Correct syntax error when REQUIRE_INTERFACE=Yes

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Samples/one-interface/shorewall.conf

@@ -205,6 +205,8 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
+REQUIRE_INTERFACE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/three-interfaces/shorewall.conf

@@ -205,6 +205,8 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
+REQUIRE_INTERFACE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples/two-interfaces/shorewall.conf

@@ -212,6 +212,8 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
+REQUIRE_INTERFACE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/one-interface/shorewall6.conf

@@ -153,6 +153,8 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
+REQUIRE_INTERFACE=No
+
 ##############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/three-interfaces/shorewall6.conf

@@ -153,6 +153,8 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
+REQUIRE_INTERFACE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Samples6/two-interfaces/shorewall6.conf

@@ -153,6 +153,8 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=Yes
 
+REQUIRE_INTERFACE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall-init/install.sh

@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.10
+VERSION=4.4.10.3
 
 usage() # $1 = exit status
 {
@@ -285,7 +285,12 @@ fi
 if [ -z "$DESTDIR" ]; then
     if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
-	    ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
+	    if [ -x /sbin/insserv ]; then
+		insserv /etc/init.d/shorewall-init
+	    else
+		ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
+	    fi
+
 	    echo "Shorewall Init will start automatically at boot"
 	else
 	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then

Shorewall-init/shorewall-init.spec

@@ -1,6 +1,6 @@
 %define name shorewall-init
 %define version 4.4.10
-%define release 0base
+%define release 3
 
 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@@ -99,8 +99,16 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+* Sun Jul 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-3
+* Thu Jun 24 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-2
+* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-1
+* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
+* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC3
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net

Shorewall-init/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.10
+VERSION=4.4.10.3
 
 usage() # $1 = exit status
 {

Shorewall-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.10
+VERSION=4.4.10.3
 
 usage() # $1 = exit status
 {
@@ -354,7 +354,13 @@ if [ -z "$DESTDIR" ]; then
     if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
-	    ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
+
+	    if [ -x /sbin/insserv ]; then
+		insserv /etc/init.d/shorewall-lite
+	    else
+		ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
+	    fi
+
 	    echo "Shorewall Lite will start automatically at boot"
 	else
 	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then

Shorewall-lite/shorewall-lite

@@ -777,14 +777,9 @@ case "$COMMAND" in
 	g_restorepath=${VARDIR}/$RESTOREFILE
 
 	if [ -x $g_restorepath ]; then
-
-	    if [ -x ${g_restorepath}-ipsets ]; then
-		rm -f ${g_restorepath}-ipsets
-		echo "    ${g_restorepath}-ipsets removed"
-	    fi
-
 	    rm -f $g_restorepath
 	    rm -f ${g_restorepath}-iptables
+	    rm -f ${g_restorepath}-ipsets
 	    echo "    $g_restorepath removed"
 	elif [ -f $g_restorepath ]; then
 	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"

Shorewall-lite/shorewall-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.4.10
-%define release 0base
+%define release 3
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -102,8 +102,16 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+* Sun Jul 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-3
+* Thu Jun 24 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-2
+* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-1
+* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
+* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC3
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net

Shorewall-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.10
+VERSION=4.4.10.3
 
 usage() # $1 = exit status
 {

Shorewall/Perl/Shorewall/Actions.pm

@@ -57,7 +57,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_10';
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -834,7 +834,7 @@ sub allowBcast( $$$ ) {
 	    add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
 	} else {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
-	    add_rule $chainref, '-d ff00:/10 -j ACCEPT';
+	    add_rule $chainref, '-d ff00::/10 -j ACCEPT';
 	}
     }
 }
@@ -868,7 +868,8 @@ sub allowInvalid ( $$$ ) {
 }
 
 sub forwardUPnP ( $$$ ) {
-    dont_optimize 'forwardUPnP';
+    my $chainref = dont_optimize 'forwardUPnP';
+    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
 }
 
 sub allowinUPnP ( $$$ ) {

Shorewall/Perl/Shorewall/Chains.pm

@@ -161,6 +161,8 @@ our %EXPORT_TAGS = (
 				       get_interface_mac
 				       have_global_variables
 				       set_global_variables
+				       save_dynamic_chains
+				       load_ipsets
 				       create_netfilter_load
 				       preview_netfilter_load
 				       create_chainlist_reload
@@ -3591,6 +3593,128 @@ sub emitr1( $$ ) {
     }
 }
 
