwxrwxrwx 1 root root   19 Jul  6  2017 params -&gt; ../shorewall/params
-root@gateway:~# 
+-rw-r--r-- 1 root root 5338 Jun  7 16:40 shorewall6.conf
 </programlisting>
    <para>The various configuration files are described in the sections that
@@ -171,7 +206,7 @@ DEFAULT_PAGER=/usr/bin/less
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
-#  Manpage also online at https://shorewall.org/manpages/shorewall.conf.html
+#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -197,14 +232,15 @@ INVALID_LOG_LEVEL=
 LOG_BACKEND=netlink
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=1
 LOG_ZONE=Src
 LOGALLNEW=
 LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
-LOGFORMAT=": %s %s"
+LOGFORMAT="%s %s"
 LOGTAGONLY=Yes
 LOGLIMIT="s:5/min"
 MACLIST_LOG_LEVEL="$LOG_LEVEL"
-RELATED_LOG_LEVEL="$LOG_LEVEL:,related"
+RELATED_LOG_LEVEL="$LOG_LEVEL:"
-RPFILTER_LOG_LEVEL="$LOG_LEVEL:,rpfilter"
+RPFILTER_LOG_LEVEL="$LOG_LEVEL:"
 SFILTER_LOG_LEVEL="$LOG_LEVEL"
 SMURF_LOG_LEVEL="$LOG_LEVEL"
 STARTUP_LOG=/var/log/shorewall-init.log
@@ -246,7 +282,7 @@ RSH_COMMAND='ssh ${root}@${system} ${command}'
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 ACCOUNTING=Yes
-ACCOUNTING_TABLE=mangle
+ACCOUNTING_TABLE=filter
 ADD_IP_ALIASES=No
 ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
@@ -256,7 +292,7 @@ AUTOMAKE=Yes
 BALANCE_PROVIDERS=No
 BASIC_FILTERS=No
 BLACKLIST="NEW,INVALID,UNTRACKED"
-CLAMPMSS=Yes
+CLAMPMSS=No
 CLEAR_TC=Yes
 COMPLETE=No
 DEFER_DNS_RESOLUTION=No
@@ -265,23 +301,20 @@ DETECT_DNAT_IPADDRS=No
 DISABLE_IPV6=No
 DOCKER=No
 DONT_LOAD="nf_nat_sip,nf_conntrack_sip,nf_conntrack_h323,nf_nat_h323"
-DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
+DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200,log,noupdate"
-EXPAND_POLICIES=Yes
+EXPAND_POLICIES=No
 EXPORTMODULES=Yes
 FASTACCEPT=Yes
 FORWARD_CLEAR_MARK=No
 HELPERS="ftp,irc"
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=Yes
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Yes
 KEEP_RT_TABLES=Yes
 LOAD_HELPERS_ONLY=Yes
 MACLIST_TABLE=filter
 MACLIST_TTL=60
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
 MINIUPNPD=No
 MULTICAST=No
@@ -291,6 +324,7 @@ OPTIMIZE=All
 OPTIMIZE_ACCOUNTING=No
 PERL_HASH_SEED=12345
 REJECT_ACTION=
 RENAME_COMBINED=No
 REQUIRE_INTERFACE=No
 RESTART=restart
 RESTORE_DEFAULT_ROUTE=No
@@ -332,8 +366,7 @@ TC_BITS=8
 PROVIDER_BITS=2
 PROVIDER_OFFSET=16
 MASK_BITS=8
-ZONE_BITS=0
+ZONE_BITS=0</programlisting>
 </programlisting>
      </section>
      <section>
@@ -348,7 +381,7 @@ ZONE_BITS=0
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
 #  Manpage also online at
-#  https://shorewall.org/manpages/shorewall.conf.html
+#  http://www.shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -373,13 +406,14 @@ BLACKLIST_LOG_LEVEL="none"
 INVALID_LOG_LEVEL=
 LOG_BACKEND=netlink
 LOG_VERBOSITY=2
 LOG_ZONE=Src
 LOGALLNEW=
 LOGFILE=/var/log/ulogd/ulogd.syslogemu.log
-LOGFORMAT="%s %s "
+LOGFORMAT="%s %s"
 LOGLIMIT="s:5/min"
 LOGTAGONLY=Yes
 MACLIST_LOG_LEVEL="$LOG_LEVEL"
-RELATED_LOG_LEVEL=
+RELATED_LOG_LEVEL="$LOG_LEVEL"
 RPFILTER_LOG_LEVEL="$LOG_LEVEL"
 SFILTER_LOG_LEVEL="$LOG_LEVEL"
 SMURF_LOG_LEVEL="$LOG_LEVEL"
@@ -407,7 +441,7 @@ TC=
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
-BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),dropNotSyn:$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
+BLACKLIST_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP),NotSyn(DROP):$LOG_LEVEL,dropInvalid:$LOG_LEVEL,DropDNSrep:$LOG_LEVEL"
 DROP_DEFAULT="AllowICMPs,Broadcast(DROP),Multicast(DROP)"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -435,19 +469,17 @@ COMPLETE=No
 DEFER_DNS_RESOLUTION=Yes
 DELETE_THEN_ADD=No
 DONT_LOAD=
-DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200"
+DYNAMIC_BLACKLIST="ipset-only,disconnect,timeout=7200,log,noupdate"
-EXPAND_POLICIES=Yes
+EXPAND_POLICIES=No
 EXPORTMODULES=Yes
 FASTACCEPT=Yes
 FORWARD_CLEAR_MARK=No
 HELPERS=ftp
 IGNOREUNKNOWNVARIABLES=No
 IMPLICIT_CONTINUE=No
 INLINE_MATCHES=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Keep
 KEEP_RT_TABLES=Yes
 LOAD_HELPERS_ONLY=Yes
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
@@ -458,6 +490,7 @@ OPTIMIZE=All
 OPTIMIZE_ACCOUNTING=No
 PERL_HASH_SEED=0
 REJECT_ACTION=
 RENAME_COMBINED=No
 REQUIRE_INTERFACE=No
 RESTART=restart
 RESTORE_DEFAULT_ROUTE=No
@@ -470,7 +503,7 @@ TRACK_PROVIDERS=Yes
 TRACK_RULES=No
 USE_DEFAULT_RT=Yes
 USE_NFLOG_SIZE=Yes
-USE_PHYSICAL_NAMES=No
+USE_PHYSICAL_NAMES=Yes
 USE_RT_NAMES=No
 VERBOSE_MESSAGES=No
 WARNOLDCAPVERSION=Yes
@@ -515,35 +548,38 @@ ZONE_BITS=0
      <para>The contents of /etc/shorewall/params is as follows:</para>
-      <programlisting>INCLUDE mirrors #Sets the MIRRORS variable for the Mirrors action
+      <programlisting>#
 #
 # Set compile-time variables depending on the address family
 #
 if [ $g_family = 4 ]; then
    #
    # IPv4 compilation
    #
-    FALLBACK=Yes	   # Make FAST_IF the primary and PROD_IF the fallback interface
+    FALLBACK=Yes           # Make FAST_IF the primary and PROD_IF the fallback interface
 			   # See /etc/shorewall/providers
-    STATISTICAL=No	   # Don't use statistical load balancing
+    STATISTICAL=	   # Use statistical load balancing
    LISTS=70.90.191.124	   # IP address of lists.shorewall.net (MX)
    MAIL=70.90.191.122	   # IP address of mail.shorewall.net  (IMAPS)
-    SERVER=70.90.191.125   # IP address of shorewall.org
+    SERVER=70.90.191.125   # IP address of www.shorewall.org
-    PROXY=		   # Use TPROXY for local web access
+    IRSSIEXT=10.2.10.2 	   # External address of irssi.shorewall.net
    IRSSIINT=172.20.2.44   # Internal IP address of irssi.shorewall.net
    PROXY=Yes		   # Use TPROXY for local web access
    ALL=0.0.0.0/0	   # Entire address space
    LOC_ADDR=172.20.1.253  # IP address of the local LAN interface
    FAST_GATEWAY=10.2.10.1 # Default gateway through the IF_FAST interface
    FAST_MARK=0x20000	   # Multi-ISP mark setting for IF_FAST
    IPSECMSS=1460
    DBL_SET=SW_DBL4
    #
    # Interface Options
    #
-    LOC_OPTIONS=dhcp,ignore=1,wait=5,routefilter,routeback,tcpflags=0,nodbl,physical=eth2
+    LOC_OPTIONS=dhcp,ignore=1,wait=5,routefilter,tcpflags=0,nodbl,physical=eth2.2
-    FAST_OPTIONS=optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,upnp,nosmurfs,physical=eth0
+    WLAN_OPTIONS=dhcp,ignore=1,wait=5,routefilter,tcpflags=0,nodbl,physical=eth2.1
-    PROD_OPTIONS=optional,dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,upnp,nosmurfs,physical=eth1
+    FAST_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,nosmurfs,rpfilter,physical=eth0
-    DMZ_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=70.90.191.120/29,dhcp,nodbl,physical=br0
