Add target file(s) 5.2.6-base

Signed-off-by: Tom Eastep <teastep@shorewall.net>

.gitattributes

@@ -0,0 +1 @@
+*targetname export-ignore

Shorewall-core/Shorewall-core-targetname

@@ -1 +1 @@
-5.2.5-Beta1
+5.2.6-base

Shorewall-core/lib.cli

@@ -937,11 +937,28 @@ show_events() {
     fi
 }
 
+sort_actions() {
+    local sep #separates sort keys from the action[.std] record
+    sep="##"
+
+    awk -v sep="$sep" \
+         'BEGIN		  { action = ""; ifrec = ""; nr = 0; };\
+	  /^#/	  	  { next; };\
+	  /^\?(if|IF|If)/ { ifrec = $0; nr = NR; next; };\
+	  /^( |\t|\?)/	  { if ( action != "" ) print action, NR, sep $0; next; };\
+			  { action = $1; };\
+	  nr != 0	  { print action , nr, sep ifrec; nr = 0; };\
+			  { print action , NR, sep $0; }' | sort -k 1,2 | sed "s/^.*${sep}//"
+}
+
 show_actions() {
-    if [ -f ${g_confdir}/actions ]; then
-	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^[#?[:space:]]|^$'
+    local actions
+    actions=$(find_file actions)
+
+    if [ -f ${actions} ]; then
+	cat ${actions} ${g_sharedir}/actions.std | sort_actions
     else
-	grep -Ev '^[#?[:space:]]|^$' ${g_sharedir}/actions.std
+        sort_actions < ${g_sharedir}/actions.std
     fi
 }
 
@@ -1108,10 +1125,6 @@ show_blacklists() {
     show_bl;
 }
 
-show_actions_sorted() {
-    show_actions | sort
-}
-
 show_macros() {
     for directory in $(split $CONFIG_PATH); do
 	temp=
@@ -1543,7 +1556,7 @@ show_command() {
 			    ;;
 			actions)
 			    [ $# -gt 1 ] && too_many_arguments $2
-			    eval show_actions_sorted $g_pager
+			    eval show_actions $g_pager
 			    return
 			    ;;
 			macro)
@@ -2651,6 +2664,7 @@ allow_command() {
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
 			allowed=Yes
+			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 		    fi
 		fi
 
@@ -2667,6 +2681,7 @@ allow_command() {
 	    *)
 		if [ -n "$g_blacklistipset" ]; then
 		    if qt $IPSET -D $g_blacklistipset $1; then
+			[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Allowed"
 			allowed=Yes
 		    fi
 		fi
@@ -3640,12 +3655,17 @@ blacklist_command() {
 	    ;;
     esac
 
-    echo "$@" | fgrep -q ' timeout ' || timeout="timeout $g_dbltimeout"
+    if [ $COMMAND = 'blacklist!' ]; then
+	timeout='timeout 0'
+    else
+	echo "$@" | fgrep -q ' timeout ' || timeout="timeout $g_dbltimeout"
+    fi
 
     if $IPSET -A $g_blacklistipset $@ $timeout -exist; then
 	local message
 
 	progress_message2 "$1 Blacklisted"
+	[ -n "$g_dbllog" ] && mylogger daemon.info "$g_product: $1 Blacklisted"
 
 	if [ -n "$g_disconnect" ]; then
 	    message="$(conntrack -D -s $1 2>&1)"
@@ -3900,7 +3920,7 @@ setup_dbl() {
     case $DYNAMIC_BLACKLIST in
 	ipset*,src-dst*)
 	    #
-	    # This utility doesn't need to know about 'src-dst'
+	    # Capture 'src-dst'
 	    #
 	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,src-dst//')
 
@@ -3908,6 +3928,26 @@ setup_dbl() {
 	    ;;
     esac
 
+    case $DYNAMIC_BLACKLIST in
+	ipset*,log*)
+	    #
+	    # Capture 'log'
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,log//')
+
+	    g_dbllog=Yes
+	    ;;
+    esac
+
+    case $DYNAMIC_BLACKLIST in
+	ipset*,noupdate*)
+	    #
+	    # This utility doesn't use this option
+	    #
+	    DYNAMIC_BLACKLIST=$(echo $DYNAMIC_BLACKLIST | sed 's/,noupdate//')
+	    ;;
+    esac
+
     case $DYNAMIC_BLACKLIST in
 	ipset*,timeout*)
 	    #
@@ -3985,7 +4025,7 @@ get_config() {
 
     ensure_config_path
 
-    [ -f $g_firewall.conf ] && . ${VARDIR}/firewall.conf
+    [ -f ${VARDIR}/firewall.conf ] && . ${VARDIR}/firewall.conf
 
     [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 
@@ -4148,7 +4188,7 @@ start_command() {
 	    rc=$?
 	else
 	    error_message "$g_firewall is missing or is not executable"
-	    mylogger kern.err "ERROR:$g_product start failed"
+	    mylogger daemon.err "ERROR:$g_product start failed"
 	    rc=6
 	fi
 
@@ -4281,7 +4321,7 @@ restart_command() {
 	rc=$?
     else
 	error_message "$g_firewall is missing or is not executable"
-	mylogger kern.err "ERROR:$g_product $COMMAND failed"
+	mylogger daemon.err "ERROR:$g_product $COMMAND failed"
 	rc=6
     fi
 
@@ -4319,9 +4359,9 @@ usage() # $1 = exit status
     echo "   add <interface>[:<host-list>] ... <zone>"
     echo "   allow <address> ..."
     echo "   blacklist <address> [ <option> ... ]"
-    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
+    ecko "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ -D ] [ <directory> ]"
     echo "   clear"
-    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
+    ecko "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ -D ] [ <directory name> ] [ <path name> ]"
     echo "   close <source> <dest> [ <protocol> [ <port> ] ]" 
     echo "   delete <interface>[:<host-list>] ... <zone>"
     echo "   disable <interface>"
@@ -4361,7 +4401,7 @@ usage() # $1 = exit status
     if [ -n "$g_lite" ]; then
 	echo "   reload [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
     else
-	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+	echo "   reload [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ -D ] [ <directory> ]"
     fi
 
     if [ -z "$g_lite" ]; then
@@ -4377,7 +4417,7 @@ usage() # $1 = exit status
     if [ -n "$g_lite" ]; then
 	echo "   restart [ -n ] [ -p ] [ -f ] [ -C ] [ <directory> ]"
     else
-	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ <directory> ]"
+	echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ -i ] [ -C ] [ -D ] [ <directory> ]"
     fi
 
     echo "   restore [ -n ] [ -p ] [ -C ] [ <file name> ]"
@@ -4480,6 +4520,7 @@ shorewall_cli() {
     g_havemutex=
     g_trace=
     g_dbltimeout=
+    g_dbllog=
 
     VERBOSE=
     VERBOSITY=1
@@ -4701,7 +4742,7 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
-	blacklist)
+	blacklist|blacklist!)
 	    only_root
 	    get_config Yes
 	    shift
@@ -4779,7 +4820,7 @@ shorewall_cli() {
 	    ;;
 	allow)
 	    only_root
-	    get_config
+	    get_config Yes
 	    allow_command $@
 	    ;;
 	add)

Shorewall-core/lib.common

@@ -55,13 +55,13 @@ startup_error() # $* = Error Message
 
     case $COMMAND in
         start)
-	    mylogger kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    mylogger kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    mylogger kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    mylogger daemon.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
     esac
 

Shorewall-core/manpages/shorewall.xml

@@ -48,7 +48,7 @@
 
       <arg>options</arg>
 
-      <arg choice="plain"><option>blacklist</option></arg>
+      <arg choice="plain"><option>blacklist[!]</option></arg>
 
       <arg
       choice="plain"><replaceable>address</replaceable><arg><replaceable>option</replaceable>
@@ -1151,7 +1151,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">blacklist</emphasis>
+        <term><emphasis role="bold">blacklist[!]</emphasis>
         <replaceable>address</replaceable> [ <replaceable>option</replaceable>
         ... ]</term>
 
@@ -1172,6 +1172,11 @@
 
           <programlisting>    shorewall blacklist 192.0.2.22 timeout 0</programlisting>
 
+          <para>Beginning with Shorewall 5.2.5, the above command can be
+          shortened to:</para>
+
+          <programlisting>    shorewall blacklist! 192.0.2.22</programlisting>
+
           <para>If the <option>disconnect</option> option is specified in the
           DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY
           determines the amount of information displayed:</para>
@@ -2113,10 +2118,6 @@
           url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
           (<ulink
           url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
-
-          <para>The <emphasis role="bold">-D </emphasis>option was added in
-          Shoewall 5.2.4 and causes the compiler to write a large amount of
-          debugging information to standard output.</para>
         </listitem>
       </varlistentry>
 
@@ -2896,25 +2897,18 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">stop</emphasis>
-        [-<option>f</option>]</term>
+        <term><emphasis role="bold">stop</emphasis></term>
 