+#
+# Emit code to save the dynamic chains to hidden files in ${VARDIR}
+#
+
+sub save_dynamic_chains() {
+
+    my $tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
+
+    emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
+    push_indent;
+
+emit <<"EOF";
+if chain_exists 'UPnP -t nat'; then
+    $tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
+else
+    rm -f \${VARDIR}/.UPnP
+fi
+
+if chain_exists forwardUPnP; then
+    $tool -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
+else
+    rm -f \${VARDIR}/.forwardUPnP
+fi
+
+if chain_exists dynamic; then
+    $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
+else
+    rm -f \${VARDIR}/.dynamic
+fi
+EOF
+
+    pop_indent;
+    emit ( 'else' );
+    push_indent;
+
+emit <<"EOF";
+rm -f \${VARDIR}/.UPnP
+rm -f \${VARDIR}/.forwardUPnP
+
+if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then
+    if chain_exists dynamic; then
+        $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
+    fi
+fi
+EOF
+    pop_indent;
+
+    emit ( 'fi' ,
+	   '' );
+}
+
+sub load_ipsets() {
+
+    my @ipsets = all_ipsets;
+
+    if ( @ipsets || $config{SAVE_IPSETS} ) {
+	emit ( '',
+	       'local hack',
+	       '',
+	       'case $IPSET in',
+	       '    */*)',
+	       '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
+	       '        ;;',
+	       '    *)',
+	       '        IPSET="$(mywhich $IPSET)"',
+	       '        [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
+	       '        ;;',
+	       'esac',
+	       '',
+	       'if [ "$COMMAND" = start ]; then' ,
+	       '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+	       '        $IPSET -F' ,
+	       '        $IPSET -X' ,
+	       '        $IPSET -R < ${VARDIR}/ipsets.save' ,
+	       '    fi' ,
+	       'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
+	       '    if [ -f $(my_pathname)-ipsets ]; then' ,
+	       '        if chain_exists shorewall; then' ,
+	       '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
+	       '        else' ,
+	       '            $IPSET -F' ,
+	       '            $IPSET -X' ,
+	       '            $IPSET -R < $(my_pathname)-ipsets' ,
+	       '        fi' ,
+	       '    fi' ,
+	     );
+	
+	if ( @ipsets ) {
+	    emit '';
+
+	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+	    emit ( '' ,
+		   'elif [ "$COMMAND" = restart ]; then' ,
+		   '' );
+
+	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+	    emit ( '' ,
+		   '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
+		   '        #',
+		   '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
+		   '        #',
+		   '        hack=\'| grep -v /31\'' ,
+		   '    else' ,
+		   '        hack=' ,
+		   '    fi' ,
+		   '',
+		   '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
+		   '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
+		   '    fi',
+		   'elif [ "$COMMAND" = refresh ]; then' );
+
+	    emit ( "   qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+	}
+
+	emit ( 'fi' ,
+	       '' );
+    }
+}
+
+#
 #
 # Generate the netfilter input
 #

Shorewall/Perl/Shorewall/Compiler.pm

@@ -303,7 +303,6 @@ sub generate_script_2() {
     
 }
 
-#
 # Final stage of script generation.
 #
 #    Generate code for loading the various files in /var/lib/shorewall[6][-lite]
@@ -354,80 +353,17 @@ sub generate_script_3($) {
     }
 
     if ( $family == F_IPV4 ) {
-	my @ipsets = all_ipsets;
-
-	if ( @ipsets || $config{SAVE_IPSETS} ) {
-	    emit ( '',
-		   'local hack',
-		   '',
-		   'case $IPSET in',
-		   '    */*)',
-		   '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
-		   '        ;;',
-		   '    *)',
-		   '        IPSET="$(mywhich $IPSET)"',
-		   '        [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
-		   '        ;;',
-		   'esac',
-		   '',
-		   'if [ "$COMMAND" = start ]; then' ,
-		   '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-		   '        $IPSET -F' ,
-		   '        $IPSET -X' ,
-		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
-		   '    fi' ,
-		   'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
-		   '    if [ -f $(my_pathname)-ipsets ]; then' ,
-		   '        if chain_exists shorewall; then' ,
-		   '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
-		   '        else' ,
-		   '            $IPSET -F' ,
-		   '            $IPSET -X' ,
-		   '            $IPSET -R < $(my_pathname)-ipsets' ,
-		   '        fi' ,
-		   '    fi' ,
-		 );
-
-	    if ( @ipsets ) {
-		emit '';
-
-		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
-		emit ( '' ,
-		       'elif [ "$COMMAND" = restart ]; then' ,
-		       '' );
-
-		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
-		emit ( '' ,
-		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
-		       '        #',
-		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
-		       '        #',
-		       '        hack=\'| grep -v /31\'' ,
-		       '    else' ,
-		       '        hack=' ,
-		       '    fi' ,
-		       '',
-		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
-		       '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
-		       '    fi' );
-	    }
-
-	    emit ( 'fi',
-		   '' );
-	}
+	load_ipsets;
 
