Rest of the Shorewall6 manpages

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9045 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-05-29 06:07:34 +02:00 · 2008-12-14 17:37:30 +00:00 · 2008-12-14 17:37:30 +00:00 · 3f85cc86aa
commit 3f85cc86aa
parent 3272f6797e
26 changed files with 837 additions and 2117 deletions
--- a/manpages6-lite/shorewall6-lite-vardir.xml
+++ b/manpages6-lite/shorewall6-lite-vardir.xml
@ -1,7 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
-    <refentrytitle>shorewall-lite-vardir</refentrytitle>
+    <refentrytitle>shorewall6-lite-vardir</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>
@ -9,12 +11,12 @@
  <refnamediv>
    <refname>vardir</refname>
-    <refpurpose>Shorewall Lite file</refpurpose>
+    <refpurpose>Shorewall6 Lite file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall-lite/vardir</command>
+      <command>/etc/shorewall6-lite/vardir</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@ -22,9 +24,9 @@
    <title>Description</title>
    <para>This file does not exist by default. You may create the file if you
-    want to change the directory used by Shorewall Lite to store state
+    want to change the directory used by Shorewall6 Lite to store state
    information, including compiled firewall scripts. By default, the
-    directory used is <filename>/var/lib/shorewall-lite/</filename>.</para>
+    directory used is <filename>/var/lib/shorewall6-lite/</filename>.</para>
    <para>The file contains a single variable assignment:</para>
@ -32,33 +34,31 @@
    <para>where <replaceable>directory</replaceable> is the name of a
    directory. If you add this file, you should copy the files from
-    <filename>/var/lib/shorewall-lite</filename> to the new directory before
+    <filename>/var/lib/shorewall6-lite</filename> to the new directory before
-    performing a <command>shorewall-lite restart</command>.</para>
+    performing a <command>shorewall6-lite restart</command>.</para>
  </refsect1>
  <refsect1>
    <title>Example</title>
-    <para>VARDIR=/root/shorewall</para>
+    <para>VARDIR=/root/shorewall6</para>
  </refsect1>
  <refsect1>
    <title>FILES</title>
-    <para>/etc/shorewall-lite/vardir</para>
+    <para>/etc/shorewall6-lite/vardir</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6-lite/shorewall6-lite.conf.xml
+++ b/manpages6-lite/shorewall6-lite.conf.xml
@ -1,27 +1,29 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
-    <refentrytitle>shorewall-lite.conf</refentrytitle>
+    <refentrytitle>shorewall6-lite.conf</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>
  <refnamediv>
-    <refname>shorewall-lite.conf</refname>
+    <refname>shorewall6-lite.conf</refname>
-    <refpurpose>Shorewall Lite global configuration file</refpurpose>
+    <refpurpose>Shorewall6 Lite global configuration file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall-lite/shorewall-lite.conf</command>
+      <command>/etc/shorewall6-lite/shorewall6-lite.conf</command>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
-    <para>This file sets options that apply to Shorewall Lite as a
+    <para>This file sets options that apply to Shorewall6 Lite as a
    whole.</para>
    <para>The file consists of Shell comments (lines beginning with '#'),
@ -31,15 +33,15 @@
    it's effect.</para>
    <para>Any option not specified in this file gets its value from the
-    shorewall.conf file used during compilation of
+    shorewall6.conf file used during compilation of
-    /var/lib/shorewall-lite/firewall. Those settings may be found in the file
+    /var/lib/shorewall6-lite/firewall. Those settings may be found in the file
-    /var/lib/shorewall-lite/firewall.conf.</para>
+    /var/lib/shorewall6-lite/firewall.conf.</para>
  </refsect1>
  <refsect1>
    <title>OPTIONS</title>
-    <para>The following options may be set in shorewall.conf.</para>
+    <para>The following options may be set in shorewall6.conf.</para>
    <variablelist>
      <varlistentry>
@ -48,7 +50,7 @@
        <listitem>
          <para>This parameter names the iptables executable to be used by
-          Shorewall. If not specified or if specified as a null value, then
+          Shorewall6. If not specified or if specified as a null value, then
          the iptables executable located using the PATH option is
          used.</para>
        </listitem>
@ -59,8 +61,8 @@
        role="bold">LOGFILE=</emphasis>[<emphasis>pathname</emphasis>]</term>
        <listitem>
-          <para>This parameter tells the /sbin/shorewall program where to look
+          <para>This parameter tells the /sbin/shorewall6 program where to look
-          for Shorewall messages when processing the <emphasis
+          for Shorewall6 messages when processing the <emphasis
          role="bold">dump</emphasis>, <emphasis
          role="bold">logwatch</emphasis>, <emphasis role="bold">show
          log</emphasis>, and <emphasis role="bold">hits</emphasis> commands.
@ -76,7 +78,7 @@
        <listitem>
          <para>The value of this variable generate the --log-prefix setting
-          for Shorewall logging rules. It contains a “printf” formatting
+          for Shorewall6 logging rules. It contains a “printf” formatting
          template which accepts three arguments (the chain name, logging rule
          number (optional) and the disposition). To use LOGFORMAT with
          fireparse, set it as:</para>
@ -87,7 +89,7 @@
          logging rule number is calculated and formatted in that position; if
          that substring is not included then the rule number is not included.
          If not supplied or supplied as empty (LOGFORMAT="") then
-          “Shorewall:%s:%s:” is assumed.</para>
+          “Shorewall6:%s:%s:” is assumed.</para>
        </listitem>
      </varlistentry>
@ -96,7 +98,7 @@
        role="bold">:</emphasis><emphasis>pathname</emphasis>]...]</term>
        <listitem>
-          <para>Determines the order in which Shorewall searches directories
+          <para>Determines the order in which Shorewall6 searches directories
          for executable files.</para>
        </listitem>
      </varlistentry>
@ -106,22 +108,22 @@
        role="bold">RESTOREFILE=</emphasis>[<emphasis>filename</emphasis>]</term>
        <listitem>
-          <para>Specifies the simple name of a file in /var/lib/shorewall to
+          <para>Specifies the simple name of a file in /var/lib/shorewall6 to
          be used as the default restore script in the <emphasis
-          role="bold">shorewall save</emphasis>, <emphasis
+          role="bold">shorewall6 save</emphasis>, <emphasis
-          role="bold">shorewall restore</emphasis>, <emphasis
+          role="bold">shorewall6 restore</emphasis>, <emphasis
-          role="bold">shorewall forget </emphasis>and <emphasis
+          role="bold">shorewall6 forget </emphasis>and <emphasis
-          role="bold">shorewall -f start</emphasis> commands.</para>
+          role="bold">shorewall6 -f start</emphasis> commands.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
-        role="bold">SHOREWALL_SHELL=</emphasis>[<emphasis>pathname</emphasis>]</term>
+        role="bold">SHOREWALL6_SHELL=</emphasis>[<emphasis>pathname</emphasis>]</term>
        <listitem>
          <para>This option is used to specify the shell program to be used to
-          run the Shorewall compiler and to interpret the compiled script. If
+          run the Shorewall6 compiler and to interpret the compiled script. If
          not specified or specified as a null value, /bin/sh is assumed.
          Using a light-weight shell such as ash or dash can significantly
          improve performance.</para>
@ -135,10 +137,10 @@
        <listitem>
          <para>This parameter should be set to the name of a file that the
          firewall should create if it starts successfully and remove when it
-          stops. Creating and removing this file allows Shorewall to work with
+          stops. Creating and removing this file allows Shorewall6 to work with
          your distribution's initscripts. For RedHat, this should be set to
-          /var/lock/subsys/shorewall. For Debian, the value is
+          /var/lock/subsys/shorewall6. For Debian, the value is
-          /var/state/shorewall and in LEAF it is /var/run/shorwall.</para>
+          /var/state/shorewall6 and in LEAF it is /var/run/shorwall.</para>
        </listitem>
      </varlistentry>
@ -146,7 +148,7 @@
        <term>VERBOSITY=[<emphasis role="bold">number</emphasis>]</term>
        <listitem>
-          <para>Shorewall has traditionally been very noisy (produced lots of
+          <para>Shorewall6 has traditionally been very noisy (produced lots of
          output). You may set the default level of verbosity using the
          VERBOSITY OPTION.</para>
@ -171,7 +173,7 @@
  <refsect1>
    <title>FILES</title>
-    <para>/etc/shorewall-lite/shorewall.conf</para>
+    <para>/etc/shorewall6-lite/shorewall6.conf</para>
  </refsect1>
  <refsect1>
@ -180,13 +182,13 @@
    <para><ulink
    url="http://www.shorewall.net/Documentation_Index.html">http://www.shorewall.net/Documentation_Index.html</ulink></para>
-    <para>shorewall-lite(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall6-lite(8), shorewall6-accounting(5), shorewall6-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall6-nat(5), shorewall6-netmap(5), shorewall6-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6-rules(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6-lite/shorewall6-lite.xml
+++ b/manpages6-lite/shorewall6-lite.xml
@ -1,21 +1,23 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
-    <refentrytitle>shorewall-lite</refentrytitle>
+    <refentrytitle>shorewall6-lite</refentrytitle>
    <manvolnum>8</manvolnum>
  </refmeta>
  <refnamediv>
-    <refname>shorewall-lite</refname>
+    <refname>shorewall6-lite</refname>
-    <refpurpose>Administration tool for Shoreline Firewall Lite
+    <refpurpose>Administration tool for Shoreline Firewall 6 Lite
-    (Shorewall-lite)</refpurpose>
+    (Shorewall6-lite)</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -28,7 +30,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -39,7 +41,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -52,7 +54,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -66,7 +68,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -78,7 +80,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -88,7 +90,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -98,38 +100,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>ipcalc</option></arg>
      <group choice="req">
        <arg choice="plain"><replaceable>address</replaceable>
        <replaceable>mask</replaceable></arg>
        <arg
        choice="plain"><replaceable>address</replaceable>/<replaceable>vlsm</replaceable></arg>
      </group>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>iprange</option></arg>
      <arg
      choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -142,7 +113,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -156,7 +127,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -169,7 +140,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -182,7 +153,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -194,7 +165,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -207,7 +178,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -220,7 +191,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -231,14 +202,14 @@
      <arg><option>-x</option></arg>
      <arg><option>-t</option>
-      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}</arg>
+      {<option>filter</option>|<option>mangle</option>|<option>raw</option>}</arg>
      <arg><arg><option>chain</option></arg><arg choice="plain"
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -252,7 +223,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -265,7 +236,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -279,7 +250,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -291,7 +262,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -305,22 +276,19 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>start</option></arg>
+      <arg
-
+      choice="plain"><option>start</option><arg>-<option>n</option></arg><arg>-<option>p</option></arg><arg>-<option>f</option></arg></arg>
      <arg><option>-n</option></arg>
      <arg><option>-f</option><arg><option>-p</option></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -331,7 +299,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -341,7 +309,7 @@
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall-lite</command>
+      <command>shorewall6-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
@ -354,8 +322,8 @@
  <refsect1>
    <title>Description</title>
-    <para>The shorewall-lite utility is used to control the Shoreline Firewall
+    <para>The shorewall6-lite utility is used to control the Shoreline
-    (Shorewall) Lite.</para>
+    Firewall 6 (Shorewall6) Lite.</para>
  </refsect1>
  <refsect1>
@ -366,8 +334,8 @@
    url="http://www.shorewall.net/starting_and_stopping.htm#Trace">http://www.shorewall.net/starting_and_stopping.htm#Trace</ulink>.</para>
    <para>The nolock <option>option</option> prevents the command from
-    attempting to acquire the Shorewall Lite lockfile. It is useful if you
+    attempting to acquire the Shorewall6 Lite lockfile. It is useful if you
-    need to include <command>shorewall-lite</command> commands in the
+    need to include <command>shorewall6-lite</command> commands in the
    <filename>started</filename> extension script.</para>
    <para>The <emphasis>options</emphasis> control the amount of output that
@ -375,7 +343,7 @@
    role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
    options are omitted, the amount of output is determined by the setting of
    the VERBOSITY parameter in <ulink
-    url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
+    url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Each <emphasis
    role="bold">v</emphasis> adds one to the effective verbosity and each
    <emphasis role="bold">q</emphasis> subtracts one from the effective
    VERBOSITY. Anternately, <emphasis role="bold">v</emphasis> may be followed
