Add target file(s) 5.2.8-base

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/Shorewall-core-targetname

@@ -1 +1 @@
-5.2.6-base
+5.2.8-RC1

Shorewall-core/lib.cli

@@ -247,10 +247,39 @@ search_log() # $1 = IP address to search for
 #
 # Show traffic control information
 #
-show_tc1() {
+show_one_classifier() {
+    local class
 
+    qt tc -s filter ls root dev $1 && tc -s filter ls root dev $device | grep -v '^$'
+    tc filter show dev $1
+    tc class show dev $1 | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
+	if [ -n "$class" ]; then
+	    echo
+	    echo Node $class
+	    tc filter show dev $device parent $class
+	fi
+    done
+    echo
+}
+
+show_classifier1() {
+    local device
+    local qdisc
+
+    device=${1%@*}
+    qdisc=$(tc qdisc list dev $device)
+    if [ -n "$qdisc" ]; then
+	echo Device $device:
+	show_one_classifier $device
+    fi
+}
+
+show_tc1() {
     show_one_tc() {
 	local device
+	local qdisc
+	local ingress
+
 	device=${1%@*}
 	qdisc=$(tc qdisc list dev $device)
 
@@ -260,6 +289,7 @@ show_tc1() {
 	    echo
 	    tc -s -d class show dev $device
 	    echo
+	    show_one_classifier $device "$qdisc"
 	fi
     }
 
@@ -270,7 +300,6 @@ show_tc1() {
 	    show_one_tc ${interface%:}
 	done
     fi
-
 }
 
 show_tc() {
@@ -291,28 +320,8 @@ show_tc() {
 #
 show_classifiers() {
 
-    show_one_classifier() {
-	local device
-	device=${1%@*}
-	qdisc=$(tc qdisc list dev $device)
-
-	if [ -n "$qdisc" ]; then
-	    echo Device $device:
-	    qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
-	    tc filter show dev $device
-	    tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
-		if [ -n "$class" ]; then
-		    echo
-		    echo Node $class
-		    tc filter show dev $device parent $class
-		fi
-	    done
-	    echo
-	fi
-    }
-
     ip -o link list | while read inx interface details; do
-	show_one_classifier ${interface%:}
+	show_classifier1 ${interface%:}
     done
 
 }
@@ -1017,6 +1026,8 @@ show_mangle() {
 show_classifiers_command() {
     echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
     echo
+    echo "Warning: This command is deprecated in favor of the 'show tc' command"
+    echo
     show_classifiers
 }
 
@@ -1904,8 +1915,6 @@ do_dump_command() {
     if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
 	show_tc1
-	heading "TC Filters"
-	show_classifiers
 	fi
 }
 
@@ -3596,7 +3605,7 @@ status_command() {
 
     [ $# -eq 0 ] || missing_argument
 
-    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
+    [ $VERBOSITY -ge 1 ] && echo "${g_product} $SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
     show_status
     [ -n "$interfaces" ] && show_interfaces
     exit $status
@@ -4010,9 +4019,15 @@ setup_dbl() {
 # the Standard CLI by loading lib.cli-std
 ################################################################################
 #
-# Set the configuration variables from shorewall[6]-lite.conf.
+# Set the configuration variables from shorewall[6]-lite.conf. This function
+# is replaced by the one in lib.cli-std (Shorewall product) when Shorewall or
+# Shorewall6 is being run.
 #
-get_config() {
+#     $1 = Yes: read the params file
+#     $2 = Yes: check for STARTUP_ENABLED
+#     $3 = Yes: Check for LOGFILE
+#
+lite_get_config() {
     local config
     local lib
 
@@ -4161,7 +4176,7 @@ get_config() {
 
 	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
 
-	    g_pager="| $g_pager"
+	    g_pager="2>&1 | $g_pager"
 	fi
     fi
 
@@ -4174,10 +4189,22 @@ get_config() {
     [ -f $lib ] && . $lib
 
 }
+
+#
+# get_config() -- calls the appropriate xxx_get_config()
+#
+get_config() {
+    if [ -z "$g_lite" ]; then
+	std_get_config $@
+    else
+	lite_get_config $@
+    fi
+}
+
 #
 # Start Command Executor
 #
-start_command() {
+lite_start_command() {
     local finished
     finished=0
 
