diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/changelog.txt shorewall-5.0.9/changelog.txt
--- shorewall-5.0.8/changelog.txt 2016-04-23 06:42:06.523009000 -0700
+++ shorewall-5.0.9/changelog.txt 2016-06-04 14:49:09.383267082 -0700
@@ -1,3 +1,49 @@
+Changes in 5.0.9 Final
+
+1) Update release documents
+
+2) Document DOCKER fix.
+
+Changes in 5.0.9 RC 1
+
+1) Update release documents
+
+2) Cross-check core version during compilation.
+
+3) Cross-check Shorewall6 version during IPv6 compilation.
+
+4) Turn on AUTOMAKE in the sample configurations.
+
+5) Date/time in 'date' format.
+
+Changes in 5.0.9 Beta 2
+
+1) Update release documents
+
+2) Improve compile date/time implementation
+
+3) Add VERBOSE_MESSAGES option.
+
+4) Allow NFLOG in the mangle file
+
+Changes in 5.0.9 Beta 1
+
+1) Update release documents
+
+2) Fix handling of optional provider with no IP address
+
+3) Correct typos in the Events article
+
+4) Implement standard error messages in the CLI
+
+5) Include compile time and date in the output of 'status'
+
+6) Apply Matt Darfeuille's patch set.
+
+Changes in 5.0.8 Final
+
+1) Update release documents
+
Changes in 5.0.8 RC 2
1) Update release documents.
@@ -16,9 +62,7 @@
8) Add an ESTABLISHED,RELATED rule for o => docker0
-9) ?WARNING and ?INFO
-
-10) Warning on optional provider in the DUPLICATE column
+9) Add ?WARNING and ?INFO directives.
Changes in 5.0.8 RC 1
@@ -28,7 +72,7 @@
3) Correct many issues with save/restore of ipsets.
-4) Update DHCP article (refresh -> restart)
+4) Update DHCP article (refresh -> reload)
5) Correct start command's handling of AUTOMAKE.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/configfiles/mangle.annotated shorewall-5.0.9/configfiles/mangle.annotated
--- shorewall-5.0.8/configfiles/mangle.annotated 2016-04-23 06:42:37.223009000 -0700
+++ shorewall-5.0.9/configfiles/mangle.annotated 2016-06-04 14:49:43.875436442 -0700
@@ -316,7 +316,7 @@
# then
# 0xc0a80403 >> 0 = 0xc0a80403
# 0xc0a80403 LAND 0xFF = 0x03
-# 0x03 LOR 0x0x10100 = 0x10103 or class ID 1:103
+# 0x03 LOR 0x10100 = 0x10103 or class ID 1:103
#
# It is important to realize that, while class IDs are composed of a
# major and a minor value, the set of values must be unique. That is, the
@@ -376,6 +376,21 @@
# then ( 2 ** MASK_BITS ) - 1 is assumed (MASK_BITS is set in
# shorewall.conf(5)).
#
+# NFLOG[(nflog-parameters)]
+#
+# Added in Shorewall 5.0.9. Logs matching packets using NFLOG. The
+# nflog-parameters are a comma-separated list of up to 3 numbers:
+#
+# ☆ The first number specifies the netlink group (0-65535). If omitted
+# (e.g., NFLOG(,0,10)) then a value of 0 is assumed.
+#
+# ☆ The second number specifies the maximum number of bytes to copy. If
+# omitted, 0 (no limit) is assumed.
+#
+# ☆ The third number specifies the number of log messages that should
+# be buffered in the kernel before they are sent to user space. The
+# default is 1.
+#
# RESTORE[(mask)]
#
# Restore the packet's mark from the connection's mark using the supplied
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/configfiles/rules.annotated shorewall-5.0.9/configfiles/rules.annotated
--- shorewall-5.0.8/configfiles/rules.annotated 2016-04-23 06:42:40.039009000 -0700
+++ shorewall-5.0.9/configfiles/rules.annotated 2016-06-04 14:49:47.186140256 -0700
@@ -342,9 +342,21 @@
# logging daemon via a netlink socket then continues to the next rule.
# See http://www.shorewall.net/shorewall_logging.html.
#
-# Similar to LOG:NFLOG[(nflog-parameters)], except that the log level is
-# not changed when this ACTION is used in an action or macro body and the
-# invocation of that action or macro specifies a log level.
+# The nflog-parameters are a comma-separated list of up to 3 numbers:
+#
+# ☆ The first number specifies the netlink group (0-65535). If omitted
+# (e.g., NFLOG(,0,10)) then a value of 0 is assumed.
+#
+# ☆ The second number specifies the maximum number of bytes to copy. If
+# omitted, 0 (no limit) is assumed.
+#
+# ☆ The third number specifies the number of log messages that should
+# be buffered in the kernel before they are sent to user space. The
+# default is 1.
+#
+# NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that the log
+# level is not changed when this ACTION is used in an action or macro
+# body and the invocation of that action or macro specifies a log level.
#
# NFQUEUE[([queuenumber1[:queuenumber2][,bypass]]|bypass)]
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/configfiles/shorewall.conf shorewall-5.0.9/configfiles/shorewall.conf
--- shorewall-5.0.8/configfiles/shorewall.conf 2016-04-19 10:42:50.000000000 -0700
+++ shorewall-5.0.9/configfiles/shorewall.conf 2016-05-22 17:50:51.000000000 -0700
@@ -242,6 +242,8 @@
USE_RT_NAMES=No
+VERBOSE_MESSAGES=Yes
+
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/configfiles/shorewall.conf.annotated shorewall-5.0.9/configfiles/shorewall.conf.annotated
--- shorewall-5.0.8/configfiles/shorewall.conf.annotated 2016-04-23 06:42:40.759009000 -0700
+++ shorewall-5.0.9/configfiles/shorewall.conf.annotated 2016-06-04 14:49:48.018820296 -0700
@@ -1705,6 +1705,16 @@
#
# Without these entries, the firewall will fail to start.
#
+VERBOSE_MESSAGES=Yes
+#
+# VERBOSE_MESSAGES=[Yes|No]
+#
+# Added in Shorewall 5.0.9. When Yes (the default), messages produced by the
+# ?INFO and ?WARNING directives include the filename and linenumber of the
+# directive. When set to No, that additional information is omitted. The
+# setting may be overridden on a directive by directive basis by following ?
+# INFO or ?WARNING with '!' (no intervening white space).
+#
WARNOLDCAPVERSION=Yes
#
# WARNOLDCAPVERSION=[Yes|No]
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/configure shorewall-5.0.9/configure
--- shorewall-5.0.8/configure 2016-04-23 06:42:06.523009000 -0700
+++ shorewall-5.0.9/configure 2016-06-04 14:49:09.387270351 -0700
@@ -28,7 +28,7 @@
#
# Build updates this
#
-VERSION=5.0.8
+VERSION=5.0.9
case "$BASH_VERSION" in
[4-9].*)
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/configure.pl shorewall-5.0.9/configure.pl
--- shorewall-5.0.8/configure.pl 2016-04-23 06:42:06.523009000 -0700
+++ shorewall-5.0.9/configure.pl 2016-06-04 14:49:09.387270351 -0700
@@ -31,7 +31,7 @@
# Build updates this
#
use constant {
- VERSION => '5.0.8'
+ VERSION => '5.0.9'
};
my %params;
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/install.sh shorewall-5.0.9/install.sh
--- shorewall-5.0.8/install.sh 2016-04-23 06:42:06.251009000 -0700
+++ shorewall-5.0.9/install.sh 2016-06-04 14:49:09.299198423 -0700
@@ -22,7 +22,7 @@
# along with this program; if not, see .
#
-VERSION=5.0.8
+VERSION=5.0.9
#
# Change to the directory containing this script
@@ -514,7 +514,7 @@
# Install the Standard Actions file
#
install_file actions.std ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std 0644
-echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}d/$PRODUCT/actions.std"
+echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std"
cd configfiles
@@ -1177,6 +1177,8 @@
# Install the Man Pages
#
+if [ -n "$MANDIR" ]; then
+
cd manpages
[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
@@ -1196,6 +1198,7 @@
cd ..
echo "Man Pages Installed"
+fi
if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/lib.cli-std shorewall-5.0.9/lib.cli-std
--- shorewall-5.0.8/lib.cli-std 2016-04-19 10:42:50.000000000 -0700
+++ shorewall-5.0.9/lib.cli-std 2016-05-22 17:50:51.000000000 -0700
@@ -493,13 +493,13 @@
case "$g_doing" in
Compiling|Checking)
- progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+ progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
;;
Updating)
progress_message3 "Updating $g_product configuration to $SHOREWALL_VERSION..."
;;
*)
- [ -n "$g_doing" ] && progress_message3 "$g_doing using $g_product $SHOREWALL_VERSION..."
+ [ -n "$g_doing" ] && progress_message3 "$g_doing using Shorewall $SHOREWALL_VERSION..."
;;
esac
#
@@ -604,7 +604,7 @@
option=${option#C}
;;
*)
- usage 1
+ option_error $option
;;
esac
done
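Review bot: `option_error $option` passes the user-supplied option cluster unquoted, so a value containing whitespace or glob characters (anything after the leading dash on the command line) is word-split and glob-expanded before option_error sees it, and the reported text can differ from what the user typed; `option_error "$option"` is the safe form. The same unquoted pattern recurs in every later `option_error $option` and `too_many_arguments $2` / `$3` replacement in this file. option_error is defined outside this diff, so whether it tolerates extra arguments cannot be confirmed here.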
@@ -620,7 +620,8 @@
0)
;;
1)
- [ -n "$g_shorewalldir" -o -n "$g_fast" ] && usage 2
+ [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
+ [ -n "$g_fast" ] && fatal_error "Directory may not be specified with the -f option"
if [ ! -d $1 ]; then
if [ -e $1 ]; then
@@ -634,7 +635,7 @@
AUTOMAKE=
;;
*)
- usage 1
+ too_many_arguments $2
;;
esac
@@ -663,8 +664,6 @@
shift
option=${option#-}
- [ -z "$option" ] && usage 1
-
while [ -n "$option" ]; do
case $option in
e*)
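Review bot: Dropping the `[ -z "$option" ] && usage 1` check means a bare `-` argument, which `option=${option#-}` reduces to the empty string, now slips through: the `while [ -n "$option" ]` loop body never runs and the argument is silently ignored instead of rejected as before. Unless the caller already filters a lone `-` before reaching this code (not visible here), the check should be kept in the new error style, e.g. `[ -z "$option" ] && option_error "-"`. The enclosing option loop and its case arms continue outside this hunk.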
@@ -701,7 +700,7 @@
option=
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -723,7 +722,7 @@
[ -d "$g_file" ] && fatal_error "$g_file is a directory"
;;
2)
- [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
+ [ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
if [ ! -d $1 ]; then
if [ -e $1 ]; then
@@ -737,7 +736,7 @@
g_file=$2
;;
*)
- usage 1
+ too_many_arguments $3
;;
esac
@@ -791,7 +790,7 @@
option=${option#i}
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -807,7 +806,7 @@
0)
;;
1)
- [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2
+ [ -n "$g_shorewalldir" -a -z "$g_export" ] && fatal_error "A directory has already been specified: $1"
if [ ! -d $1 ]; then
if [ -e $1 ]; then
@@ -820,7 +819,7 @@
g_shorewalldir=$(resolve_file $1)
;;
*)
- usage 1
+ too_many_arguments $2
;;
esac
@@ -883,7 +882,7 @@
option=${option#A}
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -899,7 +898,7 @@
0)
;;
1)
- [ -n "$g_shorewalldir" ] && usage 2
+ [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
if [ ! -d $1 ]; then
if [ -e $1 ]; then
@@ -912,7 +911,7 @@
g_shorewalldir=$(resolve_file $1)
;;
*)
- usage 1
+ too_many_arguments $2
;;
esac
@@ -977,7 +976,7 @@
option=${option#C}
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -993,7 +992,7 @@
0)
;;
1)
- [ -n "$g_shorewalldir" ] && usage 2
+ [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
if [ ! -d $1 ]; then
if [ -e $1 ]; then
@@ -1008,7 +1007,7 @@
AUTOMAKE=
;;
*)
- usage 1
+ too_many_arguments $2
;;
esac
@@ -1086,7 +1085,7 @@
fi
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -1169,7 +1168,7 @@
shift;
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -1185,7 +1184,7 @@
0)
;;
1)
- [ -n "$g_shorewalldir" ] && usage 2
+ [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
if [ ! -d $1 ]; then
if [ -e $1 ]; then
@@ -1198,7 +1197,7 @@
g_shorewalldir=$(resolve_file $1)
;;
*)
- usage 1
+ too_many_arguments $2
;;
esac
@@ -1286,7 +1285,7 @@
timeout=
handle_directory() {
- [ -n "$g_shorewalldir" ] && usage 2
+ [ -n "$g_shorewalldir" ] && fatal_error "A directory has already been specified: $1"
if [ ! -d $1 ]; then
if [ -e $1 ]; then
@@ -1316,7 +1315,7 @@
option=${option#n}
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -1330,7 +1329,7 @@
case $# in
0)
- usage 1
+ missing_argument
;;
1)
handle_directory $1
@@ -1341,7 +1340,7 @@
timeout=$2
;;
*)
- usage 1
+ too_many_arguments $3
;;
esac
@@ -1480,7 +1479,7 @@
option=${option#i}
;;
*)
- usage 1
+ option_error $option
;;
esac
done
@@ -1493,6 +1492,9 @@
done
case $# in
+ 0)
+ missing_argument
+ ;;
1)
g_shorewalldir="."
system=$1
@@ -1502,7 +1504,7 @@
system=$2
;;
*)
- usage 1
+ too_many_arguments $3
;;
esac
@@ -1742,7 +1744,7 @@
safe_commands $@
;;
*)
- usage 1
+ fatal_error "Invalid command: $COMMAND"
;;
esac
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall.8 shorewall-5.0.9/manpages/shorewall.8
--- shorewall-5.0.8/manpages/shorewall.8 2016-04-23 06:42:33.147009000 -0700
+++ shorewall-5.0.9/manpages/shorewall.8 2016-06-04 14:49:39.283686412 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Administrative Commands
.\" Source: Administrative Commands
.\" Language: English
.\"
-.TH "SHOREWALL" "8" "04/23/2016" "Administrative Commands" "Administrative Commands"
+.TH "SHOREWALL" "8" "06/04/2016" "Administrative Commands" "Administrative Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-accounting.5 shorewall-5.0.9/manpages/shorewall-accounting.5
--- shorewall-5.0.8/manpages/shorewall-accounting.5 2016-04-23 06:42:08.667009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-accounting.5 2016-06-04 14:49:11.969379130 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-accounting
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-ACCOUNTIN" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ACCOUNTIN" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-actions.5 shorewall-5.0.9/manpages/shorewall-actions.5
--- shorewall-5.0.8/manpages/shorewall-actions.5 2016-04-23 06:42:09.195009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-actions.5 2016-06-04 14:49:12.569869543 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-actions
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-ACTIONS" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ACTIONS" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-arprules.5 shorewall-5.0.9/manpages/shorewall-arprules.5
--- shorewall-5.0.8/manpages/shorewall-arprules.5 2016-04-23 06:42:09.763009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-arprules.5 2016-06-04 14:49:13.190376304 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-arprules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-ARPRULES" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ARPRULES" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-blrules.5 shorewall-5.0.9/manpages/shorewall-blrules.5
--- shorewall-5.0.8/manpages/shorewall-blrules.5 2016-04-23 06:42:10.343009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-blrules.5 2016-06-04 14:49:13.822892873 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-blrules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-BLRULES" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-BLRULES" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall.conf.5 shorewall-5.0.9/manpages/shorewall.conf.5
--- shorewall-5.0.8/manpages/shorewall.conf.5 2016-04-23 06:42:13.043009000 -0700
+++ shorewall-5.0.9/manpages/shorewall.conf.5 2016-06-04 14:49:16.749282823 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall.conf
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\&.CONF" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\&.CONF" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -2401,6 +2401,11 @@
.RE
.RE
.PP
+\fBVERBOSE_MESSAGES=\fR[\fBYes\fR|\fBNo\fR]
+.RS 4
+Added in Shorewall 5\&.0\&.9\&. When Yes (the default), messages produced by the ?INFO and ?WARNING directives include the filename and linenumber of the directive\&. When set to No, that additional information is omitted\&. The setting may be overridden on a directive by directive basis by following ?INFO or ?WARNING with \*(Aq!\*(Aq (no intervening white space)\&.
+.RE
+.PP
\fBVERBOSITY=\fR[\fInumber\fR]
.RS 4
Shorewall has traditionally been very noisy (produced lots of output)\&. You may set the default level of verbosity using the VERBOSITY OPTION\&.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-conntrack.5 shorewall-5.0.9/manpages/shorewall-conntrack.5
--- shorewall-5.0.8/manpages/shorewall-conntrack.5 2016-04-23 06:42:13.763009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-conntrack.5 2016-06-04 14:49:17.473874588 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall6-conntrack
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL6\-CONNTRAC" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL6\-CONNTRAC" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-ecn.5 shorewall-5.0.9/manpages/shorewall-ecn.5
--- shorewall-5.0.8/manpages/shorewall-ecn.5 2016-04-23 06:42:14.379009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-ecn.5 2016-06-04 14:49:18.038335577 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-ecn
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-ECN" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ECN" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-exclusion.5 shorewall-5.0.9/manpages/shorewall-exclusion.5
--- shorewall-5.0.8/manpages/shorewall-exclusion.5 2016-04-23 06:42:14.919009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-exclusion.5 2016-06-04 14:49:18.678858685 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-exclusion
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-EXCLUSION" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-EXCLUSION" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-hosts.5 shorewall-5.0.9/manpages/shorewall-hosts.5
--- shorewall-5.0.8/manpages/shorewall-hosts.5 2016-04-23 06:42:15.491009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-hosts.5 2016-06-04 14:49:19.351407948 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-hosts
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-HOSTS" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-HOSTS" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-init.8 shorewall-5.0.9/manpages/shorewall-init.8
--- shorewall-5.0.8/manpages/shorewall-init.8 2016-04-23 06:42:15.959009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-init.8 2016-06-04 14:49:19.911865668 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-init
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Administrative Commands
.\" Source: Administrative Commands
.\" Language: English
.\"
-.TH "SHOREWALL\-INIT" "8" "04/23/2016" "Administrative Commands" "Administrative Commands"
+.TH "SHOREWALL\-INIT" "8" "06/04/2016" "Administrative Commands" "Administrative Commands"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-interfaces.5 shorewall-5.0.9/manpages/shorewall-interfaces.5
--- shorewall-5.0.8/manpages/shorewall-interfaces.5 2016-04-23 06:42:16.735009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-interfaces.5 2016-06-04 14:49:20.780575133 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-interfaces
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-INTERFACE" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-INTERFACE" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-ipsets.5 shorewall-5.0.9/manpages/shorewall-ipsets.5
--- shorewall-5.0.8/manpages/shorewall-ipsets.5 2016-04-23 06:42:17.379009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-ipsets.5 2016-06-04 14:49:21.413091702 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-ipsets
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-IPSETS" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-IPSETS" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-maclist.5 shorewall-5.0.9/manpages/shorewall-maclist.5
--- shorewall-5.0.8/manpages/shorewall-maclist.5 2016-04-23 06:42:17.987009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-maclist.5 2016-06-04 14:49:22.113663851 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-maclist
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-MACLIST" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-MACLIST" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-mangle.5 shorewall-5.0.9/manpages/shorewall-mangle.5
--- shorewall-5.0.8/manpages/shorewall-mangle.5 2016-04-23 06:42:18.967009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-mangle.5 2016-06-04 14:49:23.082455052 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-mangle
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-MANGLE" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-MANGLE" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -449,7 +449,7 @@
0xc0a80403 LAND 0xFF = 0x03
.RE
.RS 4
-0x03 LOR 0x0x10100 = 0x10103 or class ID
+0x03 LOR 0x10100 = 0x10103 or class ID
1:103
.RE
It is important to realize that, while class IDs are composed of a
@@ -508,6 +508,46 @@
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[2]\d\s+2(5))\&.
.RE
.PP
+\fBNFLOG\fR[(\fInflog\-parameters\fR)]
+.RS 4
+Added in Shorewall 5\&.0\&.9\&. Logs matching packets using NFLOG\&. The
+\fInflog\-parameters\fR
+are a comma\-separated list of up to 3 numbers:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+The first number specifies the netlink group (0\-65535)\&. If omitted (e\&.g\&., NFLOG(,0,10)) then a value of 0 is assumed\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+The second number specifies the maximum number of bytes to copy\&. If omitted, 0 (no limit) is assumed\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+The third number specifies the number of log messages that should be buffered in the kernel before they are sent to user space\&. The default is 1\&.
+.RE
+.RE
+.PP
\fBRESTORE\fR[(\fImask\fR)]
.RS 4
Restore the packet\*(Aqs mark from the connection\*(Aqs mark using the supplied mask if any\&. Your kernel and iptables must include CONNMARK support\&.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-masq.5 shorewall-5.0.9/manpages/shorewall-masq.5
--- shorewall-5.0.8/manpages/shorewall-masq.5 2016-04-23 06:42:19.651009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-masq.5 2016-06-04 14:49:23.823059895 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-masq
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-MASQ" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-MASQ" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-modules.5 shorewall-5.0.9/manpages/shorewall-modules.5
--- shorewall-5.0.8/manpages/shorewall-modules.5 2016-04-23 06:42:20.171009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-modules.5 2016-06-04 14:49:24.423550309 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-modules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-MODULES" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-MODULES" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-nat.5 shorewall-5.0.9/manpages/shorewall-nat.5
--- shorewall-5.0.8/manpages/shorewall-nat.5 2016-04-23 06:42:20.743009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-nat.5 2016-06-04 14:49:25.020037453 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-nat
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-NAT" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-NAT" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-nesting.5 shorewall-5.0.9/manpages/shorewall-nesting.5
--- shorewall-5.0.8/manpages/shorewall-nesting.5 2016-04-23 06:42:21.299009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-nesting.5 2016-06-04 14:49:25.628534405 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-nesting
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-NESTING" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-NESTING" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-netmap.5 shorewall-5.0.9/manpages/shorewall-netmap.5
--- shorewall-5.0.8/manpages/shorewall-netmap.5 2016-04-23 06:42:21.827009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-netmap.5 2016-06-04 14:49:26.245037897 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-netmap
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-NETMAP" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-NETMAP" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-params.5 shorewall-5.0.9/manpages/shorewall-params.5
--- shorewall-5.0.8/manpages/shorewall-params.5 2016-04-23 06:42:22.355009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-params.5 2016-06-04 14:49:26.853534849 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-params
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-PARAMS" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-PARAMS" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-policy.5 shorewall-5.0.9/manpages/shorewall-policy.5
--- shorewall-5.0.8/manpages/shorewall-policy.5 2016-04-23 06:42:22.903009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-policy.5 2016-06-04 14:49:27.498061227 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-policy
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-POLICY" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-POLICY" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-providers.5 shorewall-5.0.9/manpages/shorewall-providers.5
--- shorewall-5.0.8/manpages/shorewall-providers.5 2016-04-23 06:42:23.495009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-providers.5 2016-06-04 14:49:28.162603952 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-providers
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-PROVIDERS" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-PROVIDERS" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-proxyarp.5 shorewall-5.0.9/manpages/shorewall-proxyarp.5
--- shorewall-5.0.8/manpages/shorewall-proxyarp.5 2016-04-23 06:42:24.023009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-proxyarp.5 2016-06-04 14:49:28.763094364 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-proxyarp
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-PROXYARP" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-PROXYARP" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-routes.5 shorewall-5.0.9/manpages/shorewall-routes.5
--- shorewall-5.0.8/manpages/shorewall-routes.5 2016-04-23 06:42:24.567009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-routes.5 2016-06-04 14:49:29.347571701 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-routes
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-ROUTES" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ROUTES" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-rtrules.5 shorewall-5.0.9/manpages/shorewall-rtrules.5
--- shorewall-5.0.8/manpages/shorewall-rtrules.5 2016-04-23 06:42:25.107009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-rtrules.5 2016-06-04 14:49:29.948062114 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-rtrules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-RTRULES" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-RTRULES" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-rules.5 shorewall-5.0.9/manpages/shorewall-rules.5
--- shorewall-5.0.8/manpages/shorewall-rules.5 2016-04-23 06:42:26.535009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-rules.5 2016-06-04 14:49:31.649451620 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-rules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-RULES" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-RULES" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -444,7 +444,44 @@
Added in Shorewall 4\&.5\&.9\&.3\&. Queues matching packets to a back end logging daemon via a netlink socket then continues to the next rule\&. See
\m[blue]\fBhttp://www\&.shorewall\&.net/shorewall_logging\&.html\fR\m[]\&\s-2\u[6]\d\s+2\&.
.sp
-Similar to\fB LOG:NFLOG\fR[(\fInflog\-parameters\fR)], except that the log level is not changed when this ACTION is used in an action or macro body and the invocation of that action or macro specifies a log level\&.
+The
+\fInflog\-parameters\fR
+are a comma\-separated list of up to 3 numbers:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+The first number specifies the netlink group (0\-65535)\&. If omitted (e\&.g\&., NFLOG(,0,10)) then a value of 0 is assumed\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+The second number specifies the maximum number of bytes to copy\&. If omitted, 0 (no limit) is assumed\&.
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+The third number specifies the number of log messages that should be buffered in the kernel before they are sent to user space\&. The default is 1\&.
+.RE
+.sp
+NFLOG is similar to\fB LOG:NFLOG\fR[(\fInflog\-parameters\fR)], except that the log level is not changed when this ACTION is used in an action or macro body and the invocation of that action or macro specifies a log level\&.
.RE
.PP
\fBNFQUEUE\fR[([\fIqueuenumber\fR1[:\fIqueuenumber2\fR][,bypass]]|bypass)]
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-secmarks.5 shorewall-5.0.9/manpages/shorewall-secmarks.5
--- shorewall-5.0.8/manpages/shorewall-secmarks.5 2016-04-23 06:42:27.087009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-secmarks.5 2016-06-04 14:49:32.297981266 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-secmarks
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-SECMARKS" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-SECMARKS" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-stoppedrules.5 shorewall-5.0.9/manpages/shorewall-stoppedrules.5
--- shorewall-5.0.8/manpages/shorewall-stoppedrules.5 2016-04-23 06:42:27.631009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-stoppedrules.5 2016-06-04 14:49:32.890465141 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-stoppedrules
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-STOPPEDRU" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-STOPPEDRU" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-tcclasses.5 shorewall-5.0.9/manpages/shorewall-tcclasses.5
--- shorewall-5.0.8/manpages/shorewall-tcclasses.5 2016-04-23 06:42:28.227009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-tcclasses.5 2016-06-04 14:49:33.571020944 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tcclasses
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TCCLASSES" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TCCLASSES" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-tcdevices.5 shorewall-5.0.9/manpages/shorewall-tcdevices.5
--- shorewall-5.0.8/manpages/shorewall-tcdevices.5 2016-04-23 06:42:28.791009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-tcdevices.5 2016-06-04 14:49:34.235563669 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tcdevices
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TCDEVICES" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TCDEVICES" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-tcfilters.5 shorewall-5.0.9/manpages/shorewall-tcfilters.5
--- shorewall-5.0.8/manpages/shorewall-tcfilters.5 2016-04-23 06:42:29.359009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-tcfilters.5 2016-06-04 14:49:34.848063890 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tcfilters
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TCFILTERS" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TCFILTERS" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-tcinterfaces.5 shorewall-5.0.9/manpages/shorewall-tcinterfaces.5
--- shorewall-5.0.8/manpages/shorewall-tcinterfaces.5 2016-04-23 06:42:29.879009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-tcinterfaces.5 2016-06-04 14:49:35.476577189 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tcinterfaces
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TCINTERFA" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TCINTERFA" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-tcpri.5 shorewall-5.0.9/manpages/shorewall-tcpri.5
--- shorewall-5.0.8/manpages/shorewall-tcpri.5 2016-04-23 06:42:30.419009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-tcpri.5 2016-06-04 14:49:36.153129723 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tcpri
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TCPRI" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TCPRI" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-tunnels.5 shorewall-5.0.9/manpages/shorewall-tunnels.5
--- shorewall-5.0.8/manpages/shorewall-tunnels.5 2016-04-23 06:42:30.979009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-tunnels.5 2016-06-04 14:49:36.781643022 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-tunnels
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-TUNNELS" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-TUNNELS" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-vardir.5 shorewall-5.0.9/manpages/shorewall-vardir.5
--- shorewall-5.0.8/manpages/shorewall-vardir.5 2016-04-23 06:42:31.495009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-vardir.5 2016-06-04 14:49:37.382133436 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-vardir
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-VARDIR" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-VARDIR" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/manpages/shorewall-zones.5 shorewall-5.0.9/manpages/shorewall-zones.5
--- shorewall-5.0.8/manpages/shorewall-zones.5 2016-04-23 06:42:33.767009000 -0700
+++ shorewall-5.0.9/manpages/shorewall-zones.5 2016-06-04 14:49:39.996268369 -0700
@@ -2,12 +2,12 @@
.\" Title: shorewall-zones
.\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
.\" Generator: DocBook XSL Stylesheets v1.78.1
-.\" Date: 04/23/2016
+.\" Date: 06/04/2016
.\" Manual: Configuration Files
.\" Source: Configuration Files
.\" Language: English
.\"
-.TH "SHOREWALL\-ZONES" "5" "04/23/2016" "Configuration Files" "Configuration Files"
+.TH "SHOREWALL\-ZONES" "5" "06/04/2016" "Configuration Files" "Configuration Files"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Perl/lib.core shorewall-5.0.9/Perl/lib.core
--- shorewall-5.0.8/Perl/lib.core 2016-04-19 10:42:50.000000000 -0700
+++ shorewall-5.0.9/Perl/lib.core 1969-12-31 16:00:00.000000000 -0800
@@ -1,1376 +0,0 @@
-# (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
-#
-# This program is part of Shorewall.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by the
-# Free Software Foundation, either version 2 of the license or, at your
-# option, any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, see .
-#
-# Options are:
-#
-# -n Do not alter Routing
-# -v and -q Standard Shorewall Verbosity control
-# -t Timestamp progress messages
-# -p Purge conntrack table
-# -r Recover from failed start/reload
-# -V Set verbosity level explicitly
-# -R Overrides RESTOREFILE setting
-#
-# Commands are:
-#
-# clear Removes all firewall rules
-# disable Disable an optional interface
-# down Stop an optional interface
-# enable Enable an optional interface
-# help Show command syntax
-# reenable Disable then nable an optional
-# interface
-# refresh Refresh the firewall
-# reload Reload the firewall
-# restart Restarts the firewall
-# restore Restore a saved configuration
-# reset Reset byte and packet counters
-# run Call a function in this program
-# savesets Save the ipset contents
-# status Displays firewall status
-# start Starts the firewall
-# stop Stops the firewall
-# up Start an optional interface
-# version Displays the version of Shorewall that
-# generated this program
-#
-################################################################################
-# Functions imported from /usr/share/shorewall/lib.core
-################################################################################
-# Address family-neutral Functions
-################################################################################
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
- local timestamp
- timestamp=
-
- if [ $VERBOSITY -gt 1 ]; then
- [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
- echo "${timestamp}$@"
- fi
-
- if [ $LOG_VERBOSITY -gt 1 ]; then
- timestamp="$(date +'%b %e %T') "
- echo "${timestamp}$@" >> $STARTUP_LOG
- fi
-}
-
-progress_message2() # $* = Message
-{
- local timestamp
- timestamp=
-
- if [ $VERBOSITY -gt 0 ]; then
- [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
- echo "${timestamp}$@"
- fi
-
- if [ $LOG_VERBOSITY -gt 0 ]; then
- timestamp="$(date +'%b %e %T') "
- echo "${timestamp}$@" >> $STARTUP_LOG
- fi
-}
-
-progress_message3() # $* = Message
-{
- local timestamp
- timestamp=
-
- if [ $VERBOSITY -ge 0 ]; then
- [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
- echo "${timestamp}$@"
- fi
-
- if [ $LOG_VERBOSITY -ge 0 ]; then
- timestamp="$(date +'%b %e %T') "
- echo "${timestamp}$@" >> $STARTUP_LOG
- fi
-}
-
-#
-# Set a standard chain's policy
-#
-setpolicy() # $1 = name of chain, $2 = policy
-{
- run_iptables -P $1 $2
-}
-
-#
-# Generate a list of all network interfaces on the system
-#
-find_all_interfaces() {
- ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Generate a list of all network interfaces on the system that have an ipvX address
-#
-find_all_interfaces1() {
- ${IP:-ip} -$g_family addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Find the value 'dev' in the passed arguments then echo the next value
-#
-
-find_device() {
- while [ $# -gt 1 ]; do
- [ "x$1" = xdev ] && echo $2 && return
- shift
- done
-}
-
-#
-# Find the value 'via' in the passed arguments then echo the next value
-#
-
-find_gateway() {
- while [ $# -gt 1 ]; do
- [ "x$1" = xvia ] && echo $2 && return
- shift
- done
-}
-
-#
-# Find the value 'mtu' in the passed arguments then echo the next value
-#
-
-find_mtu() {
- while [ $# -gt 1 ]; do
- [ "x$1" = xmtu ] && echo $2 && return
- shift
- done
-}
-
-#
-# Find the value 'peer' in the passed arguments then echo the next value up to
-# "/"
-#
-
-find_peer() {
- while [ $# -gt 1 ]; do
- [ "x$1" = xpeer ] && echo ${2%/*} && return
- shift
- done
-}
-
-#
-# Try to find the gateway through an interface looking for 'nexthop'
-
-find_nexthop() # $1 = interface
-{
- echo $(find_gateway `$IP -$g_family route list | grep "[[:space:]]nexthop.* $1"`)
-}
-
-#
-# Find the default route's interface
-#
-find_default_interface() {
- $IP -$g_family route list | while read first rest; do
- [ "$first" = default ] && echo $(find_device $rest) && return
- done
-}
-
-#
-# Determine if Interface is up
-#
-interface_is_up() {
- [ -n "$($IP -$g_family link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
-}
-
-#
-# echo the list of networks routed out of a given interface
-#
-get_routed_networks() # $1 = interface name, $2-n = Fatal error message
-{
- local address
- local rest
- local mask
-
- [ $g_family -eq 4 ] && mask=32 || mask=128
-
- $IP -$g_family route show dev $1 2> /dev/null |
- while read address rest; do
- case "$address" in
- default)
- if [ $# -gt 1 ]; then
- shift
- fatal_error "$@"
- else
- echo "WARNING: default route ignored on interface $1" >&2
- fi
- ;;
- multicast|broadcast|prohibit|nat|throw|nexthop)
- ;;
- [2-3]*)
- [ "$address" = "${address%/*}" ] && address="${address}/${mask}"
- echo $address
- ;;
- *)
- if [ $g_family -eq 4 ]; then
- [ "$address" = "${address%/*}" ] && address="${address}/${mask}"
- echo $address
- fi
- ;;
- esac
- done
-}
-
-#
-# Clear the current traffic shaping configuration
-#
-
-delete_tc1()
-{
- clear_one_tc() {
- $TC qdisc del dev ${1%@*} root 2> /dev/null
- $TC qdisc del dev ${1%@*} ingress 2> /dev/null
-
- }
-
- run_tcclear_exit
-
- run_ip link list | \
- while read inx interface details; do
- case $inx in
- [0-9]*)
- clear_one_tc ${interface%:}
- ;;
- *)
- ;;
- esac
- done
-}
-
-#
-# Detect a device's MTU -- echos the passed device's MTU
-#
-get_device_mtu() # $1 = device
-{
- local output
- output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-
- if [ -n "$output" ]; then
- echo $(find_mtu $output)
- else
- echo 1500
- fi
-}
-
-#
-# Version of the above that doesn't generate any output for MTU 1500.
-# Generates 'mtu ' otherwise, where is the device's MTU + 100
-#
-get_device_mtu1() # $1 = device
-{
- local output
- output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
- local mtu
-
- if [ -n "$output" ]; then
- mtu=$(find_mtu $output)
- if [ -n "$mtu" ]; then
- [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
- fi
- fi
-
-}
-
-#
-# Undo changes to routing
-#
-undo_routing() {
- local undofiles
- local f
-
- if [ -z "$g_noroutes" ]; then
- #
- # Restore rt_tables database
- #
- if [ -f ${VARDIR}/rt_tables ]; then
- [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
- rm -f ${VARDIR}/rt_tables
- fi
- #
- # Restore the rest of the routing table
- #
- undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
-
- if [ -n "$undofiles" ]; then
- for f in $undofiles; do
- . $f
- done
-
- rm -f $undofiles
-
- progress_message "Shorewall-generated routing tables and routing rules removed"
- fi
- fi
-
-}
-
-#
-# Save the default route
-#
-save_default_route() {
- awk \
- 'BEGIN {defroute=0;};
- /^default / {defroute=1; print; next};
- /nexthop/ {if (defroute == 1 ) {print ; next} };
- { defroute=0; };'
-}
-
-#
-# Restore the default route that was in place before the initial 'shorewall start'
-#
-replace_default_route() # $1 = USE_DEFAULT_RT
-{
- #
- # default_route and result are inherited from the caller
- #
- if [ -n "$default_route" ]; then
- case "$default_route" in
- *metric*)
- #
- # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
- #
- [ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
- default_route=
- ;;
- *)
- qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
- result=0
- default_route=
- ;;
- esac
- fi
-}
-
-#
-# Delete default routes with metric 0 from the passed routing table
-#
-delete_default_routes() # $1 = table number
-{
- $IP -$g_family route ls table $1 | grep -F default | grep -vF metric | while read route; do
- qt $IP -$g_family route del $route
- done
-}
-
-restore_default_route() # $1 = USE_DEFAULT_RT
-{
- local result
- result=1
-
- if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
- local default_route
- default_route=
- local route
-
- while read route ; do
- case $route in
- default*)
- replace_default_route $1
- default_route="$default_route $route"
- ;;
- *)
- default_route="$default_route $route"
- ;;
- esac
- done < ${VARDIR}/default_route
-
- replace_default_route $1
-
- if [ $result = 1 ]; then
- #
- # We didn't restore a default route with metric 0
- #
- if $IP -$g_family -o route list 2> /dev/null | grep -F default | grep -qvF metric; then
- #
- # But we added a default route with metric 0
- #
- qt $IP -$g_family route del default metric 0 && progress_message "Default route with metric 0 deleted"
- fi
- fi
-
- rm -f ${VARDIR}/default_route
- fi
-
- return $result
-}
-
-#
-# Flush the conntrack table if $g_purge is non-empty
-#
-conditionally_flush_conntrack() {
-
- if [ -n "$g_purge" ]; then
- if [ -n $(mywhich conntrack) ]; then
- conntrack -F
- else
- error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
- fi
- fi
-}
-
-#
-# Issue a message and stop/restore the firewall.
-#
-fatal_error()
-{
- echo " ERROR: $@" >&2
-
- if [ $LOG_VERBOSITY -ge 0 ]; then
- timestamp="$(date +'%b %e %T') "
- echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
- fi
-
- stop_firewall
- [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
- mutex_off
- exit 2
-}
-
-#
-# Run iptables/ip6tables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
- local status
-
- while [ 1 ]; do
- eval $g_tool $@
- status=$?
- [ $status -ne 4 ] && break
- done
-
- if [ $status -ne 0 ]; then
- error_message "ERROR: Command \"$g_tool $@\" Failed"
- stop_firewall
- exit 2
- fi
-}
-
-#
-# Run iptables/ip6tables retrying exit status 4
-#
-do_iptables()
-{
- local status
-
- while [ 1 ]; do
- $g_tool $@
- status=$?
- [ $status -ne 4 ] && return $status;
- done
-}
-
-#
-# Run ip and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
- if ! $IP -$g_family $@; then
- error_message "ERROR: Command \"$IP -$g_family $@\" Failed"
- stop_firewall
- exit 2
- fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
- if ! $TC $@ ; then
- error_message "ERROR: Command \"$TC $@\" Failed"
- stop_firewall
- exit 2
- fi
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
- local first second rest table chain
- #
- # Clear the ruleset
- #
- qt1 $g_tool -t mangle -F
- qt1 $g_tool -t mangle -X
-
- for chain in PREROUTING INPUT FORWARD POSTROUTING; do
- qt1 $g_tool -t mangle -P $chain ACCEPT
- done
-
- qt1 $g_tool -t raw -F
- qt1 $g_tool -t raw -X
-
- for chain in PREROUTING OUTPUT; do
- qt1 $g_tool -t raw -P $chain ACCEPT
- done
-
- qt1 $g_tool -t rawpost -F
- qt1 $g_tool -t rawpost -X
-
- for chain in POSTROUTING; do
- qt1 $g_tool -t rawpost -P $chain ACCEPT
- done
-
- qt1 $g_tool -t nat -F
- qt1 $g_tool -t nat -X
-
- for chain in PREROUTING POSTROUTING; do
- qt1 $g_tool -t nat -P $chain ACCEPT
- done
-
- qt1 $g_tool -t filter -F
- qt1 $g_tool -t filter -X
-
- for chain in INPUT FORWARD OUTPUT; do
- qt1 $g_tool -t filter -P $chain -P ACCEPT
- done
-
- while read first second rest; do
- case $first in
- -*)
- #
- # We can't call run_iptables() here because the rules may contain quoted strings
- #
- eval $g_tool -t $table $first $second $rest
-
- if [ $? -ne 0 ]; then
- error_message "ERROR: Command \"$g_tool -t $table $first $second $rest\" Failed"
- stop_firewall
- exit 2
- fi
- ;;
- :*)
- chain=${first#:}
-
- if [ "x$second" = x- ]; then
- do_iptables -t $table -N $chain
- else
- do_iptables -t $table -P $chain $second
- fi
-
- if [ $? -ne 0 ]; then
- error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
- stop_firewall
- exit 2
- fi
- ;;
- #
- # This grotesque hack with the table names works around a bug/feature with ash
- #
- '*'raw)
- table=raw
- ;;
- '*'rawpost)
- table=rawpost
- ;;
- '*'mangle)
- table=mangle
- ;;
- '*'nat)
- table=nat
- ;;
- '*'filter)
- table=filter
- ;;
- esac
- done
-}
-
-interface_enabled() {
- return $(cat ${VARDIR}/$1.status)
-}
-
-distribute_load() {
- local interface
- local currentload # Total load of enabled interfaces
- local load # Specified load of an enabled interface
- local mark # Mark of an enabled interface
- local totalload # Total load of all interfaces - usually 1.000000
- local nload # Normalized load of an enabled interface
- local var # Interface name to embed in a variable name
-
- totalload=$1
- shift
-
- currentload=0
-
- for interface in $@; do
- if interface_enabled $interface; then
- var=$(echo $interface | sed 's/[.-]/_/g')
- load=$(cat ${VARDIR}/${interface}_load)
- eval ${var}_load=$load
- mark=$(cat ${VARDIR}/${interface}_mark)
- eval ${var}_mark=$mark
- currentload=$( bc < /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
-}
-
-#
-# Find the value 'weight' in the passed arguments then echo the next value
-#
-find_weight() {
- while [ $# -gt 1 ]; do
- [ "x$1" = xweight ] && echo $2 && return
- shift
- done
-}
-
-#
-# Find the interfaces that have a route to the passed address - the default
-# route is not used.
-#
-
-find_rt_interface() {
- $IP -4 route list | while read addr rest; do
- case $addr in
- */*)
- in_network ${1%/*} $addr && echo $(find_device $rest)
- ;;
- default)
- ;;
- *)
- if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
- echo $(find_device $rest)
- fi
- ;;
- esac
- done
-}
-
-#
-# Echo the name of the interface(s) that will be used to send to the
-# passed address
-#
-
-find_interface_by_address() {
- local dev
- dev="$(find_rt_interface $1)"
- local first
- local rest
-
- [ -z "$dev" ] && dev=$(find_default_interface)
-
- [ -n "$dev" ] && echo $dev
-}
-
-#
-# echo the list of networks routed out of a given interface
-#
-get_routed_networks() # $1 = interface name, $2-n = Fatal error message
-{
- local address
- local rest
-
- $IP -4 route show dev $1 2> /dev/null |
- while read address rest; do
- case "$address" in
- default)
- if [ $# -gt 1 ]; then
- shift
- fatal_error "$@"
- else
- echo "WARNING: default route ignored on interface $1" >&2
- fi
- ;;
- multicast|broadcast|prohibit|nat|throw|nexthop)
- ;;
- *)
- [ "$address" = "${address%/*}" ] && address="${address}/32"
- echo $address
- ;;
- esac
- done
-}
-
-#
-# Get the broadcast addresses associated with an interface
-#
-get_interface_bcasts() # $1 = interface
-{
- local addresses
- addresses=
-
- $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
-}
-
-#
-# Delete IP address
-#
-del_ip_addr() # $1 = address, $2 = interface
-{
- [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
-}
-
-# Add IP Aliases
-#
-add_ip_aliases() # $* = List of addresses
-{
- local local
- local addresses
- local external
- local interface
- local inet
- local cidr
- local rest
- local val
- local arping
- arping=$(mywhich arping)
-
- address_details()
- {
- #
- # Folks feel uneasy if they don't see all of the same
- # decoration on these IP addresses that they see when their
- # distro's net config tool adds them. In an attempt to reduce
- # the anxiety level, we have the following code which sets
- # the VLSM and BRD from an existing address in the same network
- #
- # Get all of the lines that contain inet addresses with broadcast
- #
- $IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
- case $cidr in
- */*)
- if in_network $external $cidr; then
- echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
- break
- fi
- ;;
- esac
- done
- }
-
- do_one()
- {
- val=$(address_details)
-
- $IP addr add ${external}${val} dev $interface $label
- [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
- echo "$external $interface" >> $VARDIR/nat
- [ -n "$label" ] && label="with $label"
- progress_message " IP Address $external added to interface $interface $label"
- }
-
- progress_message "Adding IP Addresses..."
-
- while [ $# -gt 0 ]; do
- external=$1
- interface=$2
- label=
-
- if [ "$interface" != "${interface%:*}" ]; then
- label="${interface#*:}"
- interface="${interface%:*}"
- label="label $interface:$label"
- fi
-
- shift 2
-
- list_search $external $(find_interface_addresses $interface) || do_one
- done
-}
-
-#
-# Detect the gateway through a PPP or DHCP-configured interface
-#
-detect_dynamic_gateway() { # $1 = interface
- local interface
- interface=$1
- local GATEWAYS
- GATEWAYS=
- local gateway
- local file
-
- gateway=$(run_findgw_exit $1);
-
- if [ -z "$gateway" ]; then
- gateway=$( find_peer $($IP addr list $interface ) )
- fi
-
- file="${VARLIB}/dhcpcd/dhcpcd-${1}.info"
- if [ -z "$gateway" -a -f "${file}" ]; then
- eval $(grep ^GATEWAYS= "${file}" 2> /dev/null)
- [ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
- fi
-
- for file in \
- "${VARLIB}/dhcp/dhclient-${1}.lease" \
- "${VARLIB}/dhcp/dhclient.${1}.leases"
- do
- [ -n "$gateway" ] && break
- if [ -f "${file}" ]; then
- gateway=$(grep 'option routers' "${file}" | tail -n 1 | while read j1 j2 gateway; do echo "${gateway%\;}" ; return 0; done)
- fi
- done
-
- [ -n "$gateway" ] && echo $gateway
-}
-
-#
-# Detect the gateway through an interface
-#
-detect_gateway() # $1 = interface
-{
- local interface
- interface=$1
- local gateway
- #
- # First assume that this is some sort of dynamic interface
- #
- gateway=$( detect_dynamic_gateway $interface )
- #
- # Maybe there's a default route through this gateway already
- #
- [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
- #
- # Last hope -- is there a load-balancing route through the interface?
- #
- [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
- #
- # Be sure we found one
- #
- [ -n "$gateway" ] && echo $gateway
-}
-
-#
-# Disable IPV6
-#
-disable_ipv6() {
- local temp
- temp="$($IP -f inet6 addr list 2> /dev/null)"
-
- if [ -n "$temp" ]; then
- if [ -x "$IP6TABLES" ]; then
- $IP6TABLES -P FORWARD DROP
- $IP6TABLES -P INPUT DROP
- $IP6TABLES -P OUTPUT DROP
- $IP6TABLES -F
- $IP6TABLES -X
-
- for temp in $(find_loopback_interfaces); do
- $IP6TABLES -A OUTPUT -o $temp -j ACCEPT
- $IP6TABLES -A INPUT -i $temp -j ACCEPT
- done
- else
- error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
- fi
- fi
-}
-
-#
-# Add an additional gateway to the default route
-#
-add_gateway() # $1 = Delta $2 = Table Number
-{
- local route
- local weight
- local delta
- local dev
-
- route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
-
- if [ -z "$route" ]; then
- run_ip route add default scope global table $2 $1
- else
- delta=$1
-
- if ! echo $route | grep -qF ' nexthop '; then
- if echo $route | grep -qF via; then
- route=`echo $route | sed 's/via/nexthop via/'`
- else
- route="nexthop $route"
- fi
-
- dev=$(find_device $route)
- if [ -f ${VARDIR}/${dev}_weight ]; then
- weight=`cat ${VARDIR}/${dev}_weight`
- route="$route weight $weight"
- fi
- fi
-
- run_ip route replace default scope global table $2 $route $delta
- fi
-}
-
-#
-# Remove a gateway from the default route
-#
-delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
-{
- local route
- local gateway
- local dev
-
- route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
- gateway=$1
-
- if [ -n "$route" ]; then
- if echo $route | grep -qF ' nexthop '; then
- gateway="nexthop $gateway"
- eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
- run_ip route replace table $2 $route
- else
- dev=$(find_device $route)
- [ "$dev" = "$3" ] && run_ip route delete default table $2
- fi
- fi
-}
-
-#
-# Determine the MAC address of the passed IP through the passed interface
-#
-find_mac() # $1 = IP address, $2 = interface
-{
- if interface_is_usable $2 ; then
- qt ping -nc 1 -t 2 -I $2 $1
-
- local result
- result=$($IP neigh list | awk "/^$1 / {print \$5}")
-
- case $result in
- \<*\>)
- ;;
- *)
- [ -n "$result" ] && echo $result
- ;;
- esac
- fi
-}
-
-#
-# Clear Proxy Arp
-#
-delete_proxyarp() {
- if [ -f ${VARDIR}/proxyarp ]; then
- while read address interface external haveroute; do
- qtnoin $IP -4 neigh del proxy $address dev $external
- [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
- f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
- [ -f $f ] && echo 0 > $f
- done < ${VARDIR}/proxyarp
-
- rm -f ${VARDIR}/proxyarp
- fi
-}
-
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
- stop_firewall
-
- setpolicy INPUT ACCEPT
- setpolicy FORWARD ACCEPT
- setpolicy OUTPUT ACCEPT
-
- run_iptables -F
- qt $IPTABLES -t raw -F
-
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- if [ -n "$DISABLE_IPV6" ]; then
- if [ -x $IP6TABLES ]; then
- $IP6TABLES -P INPUT ACCEPT 2> /dev/null
- $IP6TABLES -P OUTPUT ACCEPT 2> /dev/null
- $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
- fi
- fi
-
- run_clear_exit
-
- set_state "Cleared"
-
- logger -p kern.info "$g_product Cleared"
-}
-
-#
-# Get a list of all configured broadcast addresses on the system
-#
-get_all_bcasts()
-{
- $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
-}
-
-?else
-#################################################################################
-# IPv6-specific Functions
-#################################################################################
-#
-# Determine if interface is usable from a Netfilter perspective
-#
-interface_is_usable() # $1 = interface
-{
- local status;
- status=0
-
- if [ "$1" != lo ]; then
- if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
- [ "$COMMAND" = enable ] || run_isusable_exit $1
- status=$?
- else
- status=1
- fi
- fi
-
- return $status
-}
-
-#
-# Find interface addresses--returns the set of addresses assigned to the passed device
-#
-find_interface_addresses() # $1 = interface
-{
- $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
-}
-
-#
-# Get all interface addresses with VLSMs
-#
-
-find_interface_full_addresses() # $1 = interface
-{
- $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
-}
-
-#
-# Normalize an IPv6 Address by compressing out consecutive zero elements
-#
-normalize_address() # $1 = valid IPv6 Address
-{
- local address
- address=$1
- local j
-
- while true; do
- case $address in
- ::*)
- address=0$address
- ;;
- *::*)
- list_count $(split $address)
-
- j=$?
-
- if [ $j -eq 7 ]; then
- address=${address%::*}:0:${address#*::}
- elif [ $j -eq 8 ]; then
- $address=${address%::*}:${address#*::}
- break 2
- else
- address=${address%::*}:0::${address#*::}
- fi
- ;;
- *)
- echo $address
- break 2
- ;;
- esac
- done
-}
-
-#
-# Reads correctly-formed and fully-qualified host and subnet addresses from STDIN. For each
-# that defines a /120 or larger network, it sends to STDOUT:
-#
-# The corresponding subnet-router anycast address (all host address bits are zero)
-# The corresponding anycast addresses defined by RFC 2526 (the last 128 addresses in the subnet)
-#
-convert_to_anycast() {
- local address
- local badress
- local vlsm
- local host
- local o
- local m
- m=
- local z
- z=65535
- local l
-
- while read address; do
- case $address in
- 2*|3*)
- vlsm=${address#*/}
- vlsm=${vlsm:=128}
-
- if [ $vlsm -le 120 ]; then
- #
- # Defines a viable subnet -- first get the subnet-router anycast address
- #
- host=$((128 - $vlsm))
-
- address=$(normalize_address ${address%/*})
-
- while [ $host -ge 16 ]; do
- address=${address%:*}
- host=$(($host - 16))
- done
-
- if [ $host -gt 0 ]; then
- #
- # VLSM is not a multiple of 16
- #
- host=$((16 - $host))
- o=$((0x${address##*:}))
- m=0
- while [ $host -gt 0 ]; do
- m=$((($m >> 1) | 0x8000))
- z=$(($z >> 1))
- host=$(($host - 1))
- done
-
- o=$(($o & $m))
-
- badress=${address%:*}
-
- address=$badress:$(printf %04x $o)
-
- z=$(($o | $z))
-
- if [ $vlsm -gt 112 ]; then
- z=$(($z & 0xff80))
- fi
-
- badress=$badress:$(printf %04x $z)
- else
- badress=$address
- fi
- #
- # Note: at this point $address and $badress are the same except possibly for
- # the contents of the last half-word
- #
- list_count $(split $address)
-
- l=$?
- #
- # Now generate the anycast addresses defined by RFC 2526
- #
- if [ $l -lt 8 ]; then
- #
- # The subnet-router address
- #
- echo $address::
-
- while [ $l -lt 8 ]; do
- badress=$badress:ffff
- l=$(($l + 1 ))
- done
- else
- #
- # The subnet-router address
- #
- echo $address
- fi
- #
- # And the RFC 2526 addresses
- #
- echo $badress/121
- fi
- ;;
- esac
- done
-}
-
-#
-# Generate a list of anycast addresses for a given interface
-#
-
-get_interface_acasts() # $1 = interface
-{
- local addresses
- addresses=
-
- find_interface_full_addresses $1 | convert_to_anycast | sort -u
-}
-
-#
-# Get a list of all configured anycast addresses on the system
-#
-get_all_acasts()
-{
- find_interface_full_addresses | convert_to_anycast | sort -u
-}
-
-#
-# Detect the gateway through an interface
-#
-detect_gateway() # $1 = interface
-{
- local interface
- interface=$1
- #
- # First assume that this is some sort of point-to-point interface
- #
- gateway=$( find_peer $($IP -6 addr list $interface ) )
- #
- # Maybe there's a default route through this gateway already
- #
- [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
- #
- # Last hope -- is there a load-balancing route through the interface?
- #
- [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
- #
- # Be sure we found one
- #
- [ -n "$gateway" ] && echo $gateway
-}
-
-#
-# Add an additional gateway to the default route
-#
-add_gateway() # $1 = Delta $2 = Table Number
-{
- local route
- local weight
- local delta
- local dev
-
- run_ip route add default scope global table $2 $1
-}
-
-#
-# Remove a gateway from the default route
-#
-delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
-{
- local route
- local gateway
- local dev
-
- route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
- gateway=$1
-
- dev=$(find_device $route)
- [ "$dev" = "$3" ] && run_ip route delete default table $2
-}
-
-#
-# Clear Proxy NDP
-#
-delete_proxyndp() {
- if [ -f ${VARDIR}/proxyndp ]; then
- while read address interface external haveroute; do
- qt $IP -6 neigh del proxy $address dev $external
- [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface
- f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp
- [ -f $f ] && echo 0 > $f
- done < ${VARDIR}/proxyndp
-
- rm -f ${VARDIR}/proxyndp
- fi
-}
-
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
- stop_firewall
-
- setpolicy INPUT ACCEPT
- setpolicy FORWARD ACCEPT
- setpolicy OUTPUT ACCEPT
-
- run_iptables -F
- qt $IP6TABLES -t raw -F
-
- echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-
- run_clear_exit
-
- set_state "Cleared"
-
- logger -p kern.info "$g_product Cleared"
-}
-
-?endif # IPv6-specific functions.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Perl/lib.runtime shorewall-5.0.9/Perl/lib.runtime
--- shorewall-5.0.8/Perl/lib.runtime 1969-12-31 16:00:00.000000000 -0800
+++ shorewall-5.0.9/Perl/lib.runtime 2016-05-22 17:50:51.000000000 -0700
@@ -0,0 +1,1376 @@
+# (c) 1999-2016 - Tom Eastep (teastep@shorewall.net)
+#
+# This program is part of Shorewall.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by the
+# Free Software Foundation, either version 2 of the license or, at your
+# option, any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, see .
+#
+# Options are:
+#
+# -n Do not alter Routing
+# -v and -q Standard Shorewall Verbosity control
+# -t Timestamp progress messages
+# -p Purge conntrack table
+# -r Recover from failed start/reload
+# -V Set verbosity level explicitly
+# -R Overrides RESTOREFILE setting
+#
+# Commands are:
+#
+# clear Removes all firewall rules
+# disable Disable an optional interface
+# down Stop an optional interface
+# enable Enable an optional interface
+# help Show command syntax
+# reenable Disable then nable an optional
+# interface
+# refresh Refresh the firewall
+# reload Reload the firewall
+# restart Restarts the firewall
+# restore Restore a saved configuration
+# reset Reset byte and packet counters
+# run Call a function in this program
+# savesets Save the ipset contents
+# status Displays firewall status
+# start Starts the firewall
+# stop Stops the firewall
+# up Start an optional interface
+# version Displays the version of Shorewall that
+# generated this program
+#
+################################################################################
+# Functions imported from /usr/share/shorewall/lib.runtime
+################################################################################
+# Address family-neutral Functions
+################################################################################
+#
+# Conditionally produce message
+#
+progress_message() # $* = Message
+{
+ local timestamp
+ timestamp=
+
+ if [ $VERBOSITY -gt 1 ]; then
+ [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+ echo "${timestamp}$@"
+ fi
+
+ if [ $LOG_VERBOSITY -gt 1 ]; then
+ timestamp="$(date +'%b %e %T') "
+ echo "${timestamp}$@" >> $STARTUP_LOG
+ fi
+}
+
+progress_message2() # $* = Message
+{
+ local timestamp
+ timestamp=
+
+ if [ $VERBOSITY -gt 0 ]; then
+ [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+ echo "${timestamp}$@"
+ fi
+
+ if [ $LOG_VERBOSITY -gt 0 ]; then
+ timestamp="$(date +'%b %e %T') "
+ echo "${timestamp}$@" >> $STARTUP_LOG
+ fi
+}
+
+progress_message3() # $* = Message
+{
+ local timestamp
+ timestamp=
+
+ if [ $VERBOSITY -ge 0 ]; then
+ [ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+ echo "${timestamp}$@"
+ fi
+
+ if [ $LOG_VERBOSITY -ge 0 ]; then
+ timestamp="$(date +'%b %e %T') "
+ echo "${timestamp}$@" >> $STARTUP_LOG
+ fi
+}
+
+#
+# Set a standard chain's policy
+#
+setpolicy() # $1 = name of chain, $2 = policy
+{
+ run_iptables -P $1 $2
+}
+
+#
+# Generate a list of all network interfaces on the system
+#
+find_all_interfaces() {
+ ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Generate a list of all network interfaces on the system that have an ipvX address
+#
+find_all_interfaces1() {
+ ${IP:-ip} -$g_family addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Find the value 'dev' in the passed arguments then echo the next value
+#
+
+find_device() {
+ while [ $# -gt 1 ]; do
+ [ "x$1" = xdev ] && echo $2 && return
+ shift
+ done
+}
+
+#
+# Find the value 'via' in the passed arguments then echo the next value
+#
+
+find_gateway() {
+ while [ $# -gt 1 ]; do
+ [ "x$1" = xvia ] && echo $2 && return
+ shift
+ done
+}
+
+#
+# Find the value 'mtu' in the passed arguments then echo the next value
+#
+
+find_mtu() {
+ while [ $# -gt 1 ]; do
+ [ "x$1" = xmtu ] && echo $2 && return
+ shift
+ done
+}
+
+#
+# Find the value 'peer' in the passed arguments then echo the next value up to
+# "/"
+#
+
+find_peer() {
+ while [ $# -gt 1 ]; do
+ [ "x$1" = xpeer ] && echo ${2%/*} && return
+ shift
+ done
+}
+
+#
+# Try to find the gateway through an interface looking for 'nexthop'
+
+find_nexthop() # $1 = interface
+{
+ echo $(find_gateway `$IP -$g_family route list | grep "[[:space:]]nexthop.* $1"`)
+}
+
+#
+# Find the default route's interface
+#
+find_default_interface() {
+ $IP -$g_family route list | while read first rest; do
+ [ "$first" = default ] && echo $(find_device $rest) && return
+ done
+}
+
+#
+# Determine if Interface is up
+#
+interface_is_up() {
+ [ -n "$($IP -$g_family link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
+}
+
+#
+# echo the list of networks routed out of a given interface
+#
+get_routed_networks() # $1 = interface name, $2-n = Fatal error message
+{
+ local address
+ local rest
+ local mask
+
+ [ $g_family -eq 4 ] && mask=32 || mask=128
+
+ $IP -$g_family route show dev $1 2> /dev/null |
+ while read address rest; do
+ case "$address" in
+ default)
+ if [ $# -gt 1 ]; then
+ shift
+ fatal_error "$@"
+ else
+ echo "WARNING: default route ignored on interface $1" >&2
+ fi
+ ;;
+ multicast|broadcast|prohibit|nat|throw|nexthop)
+ ;;
+ [2-3]*)
+ [ "$address" = "${address%/*}" ] && address="${address}/${mask}"
+ echo $address
+ ;;
+ *)
+ if [ $g_family -eq 4 ]; then
+ [ "$address" = "${address%/*}" ] && address="${address}/${mask}"
+ echo $address
+ fi
+ ;;
+ esac
+ done
+}
+
+#
+# Clear the current traffic shaping configuration
+#
+
+delete_tc1()
+{
+ clear_one_tc() {
+ $TC qdisc del dev ${1%@*} root 2> /dev/null
+ $TC qdisc del dev ${1%@*} ingress 2> /dev/null
+
+ }
+
+ run_tcclear_exit
+
+ run_ip link list | \
+ while read inx interface details; do
+ case $inx in
+ [0-9]*)
+ clear_one_tc ${interface%:}
+ ;;
+ *)
+ ;;
+ esac
+ done
+}
+
+#
+# Detect a device's MTU -- echos the passed device's MTU
+#
+get_device_mtu() # $1 = device
+{
+ local output
+ output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+
+ if [ -n "$output" ]; then
+ echo $(find_mtu $output)
+ else
+ echo 1500
+ fi
+}
+
+#
+# Version of the above that doesn't generate any output for MTU 1500.
+# Generates 'mtu ' otherwise, where is the device's MTU + 100
+#
+get_device_mtu1() # $1 = device
+{
+ local output
+ output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+ local mtu
+
+ if [ -n "$output" ]; then
+ mtu=$(find_mtu $output)
+ if [ -n "$mtu" ]; then
+ [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
+ fi
+ fi
+
+}
+
+#
+# Undo changes to routing
+#
+undo_routing() {
+ local undofiles
+ local f
+
+ if [ -z "$g_noroutes" ]; then
+ #
+ # Restore rt_tables database
+ #
+ if [ -f ${VARDIR}/rt_tables ]; then
+ [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
+ rm -f ${VARDIR}/rt_tables
+ fi
+ #
+ # Restore the rest of the routing table
+ #
+ undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
+
+ if [ -n "$undofiles" ]; then
+ for f in $undofiles; do
+ . $f
+ done
+
+ rm -f $undofiles
+
+ progress_message "Shorewall-generated routing tables and routing rules removed"
+ fi
+ fi
+
+}
+
+#
+# Save the default route
+#
+save_default_route() {
+ awk \
+ 'BEGIN {defroute=0;};
+ /^default / {defroute=1; print; next};
+ /nexthop/ {if (defroute == 1 ) {print ; next} };
+ { defroute=0; };'
+}
+
+#
+# Restore the default route that was in place before the initial 'shorewall start'
+#
+replace_default_route() # $1 = USE_DEFAULT_RT
+{
+ #
+ # default_route and result are inherited from the caller
+ #
+ if [ -n "$default_route" ]; then
+ case "$default_route" in
+ *metric*)
+ #
+ # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
+ #
+ [ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
+ default_route=
+ ;;
+ *)
+ qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
+ result=0
+ default_route=
+ ;;
+ esac
+ fi
+}
+
+#
+# Delete default routes with metric 0 from the passed routing table
+#
+delete_default_routes() # $1 = table number
+{
+ $IP -$g_family route ls table $1 | grep -F default | grep -vF metric | while read route; do
+ qt $IP -$g_family route del $route
+ done
+}
+
+restore_default_route() # $1 = USE_DEFAULT_RT
+{
+ local result
+ result=1
+
+ if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
+ local default_route
+ default_route=
+ local route
+
+ while read route ; do
+ case $route in
+ default*)
+ replace_default_route $1
+ default_route="$default_route $route"
+ ;;
+ *)
+ default_route="$default_route $route"
+ ;;
+ esac
+ done < ${VARDIR}/default_route
+
+ replace_default_route $1
+
+ if [ $result = 1 ]; then
+ #
+ # We didn't restore a default route with metric 0
+ #
+ if $IP -$g_family -o route list 2> /dev/null | grep -F default | grep -qvF metric; then
+ #
+ # But we added a default route with metric 0
+ #
+ qt $IP -$g_family route del default metric 0 && progress_message "Default route with metric 0 deleted"
+ fi
+ fi
+
+ rm -f ${VARDIR}/default_route
+ fi
+
+ return $result
+}
+
+#
+# Flush the conntrack table if $g_purge is non-empty
+#
+conditionally_flush_conntrack() {
+
+ if [ -n "$g_purge" ]; then
+ if [ -n $(mywhich conntrack) ]; then
+ conntrack -F
+ else
+ error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
+ fi
+ fi
+}
+
+#
+# Issue a message and stop/restore the firewall.
+#
+fatal_error()
+{
+ echo " ERROR: $@" >&2
+
+ if [ $LOG_VERBOSITY -ge 0 ]; then
+ timestamp="$(date +'%b %e %T') "
+ echo "${timestamp} ERROR: $@" >> $STARTUP_LOG
+ fi
+
+ stop_firewall
+ [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+ mutex_off
+ exit 2
+}
+
+#
+# Run iptables/ip6tables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+ local status
+
+ while [ 1 ]; do
+ eval $g_tool $@
+ status=$?
+ [ $status -ne 4 ] && break
+ done
+
+ if [ $status -ne 0 ]; then
+ error_message "ERROR: Command \"$g_tool $@\" Failed"
+ stop_firewall
+ exit 2
+ fi
+}
+
+#
+# Run iptables/ip6tables retrying exit status 4
+#
+do_iptables()
+{
+ local status
+
+ while [ 1 ]; do
+ $g_tool $@
+ status=$?
+ [ $status -ne 4 ] && return $status;
+ done
+}
+
+#
+# Run ip and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+ if ! $IP -$g_family $@; then
+ error_message "ERROR: Command \"$IP -$g_family $@\" Failed"
+ stop_firewall
+ exit 2
+ fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+ if ! $TC $@ ; then
+ error_message "ERROR: Command \"$TC $@\" Failed"
+ stop_firewall
+ exit 2
+ fi
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+ local first second rest table chain
+ #
+ # Clear the ruleset
+ #
+ qt1 $g_tool -t mangle -F
+ qt1 $g_tool -t mangle -X
+
+ for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+ qt1 $g_tool -t mangle -P $chain ACCEPT
+ done
+
+ qt1 $g_tool -t raw -F
+ qt1 $g_tool -t raw -X
+
+ for chain in PREROUTING OUTPUT; do
+ qt1 $g_tool -t raw -P $chain ACCEPT
+ done
+
+ qt1 $g_tool -t rawpost -F
+ qt1 $g_tool -t rawpost -X
+
+ for chain in POSTROUTING; do
+ qt1 $g_tool -t rawpost -P $chain ACCEPT
+ done
+
+ qt1 $g_tool -t nat -F
+ qt1 $g_tool -t nat -X
+
+ for chain in PREROUTING POSTROUTING; do
+ qt1 $g_tool -t nat -P $chain ACCEPT
+ done
+
+ qt1 $g_tool -t filter -F
+ qt1 $g_tool -t filter -X
+
+ for chain in INPUT FORWARD OUTPUT; do
+ qt1 $g_tool -t filter -P $chain -P ACCEPT
+ done
+
+ while read first second rest; do
+ case $first in
+ -*)
+ #
+ # We can't call run_iptables() here because the rules may contain quoted strings
+ #
+ eval $g_tool -t $table $first $second $rest
+
+ if [ $? -ne 0 ]; then
+ error_message "ERROR: Command \"$g_tool -t $table $first $second $rest\" Failed"
+ stop_firewall
+ exit 2
+ fi
+ ;;
+ :*)
+ chain=${first#:}
+
+ if [ "x$second" = x- ]; then
+ do_iptables -t $table -N $chain
+ else
+ do_iptables -t $table -P $chain $second
+ fi
+
+ if [ $? -ne 0 ]; then
+ error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
+ stop_firewall
+ exit 2
+ fi
+ ;;
+ #
+ # This grotesque hack with the table names works around a bug/feature with ash
+ #
+ '*'raw)
+ table=raw
+ ;;
+ '*'rawpost)
+ table=rawpost
+ ;;
+ '*'mangle)
+ table=mangle
+ ;;
+ '*'nat)
+ table=nat
+ ;;
+ '*'filter)
+ table=filter
+ ;;
+ esac
+ done
+}
+
+interface_enabled() {
+ return $(cat ${VARDIR}/$1.status)
+}
+
+distribute_load() {
+ local interface
+ local currentload # Total load of enabled interfaces
+ local load # Specified load of an enabled interface
+ local mark # Mark of an enabled interface
+ local totalload # Total load of all interfaces - usually 1.000000
+ local nload # Normalized load of an enabled interface
+ local var # Interface name to embed in a variable name
+
+ totalload=$1
+ shift
+
+ currentload=0
+
+ for interface in $@; do
+ if interface_enabled $interface; then
+ var=$(echo $interface | sed 's/[.-]/_/g')
+ load=$(cat ${VARDIR}/${interface}_load)
+ eval ${var}_load=$load
+ mark=$(cat ${VARDIR}/${interface}_mark)
+ eval ${var}_mark=$mark
+ currentload=$( bc < /dev/null | grep inet\ | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+}
+
+#
+# Find the value 'weight' in the passed arguments then echo the next value
+#
+find_weight() {
+ while [ $# -gt 1 ]; do
+ [ "x$1" = xweight ] && echo $2 && return
+ shift
+ done
+}
+
+#
+# Find the interfaces that have a route to the passed address - the default
+# route is not used.
+#
+
+find_rt_interface() {
+ $IP -4 route list | while read addr rest; do
+ case $addr in
+ */*)
+ in_network ${1%/*} $addr && echo $(find_device $rest)
+ ;;
+ default)
+ ;;
+ *)
+ if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
+ echo $(find_device $rest)
+ fi
+ ;;
+ esac
+ done
+}
+
+#
+# Echo the name of the interface(s) that will be used to send to the
+# passed address
+#
+
+find_interface_by_address() {
+ local dev
+ dev="$(find_rt_interface $1)"
+ local first
+ local rest
+
+ [ -z "$dev" ] && dev=$(find_default_interface)
+
+ [ -n "$dev" ] && echo $dev
+}
+
+#
+# echo the list of networks routed out of a given interface
+#
+get_routed_networks() # $1 = interface name, $2-n = Fatal error message
+{
+ local address
+ local rest
+
+ $IP -4 route show dev $1 2> /dev/null |
+ while read address rest; do
+ case "$address" in
+ default)
+ if [ $# -gt 1 ]; then
+ shift
+ fatal_error "$@"
+ else
+ echo "WARNING: default route ignored on interface $1" >&2
+ fi
+ ;;
+ multicast|broadcast|prohibit|nat|throw|nexthop)
+ ;;
+ *)
+ [ "$address" = "${address%/*}" ] && address="${address}/32"
+ echo $address
+ ;;
+ esac
+ done
+}
+
+#
+# Get the broadcast addresses associated with an interface
+#
+get_interface_bcasts() # $1 = interface
+{
+ local addresses
+ addresses=
+
+ $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+#
+# Delete IP address
+#
+del_ip_addr() # $1 = address, $2 = interface
+{
+ [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
+}
+
+# Add IP Aliases
+#
+add_ip_aliases() # $* = List of addresses
+{
+ local local
+ local addresses
+ local external
+ local interface
+ local inet
+ local cidr
+ local rest
+ local val
+ local arping
+ arping=$(mywhich arping)
+
+ address_details()
+ {
+ #
+ # Folks feel uneasy if they don't see all of the same
+ # decoration on these IP addresses that they see when their
+ # distro's net config tool adds them. In an attempt to reduce
+ # the anxiety level, we have the following code which sets
+ # the VLSM and BRD from an existing address in the same network
+ #
+ # Get all of the lines that contain inet addresses with broadcast
+ #
+ $IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
+ case $cidr in
+ */*)
+ if in_network $external $cidr; then
+ echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
+ break
+ fi
+ ;;
+ esac
+ done
+ }
+
+ do_one()
+ {
+ val=$(address_details)
+
+ $IP addr add ${external}${val} dev $interface $label
+ [ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
+ echo "$external $interface" >> $VARDIR/nat
+ [ -n "$label" ] && label="with $label"
+ progress_message " IP Address $external added to interface $interface $label"
+ }
+
+ progress_message "Adding IP Addresses..."
+
+ while [ $# -gt 0 ]; do
+ external=$1
+ interface=$2
+ label=
+
+ if [ "$interface" != "${interface%:*}" ]; then
+ label="${interface#*:}"
+ interface="${interface%:*}"
+ label="label $interface:$label"
+ fi
+
+ shift 2
+
+ list_search $external $(find_interface_addresses $interface) || do_one
+ done
+}
+
+#
+# Detect the gateway through a PPP or DHCP-configured interface
+#
+detect_dynamic_gateway() { # $1 = interface
+ local interface
+ interface=$1
+ local GATEWAYS
+ GATEWAYS=
+ local gateway
+ local file
+
+ gateway=$(run_findgw_exit $1);
+
+ if [ -z "$gateway" ]; then
+ gateway=$( find_peer $($IP addr list $interface ) )
+ fi
+
+ file="${VARLIB}/dhcpcd/dhcpcd-${1}.info"
+ if [ -z "$gateway" -a -f "${file}" ]; then
+ eval $(grep ^GATEWAYS= "${file}" 2> /dev/null)
+ [ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
+ fi
+
+ for file in \
+ "${VARLIB}/dhcp/dhclient-${1}.lease" \
+ "${VARLIB}/dhcp/dhclient.${1}.leases"
+ do
+ [ -n "$gateway" ] && break
+ if [ -f "${file}" ]; then
+ gateway=$(grep 'option routers' "${file}" | tail -n 1 | while read j1 j2 gateway; do echo "${gateway%\;}" ; return 0; done)
+ fi
+ done
+
+ [ -n "$gateway" ] && echo $gateway
+}
+
+#
+# Detect the gateway through an interface
+#
+detect_gateway() # $1 = interface
+{
+ local interface
+ interface=$1
+ local gateway
+ #
+ # First assume that this is some sort of dynamic interface
+ #
+ gateway=$( detect_dynamic_gateway $interface )
+ #
+ # Maybe there's a default route through this gateway already
+ #
+ [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
+ #
+ # Last hope -- is there a load-balancing route through the interface?
+ #
+ [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
+ #
+ # Be sure we found one
+ #
+ [ -n "$gateway" ] && echo $gateway
+}
+
+#
+# Disable IPV6
+#
+disable_ipv6() {
+ local temp
+ temp="$($IP -f inet6 addr list 2> /dev/null)"
+
+ if [ -n "$temp" ]; then
+ if [ -x "$IP6TABLES" ]; then
+ $IP6TABLES -P FORWARD DROP
+ $IP6TABLES -P INPUT DROP
+ $IP6TABLES -P OUTPUT DROP
+ $IP6TABLES -F
+ $IP6TABLES -X
+
+ for temp in $(find_loopback_interfaces); do
+ $IP6TABLES -A OUTPUT -o $temp -j ACCEPT
+ $IP6TABLES -A INPUT -i $temp -j ACCEPT
+ done
+ else
+ error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
+ fi
+ fi
+}
+
+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
+{
+ local route
+ local weight
+ local delta
+ local dev
+
+ route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
+
+ if [ -z "$route" ]; then
+ run_ip route add default scope global table $2 $1
+ else
+ delta=$1
+
+ if ! echo $route | grep -qF ' nexthop '; then
+ if echo $route | grep -qF via; then
+ route=`echo $route | sed 's/via/nexthop via/'`
+ else
+ route="nexthop $route"
+ fi
+
+ dev=$(find_device $route)
+ if [ -f ${VARDIR}/${dev}_weight ]; then
+ weight=`cat ${VARDIR}/${dev}_weight`
+ route="$route weight $weight"
+ fi
+ fi
+
+ run_ip route replace default scope global table $2 $route $delta
+ fi
+}
+
+#
+# Remove a gateway from the default route
+#
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
+{
+ local route
+ local gateway
+ local dev
+
+ route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+ gateway=$1
+
+ if [ -n "$route" ]; then
+ if echo $route | grep -qF ' nexthop '; then
+ gateway="nexthop $gateway"
+ eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
+ run_ip route replace table $2 $route
+ else
+ dev=$(find_device $route)
+ [ "$dev" = "$3" ] && run_ip route delete default table $2
+ fi
+ fi
+}
+
+#
+# Determine the MAC address of the passed IP through the passed interface
+#
+find_mac() # $1 = IP address, $2 = interface
+{
+ if interface_is_usable $2 ; then
+ qt ping -nc 1 -t 2 -I $2 $1
+
+ local result
+ result=$($IP neigh list | awk "/^$1 / {print \$5}")
+
+ case $result in
+ \<*\>)
+ ;;
+ *)
+ [ -n "$result" ] && echo $result
+ ;;
+ esac
+ fi
+}
+
+#
+# Clear Proxy Arp
+#
+delete_proxyarp() {
+ if [ -f ${VARDIR}/proxyarp ]; then
+ while read address interface external haveroute; do
+ qtnoin $IP -4 neigh del proxy $address dev $external
+ [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
+ f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
+ [ -f $f ] && echo 0 > $f
+ done < ${VARDIR}/proxyarp
+
+ rm -f ${VARDIR}/proxyarp
+ fi
+}
+
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+ stop_firewall
+
+ setpolicy INPUT ACCEPT
+ setpolicy FORWARD ACCEPT
+ setpolicy OUTPUT ACCEPT
+
+ run_iptables -F
+ qt $IPTABLES -t raw -F
+
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ if [ -n "$DISABLE_IPV6" ]; then
+ if [ -x $IP6TABLES ]; then
+ $IP6TABLES -P INPUT ACCEPT 2> /dev/null
+ $IP6TABLES -P OUTPUT ACCEPT 2> /dev/null
+ $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
+ fi
+ fi
+
+ run_clear_exit
+
+ set_state "Cleared"
+
+ logger -p kern.info "$g_product Cleared"
+}
+
+#
+# Get a list of all configured broadcast addresses on the system
+#
+get_all_bcasts()
+{
+ $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+?else
+#################################################################################
+# IPv6-specific Functions
+#################################################################################
+#
+# Determine if interface is usable from a Netfilter perspective
+#
+interface_is_usable() # $1 = interface
+{
+ local status;
+ status=0
+
+ if [ "$1" != lo ]; then
+ if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
+ [ "$COMMAND" = enable ] || run_isusable_exit $1
+ status=$?
+ else
+ status=1
+ fi
+ fi
+
+ return $status
+}
+
+#
+# Find interface addresses--returns the set of addresses assigned to the passed device
+#
+find_interface_addresses() # $1 = interface
+{
+ $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer [0-9a-f:]*//'
+}
+
+#
+# Get all interface addresses with VLSMs
+#
+
+find_interface_full_addresses() # $1 = interface
+{
+ $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer [0-9a-f:]*//'
+}
+
+#
+# Normalize an IPv6 Address by compressing out consecutive zero elements
+#
+normalize_address() # $1 = valid IPv6 Address
+{
+ local address
+ address=$1
+ local j
+
+ while true; do
+ case $address in
+ ::*)
+ address=0$address
+ ;;
+ *::*)
+ list_count $(split $address)
+
+ j=$?
+
+ if [ $j -eq 7 ]; then
+ address=${address%::*}:0:${address#*::}
+ elif [ $j -eq 8 ]; then
+ $address=${address%::*}:${address#*::}
+ break 2
+ else
+ address=${address%::*}:0::${address#*::}
+ fi
+ ;;
+ *)
+ echo $address
+ break 2
+ ;;
+ esac
+ done
+}
+
+#
+# Reads correctly-formed and fully-qualified host and subnet addresses from STDIN. For each
+# that defines a /120 or larger network, it sends to STDOUT:
+#
+# The corresponding subnet-router anycast address (all host address bits are zero)
+# The corresponding anycast addresses defined by RFC 2526 (the last 128 addresses in the subnet)
+#
+convert_to_anycast() {
+ local address
+ local badress
+ local vlsm
+ local host
+ local o
+ local m
+ m=
+ local z
+ z=65535
+ local l
+
+ while read address; do
+ case $address in
+ 2*|3*)
+ vlsm=${address#*/}
+ vlsm=${vlsm:=128}
+
+ if [ $vlsm -le 120 ]; then
+ #
+ # Defines a viable subnet -- first get the subnet-router anycast address
+ #
+ host=$((128 - $vlsm))
+
+ address=$(normalize_address ${address%/*})
+
+ while [ $host -ge 16 ]; do
+ address=${address%:*}
+ host=$(($host - 16))
+ done
+
+ if [ $host -gt 0 ]; then
+ #
+ # VLSM is not a multiple of 16
+ #
+ host=$((16 - $host))
+ o=$((0x${address##*:}))
+ m=0
+ while [ $host -gt 0 ]; do
+ m=$((($m >> 1) | 0x8000))
+ z=$(($z >> 1))
+ host=$(($host - 1))
+ done
+
+ o=$(($o & $m))
+
+ badress=${address%:*}
+
+ address=$badress:$(printf %04x $o)
+
+ z=$(($o | $z))
+
+ if [ $vlsm -gt 112 ]; then
+ z=$(($z & 0xff80))
+ fi
+
+ badress=$badress:$(printf %04x $z)
+ else
+ badress=$address
+ fi
+ #
+ # Note: at this point $address and $badress are the same except possibly for
+ # the contents of the last half-word
+ #
+ list_count $(split $address)
+
+ l=$?
+ #
+ # Now generate the anycast addresses defined by RFC 2526
+ #
+ if [ $l -lt 8 ]; then
+ #
+ # The subnet-router address
+ #
+ echo $address::
+
+ while [ $l -lt 8 ]; do
+ badress=$badress:ffff
+ l=$(($l + 1 ))
+ done
+ else
+ #
+ # The subnet-router address
+ #
+ echo $address
+ fi
+ #
+ # And the RFC 2526 addresses
+ #
+ echo $badress/121
+ fi
+ ;;
+ esac
+ done
+}
+
+#
+# Generate a list of anycast addresses for a given interface
+#
+
+get_interface_acasts() # $1 = interface
+{
+ local addresses
+ addresses=
+
+ find_interface_full_addresses $1 | convert_to_anycast | sort -u
+}
+
+#
+# Get a list of all configured anycast addresses on the system
+#
+get_all_acasts()
+{
+ find_interface_full_addresses | convert_to_anycast | sort -u
+}
+
+#
+# Detect the gateway through an interface
+#
+detect_gateway() # $1 = interface
+{
+ local interface
+ interface=$1
+ #
+ # First assume that this is some sort of point-to-point interface
+ #
+ gateway=$( find_peer $($IP -6 addr list $interface ) )
+ #
+ # Maybe there's a default route through this gateway already
+ #
+ [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
+ #
+ # Last hope -- is there a load-balancing route through the interface?
+ #
+ [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
+ #
+ # Be sure we found one
+ #
+ [ -n "$gateway" ] && echo $gateway
+}
+
+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
+{
+ local route
+ local weight
+ local delta
+ local dev
+
+ run_ip route add default scope global table $2 $1
+}
+
+#
+# Remove a gateway from the default route
+#
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
+{
+ local route
+ local gateway
+ local dev
+
+ route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+ gateway=$1
+
+ dev=$(find_device $route)
+ [ "$dev" = "$3" ] && run_ip route delete default table $2
+}
+
+#
+# Clear Proxy NDP
+#
+delete_proxyndp() {
+ if [ -f ${VARDIR}/proxyndp ]; then
+ while read address interface external haveroute; do
+ qt $IP -6 neigh del proxy $address dev $external
+ [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface
+ f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp
+ [ -f $f ] && echo 0 > $f
+ done < ${VARDIR}/proxyndp
+
+ rm -f ${VARDIR}/proxyndp
+ fi
+}
+
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+ stop_firewall
+
+ setpolicy INPUT ACCEPT
+ setpolicy FORWARD ACCEPT
+ setpolicy OUTPUT ACCEPT
+
+ run_iptables -F
+ qt $IP6TABLES -t raw -F
+
+ echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
+ run_clear_exit
+
+ set_state "Cleared"
+
+ logger -p kern.info "$g_product Cleared"
+}
+
+?endif # IPv6-specific functions.
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Perl/prog.footer shorewall-5.0.9/Perl/prog.footer
--- shorewall-5.0.8/Perl/prog.footer 2016-04-19 10:42:50.000000000 -0700
+++ shorewall-5.0.9/Perl/prog.footer 2016-05-22 17:50:51.000000000 -0700
@@ -25,6 +25,7 @@
echo " savesets "
echo " call [ ... ]"
echo " version"
+ echo " info"
echo
echo "Options are:"
echo
@@ -469,6 +470,10 @@
echo $SHOREWALL_VERSION
status=0
;;
+ info)
+ [ $# -ne 1 ] && usage 2
+ info_command
+ ;;
help)
[ $# -ne 1 ] && usage 2
usage 0
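Review bot: The new `info)` arm leaves `status` untouched, whereas the neighbouring `version)` arm ends with `status=0`; if the code after the case (outside this hunk) exits with `$status`, the `info` command will report whatever value `status` last held. Add `status=0` after `info_command` to match the sibling arm. The enclosing case statement begins and ends outside the hunk.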
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Perl/Shorewall/ARP.pm shorewall-5.0.9/Perl/Shorewall/ARP.pm
--- shorewall-5.0.8/Perl/Shorewall/ARP.pm 2016-04-23 06:42:06.547009000 -0700
+++ shorewall-5.0.9/Perl/Shorewall/ARP.pm 2016-06-04 14:49:09.407286698 -0700
@@ -34,7 +34,7 @@
our @ISA = qw(Exporter);
our @EXPORT = ( qw( process_arprules create_arptables_load preview_arptables_load ) );
-our $VERSION = '4.6_0';
+our $VERSION = '5.0_9';
our %arp_table;
our $arp_input;
@@ -244,7 +244,7 @@
emit "exec 3>\${VARDIR}/.arptables-input";
- my $date = localtime;
+ my $date = compiletime;
unless ( $test ) {
emit_unindented '#';
@@ -294,7 +294,7 @@
#
sub preview_arptables_load() {
- my $date = localtime;
+ my $date = compiletime;
print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Perl/Shorewall/Chains.pm shorewall-5.0.9/Perl/Shorewall/Chains.pm
--- shorewall-5.0.8/Perl/Shorewall/Chains.pm 2016-04-23 06:42:06.575009000 -0700
+++ shorewall-5.0.9/Perl/Shorewall/Chains.pm 2016-06-04 14:49:09.427303045 -0700
@@ -296,7 +296,7 @@
Exporter::export_ok_tags('internal');
-our $VERSION = '5.0_8';
+our $VERSION = '5.0_9';
#
# Chain Table
@@ -8575,7 +8575,7 @@
enter_cat_mode;
- my $date = localtime;
+ my $date = compiletime;
unless ( $test ) {
emit_unindented '#';
@@ -8683,7 +8683,7 @@
enter_cat_mode1;
- my $date = localtime;
+ my $date = compiletime;
print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
@@ -8919,7 +8919,7 @@
enter_cat_mode;
unless ( $test ) {
- my $date = localtime;
+ my $date = compiletime;
emit_unindented '#';
emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
emit_unindented '#';
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Perl/Shorewall/Compiler.pm shorewall-5.0.9/Perl/Shorewall/Compiler.pm
--- shorewall-5.0.8/Perl/Shorewall/Compiler.pm 2016-04-23 06:42:06.587009000 -0700
+++ shorewall-5.0.9/Perl/Shorewall/Compiler.pm 2016-06-04 14:49:09.443316123 -0700
@@ -45,7 +45,7 @@
our @ISA = qw(Exporter);
our @EXPORT = qw( compiler );
our @EXPORT_OK = qw( $export );
-our $VERSION = '5.0_8';
+our $VERSION = '5.0_9';
our $export;
@@ -76,7 +76,7 @@
#
# First stage of script generation.
#
-# Copy lib.core and lib.common to the generated script.
+# Copy lib.runtime and lib.common to the generated script.
# Generate the various user-exit jacket functions.
#
# Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -90,11 +90,11 @@
if ( $test ) {
emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
} else {
- my $date = localtime;
+ my $date = compiletime;
emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
- copy $globals{SHAREDIRPL} . '/lib.core', 0;
+ copy $globals{SHAREDIRPL} . '/lib.runtime', 0;
copy2 $globals{SHAREDIRPL} . '/lib.common', $debug;
}
@@ -597,6 +597,21 @@
}
#
+# Generate info_command()
+#
+sub compile_info_command() {
+ my $date = compiletime;
+
+ emit( "\n",
+ "#",
+ "# Echo the date and time when this script was compiled along with the Shorewall version",
+ "#",
+ "info_command() {" ,
+ qq( echo "compiled $date by Shorewall version $globals{VERSION}") ,
+ "}\n" );
+}
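Review bot: `$date` is pasted verbatim into a double-quoted shell string in the generated script, so any `"`, `$` or backquote in the value would change the script's syntax or run as a command substitution when `info_command` is called; the value originates from external `date` output, which the compiler only whitespace-normalises. Emitting the literal single-quoted, `qq( echo 'compiled $date by Shorewall version $globals{VERSION}')`, keeps the generated line inert whatever the string contains (escape any `'` in `$date` first). The emitted text stays identical to what `compiletime` returns.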
+
+#
# The Compiler.
#
# Arguments are named -- see %parms below.
@@ -922,6 +937,10 @@
#
compile_updown;
#
+ # Echo the compilation time and date
+ #
+ compile_info_command unless $test;
+ #
# Copy the footer to the script
#
copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Perl/Shorewall/Config.pm shorewall-5.0.9/Perl/Shorewall/Config.pm
--- shorewall-5.0.8/Perl/Shorewall/Config.pm 2016-04-23 06:42:06.599009000 -0700
+++ shorewall-5.0.9/Perl/Shorewall/Config.pm 2016-06-04 14:49:09.455325931 -0700
@@ -84,6 +84,8 @@
require_capability
report_used_capabilities
kernel_version
+
+ compiletime
);
our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -238,7 +240,7 @@
Exporter::export_ok_tags('internal');
-our $VERSION = '5.0_8';
+our $VERSION = '5.0_9';
#
# describe the current command, it's present progressive, and it's completion.
@@ -681,6 +683,8 @@
#
our %filecache;
+our $compiletime;
+
sub process_shorewallrc($$);
sub add_variables( \% );
#
@@ -737,7 +741,7 @@
TC_SCRIPT => '',
EXPORT => 0,
KLUDGEFREE => '',
- VERSION => "5.0.8",
+ VERSION => "5.0.9",
CAPVERSION => 50004 ,
BLACKLIST_LOG_TAG => '',
RELATED_LOG_TAG => '',
@@ -889,6 +893,7 @@
DOCKER => undef ,
PAGER => undef ,
MINIUPNPD => undef ,
+ VERBOSE_MESSAGES => undef ,
#
# Packet Disposition
#
@@ -1171,6 +1176,12 @@
%shorewallrc1 = %shorewallrc unless $shorewallrc1;
add_variables %shorewallrc1;
+
+ $compiletime = `date`;
+
+ chomp $compiletime;
+
+ $compiletime =~ s/ +/ /g;
}
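Review bot: The backtick call to `date` that fills `$compiletime` shells out at initialisation, so the stamp depends on whichever `date` is first on the caller's PATH and on the LC_TIME/TZ environment; the PATH reset visible later in this file (`$ENV{PATH} = $default_path`, next to the new core-version check) is in a different hunk, and I cannot tell from here which runs first. The same string can be produced in-process with `POSIX::strftime( '%a %b %e %H:%M:%S %Z %Y', localtime )` (POSIX is core Perl; whether it is already imported is outside the hunk), which also removes the `s/ +/ /g` cleanup and the empty result if `date` is unavailable. Every `localtime` → `compiletime` replacement in ARP.pm, Chains.pm, Misc.pm, Raw.pm and Tc.pm inherits this value, so fixing it here covers them all.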
my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
@@ -1183,6 +1194,10 @@
sort keys %ipsets;
}
+sub compiletime() {
+ $compiletime;
+}
+
#
# Create 'currentlineinfo'
#
@@ -2543,18 +2558,54 @@
fatal_error $_[0];
}
-sub directive_warning( $$$ ) {
+sub directive_warning( $$$$ ) {
+ if ( shift ) {
my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
( my $warning, $currentfilename, $currentlinenumber ) = @_;
warning_message $warning;
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
+ } else {
+ our @localtime;
+
+ handle_first_entry if $first_entry;
+
+ $| = 1; #Reset output buffering (flush any partially filled buffers).
+
+ if ( $log ) {
+ @localtime = localtime;
+ printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+ print $log " WARNING: $_[0]\n";
}
-sub directive_info( $$$ ) {
+ print STDERR " WARNING: $_[0]\n";
+
+ $| = 0; #Re-allow output buffering
+ }
+}
+
+sub directive_info( $$$$ ) {
+ if ( shift ) {
my ( $savefilename, $savelineno ) = ( $currentfilename, $currentlinenumber );
( my $info, $currentfilename, $currentlinenumber ) = @_;
info_message $info;
( $currentfilename, $currentlinenumber ) = ( $savefilename, $savelineno );
+ } else {
+ our @localtime;
+
+ handle_first_entry if $first_entry;
+
+ $| = 1; #Reset output buffering (flush any partially filled buffers).
+
+ if ( $log ) {
+ @localtime = localtime;
+ printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
+ print $log " INFO: $_[0]\n";
+ }
+
+ print STDERR " INFO: $_[0]\n";
+
+ $| = 0; #Re-allow output buffering
+ }
}
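Review bot: The non-verbose branches of `directive_warning` and `directive_info` duplicate each other line for line (first-entry handling, `$|` toggling, timestamped `$log` write, STDERR print), differing only in the `WARNING:`/`INFO:` prefix; a private helper taking the prefix and the message would leave one copy to maintain. `our @localtime` inside each sub declares a package-wide array where a lexical `my @localtime` suffices, and the bare `$_[0]` after the `shift` reads better as `my ( $message ) = @_;`. The prototype change from `$$$` to `$$$$` means any caller not updated to pass the leading flag would trip the prototype check; the call sites in this diff are updated, others are not visible here.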
#
@@ -2703,7 +2754,7 @@
print "CD===> $line\n" if $debug;
- directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+)(.*)$/i;
+ directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
my ($keyword, $expression) = ( uc $1, $2 );
@@ -2811,14 +2862,14 @@
delete $actparams{$var}
}
} else {
- directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
+ directive_warning( 'Yes', "Shorewall variable $2 does not exist", $filename, $linenumber );
}
} else {
if ( exists $variables{$2} ) {
delete $variables{$2};
} else {
- directive_warning( "Shell variable $2 does not exist", $filename, $linenumber );
+ directive_warning( 'Yes', "Shell variable $2 does not exist", $filename, $linenumber );
}
}
}
@@ -2832,7 +2883,7 @@
( $comment = $line ) =~ s/^\s*\?COMMENT\s*//;
$comment =~ s/\s*$//;
} else {
- directive_warning( "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
+ directive_warning( 'Yes', "COMMENTs ignored -- require comment support in iptables/Netfilter" , $filename, $linenumber ) unless $warningcount++;
}
}
} else {
@@ -2851,7 +2902,8 @@
} ,
WARNING => sub() {
- directive_warning( evaluate_expression( $expression ,
+ directive_warning( $config{VERBOSE_MESSAGES} ,
+ evaluate_expression( $expression ,
$filename ,
$linenumber ,
1 ),
@@ -2860,7 +2912,28 @@
} ,
INFO => sub() {
- directive_info( evaluate_expression( $expression ,
+ directive_info( $config{VERBOSE_MESSAGES} ,
+ evaluate_expression( $expression ,
+ $filename ,
+ $linenumber ,
+ 1 ),
+ $filename ,
+ $linenumber ) unless $omitting;
+ } ,
+
+ 'WARNING!' => sub() {
+ directive_warning( ! $config{VERBOSE_MESSAGES} ,
+ evaluate_expression( $expression ,
+ $filename ,
+ $linenumber ,
+ 1 ),
+ $filename ,
+ $linenumber ) unless $omitting;
+ } ,
+
+ 'INFO!' => sub() {
+ directive_info( ! $config{VERBOSE_MESSAGES} ,
+ evaluate_expression( $expression ,
$filename ,
$linenumber ,
1 ),
@@ -5678,6 +5751,24 @@
$ENV{PATH} = $default_path;
}
+ fatal_error "Shorewall-core does not appear to be installed" unless open_file "$globals{SHAREDIRPL}coreversion";
+
+ fatal_error "$globals{SHAREDIRPL}coreversion is empty" unless read_a_line( PLAIN_READ );
+
+ close_file;
+
+ warning_message "Version Mismatch: Shorewall-core is version $currentline, while the Shorewall version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
+
+ if ( $family == F_IPV6 ) {
+ open_file( "$globals{SHAREDIR}/version" ) || fatal_error "Unable to open $globals{SHAREDIR}/version";
+
+ fatal_error "$globals{SHAREDIR}/version is empty" unless read_a_line( PLAIN_READ );
+
+ close_file;
+
+ warning_message "Version Mismatch: Shorewall6 is version $currentline, while the Shorewal version is $globals{VERSION}" unless $currentline eq $globals{VERSION};
+ }
+
my $have_capabilities;
if ( $export || $> != 0 ) {
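Review bot: The IPv6 warning at the end of the block misspells the product name, `Shorewal version`, and the two checks handle an unreadable file differently: the core check reports "does not appear to be installed" via `unless open_file`, while the Shorewall6 check uses `open_file(...) || fatal_error "Unable to open ..."`. Use the same construction and message shape for both and correct the typo in the second `warning_message`. Both comparisons are exact string equality on `$currentline`, so trailing whitespace in either version file would trigger a mismatch warning unless `read_a_line( PLAIN_READ )` strips it, which is not visible here. The enclosing sub starts and ends outside the hunk.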
@@ -6109,6 +6200,7 @@
default_yes_no 'WARNOLDCAPVERSION' , 'Yes';
default_yes_no 'DEFER_DNS_RESOLUTION' , 'Yes';
default_yes_no 'MINIUPNPD' , '';
+ default_yes_no 'VERBOSE_MESSAGES' , 'Yes';
$config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Perl/Shorewall/Misc.pm shorewall-5.0.9/Perl/Shorewall/Misc.pm
--- shorewall-5.0.8/Perl/Shorewall/Misc.pm 2016-04-23 06:42:06.607009000 -0700
+++ shorewall-5.0.9/Perl/Shorewall/Misc.pm 2016-06-04 14:49:09.467335740 -0700
@@ -48,7 +48,7 @@
generate_matrix
);
our @EXPORT_OK = qw( initialize );
-our $VERSION = '5.0_8';
+our $VERSION = '5.0_9';
our $family;
@@ -302,7 +302,7 @@
if ( @rules ) {
my $fn1 = find_writable_file( 'blrules' );
my $blrules;
- my $date = localtime;
+ my $date = compiletime;
if ( -f $fn1 ) {
open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
@@ -393,7 +393,7 @@
my ( @allhosts, %source, %dest , %notrack, @rule );
my $seq = 0;
- my $date = localtime;
+ my $date = compiletime;
my ( $stoppedrules, $fn1 );
@@ -421,7 +421,7 @@
first_entry(
sub {
- my $date = localtime;
+ my $date = compiletime;
progress_message2 "$doing $fn...";
print( $stoppedrules
"#\n" ,
@@ -649,9 +649,15 @@
add_ijump( $chainref, j => 'ACCEPT', o => 'docker0', state_imatch 'ESTABLISHED,RELATED' );
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => '! docker0' );
add_ijump( $chainref, j => 'ACCEPT', i => 'docker0', o => 'docker0' ) if $dockerref->{options}{routeback};
- add_ijump( $filter_table->{OUTPUT}, j => 'DOCKER' );
decr_cmd_level( $chainref );
add_commands( $chainref, 'fi' );
+
+ my $outputref;
+ add_commands( $outputref = $filter_table->{OUTPUT}, 'if [ -n "$g_docker" ]; then' );
+ incr_cmd_level( $outputref );
+ add_ijump( $outputref, j => 'DOCKER' );
+ decr_cmd_level( $outputref );
+ add_commands( $outputref, 'fi' );
}
add_commands( $chainref, '[ -f ${VARDIR}/.filter_FORWARD ] && cat $VARDIR/.filter_FORWARD >&3', );
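Review bot: `add_commands( $outputref = $filter_table->{OUTPUT}, ... )` assigns inside the argument list, which is easy to misread as a comparison; `my $outputref = $filter_table->{OUTPUT};` on its own line before the `add_commands` call says the same thing plainly. The literal `if [ -n "$g_docker" ]; then` guard is presumably the same one that wraps the `$chainref` rules closed by the `fi` just above — if so, a shared constant would keep the two strings in step. The enclosing sub starts and ends outside the hunk.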
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Perl/Shorewall/Providers.pm shorewall-5.0.9/Perl/Shorewall/Providers.pm
--- shorewall-5.0.8/Perl/Shorewall/Providers.pm 2016-04-23 06:42:06.615009000 -0700
+++ shorewall-5.0.9/Perl/Shorewall/Providers.pm 2016-06-04 14:49:09.479345548 -0700
@@ -47,7 +47,7 @@
map_provider_to_interface
);
our @EXPORT_OK = qw( initialize provider_realm );
-our $VERSION = '5.0_6';
+our $VERSION = '5.0_9';
use constant { LOCAL_TABLE => 255,
MAIN_TABLE => 254,
@@ -1096,7 +1096,7 @@
if ( $optional ) {
if ( $persistent ) {
- emit( "persistent_${what}_${table}\n" );
+ emit( "do_persistent_${what}_${table}\n" );
}
if ( $shared ) {
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Perl/Shorewall/Raw.pm shorewall-5.0.9/Perl/Shorewall/Raw.pm
--- shorewall-5.0.8/Perl/Shorewall/Raw.pm 2016-04-23 06:42:06.619009000 -0700
+++ shorewall-5.0.9/Perl/Shorewall/Raw.pm 2016-06-04 14:49:09.479345548 -0700
@@ -36,7 +36,7 @@
our @ISA = qw(Exporter);
our @EXPORT = qw( setup_conntrack );
our @EXPORT_OK = qw( handle_helper_rule );
-our $VERSION = '5.0_4';
+our $VERSION = '5.0_9';
our %valid_ctevent = ( new => 1,
related => 1,
@@ -368,7 +368,7 @@
if ( $convert ) {
my $conntrack;
my $empty = 1;
- my $date = localtime;
+ my $date = compiletime;
if ( $fn ) {
open $conntrack, '>>', $fn or fatal_error "Unable to open $fn for notrack conversion: $!";
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Perl/Shorewall/Rules.pm shorewall-5.0.9/Perl/Shorewall/Rules.pm
--- shorewall-5.0.8/Perl/Shorewall/Rules.pm 2016-04-23 06:42:06.627009000 -0700
+++ shorewall-5.0.9/Perl/Shorewall/Rules.pm 2016-06-04 14:49:09.491355355 -0700
@@ -77,7 +77,7 @@
Exporter::export_ok_tags('Traffic');
-our $VERSION = '5.0_8';
+our $VERSION = '5.0_9';
#
# Globals are documented in the initialize() function
#
@@ -4464,6 +4464,16 @@
},
},
+ NFLOG => {
+ defaultchain => 0,
+ allowedchains => ALLCHAINS,
+ minparams => 0,
+ maxparams => 3,
+ function => sub () {
+ $target = validate_level( "NFLOG($params)" );
+ }
+ },
+
RESTORE => {
defaultchain => 0,
allowedchains => PREROUTING | INPUT | FORWARD | OUTPUT | POSTROUTING,
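Review bot: With `minparams => 0`, an entry written as bare `NFLOG` reaches `validate_level( "NFLOG($params)" )` with `$params` empty, i.e. `NFLOG()`; unless `validate_level` treats the empty parenthesised form as plain `NFLOG`, the no-parameter case this table entry allows would be rejected (`validate_level` is outside the hunk, so this is inferred). Building the target conditionally, `$target = validate_level( $params ne '' ? "NFLOG($params)" : 'NFLOG' );`, removes the dependency. If another entry in this table already relies on the same `"X($params)"` pattern with `minparams => 0`, that is established behaviour and this can be dropped.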
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Perl/Shorewall/Tc.pm shorewall-5.0.9/Perl/Shorewall/Tc.pm
--- shorewall-5.0.8/Perl/Shorewall/Tc.pm 2016-04-23 06:42:06.631009000 -0700
+++ shorewall-5.0.9/Perl/Shorewall/Tc.pm 2016-06-04 14:49:09.495358625 -0700
@@ -2166,7 +2166,7 @@
if ( my $fn = open_file 'tos' ) {
first_entry(
sub {
- my $date = localtime;
+ my $date = compiletime;
progress_message2 "Converting $fn...";
print( $mangle
"#\n" ,
@@ -2332,7 +2332,7 @@
first_entry(
sub {
- my $date = localtime;
+ my $date = compiletime;
progress_message2 "Converting $fn...";
print( $mangle
"#\n" ,
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/releasenotes.txt shorewall-5.0.9/releasenotes.txt
--- shorewall-5.0.8/releasenotes.txt 2016-04-23 06:42:06.523009000 -0700
+++ shorewall-5.0.9/releasenotes.txt 2016-06-04 14:49:09.383267082 -0700
@@ -1,7 +1,7 @@
----------------------------------------------------------------------------
- S H O R E W A L L 5 . 0 . 8
+ S H O R E W A L L 5 . 0 . 9
----------------------------
- A p r i l 2 4 , 2 0 1 6
+ J u n e 0 4 , 2 0 1 6
----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -14,7 +14,265 @@
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
----------------------------------------------------------------------------
-1) This release includes defect repair through Shorewall 5.0.7.2.
+1) This release contains defect repair through Shorewall 5.0.8.2.
+
+----------------------------------------------------------------------------
+ I I. K N O W N P R O B L E M S R E M A I N I N G
+----------------------------------------------------------------------------
+
+1) On systems running Upstart, shorewall-init cannot reliably secure
+ the firewall before interfaces are brought up.
+
+2) The 'enable', 'reenable' and 'disable' commands do not work
+ correctly in configurations with USE_DEFAULT_RT=No and optional
+ providers listed in the DUPLICATE column.
+
+3) Previously, if:
+
+ - DOCKER=Yes
+ - docker0 was defined in /etc/shorewall/interfaces
+ - Docker was not running
+
+ then Shorewall would fail to start with an error similar to this
+
+ iptables-restore v1.4.21: Couldn't load target `DOCKER':
+ No such file or directory
+ Error occurred at line: 29
+ Try `iptables-restore -h' or
+ 'iptables-restore --help' for more information.
+ ERROR: /sbin/iptables-restore Failed.
+
+ This has been corrected such that Shorewall starts correctly under
+ these conditions.
+
+----------------------------------------------------------------------------
+ I I I. N E W F E A T U R E S I N T H I S R E L E A S E
+----------------------------------------------------------------------------
+
+1) The file 'lib.core' has been renamed 'lib.runtime' to more
+ accurately reflect the file's role.
+
+2) The CLI now produces helpful error messages rather than simply
+ dumping out the complete usage syntax.
+
+3) The 'status' and 'version -a" command outputs now include the time
+ and date when the current firewall script was compiled.
+
+ This feature implements a new 'info' command that is recognized by
+ the compiled script. That command produces output similar to the
+ following:
+
+ compiled Thu Apr 28 14:18:58 2016 by Shorewall version 5.0.9
+
+ Note 1: The time and date of compilation will only be displayed
+ after the firewall script has been compiled using this or a later
+ Shorewall release.
+
+ Note 2: Information about the current firewall script is only
+ displayed by the 'version -a' command when the command is executed
+ by root.
+
+ Caution: If you execute 'shorewall compile', a subsequent 'status'
+ command will display the compilation information for the newly
+ compiled script and not for the one that was used to instantiate
+ the running firewall configuration. Note that the compilation
+ date/time, in this case, will be later than the started date/time:
+
+ Example:
+
+ State:Started Sun Apr 24 12:22:18 PDT 2016 from /etc/shorewall/
+ (/var/lib/shorewall/firewall compiled Thu Apr 28 14:18:58 2016
+ by Shorewall version 5.0.9)
+
+4) The ?INFO and ?WARNING directives added in Shorewall 5.0.8 include
+ the current filename and line number in the generated message. That
+ behavior can be suppressed by using ?INFO! AND ?WARNING!
+ instead. Additionally, the default behavior can be changed by
+ setting VERBOSE_MESSAGES=No in shorewall[6].conf. In that case,
+ including the exclaimation point causes the filename and line
+ number to be included.
+
+5) NFLOG(...) is now supported in the mangle files.
+
+6) The compiler now checks the version of the installed Shorewall-core
+ and issues a warning message if there is a mis-match.
+
+ Example (folded to fit within 72 columns):
+
+ WARNING: Version Mismatch: Shorewall-core is version 5.0.8.2,
+ while the Shorewall version is 5.0.9-Beta2
+
+ When compiling for IPv6, the Shorewall6 version is also verified
+ and a similar warning is issued in the case of a mismatch.
+
+7) The sample configurations now have AUTOMAKE enabled.
+
+8) Full date and time strings generated by the compiler are now in
+ 'date' format rather than Perl's 'localtime' format.
+
+----------------------------------------------------------------------------
+ I V. M I G R A T I O N I S S U E S
+----------------------------------------------------------------------------
+
+1) If you are migrating from Shorewall 4.4.x or earlier, please see
+ http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt
+
+2) It is strongly recommended that you first upgrade your installation
+ to a 4.6 release >= 4.6.12 prior to upgrading to Shorewall 5.0.
+
+ Once you are on the Shorewall 4.6 release:
+
+ - shorewall update -A
+
+ If you also run Shorewall6:
+
+ - shorewall6 update -A
+
+ These steps are necessary because Shorewall 5.0:
+
+ - Does not contain support for the 'tcrules' and 'tos' files --
+ existing 'tcrules' and 'tos' files must be converted to an
+ equivalent set of 'mangle' file entries.
+
+ - Does not contain support for the 'blacklist' file -- it must
+ be converted to an equivalent 'blrules' file.
+
+ - Does not contain support for the 'notrack' file -- it must be
+ converted to an equivalent 'conntrack' file.
+
+ - Does not contain support for the 'routestopped' file -- it must
+ be converted to an equivalent 'stoppedrules' file.
+
+ Note that you can run the update command(s) after you upgrade to
+ Shorewall 5 but your firewall will not work correctly until
+ you do those update(s).
+
+3) The following configuration options have been eliminated:
+
+ - EXPORTPARAMS
+ - IPSECFILE
+ - LEGACY_FASTSTART
+ - LOGRATE *
+ - LOGBURST *
+ - WIDE_TC_MARKS *
+ - HIGH_ROUTE_MARKS *
+ - BLACKLISTNEWONLY *
+
+ A fatal error results if those flagged with an asterisk ("*")
+ appear in the .conf file -- run the 'shorewall[6] update' command
+ to convert their settings to use supported options.
+
+ A warning is issued if any of the rest appear in the .conf file.
+ 'shorewall[6] update' will drop them from the file.
+
+4) To make the command names more accurately reflect what they do,
+ several changes have been included:
+
+ a) Beginning with this release, the 'restart' command now does a
+ true restart and is equivalent to a 'stop' followed by a
+ 'start'.
+
+ b) The pre-5.0.0 'load' command has been renamed 'remote_start'.
+
+ c) The pre-5.0.0 'reload' command has been renamed 'remote_reload'.
+
+ c) The 'reload' command now performs the same function as the
+ pre-5.0.0 'restart' command.
+
+ d) A 'remote_restart' command has been added to Shorewall and
+ Shorewall6 to allow a remote 'restart' after updating the
+ remote firewall system's compiled script.
+
+ For those that can't get used to the idea of using 'reload' in
+ place of 'restart', a RESTART option has been added. The
+ option defaults to 'reload' for compatibility with earlier
+ releases. If set to 'restart', then the 'restart' command
+ does a true restart (stop followed by start)
+
+5) While the WORKAROUNDS setting is still present in the
+ shorewall[6].conf file:
+
+ a) It's default setting has been changed to No.
+
+ b) All workarounds for old distributions have been eliminated.
+
+6) Beginning with Shorewall 5.0.0, all macros and actions are assumed
+ to be FORMAT-2. FORMAT-1 macros and actions are no longer supported
+ and will be silently processed as if they were FORMAT-2. For most
+ macros and actions, this change will be of no concern, but may cause
+ compilation errors in rare cases.
+
+ To review, FORMAT-1 actions have the following columns:
+
+ TARGET
+ SOURCE
+ DEST
+ PROTO
+ DEST PORT(S)
+ SOURCE PORT(S)
+ RATE
+ USER/GROUP
+ MARK
+
+ FORMAT-1 macros have these columns:
+
+ TARGET
+ SOURCE
+ DEST
+ PROTO
+ DEST PORT(S)
+ SOURCE PORT(S)
+ RATE
+ USER/GROUP
+
+ FORMAT-2 actions and macros, on the other hand, have:
+
+ TARGET
+ SOURCE
+ DEST
+ PROTO
+ DEST PORT(S)
+ SOURCE PORT(S)
+ ORIGINAL DEST
+ RATE
+ USER/GROUP
+ MARK
+ CONNLIMIT
+ TIME
+ HEADERS (Only valid for IPv6)
+ SWITCH
+ HELPER
+
+ To summarize, if your action or macro only uses the first 6
+ columns (which most do), then it will process fine as
+ FORMAT-2. Otherwise, it must be modified to place specifications in
+ the proper columns.
+
+7) COMMENT, FORMAT and SECTION lines must now begin with a question
+ mark ("?"). The 'update' command will change all bare COMMENT,
+ FORMAT and SECTION lines to include the question mark.
+
+8) Beginning with Shorewall 5.0.8, the IPv6 default treatment of Auth
+ (TCP 113) is now consistent with IPv4; nothing special is done with
+ these requests, so they are simply logged and dropped.
+
+ IMPORTANT: If you want to continue to reject Auth requests, you
+ can do so by chaning your DROP_DEFAULT setting to make the second
+ parameter REJECT. For example, if you currently have:
+
+ DROP_DEFAULT=Drop
+
+ you can change it to:
+
+ DROP_DEFAULT="Drop(-,REJECT)"
+
+----------------------------------------------------------------------------
+ V. N O T E S F R O M O T H E R 5 . 0 R E L E A S E S
+----------------------------------------------------------------------------
+ P R O B L E M S C O R R E C T E D I N 5 . 0 . 8
+----------------------------------------------------------------------------
+
+1) This release includes defect repair through Shorewall 5.0.7.2
2) If a physical interface name was used in the INTERFACE column of an
entry in /etc/shorewall/masq, then previously a Perl diagnostic was
@@ -147,34 +405,8 @@
restart
safe-*
-16) In the last several releases, the following Known Problem
- Remaining has been listed:
-
- The 'enable', 'reenable' and 'disable' commands do now work
- correctly in configurations with USE_DEFAULT_RT=No.
-
- That description is a bit broader than is necessary and is now
- restricted to the case where an optional provider is listed in the
- DUPLICATE column (see below). Additionally, the compiler now
- generates a warning in that case:
-
- WARNING: An optional provider (xxxx) is listed in the
- DUPLICATE column - enable and disable will not work
- correctly on that provider
-
-----------------------------------------------------------------------------
- I I. K N O W N P R O B L E M S R E M A I N I N G
-----------------------------------------------------------------------------
-
-1) On systems running Upstart, shorewall-init cannot reliably secure
- the firewall before interfaces are brought up.
-
-2) The 'enable', 'reenable' and 'disable' commands do not work
- correctly in configurations with USE_DEFAULT_RT=No and optional
- providers listed in the DUPLICATE column.
-
----------------------------------------------------------------------------
- I I I. N E W F E A T U R E S I N T H I S R E L E A S E
+ N E W F E A T U R E S I N 5 . 0 . 8
----------------------------------------------------------------------------
1) Support for later versions of miniupnpd has been added in the form
@@ -248,8 +480,8 @@
?INFO
The is written to STDERR prefaced by the directive name
- (WARNING or INFO) followed by a colon (':'). It is also written to
- the STARTUP_LOG if:
+ (WARNING or INFO) followed by a colon (':'). It is also written to the
+ STARTUP_LOG if:
- A STARTUP_LOG has been configured
- The command is start, try, restart, reload, refresh or one of the
@@ -259,164 +491,6 @@
aborted.
----------------------------------------------------------------------------
- I V. M I G R A T I O N I S S U E S
-----------------------------------------------------------------------------
-
-1) If you are migrating from Shorewall 4.4.x or earlier, please see
- http://www.shorewall.net/pub/shorewall/4.5/shorewall-4.5.21/releasenotes.txt
-
-2) It is strongly recommended that you first upgrade your installation
- to a 4.6 release >= 4.6.12 prior to upgrading to Shorewall 5.0.
-
- Once you are on the Shorewall 4.6 release:
-
- - shorewall update -A
-
- If you also run Shorewall6:
-
- - shorewall6 update -A
-
- These steps are necessary because Shorewall 5.0:
-
- - Does not contain support for the 'tcrules' and 'tos' files --
- existing 'tcrules' and 'tos' files must be converted to an
- equivalent set of 'mangle' file entries.
-
- - Does not contain support for the 'blacklist' file -- it must
- be converted to an equivalent 'blrules' file.
-
- - Does not contain support for the 'notrack' file -- it must be
- converted to an equivalent 'conntrack' file.
-
- - Does not contain support for the 'routestopped' file -- it must
- be converted to an equivalent 'stoppedrules' file.
-
- Note that you can run the update command(s) after you upgrade to
- Shorewall 5 but your firewall will not work correctly until
- you do those update(s).
-
-3) The following configuration options have been eliminated:
-
- - EXPORTPARAMS
- - IPSECFILE
- - LEGACY_FASTSTART
- - LOGRATE *
- - LOGBURST *
- - WIDE_TC_MARKS *
- - HIGH_ROUTE_MARKS *
- - BLACKLISTNEWONLY *
-
- A fatal error results if those flagged with an asterisk ("*")
- appear in the .conf file -- run the 'shorewall[6] update' command
- to convert their settings to use supported options.
-
- A warning is issued if any of the rest appear in the .conf file.
- 'shorewall[6] update' will drop them from the file.
-
-4) To make the command names more accurately reflect what they do,
- several changes have been included:
-
- a) Beginning with this release, the 'restart' command now does a
- true restart and is equivalent to a 'stop' followed by a
- 'start'.
-
- b) The pre-5.0.0 'load' command has been renamed 'remote_start'.
-
- c) The pre-5.0.0 'reload' command has been renamed 'remote_reload'.
-
- c) The 'reload' command now performs the same function as the
- pre-5.0.0 'restart' command.
-
- d) A 'remote_restart' command has been added to Shorewall and
- Shorewall6 to allow a remote 'restart' after updating the
- remote firewall system's compiled script.
-
- For those that can't get used to the idea of using 'reload' in
- place of 'restart', a RESTART option has been added. The
- option defaults to 'reload' for compatibility with earlier
- releases. If set to 'restart', then the 'restart' command
- does a true restart (stop followed by start)
-
-5) While the WORKAROUNDS setting is still present in the
- shorewall[6].conf file:
-
- a) It's default setting has been changed to No.
-
- b) All workarounds for old distributions have been eliminated.
-
-6) Beginning with Shorewall 5.0.0, all macros and actions are assumed
- to be FORMAT-2. FORMAT-1 macros and actions are no longer supported
- and will be silently processed as if they were FORMAT-2. For most
- macros and actions, this change will be of no concern, but may cause
- compilation errors in rare cases.
-
- To review, FORMAT-1 actions have the following columns:
-
- TARGET
- SOURCE
- DEST
- PROTO
- DEST PORT(S)
- SOURCE PORT(S)
- RATE
- USER/GROUP
- MARK
-
- FORMAT-1 macros have these columns:
-
- TARGET
- SOURCE
- DEST
- PROTO
- DEST PORT(S)
- SOURCE PORT(S)
- RATE
- USER/GROUP
-
- FORMAT-2 actions and macros, on the other hand, have:
-
- TARGET
- SOURCE
- DEST
- PROTO
- DEST PORT(S)
- SOURCE PORT(S)
- ORIGINAL DEST
- RATE
- USER/GROUP
- MARK
- CONNLIMIT
- TIME
- HEADERS (Only valid for IPv6)
- SWITCH
- HELPER
-
- To summarize, if your action or macro only uses the first 6
- columns (which most do), then it will process fine as
- FORMAT-2. Otherwise, it must be modified to place specifications in
- the proper columns.
-
-7) COMMENT, FORMAT and SECTION lines must now begin with a question
- mark ("?"). The 'update' command will change all bare COMMENT,
- FORMAT and SECTION lines to include the question mark.
-
-8) Beginning with Shorewall 5.0.8, the IPv6 default treatment of Auth
- (TCP 113) is now consistent with IPv4; nothing special is done with
- these requests, so they are simply logged and dropped.
-
- IMPORTANT: If you want to continue to reject Auth requests, you
- can do so by chaning your DROP_DEFAULT setting to make the second
- parameter REJECT. For example, if you currently have:
-
- DROP_DEFAULT=Drop
-
- you can change it to:
-
- DROP_DEFAULT="Drop(-,REJECT)"
-
-----------------------------------------------------------------------------
- V. N O T E S F R O M O T H E R 5 . 0 R E L E A S E S
-----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 5 . 0 . 7
----------------------------------------------------------------------------
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Samples/one-interface/rules.annotated shorewall-5.0.9/Samples/one-interface/rules.annotated
--- shorewall-5.0.8/Samples/one-interface/rules.annotated 2016-04-23 06:42:44.199009000 -0700
+++ shorewall-5.0.9/Samples/one-interface/rules.annotated 2016-06-04 14:49:51.986060296 -0700
@@ -346,9 +346,21 @@
# logging daemon via a netlink socket then continues to the next rule.
# See http://www.shorewall.net/shorewall_logging.html.
#
-# Similar to LOG:NFLOG[(nflog-parameters)], except that the log level is
-# not changed when this ACTION is used in an action or macro body and the
-# invocation of that action or macro specifies a log level.
+# The nflog-parameters are a comma-separated list of up to 3 numbers:
+#
+# ☆ The first number specifies the netlink group (0-65535). If omitted
+# (e.g., NFLOG(,0,10)) then a value of 0 is assumed.
+#
+# ☆ The second number specifies the maximum number of bytes to copy. If
+# omitted, 0 (no limit) is assumed.
+#
+# ☆ The third number specifies the number of log messages that should
+# be buffered in the kernel before they are sent to user space. The
+# default is 1.
+#
+# NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that the log
+# level is not changed when this ACTION is used in an action or macro
+# body and the invocation of that action or macro specifies a log level.
#
# NFQUEUE[([queuenumber1[:queuenumber2][,bypass]]|bypass)]
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Samples/one-interface/shorewall.conf shorewall-5.0.9/Samples/one-interface/shorewall.conf
--- shorewall-5.0.8/Samples/one-interface/shorewall.conf 2016-04-19 10:42:50.000000000 -0700
+++ shorewall-5.0.9/Samples/one-interface/shorewall.conf 2016-05-22 17:50:51.000000000 -0700
@@ -147,7 +147,7 @@
AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -253,6 +253,8 @@
USE_RT_NAMES=No
+VERBOSE_MESSAGES=Yes
+
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Samples/one-interface/shorewall.conf.annotated shorewall-5.0.9/Samples/one-interface/shorewall.conf.annotated
--- shorewall-5.0.8/Samples/one-interface/shorewall.conf.annotated 2016-04-23 06:42:44.599009000 -0700
+++ shorewall-5.0.9/Samples/one-interface/shorewall.conf.annotated 2016-06-04 14:49:52.510488591 -0700
@@ -758,7 +758,7 @@
# The macros for those applications requiring a helper automatically
# specify the appropriate HELPER where required.
#
-AUTOMAKE=No
+AUTOMAKE=Yes
#
# AUTOMAKE=[Yes|No]
#
@@ -1716,6 +1716,16 @@
#
# Without these entries, the firewall will fail to start.
#
+VERBOSE_MESSAGES=Yes
+#
+# VERBOSE_MESSAGES=[Yes|No]
+#
+# Added in Shorewall 5.0.9. When Yes (the default), messages produced by the
+# ?INFO and ?WARNING directives include the filename and linenumber of the
+# directive. When set to No, that additional information is omitted. The
+# setting may be overridden on a directive by directive basis by following ?
+# INFO or ?WARNING with '!' (no intervening white space).
+#
WARNOLDCAPVERSION=Yes
#
# WARNOLDCAPVERSION=[Yes|No]
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Samples/three-interfaces/rules.annotated shorewall-5.0.9/Samples/three-interfaces/rules.annotated
--- shorewall-5.0.8/Samples/three-interfaces/rules.annotated 2016-04-23 06:42:46.203009000 -0700
+++ shorewall-5.0.9/Samples/three-interfaces/rules.annotated 2016-06-04 14:49:54.255914060 -0700
@@ -346,9 +346,21 @@
# logging daemon via a netlink socket then continues to the next rule.
# See http://www.shorewall.net/shorewall_logging.html.
#
-# Similar to LOG:NFLOG[(nflog-parameters)], except that the log level is
-# not changed when this ACTION is used in an action or macro body and the
-# invocation of that action or macro specifies a log level.
+# The nflog-parameters are a comma-separated list of up to 3 numbers:
+#
+# ☆ The first number specifies the netlink group (0-65535). If omitted
+# (e.g., NFLOG(,0,10)) then a value of 0 is assumed.
+#
+# ☆ The second number specifies the maximum number of bytes to copy. If
+# omitted, 0 (no limit) is assumed.
+#
+# ☆ The third number specifies the number of log messages that should
+# be buffered in the kernel before they are sent to user space. The
+# default is 1.
+#
+# NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that the log
+# level is not changed when this ACTION is used in an action or macro
+# body and the invocation of that action or macro specifies a log level.
#
# NFQUEUE[([queuenumber1[:queuenumber2][,bypass]]|bypass)]
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Samples/three-interfaces/shorewall.conf shorewall-5.0.9/Samples/three-interfaces/shorewall.conf
--- shorewall-5.0.8/Samples/three-interfaces/shorewall.conf 2016-04-19 10:42:50.000000000 -0700
+++ shorewall-5.0.9/Samples/three-interfaces/shorewall.conf 2016-05-22 17:50:51.000000000 -0700
@@ -144,7 +144,7 @@
AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -250,6 +250,8 @@
USE_RT_NAMES=No
+VERBOSE_MESSAGES=Yes
+
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Samples/three-interfaces/shorewall.conf.annotated shorewall-5.0.9/Samples/three-interfaces/shorewall.conf.annotated
--- shorewall-5.0.8/Samples/three-interfaces/shorewall.conf.annotated 2016-04-23 06:42:46.599009000 -0700
+++ shorewall-5.0.9/Samples/three-interfaces/shorewall.conf.annotated 2016-06-04 14:49:54.700276965 -0700
@@ -756,7 +756,7 @@
# The macros for those applications requiring a helper automatically
# specify the appropriate HELPER where required.
#
-AUTOMAKE=No
+AUTOMAKE=Yes
#
# AUTOMAKE=[Yes|No]
#
@@ -1714,6 +1714,16 @@
#
# Without these entries, the firewall will fail to start.
#
+VERBOSE_MESSAGES=Yes
+#
+# VERBOSE_MESSAGES=[Yes|No]
+#
+# Added in Shorewall 5.0.9. When Yes (the default), messages produced by the
+# ?INFO and ?WARNING directives include the filename and linenumber of the
+# directive. When set to No, that additional information is omitted. The
+# setting may be overridden on a directive by directive basis by following ?
+# INFO or ?WARNING with '!' (no intervening white space).
+#
WARNOLDCAPVERSION=Yes
#
# WARNOLDCAPVERSION=[Yes|No]
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Samples/two-interfaces/rules.annotated shorewall-5.0.9/Samples/two-interfaces/rules.annotated
--- shorewall-5.0.8/Samples/two-interfaces/rules.annotated 2016-04-23 06:42:48.367009000 -0700
+++ shorewall-5.0.9/Samples/two-interfaces/rules.annotated 2016-06-04 14:49:56.801993414 -0700
@@ -346,9 +346,21 @@
# logging daemon via a netlink socket then continues to the next rule.
# See http://www.shorewall.net/shorewall_logging.html.
#
-# Similar to LOG:NFLOG[(nflog-parameters)], except that the log level is
-# not changed when this ACTION is used in an action or macro body and the
-# invocation of that action or macro specifies a log level.
+# The nflog-parameters are a comma-separated list of up to 3 numbers:
+#
+# ☆ The first number specifies the netlink group (0-65535). If omitted
+# (e.g., NFLOG(,0,10)) then a value of 0 is assumed.
+#
+# ☆ The second number specifies the maximum number of bytes to copy. If
+# omitted, 0 (no limit) is assumed.
+#
+# ☆ The third number specifies the number of log messages that should
+# be buffered in the kernel before they are sent to user space. The
+# default is 1.
+#
+# NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that the log
+# level is not changed when this ACTION is used in an action or macro
+# body and the invocation of that action or macro specifies a log level.
#
# NFQUEUE[([queuenumber1[:queuenumber2][,bypass]]|bypass)]
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Samples/two-interfaces/shorewall.conf shorewall-5.0.9/Samples/two-interfaces/shorewall.conf
--- shorewall-5.0.8/Samples/two-interfaces/shorewall.conf 2016-04-19 10:42:50.000000000 -0700
+++ shorewall-5.0.9/Samples/two-interfaces/shorewall.conf 2016-05-22 17:50:51.000000000 -0700
@@ -147,7 +147,7 @@
AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -253,6 +253,8 @@
USE_RT_NAMES=No
+VERBOSE_MESSAGES=Yes
+
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Samples/two-interfaces/shorewall.conf.annotated shorewall-5.0.9/Samples/two-interfaces/shorewall.conf.annotated
--- shorewall-5.0.8/Samples/two-interfaces/shorewall.conf.annotated 2016-04-23 06:42:48.743009000 -0700
+++ shorewall-5.0.9/Samples/two-interfaces/shorewall.conf.annotated 2016-06-04 14:49:57.250359589 -0700
@@ -758,7 +758,7 @@
# The macros for those applications requiring a helper automatically
# specify the appropriate HELPER where required.
#
-AUTOMAKE=No
+AUTOMAKE=Yes
#
# AUTOMAKE=[Yes|No]
#
@@ -1716,6 +1716,16 @@
#
# Without these entries, the firewall will fail to start.
#
+VERBOSE_MESSAGES=Yes
+#
+# VERBOSE_MESSAGES=[Yes|No]
+#
+# Added in Shorewall 5.0.9. When Yes (the default), messages produced by the
+# ?INFO and ?WARNING directives include the filename and linenumber of the
+# directive. When set to No, that additional information is omitted. The
+# setting may be overridden on a directive by directive basis by following ?
+# INFO or ?WARNING with '!' (no intervening white space).
+#
WARNOLDCAPVERSION=Yes
#
# WARNOLDCAPVERSION=[Yes|No]
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Samples/Universal/rules.annotated shorewall-5.0.9/Samples/Universal/rules.annotated
--- shorewall-5.0.8/Samples/Universal/rules.annotated 2016-04-23 06:42:50.287009000 -0700
+++ shorewall-5.0.9/Samples/Universal/rules.annotated 2016-06-04 14:49:59.003791597 -0700
@@ -342,9 +342,21 @@
# logging daemon via a netlink socket then continues to the next rule.
# See http://www.shorewall.net/shorewall_logging.html.
#
-# Similar to LOG:NFLOG[(nflog-parameters)], except that the log level is
-# not changed when this ACTION is used in an action or macro body and the
-# invocation of that action or macro specifies a log level.
+# The nflog-parameters are a comma-separated list of up to 3 numbers:
+#
+# ☆ The first number specifies the netlink group (0-65535). If omitted
+# (e.g., NFLOG(,0,10)) then a value of 0 is assumed.
+#
+# ☆ The second number specifies the maximum number of bytes to copy. If
+# omitted, 0 (no limit) is assumed.
+#
+# ☆ The third number specifies the number of log messages that should
+# be buffered in the kernel before they are sent to user space. The
+# default is 1.
+#
+# NFLOG is similar to LOG:NFLOG[(nflog-parameters)], except that the log
+# level is not changed when this ACTION is used in an action or macro
+# body and the invocation of that action or macro specifies a log level.
#
# NFQUEUE[([queuenumber1[:queuenumber2][,bypass]]|bypass)]
#
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Samples/Universal/shorewall.conf shorewall-5.0.9/Samples/Universal/shorewall.conf
--- shorewall-5.0.8/Samples/Universal/shorewall.conf 2016-04-19 10:42:50.000000000 -0700
+++ shorewall-5.0.9/Samples/Universal/shorewall.conf 2016-05-22 17:50:51.000000000 -0700
@@ -136,7 +136,7 @@
AUTOHELPERS=Yes
-AUTOMAKE=No
+AUTOMAKE=Yes
BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -242,6 +242,8 @@
USE_RT_NAMES=No
+VERBOSE_MESSAGES=Yes
+
WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/Samples/Universal/shorewall.conf.annotated shorewall-5.0.9/Samples/Universal/shorewall.conf.annotated
--- shorewall-5.0.8/Samples/Universal/shorewall.conf.annotated 2016-04-23 06:42:50.723009000 -0700
+++ shorewall-5.0.9/Samples/Universal/shorewall.conf.annotated 2016-06-04 14:49:59.452157772 -0700
@@ -747,7 +747,7 @@
# The macros for those applications requiring a helper automatically
# specify the appropriate HELPER where required.
#
-AUTOMAKE=No
+AUTOMAKE=Yes
#
# AUTOMAKE=[Yes|No]
#
@@ -1705,6 +1705,16 @@
#
# Without these entries, the firewall will fail to start.
#
+VERBOSE_MESSAGES=Yes
+#
+# VERBOSE_MESSAGES=[Yes|No]
+#
+# Added in Shorewall 5.0.9. When Yes (the default), messages produced by the
+# ?INFO and ?WARNING directives include the filename and linenumber of the
+# directive. When set to No, that additional information is omitted. The
+# setting may be overridden on a directive by directive basis by following ?
+# INFO or ?WARNING with '!' (no intervening white space).
+#
WARNOLDCAPVERSION=Yes
#
# WARNOLDCAPVERSION=[Yes|No]
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/shorewall.spec shorewall-5.0.9/shorewall.spec
--- shorewall-5.0.8/shorewall.spec 2016-04-23 06:42:06.523009000 -0700
+++ shorewall-5.0.9/shorewall.spec 2016-06-04 14:49:09.383267082 -0700
@@ -1,5 +1,5 @@
%define name shorewall
-%define version 5.0.8
+%define version 5.0.9
%define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -121,7 +121,7 @@
%attr(0644,root,root) /usr/share/shorewall/action.template
%attr(0644,root,root) /usr/share/shorewall/action.Untracked
%attr(0644,root,root) /usr/share/shorewall/lib.cli-std
-%attr(0644,root,root) /usr/share/shorewall/lib.core
+%attr(0644,root,root) /usr/share/shorewall/lib.runtime
%attr(0644,root,root) /usr/share/shorewall/macro.*
%attr(0644,root,root) /usr/share/shorewall/deprecated/macro.*
%attr(0644,root,root) /usr/share/shorewall/modules*
@@ -141,8 +141,14 @@
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog
-* Tue Apr 19 2016 Tom Eastep tom@shorewall.net
-- Updated to 5.0.8-0base
+* Thu May 12 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.9-0base
+* Thu May 05 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.9-0RC1
+* Thu Apr 28 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.9-0Beta2
+* Mon Apr 18 2016 Tom Eastep tom@shorewall.net
+- Updated to 5.0.9-0Beta1
* Fri Apr 15 2016 Tom Eastep tom@shorewall.net
- Updated to 5.0.8-0RC2
* Mon Apr 11 2016 Tom Eastep tom@shorewall.net
diff -Naurdw -X /home/teastep/shorewall/tools/build/exclude.txt shorewall-5.0.8/uninstall.sh shorewall-5.0.9/uninstall.sh
--- shorewall-5.0.8/uninstall.sh 2016-04-23 06:42:06.255009000 -0700
+++ shorewall-5.0.9/uninstall.sh 2016-06-04 14:49:09.299198423 -0700
@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall
-VERSION=5.0.8
+VERSION=5.0.9
PRODUCT=shorewall
usage() # $1 = exit status
@@ -215,7 +215,7 @@
rm -rf ${SHAREDIR}/shorewall/Samples/
rm -rf ${SHAREDIR}/shorewall/Shorewall/
rm -f ${SHAREDIR}/shorewall/lib.cli-std
-rm -f ${SHAREDIR}/shorewall/lib.core
+rm -f ${SHAREDIR}/shorewall/lib.runtime
rm -f ${SHAREDIR}/shorewall/compiler.pl
rm -f ${SHAREDIR}/shorewall/prog.*
rm -f ${SHAREDIR}/shorewall/module*
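Review bot: The new `rm -f ${SHAREDIR}/shorewall/lib.runtime` line keeps the unquoted `${SHAREDIR}` expansion of the line it replaces; a value containing whitespace or glob characters would be word-split, and a leading `-` would be parsed as an option. The safer form is `rm -f -- "${SHAREDIR}/shorewall/lib.runtime"`. SHAREDIR is assigned outside this hunk, so I cannot tell whether it is guaranteed non-empty; if it is not, the surrounding `rm -rf ${SHAREDIR}/shorewall/...` context lines would also benefit from the `${SHAREDIR:?}` guard, though that is existing code rather than part of this change.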