@ -394,29 +362,6 @@
    <para>The available commands are listed below.</para>
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">add</emphasis></term>
        <listitem>
          <para>Adds a list of hosts or subnets to a dynamic zone usually used
          with VPN's.</para>
          <para>The <emphasis>interface</emphasis> argument names an interface
          defined in the <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is comma-separated list whose
          elements are a host or network address.<caution>
              <para>The <command>add</command> command is not very robust. If
              there are errors in the <replaceable>host-list</replaceable>,
              you may see a large number of error messages yet a subsequent
              <command>shorewall show zones</command> command will indicate
              that all hosts were added. If this happens, replace
              <command>add</command> by <command>delete</command> and run the
              same command again. Then enter the correct command.</para>
            </caution></para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">allow</emphasis></term>
@ -433,28 +378,13 @@
        <term><emphasis role="bold">clear</emphasis></term>
        <listitem>
-          <para>Clear will remove all rules and chains installed by Shorewall
+          <para>Clear will remove all rules and chains installed by Shorewall6
          Lite. The firewall is then wide open and unprotected. Existing
          connections are untouched. Clear is often used to see if the
          firewall is causing connection problems.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">delete</emphasis></term>
        <listitem>
          <para>The delete command reverses the effect of an earlier <emphasis
          role="bold">add</emphasis> command.</para>
          <para>The <emphasis>interface</emphasis> argument names an interface
          defined in the <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is comma-separated list whose
          elements are a host or network address.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">drop</emphasis></term>
@ -474,7 +404,7 @@
          <para>The <emphasis role="bold">-x</emphasis> option causes actual
          packet and byte counts to be displayed. Without that option, these
          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
-          option causes any MAC addresses included in Shorewall Lite log
+          option causes any MAC addresses included in Shorewall6 Lite log
          messages to be displayed.</para>
        </listitem>
      </varlistentry>
@ -483,11 +413,11 @@
        <term><emphasis role="bold">forget</emphasis></term>
        <listitem>
-          <para>Deletes /var/lib/shorewall-lite/<emphasis>filenam</emphasis>e
+          <para>Deletes /var/lib/shorewall6-lite/<emphasis>filenam</emphasis>e
-          and /var/lib/shorewall-lite/save. If no
+          and /var/lib/shorewall6-lite/save. If no
          <emphasis>filename</emphasis> is given then the file specified by
          RESTOREFILE in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) is
+          url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5) is
          assumed.</para>
        </listitem>
      </varlistentry>
@ -504,30 +434,11 @@
        <term><emphasis role="bold">hits</emphasis></term>
        <listitem>
-          <para>Generates several reports from Shorewall Lite log messages in
+          <para>Generates several reports from Shorewall6 Lite log messages in
          the current log file.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">ipcalc</emphasis></term>
        <listitem>
          <para>Ipcalc displays the network address, broadcast address,
          network in CIDR notation and netmask corresponding to the
          input[s].</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">iprange</emphasis></term>
        <listitem>
          <para>Iprange decomposes the specified range of IP addresses into
          the equivalent list of network/host addresses.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">logdrop</emphasis></term>
@ -542,14 +453,14 @@
        <listitem>
          <para>Monitors the log file specified by theLOGFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) and
+          url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5) and
-          produces an audible alarm when new Shorewall Lite messages are
+          produces an audible alarm when new Shorewall6 Lite messages are
          logged. The <emphasis role="bold">-m</emphasis> option causes the
          MAC address of each packet source to be displayed if that
          information is available. The
          <replaceable>refresh-interval</replaceable> specifies the time in
          seconds between screen refreshes. You can enter a negative number by
-          preceding the number with "--" (e.g., <command>shorewall-lite
+          preceding the number with "--" (e.g., <command>shorewall6-lite
          logwatch -- -30</command>). In this case, when a packet count
          changes, you will be prompted to hit any key to resume screen
          refreshes.</para>
@ -578,11 +489,11 @@
        <term><emphasis role="bold">restart</emphasis></term>
        <listitem>
-          <para>Restart is similar to <emphasis role="bold">shorewall-lite
+          <para>Restart is similar to <emphasis role="bold">shorewall6-lite
-          stop</emphasis> followed by <emphasis role="bold">shorewall-lite
+          stop</emphasis> followed by <emphasis role="bold">shorewall6-lite
          start</emphasis>. Existing connections are maintained.</para>
-          <para>The <option>-n</option> option causes Shorewall to avoid
+          <para>The <option>-n</option> option causes Shorewall6 to avoid
          updating the routing table(s).</para>
          <para>The <option>-p</option> option causes the connection tracking
@ -595,14 +506,14 @@
        <term><emphasis role="bold">restore</emphasis></term>
        <listitem>
-          <para>Restore Shorewall Lite to a state saved using the <emphasis
+          <para>Restore Shorewall6 Lite to a state saved using the <emphasis
-          role="bold">shorewall-lite save</emphasis> command. Existing
+          role="bold">shorewall6-lite save</emphasis> command. Existing
          connections are maintained. The <emphasis>filename</emphasis> names
-          a restore file in /var/lib/shorewall-lite created using <emphasis
+          a restore file in /var/lib/shorewall6-lite created using <emphasis
-          role="bold">shorewall-lite save</emphasis>; if no
+          role="bold">shorewall6-lite save</emphasis>; if no
-          <emphasis>filename</emphasis> is given then Shorewall Lite will be
+          <emphasis>filename</emphasis> is given then Shorewall6 Lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
+          url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@ -611,13 +522,13 @@
        <listitem>
          <para>The dynamic blacklist is stored in
-          /var/lib/shorewall-lite/save. The state of the firewall is stored in
+          /var/lib/shorewall6-lite/save. The state of the firewall is stored
-          /var/lib/shorewall-lite/<emphasis>filename</emphasis> for use by the
+          in /var/lib/shorewall6-lite/<emphasis>filename</emphasis> for use by
-          <emphasis role="bold">shorewall-lite restore</emphasis> and
+          the <emphasis role="bold">shorewall6-lite restore</emphasis> and
-          <emphasis role="bold">shorewall-lite -f start</emphasis> commands.
+          <emphasis role="bold">shorewall6-lite -f start</emphasis> commands.
          If <emphasis>filename</emphasis> is not given then the state is
          saved in the file specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
+          url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@ -655,7 +566,7 @@
              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
-                displayed using the <emphasis role="bold">iptables
+                displayed using the <emphasis role="bold">ip6tables
                -L</emphasis> <emphasis>chain</emphasis> <emphasis
                role="bold">-n -v</emphasis> command. If no
                <emphasis>chain</emphasis> is given, all of the chains in the
@ -679,8 +590,8 @@
              <listitem>
                <para>Displays information about the packet classifiers
-                defined on the system 10-080213-8397as a result of traffic
+                defined on the system as a result of traffic shaping
-                shaping configuration.</para>
+                configuration.</para>
              </listitem>
            </varlistentry>
@ -715,7 +626,7 @@
              <listitem>
                <para>Displays the Netfilter mangle table using the command
-                <emphasis role="bold">iptables -t mangle -L -n
+                <emphasis role="bold">ip6tables -t mangle -L -n
                -v</emphasis>.The <emphasis role="bold">-x</emphasis> option
                is passed directly through to iptables and causes actual
                packet and byte counts to be displayed. Without this option,
@ -728,7 +639,7 @@
              <listitem>
                <para>Displays the Netfilter nat table using the command
-                <emphasis role="bold">iptables -t nat -L -n -v</emphasis>.The
+                <emphasis role="bold">ip6tables -t nat -L -n -v</emphasis>.The
                <emphasis role="bold">-x</emphasis> option is passed directly
                through to iptables and causes actual packet and byte counts
                to be displayed. Without this option, those counts are
@ -749,7 +660,7 @@
              <term><emphasis role="bold">zones</emphasis></term>
              <listitem>
-                <para>Displays the current composition of the Shorewall Lite
+                <para>Displays the current composition of the Shorewall6 Lite
                zones on the system.</para>
              </listitem>
            </varlistentry>
@ -761,16 +672,16 @@
        <term><emphasis role="bold">start</emphasis></term>
        <listitem>
-          <para>Start shorewall Lite. Existing connections through
+          <para>Start shorewall6 Lite. Existing connections through
-          shorewall-lite managed interfaces are untouched. New connections
+          shorewall6-lite managed interfaces are untouched. New connections
          will be allowed only if they are allowed by the firewall rules or
          policies. If <emphasis role="bold">-f</emphasis> is specified, the
          saved configuration specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) will
+          url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5) will
          be restored if that saved configuration exists and has been modified
-          more recently than the files in /etc/shorewall. </para>
+          more recently than the files in /etc/shorewall6.</para>
-          <para>The <option>-n</option> option causes Shorewall to avoid
+          <para>The <option>-n</option> option causes Shorewall6 to avoid
          updating the routing table(s).</para>
          <para>The <option>-p</option> option causes the connection tracking
@ -785,11 +696,11 @@
        <listitem>
          <para>Stops the firewall. All existing connections, except those
          listed in <ulink
-          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
+          url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
-          or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5),
+          or permitted by the ADMINISABSENTMINDED option in
-          are taken down. The only new traffic permitted through the firewall
+          shorewall6.conf(5), are taken down. The only new traffic permitted
-          is from systems listed in <ulink
+          through the firewall is from systems listed in <ulink
-          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
+          url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
          or by ADMINISABSENTMINDED.</para>
        </listitem>
      </varlistentry>
@ -799,7 +710,7 @@
        <listitem>
          <para>Produces a short report about the state of the
-          Shorewall-configured firewall.</para>
+          Shorewall6-configured firewall.</para>
        </listitem>
      </varlistentry>
@ -807,7 +718,7 @@
        <term><emphasis role="bold">version</emphasis></term>
        <listitem>
-          <para>Displays Shorewall-lite's version.</para>
+          <para>Displays Shorewall6-lite's version.</para>
        </listitem>
      </varlistentry>
    </variablelist>
@ -816,23 +727,21 @@
  <refsect1>
    <title>FILES</title>
-    <para>/etc/shorewall-lite/</para>
+    <para>/etc/shorewall6-lite/</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
    <para><ulink
-    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
+    url="http://www.shorewall.net/starting_and_stopping_shorewall6.htm">http://www.shorewall.net/starting_and_stopping_shorewall6.htm</ulink></para>
-    <para>shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall6-accounting(5), shorewall6-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6/shorewall6-accounting.xml
+++ b/manpages6/shorewall6-accounting.xml
@ -156,12 +156,12 @@
          role="bold">udp</emphasis> (6 or 17).</para>
          <para>You may place a comma-separated list of port names or numbers
-          in this column if your kernel and iptables include multiport match
+          in this column if your kernel and ip6tables include multiport match
          support.</para>
          <para>If the PROTOCOL is <emphasis role="bold">ipp2p</emphasis> then
          this column must contain an <emphasis>ipp2p-option</emphasis>
-          ("iptables -m ipp2p --help") without the leading "--". If no option
+          ("ip6tables -m ipp2p --help") without the leading "--". If no option
          is given in this column, <emphasis role="bold">ipp2p</emphasis> is
          assumed.</para>
        </listitem>
@ -179,7 +179,7 @@
          UDP (6 or 17).</para>