+    PROD_OPTIONS=optional,dhcp,tcpflags,nosmurfs,sourceroute=0,arp_ignore=1,proxyarp=0,nosmurfs,rpfilter,physical=eth1
    DMZ_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=70.90.191.120/29,nodbl,physical=br0
    IRC_OPTIONS=routeback,proxyarp=1,required,wait=30,nets=172.20.2.0/24,dhcp,nodbl,physical=br1
    SWCH_OPTIONS=dhcp,tcpflags=0,nodbl,physical=eth2
 else
    #
    # IPv6 compilation
@@ -553,21 +589,24 @@ else
    STATISTICAL=No			      # Don't use statistical load balancing
    LISTS=[2001:470:b:227::42]		      # IP address of lists.shorewall.net (MX and HTTPS)
    MAIL=[2001:470:b:227::45]		      # IP address of mail.shorewall.net  (IMAPS and HTTPS)
-    SERVER=[2001:470:b:227::43]		      # IP address of shorewall.org   (HTTP, FTP and RSYNC)
+    SERVER=[2001:470:b:227::43]		      # IP address of server.shorewall.net(FTP)
-    PROXY=3				      # Use TPROXY for local web access
+    IRSSI=[2601:601:a000:16f1::]/64	      # IP address of irssi.shorewall.net
    PROXY=Yes				      # Use TPROXY for local web access
    ALL=[::]/0				      # Entire address space
    LOC_ADDR=[2601:601:a000:16f0::1]	      # IP address of the local LAN interface
-    FAST_GATEWAY=fe80::22e5:2aff:feb7:f2cf    # Default gateway through the IF_FAST interface
+    FAST_GATEWAY=2601:601:a000:1600:22e5:2aff:feb7:f2cf
    FAST_MARK=0x100			      # Multi-ISP mark setting for IF_FAST
    IPSECMSS=1440
    DBL_SET=SW_DBL6
    #
    # Interface Options
    #
-    PROD_OPTIONS=forward=1,optional,physical=sit1
+    PROD_OPTIONS=forward=1,optional,rpfilter,routeback,physical=sit1
-    FAST_OPTIONS=forward=1,optional,dhcp,upnp,physical=eth0
+    FAST_OPTIONS=forward=1,optional,dhcp,rpfilter,physical=eth0
-    LOC_OPTIONS=forward=1,nodbl,routeback,physical=eth2
+    LOC_OPTIONS=forward=1,nodbl,routeback,physical=eth2.2
    DMZ_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br0
    IRC_OPTIONS=routeback,forward=1,required,wait=30,nodbl,physical=br1
    WLAN_OPTIONS=forward=1,nodbl,routeback,physical=eth2.1
 fi</programlisting>
    </section>
@@ -576,8 +615,7 @@ fi</programlisting>
      <para>Here is the /etc/shorewall/zones file:</para>
-      <programlisting>###############################################################################
+      <programlisting>#ZONE	TYPE	OPTIONS			IN			OUT
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
 #
@@ -590,7 +628,10 @@ loc	{ TYPE=ip }
 dmz	{ TYPE=ip }
 apps	{ TYPE=ip }
 vpn	{ TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp,mss=$IPSECMSS }
-</programlisting>
+wlan    { TYPE=ip }
 ?if __IPV4
 swch	{ TYPE=local }
 ?endif</programlisting>
    </section>
    <section>
@@ -599,7 +640,11 @@ vpn	{ TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp,mss=$IPSECMSS }
      <para>/etc/shorewall/interfaces makes heavy use of variables set in
      /etc/shorewall/params:</para>
-      <programlisting>#
+      <programlisting>?FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 #
 # The two address families use different production interfaces and different 
 #
 # LOC_IF is the local LAN for both families
@@ -609,13 +654,18 @@ vpn	{ TYPE=ipsec, OPTIONS=mode=tunnel,proto=esp,mss=$IPSECMSS }
 #     For IPv6, it is sit1 (Hurricane Electric 6in4 link)
 # DMZ_IF is a bridge to the production containers
 # IRC_IF is a bridge to a container that currently runs irssi under screen
 # WLAN_IF is a vlan interface that connects to the wireless networks
 # SWCH_IF is the vlan trunk interface used for switch management
 loc  { INTERFACE=LOC_IF,  OPTIONS=$LOC_OPTIONS }
 wlan { INTERFACE=WLAN_IF, OPTIONS=$WLAN_OPTIONS }
 net  { INTERFACE=FAST_IF, OPTIONS=$FAST_OPTIONS }
 net  { INTERFACE=PROD_IF, OPTIONS=$PROD_OPTIONS }
 dmz  { INTERFACE=DMZ_IF,  OPTIONS=$DMZ_OPTIONS }
 apps { INTERFACE=IRC_IF,  OPTIONS=$IRC_OPTIONS }
-</programlisting>
+?if __IPV4
 swch { INTERFACE=SWCH_IF, OPTIONS=$SWCH_OPTIONS }
 ?endif</programlisting>
    </section>
    <section>
@@ -623,11 +673,10 @@ apps { INTERFACE=IRC_IF,  OPTIONS=$IRC_OPTIONS }
      <para>/etc/shorewall/hosts is used to define the vpn zone:</para>
-      <programlisting>#ZONE		HOSTS				OPTIONS
+      <programlisting>##ZONE		HOSTS				OPTIONS
 vpn { HOSTS=PROD_IF:$ALL }
 vpn { HOSTS=FAST_IF:$ALL }
-vpn { HOSTS=LOC_IF:$ALL }
+vpn { HOSTS=LOC_IF:$ALL }</programlisting>
 </programlisting>
    </section>
    <section>
@@ -635,23 +684,31 @@ vpn { HOSTS=LOC_IF:$ALL }
      <para>The same set of policies apply to both address families:</para>
-      <programlisting>#SOURCE	       DEST		 POLICY									  LOGLEVEL	      RATE
+      <programlisting>SOURCE	       DEST		 POLICY									  LOGLEVEL	      RATE
-$FW	     { DEST=dmz,net,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
+$FW	      { DEST=dmz,net,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
 $FW	     { DEST=all,	 POLICY=ACCEPT }
-loc	     { DEST=net,	 POLICY=ACCEPT }
+?if __IPV4
-loc,vpn,apps { DEST=loc,vpn,apps POLICY=ACCEPT }
+$FW	      { DEST=all,	 POLICY=ACCEPT:Broadcast(ACCEPT),Multicast(ACCEPT),			  LOGLEVEL=$LOG_LEVEL }
-loc	     { DEST=fw,		 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
+?else
 $FW	      { DEST=all,	 POLICY=ACCEPT:AllowICMPs,Broadcast(ACCEPT),Multicast(ACCEPT)		  LOGLEVEL=$LOG_LEVEL }
 ?endif
-net	     { DEST=net,	 POLICY=NONE }
+loc,apps,wlan { DEST=net,	 POLICY=ACCEPT }
-net	     { DEST=fw,		 POLICY=BLACKLIST:+Broadcast(DROP),Multicast(DROP),DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
+loc,vpn,apps  { DEST=loc,vpn,apps POLICY=ACCEPT }
-net	     { DEST=all,	 POLICY=BLACKLIST:+DropDNSrep:$LOG_LEVEL,				  LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
+loc	      { DEST=fw,		 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
-dmz	     { DEST=fw,		 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
+?if __IPV4
 net	      { DEST=net,	 POLICY=NONE }
 ?else
 net	      { DEST=net,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
 ?endif
 net	      { DEST=fw,	 POLICY=BLACKLIST:+Broadcast(DROP),Multicast(DROP),DropDNSrep:$LOG_LEVEL, LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
 net	      { DEST=all,	 POLICY=BLACKLIST:+DropDNSrep:$LOG_LEVEL,				  LOGLEVEL=$LOG_LEVEL, RATE=8/sec:30 }
-all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
+dmz	      { DEST=fw, 	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
-</programlisting>
+dmz	      { DEST=dmz, 	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
 all	      { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }</programlisting>
    </section>
    <section>
@@ -676,7 +733,9 @@ all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
        </listitem>
      </orderedlist>
-      <programlisting>#