@@ -4264,10 +4291,21 @@ start_command() {
     do_it
 }
 
+#
+# start_command() -- calls the appropriate xxx_start_command()
+#
+start_command() {
+    if [ -z "$g_lite" ]; then
+	std_start_command $@
+    else
+	lite_start_command $@
+    fi
+}
+
 #
 # Reload/Restart Command Executor
 #
-restart_command() {
+lite_restart_command() {
     local finished
     finished=0
     local rc
@@ -4336,6 +4374,17 @@ restart_command() {
     return $rc
 }
 
+#
+# restart_command() -- calls the appropriate xxx_restart_command()
+#
+restart_command() {
+    if [ -z "$g_lite" ]; then
+	std_restart_command $@
+    else
+	lite_restart_command $@
+    fi
+}
+
 run_command() {
     if [ -x $g_firewall ] ; then
 	run_it $g_firewall $@
@@ -4439,12 +4488,11 @@ usage() # $1 = exit status
     echo "   [ show | list | ls ] arptables"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
-    echo "   [ show | list | ls ] classifiers"
+    echo "   [ show | list | ls ] {classifiers|filters)"
     echo "   [ show | list | ls ] config"
     echo "   [ show | list | ls ] connections"
     echo "   [ show | list | ls ] event [ <event> ...]"
     echo "   [ show | list | ls ] events"
-    echo "   [ show | list | ls ] filters"
     echo "   [ show | list | ls ] ip"
 
     if [ $g_family -eq 4 ]; then
@@ -4705,7 +4753,7 @@ shorewall_cli() {
 	exit 1
     fi
 
-    banner="${g_product}-${SHOREWALL_VERSION} Status at $g_hostname -"
+    banner="${g_product} ${SHOREWALL_VERSION} Status at $g_hostname -"
 
     COMMAND=$1
 
@@ -4795,7 +4843,7 @@ shorewall_cli() {
 	logwatch)
 	    only_root
 	    get_config Yes Yes Yes
-	    banner="${g_product}-$SHOREWALL_VERSION Logwatch at $g_hostname -"
+	    banner="${g_product} $SHOREWALL_VERSION Logwatch at $g_hostname -"
 	    logwatch_command $@
 	    ;;
 	drop)

Shorewall-core/manpages/shorewall.xml

@@ -981,7 +981,22 @@
               <td><command>shorewall -6</command> or <command>shorewall
               -6l</command></td>
             </tr>
+
+            <tr>
+              <td><command>shorewall</command></td>
+
+              <td><command>shorewall -l</command></td>
+            </tr>
           </table>
+
+          <para>Note that when Shorewall isn't installed, the 'shorewall'
+          command behaves like shorewall-lite. The same is not true with
+          respect to Shorewall6, "shorewall6" and 'shorewall6-lite". You can
+          make 'shorewall6' behave like 'shorewallt-lite' by adding the
+          following command to root's .profile file (or to .bashrc, if root's
+          shell is bash):</para>
+
+          <programlisting>    alias shorewall6=shorewall6-lite</programlisting>
         </listitem>
       </varlistentry>
 
@@ -2527,7 +2542,9 @@
               <listitem>
                 <para>Displays information about the packet classifiers
                 defined on the system as a result of traffic shaping
-                configuration.</para>
+                configuration. Beginning with Shorewall 5.2.8, this command is
+                deprecated, as its output is included in the information
+                displayed by the 'show tc' command.</para>
               </listitem>
             </varlistentry>
 

Shorewall-core/uninstall.sh

@@ -134,6 +134,7 @@ fi
 
 remove_directory ${SHAREDIR}/shorewall
 remove_file ~/.shorewallrc
+remove_file ${SBINDIR}/shorewall
 