         <listitem>
           <para>Stops the firewall. All existing connections, except those
           listed in <ulink
-          url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
+          url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
           or permitted by the ADMINISABSENTMINDED option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5), are
-          taken down. The only new traffic permitted through the firewall is
-          from systems listed in <ulink
-          url="/manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> The only
+          new traffic permitted through the firewall is from systems listed in
+          <ulink
+          url="/manpages/shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
           or by ADMINISABSENTMINDED.</para>
-
-          <para>If <option>-f</option> is given, the command will be processed
-          by the compiled script that executed the last successful <emphasis
-          role="bold">start</emphasis>, <emphasis
-          role="bold">restart</emphasis> or <emphasis
-          role="bold">reload</emphasis> command if that script exists.</para>
         </listitem>
       </varlistentry>
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -320,6 +320,7 @@ our $VERSION = 'MODULEVERSION';
 #    %chain_table { <table> => { <chain1>  => { name         => <chain name>
 #                                               table        => <table name>
 #                                               is_policy    => undef|1 -- if 1, this is a policy chain
+#                                               wild         => undef|1 -- If 1, source or dest is 'all'. Only applies to policy chains
 #                                               provisional  => undef|1 -- See below.
 #                                               referenced   => undef|1 -- If 1, will be written to the iptables-restore-input.
 #                                               builtin      => undef|1 -- If 1, one of Netfilter's built-in chains.
@@ -893,7 +894,7 @@ sub validate_port( $$ ) {
 
     fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
 
-    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])";
 }
 
 #

Shorewall/Perl/Shorewall/Compiler.pm

@@ -543,13 +543,13 @@ date > ${VARDIR}/restarted
 
 case $COMMAND in
     start)
-        mylogger kern.info "$g_product started"
+        mylogger daemon.info "$g_product started"
         ;;
     reload)
-        mylogger kern.info "$g_product reloaded"
+        mylogger daemon.info "$g_product reloaded"
         ;;
     restore)
-        mylogger kern.info "$g_product restored"
+        mylogger daemon.info "$g_product restored"
         ;;
 esac
 EOF
@@ -858,13 +858,14 @@ sub compiler {
 	if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
+	    # Optimize the ruleet
+	    #
+	    optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
+	    #
 	    # Optimize Policy Chains
 	    #
-	    optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
-	    #
-	    # More Optimization
-	    #
-	    optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
+	    optimize_policy_chains if $optimize & OPTIMIZE_POLICY_MASK;
+	    optimize_policy_chains;
 	}
 
 	enable_script;
@@ -928,16 +929,16 @@ sub compiler {
 
 	    optimize_level0;
 
-	    if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1e ) {
+	    if ( ( my $optimize = $config{OPTIMIZE} ) & OPTIMIZE_MASK ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
-		# Optimize Policy Chains
-		#
-		optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
-		#
 		# Ruleset Optimization
 		#
 		optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
+		#
+		# Optimize Policy Chains
+		#
+		optimize_policy_chains if $optimize & OPTIMIZE_POLICY_MASK;
 	    }
 
 	    enable_script if $debug;

Shorewall/Perl/Shorewall/Config.pm

@@ -311,7 +311,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 
 				       OPTIMIZE_MASK
 				       OPTIMIZE_POLICY_MASK
-				       OPTIMIZE_POLICY_MASK2n4
 				       OPTIMIZE_RULESET_MASK
 				       OPTIMIZE_ALL
 				     ) , ] ,
@@ -555,7 +554,6 @@ use constant {
 #
 use constant {
 	       OPTIMIZE_POLICY_MASK    => 0x02 , # Call optimize_policy_chains()
-	       OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
 	       OPTIMIZE_RULESET_MASK   => 0x1C , # Call optimize_ruleset()
                OPTIMIZE_MASK           => 0x1E , # Do optimizations beyond level 1
 	       OPTIMIZE_ALL            => 0x1F , # Maximum value for documented categories.
@@ -657,6 +655,30 @@ our %params;
 #
 our %compiler_params;
 #
+# Entries conditionally exported to the compiled script via the aux config file
+#
+our @exported_params = ( qw(
+			 VERBOSITY
+			 LOGFILE
+			 LOGFORMAT
+			 APRTABLES
+			 IPTABLES
+			 IP6TABLES
+			 IP
+			 TC
+			 IPSET
+			 PATH
+			 SHOREWALL_SHELL
+			 SHELL
+			 SUBSYSLOCK
+			 LOCKFILE
+			 RESTOREFILE
+			 RESTART
+			 DYNAMIC_BLACKLIST
+			 PAGER
+			 )
+    );
+#
 # Action parameters
 #
 our %actparams;
@@ -6671,7 +6693,7 @@ sub get_configuration( $$$ ) {
 
     if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
-	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
+	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1, 'log' => 1, 'noupdate' => 1, );
 
 	    my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
 
@@ -7196,8 +7218,8 @@ sub generate_aux_config() {
 
     emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
 
-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST PAGER) ) {
-	conditionally_add_option $option;
+    for my $param ( @exported_params ) {
+	conditionally_add_option $param;
     }
 
     conditionally_add_option1 'TC_ENABLED';

Shorewall/Perl/Shorewall/Misc.pm

@@ -735,6 +735,7 @@ sub add_common_rules ( $ ) {
     my $dbl_tag;
     my $dbl_src_target;
     my $dbl_dst_target;
+    my $dbl_options;
 
     if ( $config{REJECT_ACTION} ) {
 	process_reject_action;
@@ -796,9 +797,10 @@ sub add_common_rules ( $ ) {
 
 	if ( $dbl_ipset ) {
 	    if ( $val = $globals{DBL_TIMEOUT} ) {
-		$dbl_src_target = $globals{DBL_OPTIONS} =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
+		$dbl_options    = $globals{DBL_OPTIONS};
+		$dbl_src_target = $dbl_options =~ /src-dst/ ? 'dbl_src' : 'dbl_log';
 
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = new_standard_chain( $dbl_src_target );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -809,11 +811,11 @@ sub add_common_rules ( $ ) {
 				'add',
 				'',
 				$origin{DYNAMIC_BLACKLIST} ) if $dbl_level;
-		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} );
+		add_ijump_extended( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $val", $origin{DYNAMIC_BLACKLIST} ) unless $dbl_options =~ /noupdate/;
 		add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
 
 		if ( $dbl_src_target eq 'dbl_src' ) {
-		    $chainref = set_optflags( new_standard_chain( $dbl_dst_target = 'dbl_dst' ) , DONT_OPTIMIZE | DONT_DELETE );
+		    $chainref = new_standard_chain( $dbl_dst_target = 'dbl_dst' );
 
 		    log_rule_limit( $dbl_level,
 				    $chainref,
@@ -830,7 +832,7 @@ sub add_common_rules ( $ ) {
 		    $dbl_dst_target = $dbl_src_target;
 		}		    
 	    } elsif ( $dbl_level ) {
-		my $chainref = set_optflags( new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
+		my $chainref = new_standard_chain( $dbl_src_target = $dbl_dst_target = 'dbl_log' );
 
 		log_rule_limit( $dbl_level,
 				$chainref,
@@ -2580,13 +2582,13 @@ EOF
     emit <<'EOF';
             case $COMMAND in
 	        start)
-	            mylogger kern.err "ERROR:$g_product start failed"
+	            mylogger daemon.err "ERROR:$g_product start failed"
 	            ;;
 	        reload)
-	            mylogger kern.err "ERROR:$g_product reload failed"
+	            mylogger daemon.err "ERROR:$g_product reload failed"
 	            ;;
                 enable)
-                    mylogger kern.err "ERROR:$g_product 'enable $g_interface' failed"
+                    mylogger daemon.err "ERROR:$g_product 'enable $g_interface' failed"
                     ;;
             esac
 
@@ -2809,7 +2811,7 @@ EOF
     emit '
 
     set_state "Stopped"
-    mylogger kern.info "$g_product Stopped"
+    mylogger daemon.info "$g_product Stopped"
 
     case $COMMAND in
     stop|clear)

Shorewall/Perl/Shorewall/Rules.pm

@@ -443,6 +443,7 @@ sub convert_to_policy_chain($$$$$$)
     my ($chainref, $source, $dest, $policy, $provisional, $audit ) = @_;
 
     $chainref->{is_policy}   = 1;
+    $chainref->{wild}        = $source eq 'all' || $dest eq 'all';
     $chainref->{policy}      = $policy;
     $chainref->{provisional} = $provisional;
     $chainref->{audit}       = $audit;
@@ -660,7 +661,7 @@ sub handle_nfqueue( $ ) {
 
     if ( supplied $queue2 ) {
 	require_capability 'CPU_FANOUT', '"c"', 's' if $fanout;
-	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${fanout}${bypass}";
+	return "NFQUEUE --queue-balance ${queuenum1}:${queuenum2}${bypass}${fanout}";
     } else {
 	return "NFQUEUE --queue-num ${queuenum1}${bypass}";
     }
@@ -1000,6 +1001,24 @@ sub determine_action_protocol( $$ ) {
     $proto;
 }
 
+sub determine_action_dport( $$$ ) {
+    my ( $action, $proto, $dport ) = @_;
+
+    if ( my $actiondport = $actions{$action}{dport} ) {
+	if ( $dport eq '-' ) {
+	    $dport = $actiondport;
+	} else {
+	    fatal_error( "The $action action is only usable with destination port $actiondport" ) if $dport =~ /[,]/;
+	    if ( ( my $portnum = validate_port( $proto, $dport ) ) ne '-' ) {
+		fatal_error( "The $action action is only usable with destination port $actiondport"  ) unless $actiondport = $portnum;
+		$dport = $portnum;
+	    }
+	}
+    }
+
+    $dport;
+}
+
 sub add_policy_rules( $$$$$ ) {
     my ( $chainref , $target, $loglevel, $pactions, $dropmulticast ) = @_;
 
@@ -1014,7 +1033,11 @@ sub add_policy_rules( $$$$$ ) {
 		# Policy action is a regular action -- jump to the action chain
 		#
 		if ( ( my $proto = determine_action_protocol( $action, '-' ) ) ne '-' ) {
-		    add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
+		    if ( my $dport = determine_action_dport( $action, $proto, '' ) ) {
+			add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto, dport => $dport );
+		    } else {
+			add_ijump( $chainref, j => use_policy_action( $paction, $chainref->{name} ), p => $proto );
+		    }
 		} else {
 		    add_ijump $chainref, j => use_policy_action( $paction, $chainref->{name} );
 		}
@@ -1147,7 +1170,7 @@ sub complete_policy_chains() {
 		}
 	    }
 