          <para>You may place a comma-separated list of port numbers in this
-          column if your kernel and iptables include multiport match
+          column if your kernel and ip6tables include multiport match
          support.</para>
        </listitem>
      </varlistentry>
@ -287,8 +287,7 @@
              <listitem>
                <para>Designates a connection mark. If omitted, the packet
-                mark's value is tested. This option is only supported by
+                mark's value is tested.</para>
                Shorewall-perl.</para>
              </listitem>
            </varlistentry>
          </variablelist>
--- a/manpages6/shorewall6-actions.xml
+++ b/manpages6/shorewall6-actions.xml
@ -25,7 +25,7 @@
    <para>This file allows you to define new ACTIONS for use in rules (see
    <ulink url="shorewall-rules.html">shorewall6-rules(5)</ulink>). You define
-    the iptables rules to be performed in an ACTION in
+    the ip6tables rules to be performed in an ACTION in
    /etc/shorewall6/action.<emphasis>action-name</emphasis>.</para>
    <para>ACTION names should begin with an upper-case letter to distinguish
@ -47,7 +47,7 @@
    <title>See ALSO</title>
    <para><ulink
-    url="http://shorewall.net/Actions.html">http://shorewall6.net/Actions.html</ulink></para>
+    url="http://shorewall.net/Actions.html">http://shorewall.net/Actions.html</ulink></para>
    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5),
    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
--- a/manpages6/shorewall6-blacklist.xml
+++ b/manpages6/shorewall6-blacklist.xml
@ -37,7 +37,7 @@
        <listitem>
          <para>Host address, network address, MAC address, IP address range
-          (if your kernel and iptables contain iprange match support) or ipset
+          (if your kernel and ip6tables contain iprange match support) or ipset
          name prefaced by "+" (if your kernel supports ipset match).</para>
          <para>MAC addresses must be prefixed with "~" and use "-" as a
@ -128,7 +128,7 @@
    <title>See ALSO</title>
    <para><ulink
-    url="http://shorewall.net/blacklisting_support.htm">http://shorewall6.net/blacklisting_support.htm</ulink></para>
+    url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>
    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
--- a/manpages6/shorewall6-exclusion.xml
+++ b/manpages6/shorewall6-exclusion.xml
@ -29,7 +29,7 @@
    from a definition. An exclaimation point is followed by a comma-separated
    list of addresses. The addresses may be single host addresses (e.g.,
    fe80::2a0:ccff:fedb:31c4) or they may be network addresses in CIDR format
-    (e.g., fe80::2a0:ccff:fedb:31c4/64). If your kernel and iptables include
+    (e.g., fe80::2a0:ccff:fedb:31c4/64). If your kernel and ip6tables include
    iprange support, you may also specify ranges of ip addresses of the form
    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para>
--- a/manpages6/shorewall6-hosts.xml
+++ b/manpages6/shorewall6-hosts.xml
@ -83,7 +83,7 @@
            <listitem>
              <para>An IP address range of the form
              <emphasis>low.address</emphasis>-<emphasis>high.address</emphasis>.
-              Your kernel and iptables must have iprange match support.</para>
+              Your kernel and ip6tables must have iprange match support.</para>
            </listitem>
            <listitem>
--- a/manpages6/shorewall6-interfaces.xml
+++ b/manpages6/shorewall6-interfaces.xml
@ -78,7 +78,7 @@ loc     eth2            -</programlisting>
          url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for a
          discussion of this problem.</para>
-          <para>Shorewall6-perl allows '+' as an interface name.</para>
+          <para>Shorewall6 allows '+' as an interface name.</para>
          <para>There is no need to define the loopback interface (lo) in this
          file.</para>
@ -127,8 +127,7 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">bridge</emphasis></term>
              <listitem>
-                <para>(shorewall6-perl only) Designates the interface as a
+                <para>Designates the interface as a bridge.</para>
                bridge.</para>
              </listitem>
            </varlistentry>
@ -188,8 +187,7 @@ loc     eth2            -</programlisting>
                <para>Turn on kernel route filtering for this interface
                (anti-spoofing measure).</para>
-                <para>The option value (0 or 1) may only be specified if you
+                <para>If a value (0 or 1) is specified, then only those
                are using shorewall6-perl. With shorewall6-perl, only those
                interfaces with the <option>routefilter</option> option will
                have their setting changes; the value assigned to the setting
                will be the value specified (if any) or 1 if no value is
@ -248,16 +246,6 @@ loc     eth2            -</programlisting>
                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">upnp</emphasis></term>
              <listitem>
                <para>Incoming requests from this interface may be remapped
                via UPNP (upnpd). See <ulink
                url="../UPnP.html">http://www.shorewall.net/UPnP.html</ulink>.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/manpages6/shorewall6-maclist.xml
+++ b/manpages6/shorewall6-maclist.xml
@ -80,9 +80,9 @@
        <listitem>
          <para>If specified, both the MAC and IP address must match. This
          column can contain a comma-separated list of host and/or subnet
-          addresses. If your kernel and iptables have iprange match support
+          addresses. If your kernel and ip6tables have iprange match support
          then IP address ranges are also allowed. Similarly, if your kernel
-          and iptables include ipset support than set names (prefixed by "+")
+          and ip6tables include ipset support than set names (prefixed by "+")
          are also allowed.</para>
        </listitem>
      </varlistentry>
--- a/manpages6/shorewall6-modules.xml
+++ b/manpages6/shorewall6-modules.xml
@ -24,7 +24,7 @@
    <title>Description</title>
    <para>This file specifies which kernel modules shorewall6 will load before
-    trying to determine your iptables/kernel's capabilities. Each record in
+    trying to determine your ip6tables/kernel's capabilities. Each record in
    the file has the following format:</para>
    <cmdsynopsis>
--- a/manpages6/shorewall6-params.xml
+++ b/manpages6/shorewall6-params.xml
@ -57,7 +57,7 @@ net     eth0            -               dhcp,nosmurfs</programlisting>
    <title>See ALSO</title>
    <para><ulink
-    url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall6.net/configuration_file_basics.htm#Variables</ulink></para>
+    url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
--- a/manpages6/shorewall6-policy.xml
+++ b/manpages6/shorewall6-policy.xml
@ -165,9 +165,9 @@
              <term><emphasis role="bold">NFQUEUE</emphasis></term>
              <listitem>
-                <para>Added in shorewall6-perl 4.0.3. Queue the request for a
+                <para>Queue the request for a user-space application using the
-                user-space application using the nfnetlink_queue mechanism. If
+                nfnetlink_queue mechanism. If a
-                a <replaceable>queuenumber</replaceable> is not given, queue
+                <replaceable>queuenumber</replaceable> is not given, queue
                zero (0) is assumed.</para>
              </listitem>
            </varlistentry>
@ -243,17 +243,17 @@
        <emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
        <listitem>
-          <para>Added in shorewall6-perl 4.2.1. May be used to limit the
+          <para>May be used to limit the number of simultaneous connections
-          number of simultaneous connections from each individual host to
+          from each individual host to <replaceable>limit</replaceable>
-          <replaceable>limit</replaceable> connections. While the limit is
+          connections. While the limit is only checked on connections to which
-          only checked on connections to which this policy could apply, the
+          this policy could apply, the number of current connections is
-          number of current connections is calculated over all current
+          calculated over all current connections from the SOURCE host. By
-          connections from the SOURCE host. By default, the limit is applied
+          default, the limit is applied to each host individually but can be
-          to each host individually but can be made to apply to networks of
+          made to apply to networks of hosts by specifying a
-          hosts by specifying a <replaceable>mask</replaceable>. The
+          <replaceable>mask</replaceable>. The <replaceable>mask</replaceable>
-          <replaceable>mask</replaceable> specifies the width of a VLSM mask
+          specifies the width of a VLSM mask to be applied to the source
-          to be applied to the source address; the number of current
+          address; the number of current connections is then taken over all
-          connections is then taken over all hosts in the subnet
+          hosts in the subnet
          <replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.</para>
        </listitem>
      </varlistentry>
--- a/manpages6/shorewall6-providers.xml
+++ b/manpages6/shorewall6-providers.xml
@ -285,7 +285,7 @@
    <title>See ALSO</title>
    <para><ulink
-    url="http://shorewall6.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
+    url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
--- a/manpages6/shorewall6-routestopped.xml
+++ b/manpages6/shorewall6-routestopped.xml
@ -48,7 +48,7 @@
        <listitem>
          <para>Comma-separated list of IP/subnet addresses. If your kernel
-          and iptables include iprange match support, IP address ranges are
+          and ip6tables include iprange match support, IP address ranges are
          also allowed.</para>
          <para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para>
--- a/manpages6/shorewall6-rules.xml
+++ b/manpages6/shorewall6-rules.xml
@ -32,13 +32,6 @@
    first terminating match is the one that determines the disposition of the
    request. All rules are terminating except LOG and QUEUE rules.</para>
    <warning>
      <para>If you masquerade or use SNAT from a local system to the internet,
      you cannot use an ACCEPT rule to allow traffic from the internet to that
      system. You <emphasis role="bold">must</emphasis> use a DNAT rule
      instead.</para>
    </warning>
    <para>The rules file is divided into sections. Each section is introduced
    by a "Section Header" which is a line beginning with SECTION and followed
    by the section name.</para>
@ -169,19 +162,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">ACCEPT+</emphasis></term>
              <listitem>
                <para>like ACCEPT but also excludes the connection from any
                subsequent matching <emphasis
                role="bold">DNAT</emphasis>[<emphasis
                role="bold">-</emphasis>] or <emphasis
                role="bold">REDIRECT</emphasis>[<emphasis
                role="bold">-</emphasis>] rules</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">ACCEPT!</emphasis></term>
@ -192,17 +172,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">NONAT</emphasis></term>
              <listitem>
                <para>Excludes the connection from any subsequent <emphasis
                role="bold">DNAT</emphasis>[-] or <emphasis
                role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
                a rule to accept the traffic.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DROP</emphasis></term>
@ -240,76 +209,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DNAT</emphasis></term>
              <listitem>
                <para>Forward the request to another system (and optionally
                another port).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">DNAT-</emphasis></term>
              <listitem>
                <para>Advanced users only.</para>
                <para>Like <emphasis role="bold">DNAT</emphasis> but only
                generates the <emphasis role="bold">DNAT</emphasis> iptables
                rule and not the companion <emphasis
                role="bold">ACCEPT</emphasis> rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">SAME</emphasis></term>
              <listitem>
                <para>Similar to <emphasis role="bold">DNAT</emphasis> except
                that the port may not be remapped and when multiple server
                addresses are listed, all requests from a given remote system
                go to the same server.<warning>
                    <para>Support for SAME is scheduled for removal from the
                    Linux kernel in 2008.</para>
                  </warning></para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">SAME-</emphasis></term>
              <listitem>
                <para>Advanced users only.</para>
                <para>Like SAME but only generates the nat iptables rule and
                not the companion <emphasis role="bold">ACCEPT</emphasis>
                rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">REDIRECT</emphasis></term>
              <listitem>
                <para>Redirect the request to a server running on the
                firewall.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">REDIRECT-</emphasis></term>
              <listitem>
                <para>Advanced users only.</para>
                <para>Like <emphasis role="bold">REDIRECT</emphasis> but only
                generates the <emphasis role="bold">REDIRECT</emphasis>
                iptables rule and not the companion <emphasis
                role="bold">ACCEPT</emphasis> rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">CONTINUE</emphasis></term>
@ -371,8 +270,6 @@
              <term>NFQUEUE</term>
              <listitem>
                <para>Only supported by Shorewall6-perl &gt;= 4.0.3.</para>