 #
 # Report Success

Shorewall/Macros/macro.NFS

@@ -0,0 +1,12 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.NFS
+#
+# This macro handles NFS v4.1+ traffic with default ports.
+# You should only allow NFS traffic between hosts you fully trust.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	111		# portmapper, rpcbind
+PARAM	-	-	tcp	2049		# nfs
+PARAM	-	-	tcp	20048		# mountd

Shorewall/Perl/Shorewall/Chains.pm

@@ -7478,9 +7478,9 @@ sub have_address_variables() {
 #
 # Generate setting of run-time global shell variables
 #
-sub set_global_variables( $$ ) {
+sub set_global_variables( $$$ ) {
 
-    my ( $setall, $conditional ) = @_;
+    my ( $setall, $conditional, $call_generate_all_acasts ) = @_;
 
     if ( $conditional ) {
 	my ( $interface, @interfaces );
@@ -7513,16 +7513,17 @@ sub set_global_variables( $$ ) {
     }
 
     if ( $setall ) {
-	emit $interfaceaddr{$_}         for sortkeysiftest %interfaceaddr;
-	emit $interfacenets{$_}         for sortkeysiftest %interfacenets;
+	if ( $conditional ) {
+	    emit $interfaceaddr{$_}         for sortkeysiftest %interfaceaddr;
+	    emit $interfacenets{$_}         for sortkeysiftest %interfacenets;
+	}
 
 	unless ( have_capability( 'ADDRTYPE' ) ) {
-
 	    if ( $family == F_IPV4 ) {
 		emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
 		emit $interfacebcasts{$_} for sortkeysiftest %interfacebcasts;
 	    } else {
-		emit 'ALL_ACASTS="$(get_all_acasts)"';
+		emit $call_generate_all_acasts;
 		emit $interfaceacasts{$_} for sortkeysiftest %interfaceacasts;
 	    }
 	}

Shorewall/Perl/Shorewall/Compiler.pm

@@ -276,12 +276,18 @@ sub generate_script_2() {
 
     emit "}\n"; # End of initialize()
 
+    #
+    # Conditionally emit the 'generate_all_acasts() function
+    #
+    my $call_generate_all_acasts = $family == F_IPV6 && ! have_capability( 'ADDRTYPE' ) ? generate_all_acasts : '';
+
     emit( '' ,
 	  '#' ,
 	  '# Set global variables holding detected IP information' ,
 	  '#' ,
 	  'detect_configuration()',
-	  '{' );
+	  '{'
+	);
 
     my $global_variables    = have_global_variables;
     my $optional_interfaces = find_interfaces_by_option( 'optional' );
@@ -312,7 +318,7 @@ sub generate_script_2() {
 
 	    if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 		verify_required_interfaces(0);
-		set_global_variables(0, 0);
+		set_global_variables( $family == F_IPV6, 0, $call_generate_all_acasts );
 		handle_optional_interfaces;
 	    }
 
@@ -326,7 +332,7 @@ sub generate_script_2() {
 	}
 
 	verify_required_interfaces(1);
-	set_global_variables(1,1);
+	set_global_variables(1, 1, $call_generate_all_acasts );
 	handle_optional_interfaces;
 
 	if ( $global_variables & NOT_RESTORE ) {

Shorewall/Perl/Shorewall/Config.pm

@@ -884,7 +884,7 @@ sub initialize($;$$$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => '5.2.7-Beta1',
+		    VERSION                 => '5.2.8-RC1',
 		    CAPVERSION              => 50207 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -5683,6 +5683,11 @@ sub process_shorewall_conf( $$ ) {
 	$globals{CONFIGDIR} =  $configfile = $file;
 	$globals{CONFIGDIR} =~ s/$product.conf//;
 
+	if ( $export ) {
+	    use Sys::Hostname;
+	    $globals{CONFIGDIR} = join( ':', hostname, $globals{CONFIGDIR} );
+	}
+
 	if ( -r _ ) {
 	    open_file $file;
 