-	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
+	    if ( $chainref->{wild} ) {
 		add_policy_rules $chainref , $policy, $loglevel , $defaults, $config{MULTICAST};
 	    }
 	}
@@ -1252,6 +1275,7 @@ sub finish_chain_section ($$$) {
 	$state )            = @_;
     my $chain               = $chainref->{name};
     my $save_comment        = push_comment;
+    my $wild                = $chainref->{wild} && ! $config{EXPAND_RULES};
     my %state;
 
     $state{$_} = 1 for split ',', $state;
@@ -1262,74 +1286,76 @@ sub finish_chain_section ($$$) {
 
     $chain1ref->{sections}{$_} = 1 for keys %state;
 
-    for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
-	if ( $state{$_} ) {
-	    my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
-	    my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
+    unless ( $wild ) {
+	for ( qw( ESTABLISHED RELATED INVALID UNTRACKED ) ) {
+	    if ( $state{$_} ) {
+		my ( $char, $level, $tag, $target , $origin, $level_origin ) = @{$statetable{$_}};
+		my $twochains = substr( $chainref->{name}, 0, 1 ) eq $char;
 
-	    if ( $twochains || $level || $target ne 'ACCEPT' ) {
-		if ( $level ) {
-		    my $chain2ref;
+		if ( $twochains || $level || $target ne 'ACCEPT' ) {
+		    if ( $level ) {
+			my $chain2ref;
+
+			if ( $twochains ) {
+			    $chain2ref = $chainref;
+			} else {
+			    $chain2ref = new_chain( 'filter', "${char}$chainref->{name}" , "${char}$chainref->{logname}" );
+			}
+
+			log_rule_limit( $level,
+					$chain2ref,
+					$chain2ref->{logname},
+					uc $target,
+					$globals{LOGLIMIT},
+					$tag ,
+					'add' ,
+					'',
+					$level_origin );
+
+			$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
+
+			add_ijump_extended( $chain2ref, g => $target , $origin ) if $target;
+
+			$target = $chain2ref->{name} unless $twochains;
+		    }
 
 		    if ( $twochains ) {
-			$chain2ref = $chainref;
-		    } else {
-			$chain2ref = new_chain( 'filter', "${char}$chainref->{name}" , "${char}$chainref->{logname}" );
+			add_ijump_extended $chainref, g => $target , $origin if $target;
+			delete $state{$_};
+			last;
 		    }
 
-		    log_rule_limit( $level,
-				    $chain2ref,
-				    $chain2ref->{logname},
-				    uc $target,
-				    $globals{LOGLIMIT},
-				    $tag ,
-				    'add' ,
-				    '',
-				    $level_origin );
+		    if ( $target ) {
+			$target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
+			#
+			# Always handle ESTABLISHED first
+			#
+			if ( $state{ESTABLISHED} && $_ ne 'ESTABLISHED' ) {
+			    add_ijump( $chain1ref, j => 'ACCEPT', state_imatch 'ESTABLISHED' );
+			    delete $state{ESTABLISHED};
+			}
 
-		    $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
+			add_ijump_extended( $chainref, j => $target, $origin, state_imatch $_ );
+		    }
 
-		    add_ijump_extended( $chain2ref, g => $target , $origin ) if $target;
-
-		    $target = $chain2ref->{name} unless $twochains;
-		}
-
-		if ( $twochains ) {
-		    add_ijump_extended $chainref, g => $target , $origin if $target;
 		    delete $state{$_};
-		    last;
 		}
-
-		if ( $target ) {
-		    $target = ensure_audit_chain( $target ) if ( $targets{$target} || 0 ) & AUDIT;
-		    #
-		    # Always handle ESTABLISHED first
-		    #
-		    if ( $state{ESTABLISHED} && $_ ne 'ESTABLISHED' ) {
-			add_ijump( $chain1ref, j => 'ACCEPT', state_imatch 'ESTABLISHED' );
-			delete $state{ESTABLISHED};
-		    }
-
-		    add_ijump_extended( $chainref, j => $target, $origin, state_imatch $_ );
-		}
-
-		delete $state{$_};
-	    }
-	}
-    }
-
-    if ( keys %state ) {
-	my @state;
-
-	unless ( $config{FASTACCEPT} ) {
-	    for ( qw/ESTABLISHED RELATED/ ) {
-		push @state, $_ if $state{$_};
 	    }
 	}
 
-	push( @state, 'UNTRACKED' ),if $state{UNTRACKED} && $globals{UNTRACKED_TARGET} eq 'ACCEPT';
+	if ( keys %state ) {
+	    my @state;
 
-	add_ijump( $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) ) if @state;
+	    unless ( $config{FASTACCEPT} ) {
+		for ( qw/ESTABLISHED RELATED/ ) {
+		    push @state, $_ if $state{$_};
+		}
+	    }
+
+	    push( @state, 'UNTRACKED' ),if $state{UNTRACKED} && $globals{UNTRACKED_TARGET} eq 'ACCEPT';
+
+	    add_ijump( $chain1ref, j => 'ACCEPT', state_imatch join(',', @state ) ) if @state;
+	}
     }
 
     if ($sections{NEW} ) {
@@ -1497,13 +1523,13 @@ sub external_name( $ ) {
 #
 # Define an Action
 #
-sub new_action( $$$$$$ ) {
+sub new_action( $$$$$$$ ) {
 
-    my ( $action , $type, $options , $actionfile , $state, $proto ) = @_;
+    my ( $action , $type, $options , $actionfile , $state, $proto, $dport ) = @_;
 
     fatal_error "Reserved action name ($action)" if reserved_name( $action );
 
-    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto };
+    $actions{$action} = { file => $actionfile, actchain => '' , type => $type, options => $options , state => $state, proto => $proto, dport => $dport };
 
     $targets{$action} = $type;
 }
@@ -1774,7 +1800,7 @@ sub isolate_basic_target( $ ) {
 
 sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
 sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
-sub process_snat1( $$$$$$$$$$$$ );
+sub process_snat1( $$$$$$$$$$$$$ );
 sub perl_action_helper( $$;$$ );
 
 #
@@ -1968,23 +1994,49 @@ sub process_action(\$\$$) {
 		set_inline_matches( $matches );
 	    }
 	} else {
-	    my ( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) =
-		split_line2( 'snat file',
-			     { action =>0,
-			       source => 1,
-			       dest => 2,
-			       proto => 3,
-			       port => 4,
-			       ipsec => 5,
-			       mark => 6,
-			       user => 7,
-			       switch => 8,
-			       origdest => 9,
-			       probability => 10,
-			     },
-			     {},
-			     11,
-			     1 );
+	    my ( $action, $source, $dest, $protos, $port, $sport, $ipsec, $mark, $user, $condition, $origdest, $probability);
+
+	    if ( $file_format == 1 ) {
+		( $action, $source, $dest, $protos, $port, $ipsec, $mark, $user, $condition, $origdest, $probability) =
+		    split_line2( 'snat file',
+				 { action =>0,
+				   source => 1,
+				   dest => 2,
+				   proto => 3,
+				   port => 4,
+				   dport => 4,
+				   ipsec => 5,
+				   mark => 6,
+				   user => 7,
+				   switch => 8,
+				   origdest => 9,
+				   probability => 10,
+				 },
+				 {},
+				 11,
+				 1 );
+		$sport = '-';
+	    } else {
+		( $action, $source, $dest, $protos, $port, $sport, $ipsec, $mark, $user, $condition, $origdest, $probability) =
+		    split_line2( 'snat file',
+				 { action =>0,
+				   source => 1,
+				   dest => 2,
+				   proto => 3,
+				   port => 4,
+				   dport => 4,
+				   sport => 5,
+				   ipsec => 6,
+				   mark => 7,
+				   user => 8,
+				   switch => 9,
+				   origdest => 10,
+				   probability => 11,
+				 },
+				 {},
+				 12,
+				 1 );
+	    }
 
 	    fatal_error 'ACTION must be specified' if $action eq '-';
 
@@ -2000,6 +2052,7 @@ sub process_action(\$\$$) {
 			       $dest,
 			       $proto,
 			       $port,
+			       $sport,
 			       $ipsec,
 			       $mark,
 			       $user,
@@ -2098,6 +2151,7 @@ sub process_actions() {
 
 	    my $state = '';
 	    my $proto = 0;
+	    my $dport = 0;
 
 	    if ( $action =~ /:/ ) {
 		warning_message 'Policy Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -2117,6 +2171,10 @@ sub process_actions() {
 		    } elsif ( /^proto=(.+)$/ ) {
 			fatal_error "Unknown Protocol ($1)" unless defined( $proto = resolve_proto( $1 ) );
 			fatal_error "A protocol may not be specified on the REJECT_ACTION ($action)" if $action eq $config{REJECT_ACTION};
+		    } elsif ( /^dport=(.+)$/ ) {
+			fatal_error "The 'dport' option requires the 'proto' option" unless $proto;
+			$dport = validate_port($proto, $1);
+			fatal_error "A destination port may not be specified on the REJECT_ACTION ($action)" if $action eq $config{REJECT_ACTION};
 		    } else {
 			fatal_error "Invalid option ($_)" unless $options{$_};
 			$opts |= $options{$_};
@@ -2138,10 +2196,12 @@ sub process_actions() {
 		    }
 