+      <programlisting>#NAME		NUMBER   MARK    DUPLICATE  INTERFACE	GATEWAY         OPTIONS               COPY
 #
 # This could be cleaned up a bit, but I'm leaving it as is for now
 #
 #   - The two address families use different fw mark geometry
@@ -687,7 +746,9 @@ all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
 ?if $FALLBACK
    # FAST_IF is primary, PROD_IF is fallback
    #
-    ?info Compiling with FALLBACK
+    ?if $VERBOSITY &gt; 0
        ?info Compiling with FALLBACK
    ?endif
    IPv6Beta	    { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,primary,persistent,noautosrc }
    ?if __IPV4
 	ComcastB    { NUMBER=4, MARK=0x10000,	 INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=loose,fallback,persistent }
@@ -696,25 +757,29 @@ all	     { DEST=all,	 POLICY=REJECT,								  LOGLEVEL=$LOG_LEVEL }
    ?endif
 ?elsif $STATISTICAL
    # Statistically balance traffic between FAST_IF and PROD_IF
-    ?info Compiling with STATISTICAL
+    ?if $VERBOSITY &gt; 0
        ?info Compiling with STATISTICAL
    ?endif
    ?if __IPV4
-    	IPv6Beta    { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,load=0.66666667,primary }
+    	IPv6Beta    { NUMBER=1, MARK=0x20000, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=loose,load=0.66666667,primary,persistent }
 	ComcastB    { NUMBER=4, MARK=0x10000, INTERFACE=PROD_IF, GATEWAY=10.1.10.1, OPTIONS=loose,load=0.33333333,fallback,persistent }
    ?else
 	HE	    { NUMBER=2, MARK=0x200,   INTERFACE=PROD_IF,                        OPTIONS=track,load=0.33333333,persistent }
    ?endif
 ?else
-    ?INFO Compiling with BALANCE
+    ?if $VERBOSITY &gt; 0
-    IPv6Beta	 { NUMBER=1, MARK=0x100,   INTERFACE=eth0,    GATEWAY=$FAST_GATEWAY, OPTIONS=track,balance=2,loose,persistent }
+        ?info Compiling with BALANCE
    ?endif
    IPv6Beta	 { NUMBER=1, MARK=$FAST_MARK, INTERFACE=FAST_IF, GATEWAY=$FAST_GATEWAY, OPTIONS=track,balance=2,loose,persistent }
    ?if __IPV4
-	ComcastB { NUMBER=4, MARK=0x10000, INTERFACE=IPV4_IF, GATEWAY=10.1.10.1,     OPTIONS=nohostroute,loose,balance,persistent }
+	ComcastB { NUMBER=4, MARK=0x10000,    INTERFACE=PROD_IF, GATEWAY=10.1.10.1,     OPTIONS=nohostroute,loose,balance,persistent }
    ?else
        ?warning No BALANCE IPv6 configuration
 	HE	 { NUMBER=2, MARK=0x200,   INTERFACE=PROD_IF,			     OPTIONS=fallback,persistent }
    ?endif    
 ?endif
-Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
+Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }</programlisting>
 </programlisting>
    </section>
    <section>
@@ -754,28 +819,23 @@ Tproxy   { NUMBER=3, INTERFACE=lo, OPTIONS=tproxy }
    # not effective in routing the 'ping' request packets out of FAST_IF.
    # The following route solves that problem.
    #
-    { PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=fe80::22e5:2aff:feb7:f2cf, DEVICE=FAST_IF, OPTIONS=persistent }
+    { PROVIDER=main, DEST=2001:558:4082:d3::1/128, GATEWAY=$FAST_GATEWAY, DEVICE=FAST_IF, OPTIONS=persistent }
 ?endif</programlisting>
    </section>
    <section>
      <title>actions</title>
-      <para>/etc/shorewall/actions defines one action:</para>
+      <para>/etc/shorewall/actions defines a single action:</para>
-      <programlisting>#ACTION                         COMMENT
+      <programlisting>#ACTION      OPTIONS            COMMENT
-Mirrors	   	                # Accept traffic from Shorewall Mirrors
+SSHLIMIT     proto=tcp,\	# Blacklist overzealous SSHers
-</programlisting>
+	     dport=ssh</programlisting>
-      <para>/etc/shorewall/action.Mirrors:</para>
+      <para>/etc/shorewall/action.SSHLIMIT:</para>
-      <programlisting>#TARGET SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL	RATE
+      <programlisting>ACCEPT { RATE=s:3/min:3 }
-#                       	        	PORT    PORT(S)    DEST		LIMIT
+BLACKLIST:$LOG_LEVEL:net_SSHLIMIT</programlisting>
 ?COMMENT Accept traffic from Mirrors
 ?FORMAT  2
 DEFAULTS -
 $1	$MIRRORS
 </programlisting>
    </section>
    <section>
@@ -798,10 +858,12 @@ PARAM	-	-	tcp	21
      <para>In addition to invoking the FTP helper on TCP port 21, this file
      notracks some IPv4 traffic:</para>
-      <programlisting>#ACTION			SOURCE		DEST		PROTO	DPORT		SPORT	USER	SWITCH
+      <programlisting>?FORMAT 3
 ######################################################################################################
 #ACTION			SOURCE		DEST		PROTO	DPORT		SPORT	USER	SWITCH
-CT:helper:ftp:P { PROTO=tcp, DPORT=21 }
+CT:helper:ftp:P	 { PROTO=tcp, DPORT=21 }
-CT:helper:ftp:O { PROTO=tcp, DPORT=21 }
+CT:helper:ftp:O  { PROTO=tcp, DPORT=21 }
 ?if __IPV4
    #
@@ -810,10 +872,10 @@ CT:helper:ftp:O { PROTO=tcp, DPORT=21 }
    NOTRACK:P       { SOURCE=LOC_IF, DEST=172.20.1.255,   PROTO=udp }
    NOTRACK:P       { DEST=255.255.255.255, 	          PROTO=udp }
    NOTRACK:O       { DEST=255.255.255.255, 	          PROTO=udp }
-    NOTRACK:O       { DEST=172.20.1.255,    	          PROTO=udp }
+    NOTRACK:O       { DEST=LOC_IF:172.20.0.255,    	  PROTO=udp }
-    NOTRACK:O       { DEST=70.90.191.127,                 PROTO=udp }
+    NOTRACK:O       { DEST=LOC_IF:172.20.1.255,    	  PROTO=udp }
-?endif
+    NOTRACK:O       { DEST=PROD_IF:70.90.191.127,         PROTO=udp }
-</programlisting>
+?endif</programlisting>
    </section>
    <section>
@@ -822,12 +884,13 @@ CT:helper:ftp:O { PROTO=tcp, DPORT=21 }
      <para>/etc/shorewall/rules has only a couple of rules that are
      conditional based on address family:</para>
-      <programlisting>#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
+      <programlisting>##############################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	ORIGDEST	RATE	USER	MARK	CONNLIMIT	TIME	HEADERS	SWITCH	HELPER
 ?SECTION ALL
-Ping(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 }
+Ping(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping(1024,65536):2/sec:10 }
-Trcrt(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping:2/sec:10 }
+Trcrt(ACCEPT)	{ SOURCE=net, DEST=all, RATE=d:ping(1024,65536):2/sec:10 }
 ?SECTION ESTABLISHED
@@ -841,12 +904,13 @@ ACCEPT		{ SOURCE=loc, DEST=$FW,		PROTO=tcp,  helper=ftp }
 ACCEPT		{ SOURCE=all, DEST=all,		PROTO=icmp }
 RST(ACCEPT)	{ SOURCE=all, DEST=all }
 ACCEPT		{ SOURCE=dmz, DEST=dmz }
 ACCEPT		{ SOURCE=$FW, DEST=$FW }
 ?SECTION INVALID
 RST(ACCEPT)	{ SOURCE=all, DEST=all }
 FIN(ACCEPT)	{ SOURCE=all, DEST=all }
 DROP		{ SOURCE=net, DEST=all }
 FIN		{ SOURCE=all, DEST=all }
 ?SECTION UNTRACKED
@@ -863,17 +927,26 @@ CONTINUE	  { SOURCE=$FW, DEST=all }
 # Stop certain outgoing traffic to the net
 #
 REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=tcp, DPORT=25 }		#Stop direct loc-&gt;net SMTP (Comcast uses submission).
-REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=udp, DPORT=1025:1031 }	#MS Messaging
+#REJECT:$LOG_LEVEL { SOURCE=loc,vpn,apps DEST=net, PROTO=udp, DPORT=1025:1031 }	#MS Messaging
-REJECT		{ SOURCE=all, DEST=net, PROTO=tcp, DPORT=137,445, comment="Stop NETBIOS Crap" }
+REJECT		{ SOURCE=all!dmz,apps, DEST=net, PROTO=tcp, DPORT=137,445, comment="Stop NETBIOS Crap" }
-REJECT		{ SOURCE=all, DEST=net, PROTO=udp, DPORT=137:139, comment="Stop NETBIOS Crap" }
+REJECT		{ SOURCE=all!dmz,apps, DEST=net, PROTO=udp, DPORT=137:139, comment="Stop NETBIOS Crap" }
 REJECT		{ SOURCE=all, DEST=net, PROTO=tcp, DPORT=3333, comment="Disallow port 3333" }
 REJECT		{ SOURCE=all, DEST=net, PROTO=udp, DPORT=3544, comment="Stop Teredo" }
 ?if __IPV6
 DROP		{ SOURCE=net:PROD_IF, DEST=net:PROD_IF }
 ?endif
 ?COMMENT
 ######################################################################################################
 # SACK
 #
 DROP:$LOG_LEVEL	 { SOURCE=net, DEST=all } ;;+ -p tcp -m tcpmss --mss 1:535
 ######################################################################################################
 # 6in4
 #
@@ -884,22 +957,36 @@ REJECT		{ SOURCE=all, DEST=net, PROTO=udp, DPORT=3544, comment="Stop Teredo" }
 ######################################################################################################
 # Ping
 #
-Ping(ACCEPT)	  { SOURCE=$FW,loc,dmz,vpn, DEST=$FW,loc,dmz,vpn }
+Ping(ACCEPT)	  { SOURCE=all!net, DEST=all }
-Ping(ACCEPT)	  { SOURCE=all,              DEST=net }
+Ping(ACCEPT)	  { SOURCE=dmz, DEST=dmz }
 ?if __IPV4
 Ping(ACCEPT)	  { source=$FW, DEST=swch }
 ?endif
 ######################################################################################################
 # Logging
 #
 Syslog(ACCEPT)	  { SOURCE=dmz, DEST=$FW }
 ######################################################################################################
 # SSH
 #
-AutoBL(SSH,60,-,-,-,-,$LOG_LEVEL)\
+SSH(DROP)	  { SOURCE=net, DEST=dmz:$SERVER }
-		  { SOURCE=net,              DEST=all,         PROTO=tcp, DPORT=22 }
+SSHLIMIT	  { SOURCE=net, DEST=all }
 SSH(ACCEPT)	  { SOURCE=all, DEST=all }
 ?if __IPV4
 SSH(ACCEPT)	  { SOURCE=all+!swch, DEST=all+ }
 SSH(DNAT-)	  { SOURCE=net,              DEST=172.20.2.44, PROTO=tcp, DPORT=ssh, ORIGDEST=70.90.191.123 }
 ?else
 SSH(ACCEPT)	  { SOURCE=all+, DEST=all+ }
 ?endif
 ######################################################################################################
 # DNS
 #
-DNS(ACCEPT)	  { SOURCE=loc,dmz,vpn,apps, DEST=$FW }
+DNS(ACCEPT)	  { SOURCE=loc,dmz,vpn,apps,wlan, DEST=$FW }
-DNS(ACCEPT)	  { SOURCE=$FW, DEST=net }
+DNS(ACCEPT)	  { SOURCE=$FW,  DEST=net }
 ?if $TEST
 DNS(REDIRECT)	  loc		53	 -	53	-	!&amp;LOC_IF
 DNS(REDIRECT)	  fw		53	 -	53	-	!::1
 ?endif
 DropDNSrep        { SOURCE=net, DEST=all }
 ######################################################################################################
 # Traceroute
 #
@@ -910,41 +997,43 @@ Trcrt(ACCEPT)	  { SOURCE=net, DEST=$FW,dmz }
 #
 SMTP(ACCEPT)	   { SOURCE=net,$FW, DEST=dmz:$LISTS }
 SMTP(ACCEPT)	   { SOURCE=dmz:$LISTS, DEST=net:PROD_IF }
 SMTP(ACCEPT)	   { SOURCE=dmz, DEST=dmz:$LISTS }
 SMTP(REJECT)	   { SOURCE=dmz:$LISTS, DEST=net }
 IMAPS(ACCEPT)  	   { SOURCE=all, DEST=dmz:$MAIL }
 Submission(ACCEPT) { SOURCE=all, DEST=dmz:$LISTS }
 SMTPS(ACCEPT) 	   { SOURCE=all, DEST=dmz:$LISTS }
-IMAP(ACCEPT)	   { SOURCE=loc,vpn, DEST=net }
+IMAP(REJECT)	   { SOURCE=net, DEST=all }
 ######################################################################################################
 # NTP
 #
 NTP(ACCEPT)	   { SOURCE=all, DEST=net }
 NTP(ACCEPT)	   { SOURCE=loc,vpn,dmz,apps DEST=$FW }
 ######################################################################################################
 # Squid
-ACCEPT { SOURCE=loc,vpn, DEST=$FW, PROTO=tcp, DPORT=3128 } 
+ACCEPT { SOURCE=loc,vpn,wlan, DEST=$FW, PROTO=tcp, DPORT=3128 } 
 ######################################################################################################
 # HTTP/HTTPS
 #
-Web(ACCEPT)	   { SOURCE=loc,vpn DEST=$FW }
+Web(ACCEPT)	   { SOURCE=loc,vpn,wlan DEST=$FW }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=proxy }
 Web(DROP)	   { SOURCE=net, DEST=fw, PROTO=tcp, comment="Do not blacklist web crawlers" }
-HTTP(ACCEPT)	   { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
+HTTP(ACCEPT)	   { SOURCE=net,loc,vpn,wlan,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
-HTTPS(ACCEPT)	   { SOURCE=net,loc,vpn,apps,$FW DEST=dmz:$LISTS,$MAIL }
+HTTPS(ACCEPT)	   { SOURCE=net,loc,vpn,wlan,$FW DEST=dmz:$SERVER,$LISTS,$MAIL }
-Web(ACCEPT)	   { SOURCE=dmz,apps DEST=net,$FW }
+Web(ACCEPT)	   { SOURCE=dmz,apps,loc,wlan, DEST=net,$FW }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=root }
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=teastep }
 ?if __IPV4
 Web(ACCEPT)	   { SOURCE=$FW, DEST=swch, USER=teastep }
 ?endif
 Web(ACCEPT)	   { SOURCE=$FW, DEST=net, USER=_apt }
 ######################################################################################################