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
-	       '   run_refresh_exit' );
-
-	emit ( "   qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
-	emit ( 'else' ,
+	       '   run_refresh_exit' ,
+	       'else' ,
 	       '    run_init_exit',
 	       'fi',
 	       '' );
 
+	save_dynamic_chains;
+
 	mark_firewall_not_started;
 
 	emit ('',
@@ -450,6 +386,7 @@ sub generate_script_3($) {
     } else {
 	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', 
 	       '' );
+	save_dynamic_chains;
 	mark_firewall_not_started;
 	emit '';
     }
@@ -520,7 +457,6 @@ EOF
         set_state "Started"
     else
         setup_netfilter
-        restore_dynamic_rules
         conditionally_flush_conntrack
 EOF
     setup_forwarding( $family , 0 );

Shorewall/Perl/Shorewall/Config.pm

@@ -341,7 +341,7 @@ sub initialize( $ ) {
 		    EXPORT => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED => 0,
-		    VERSION => "4.4.10",
+		    VERSION => "4.4.10.3",
 		    CAPVERSION => 40408 ,
 		  );
 
@@ -1899,9 +1899,11 @@ sub default ( $$ ) {
 sub default_yes_no ( $$ ) {
     my ( $var, $val ) = @_;
 
-    my $curval = "\L$config{$var}";
+    my $curval = $config{$var};
 
     if ( defined $curval && $curval ne '' ) {
+	$curval = lc $curval;
+
 	if (  $curval eq 'no' ) {
 	    $config{$var} = '';
 	} else {
@@ -2351,7 +2353,7 @@ sub IPSet_Match() {
     my $ipset  = $config{IPSET} || 'ipset';
     my $result = 0;
 
-    $ipset = which $ipset unless $ipset =~ '//';
+    $ipset = which $ipset unless $ipset =~ '/';
 
     if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );

Shorewall/Perl/Shorewall/Providers.pm

@@ -905,7 +905,7 @@ sub handle_optional_interfaces( $ ) {
 	
 	    emit( '                fatal_error "No network interface available"',
 		  '            else',
-		  '                startup_error "No network interface available',
+		  '                startup_error "No network interface available"',
 		  '            fi',
 		  '            ;;',
 		  '    esac',

Shorewall/Perl/Shorewall/Rules.pm

@@ -443,6 +443,7 @@ sub add_common_rules() {
 	add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), ' ' , 'reject' , $level ;
 	$chainref = dont_optimize( new_standard_chain( 'dynamic' ) );
 	add_jump $filter_table->{$_}, $chainref, 0, $state for qw( INPUT FORWARD );
+	add_commands( $chainref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
     }
 
     setup_mss;
@@ -647,7 +648,9 @@ sub add_common_rules() {
 	if ( @$list ) {
 	    progress_message2 "$doing UPnP";
 
-	    dont_optimize new_nat_chain( 'UPnP' );
+	    $chainref = dont_optimize new_nat_chain( 'UPnP' );
+
+	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
 
 	    $announced = 1;
 

Shorewall/Perl/Shorewall/Zones.pm

@@ -633,7 +633,9 @@ sub add_group_to_zone($$$$$)
     my $allip    = 0;
 
     for my $host ( @$networks ) {
-	$interfaces{$interface}{nets}++;
+	$interfaceref = $interfaces{$interface};
+
+	$interfaceref->{nets}++;
 
 	fatal_error "Invalid Host List" unless defined $host and $host ne '';
 