                <para>Queues the packet to a user-space application using the
                nfnetlink_queue mechanism. If a
                <replaceable>queuenumber</replaceable> is not specified, queue
@ -443,12 +340,8 @@
          <blockquote>
            <para>The <emphasis role="bold">ACTION</emphasis> may optionally
            be followed by ":" and a syslog log level (e.g, REJECT:info or
-            DNAT:debug). This causes the packet to be logged at the specified
+            ACCEPT:debug). This causes the packet to be logged at the
-            level. Note that if the <emphasis role="bold">ACTION</emphasis>
+            specified level.</para>
            involves destination network address translation (DNAT, REDIRECT,
            SAME, etc.) then the packet is logged <emphasis
            role="bold">before</emphasis> the destination address is
            rewritten.</para>
            <para>If the <emphasis role="bold">ACTION</emphasis> names an
            <emphasis>action</emphasis> declared in <ulink
@ -533,13 +426,17 @@
          <para>Hosts may also be specified as an IP address range using the
          syntax
          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
-          This requires that your kernel and iptables contain iprange match
+          This requires that your kernel and ip6tables contain iprange match
-          support. If your kernel and iptables have ipset match support then
+          support. If your kernel and ip6tables have ipset match support then
          you may give the name of an ipset prefaced by "+". The ipset name
          may be optionally followed by a number from 1 to 6 enclosed in
          square brackets ([]) to indicate the number of levels of source
          bindings to be matched.</para>
          <para>When an <replaceable>interface</replaceable> is not specified,
          you may omit the angled brackets ('&lt;' and '&gt;') around the
          address(es) or you may supply them to improve readability.</para>
          <para>You may exclude certain hosts from the set already defined
          through use of an <emphasis>exclusion</emphasis> (see <ulink
          url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
@ -548,7 +445,7 @@
          <variablelist>
            <varlistentry>
-              <term>dmz:2002:ce7c:92b4:1::2</term>
+              <term>dmz:2002:ce7c::92b4:1::2</term>
              <listitem>
                <para>Host 2002:ce7c:92b4:1::2 in the DMZ</para>
@ -556,7 +453,7 @@
            </varlistentry>
            <varlistentry>
-              <term>net:2001:4d48:ad51:24:;/64</term>
+              <term>net:2001:4d48:ad51:24::/64</term>
              <listitem>
                <para>Subnet 2001:4d48:ad51:24::/64 on the Internet</para>
@ -564,11 +461,11 @@
            </varlistentry>
            <varlistentry>
-              <term>loc:192.168.1.1,192.168.1.2</term>
+              <term>loc:&lt;2002:cec792b4:1::2,2002:cec792b4:1::44&gt;</term>
              <listitem>
-                <para>Hosts 192.168.1.1 and 192.168.1.2 in the local
+                <para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
-                zone.</para>
+                local zone.</para>
              </listitem>
            </varlistentry>
@ -582,11 +479,11 @@
            </varlistentry>
            <varlistentry>
-              <term>net:155.186.235.0/24!155.186.235.16/28</term>
+              <term>net:2001:4d48:ad51:24::/64!2001:4d48:ad51:24:6:/80!2001:4d48:ad51:24:6:/80</term>
              <listitem>
-                <para>Subnet 155.186.235.0/24 on the Internet except for
+                <para>Subnet 2001:4d48:ad51:24::/64 on the Internet except for
-                155.186.235.16/28</para>
+                2001:4d48:ad51:24:6:/80.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@ -598,45 +495,22 @@
            client that communicates with the firewall system through eth1.
            This may be optionally followed by another colon (":") and an
            IP/MAC/subnet address as described above (e.g., <emphasis
-            role="bold">loc:eth1:192.168.1.5</emphasis>).</para>
+            role="bold">loc:eth1:&lt;2002:ce7c::92b4:1::2&gt;</emphasis>).</para>
            <para>It is important to note that when <emphasis
            role="bold">using Shorewall6-shell</emphasis> and specifying an
            address list that will be split (i.e., a comma separated list),
            there is a subtle behavior which has the potential to cause
            confusion. Consider the two examples below:</para>
          </blockquote>
          <para>Examples:</para>
          <variablelist>
            <varlistentry>
-              <term>loc:eth1:192.168.1.3,192.168.1.5</term>
+              <term>loc:eth1:&lt;2002:cec792b4:1::2,2002:cec792b4:1::44&gt;</term>
              <listitem>
-                <para>Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
+                <para>Hosts 2002:cec792b4:1::2 and 2002:cec792b4:1::44 in the
-                with 192.168.1.3 coming from eth1 and 192.168.1.5 originating
+                Local zone, with <emphasis role="bold">both</emphasis>
-                from any interface in the zone.</para>
+                originating from eth1</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>loc:eth1:192.168.1.3,eth1:192.168.1.5</term>
              <listitem>
                <para>Hosts 192.168.1.3 and 192.168.1.5 in the Local zone,
                with <emphasis role="bold">both</emphasis> originating from
                eth1.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <blockquote>
            <para>That is, the interface name must be explicitly stated for
            each member of the comma separated list. Again, this distinction
            in behavior only occurs when <emphasis role="bold">using
            Shorewall6-shell</emphasis>.</para>
          </blockquote>
        </listitem>
      </varlistentry>
@ -647,8 +521,7 @@
        role="bold">+</emphasis>][<emphasis
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>}]]</term>
        role="bold">random</emphasis>]]</term>
        <listitem>
          <para>Location of Server. May be a zone declared in <ulink
@ -667,10 +540,6 @@
          affected. When <emphasis role="bold">all+</emphasis> is used,
          intra-zone traffic is affected.</para>
          <para>Beginning with Shorewall6 4.1.4, the
          <replaceable>zone</replaceable> should be omitted in DNAT-,
          REDIRECT- and NONAT rules.</para>
          <para>If the DEST <replaceable>zone</replaceable> is a bport zone,
          then either:<orderedlist numeration="loweralpha">
              <listitem>
@ -689,8 +558,6 @@
            </orderedlist></para>
          <blockquote>
            <para></para>
            <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
            role="bold">+]|[-</emphasis>] is specified, the server may be
            further restricted to a particular network, host or interface by
@ -706,23 +573,7 @@
            <para>1. MAC addresses are not allowed (this is a Netfilter
            restriction).</para>
-            <para>2.Prior to Shorewall6 4.1.4, only IP addresses are allowed
+            <para>If you kernel and ip6tables have ipset match support then you
            in <emphasis role="bold">DNAT</emphasis> rules; no DNS names are
            permitted. In no case may a network be specified as the
            server.</para>
            <para>3. You may not specify both an interface and an
            address.</para>
            <para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
            you may specify a range of IP addresses using the syntax
            <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
            When the <emphasis role="bold">ACTION</emphasis> is <emphasis
            role="bold">DNAT</emphasis> or <emphasis
            role="bold">DNAT-</emphasis>, the connections will be assigned to
            addresses in the range in a round-robin fashion.</para>
            <para>If you kernel and iptables have ipset match support then you
            may give the name of an ipset prefaced by "+". The ipset name may
            be optionally followed by a number from 1 to 6 enclosed in square
            brackets ([]) to indicate the number of levels of destination
@ -730,48 +581,6 @@
            role="bold">SOURCE</emphasis> and <emphasis
            role="bold">DEST</emphasis> columns may specify an ipset
            name.</para>
            <para>The <replaceable>port</replaceable> that the server is
            listening on may be included and separated from the server's IP
            address by ":". If omitted, the firewall will not modifiy the
            destination port. A destination port may only be included if the
            <emphasis role="bold">ACTION</emphasis> is <emphasis
            role="bold">DNAT</emphasis> or <emphasis
            role="bold">REDIRECT</emphasis>.</para>
            <variablelist>
              <varlistentry>
                <term>Example:</term>
                <listitem>
                  <para><emphasis role="bold">loc:192.168.1.3:3128</emphasis>
                  specifies a local server at IP address 192.168.1.3 and
                  listening on port 3128.</para>
                </listitem>
              </varlistentry>
            </variablelist>
            <para>If you are using Shorewall6-shell or Shorewall6-perl before
            version 4.0.5, then the port number MUST be specified as an
            integer and not as a name from services(5). Shorewall6-perl 4.0.5
            and later permit the <emphasis>port</emphasis> to be specified as
            a service name. Additionally, Shorewall6-perl 4.0.5 and later
            permit specifying a port range in the form
            <emphasis>lowport-highport</emphasis> to cause connections to be
            assigned to ports in the range in round-robin fashion. When a port
            range is specified, <emphasis>lowport</emphasis> and
            <emphasis>highport</emphasis> must be given as integers; service
            names are not permitted. Beginning with Shorewall6 4.0.6, the port
            range may be optionally followed by <emphasis
            role="bold">:random</emphasis> which causes assignment to ports in
            the list to be random.</para>
            <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
            role="bold">REDIRECT</emphasis> or <emphasis
            role="bold">REDIRECT-</emphasis>, this column needs only to
            contain the port number on the firewall that the request should be
            redirected to. That is equivalent to specifying
            <option>$FW</option>::<replaceable>port</replaceable>.</para>
          </blockquote>
        </listitem>
      </varlistentry>
@ -787,7 +596,7 @@
        <listitem>
          <para>Protocol - <emphasis role="bold">ipp2p</emphasis>* requires
-          ipp2p match support in your kernel and iptables. <emphasis
+          ipp2p match support in your kernel and ip6tables. <emphasis
          role="bold">tcp:syn</emphasis> implies <emphasis
          role="bold">tcp</emphasis> plus the SYN flag must be set and the
          RST,ACK and FIN flags must be reset.</para>
@ -827,13 +636,8 @@
          <para>1. There are 15 or less ports listed.</para>
-          <para>2. No port ranges are included or your kernel and iptables
+          <para>2. No port ranges are included or your kernel and ip6tables
          contain extended multiport match support.</para>
          <para>Otherwise, unless you are using <ulink
          url="../Shorewall6-perl.html">Shorewall6-perl</ulink>, a separate
          rule will be generated for each port. Shorewall6-perl does not
          automatically break up lists into individual rules.</para>
        </listitem>
      </varlistentry>
@ -857,8 +661,7 @@
          <blockquote>
            <para>If you don't want to restrict client ports but need to
-            specify an <emphasis role="bold">ORIGINAL DEST</emphasis> in the
+            specify a later column, then place "-" in this column.</para>
            next column, then place "-" in this column.</para>
            <para>If your kernel contains multi-port match support, then only
            a single Netfilter rule will be generated if in this list and the
@ -866,61 +669,19 @@
            <para>1. There are 15 or less ports listed.</para>
-            <para>2. No port ranges are included or your kernel and iptables
+            <para>2. No port ranges are included or your kernel and ip6tables
            contain extended multiport match support.</para>
            <para>Otherwise, unless you are using <ulink
            url="../Shorewall6-perl.html">Shorewall6-perl</ulink>, a separate
            rule will be generated for each port. Shorewall6-perl does not
            automatically break up lists into individual rules.</para>
          </blockquote>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (Optional) -
-        [<emphasis
+        [<emphasis role="bold">-</emphasis>]</term>
        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
        <listitem>
-          <para>If ACTION is <emphasis role="bold">DNAT</emphasis>[<emphasis
+          <para>Included for compatibility with Shorewall. Enter '-' in this
-          role="bold">-</emphasis>] or <emphasis
+          column if you need to specify one of the later columns.</para>
          role="bold">REDIRECT</emphasis>[<emphasis role="bold">-</emphasis>]
          then if this column is included and is different from the IP address
          given in the <emphasis role="bold">SERVER</emphasis> column, then
          connections destined for that address will be forwarded to the IP
          and port specified in the <emphasis role="bold">DEST</emphasis>
          column.</para>
          <para>A comma-separated list of addresses may also be used. This is
          most useful with the <emphasis role="bold">REDIRECT</emphasis>
          target where you want to redirect traffic destined for particular
          set of hosts. Finally, if the list of addresses begins with "!"