Shorewall/Perl/Shorewall/Tc.pm

@@ -72,6 +72,9 @@ our %flow_keys = ( 'src'            => 1,
 #                              out_bandwidth => <value> ,
 #                              number        => <number>,
 #                              classify      => 0|1
+#                              flow          => Comma-separated flow tupple
+#                              classify      => 0|1
+#                              pfifo         => 0|1
 #                              tablenumber   => <next u32 table to be allocated for this device>
 #                              default       => <default class mark value>
 #                              redirected    => [ <dev1>, <dev2>, ... ]
@@ -80,6 +83,13 @@ our %flow_keys = ( 'src'            => 1,
 #                              qdisc         => htb|hfsc
 #                              guarantee     => <total RATE of classes seen so far>
 #                              name          => <interface>
+#                              filters       => [ filter, ... ]
+#                              linklayer     => <type> (optional)
+#                              overhead      => <number>
+#                              mtu           => <number>
+#                              tsize         => <number>
+#                              filterpri     => <number> (initially 0)
+#                              connmark      => 0|1
 #                                               }
 #
 our @tcdevices;
@@ -365,9 +375,7 @@ sub process_simple_device() {
 
     emit( "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32" .
 	  "\\\n    match ip6 protocol 6 0xff" .
-	  "\\\n    match u8 0x05 0x0f at 0" .
-	  "\\\n    match u16 0x0000 0xffc0 at 2" .
-	  "\\\n    match u8 0x10 0xff at 33 flowid $number:1\n" );
+	  "\\\n    match u8 0x10 0xff at 53 flowid $number:1\n" );
 
     save_progress_message_short qq("   TC Device $physical defined.");
 
@@ -2394,7 +2402,6 @@ sub setup_tc( $ ) {
     }
 
     if ( $config{MANGLE_ENABLED} ) {
-
 	if ( $convert ) {
 	    my $have_tcrules;
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -103,6 +103,7 @@ our @EXPORT = ( qw( NOTHING
 		    find_zone_hosts_by_option
 		    find_zones_by_option
 		    have_ipsec
+		    generate_all_acasts
 		 ),
 	      );
 
@@ -176,7 +177,8 @@ our %reservedName = ( all => 1,
 #				      number	  => <ordinal position in the interfaces file>
 #				      physical	  => <physical interface name>
 #				      base	  => <shell variable base representing this interface>
-#				      wildcard	  => undef|1 # Wildcard Name
+#				      wildcard	  => undef|1 # Wildcard Logical Name
+#				      physwild	  => undef|1 # Wildcard Physical Name
 #				      zones	  => { zone1 => 1, ... }
 #				      origin	  => <where defined>
 #				    }
@@ -418,7 +420,8 @@ sub initialize( $$ ) {
 		       32  => 'loopback',
 		       64  => 'local' );
     } else {
-	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
+	%validinterfaceoptions = (
+				    accept_ra	=> NUMERIC_IF_OPTION,
 				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dbl         => ENUM_IF_OPTION   + IF_OPTION_WILDOK,
@@ -430,6 +433,7 @@ sub initialize( $$ ) {
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nodbl       => SIMPLE_IF_OPTION,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+				    omitanycast	=> SIMPLE_IF_OPTION + IF_OPTION_WILDOK,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
@@ -1370,7 +1374,7 @@ sub process_interface( $$ ) {
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
 		if ( $option eq 'arp_ignore' ) {
-		    fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $wildcard;
+		    fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $physwild;
 		    if ( defined $value ) {
 			if ( $value =~ /^[1-3,8]$/ ) {
 			    $options{arp_ignore} = $value;
@@ -1487,7 +1491,7 @@ sub process_interface( $$ ) {
 
 	if ( $options{bridge} ) {
 	    require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
-	    fatal_error "Bridges may not have wildcard names" if $wildcard;
+	    fatal_error "Bridges may not have wildcard names" if $physwild;
 	    $hostoptions{routeback} = $options{routeback} = 1 unless supplied $options{routeback};
 	}
 