 # FTP
 #
-FTP(ACCEPT)	   { SOURCE=loc,vpn,apps DEST=net }
+FTP(ACCEPT)	   { SOURCE=dmz,               DEST=net }
-FTP(ACCEPT)	   { SOURCE=dmz,          DEST=net }
+FTP(ACCEPT)	   { SOURCE=$FW,               DEST=net, USER=root }
-FTP(ACCEPT)	   { SOURCE=$FW,          DEST=net, USER=root }
+FTP(ACCEPT)	   { SOURCE=all,               DEST=dmz:$SERVER }
 FTP(ACCEPT)	   { SOURCE=all,          DEST=dmz:$SERVER }
 #
 # Some FTP clients seem prone to sending the PORT command split over two packets.
-# This prevents the FTP connection tracking code from processing the command  and setting
+# This prevents the FTP connection tracking code from processing the command and setting
 # up the proper expectation.
 #
 # The following rule allows active FTP to work in these cases
@@ -952,23 +1041,52 @@ FTP(ACCEPT)	   { SOURCE=all,          DEST=dmz:$SERVER }
 #
 ACCEPT:$LOG_LEVEL  { SOURCE=dmz, DEST=net, PROTO=tcp, DPORT=1024:, SPORT=20 }
 ######################################################################################################
 # Git
 #
 Git(ACCEPT)        { source=all, DEST=dmz:$SERVER }
 ######################################################################################################
 # whois
 #
 Whois(ACCEPT)	   { SOURCE=all, DEST=net }
 ######################################################################################################
 # SMB
 #
-SMBBI(ACCEPT)	    { SOURCE=loc, DEST=$FW }
+SMBBI(ACCEPT)	    { SOURCE=loc,wlan, DEST=$FW }
-SMBBI(ACCEPT)	    { SOURCE=vpn, DEST=$FW }
+SMBBI(ACCEPT)	    { SOURCE=vpn,      DEST=$FW }
 ######################################################################################################
 # IRC
 #
-IRC(ACCEPT)	    { SOURCE=loc,apps, DEST=net }
+SetEvent(IRC)	                      { SOURCE=loc,apps,wlan, DEST=net, PROTO=tcp, DPORT=6667 }
 IfEvent(IRC,ACCEPT,10,1,dst,reset)    { SOURCE=net, DEST=loc,apps,wlan, PROTO=tcp, DPORT=113 }
 ######################################################################################################
-# Rsync
+# AUTH
 Auth(REJECT)	{ SOURCE=net, DEST=all }
 ######################################################################################################
 # IPSEC
 #
-Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
+?if __IPV4
-</programlisting>
+DNAT		{ SOURCE=loc,net,wlan, DEST=apps:172.20.2.44, PROTO=udp, DPORT=500,4500, ORIGDEST=70.90.191.123 }
 ?else
 ACCEPT		{ SOURCE=loc,net,wlan, DEST=apps, PROTO=udp, DPORT=500,4500 }
 ACCEPT		{ SOURCE=loc,net,wlan, DEST=apps, PROTO=esp }
 ?endif
 ACCEPT		{ SOURCE=$FW,     DEST=net,  PROTO=udp, SPORT=4500 }
 ######################################################################################################
 # VNC
 ACCEPT		{ SOURCE=loc,	  DEST=$FW,	  PROTO=tcp,		DPORT=5900 }
 ######################################################################################################
 # FIN &amp; RST
 RST(ACCEPT)	{ SOURCE=all, DEST=all }
 FIN(ACCEPT)	{ SOURCE=all, DEST=all }
 ######################################################################################################
 # Multicast
 ?if __IPV4
 Multicast(ACCEPT) { SOURCE=all, DEST=$FW }
 ?endif
 ######################################################################################################
 ?if __IPV4
 ACCEPT		{ SOURCE=fw, DEST=all, PROTO=icmp, DPORT=host-unreachable }
 ?endif</programlisting>
    </section>
    <section>
@@ -979,6 +1097,10 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
      <programlisting>#ACTION		SOURCE		DEST		PROTO	DPORT	SPORT	USER	TEST	LENGTH	TOS	CONNBYTES	HELPER	PROBABILITY	DSCP
 ?if $VERSION &gt;= 50109
 TCPMSS(pmtu,none) { PROTO=tcp }
 ?endif
 ?if __IPV4
    #
    # I've had a checksum issue with certain IPv4 UDP packets
@@ -993,9 +1115,12 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
    #
    DIVERT:R { PROTO=tcp, SPORT=80 }
    DIVERT:R { PROTO=tcp, DPORT=80 }
-    TPROXY(3129,$LOC_ADDR) { SOURCE=LOC_IF, PROTO=tcp, DPORT=80 }
+    TPROXY(3129,$LOC_ADDR) { SOURCE=LOC_IF,  PROTO=tcp, DPORT=80 }
-?endif
+    TPROXY(3129,$LOC_ADDR) { SOURCE=WLAN_IF, PROTO=tcp, DPORT=80 }
-</programlisting>
+#    DIVERT:R { PROTO=tcp, SPORT=443 }
 #    DIVERT:R { PROTO=tcp, DPORT=443 }
 #    TPROXY(3129,$LOC_ADDR) { SOURCE=LOC_IF, PROTO=tcp, DPORT=443 }
 ?endif</programlisting>
    </section>
    <section>
@@ -1006,16 +1131,15 @@ Mirrors(ACCEPT:none) { SOURCE=net, DEST=dmz:$SERVER, PROTO=tcp, DPORT=873 }
      <programlisting>#ACTION         SOURCE			DEST            PROTO   PORT   IPSEC  MARK   USER    SWITCH  ORIGDEST   PROBABILITY
 ?if __IPV4
-    MASQUERADE		{ SOURCE=172.20.1.0/24,172.20.2.0/23, DEST=FAST_IF }
+    MASQUERADE			{ SOURCE=172.20.0.0/22,               DEST=FAST_IF }
-    MASQUERADE 		{ SOURCE=70.90.191.120/29, 	      DEST=FAST_IF }
+    MASQUERADE			{ SOURCE=70.90.191.120/29, 	      DEST=FAST_IF }
-    SNAT(70.90.191.121) { SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,  PROBABILITY=0.50, COMMENT="Masquerade Local Network" }
+    SNAT(70.90.191.121) 	{ SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,  PROBABILITY=0.50, COMMENT="Masquerade Local Network" }
-    SNAT(70.90.191.123) { SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,                    COMMENT="Masquerade Local Network" }
+    SNAT(70.90.191.123) 	{ SOURCE=!70.90.191.120/29,	      DEST=PROD_IF,                    COMMENT="Masquerade Local Network" }
-    SNAT(172.20.1.253)  { SOURCE=172.20.3.0/24,	 	      DEST=LOC_IF:172.20.1.100 }
+    SNAT(172.20.1.253)  	{ SOURCE=!172.20.1.0/24, 	      DEST=LOC_IF:172.20.1.100 }
 ?else
-    SNAT(&amp;PROD_IF)	{ SOURCE=2601:601:8b00:bf0::/60,                DEST=PROD_IF }
+    SNAT(&amp;PROD_IF)		{ SOURCE=2601:601:a000:16f0::/60,               DEST=PROD_IF }
-    SNAT(&amp;FAST_IF)	{ SOURCE=2001:470:b:227::/64,2001:470:a:227::2,	DEST=FAST_IF }
+    SNAT(&amp;FAST_IF)		{ SOURCE=2001:470:b:227::/64,2001:470:a:227::2,	DEST=FAST_IF }
-?endif
+?endif</programlisting>
 </programlisting>
    </section>
    <section>
@@ -1032,8 +1156,6 @@ ipsecnat {ZONE=loc,  GATEWAY=$ALL, GATEWAY_ZONE=vpn }
    <section>
      <title>proxyarp</title>
      <para>This file is only used in the IPv4 configuration:</para>
      <programlisting>#ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE	PERSISTENT
 70.90.191.122 { INTERFACE=br0, EXTERNAL=eth1, HAVEROUTE=yes, PERSISTENT=no }
@@ -1066,6 +1188,17 @@ return $status
    qt $IP -4 route replace 70.90.191.124 dev br0
    qt $IP -4 route replace 70.90.191.125 dev br0
 fi
 </programlisting>
    </section>
    <section>
      <title>stoppedrules</title>
      <para>/etc/shorewall/stoppedrules allow SSH connections into the
      firewall system when Shorewall[6] is in the stopped state.</para>
      <programlisting>#ACTION		SOURCE			DEST		PROTO	DPORT	SPORT
 ACCEPT		-			$FW		tcp	22
 </programlisting>
    </section>
  </section>
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -250,14 +250,36 @@ DROP            net:200.55.14.18        all
          </important>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>log</term>
        <listitem>
          <para>Added in Shorewall 5.2.5. When specified, successful
          'blacklist' and 'allow' commands will log a message to the system
          log.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>noupdate</term>
        <listitem>
          <para>Added in Shorewall 5.2.5. Normally, once an address has been
          blacklisted, each time that a packet is received from the packet,
          the ipset's entry for the address is updated to reset the timeout to
          the value specifyed in the <option>timeout</option> option above.