 		    $proto = $actions{$action}{proto} unless $proto;
+		    $dport = $actions{$action}{dport} unless $dport;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} elsif ( ( $actiontype & INLINE ) && ( $type == ACTION ) && $opts & NOINLINE_OPT ) {
 		    $proto = $actions{$action}{proto} unless $proto;
+		    $dport = $actions{$action}{dport} unless $dport;
 		    delete $actions{$action};
 		    delete $targets{$action};
 		} else {
@@ -2185,7 +2245,7 @@ sub process_actions() {
 
 		fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
 
-		new_action ( $action, $type, $opts, $actionfile , $state , $proto );
+		new_action ( $action, $type, $opts, $actionfile , $state , $proto , $dport );
 	    }
 	}
     }
@@ -3064,9 +3124,11 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 
     if ( $actiontype & ACTION ) {
 	#
-	# Verify action 'proto', if any
+	# Verify action 'proto', and 'dport' if any
 	#
-	$proto = determine_action_protocol( $basictarget, $proto );
+	if ( ( $proto = determine_action_protocol( $basictarget, $proto ) ) ne '-' ) {
+	    $ports = determine_action_dport( $basictarget, $proto, $ports );
+	}
 	#
 	# Save NAT-oriented column contents
 	#
@@ -4818,9 +4880,11 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
 	function          => sub() {
 	    fatal_error( qq(Action $cmd may not be used in the mangle file) ) unless $actiontype & MANGLE_TABLE;
 	    #
-	    # Verify action 'proto', if any
+	    # Verify action 'proto' and 'dport' if any
 	    #
-	    $proto = determine_action_protocol( $cmd, $proto );
+	    if ( ( $proto = determine_action_protocol( $cmd, $proto ) ) ne '-' ) {
+		$ports = determine_action_dport( $cmd, $proto, $ports );
+	    }
 	    #
 	    # Create the action:level:tag:param tuple.
 	    #
@@ -5364,8 +5428,8 @@ sub process_mangle_rule( $ ) {
     }
 }
 
-sub process_snat_inline( $$$$$$$$$$$$$$ ) {
-    my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+sub process_snat_inline( $$$$$$$$$$$$$$$ ) {
+    my ($inline, $chainref, $params, $loglevel, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
 
     my ( $level,
 	 $tag )    = split( ':', $loglevel, 2 );
@@ -5384,28 +5448,54 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 
     progress_message "..Expanding inline action $inlinefile...";
 
-    push_open $inlinefile, 2, 1, undef , 2;
+    push_open $inlinefile, 2, 1, undef , 1;
 
     my $save_comment = push_comment;
 
     while ( read_a_line( NORMAL_READ ) ) {
-	my ( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
-	    split_line2( 'snat file',
-			 { action =>0,
-			   source => 1,
-			   dest => 2,
-			   proto => 3,
-			   port => 4,
-			   ipsec => 5,
-			   mark => 6,
-			   user => 7,
-			   switch => 8,
-			   origdest => 9,
-			   probability => 10,
-			 },
-			 {},
-			 11,
-			 1 );
+	my ( $maction, $msource, $mdest, $mprotos, $mports, $msports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability);
+
+	if ( $file_format == 1 ) {
+	    ( $maction, $msource, $mdest, $mprotos, $mports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
+		split_line2( 'snat file',
+			     { action =>0,
+			       source => 1,
+			       dest => 2,
+			       proto => 3,
+			       port => 4,
+			       dport => 4,
+			       ipsec => 5,
+			       mark => 6,
+			       user => 7,
+			       switch => 8,
+			       origdest => 9,
+			       probability => 10,
+			     },
+			     {},
+			     11,
+			     1 );
+	    $msports = '-';
+	} else {
+	    ( $maction, $msource, $mdest, $mprotos, $mports, $msports, $mipsec, $mmark, $muser, $mcondition, $morigdest, $mprobability) =
+		split_line2( 'snat file',
+			     { action =>0,
+			       source => 1,
+			       dest => 2,
+			       proto => 3,
+			       port => 4,
+			       dport => 4,
+			       sport => 5,
+			       ipsec => 6,
+			       mark => 7,
+			       user => 8,
+			       switch => 9,
+			       origdest => 10,
+			       probability => 11,
+			     },
+			     {},
+			     12,
+			     1 );
+	}
 
 	fatal_error 'ACTION must be specified' if $maction eq '-';
 
@@ -5433,6 +5523,7 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 			   $mdest,
 			   $proto,
 			   merge_macro_column( $mports,          $ports ),
+			   merge_macro_column( $msports,         $sports ),
 			   merge_macro_column( $mipsec,          $ipsec ),
 			   merge_macro_column( $mmark,           $mark ),
 			   merge_macro_column( $muser,           $user ),
@@ -5459,8 +5550,8 @@ sub process_snat_inline( $$$$$$$$$$$$$$ ) {
 #
 # Process a record in the snat file
 #
-sub process_snat1( $$$$$$$$$$$$ ) {
-    my ( $chainref, $origaction, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
+sub process_snat1( $$$$$$$$$$$$$ ) {
+    my ( $chainref, $origaction, $source, $dest, $proto, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) = @_;
 
     my $inchain;
     my $inaction;
@@ -5480,6 +5571,13 @@ sub process_snat1( $$$$$$$$$$$$ ) {
     my ( $action, $loglevel ) = split_action( $origaction );
     my $logaction;
     my $param;
+    #
+    # Handle early matches
+    #
+    if ( $inlinematches =~ s/^s*\+// ) {
+	$prerule = $inlinematches;
+	$inlinematches = '';
+    }
 
     if ( $action =~ /^MASQUERADE(\+)?(?:\((.+)\))?$/ ) {
 	$target     = 'MASQUERADE';
@@ -5572,7 +5670,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
     #
     # Handle Protocol, Ports and Condition
     #
-    $baserule .= do_proto( $proto, $ports, '' );
+    $baserule .= do_proto( $proto, $ports, $sports );
     #
     # Handle Mark
     #
@@ -5819,6 +5917,7 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 				 supplied( $destnets ) && $destnets ne '-' ? $inaction || $interface ? join( ':', $interface, $destnets ) : $destnets : $inaction ? '-' : $interface,
 				 $proto,
 				 $ports,
+				 $sports,
 				 $ipsec,
 				 $mark,
 				 $user,
@@ -5829,9 +5928,11 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 	    if ( $actiontype & ACTION ) {
 		fatal_error( qq(Action $target may not be used in the snat file) ) unless $actiontype & NAT_TABLE;
 		#
-		# Verify action 'proto', if any
+		# Verify action 'proto' and 'dport', if any
 		#
-		$proto = determine_action_protocol( $target, $proto );
+		if ( ( $proto = determine_action_protocol( $target, $proto ) ) ne '-' ) {
+		    $ports = determine_action_dport( $target, $proto, $ports );
+		}
 		#
 		# Create the action:level:tag:param tuple. Since we don't allow logging out of nat POSTROUTING, we store
 		# the interface name in the log tag
@@ -5929,18 +6030,30 @@ sub process_snat1( $$$$$$$$$$$$ ) {
 
 sub process_snat( )
 {
-    my ($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
-	split_line2( 'snat file',
-		     { action => 0, source => 1, dest => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
-		     {},    #Nopad
-		     undef, #Columns
-		     1 );   #Allow inline matches
+    my ($action, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+
+    if ( $file_format == 1 ) {
+	($action, $source, $dest, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+	    split_line2( 'snat file',
+			 { action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9, probability => 10 },
+			 {},    #Nopad
+			 11,    #Columns
+			 1 );   #Allow inline matches
+	$sports = '-';
+    } else {
+	($action, $source, $dest, $protos, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability ) =
+	    split_line2( 'snat file',
+			 { action => 0, source => 1, dest => 2, proto => 3, port => 4, dport => 4, sport => 5, ipsec => 6, mark => 7, user => 8, switch => 9, origdest => 10, probability => 11 },
+			 {},    #Nopad
+			 12,    #Columns
+			 1 );   #Allow inline matches
+    }
 
     fatal_error 'ACTION must be specified' if $action eq '-';
     fatal_error 'DEST must be specified' if $dest eq '-';
 
     for my $proto ( split_list $protos, 'Protocol' ) {
-	process_snat1( undef, $action, $source, $dest, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest, $probability );
+	process_snat1( undef, $action, $source, $dest, $proto, $ports, $sports, $ipsec, $mark, $user, $condition, $origdest, $probability );
     }
 }
 
@@ -5955,7 +6068,7 @@ sub setup_snat()
 	#
 	# Masq file was empty or didn't exist
 	#
-	if ( $fn = open_file( 'snat', 1, 1 ) ) {
+	if ( $fn = open_file( 'snat', 2, 1, undef, 1 ) ) {
 	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty snat file" , 's'; } );
 	    process_snat while read_a_line( NORMAL_READ );
 	}

Shorewall/Perl/Shorewall/Zones.pm

@@ -560,7 +560,8 @@ sub process_zone( \$ ) {
 	@parents = split_list $2, 'zone';
     }
 
-    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH};
+    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i;
+    fatal_error "Zone name ($zone) too long"     unless length $zone <= $globals{MAXZONENAMELENGTH};
     fatal_error "Invalid zone name ($zone)"      if $reservedName{$zone} || $zone =~ /^all2|2all$/;
     fatal_error( "Duplicate zone name ($zone)" ) if $zones{$zone};
 

Shorewall/Perl/lib.runtime

@@ -1089,7 +1089,7 @@ clear_firewall() {
 
     set_state "Cleared"
 
-    logger -p kern.info "$g_product Cleared"
+    logger -p daemon.info "$g_product Cleared"
 }
 
 #
@@ -1389,7 +1389,7 @@ clear_firewall() {
 
     set_state "Cleared"
 
-    logger -p kern.info "$g_product Cleared"
+    logger -p daemon.info "$g_product Cleared"
 }
 
 ?endif # IPv6-specific functions.