          (<emphasis>exclusion</emphasis>) then the rule will be followed only
          if the original destination address in the connection request does
          not match any of the addresses listed.</para>
          <para>For other actions, this column may be included and may contain
          one or more addresses (host or network) separated by commas. Address
          ranges are not allowed. When this column is supplied, rules are
          generated that require that the original destination address matches
          one of the listed addresses. This feature is most useful when you
          want to generate a filter rule that corresponds to a <emphasis
          role="bold">DNAT-</emphasis> or <emphasis
          role="bold">REDIRECT-</emphasis> rule. In this usage, the list of
          addresses should not begin with "!".</para>
          <para>It is also possible to specify a set of addresses then exclude
          part of those addresses. For example, <emphasis
          role="bold">192.168.1.0/24!192.168.1.16/28</emphasis> specifies the
          addresses 192.168.1.0-182.168.1.15 and 192.168.1.32-192.168.1.255.
          See <ulink
          url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5).</para>
          <para>See <ulink
          url="../PortKnocking.html">http://shorewall6.net/PortKnocking.html</ulink>
          for an example of using an entry in this column with a user-defined
          action rule.</para>
        </listitem>
      </varlistentry>
@ -950,8 +711,7 @@
        <term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
        [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
-        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
        <listitem>
          <para>This column may only be non-empty if the SOURCE is the
@ -990,19 +750,6 @@
                group</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>+upnpd</term>
              <listitem>
                <para>#program named upnpd</para>
                <important>
                  <para>The ability to specify a program name was removed from
                  Netfilter in kernel version 2.6.14.</para>
                </important>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
@ -1049,8 +796,7 @@
              <listitem>
                <para>Designates a connection mark. If omitted, the packet
-                mark's value is tested. This option is only supported by
+                mark's value is tested.</para>
                Shorewall6-perl.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@ -1062,18 +808,17 @@
        role="bold">!</emphasis>]<emphasis>limit</emphasis>[:<emphasis>mask</emphasis>]</term>
        <listitem>
-          <para>Added in Shorewall6-perl 4.2.1. May be used to limit the
+          <para>May be used to limit the number of simultaneous connections
-          number of simultaneous connections from each individual host to
+          from each individual host to <replaceable>limit</replaceable>
-          <replaceable>limit</replaceable> connections. Requires connlimit
+          connections. Requires connlimit match in your kernel and ip6tables.
-          match in your kernel and iptables. While the limit is only checked
+          While the limit is only checked on rules specifying CONNLIMIT, the
-          on rules specifying CONNLIMIT, the number of current connections is
+          number of current connections is calculated over all current
-          calculated over all current connections from the SOURCE host. By
+          connections from the SOURCE host. By default, the limit is applied
-          default, the limit is applied to each host but can be made to apply
+          to each host but can be made to apply to networks of hosts by
-          to networks of hosts by specifying a
+          specifying a <replaceable>mask</replaceable>. The
-          <replaceable>mask</replaceable>. The <replaceable>mask</replaceable>
+          <replaceable>mask</replaceable> specifies the width of a VLSM mask
-          specifies the width of a VLSM mask to be applied to the source
+          to be applied to the source address; the number of current
-          address; the number of current connections is then taken over all
+          connections is then taken over all hosts in the subnet
          hosts in the subnet
          <replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
          When<option> !</option> is specified, the rule matches when the
          number of connection exceeds the
@ -1086,10 +831,10 @@
        <emphasis>timeelement</emphasis>[,<emphasis>timelement</emphasis>...]</term>
        <listitem>
-          <para>Added in Shorewall6-perl 4.2.1. May be used to limit the rule
+          <para>May be used to limit the rule to a particular time period each
-          to a particular time period each day, to particular days of the week
+          day, to particular days of the week or month, or to a range defined
-          or month, or to a range defined by dates and times. Requires time
+          by dates and times. Requires time match support in your kernel and
-          match support in your kernel and iptables.</para>
+          ip6tables.</para>
          <para><replaceable>timeelement</replaceable> may be:</para>
@ -1169,17 +914,6 @@
    </variablelist>
  </refsect1>
  <refsect1>
    <title>Restrictions</title>
    <para>Unless you are using <ulink
    url="../Shorewall6-perl.html">Shorewall6-perl</ulink> and your
    iptables/kernel have <firstterm>Repeat Match</firstterm> support (see the
    output of <command>shorewall6 show capabilities</command>), if you specify
    a list of DEST PORT(S), then you may not specify SOURCE PORT(S) and vice
    versa.</para>
  </refsect1>
  <refsect1>
    <title>Example</title>
@ -1200,12 +934,12 @@
        <term>Example 2:</term>
        <listitem>
-          <para>Forward all ssh and http connection requests from the internet
+          <para>Allow all ssh and http connection requests from the internet
-          to local system 192.168.1.3</para>
+          to local system 2002:cec792b4:1::44</para>
          <programlisting>        #ACTION SOURCE  DEST                    PROTO   DEST    SOURCE  ORIGINAL
        #                                               PORT    PORT(S) DEST
-        DNAT    net     loc:192.168.1.3 tcp     ssh,http</programlisting>
+        DNAT    net     loc:2002:cec792b4:1::44 tcp     ssh,http</programlisting>
        </listitem>
      </varlistentry>
@ -1213,132 +947,26 @@
        <term>Example 3:</term>
        <listitem>
-          <para>Forward all http connection requests from the internet to
+          <para>Allow http connection requests from the internet to local
-          local system 192.168.1.3 with a limit of 3 per second and a maximum
+          system 2002:cec792b4:1::44 with a limit of 3 per second and a
-          burst of 10<programlisting>        #ACTION SOURCE DEST            PROTO  DEST  SOURCE  ORIGINAL RATE
+          maximum burst of 10<programlisting>        #ACTION SOURCE DEST                      PROTO  DEST  SOURCE  ORIGINAL RATE
        #                                               PORT  PORT(S) DEST     LIMIT
-        DNAT    net    loc:192.168.1.3 tcp    http  -       -        3/sec:10</programlisting></para>
+        DNAT    net    loc:&lt;2002:cec792b4:1::44&gt; tcp    http  -       -        3/sec:10</programlisting></para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 4:</term>
        <listitem>
          <para>Redirect all locally-originating www connection requests to
          port 3128 on the firewall (Squid running on the firewall system)
          except when the destination address is 192.168.2.2</para>
          <programlisting>        #ACTION  SOURCE DEST      PROTO DEST    SOURCE  ORIGINAL
        #                               PORT    PORT(S) DEST
        REDIRECT loc    3128      tcp   www      -      !192.168.2.2</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 5:</term>
        <listitem>
          <para>All http requests from the internet to address 130.252.100.69
          are to be forwarded to 192.168.1.3</para>
          <programlisting>        #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
        #                                       PORT    PORT(S) DEST
        DNAT      net   loc:192.168.1.3 tcp     80      -       130.252.100.69</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 6:</term>
        <listitem>
          <para>You want to accept SSH connections to your firewall only from
-          internet IP addresses 130.252.100.69 and 130.252.100.70</para>
+          internet IP addresses 2002:ce7c::92b4:1::2 and
          2002:ce7c::92b4:1::22</para>
          <programlisting>        #ACTION  SOURCE DEST            PROTO   DEST    SOURCE  ORIGINAL
        #                                       PORT    PORT(S) DEST
-        ACCEPT   net:130.252.100.69,130.252.100.70 $FW \
+        ACCEPT   net:&lt;2002:ce7c::92b4:1::2,2002:ce7c::92b4:1::22&gt; \
-                                        tcp     22</programlisting>
+                        $FW              tcp     22</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 7:</term>
        <listitem>
          <para>You wish to accept connections from the internet to your
          firewall on port 2222 and you want to forward them to local system
          192.168.1.3, port 22</para>
          <programlisting>        #ACTION  SOURCE DEST                PROTO   DEST    SOURCE  ORIGINAL
        #                                           PORT    PORT(S) DEST
        DNAT     net    loc:192.168.1.3:22  tcp     2222</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 8:</term>
        <listitem>
          <para>You want to redirect connection requests to port 80 randomly
          to the port range 81-90.</para>
          <programlisting>        #ACTION  SOURCE DEST                PROTO DEST    SOURCE  ORIGINAL
        #                                   PORT  PORT(S) DEST
        REDIRECT net    $FW::81-90:random   tcp   www</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 9:</term>
        <listitem>
          <para>Shorewall6 does not impose as much structure on the Netfilter
          rules in the 'nat' table as it does on those in the filter table. As
          a consequence, when using Shorewall6 versions before 4.1.4, care
          must be exercised when using DNAT and REDIRECT rules with zones
          defined with wildcard interfaces (those ending with '+'. Here is an
          example:</para>
          <para><ulink
          url="shorewall6-zones.html">shorewall6-zones</ulink>(8):<programlisting>        #ZONE       TYPE    OPTIONS
        fw          firewall
        net         ipv4
        dmz         ipv4
        loc         ipv4</programlisting></para>
          <para><ulink
          url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>(8):<programlisting>        #ZONE       INTERFACE       BROADCAST      OPTIONS
        net         ppp0
        loc         eth1            detect
        dmz         eth2            detect
        -           ppp+                           # Addresses are assigned from 192.168.3.0/24</programlisting></para>
          <para><ulink
          url="shorewall6-hosts.html">shorewall6-host</ulink>(8):<programlisting>        #ZONE       HOST(S)              OPTIONS
        loc         ppp+:192.168.3.0/24</programlisting></para>
          <para>rules:</para>
          <programlisting>        #ACTION     SOURCE          DEST       PROTO       DEST
        #                                                  PORT(S)
        REDIRECT    loc             3128       tcp         80                                                   </programlisting>
          <simpara>Note that it would have been tempting to simply define the
          loc zone entirely in shorewall6-interfaces(8):</simpara>
          <para><programlisting>        #******************* INCORRECT *****************
        #ZONE       INTERFACE       BROADCAST      OPTIONS
        net         ppp0
        loc         eth1            detect
        loc         ppp+
        dmz         eth2</programlisting></para>
          <para>This would have made it impossible to run a
          internet-accessible web server in the DMZ because all traffic
          entering ppp+ interfaces would have been redirected to port 3128 on
          the firewall and there would have been no net-&gt;fw ACCEPT rule for
          that traffic.</para>
        </listitem>
      </varlistentry>
    </variablelist>
@ -1355,11 +983,10 @@
    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
+    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-nat(5), shorewall6-netmap(5), shorewall6-params(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
-    shorewall6-policy(5), shorewall6-providers(5), shorewall6-proxyarp(5),
+    shorewall6-routestopped(5), shorewall6.conf(5), shorewall6-tcclasses(5),
-    shorewall6-route_rules(5), shorewall6-routestopped(5), shorewall6.conf(5),
+    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
+    shorewall6-tunnels(5), shorewall6-zones(5)</para>
    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6/shorewall6-tcclasses.xml
+++ b/manpages6/shorewall6-tcclasses.xml
@ -1,7 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
-    <refentrytitle>shorewall-tcclasses</refentrytitle>
+    <refentrytitle>shorewall6-tcclasses</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>
@ -9,12 +11,12 @@
  <refnamediv>
    <refname>tcclasses</refname>
-    <refpurpose>Shorewall file to define HTB classes</refpurpose>
+    <refpurpose>Shorewall6 file to define HTB classes</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/tcclasses</command>
+      <command>/etc/shorewall6/tcclasses</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@ -119,20 +121,19 @@
          alias (e.g., eth0:0) here; see <ulink
          url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
-          <para>If you are running Shorewall-perl 4.1.6 or later, you may
+          <para>You may specify either the interface number or the interface
-          specify the interface number rather than the interface name. If the
+          name. If the <emphasis role="bold">classify</emphasis> option is
-          <emphasis role="bold">classify</emphasis> option is given for the
+          given for the interface in <ulink
-          interface in <ulink
+          url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5),
-          url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5), then
+          then you must also specify an interface class (an integer that must
-          you must also specify an interface class (an integer that must be
+          be unique within classes associated with this interface).</para>
          unique within classes associated with this interface).</para>
          <para>You may NOT specify wildcards here, e.g. if you have multiple
          ppp interfaces, you need to put them all in here!</para>
          <para>Please note that you can only use interface names in here that
          have a bandwidth defined in the <ulink
-          url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
+          url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
          file</para>
        </listitem>
      </varlistentry>
@ -144,12 +145,12 @@
        <listitem>
          <para>The mark <emphasis>value</emphasis> which is an integer in the
          range 1-255. You set mark values in the <ulink
-          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) file,
+          url="shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5) file,
          marking the traffic you want to fit in the classes defined in here.