@@ -1536,7 +1540,7 @@ sub process_interface( $$ ) {
 						   zones      => {},
 						   origin     => shortlineinfo( '' ),
 						   wildcard   => $wildcard,
-						   physwild   => $physwild, # Currently unused
+						   physwild   => $physwild,
 					         };
 
     $interfaces{$physical} = $interfaceref if $physical ne $interface;
@@ -1717,6 +1721,7 @@ sub known_interface($)
 					       physical => $physical ,
 					       base     => $interfaceref->{base} ,
 					       wildcard => $interfaceref->{wildcard} ,
+					       physwild => $interfaceref->{physwild} ,
 					       zones    => $interfaceref->{zones} ,
 		                              };
 		return $interfaceref;
@@ -2385,4 +2390,110 @@ sub find_zones_by_option( $$ ) {
     \@zns;
 }
 
+#
+# Generate the shell code to populate the ALL_ACASTS run-time variable
+#
+
+sub generate_all_acasts() {
+    my ( @acasts, @noacasts, @wildacasts, @wildnoacasts );
+
+    for my $interface ( @interfaces ) {
+	my $interfaceref = $interfaces{$interface};
+	my $physical     = $interfaceref->{physical};
+
+	next if ( $interfaceref->{options}{port} ||
+		  $interfaceref->{options}{unmanaged} );
+
+	if ( $interfaceref->{physwild} ) {
+	    $physical =~ s/\+/*/;
+
+	    if ( $interfaceref->{options}{omitanycast} ) {
+		if ( $physical eq '*' ) {
+		    @wildnoacasts = ( '*' );
+		} else {
+		    push @wildnoacasts, $physical;
+		}
+	    } else {
+		if ( $physical eq '*' ) {
+		    @wildacasts = ( '*' );
+		} else {
+		    push @wildacasts, $physical;
+		}
+	    }
+	} else {
+	    if ( $interfaceref->{options}{omitanycast} ) {
+		push @noacasts, $physical;
+	    } else {
+		push @acasts, $physical;
+	    }
+	}
+    }
+
+    return 'ALL_ACASTS="$(get_all_acasts)"' unless @noacasts || @wildnoacasts;
+
+    @wildacasts = '*' unless @wildacasts;
+
+    emit( "#\n# Populate the ALL_ACASTS variable\n#",
+	  'generate_all_acasts()',
+	  '{' );
+    push_indent;
+
+    emit( 'ALL_ACASTS=',
+	  '',
+	  'for iface in $(find_all_interfaces1); do' );
+
+    push_indent;
+
+    emit( 'case $iface in' );
+
+    push_indent;
+
+    if ( @noacasts ) {
+	unless ( @wildacasts ) {
+	    push @noacasts, @wildnoacasts;
+	    @wildnoacasts = ();
+	}
+
+	emit( join( '|', @noacasts) . ')',
+	      '    ;;' );
+    }
+
+    if ( @wildnoacasts ) {
+	if ( @acasts ) {
+	    emit( join( '|', @acasts) . ')',
+		  '    if [ -n "$ALL_ACASTS" ]; then',
+		  '        ALL_ACASTS="$ALL_ACASTS $(get_interface_acasts $iface)"',
+		  '    else',
+		  '        ALL_ACASTS="$(get_interface_acasts $iface)"',
+		  '    fi',
+		  '    ;;' );
+	}
+
+	emit( join( '|', @wildnoacasts) . ')',
+	      '    ;;' );
+
+    } else {
+	@wildacasts = ( '*' );
+    }
+
+    if ( @wildacasts ) {
+	emit( join( '|', @wildacasts ) . ')',
+	      '    if [ -n "$ALL_ACASTS" ]; then',
+	      '        ALL_ACASTS="$ALL_ACASTS $(get_interface_acasts $iface)"',
+	      '    else',
+	      '        ALL_ACASTS="$(get_interface_acasts $iface)"',
+	      '    fi',
+	      '    ;;' );
+    }
+
+    pop_indent;
+    emit( 'esac');
+    pop_indent;
+    emit( 'done');
+    pop_indent;
+    emit( "}\n" );
+
+    return 'generate_all_acasts';
+}
+
 1;