          Setting the <option>noupdate</option> option, inhibits this
          resetting of the entry's timeout. This option is ignored when the
          <option>timeout</option> option is not specified.</para>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>When ipset-based dynamic blacklisting is enabled, the contents of
    the blacklist will be preserved over
    <command>stop</command>/<command>reboot</command>/<command>start</command>
-    sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
+    sequences.</para>
    <replaceable>setname</replaceable> is included in the list of sets to be
    saved in SAVE_IPSETS.</para>
  </section>
  <section>
@@ -275,4 +297,69 @@ DROP            net:200.55.14.18        all
    <command>shorewall show action BLACKLIST</command> command for
    details.</para>
  </section>
  <section id="fail2ban">
    <title>BLACKLIST and Fail2ban</title>
    <para>The BLACKLIST command can be used as 'blocktype' in
    /etc/fail2ban/actions.d/shorewall.conf. Prior to Shorewall 5.2.5, this
    works best if there is no <emphasis role="bold">timeout</emphasis>
    specified in the DYNAMIC_BLACKLIST setting or if <emphasis
    role="bold">timeout=0</emphasis> is given.</para>
    <para>Beginning with Shorewall 5.2.5, Shorewall includes new features that
    allow fail2ban to work most seamlessly with Shorewall's ipset-based
    dynamic blacklisting:</para>
    <itemizedlist>
      <listitem>
        <para>When a <emphasis role="bold">timeout</emphasis> is specified in
        the DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset is
        created with default timeout 0. As entries are added by BLACKLIST
        policies or by the <emphasis role="bold">blacklist</emphasis> command,
        the created entry is given the specified timeout value.</para>
      </listitem>
      <listitem>
        <para>The <emphasis role="bold">noupdate</emphasis> option has been
        added. Specifying this option prevents 'timeout 0' ipset entries from
        being changed to finite timeout entries as a result of blacklisted ip
        addresses continuing to send packets to the firewall.</para>
      </listitem>
      <listitem>
        <para>The <emphasis role="bold">blacklist!</emphasis> command has been
        added. specifying that command as the fail2ban 'blocktype' causes
        entries created by fail2ban to persist until fail2ban unbans them
        using the Shorewall <emphasis role="bold">allow</emphasis>
        comand.</para>
      </listitem>
    </itemizedlist>
    <para>There are a couple of additional things to note:</para>
    <itemizedlist>
      <listitem>
        <para>The documentation in /etc/fail2ban/action.d/shorewall.conf
        states that you should set BLACKLIST=All. A better approach when using
        BLACKLIST as the 'blocktype' is to specify the <emphasis
        role="bold">disconnect</emphasis> option in the setting of
        DYNAMIC_BLACKLIST. With BLACKLIST=All, every packet entering the
        firewall from the net must be checked against the dynamic-blacklisting
        ipset. That is not required when you specify <emphasis
        role="bold">disconnect</emphasis>.</para>
      </listitem>
      <listitem>
        <para>The <emphasis role="bold">noupdate</emphasis> option allows
        fail2ban full control when a host is 'unbanned'. The cost of using
        this option is that after the specified <emphasis
        role="bold">timeout</emphasis>, the entry for an attacking host will
        be removed from the dynamic-blacklisting ipset, even if the host has
        continued the attack while blacklisted. This isn't a great concern, as
        the first attempt to access an unauthorized service will result in the
        host being re-blacklisted.</para>
      </listitem>
    </itemizedlist>
  </section>
 </article>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -663,7 +663,7 @@ ACCEPT      net:\
          <row>
            <entry>mangle</entry>
-            <entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
+            <entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers,probability,dscp,switch</entry>
          </row>
          <row>
@@ -738,6 +738,14 @@ ACCEPT      net:\
            <entry>secmark,chain,source,dest,proto,dport,sport,user,mark</entry>
          </row>
          <row>
            <entry>snat</entry>
            <entry>action,source,dest,proto,port,sport,ipsec,mark,user,switch,origdest,probability
            (Note: 'port' may be specified as 'dport', beginning with
            Shorewall 5.2.6).</entry>
          </row>
          <row>
            <entry>tcclasses</entry>
@@ -1867,6 +1875,9 @@ SSH(ACCEPT)    net:$MYIP      $FW
      </listitem>
    </itemizedlist>
    <para>They may also be used as the parameter to SNAT() in <ulink
    url="manpages/shorewall-snat.html">shorewall-snat</ulink>(5).</para>
    <para>For optional interfaces, if the interface is not usable at the time
    that the firewall starts, one of two approaches are taken, depending on
    the context:</para>
--- a/docs/docs-targetname
+++ b/docs/docs-targetname
@@ -1 +1 @@
-5.2.4.1
+5.2.6.1
--- a/docs/images/Network2017.dia
+++ b/docs/images/Network2017.dia
--- a/docs/images/Network2017.png
+++ b/docs/images/Network2017.png
--- a/docs/images/Network2020.dia
+++ b/docs/images/Network2020.dia
--- a/docs/images/Network2020.png
+++ b/docs/images/Network2020.png
--- a/docs/images/docs-images-targetname
+++ b/docs/images/docs-images-targetname
@@ -1 +1 @@
-5.2.4-Beta1
+5.2.6.1
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -192,11 +192,19 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
    ipv4 ipsets are saved. Both features require ipset version 5 or
    later.</para>
    <caution>
      <para>After setting SAVE_IPSETS, it is important to recompile the
      firewall script (e.g., 'shorewall compile', 'shorewall reload' or
      'shorewall restart') before rebooting</para>
    </caution>
    <para>Although Shorewall can save the definition of your ipsets and
    restore them when Shorewall starts, in most cases you must use the ipset
    utility to initially create and load your ipsets. The exception is that
    Shorewall will automatically create an empty iphash ipset to back each
-    dynamic zone.</para>
+    dynamic zone. It will also create the ipset required by the
    DYNAMIC_BLACKLIST=ipset:.. setting in <ulink
    url="manpages/shorewall.conf.html">shorewall[6].conf(5)</ulink>,</para>
  </section>
  <section>
@@ -220,6 +228,32 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
    the ipsets will be save to and restored from. Shorewall-init will create
    any necessary directories during the first 'save' operation.</para>
    <caution>
      <para>If you set SAVE_IPSETS in /etc/sysconfig/shorewall-init
      (/etc/default/shorewall-init on Debian and derivatives) when
      shorewall-init has not been started by systemd, then when the system is
      going down during reboot, the ipset contents will not be saved. You can
      work around that as follows:</para>
      <itemizedlist>
        <listitem>
          <para>Suppose that you have set
          SAVE_IPSETS=/var/lib/shorewall/init-save-ipsets.</para>
        </listitem>
        <listitem>
          <para>Before rebooting, execute this command:</para>
          <programlisting>ipset save &gt; /var/lib/shorewall/init-save-ipsets</programlisting>
        </listitem>
        <listitem>
          <para>Be sure to enable shoewall-init (e.g., <emphasis
          role="bold">systemctl enable shorewall-init</emphasis>).</para>
        </listitem>
      </itemizedlist>
    </caution>
    <para>If you configure Shorewall-init to save/restore ipsets, be sure to
    set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.</para>
--- a/docs/simple_traffic_shaping.xml
+++ b/docs/simple_traffic_shaping.xml
@@ -355,5 +355,9 @@ COMMENT And place echo requests in band 1 to avoid false line-down reports
      <para>Please note that Shorewall numbers the bands 1-3 whereas PRIO(8)