          Must be specified as '-' if the <emphasis
          role="bold">classify</emphasis> option is given for the interface in
          <ulink
-          url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)</para>
+          url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)</para>
          <para>You can use the same marks for different interfaces.</para>
        </listitem>
@ -207,8 +208,8 @@
        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>
        <listitem>
-          <para>Added in Shorewall-perl 4.1. A comma-separated list of options
+          <para>A comma-separated list of options including the
-          including the following:</para>
+          following:</para>
          <variablelist>
            <varlistentry>
@ -347,7 +348,7 @@
  <refsect1>
    <title>FILES</title>
-    <para>/etc/shorewall/tcclasses</para>
+    <para>/etc/shorewall6/tcclasses</para>
  </refsect1>
  <refsect1>
@ -356,13 +357,12 @@
    <para><ulink
    url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
-    shorewall.conf(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall6-tunnels(5), shorewall6-zones(5)</para>
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6/shorewall6-tcdevices.xml
+++ b/manpages6/shorewall6-tcdevices.xml
@ -1,7 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
-    <refentrytitle>shorewall-tcdevices</refentrytitle>
+    <refentrytitle>shorewall6-tcdevices</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>
@ -9,12 +11,12 @@
  <refnamediv>
    <refname>tcdevices</refname>
-    <refpurpose>Shorewall Traffic Shaping Devices file</refpurpose>
+    <refpurpose>Shorewall6 Traffic Shaping Devices file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/tcdevices</command>
+      <command>/etc/shorewall6/tcdevices</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@ -106,13 +108,13 @@
          ppp interfaces, you need to put them all in here!</para>
          <para>If the device doesn't exist, a warning message will be issued
-          during "shorewall [re]start" and "shorewall refresh" and traffic
+          during "shorewall6 [re]start" and "shorewall6 refresh" and traffic
          shaping configuration will be skipped for that device.</para>
-          <para>Shorewall assigns a sequential <firstterm>interface
+          <para>Shorewall6 assigns a sequential <firstterm>interface
          number</firstterm> to each interface (the first entry in the file is
          interface 1, the second is interface 2 and so on) Beginning with
-          Shorewall-perl 4.1.6, you can explicitly specify the interface
+          Shorewall6-perl 4.1.6, you can explicitly specify the interface
          number by prefixing the interface name with the number and a colon
          (":"). Example: 1:eth0.</para>
        </listitem>
@ -132,7 +134,7 @@
          to avoid queuing at your providers side.</para>
          <para>If you don't want any traffic to be dropped, set this to a
-          value to zero in which case Shorewall will not create an ingress
+          value to zero in which case Shorewall6 will not create an ingress
          qdisc.Must be set to zero if the REDIRECTED INTERFACES column is
          non-empty.</para>
        </listitem>
@ -146,7 +148,7 @@
          <para>The outgoing <emphasis>bandwidth</emphasis> of that interface.
          This is the maximum speed your connection can handle. It is also the
          speed you can refer as "full" if you define the tc classes in <ulink
-          url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).
+          url="shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5).
          Outgoing traffic above this rate will be dropped.</para>
        </listitem>
      </varlistentry>
@ -157,10 +159,10 @@
        role="bold">classify</emphasis>}</term>
        <listitem>
-          <para>classify ― When specified, Shorewall will not generate tc or
+          <para>classify ― When specified, Shorewall6 will not generate tc or
          Netfilter rules to classify traffic based on packet marks. You must
          do all classification using CLASSIFY rules in <ulink
-          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).</para>
+          url="shorewall6-tcrules.html">shorewall6-tcrules</ulink>(5).</para>
        </listitem>
      </varlistentry>
@ -169,7 +171,7 @@
        [<emphasis>interface</emphasis>[,<emphasis>interface</emphasis>]...]</term>
        <listitem>
-          <para>Added in Shorewall-perl 4.1.6. May only be specified if the
+          <para>Added in Shorewall6-perl 4.1.6. May only be specified if the
          interface in the INTERFACE column is an Intermediate Frame Block
          (IFB) device. Causes packets that enter each listed interface to be
          passed through the egress filters defined for this device, thus
@ -204,7 +206,7 @@
  <refsect1>
    <title>FILES</title>
-    <para>/etc/shorewall/tcdevices</para>
+    <para>/etc/shorewall6/tcdevices</para>
  </refsect1>
  <refsect1>
@ -213,13 +215,12 @@
    <para><ulink
    url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall6-tcclasses(5), shorewall6-tcrules(5), shorewall6-tos(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcrules(5),
+    shorewall6-tunnels(5), shorewall6-zones(5)</para>
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6/shorewall6-tcrules.xml
+++ b/manpages6/shorewall6-tcrules.xml
@ -3,7 +3,7 @@
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
-    <refentrytitle>shorewall-tcrules</refentrytitle>
+    <refentrytitle>shorewall6-tcrules</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>
@ -11,12 +11,12 @@
  <refnamediv>
    <refname>tcrules</refname>
-    <refpurpose>Shorewall Packet Marking rules file</refpurpose>
+    <refpurpose>Shorewall6 Packet Marking rules file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/rules</command>
+      <command>/etc/shorewall6/rules</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@ -28,13 +28,13 @@
    <important>
      <para>Unlike rules in the <ulink
-      url="shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
+      url="shorewall6-rules.html">shorewall6-rules</ulink>(5) file, evaluation
      of rules in this file will continue after a match. So the final mark for
      each packet will be the one assigned by the LAST tcrule that
      matches.</para>
      <para>If you use multiple internet providers with the 'track' option, in
-      /etc/shorewall/providers be sure to read the restrictions at <ulink
+      /etc/shorewall6/providers be sure to read the restrictions at <ulink
      url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
    </important>
@ -71,7 +71,7 @@
              current mark value to produce a new mark value.</para>
              <para>Both "|" and "&amp;" require Extended MARK Target support
-              in your kernel and iptables; neither may be used with connection
+              in your kernel and ip6tables; neither may be used with connection
              marks (see below).</para>
              <para>May optionally be followed by <emphasis
@ -90,19 +90,16 @@
              role="bold">$FW</emphasis>[<emphasis
              role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
              then the rule is inserted into the OUTPUT chain. The behavior
-              changed in Shorewall-perl 4.1. Previously, when
+              changed in Shorewall6-perl 4.1. Only high mark values may be
-              HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero mark values
+              assigned in this case. Packet marking rules for traffic shaping
-              &lt; 256 to be assigned in the OUTPUT chain. This has been
+              of packets originating on the firewall must be coded in the
-              changed so that only high mark values may be assigned there.
+              POSTROUTING chain (see below).</para>
              Packet marking rules for traffic shaping of packets originating
              on the firewall must be coded in the POSTROUTING chain (see
              below).</para>
              <para>- Otherwise, the chain is determined by the setting of
              MARK_IN_FORWARD_CHAIN in <ulink
-              url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+              url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
-              <para>If your kernel and iptables include CONNMARK support then
+              <para>If your kernel and ip6tables include CONNMARK support then
              you can also mark the connection rather than the packet.</para>
              <para>The mark value may be optionally followed by "/" and a
@ -147,18 +144,18 @@
              <para><emphasis role="bold">Special considerations for If
              HIGH_ROUTE_MARKS=Yes in <ulink
-              url="shorewall.conf.html">shorewall.conf</ulink>(5</emphasis>).</para>
+              url="shorewall6.conf.html">shorewall6.conf</ulink>(5</emphasis>).</para>
              <para>If HIGH_ROUTE_MARKS=Yes, then you may also specify a value
              in the range 0x0100-0xFF00 with the low-order byte being zero.