Shorewall/Perl/compiler.pl

@@ -47,7 +47,7 @@
 #
 use strict;
 use FindBin;
-use lib "$FindBin::Bin";
+use lib "$FindBin::Bin"; # Required to allow modules to reside in ${BASEDIR}/Shorewall/
 use Shorewall::Compiler;
 use Getopt::Long;
 

Shorewall/Shorewall-targetname

@@ -1 +1 @@
-5.2.7-Beta1
+5.2.8-base

Shorewall/lib.cli-std

@@ -29,7 +29,7 @@
 #     $2 = Yes: check for STARTUP_ENABLED
 #     $3 = Yes: Check for LOGFILE
 #
-get_config() {
+std_get_config() {
     local prog
     local lib
 
@@ -216,6 +216,8 @@ get_config() {
 		echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
 		SHOREWALL_SHELL=/bin/sh
 	    fi
+	else
+	    SHOREWALL_SHELL=/bin/sh
 	fi
 
 	if [ -n "$IP" ]; then
@@ -332,7 +334,7 @@ get_config() {
 
 	    [ -x "$g_pager" ] || fatal_error "PAGER $g_pager is not executable"
 
-	    g_pager="| $g_pager"
+	    g_pager="2>&1 | $g_pager"
 	fi
     fi
 
@@ -566,7 +568,7 @@ compiler() {
 #
 # Start Command Executor
 #
-start_command() {
+std_start_command() {
     local finished
     finished=0
     local rc
@@ -965,7 +967,7 @@ update_command() {
 #
 # Reload/Restart Command Executor
 #
-restart_command() {
+std_restart_command() {
     local finished
     finished=0
     local rc

Shorewall/manpages/shorewall-interfaces.xml

@@ -653,6 +653,56 @@ loc     eth2            -</programlisting>
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term>omitanycast</term>
+
+              <listitem>
+                <para>IPv6 only. Added in Shorewall 5.2.8.</para>
+
+                <para>Shorewall6 has traditionally generated rules for IPv6
+                <emphasis>anycast</emphasis> addresses. These rules
+                include:</para>
+
+                <orderedlist numeration="loweralpha">
+                  <listitem>
+                    <para>Packets with these destination IP addresses are
+                    dropped by REJECT rules.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Packets with these source IP addresses are dropped
+                    by the 'nosmurfs' interface option and by the 'dropSmurfs'
+                    action.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Packets with these destination IP addresses are not
+                    logged during policy enforcement.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Packets with these destination IP addresses are
+                    processes by the 'Broadcast' action.</para>
+                  </listitem>
+                </orderedlist>
+
+                <para>This can be inhibited for individual interfaces by
+                specifying <emphasis role="bold">noanycast</emphasis> for
+                those interfaces.</para>
+
+                <note>
+                  <para>RFC 2526 describes IPv6 subnet anycast addresses. The
+                  RFC makes a distinction between subnets with "IPv6 address
+                  types required to have 64-bit interface identifiers in
+                  EUI-64 format" and all other subnets. When generating these
+                  anycast addresses, the Shorewall compiler does not make this
+                  distinction and unconditionally assumes that the last 128
+                  addresses in the subnet are reserved as anycast
+                  addresses.</para>
+                </note>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">optional</emphasis></term>
 

Shorewall/manpages/shorewall-snat.xml

@@ -207,9 +207,6 @@
                 the IP addresses configured on the interface named in the DEST
                 column and substitute them in this column.</para>
 
-                <para>Finally, you may also specify a comma-separated list of
-                ranges and/or addresses in this column.</para>
-
                 <para>DNS Names names are not allowed.</para>
 
                 <para>Normally, Netfilter will attempt to retain the source
@@ -805,21 +802,16 @@
         <term>IPv4 Example 6:</term>
 