Shorewall/Samples/three-interfaces/snat

@@ -12,8 +12,9 @@
 # For information about entries in this file, type "man shorewall-snat"
 #
 # See https://shorewall.org/manpages/shorewall-snat.html for more information
-###########################################################################################################################################
-#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+?FORMAT 2
+###################################################################################################################################################
+#ACTION			SOURCE			DEST            PROTO	DPORT	SPORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/three-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:43:47 PDT 2016
 #

Shorewall/Samples/two-interfaces/snat

@@ -12,8 +12,9 @@
 # For information about entries in this file, type "man shorewall-snat"
 #
 # See https://shorewall.org/manpages/shorewall-snat.html for more information
-###########################################################################################################################################
-#ACTION			SOURCE			DEST            PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+?FORMAT 2
+###################################################################################################################################################
+#ACTION			SOURCE			DEST            PROTO	DPORT	SPORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
 #
 # Rules generated from masq file /home/teastep/shorewall/trunk/Shorewall/Samples/two-interfaces/masq by Shorewall 5.0.13-RC1 - Sat Oct 15 11:41:40 PDT 2016
 #

Shorewall/Shorewall-targetname

@@ -1 +1 @@
-5.2.4.5
+5.2.6-RC1

Shorewall/configfiles/snat

@@ -5,5 +5,6 @@
 #
 # See https://shorewall.org/manpages/shorewall-snat.html for more information
 #
-###########################################################################################################################################
-#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+?FORMAT 2
+###################################################################################################################################################
+#ACTION			SOURCE			DEST		PROTO	DPORT	SPORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY

Shorewall/lib.cli-std

@@ -338,7 +338,7 @@ get_config() {
 
     if [ -n "$DYNAMIC_BLACKLIST" -a "$(id -u)" = 0 ]; then
 	case $COMMAND in
-	    blacklist|allow|drop|logdrop|reject)
+	    blacklist*|allow|drop|logdrop|reject)
 		setup_dbl
 		;;
 	esac

Shorewall/manpages/shorewall-actions.xml

@@ -26,8 +26,8 @@
     <title>Description</title>
 
     <para>This file allows you to define new ACTIONS for use in rules (see
-    <ulink url="shorewall-rules.html">shorewall-rules(5)</ulink>).
-    You define the iptables rules to be performed in an ACTION in
+    <ulink url="shorewall-rules.html">shorewall-rules(5)</ulink>). You define
+    the iptables rules to be performed in an ACTION in
     /etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
 
     <para>Columns are:</para>
@@ -148,8 +148,8 @@
               <listitem>
                 <para>Added in Shorewall 5.0.7. Specifies that this action is
                 to be used in <ulink
-                url="shorewall-mangle.html">shorewall-mangle(5)</ulink>
-                rather than <ulink
+                url="shorewall-mangle.html">shorewall-mangle(5)</ulink> rather
+                than <ulink
                 url="shorewall-rules.html">shorewall-rules(5)</ulink>.</para>
               </listitem>
             </varlistentry>
@@ -160,11 +160,11 @@
               <listitem>
                 <para>Added in Shorewall 5.0.13. Specifies that this action is
                 to be used in <ulink
-                url="shorewall-snat.html">shorewall-snat(5)</ulink>
-                rather than <ulink
-                url="shorewall-rules.html">shorewall-rules(5)</ulink>.
-                The <option>mangle</option> and <option>nat</option> options
-                are mutually exclusive.</para>
+                url="shorewall-snat.html">shorewall-snat(5)</ulink> rather
+                than <ulink
+                url="shorewall-rules.html">shorewall-rules(5)</ulink>. The
+                <option>mangle</option> and <option>nat</option> options are
+                mutually exclusive.</para>
               </listitem>
             </varlistentry>
 
@@ -212,6 +212,24 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><option>dport</option>=<replaceable>portorservice</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.6. Requires that the <emphasis
+                role="bold">proto</emphasis> option be previously given and
+                indicates that this action may only be applied to flows with
+                the specified <replaceable>protocol</replaceable> and
+                <replaceable>portorservice</replaceable>.
+                <replaceable>portorservice</replaceable> may be a valid port
+                number or the name of a service defined in /etc/services to be
+                usable with the specified <replaceable>protocol</replaceable>.
+                If a port or service is specified in the DPORT column of an
+                invocation, then it must match the named
+                <replaceable>portorservice</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><option>section</option></term>
 

Shorewall/manpages/shorewall-providers.xml

@@ -79,13 +79,13 @@
 
         <listitem>
           <para>A FWMARK <emphasis>value</emphasis> used in your <ulink
-          url="shorewall-mangle.html">shorewall-mangle(5)</ulink>
-          file to direct packets to this provider.</para>
+          url="shorewall-mangle.html">shorewall-mangle(5)</ulink> file to
+          direct packets to this provider.</para>
 
           <para>If PROVIDER_OFFSET is non-zero in <ulink
-          url="shorewall.conf.html">shorewall.conf(5)</ulink>, then
-          the value must be a multiple of 2^^PROVIDER_OFFSET. In all cases,
-          the number of significant bits may not exceed PROVIDER_OFFSET +
+          url="shorewall.conf.html">shorewall.conf(5)</ulink>, then the value
+          must be a multiple of 2^^PROVIDER_OFFSET. In all cases, the number
+          of significant bits may not exceed PROVIDER_OFFSET +
           PROVIDER_BITS.</para>
         </listitem>
       </varlistentry>
@@ -111,8 +111,8 @@
         <listitem>
           <para>The name of the network interface to the provider. Must be
           listed in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces(5)</ulink>.
-          In general, that interface should not have the
+          url="shorewall-interfaces.html">shorewall-interfaces(5)</ulink>. In
+          general, that interface should not have the
           <option>proxyarp</option> or <option>proxyndp</option> option
           specified unless <option>loose</option> is given in the OPTIONS
           column of this entry.</para>
@@ -190,9 +190,8 @@
 
                 <para>Beginning with Shorewall 4.4.3, <option>track</option>
                 defaults to the setting of the TRACK_PROVIDERS option in
-                <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>
-                (5). If you set TRACK_PROVIDERS=Yes and want to override that
+                <ulink url="shorewall.conf.html">shorewall.conf</ulink> (5).
+                If you set TRACK_PROVIDERS=Yes and want to override that
                 setting for an individual provider, then specify
                 <option>notrack</option> (see below).</para>
               </listitem>
@@ -343,7 +342,7 @@
                 <replaceable>weight</replaceable> is given, a balanced route
                 is added with the weight of this provider equal to the
                 specified <replaceable>weight</replaceable>. If the option is
-                given without a <replaceable>weight</replaceable>, an separate
+                given without a <replaceable>weight</replaceable>, a separate
                 default route is added through the provider's gateway; the
                 route has a metric equal to the provider's NUMBER.</para>
 

Shorewall/manpages/shorewall-snat.xml

@@ -39,12 +39,26 @@
       <para>If you have more than one ISP link, adding entries to this file
       will <emphasis role="bold">not</emphasis> force connections to go out
       through a particular link. You must use entries in <ulink
-      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
-      PREROUTING entries in <ulink
+      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
+      entries in <ulink
       url="shorewall-mangle.html">shorewall-mangle</ulink>(5) to do
       that.</para>
     </warning>
 
+    <para>Beginning with Shorewall 5.2.6, the snat file supports two different
+    formats:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>The SPORT (source port) column is omitted. This is the default
+        unless a "?FORMAT 2" compiler directive is included.</para>
+      </listitem>
+
+      <listitem>
+        <para>The SPORT column immediately follows the DPORT column.</para>
+      </listitem>
+    </orderedlist>
+
     <para>The columns in the file are as follows.</para>
 
     <variablelist>
@@ -68,10 +82,10 @@
               <listitem>
                 <para>where <replaceable>action</replaceable> is an action
                 declared in <ulink
-                url="shorewall-actions.html">shorewall-actions(5)</ulink>
-                with the <option>nat</option> option. See <ulink
-                url="../Actions.html">https://shorewall.org/Actions.html</ulink> for
-                further information.</para>
+                url="shorewall-actions.html">shorewall-actions(5)</ulink> with
+                the <option>nat</option> option. See <ulink
+                url="../Actions.html">https://shorewall.org/Actions.html</ulink>
+                for further information.</para>
               </listitem>
             </varlistentry>
 
@@ -165,9 +179,9 @@
                 <para>If you specify an address here, matching packets will
                 have their source address set to that address. If
                 ADD_SNAT_ALIASES is set to Yes or yes in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5)
-                then Shorewall will automatically add this address to the
-                INTERFACE named in the first column (IPv4 only).</para>
+                url="shorewall.conf.html">shorewall.conf</ulink>(5) then
+                Shorewall will automatically add this address to the INTERFACE
+                named in the first column (IPv4 only).</para>
 
                 <para>You may also specify a range of up to 256 IP addresses
                 if you want the SNAT address to be assigned from that range in
@@ -237,10 +251,10 @@
 