              Such values may only be used in the PREROUTING chain (value
              followed by <emphasis role="bold">:P</emphasis> or you have set
              MARK_IN_FORWARD_CHAIN=No in <ulink
-              url="shorewall.conf.html">shorewall.conf</ulink>(5) and have not
+              url="shorewall6.conf.html">shorewall6.conf</ulink>(5) and have
-              followed the value with <option>:F</option>) or the OUTPUT chain
+              not followed the value with <option>:F</option>) or the OUTPUT
-              (SOURCE is <emphasis role="bold">$FW</emphasis>). With
+              chain (SOURCE is <emphasis role="bold">$FW</emphasis>). With
              HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
-              permitted. Shorewall 4.1 and later versions prohibit non-zero
+              permitted. Shorewall6 4.1 and later versions prohibit non-zero
              mark values less that 256 in the OUTPUT chain when
              HIGH_ROUTE_MARKS=Yes. While earlier versions allow such values
              in the OUTPUT chain, it is strongly recommended that with
@ -185,14 +182,14 @@
              role="bold">$FW</emphasis>[:<emphasis>address</emphasis>] in
              which case classification occurs in the OUTPUT chain.</para>
-              <para>When using Shorewall's built-in traffic shaping tool, the
+              <para>When using Shorewall6's built-in traffic shaping tool, the
              <emphasis>major</emphasis> class is the device number (the first
              device in <ulink
-              url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
+              url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)
-              major class 1, the second device is major class 2, and so on)
+              is major class 1, the second device is major class 2, and so on)
              and the <emphasis>minor</emphasis> class is the class's MARK
              value in <ulink
-              url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
+              url="shorewall6-tcclasses.html">shorewall6-tcclasses</ulink>(5)
              preceded by the number 1 (MARK 1 corresponds to minor class 11,
              MARK 5 corresponds to minor class 15, MARK 22 corresponds to
              minor class 122, etc.).</para>
@ -202,7 +199,7 @@
              <para><emphasis
              role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
              restore the packet's mark from the connection's mark using the
-              supplied mask if any. Your kernel and iptables must include
+              supplied mask if any. Your kernel and ip6tables must include
              CONNMARK support.</para>
              <para>As in 1) above, may be followed by <emphasis
@ -214,7 +211,7 @@
              <para><emphasis
              role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
              the packet's mark to the connection's mark using the supplied
-              mask if any. Your kernel and iptables must include CONNMARK
+              mask if any. Your kernel and ip6tables must include CONNMARK
              support.</para>
              <para>As in 1) above, may be followed by <emphasis
@ -231,14 +228,14 @@
              role="bold">:F</emphasis>. Currently, CONTINUE may not be used
              with <emphasis>exclusion</emphasis> (see the SOURCE and DEST
              columns below); that restriction will be removed when
-              iptables/Netfilter provides the necessary support.</para>
+              ip6tables/Netfilter provides the necessary support.</para>
            </listitem>
            <listitem>
              <para><emphasis role="bold">COMMENT</emphasis> -- the rest of
              the line will be attached as a comment to the Netfilter rule(s)
              generated by the following entries. The comment will appear
-              delimited by "/* ... */" in the output of <command>shorewall
+              delimited by "/* ... */" in the output of <command>shorewall6
              show mangle</command></para>
              <para>To stop the comment from being attached to further rules,
@ -252,8 +249,8 @@
        <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|<emphasis
        role="bold">$FW</emphasis>}|[{<emphasis>interface</emphasis>|<emphasis
-        role="bold">$FW</emphasis>}:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">$FW</emphasis>}:]&lt;<emphasis>address-or-range</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]&gt;</term>
        <listitem>
          <para>Source of the packet. A comma-separated list of interface
@ -278,20 +275,24 @@
          <para>Example: ~00-A0-C9-15-39-78</para>
          <para>When an interface is not specified, the angled brackets
          ('&lt;' and '&gt;') surrounding the address(es) may be
          omitted.</para>
          <para>You may exclude certain hosts from the set already defined
          through use of an <emphasis>exclusion</emphasis> (see <ulink
-          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+          url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
-        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]&lt;<emphasis>address-or-range</emphasis>[<emphasis
-        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]&gt;</term>
        <listitem>
          <para>Destination of the packet. Comma separated list of IP
-          addresses and/or subnets. If your kernel and iptables include
+          addresses and/or subnets. If your kernel and ip6tables include
          iprange match support, IP address ranges are also allowed. List
          elements may also consist of an interface name followed by ":" and
          an address (e.g., eth1:192.168.1.0/24). If the <emphasis
@ -299,9 +300,13 @@
          the form <emphasis>major</emphasis>:<emphasis>minor</emphasis> then
          this column may also contain an interface name.</para>
          <para>When an interface is not specified, the angled brackets
          ('&lt;' and '&gt;') surrounding the address(es) may be
          omitted.</para>
          <para>You may exclude certain hosts from the set already defined
          through use of an <emphasis>exclusion</emphasis> (see <ulink
-          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+          url="shorewall6-exclusion.html">shorewall6-exclusion</ulink>(5)).</para>
        </listitem>
      </varlistentry>
@ -316,7 +321,7 @@
        <listitem>
          <para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
-          ipp2p match support in your kernel and iptables.</para>
+          ipp2p match support in your kernel and ip6tables.</para>
        </listitem>
      </varlistentry>
@ -360,8 +365,7 @@
      <varlistentry>
        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
-        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
        <listitem>
          <para>This column may only be non-empty if the SOURCE is the
@ -400,19 +404,6 @@
                group</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>+upnpd</term>
              <listitem>
                <para>#program named upnpd</para>
                <important>
                  <para>The ability to specify a program name was removed from
                  Netfilter in kernel version 2.6.14.</para>
                </important>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
@ -474,7 +465,7 @@
        <listitem>
          <para>Packet Length. This field, if present allow you to match the
          length of a packet against a specific value or range of values. You
-          must have iptables length support for this to work. A range is
+          must have ip6tables length support for this to work. A range is
          specified in the form
          <emphasis>min</emphasis>:<emphasis>max</emphasis> where either
          <emphasis>min</emphasis> or <emphasis>max</emphasis> (but not both)
@ -506,12 +497,11 @@
        role="bold">O</emphasis>|<emphasis role="bold">R</emphasis>|<emphasis
        role="bold">B</emphasis>}[:{<emphasis
        role="bold">B</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
-        role="bold">A</emphasis>}]]] </term>
+        role="bold">A</emphasis>}]]]</term>
        <listitem>
          <para>Connection Bytes; defines a byte or packet range that the
-          connection must fall within in order for the rule to match. Added in
+          connection must fall within in order for the rule to match.</para>
          Shorewall-perl 4.2.0.</para>
          <para>A packet matches if the the packet/byte count is within the
          range defined by <emphasis>min</emphasis> and
@ -532,8 +522,8 @@
              directions.</para>
            </blockquote></para>
-          <para>If omitted, <emphasis role="bold">B</emphasis> is assumed.
+          <para>If omitted, <emphasis role="bold">B</emphasis> is
-          </para>
+          assumed.</para>
          <para>The second letter determines what the range refers
          to.<blockquote>
@ -544,7 +534,7 @@
              <para><emphasis role="bold">A</emphasis> - Average packet
              size.</para>
            </blockquote>If omitted, <emphasis role="bold">B</emphasis> is
-          assumed. </para>
+          assumed.</para>
        </listitem>
      </varlistentry>
@ -553,18 +543,18 @@
        </emphasis><emphasis>helper</emphasis></term>
        <listitem>
-          <para>Added in Shorewall-perl 4.2.0. Names a Netfiler protocol
+          <para>Names a Netfiler protocol <firstterm>helper</firstterm> module
-          <firstterm>helper</firstterm> module such as <option>ftp</option>,
+          such as <option>ftp</option>, <option>sip</option>,
-          <option>sip</option>, <option>amanda</option>, etc. A packet will
+          <option>amanda</option>, etc. A packet will match if it was accepted
-          match if it was accepted by the named helper module. You can also
+          by the named helper module. You can also append "-" and a port
-          append "-" and a port number to the helper module name (e.g.,
+          number to the helper module name (e.g., <emphasis
-          <emphasis role="bold">ftp-21</emphasis>) to specify the port number
+          role="bold">ftp-21</emphasis>) to specify the port number that the
-          that the original connection was made on.</para>
+          original connection was made on.</para>
          <para>Example: Mark all FTP data connections with mark
          4:<programlisting>#MARK/    SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
 #CLASSIFY                                        PORT(S)
-4         0.0.0.0/0 0.0.0.0/0 TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
+4         ::/       ::/       TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
        </listitem>
      </varlistentry>
    </variablelist>
@ -578,8 +568,8 @@
        <term>Example 1:</term>
        <listitem>
-          <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer
+          <para>Mark all forwarded ICMP echo traffic with packet mark 1. Mark
-          to peer traffic with packet mark 4.</para>
+          all forwarded peer to peer traffic with packet mark 4.</para>
          <para>This is a little more complex than otherwise expected. Since
          the ipp2p module is unable to determine all packets in a connection
@ -590,12 +580,12 @@
          <programlisting>       #MARK/    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
       #CLASSIFY                                              PORT(S)
-       1         0.0.0.0/0 0.0.0.0/0    icmp    echo-request
+       1         ::/       ::/          icmp    echo-request
-       1         0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
+       1         ::/       ::/          icmp    echo-reply
-       RESTORE   0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
+       RESTORE   ::/       ::/          all     -             -       -       0
-       CONTINUE  0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0
+       CONTINUE  ::/       ::/          all     -             -       -      !0
-       4         0.0.0.0/0 0.0.0.0/0    ipp2p:all
+       4         ::/       ::/          ipp2p:all
-       SAVE      0.0.0.0/0 0.0.0.0/0    all     -             -       -       !0</programlisting>
+       SAVE      ::/       ::/          all     -             -       -       !0</programlisting>
          <para>If a packet hasn't been classifed (packet mark is 0), copy the
          connection mark to the packet mark. If the packet mark is set, we're
@ -609,7 +599,7 @@
  <refsect1>
    <title>FILES</title>
-    <para>/etc/shorewall/tcrules</para>
+    <para>/etc/shorewall6/tcrules</para>
  </refsect1>
  <refsect1>
@ -624,14 +614,13 @@
    <para><ulink
    url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
-    shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
+    shorewall6-blacklist(5), shorewall6-ecn(5), shorewall6-exclusion(5),
-    shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
+    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall6-tcdevices(5), shorewall6-tos(5), shorewall6-tunnels(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5),
+    shorewall6-zones(5)</para>
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6/shorewall6-template.xml
+++ b/manpages6/shorewall6-template.xml
@ -1,7 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
-    <refentrytitle>shorewall-</refentrytitle>
+    <refentrytitle>shorewall6-</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>
@ -9,12 +11,12 @@
  <refnamediv>
    <refname>file</refname>
-    <refpurpose>Shorewall file</refpurpose>
+    <refpurpose>Shorewall6 file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/</command>
+      <command>/etc/shorewall6/</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@ -43,20 +45,19 @@
  <refsect1>
    <title>FILES</title>