@@ -650,6 +652,13 @@ sub add_group_to_zone($$$$$)
 		if ( $host eq ALLIP ) {
 		    fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if @newnetworks;
 		    $interfaces{$interface}{zone} = $zone;
+		    #
+		    # Make 'find_hosts_by_option()' work correctly for this zone
+		    #
+		    for ( qw/blacklist maclist nosmurfs tcpflags/ ) {
+			$options->{$_} = 1 if $interfaceref->{options}{$_};
+		    }
+
 		    $allip = 1;
 		}
 	    }
@@ -1186,6 +1195,7 @@ sub find_interfaces_by_option1( $ ) {
     for my $interface ( keys %interfaces ) {
 	my $interfaceref = $interfaces{$interface};
 
+	next unless defined $interfaceref->{physical};
 	next if $interfaceref->{physical} =~ /\+/;
 
 	my $optionsref = $interfaceref->{options};

Shorewall/Perl/prog.footer

@@ -218,6 +218,7 @@ case "$COMMAND" in
 	else
 	    error_message "$g_product is not running"
 	    progress_message3 "Starting $g_product...."
+	    COMMAND=start
 	fi
 
 	detect_configuration

Shorewall/Perl/prog.footer6

@@ -219,6 +219,7 @@ else
 	    else
 		error_message "$g_product is not running"
 		progress_message3 "Starting $g_product...."
+		COMMAND=start
 	    fi
 
 	    detect_configuration

Shorewall/Perl/prog.header

@@ -774,34 +774,6 @@ run_tc() {
     fi
 }
 
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
 #
 # Get a list of all configured broadcast addresses on the system
 #

Shorewall/Perl/prog.header6

@@ -728,34 +728,6 @@ run_tc() {
     fi
 }
 
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
 #
 # Run the .iptables_restore_input as a set of discrete iptables commands
 #

Shorewall/changelog.txt

@@ -1,3 +1,29 @@
+Changes in Shorewall 4.4.10.3
+
+1)  Fix 'debug' and 'trace' handling.
+
+2)  Make find_hosts_by_option() work correctly where ALL_IP appears in
+    hosts file.
+
+3)  Correct syntax error in the generated script when REQUIRE_INTERFACE=Yes.
+
+Changes in Shorewall 4.4.10.2
+
+1)  Make IPv6 log and connections output readable.
+
+2)  Add REQUIRE_INTERFACE to shorewall*.conf
+
+3)  Avoid run-time diagnostic when options are omitted from
+    shorewall*.conf.
+
+4)  On Debian, run insserv when it is installed.
+
+Changes in Shorewall 4.4.10.1
+
+1)  Apply patch from Gabriel.
+
+2)  Fix IPSET match detection when a pathname is specified for IPSET.
+
 Changes in Shorewall 4.4.10
 
 1)  Fix regression with scripts.

Shorewall/configfiles/shorewall.conf

@@ -194,6 +194,8 @@ OPTIMIZE_ACCOUNTING=No
 
 LOAD_HELPERS_ONLY=No
 
+REQUIRE_INTERFACE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

Shorewall/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.10
+VERSION=4.4.10.3
 
 usage() # $1 = exit status
 {
@@ -867,7 +867,13 @@ fi
 if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
     if [ -n "$DEBIAN" ]; then
 	install_file default.debian /etc/default/shorewall 0644
-	ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
+
+	if [ -x /sbin/insserv ]; then
+	    insserv /etc/init.d/shorewall
+	else
+	    ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
+	fi
+
 	echo "shorewall will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall to enable"
 	touch /var/log/shorewall-init.log