         <listitem>
-          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
-          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
-          (Shorewall 4.5.9 and later).</para>
+          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 randomly
+          to addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9 (Shorewall 5.0.0 and
+          later).</para>
 
-          <programlisting>/etc/shorewall/tcrules:
-
-       #ACTION   SOURCE         DEST         PROTO   DPORT         SPORT    USER    TEST
-       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
-
-/etc/shorewall/snat:
+          <programlisting>/etc/shorewall/snat:
 
        #ACTION                 SOURCE          DEST
-       SNAT(1.1.1.1)           192.168.1.0/24  eth0  { mark=1:C }
-       SNAT(1.1.1.3)           192.168.1.0/24  eth0  { mark=2:C }
-       SNAT(1.1.1.9)           192.168.1.0/24  eth0  { mark=3:C }</programlisting>
+       SNAT(1.1.1.1)           192.168.1.0/24  eth0  { probability=0.33 }
+       SNAT(1.1.1.3)           192.168.1.0/24  eth0  { probability=0.50 }
+       SNAT(1.1.1.9)           192.168.1.0/24  eth0</programlisting>
         </listitem>
       </varlistentry>
 

Shorewall/uninstall.sh

@@ -149,7 +149,9 @@ if [ $configure -eq 1 ]; then
     fi
 fi
 
-remove_file ${SBINDIR}/$PRODUCT
+if [ $PRODUCT = shorewall6 ]; then
+    remove_file ${SBINDIR}/shorewall6
+fi
 
 if [ -h ${SHAREDIR}/$PRODUCT/init ]; then
     FIREWALL=$(readlink -m -q ${SHAREDIR}/$PRODUCT/init)

Shorewall6/configfiles/tcpri

@@ -6,5 +6,6 @@
 # See https://shorewall.org/simple_traffic_shaping.htm for additional
 # information.
 #
+?FORMAT 2
 ###############################################################################
 #BAND	PROTO	DPORT	SPORT	ADDRESS		INTERFACE	HELPER

docs/FAQ.xml

@@ -2592,7 +2592,7 @@ eth0            External        50mbit:200kb            5.0mbit:100kb:200ms:100m
       <programlisting><emphasis role="bold">ethtool -K eth<emphasis>N</emphasis> tso off gso off</emphasis></programlisting>
     </section>
 
-    <section>
+    <section id="faq97a">
       <title>(FAQ 97a) I enable Shorewall traffic shaping and now my download
       rate is way below what I specified</title>
 

docs/ISO-3661.xml

@@ -57,11 +57,8 @@
 </programlisting>
 
     <para>Using this feature requires the <firstterm>GeoIP Match</firstterm>
-    capability in your iptables and kernel. As of this writing, that
-    capability requires installing <ulink
-    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink> 1.33
-    or later and <ulink
-    url="http://xtables-addons.sourceforge.net/geoip.php">creating a
+    capability in your iptables and kernel. That capability requires <ulink
+    url="https://dev.maxmind.com/geoip/geoip2/geolite2/">creating a
     country-code database</ulink>.</para>
 
     <para>The Shorewall compiler uses the geoip country-code database to
@@ -83,11 +80,19 @@
     <para>To accomodate both big-endian and little-endian machines as well as
     any future ability to install the database at another location, Shorewall
     supports a GEOIPDIR option in <ulink
-    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and <ulink
-    url="manpages/shorewall.conf.html">shorewall6.conf</ulink> (5). The
-    default value of that option is
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5) and <ulink
+    url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5). The default
+    value of that option is
     <filename>/usr/share/xt_geoip/LE</filename>.</para>
 