           <para>Normally Masq/SNAT rules are evaluated after those for
           one-to-one NAT (defined in <ulink
-          url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you
-          want the rule to be applied before one-to-one NAT rules, follow the
-          action name with "+": This feature should only be required if you
-          need to insert rules in this file that preempt entries in <ulink
+          url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
+          rule to be applied before one-to-one NAT rules, follow the action
+          name with "+": This feature should only be required if you need to
+          insert rules in this file that preempt entries in <ulink
           url="shorewall-nat.html">shorewall-nat</ulink>(5).</para>
         </listitem>
       </varlistentry>
@@ -279,23 +293,23 @@
           networks. Multiple interfaces may be listed when the ACTION is
           MASQUERADE, but this is usually just your internet interface. If
           ADD_SNAT_ALIASES=Yes in <ulink
-          url="shorewall.conf.html">shorewall.conf</ulink>(5), you
-          may add ":" and a <emphasis>digit</emphasis> to indicate that you
-          want the alias added with that name (e.g., eth0:0). This will allow
-          the alias to be displayed with ifconfig. <emphasis role="bold">That
-          is the only use for the alias name; it may not appear in any other
-          place in your Shorewall configuration.</emphasis></para>
+          url="shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
+          and a <emphasis>digit</emphasis> to indicate that you want the alias
+          added with that name (e.g., eth0:0). This will allow the alias to be
+          displayed with ifconfig. <emphasis role="bold">That is the only use
+          for the alias name; it may not appear in any other place in your
+          Shorewall configuration.</emphasis></para>
 
           <para>Beginning with Shorewall 5.1.12, SNAT may be performed in the
           nat table's INPUT chain by specifying $FW rather than one or more
-          interfaces. </para>
+          interfaces.</para>
 
           <para>Each interface must match an entry in <ulink
           url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
           Shorewall allows loose matches to wildcard entries in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
-          For example, <filename class="devicefile">ppp0</filename> in this
-          file will match a <ulink
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5). For
+          example, <filename class="devicefile">ppp0</filename> in this file
+          will match a <ulink
           url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
           entry that defines <filename
           class="devicefile">ppp+</filename>.</para>
@@ -315,8 +329,8 @@
           addresses to indicate that you only want to change the source IP
           address for packets being sent to those particular destinations.
           Exclusion is allowed (see <ulink
-          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))
-          as are ipset names preceded by a plus sign '+';</para>
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
+          are ipset names preceded by a plus sign '+';</para>
 
           <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
           entry then include the ":" but omit the digit:</para>
@@ -341,8 +355,7 @@
         <listitem>
           <para>If you wish to restrict this entry to a particular protocol
           then enter the protocol name (from protocols(5)) or number here. See
-          <ulink
-          url="shorewall-rules.html">shorewall-rules(5)</ulink> for
+          <ulink url="shorewall-rules.html">shorewall-rules(5)</ulink> for
           details.</para>
 
           <para>Beginning with Shorewall 4.5.12, this column can accept a
@@ -356,10 +369,14 @@
       </varlistentry>
 
       <varlistentry>
-        <term><emphasis role="bold">PORT</emphasis> (Optional) -
+        <term><emphasis role="bold">{PORT|DPORT}</emphasis> (Optional) -
         {-|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...|+<replaceable>ipset</replaceable>}</term>
 
         <listitem>
+          <para>The column was renamed to DPORT in Shorewall 5.2.6. Beginning
+          with that release, both PORT and DPORT are accepted in the
+          alternative input format,</para>
+
           <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
           SCTP (132) or UDPLITE (136) then you may list one or more port
           numbers (or names from services(5)) or port ranges separated by
@@ -375,6 +392,27 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">SPORT
+        {-|[!]<replaceable>port-name-or-number</replaceable>[,<replaceable>port-name-or-number</replaceable>]...|+<replaceable>ipset</replaceable>}</emphasis></term>
+
+        <listitem>
+          <para>FORMAT 2 only.</para>
+
+          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
+          SCTP (132) or UDPLITE (136) then you may list one or more port
+          numbers (or names from services(5)) or port ranges separated by
+          commas.</para>
+
+          <para>Port ranges are of the form
+          <emphasis>lowport</emphasis>:<emphasis>highport</emphasis>.</para>
+
+          <para>An <replaceable>ipset</replaceable> name can be specified in
+          this column. This is intended to be used with
+          <firstterm>bitmap:port</firstterm> ipsets.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">IPSEC</emphasis> (Optional) -
         [<emphasis>option</emphasis>[<emphasis

Shorewall/manpages/shorewall.conf.xml

@@ -245,8 +245,8 @@
         <listitem>
           <para>Added in Shorewall 4.4.7. If set to Yes, Shorewall accounting
           is enabled (see <ulink
-          url="shorewall-accounting.html">shorewall-accounting</ulink>(5)).
-          If not specified or set to the empty value, ACCOUNTING=Yes is
+          url="shorewall-accounting.html">shorewall-accounting</ulink>(5)). If
+          not specified or set to the empty value, ACCOUNTING=Yes is
           assumed.</para>
         </listitem>
       </varlistentry>
@@ -271,8 +271,8 @@
         <listitem>
           <para>This parameter determines whether Shorewall automatically adds
           the external address(es) in <ulink
-          url="shorewall-nat.html">shorewall-nat</ulink>(5), and is
-          only available in IPv4 configurations. If the variable is set to
+          url="shorewall-nat.html">shorewall-nat</ulink>(5), and is only
+          available in IPv4 configurations. If the variable is set to
           <emphasis role="bold">Yes</emphasis> or <emphasis
           role="bold">yes</emphasis> then Shorewall automatically adds these
           aliases. If it is set to <emphasis role="bold">No</emphasis> or
@@ -300,8 +300,8 @@
         <listitem>
           <para>This parameter determines whether Shorewall automatically adds
           the SNAT ADDRESS in <ulink
-          url="shorewall-masq.html">shorewall-masq</ulink>(5), and
-          is only available in IPv4 configurations. If the variable is set to
+          url="shorewall-masq.html">shorewall-masq</ulink>(5), and is only
+          available in IPv4 configurations. If the variable is set to
           <emphasis role="bold">Yes</emphasis> or <emphasis
           role="bold">yes</emphasis> then Shorewall automatically adds these
           addresses. If it is set to <emphasis role="bold">No</emphasis> or
@@ -445,8 +445,7 @@
 
                 <listitem>
                   <para>Specify the appropriate helper in the HELPER column in
-                  <ulink
-                  url="shorewall-rules.html">shorewall-rules</ulink>
+                  <ulink url="shorewall-rules.html">shorewall-rules</ulink>
                   (5).</para>
 
                   <note>
@@ -514,8 +513,8 @@
           <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
           determines whether the <option>balance</option> provider option (see
           <ulink
-          url="shorewall-providers.html">shorewall-providers(5)</ulink>)
-          is the default. When BALANCE_PROVIDERS=Yes, then the
+          url="shorewall-providers.html">shorewall-providers(5)</ulink>) is
+          the default. When BALANCE_PROVIDERS=Yes, then the
           <option>balance</option> option is assumed unless the
           <option>fallback</option>, <option>loose</option>,
           <option>load</option> or <option>tproxy</option> option is
@@ -531,8 +530,8 @@
         <listitem>
           <para>Added in Shorewall-4.6.0. When set to <emphasis
           role="bold">Yes</emphasis>, causes entries in <ulink
-          url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>
-          to generate a basic filter rather than a u32 filter. This setting
+          url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink> to
+          generate a basic filter rather than a u32 filter. This setting
           requires the <firstterm>Basic Ematch</firstterm> capability in your
           kernel and iptables.</para>
 
@@ -589,8 +588,7 @@
 
           <para>The BLACKLIST_DISPOSITION setting determines the disposition
           of packets sent to the <emphasis role="bold">blacklog</emphasis>
-          target of <ulink
-          url="shorewall-blrules.html">shorewall-blrules
+          target of <ulink url="shorewall-blrules.html">shorewall-blrules
           </ulink>(5), but otherwise does not affect entries in that
           file.</para>
         </listitem>
@@ -652,8 +650,8 @@
           not supply an /etc/shorewall/tcstart file. That way, your traffic
           shaping rules can still use the “fwmark” classifier based on packet
           marking defined in <ulink
-          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).
-          If not specified, CLEAR_TC=Yes is assumed.</para>
+          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5). If not
+          specified, CLEAR_TC=Yes is assumed.</para>
 
           <warning>
             <para>When you specify TC_ENABLED=shared (see below), then you
@@ -943,14 +941,37 @@
                 </important>
               </listitem>
             </varlistentry>
+
+            <varlistentry>
+              <term>log</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.5. When specified, successful
+                'blacklist' and 'allow' commands will log a message to the
+                system log.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>noupdate</term>
+
+              <listitem>
+                <para>Added in Shorewall 5.2.5. Normally, once an address has
+                been blacklisted, each time that a packet is received from the
+                packet, the ipset's entry for the address is updated to reset
+                the timeout to the value specifyed in the
+                <option>timeout</option> option above. Setting the
+                <option>noupdate</option> option, inhibits this resetting of
+                the entry's timeout. This option is ignored when the
+                <option>timeout</option> option is not specified.</para>
+              </listitem>
+            </varlistentry>
           </variablelist>
 
           <para>When ipset-based dynamic blacklisting is enabled, the contents
           of the blacklist will be preserved over
           <command>stop</command>/<command>reboot</command>/<command>start</command>
-          sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
-          <replaceable>setname</replaceable> is included in the list of sets
-          to be saved in SAVE_IPSETS.</para>
+          sequences.</para>
         </listitem>
       </varlistentry>
 
@@ -1159,12 +1180,11 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
 
           <para>Subzones are defined by following their name with ":" and a
           list of parent zones (in <ulink
-          url="shorewall-zones.html">shorewall-zones</ulink>(5)).
-          Normally, you want to have a set of special rules for the subzone
-          and if a connection doesn't match any of those subzone-specific
-          rules then you want the parent zone rules and policies to be
-          applied; see <ulink
-          url="shorewall-nesting.html">shorewall-nesting</ulink>(5).
+          url="shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
+          you want to have a set of special rules for the subzone and if a
+          connection doesn't match any of those subzone-specific rules then
+          you want the parent zone rules and policies to be applied; see
+          <ulink url="shorewall-nesting.html">shorewall-nesting</ulink>(5).
           With IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
 