Shorewall/known_problems.txt

@@ -1 +1,99 @@
-There are no known problems in Shorewall 4.4.10
+1)  The IPv6 allowBcast built-in action generates an invalid ip6tables
+    rule. This defect is present in all versions of Shorewall that 
+    support IPv6.
+
+    Fixed in Shorewall 4.4.10.1.
+
+2)  If IPSET=<pathname> is specified in shorewall.conf, then when an
+    ipset is used in a configuration file entry, the following fatal
+    compilation error occurs:
+
+    ERROR: ipset names in Shorewall configuration files require Ipset
+    Match in your kernel and iptables : /etc/shorewall/rules (line nn)
+
+    You can work around this problem by executing the following at a
+    root shell prompt:
+
+    	 shorewall show -f capabilities > /etc/shorewall/capabilities
+
+    Fixed in Shorewall 4.4.10.1. After installing this fix, if you 
+    executed the above command to work around the problem, we recommend
+    that you remove /etc/shorewall/capabilities.
+
+3)  The new REQUIRE_INTERFACE option was not added to shorewall.conf
+    and shorewall6.conf.
+
+    You can simply add it if you need it.
+
+    Fixed in Shorewall 4.4.10.2.
+
+4)  Under Perl 5.12.1, a harmless Perl run-time diagnostic is
+    produced when options are omitted from shorewall.conf or
+    shorewall6.conf. 
+
+    Example:
+
+	Use of uninitialized value
+	$Shorewall::Config::config{"REQUIRE_INTERFACE"} in lc at
+    	/usr/share/shorewall/Shorewall/Config.pm line 1902.
+
+    Fixed in Shorewall 4.4.10.2.
+
+5)  On Debian and Debian-based systems, the start/stop priorities of
+    Shorewall products may be incorrect when the insserv package is
+    installed.
+
+    You may correct this problem by running insserv (as root).
+
+    Fixed in Shorewall 4.4.10.2.
+
+6)  If 'trace' or 'debug' is specified on a command that runs the
+    compiled script, an invalid command line is passed to that script
+    resulting in a failure:
+
+    Shorewall configuration compiled to /var/lib/shorewall/.start
+    Usage: /var/lib/shorewall/.start [ options ] [ start|stop|clear|down|reset|
+     refresh|restart|status|up|version ]
+ 
+    Options are:
+ 
+    -v and -q        Standard Shorewall verbosity controls
+    -n               Don't unpdate routing configuration
+    -p               Purge Conntrack Table
+    -t               Timestamp progress Messages
+    -V <verbosity>   Set verbosity explicitly
+    -R <file>        Override RESTOREFILE setting
+
+   This issue affects Shorewall and Shorewall6 4.4.8 and later.
+
+   To work around the problem (IPv4 'debug restart' command):
+
+      shorewall compile /var/lib/shorewall/.restart
+      /var/lib/shorewall/.restart debug restart
+
+   Fixed in Shorewall 4.4.10.3.
+
+7) If the following options are specified in /etc/shorewall/interfaces
+   for an interface with '-' in the ZONE column, then these options
+   will be ignored if there is an entry in the hosts file for the
+   interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
+   implied when the host list begins with '!').
+
+   	blacklist
+	maclist
+	nosmurfs
+	tcpflags
+
+   You can work around this issue by specifying these options in the
+   hosts file entry rather than in the interfaces file.
+
+   Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
+
+   Fixed in Shorewall 4.4.10.3.
+
+8) When REQUIRE_INTERFACE=Yes, the generated script is missing a
+   closing quote.
+
+   Fixed in Shorewall 4.4.10.3.
+
+

Shorewall/lib.cli

@@ -362,17 +362,7 @@ save_config() {
 		    ;;
 		*)
 		    validate_restorefile RESTOREFILE
-
-		    if chain_exists dynamic; then
-			if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
-			    echo "   Dynamic Rules Saved"
-			    do_save
-			else
-		            echo "Error Saving the Dynamic Rules" >&2
-			fi
-		    else
-			do_save && rm -f ${VARDIR}/save
-		    fi
+		    do_save && rm -f ${VARDIR}/save
 		    ;;
 	    esac
 	fi

Shorewall/lib.common

@@ -94,7 +94,12 @@ run_it() {
 	#
 	# 4.4.8 or later -- no additional exports required
 	#
-	options='-'
+	if [ x$1 = xtrace -o x$1 = xdebug ]; then
+	    options="$1 -"
+	    shift;
+	else
+	    options='-'
+	fi
 
 	[ -n "$g_noroutes" ]   && options=${options}n
 	[ -n "$g_timestamp" ]  && options=${options}t

Shorewall/releasenotes.txt

@@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-                       S H O R E W A L L  4 . 4 . 10
+                     S H O R E W A L L  4 . 4 . 1 0 . 3
 ----------------------------------------------------------------------------
 