+    <important>
+      <para>Recent versions of the country-code database are installed in
+      <filename>/usr/share/xt_geoip/, regardless of endian convention. This
+      requires modifying the setting of GEOIPDIR in <ulink
+      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and <ulink
+      url="manpages/shorewall.conf.html">shorewall6.conf</ulink>(5).</filename></para>
+    </important>
+
     <para>The country codes at the time of this writing are shown in the
     following two sections.</para>
   </section>

docs/SharedConfig.xml

@@ -1150,7 +1150,7 @@ TCPMSS(pmtu,none) { PROTO=tcp }
       <programlisting>#TYPE			ZONE		GATEWAY			GATEWAY_ZONE
 ipsecnat {ZONE=net,  GATEWAY=$ALL, GATEWAY_ZONE=vpn }
 ipsecnat {ZONE=loc,  GATEWAY=$ALL, GATEWAY_ZONE=vpn }
-</programlisting>
+ipsecnat {ZONE=wlan, GATEWAY=$ALL, GATEWAY_ZONE=vpn }</programlisting>
     </section>
 
     <section>

docs/Shorewall-Lite.xml

@@ -547,6 +547,18 @@
             <command>remote-reload</command> command (e.g., <command>shorewall
             remote-reload -c gateway</command>).</para>
           </listitem>
+
+          <listitem>
+            <para>Shorewall6-lite works with Shorewall6 in the same way that
+            Shorewall-lite works with Shorewall. Beginning with Shorewall
+            5.0.0, running 'shorewall &lt;cmd&gt;" is the same as running
+            "shorewall-lite &lt;cmd&gt;" when Shorewall is not installed.. To
+            continue to use the "shorewall6" command after switching to
+            Shoerwall6-lite, you need to add this to your .profile (or to
+            .bashrc if root's shell is bash):</para>
+
+            <programlisting>    alias shorewall6=shorewall6-lite</programlisting>
+          </listitem>
         </orderedlist>
       </section>
     </section>

docs/docs-targetname

@@ -1 +1 @@
-5.2.7-Beta1
+5.2.8-RC1

docs/ipsets.xml

@@ -145,7 +145,8 @@ ACCEPT       net:+sshok       $FW      tcp      22</programlisting></para>
     <para>Beginning with Shorewall 4.4.14, multiple source or destination
     matches may be specified by placing multiple set names in '+[...]' (e.g.,
     +[myset,myotherset]). When so enclosed, the set names need not be prefixed
-    with a plus sign.</para>
+    with a plus sign. When such a list of sets is specified, matching packets
+    must match all of the listed sets.</para>
 
     <para>Shorewall can save/restore your ipset contents with certain
     restrictions:</para>

docs/simple_traffic_shaping.xml

@@ -93,6 +93,13 @@
     qdisc but seems to provide a benefit when the actual link output
     temporarily drops below the limit imposed by tbf or when tbf allows a
     burst of traffic to be released.</para>
+
+    <caution>
+      <para>IPSec traffic passes through traffic shaping twice - once en clair
+      and once encrypted and encapsulated. As a result, throughput may be
+      significantly less than configured if IPSEC packets form a significant
+      percentage of the traffic being shaped.</para>
+    </caution>
   </section>
 
   <section>
@@ -366,5 +373,9 @@ COMMENT And place echo requests in band 1 to avoid false line-down reports
       <para>Please note that Shorewall numbers the bands 1-3 whereas PRIO(8)
       refers to them as bands 0-2.</para>
     </caution>
+
+    <para>If you encounter performance problems after enabling simple traffic
+    shaping, check out <ulink url="FAQ.htm#faq97">FAQ 97</ulink> and <ulink
+    url="FAQ.htm#faq97a">FAQ97a</ulink></para>
   </section>
 </article>

docs/traffic_shaping.xml

@@ -385,6 +385,14 @@
             The default burst is 10kb, but on my 50mbit line, I specify 200kb.
             (50mbit:200kb).</para>
           </note>
+
+          <caution>
+            <para>Incoming IPSec traffic traverses traffic shaping twice -
+            firs as encrypted and encapsulated ESP packets and then en clair.
+            As a result, incoming bandwidth can be significantly less than
+            specified if IPSEC packets form a significant part of inoming
+            traffic.</para>
+          </caution>
         </listitem>
 
         <listitem>