           <para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
@@ -1182,10 +1202,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         <listitem>
           <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
           INVALID packets through the NEW section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5).
-          When a packet in INVALID state fails to match any rule in the
-          INVALID section, the packet is disposed of based on this setting.
-          The default value is CONTINUE for compatibility with earlier
+          url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
+          packet in INVALID state fails to match any rule in the INVALID
+          section, the packet is disposed of based on this setting. The
+          default value is CONTINUE for compatibility with earlier
           versions.</para>
         </listitem>
       </varlistentry>
@@ -1197,9 +1217,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
         <listitem>
           <para>Added in Shorewall 4.5.13. Packets in the INVALID state that
           do not match any rule in the INVALID section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5) are
-          logged at this level. The default value is empty which means no
-          logging is performed.</para>
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          this level. The default value is empty which means no logging is
+          performed.</para>
         </listitem>
       </varlistentry>
 
@@ -1482,8 +1502,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           sample configurations use this as the default log level and changing
           it will change all packet logging done by the configuration. In any
           configuration file (except <ulink
-          url="shorewall-params.html">shorewall-params(5)</ulink>),
-          $LOG_LEVEL will expand to this value.</para>
+          url="shorewall-params.html">shorewall-params(5)</ulink>), $LOG_LEVEL
+          will expand to this value.</para>
         </listitem>
       </varlistentry>
 
@@ -1635,8 +1655,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           <note>
             <para>The setting of LOGFORMAT has an effect of the permitted
             length of zone names. See <ulink
-            url="shorewall-zones.html">shorewall-zones</ulink>
-            (5).</para>
+            url="shorewall-zones.html">shorewall-zones</ulink> (5).</para>
           </note>
 
           <caution>
@@ -1793,8 +1812,8 @@ LOG:info:,bar                        net                    fw</programlisting>
         <listitem>
           <para>The performance of configurations with a large numbers of
           entries in <ulink
-          url="shorewall-maclist.html">shorewall-maclist</ulink>(5)
-          can be improved by setting the MACLIST_TTL variable in <ulink
+          url="shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
+          improved by setting the MACLIST_TTL variable in <ulink
           url="shorewall.conf.html">shorewall[6].conf</ulink>(5).</para>
 
           <para>If your iptables and kernel support the "Recent Match" (see
@@ -1804,15 +1823,14 @@ LOG:info:,bar                        net                    fw</programlisting>
 
           <para>When a new connection arrives from a 'maclist' interface, the
           packet passes through then list of entries for that interface in
-          <ulink
-          url="shorewall-maclist.html">shorewall-maclist</ulink>(5).
-          If there is a match then the source IP address is added to the
-          'Recent' set for that interface. Subsequent connection attempts from
-          that IP address occurring within $MACLIST_TTL seconds will be
-          accepted without having to scan all of the entries. After
-          $MACLIST_TTL from the first accepted connection request from an IP
-          address, the next connection request from that IP address will be
-          checked against the entire list.</para>
+          <ulink url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
+          there is a match then the source IP address is added to the 'Recent'
+          set for that interface. Subsequent connection attempts from that IP
+          address occurring within $MACLIST_TTL seconds will be accepted
+          without having to scan all of the entries. After $MACLIST_TTL from
+          the first accepted connection request from an IP address, the next
+          connection request from that IP address will be checked against the
+          entire list.</para>
 
           <para>If MACLIST_TTL is not specified or is specified as empty (e.g,
           MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
@@ -2386,13 +2404,12 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
         <listitem>
           <para>Added in Shorewall 4.4.27. Shorewall has traditionally
           ACCEPTed RELATED packets that don't match any rule in the RELATED
-          section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5).
-          Concern about the safety of this practice resulted in the addition
-          of this option. When a packet in RELATED state fails to match any
-          rule in the RELATED section, the packet is disposed of based on this
-          setting. The default value is ACCEPT for compatibility with earlier
-          versions.</para>
+          section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
+          (5). Concern about the safety of this practice resulted in the
+          addition of this option. When a packet in RELATED state fails to
+          match any rule in the RELATED section, the packet is disposed of
+          based on this setting. The default value is ACCEPT for compatibility
+          with earlier versions.</para>
         </listitem>
       </varlistentry>
 
@@ -2403,9 +2420,9 @@ RCP_COMMAND: scp ${files} ${root}@${system}:${destination}</programlisting>
         <listitem>
           <para>Added in Shorewall 4.4.27. Packets in the related state that
           do not match any rule in the RELATED section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5) are
-          logged at this level. The default value is empty which means no
-          logging is performed.</para>
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          this level. The default value is empty which means no logging is
+          performed.</para>
         </listitem>
       </varlistentry>
 
@@ -2506,8 +2523,7 @@ INLINE          -       -       -       ;; -j REJECT
           <para>Added in Shorewall 4.4.10. The default is No. If set to Yes,
           at least one optional interface must be up in order for the firewall
           to be in the started state. Intended to be used with the <ulink
-          url="shorewall-init.html">Shorewall Init
-          Package</ulink>.</para>
+          url="shorewall-init.html">Shorewall Init Package</ulink>.</para>
         </listitem>
       </varlistentry>
 
@@ -2593,18 +2609,17 @@ INLINE          -       -       -       ;; -j REJECT
           <para>During <emphasis role="bold">shorewall star</emphasis>t, IP
           addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
           ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
-          url="shorewall-nat.html">shorewall-nat</ulink>(5) and
-          <ulink url="shorewall-masq.html">shorewall-masq</ulink>(5)
-          are processed then are re-added later. This is done to help ensure
-          that the addresses can be added with the specified labels but can
-          have the undesirable side effect of causing routes to be quietly
-          deleted. When RETAIN_ALIASES is set to Yes, existing addresses will
-          not be deleted. Regardless of the setting of RETAIN_ALIASES,
-          addresses added during <emphasis role="bold">shorewall
-          start</emphasis> are still deleted at a subsequent <emphasis
-          role="bold">shorewall [stop</emphasis>, <emphasis
-          role="bold">shorewall reload</emphasis> or <emphasis
-          role="bold">shorewall restart</emphasis>.</para>
+          url="shorewall-nat.html">shorewall-nat</ulink>(5) and <ulink
+          url="shorewall-masq.html">shorewall-masq</ulink>(5) are processed
+          then are re-added later. This is done to help ensure that the
+          addresses can be added with the specified labels but can have the
+          undesirable side effect of causing routes to be quietly deleted.
+          When RETAIN_ALIASES is set to Yes, existing addresses will not be
+          deleted. Regardless of the setting of RETAIN_ALIASES, addresses
+          added during <emphasis role="bold">shorewall start</emphasis> are
+          still deleted at a subsequent <emphasis role="bold">shorewall
+          [stop</emphasis>, <emphasis role="bold">shorewall reload</emphasis>
+          or <emphasis role="bold">shorewall restart</emphasis>.</para>
         </listitem>
       </varlistentry>
 
@@ -2708,9 +2723,9 @@ INLINE          -       -       -       ;; -j REJECT
         <listitem>
           <para>Added in Shorewall 4.4.20. Determines the disposition of
           packets matching the <option>sfilter</option> option (see <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          and of <firstterm>hairpin</firstterm> packets on interfaces without
-          the <option>routeback</option> option.<footnote>
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
+          of <firstterm>hairpin</firstterm> packets on interfaces without the
+          <option>routeback</option> option.<footnote>
               <para>Hairpin packets are packets that are routed out of the
               same interface that they arrived on.</para>
             </footnote></para>
@@ -2724,9 +2739,9 @@ INLINE          -       -       -       ;; -j REJECT
         <listitem>
           <para>Added on Shorewall 4.4.20. Determines the logging of packets
           matching the <option>sfilter</option> option (see <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          and of <firstterm>hairpin</firstterm> packets on interfaces without
-          the <option>routeback</option> option.<footnote>
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
+          of <firstterm>hairpin</firstterm> packets on interfaces without the
+          <option>routeback</option> option.<footnote>
               <para>Hairpin packets are packets that are routed out of the
               same interface that they arrived on.</para>
             </footnote> The default is <option>info</option>. If you don't
@@ -2754,9 +2769,9 @@ INLINE          -       -       -       ;; -j REJECT
         <listitem>
           <para>Added in Shorewall 4.4.20. The default setting is DROP which
           causes smurf packets (see the nosmurfs option in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          to be dropped. A_DROP causes the packets to be audited prior to
-          being dropped and requires AUDIT_TARGET support in the kernel and
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) to
+          be dropped. A_DROP causes the packets to be audited prior to being
+          dropped and requires AUDIT_TARGET support in the kernel and
           iptables.</para>
         </listitem>
       </varlistentry>
@@ -2768,8 +2783,8 @@ INLINE          -       -       -       ;; -j REJECT
         <listitem>
           <para>Specifies the logging level for smurf packets (see the
           nosmurfs option in <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
-          If set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)). If
+          set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
           logged.</para>
         </listitem>
       </varlistentry>
@@ -2871,8 +2886,7 @@ INLINE          -       -       -       ;; -j REJECT
           <para>If you set TC_ENABLED=Simple (Shorewall 4.4.6 and later),
           simple traffic shaping using <ulink
           url="shorewall-tcinterfaces.html">shorewall-tcinterfaces</ulink>(5)
-          and <ulink
-          url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
+          and <ulink url="shorewall-tcpri.html">shorewall-tcpri</ulink>(5) is
           enabled.</para>
 