 I.    RELEASE 4.4 HIGHLIGHTS
@@ -218,6 +218,78 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 
+4.4.10.3
+
+1)  If 'trace' or 'debug' was specified on a command that ran the
+    compiled script, an invalid command line was passed to that script
+    resulting in a failure:
+
+    Shorewall configuration compiled to /var/lib/shorewall/.start
+    Usage: /var/lib/shorewall/.start [ options ] [ start|stop|clear|down|reset|
+     refresh|restart|status|up|version ]
+ 
+    Options are:
+ 
+    -v and -q        Standard Shorewall verbosity controls
+    -n               Don't unpdate routing configuration
+    -p               Purge Conntrack Table
+    -t               Timestamp progress Messages
+    -V <verbosity>   Set verbosity explicitly
+    -R <file>        Override RESTOREFILE setting
+
+2) If the following options were specified in /etc/shorewall/interfaces
+   for an interface with '-' in the ZONE column, then these options
+   would be ignored if there was an entry in the hosts file for the
+   interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
+   implied when the host list begins with '!').
+
+   	blacklist
+	maclist
+	nosmurfs
+	tcpflags
+
+   Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
+
+3) When REQUIRE_INTERFACE=Yes, the generated script was missing a
+   closing quote.
+
+4.4.10.2
+
+1)  The start priorities of the Shorewall products were incorrect on
+    Debian when the insserv package is installed. This is corrected for
+    new installs, but existing users who have both insserv and a
+    Shorewall product are urged to run insserv just be be sure.
+
+2)  The log output from IPv6 logs was almost unreadable due to display
+    of IPv6 addresses in uncompressed format. A similar problem
+    occurred with 'shorewall6 show connections'. This update makes the
+    displays much clearer at the expense of opening the slight
+    possibility of two '::' sequences being incorrectly shown in the
+    same address.
+
+3)  The new REQUIRE_INTERFACE was inadvertently omitted from
+    shorewall.conf and shorewall6.conf. It has been added.
+
+4)  Under Perl 5.12.1, a Perl run-time diagnostic was produced
+    when options were omitted from shorewall.conf or shorewall6.conf. 
+
+4.4.10.1
+
+1)  The IPv6 allowBcast action generated an invalid rule.
+
+2)  If IPSET=<pathname> was specified in shorewall.conf, then when an
+    ipset was used in a configuration file entry, the following
+    fatal compilation error occurred:
+
+    ERROR: ipset names in Shorewall configuration files require Ipset
+    Match in your kernel and iptables : /etc/shorewall/rules (line nn)
+
+    If you applied the workaround given in the "Known Problems", then
+    you should remove /etc/shorewall/capabilities after installing
+    this fix.
+
+4.4.10
+
 1)  Startup Errors (those that are detected before the state of the
     system has been altered), were previously not sent to the
     STARTUP_LOG.
@@ -263,6 +335,8 @@ I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 
     This configuration now works correctly.
 
+5)  The 'forget' command now correctly removes saved ipsets.
+
 ----------------------------------------------------------------------------
            I V.  K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------
@@ -410,6 +484,11 @@ None.
 	shorewall-init: 4.4.10-RC1
 	gateway:~# 
 
+3)  Beginning with this release, the 'restart' and 'refresh' commands
+    now retain the contents of the dynamic blacklist as well as the
+    current UPnP rules. The dynamic blacklist is also preserved over
+    stop/start.
+
 ----------------------------------------------------------------------------
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
       I N   P R I O R  R E L E A S E S

Shorewall/shorewall

@@ -1829,6 +1829,7 @@ case "$COMMAND" in
 	if [ -x $g_restorepath ]; then
 	    rm -f $g_restorepath
 	    rm -f ${g_restorepath}-iptables
+	    rm -f ${g_restorepath}-ipsets
 	    echo "    $g_restorepath removed"
 	elif [ -f $g_restorepath ]; then
 	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"

Shorewall/shorewall.spec

@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.10
-%define release 0base
+%define release 3
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -108,8 +108,16 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 
 
 %changelog
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+* Sun Jul 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-3
+* Thu Jun 24 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-2
+* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-1
+* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
+* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC3
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net

Shorewall/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.10
+VERSION=4.4.10.3
 
 usage() # $1 = exit status
 {

Shorewall6-lite/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.10
+VERSION=4.4.10.3
 
 usage() # $1 = exit status
 {
@@ -350,7 +350,13 @@ if [ -z "$DESTDIR" ]; then
     if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite
-	    ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
+
+	    if [ -x /sbin/insserv ]; then
+		insserv /etc/init.d/shorewall6-lite
+	    else
+		ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
+	    fi
+
 	    echo "Shorewall6 Lite will start automatically at boot"
 	else
 	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then