      refers to them as bands 0-2.</para>
    </caution>
    <para>If you encounter performance problems after enabling simple traffic
    shaping, check out <ulink url="FAQ.htm#faq97">FAQ 97</ulink> and <ulink
    url="FAQ.htm#faq97a">FAQ97a</ulink></para>
  </section>
 </article>
--- a/docs/support.xml
+++ b/docs/support.xml
@@ -42,10 +42,10 @@
    <itemizedlist>
      <listitem>
        <para>The currently-supported Shorewall <ulink
-        url="ReleaseModel.html">major release</ulink>s are 5.0 , 5.1 and 5.2.</para>
+        url="ReleaseModel.html">major release</ulink>s are , 5.1 and 5.2.</para>
        <note>
-          <para>Shorewall versions earlier than 5.0.0 are no longer supported;
+          <para>Shorewall versions earlier than 5.1.0 are no longer supported;
          we will try to help but we will not spend time reading earlier code
          to try to help you solve a problem and we will not release a patch
          to correct any defect found.</para>
Author	SHA1	Message	Date
Tom Eastep	109ae7e038	Link the simple TC article to FAQs 97 and 97a Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-07-18 17:01:33 -07:00
Tom Eastep	49ba75252e	Add target file(s) 5.2.6.1 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-07-12 19:46:23 -07:00
Tom Eastep	c835fead34	Add target file(s) 5.2.6.1 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-07-12 19:46:13 -07:00
Tom Eastep	d1d8371eb8	Rules tweak Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-07-07 12:27:48 -07:00
Tom Eastep	5d58b5da72	Avoid '::' in $CONFIG_PATH Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-07-06 16:00:15 -07:00
Tom Eastep	4469ddb861	Don't apply the deprecated directory more than once Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-07-06 15:38:28 -07:00
Tom Eastep	cd5409d633	Take care of '$LOG_LEVEL' during update Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-07-06 15:38:01 -07:00
Tom Eastep	2f58d4e368	Don't create a zone forwarding chain for local zones Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-07-06 09:06:03 -07:00
Tom Eastep	31844d22cd	Update Shared Config article for July 2020 configuration Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-07-06 08:56:31 -07:00
Tom Eastep	628f5f0903	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code	2020-07-05 15:31:03 -07:00
Tom Eastep	ce73c783dc	Avoid Perl diagnostic when updating shorewall[6].conf Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-07-05 15:29:34 -07:00
Tom Eastep	e7318459f1	Avoid double colons in the CONFIG_PATH Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-07-05 15:27:47 -07:00
Tom Eastep	467d41f0cc	Merge branch '5.2.6' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-07-05 13:23:48 -07:00
Tom Eastep	ff64539de3	Update shared config document Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-07-05 13:19:15 -07:00
Tom Eastep	418f96082e	Add target file(s) 5.2.6-base Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-07-04 10:48:56 -07:00
Tom Eastep	b761a6eaa0	Call optimize_policy_chains() after doing other ruleset optimization - This insures that ACCEPT policy chains are optimized when EXPAND_POLICIES=No Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-07-04 10:40:43 -07:00
Tom Eastep	f8b7815375	Call optimize_policy_chains() after doing other ruleset optimization - This insures that ACCEPT policy chains are optimized when EXPAND_POLICIES=No Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-07-04 09:49:28 -07:00
Tom Eastep	d643f57bc1	Add the -D option to shorewall usage output - Also delete an incorrect -D description in shorewall(8) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-30 14:56:41 -07:00
Tom Eastep	d1c7b3d9da	Add target file(s) 5.2.6-RC1 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-29 13:48:53 -07:00
Tom Eastep	d399fd0815	Add target file(s) 5.2.6-RC1 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-29 13:48:15 -07:00
Tom Eastep	3dc14e3575	Work around for Centos 7 iptables bug Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-29 11:27:14 -07:00
Tom Eastep	7ba6ac71e3	Delete blank line Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-28 20:41:21 -07:00
Tom Eastep	10aef23ab1	Correct handling of ";;+" in the snat file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-28 11:03:04 -07:00
Tom Eastep	e3f139bbdb	Add SPORT column to the snat file (FORMAT 2) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-27 14:50:23 -07:00
Tom Eastep	e4f24f41fd	Add target file(s) 5.2.6-Beta1 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-27 10:25:51 -07:00
Tom Eastep	d0e4c53bd0	Add target file(s) 5.2.6-Beta1 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-27 10:24:45 -07:00
Tom Eastep	43ac903085	Correct action dport implementation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-26 16:55:39 -07:00
Tom Eastep	28b92dae32	Update version for PORT->DPORT snat column naming Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-26 15:34:16 -07:00
Tom Eastep	bac493c2c5	Merge branch '5.2.5'	2020-06-26 15:31:51 -07:00
Tom Eastep	3ed1cdec94	Rename the snat PORT column to DPORT Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-26 14:44:00 -07:00
Tom Eastep	3f5bdfd705	Process the firewall.conf file when running shorewall[6]-lite Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-25 13:32:36 -07:00
Tom Eastep	c9512dfaf8	Make 'show actions' more robust - Show all lines, including continuation and compiler directives - Show both actions and actions.std entries - The actions file need not reside in /etc/shorewall[6] but may be in any directory on the CONFIG_PATH Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-25 11:28:08 -07:00
Tom Eastep	5cc626fa1d	Add target file(s) 5.2.5.1 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-21 11:42:30 -07:00
Tom Eastep	a39ecf5b2b	Add target file(s) 5.2.5.1 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-21 11:41:53 -07:00
Matt Darfeuille	631bec2762	List supported releases Signed-off-by: Matt Darfeuille <matt@shorewall.org> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-21 11:33:54 -07:00
Matt Darfeuille	aa126270b7	Avoid exporting targetfiles Signed-off-by: Matt Darfeuille <matt@shorewall.org> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-21 11:33:38 -07:00
Matt Darfeuille	af2b7e6fc1	List supported releases Signed-off-by: Matt Darfeuille <matt@shorewall.org> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-21 11:30:38 -07:00
Matt Darfeuille	01bfdabd5a	Avoid exporting targetfiles Signed-off-by: Matt Darfeuille <matt@shorewall.org> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-21 11:30:38 -07:00
Tom Eastep	c234a1a0ec	Merge branch '5.2.5'	2020-06-20 10:02:53 -07:00
Tom Eastep	4c50f3b9bf	Correct typo in shorewall-providers(5). Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-16 15:50:14 -07:00
Tom Eastep	3390897a45	Remove duplicates from the output of 'show actions' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-15 13:13:34 -07:00
Tom Eastep	7ca18c410b	Remove duplicates from the output of 'show actions' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-15 13:12:43 -07:00
Tom Eastep	e2aeed898d	Add the 'dport' option to the actions file(s) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-15 13:12:06 -07:00
Tom Eastep	2eb1c88555	Omit superfluous test Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-14 15:00:49 -07:00
Tom Eastep	117e9ba5bd	Change kern.err to daemon.err in logger params Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-13 14:29:48 -07:00
Tom Eastep	3ce04a8ef3	Add "zone name too long" error Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-12 12:57:31 -07:00
Tom Eastep	737aca6a3d	Add target file(s) 5.2.5-RC1 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-10 10:36:03 -07:00
Tom Eastep	d89d35a9f0	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code	2020-06-08 09:48:31 -07:00
Tom Eastep	220e89755e	Omit STATE-orientated rules in wildcard policy chains Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-07 20:57:55 -07:00
Tom Eastep	1d875b2909	Minor edit to the blacklisting doc Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-07 18:12:01 -07:00