           <para>If you set TC_ENABLED=Internal or internal or leave the option
@@ -2936,10 +2950,10 @@ INLINE          -       -       -       ;; -j REJECT
           <para>Determines the disposition of TCP packets that fail the checks
           enabled by the <emphasis role="bold">tcpflags</emphasis> interface
           option (see <ulink
-          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5))
-          and must have a value of ACCEPT (accept the packet), REJECT (send an
-          RST response) or DROP (ignore the packet). If not set or if set to
-          the empty value (e.g., TCP_FLAGS_DISPOSITION="") then
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
+          must have a value of ACCEPT (accept the packet), REJECT (send an RST
+          response) or DROP (ignore the packet). If not set or if set to the
+          empty value (e.g., TCP_FLAGS_DISPOSITION="") then
           TCP_FLAGS_DISPOSITION=DROP is assumed.</para>
 
           <para>A_DROP and A_REJECT are audited versions of DROP and REJECT
@@ -2968,8 +2982,8 @@ INLINE          -       -       -       ;; -j REJECT
           <para>Added in Shorewall 4.4.3. When set to Yes, causes the
           <option>track</option> option to be assumed on all providers defined
           in <ulink
-          url="shorewall-providers.html">shorewall-providers</ulink>(5).
-          May be overridden on an individual provider through use of the
+          url="shorewall-providers.html">shorewall-providers</ulink>(5). May
+          be overridden on an individual provider through use of the
           <option>notrack</option> option. The default value is 'No'.</para>
 
           <para>Beginning in Shorewall 4.4.6, setting this option to 'Yes'
@@ -3023,10 +3037,10 @@ INLINE          -       -       -       ;; -j REJECT
         <listitem>
           <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
           UNTRACKED packets through the NEW section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5).
-          When a packet in UNTRACKED state fails to match any rule in the
-          UNTRACKED section, the packet is disposed of based on this setting.
-          The default value is CONTINUE for compatibility with earlier
+          url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
+          packet in UNTRACKED state fails to match any rule in the UNTRACKED
+          section, the packet is disposed of based on this setting. The
+          default value is CONTINUE for compatibility with earlier
           versions.</para>
         </listitem>
       </varlistentry>
@@ -3038,9 +3052,9 @@ INLINE          -       -       -       ;; -j REJECT
         <listitem>
           <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
           do not match any rule in the UNTRACKED section of <ulink
-          url="shorewall-rules.html">shorewall-rules</ulink> (5) are
-          logged at this level. The default value is empty which means no
-          logging is performed.</para>
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          this level. The default value is empty which means no logging is
+          performed.</para>
         </listitem>
       </varlistentry>
 
@@ -3062,8 +3076,8 @@ INLINE          -       -       -       ;; -j REJECT
           <orderedlist>
             <listitem>
               <para>Both the DUPLICATE and the COPY columns in <ulink
-              url="shorewall-providers.html">providers</ulink>(5)
-              file must remain empty (or contain "-").</para>
+              url="shorewall-providers.html">providers</ulink>(5) file must
+              remain empty (or contain "-").</para>
             </listitem>
 
             <listitem>
@@ -3083,9 +3097,9 @@ INLINE          -       -       -       ;; -j REJECT
             <listitem>
               <para>Packets are sent through the main routing table by a rule
               with priority 999. In <ulink
-              url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5),
-              the range 1-998 may be used for inserting rules that bypass the
-              main table.</para>
+              url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5), the
+              range 1-998 may be used for inserting rules that bypass the main
+              table.</para>
             </listitem>
 
             <listitem>

Shorewall6/configfiles/snat

@@ -5,5 +5,7 @@
 #
 # See https://shorewall.org/manpages/shorewall-snat.html for more information
 #
-###########################################################################################################################################
-#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+?FORMAT 2
+###################################################################################################################################################
+#ACTION			SOURCE			DEST		PROTO	DPORT	SPORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
+

docs/blacklisting_support.xml

@@ -250,14 +250,36 @@ DROP            net:200.55.14.18        all
           </important>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>log</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.2.5. When specified, successful
+          'blacklist' and 'allow' commands will log a message to the system
+          log.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>noupdate</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.2.5. Normally, once an address has been
+          blacklisted, each time that a packet is received from the packet,
+          the ipset's entry for the address is updated to reset the timeout to
+          the value specifyed in the <option>timeout</option> option above.
+          Setting the <option>noupdate</option> option, inhibits this
+          resetting of the entry's timeout. This option is ignored when the
+          <option>timeout</option> option is not specified.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
 
     <para>When ipset-based dynamic blacklisting is enabled, the contents of
     the blacklist will be preserved over
     <command>stop</command>/<command>reboot</command>/<command>start</command>
-    sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
-    <replaceable>setname</replaceable> is included in the list of sets to be
-    saved in SAVE_IPSETS.</para>
+    sequences.</para>
   </section>
 
   <section>
@@ -275,4 +297,69 @@ DROP            net:200.55.14.18        all
     <command>shorewall show action BLACKLIST</command> command for
     details.</para>
   </section>
+
+  <section id="fail2ban">
+    <title>BLACKLIST and Fail2ban</title>
+
+    <para>The BLACKLIST command can be used as 'blocktype' in
+    /etc/fail2ban/actions.d/shorewall.conf. Prior to Shorewall 5.2.5, this
+    works best if there is no <emphasis role="bold">timeout</emphasis>
+    specified in the DYNAMIC_BLACKLIST setting or if <emphasis
+    role="bold">timeout=0</emphasis> is given.</para>
+
+    <para>Beginning with Shorewall 5.2.5, Shorewall includes new features that
+    allow fail2ban to work most seamlessly with Shorewall's ipset-based
+    dynamic blacklisting:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>When a <emphasis role="bold">timeout</emphasis> is specified in
+        the DYNAMIC_BLACKLIST setting, the dynamic-blacklisting ipset is
+        created with default timeout 0. As entries are added by BLACKLIST
+        policies or by the <emphasis role="bold">blacklist</emphasis> command,
+        the created entry is given the specified timeout value.</para>
+      </listitem>
+
+      <listitem>
+        <para>The <emphasis role="bold">noupdate</emphasis> option has been
+        added. Specifying this option prevents 'timeout 0' ipset entries from
+        being changed to finite timeout entries as a result of blacklisted ip
+        addresses continuing to send packets to the firewall.</para>
+      </listitem>
+
+      <listitem>
+        <para>The <emphasis role="bold">blacklist!</emphasis> command has been
+        added. specifying that command as the fail2ban 'blocktype' causes
+        entries created by fail2ban to persist until fail2ban unbans them
+        using the Shorewall <emphasis role="bold">allow</emphasis>
+        comand.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>There are a couple of additional things to note:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>The documentation in /etc/fail2ban/action.d/shorewall.conf
+        states that you should set BLACKLIST=All. A better approach when using
+        BLACKLIST as the 'blocktype' is to specify the <emphasis
+        role="bold">disconnect</emphasis> option in the setting of
+        DYNAMIC_BLACKLIST. With BLACKLIST=All, every packet entering the
+        firewall from the net must be checked against the dynamic-blacklisting
+        ipset. That is not required when you specify <emphasis
+        role="bold">disconnect</emphasis>.</para>
+      </listitem>
+
+      <listitem>
+        <para>The <emphasis role="bold">noupdate</emphasis> option allows
+        fail2ban full control when a host is 'unbanned'. The cost of using
+        this option is that after the specified <emphasis
+        role="bold">timeout</emphasis>, the entry for an attacking host will
+        be removed from the dynamic-blacklisting ipset, even if the host has
+        continued the attack while blacklisted. This isn't a great concern, as
+        the first attempt to access an unauthorized service will result in the
+        host being re-blacklisted.</para>
+      </listitem>
+    </itemizedlist>
+  </section>
 </article>

docs/configuration_file_basics.xml

@@ -663,7 +663,7 @@ ACCEPT      net:\
           <row>
             <entry>mangle</entry>
 
-            <entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
+            <entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers,probability,dscp,switch</entry>
           </row>
 
           <row>
@@ -738,6 +738,14 @@ ACCEPT      net:\
             <entry>secmark,chain,source,dest,proto,dport,sport,user,mark</entry>
           </row>
 
+          <row>
+            <entry>snat</entry>
+
+            <entry>action,source,dest,proto,port,sport,ipsec,mark,user,switch,origdest,probability
+            (Note: 'port' may be specified as 'dport', beginning with
+            Shorewall 5.2.6).</entry>
+          </row>
+
           <row>
             <entry>tcclasses</entry>
 
@@ -1867,6 +1875,9 @@ SSH(ACCEPT)    net:$MYIP      $FW
       </listitem>
     </itemizedlist>
 
+    <para>They may also be used as the parameter to SNAT() in <ulink
+    url="manpages/shorewall-snat.html">shorewall-snat</ulink>(5).</para>
+
     <para>For optional interfaces, if the interface is not usable at the time
     that the firewall starts, one of two approaches are taken, depending on
     the context:</para>

docs/docs-targetname

@@ -1 +1 @@
-5.2.5-Beta1
+5.2.6-RC1

docs/support.xml

@@ -42,10 +42,10 @@
     <itemizedlist>
       <listitem>
         <para>The currently-supported Shorewall <ulink
-        url="ReleaseModel.html">major release</ulink>s are 5.0 , 5.1 and 5.2.</para>
+        url="ReleaseModel.html">major release</ulink>s are , 5.1 and 5.2.</para>
 
         <note>
-          <para>Shorewall versions earlier than 5.0.0 are no longer supported;
+          <para>Shorewall versions earlier than 5.1.0 are no longer supported;
           we will try to help but we will not spend time reading earlier code
           to try to help you solve a problem and we will not release a patch
           to correct any defect found.</para>