Shorewall6-lite/shorewall6-lite.spec

@@ -1,6 +1,6 @@
 %define name shorewall6-lite
 %define version 4.4.10
-%define release 0base
+%define release 3
 
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -93,8 +93,16 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+* Sun Jul 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-3
+* Thu Jun 24 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-2
+* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-1
+* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
+* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC3
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net

Shorewall6-lite/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.10
+VERSION=4.4.10.3
 
 usage() # $1 = exit status
 {

Shorewall6/install.sh

@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.4.10
+VERSION=4.4.10.3
 
 usage() # $1 = exit status
 {
@@ -718,7 +718,13 @@ fi
 if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
     if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6
-	ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
+
+	if [ -x /sbin/insserv ]; then
+	    insserv /etc/init.d/shorewall6
+	else
+	    ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
+	fi
+
 	echo "shorewall6 will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall6 to enable"
 	touch /var/log/shorewall6-init.log

Shorewall6/lib.cli

@@ -134,18 +134,18 @@ syslog_circular_buffer() {
 packet_log() # $1 = number of messages
 {
     if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
     else
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
     fi
 }
 
 search_log() # $1 = IP address to search for
 {
     if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
     else
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
     fi
 }    
 
@@ -439,7 +439,7 @@ show_command() {
 	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 	    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
 	    echo
-	    grep '^ipv6' /proc/net/nf_conntrack
+	    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g'
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1

Shorewall6/lib.common

@@ -92,7 +92,12 @@ run_it() {
 	#
 	# 4.4.8 or later -- no additional exports required
 	#
-	options='-'
+	if [ x$1 = xtrace -o x$1 = xdebug ]; then
+	    options="$1 -"
+	    shift;
+	else
+	    options='-'
+	fi
 
 	[ -n "$g_noroutes" ]   && options=${options}n
 	[ -n "$g_timestamp" ]  && options=${options}t

Shorewall6/shorewall6.spec

@@ -1,6 +1,6 @@
 %define name shorewall6
 %define version 4.4.10
-%define release 0base
+%define release 3
 
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -98,8 +98,16 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 
 %changelog
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+* Sun Jul 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-3
+* Thu Jun 24 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-2
+* Sat Jun 12 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-1
+* Tue Jun 08 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
+* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC3
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net

Shorewall6/uninstall.sh

@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.4.10
+VERSION=4.4.10.3
 
 usage() # $1 = exit status
 {

docs/UPnP.xml

@@ -109,6 +109,11 @@ forwardUPnP        net     loc</programlisting>
       this route during <command>start</command> and deletes it during
       <command>stop</command>.</para>
     </note>
+
+    <caution>
+      <para>Shorewall versions prior to 4.4.10 do not retain the dynamic rules
+      added by linux-idg over a <command>shorewall restart</command>.</para>
+    </caution>
   </section>
 
   <section>

docs/blacklisting_support.xml

@@ -188,6 +188,11 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
         <para>save - save the dynamic blacklisting configuration so that it
         will be automatically restored the next time that the firewall is
         restarted.</para>
+
+        <para><emphasis role="bold">Update:</emphasis> Beginning with
+        Shorewall 4.4.10, the dynamic blacklist is automatically retained over
+        <command>stop/start</command> sequences and over
+        <command>restart</command>.</para>
       </listitem>
 
       <listitem>

docs/configuration_file_basics.xml

@@ -48,6 +48,17 @@
     before you use them with Shorewall.</para>
   </caution>
 
+  <section>
+    <title id="Intro">Introduction</title>
+
+    <para>This article offers hints about how to accomplish common tasks with
+    Shorewall. The <ulink url="Introduction.html">Introduction to
+    Shorewall</ulink> is required reading for being able to use this article
+    effectively. For information about setting up your first Shorewall-based
+    firewall, see the <ulink url="GettingStarted.html">Quickstart
+    Guides</ulink>.</para>
+  </section>
+
   <section id="Files">
     <title>Files</title>
 
@@ -111,8 +122,9 @@
         </listitem>
 
         <listitem>
-          <para><filename>/etc/shorewall/tcrules </filename>- defines marking
-          of packets for later use by traffic control/shaping or policy
+          <para><filename>/etc/shorewall/tcrules </filename>- The file has a
+          rather unfortunate name because it is used to define marking of
+          packets for later use by both traffic control/shaping and policy
           routing.</para>
         </listitem>