Tom Eastep	011638ad7d	Document use of address variables in the snat file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-07 18:11:26 -07:00
Tom Eastep	3f5c47695e	Expand fail2ban documenation in the blacklisting article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-07 12:37:45 -07:00
Tom Eastep	fb14b0aafc	Update targetname files for 5.2.5-Beta2 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-06 12:54:01 -07:00
Tom Eastep	54ab7cdeb5	Update blacklisting documentation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-06 12:23:32 -07:00
Tom Eastep	aa47554604	Add 'noupdate' DYNAMIC_BLACKLIST option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-06 10:14:32 -07:00
Tom Eastep	07160c5ed1	Add 'blacklist!' command. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-06 10:13:46 -07:00
Tom Eastep	527533ecb6	Add 'log' option to DYNAMIC_BLACKLIST Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-03 14:28:08 -07:00
Tom Eastep	4ac64a545c	Change log facility to 'daemon' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-03 13:49:10 -07:00
Tom Eastep	6612ea6b8c	Store the exported configuration paramaters in a named array Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-03 11:50:27 -07:00
Tom Eastep	2646ec79a5	Read the params file when processing an 'allow' command Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-03 11:39:42 -07:00
Tom Eastep	023437a0e0	Add target files 5.2.5-Beta1 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-01 10:07:23 -07:00
Tom Eastep	ffb6ac178e	Shorten the disposition in ADD/DEL log messages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-06-01 09:36:00 -07:00
Tom Eastep	726d7cde65	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code	2020-05-31 17:39:38 -07:00
Tom Eastep	c061d87919	Fix links in shorewall(8) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-05-31 17:39:13 -07:00
Tom Eastep	5af7dce96b	Merge branch 'master' of ssh://gitlab.com/shorewall/code	2020-05-31 14:03:23 -07:00
Tom Eastep	eb5bc3d8a4	Create DBL ipset with 'timeout 0' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-05-31 12:37:42 -07:00
Tom Eastep	b34474df11	Remove the -f option from the documentation of the 'stop' command Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-05-30 20:10:07 -07:00
Tom Eastep	16a3384a70	Add an example of using 'blacklist ... timeout nnn' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-05-30 19:57:37 -07:00
Tom Eastep	67b421dc00	Correct a comment in the optimize level 8 code Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-05-21 11:37:04 -07:00
Matt Darfeuille	c518887a19	Reflect changes in tools repository Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-05-21 10:40:14 -07:00
Tom Eastep	5493a7e4a6	Merge branch '5.2.4'	2020-05-17 13:20:46 -07:00
Tom Eastep	1093f1ac32	Add target files 5.2.4.5 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-05-14 09:43:10 -07:00
Tom Eastep	7882c87afe	Allow AUTOMAKE to work with symbolic links Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-05-14 09:22:44 -07:00
Tom Eastep	7343b19abc	Clarify the 'optional' interface option. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-05-13 12:30:12 -07:00
Tom Eastep	f27ab4704c	Merge branch '5.2.4'	2020-04-30 11:18:18 -07:00
Tom Eastep	e5e8e6fbc0	Correct logic for deleting ipsets Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-29 13:07:04 -07:00
Tom Eastep	c11b647b1b	Fix defect which prevented dynamic blacklist ipsets from being created Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-29 12:34:41 -07:00
Tom Eastep	5706c5a860	Avoid hang during 'shorewall[6] start' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-29 12:33:50 -07:00
Tom Eastep	fd1d4a3f35	Update Shared Config Doc Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-25 14:48:45 -07:00
Tom Eastep	2bf9048057	Another Debian if_pre-down fix. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-24 16:47:42 -07:00
Tom Eastep	d618fd5812	Remove extraneous whitespace Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-23 20:31:07 -07:00
Tom Eastep	177cdb1b98	Move a block of code to keep function declarations adjacent Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-23 18:37:47 -07:00
Tom Eastep	dddde56454	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code # Conflicts: # Shorewall-init/install.sh # Shorewall/Perl/Shorewall/Providers.pm Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-23 18:35:11 -07:00
Tom Eastep	9b196e87e9	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code # Conflicts: # Shorewall-init/shorewall-init Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-23 18:27:54 -07:00
Tom Eastep	c30a4fd080	Merge branch '5.2.4' of ssh://server.shorewall.net/home/teastep/shorewall/code into 5.2.4 # Conflicts: # Shorewall/Perl/Shorewall/Chains.pm Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-22 16:27:03 -07:00
Tom Eastep	0a9d2d9a33	Don't install script in if_down.d on Debian - Eliminates need for Debian-specific code in generated script Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-22 13:47:09 -07:00
Tom Eastep	39de88563f	Cleanup of Optimize 16 change Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-21 13:02:56 -07:00
Tom Eastep	e14798b4a2	Make OPTIMIZE=16 an order of magnitude faster Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-21 13:02:34 -07:00
Tom Eastep	3042ae815e	Make OPTIMIZE=16 an order of magnitude faster Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-20 15:00:33 -07:00
Tom Eastep	86ebb22dd3	Cosmetic changes to shorewall-init Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-20 10:29:36 -07:00
Tom Eastep	18360471ab	Have Shorewall-init restore ipsets before stopping the firewalls Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-20 09:23:34 -07:00
Tom Eastep	086f7a0e6d	Only destroy ipsets that will be restored Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-20 09:11:03 -07:00
Tom Eastep	057a2dec70	Correct typo with bad consequences Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-19 18:44:19 -07:00
Tom Eastep	16af9ee2de	Revert "Don't install ifupdown script in if-down.d on Debian" This reverts commit `7d4d409799`.	2020-04-19 15:19:13 -07:00
Tom Eastep	cabadd4846	Honor 'wait=<seconds> when enabling an interface. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-19 14:31:12 -07:00
Tom Eastep	3c06be28be	Delete unnecessary check if IPv6 interface_is_usable() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-19 12:28:16 -07:00
Tom Eastep	7d4d409799	Don't install ifupdown script in if-down.d on Debian - Proper location for the script is if-post-down Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-19 12:18:44 -07:00
Tom Eastep	32ca53706c	Don't run the 'up' command twice when an dual-stack interface comes up Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-18 12:44:19 -07:00
Tom Eastep	0adb9c8f87	Don't run the 'up' command twice when an dual-stack interface comes up Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-18 12:43:27 -07:00
Tom Eastep	381d55760b	Don't install ifupdown script in /etc/network/if-down.d on Debian - Network Manager sets PHASE=post-down when calling our updown script so we must process down commands in that phase. - Modify the generated script to eliminate PHASE checks. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-18 11:42:32 -07:00
Tom Eastep	88a799b860	Allow IFUPDOWN=1 to work on Debian Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-18 11:27:15 -07:00
Tom Eastep	5101a6be4a	Merge branch 'master' of ssh://server.shorewall.net/home/teastep/shorewall/code	2020-04-18 09:36:20 -07:00
Tom Eastep	3c36d638a5	Use the correct error code when Shoerwall-init is not configured Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-15 09:17:51 -07:00
Tom Eastep	9d3da44dad	Ignore 'start' and 'stop' if firewall(s) is started Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-15 09:13:31 -07:00
Tom Eastep	a5d4cbd76c	Add cautions to the ipsets article Signed-off-by: Tom Eastep <teastep@shorewall.net>	2020-04-14 15:23:33 -07:00