-    <para>/etc/shorewall/</para>
+    <para>/etc/shorewall6/</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall6-blacklist(5), shorewall6-exclusion(5), shorewall6-hosts(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall6-interfaces(5), shorewall6-maclist(5), shorewall6-nesting(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall6-tunnels(5), shorewall6-zones(5)</para>
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6/shorewall6-tos.xml
+++ b/manpages6/shorewall6-tos.xml
@ -1,7 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
-    <refentrytitle>shorewall-tos</refentrytitle>
+    <refentrytitle>shorewall6-tos</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>
@ -9,12 +11,12 @@
  <refnamediv>
    <refname>tos</refname>
-    <refpurpose>Shorewall Type of Service rules file</refpurpose>
+    <refpurpose>Shorewall6 Type of Service rules file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/tos</command>
+      <command>/etc/shorewall6/tos</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@ -26,45 +28,18 @@
    <para>The columns in the file are as follows.</para>
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> -
        {<emphasis>zone</emphasis>[<emphasis
        role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis
        role="bold">all</emphasis>|<emphasis role="bold">$FW</emphasis>}
        (Shorewall-shell)</term>
        <listitem>
          <para>Name of a <replaceable>zone</replaceable> declared in <ulink
          url="shorewall-zones.html">shorewall-zones</ulink>(5), <emphasis
          role="bold">all</emphasis> or <emphasis
          role="bold">$FW</emphasis>.</para>
          <para>If not <emphasis role="bold">all</emphasis> or <emphasis
          role="bold">$FW</emphasis>, may optionally be followed by ":" and an
          IP address, a MAC address, a subnet specification or the name of an
          interface.</para>
          <para>Example: loc:192.168.2.3</para>
          <para>MAC addresses must be prefixed with "~" and use "-" as a
          separator.</para>
          <para>Example: ~00-A0-C9-15-39-78</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
        role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
        role="bold">all</emphasis>:<emphasis>address</emphasis>|<emphasis
-        role="bold">$FW</emphasis>} (Shorewall-perl)</term>
+        role="bold">$FW</emphasis>}</term>
        <listitem>
          <para>If <emphasis role="bold">all</emphasis>, may optionally be
          followed by ":" and an IP address, a MAC address, a subnet
          specification or the name of an interface.</para>
-          <para>Example: all:192.168.2.3</para>
+          <para>Example: all:2002:ce7c::92b4:1::2</para>
          <para>MAC addresses must be prefixed with "~" and use "-" as a
          separator.</para>
@ -73,32 +48,13 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> -
        {<emphasis>zone</emphasis>[<emphasis
        role="bold">:</emphasis><emphasis>address</emphasis>]|<emphasis
        role="bold">all</emphasis>} (Shorewall-shell)</term>
        <listitem>
          <para>Name of a zone declared in <ulink
          url="shorewall-zones.html">shorewall-zones</ulink>(5) or <emphasis
          role="bold">all</emphasis>.</para>
          <para>If not <emphasis role="bold">all</emphasis>, may optionally be
          followed by ":" and an IP address or a subnet specification</para>
          <para>Example: loc:192.168.2.3</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
        role="bold">all</emphasis>|<emphasis>address</emphasis>]|<emphasis
-        role="bold">all</emphasis>:<emphasis>address</emphasis>}
+        role="bold">all</emphasis>:<emphasis>address</emphasis>}</term>
        (Shorewall-perl)</term>
        <listitem>
-          <para>Example: 192.168.2.3</para>
+          <para>Example: 2002:ce7c::92b4:1::2</para>
        </listitem>
      </varlistentry>
@ -185,8 +141,7 @@
              <listitem>
                <para>Designates a connection mark. If omitted, the packet
-                mark's value is tested. This option is only supported by
+                mark's value is tested.</para>
                Shorewall-perl.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@ -198,19 +153,18 @@
  <refsect1>
    <title>FILES</title>
-    <para>/etc/shorewall/tos</para>
+    <para>/etc/shorewall6/tos</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall6-tunnels(5), shorewall6-zones(5)</para>
    shorewall-tcrules(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6/shorewall6-tunnels.xml
+++ b/manpages6/shorewall6-tunnels.xml
@ -1,7 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
-    <refentrytitle>shorewall-tunnels</refentrytitle>
+    <refentrytitle>shorewall6-tunnels</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>
@ -9,12 +11,12 @@
  <refnamediv>
    <refname>tunnels</refname>
-    <refpurpose>Shorewall VPN definition file</refpurpose>
+    <refpurpose>Shorewall6 VPN definition file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/tunnels</command>
+      <command>/etc/shorewall6/tunnels</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@ -22,7 +24,7 @@
    <title>Description</title>
    <para>The tunnels file is used to define rules for encapsulated (usually
-    encrypted) traffic to pass between the Shorewall system and a remote
+    encrypted) traffic to pass between the Shorewall6 system and a remote
    gateway. Traffic flowing through the tunnel is handled using the normal
    zone/policy/rule mechanism. See <ulink
    url="http://www.shorewall.net/VPNBasics.html">http://www.shorewall.net/VPNBasics.html</ulink>
@ -53,13 +55,10 @@
        <listitem>
          <para>Types are as follows:</para>
-          <programlisting>        <emphasis role="bold">ipsec</emphasis>         - IPv4 IPSEC
+          <programlisting>        <emphasis role="bold">ipsec</emphasis>         - IPv6 IPSEC
-        <emphasis role="bold">ipsecnat</emphasis>      - IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
+        <emphasis role="bold">ipsecnat</emphasis>      - IPv6 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
        <emphasis role="bold">ipip</emphasis>          - IPv4 encapsulated in IPv4 (Protocol 4)
        <emphasis role="bold">gre</emphasis>           - Generalized Routing Encapsulation (Protocol 47)
        <emphasis role="bold">l2tp</emphasis>          - Layer 2 Tunneling Protocol (UDP port 1701)
        <emphasis role="bold">pptpclient</emphasis>    - PPTP Client runs on the firewall
        <emphasis role="bold">pptpserver</emphasis>    - PPTP Server runs on the firewall
        <emphasis role="bold">openvpn</emphasis>       - OpenVPN in point-to-point mode
        <emphasis role="bold">openvpnclient</emphasis> - OpenVPN client runs on the firewall
        <emphasis role="bold">openvpnserver</emphasis> - OpenVPN server runs on the firewall
@ -80,8 +79,8 @@
          role="bold">openvpnserver</emphasis> it may optionally be followed
          by ":" and <emphasis role="bold">tcp</emphasis> or <emphasis
          role="bold">udp</emphasis> to specify the protocol to be used. If
-          not specified, <emphasis role="bold">udp</emphasis> is
+          not specified, <emphasis role="bold">udp</emphasis> is assumed.
-          assumed.</para>
+          Note: At this writing, OpenVPN does not support IPv6.</para>
          <para>If type is <emphasis role="bold">openvpn</emphasis>, <emphasis
          role="bold">openvpnclient</emphasis> or <emphasis
@ -127,7 +126,7 @@
          <para>The IP address of the remote tunnel gateway. If the remote
          gateway has no fixed address (Road Warrior) then specify the gateway
          as <emphasis role="bold">0.0.0.0/0</emphasis>. May be specified as a
-          network address and if your kernel and iptables include iprange
+          network address and if your kernel and ip6tables include iprange
          match support then IP address ranges are also allowed.</para>
        </listitem>
      </varlistentry>
@ -158,11 +157,11 @@
        <listitem>
          <para>IPSec tunnel.</para>
-          <para>The remote gateway is 4.33.99.124 and the remote subnet is
+          <para>The remote gateway is 2001:cec792b4:1::44. The tunnel does not
-          192.168.9.0/24. The tunnel does not use the AH protocol</para>
+          use the AH protocol</para>
          <programlisting>        #TYPE           ZONE    GATEWAY
-        ipsec:noah      net     4.33.99.124</programlisting>
+        ipsec:noah      net     2002:cec792b4:1::44</programlisting>
        </listitem>
      </varlistentry>
@ -174,7 +173,7 @@
          "gw" zone is used to represent the remote LapTop</para>
          <programlisting>        #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
-        ipsec           net     0.0.0.0/0       gw</programlisting>
+        ipsec           net     ::/                     gw</programlisting>
        </listitem>
      </varlistentry>
@ -182,11 +181,12 @@
        <term>Example 3:</term>
        <listitem>
-          <para>Host 4.33.99.124 is a standalone system connected via an ipsec
+          <para>Host 2001:cec792b4:1::44 is a standalone system connected via
-          tunnel to the firewall system. The host is in zone gw.</para>
+          an ipsec tunnel to the firewall system. The host is in zone
          gw.</para>
          <programlisting>        #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
-        ipsec           net     4.33.99.124     gw</programlisting>
+        ipsec           net     2001:cec792b4:1::44     gw</programlisting>
        </listitem>
      </varlistentry>
@ -194,48 +194,11 @@
        <term>Example 4:</term>
        <listitem>
-          <para>Road Warriors that may belong to zones vpn1, vpn2 or vpn3. The
+          <para>OPENVPN tunnel. The remote gateway is 2001:cec792b4:1::44 and
-          FreeS/Wan _updown script will add the host to the appropriate zone
+          openvpn uses port 7777.</para>
          using the <command>shorewall add</command> command on connect and
          will remove the host from the zone at disconnect time.</para>
          <programlisting>        #TYPE           ZONE    GATEWAY                 GATEWAY ZONES
-        ipsec           net     0.0.0.0/0       vpn1,vpn2,vpn3</programlisting>
+        openvpn:7777    net     2001:cec792b4:1::44</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 5:</term>
        <listitem>
          <para>You run the Linux PPTP client on your firewall and connect to
          server 192.0.2.221.</para>
          <programlisting>        #TYPE           ZONE    GATEWAY         GATEWAY ZONES
        pptpclient      net     192.0.2.221</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 6:</term>
        <listitem>
          <para>You run a PPTP server on your firewall.</para>
          <programlisting>        #TYPE           ZONE    GATEWAY         GATEWAY ZONES
        pptpserver      net     0.0.0.0/0</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 7:</term>
        <listitem>
          <para>OPENVPN tunnel. The remote gateway is 4.33.99.124 and openvpn
          uses port 7777.</para>
          <programlisting>        #TYPE           ZONE    GATEWAY         GATEWAY ZONES
        openvpn:7777    net     4.33.99.124</programlisting>
        </listitem>
      </varlistentry>
@ -245,10 +208,10 @@
        <listitem>
          <para>You have a tunnel that is not one of the supported types. Your
          tunnel uses UDP port 4444. The other end of the tunnel is
-          4.3.99.124.</para>
+          2001:cec792b4:1::44.</para>
          <programlisting>        #TYPE            ZONE    GATEWAY                GATEWAY ZONES
-        generic:udp:4444 net     4.3.99.124</programlisting>
+        generic:udp:4444 net     2001:cec792b4:1::44</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
@ -257,19 +220,18 @@
  <refsect1>
    <title>FILES</title>
-    <para>/etc/shorewall/tunnels</para>
+    <para>/etc/shorewall6/tunnels</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall6-tos(5), shorewall6-zones(5)</para>
    shorewall-tcrules(5), shorewall-tos(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6/shorewall6-vardir.xml
+++ b/manpages6/shorewall6-vardir.xml
@ -1,7 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
-    <refentrytitle>shorewall-vardir</refentrytitle>
+    <refentrytitle>shorewall6-vardir</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>
@ -9,12 +11,12 @@
  <refnamediv>
    <refname>vardir</refname>
-    <refpurpose>Shorewall file</refpurpose>
+    <refpurpose>Shorewall6 file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/vardir</command>
+      <command>/etc/shorewall6/vardir</command>
    </cmdsynopsis>
  </refsynopsisdiv>
@ -22,9 +24,9 @@
    <title>Description</title>
    <para>This file does not exist by default. You may create the file if you
-    want to change the directory used by Shorewall to store state information,
+    want to change the directory used by Shorewall6 to store state
-    including compiled firewall scripts. By default, the directory used is
+    information, including compiled firewall scripts. By default, the
-    <filename>/var/lib/shorewall/</filename>.</para>
+    directory used is <filename>/var/lib/shorewall6/</filename>.</para>
    <para>The file contains a single variable assignment:</para>
@ -32,33 +34,31 @@
    <para>where <replaceable>directory</replaceable> is the name of a
    directory. If you add this file, you should copy the files from
-    <filename>/var/lib/shorewall</filename> to the new directory before
+    <filename>/var/lib/shorewall6</filename> to the new directory before
-    performing a <command>shorewall restart</command>.</para>
+    performing a <command>shorewall6 restart</command>.</para>
  </refsect1>
  <refsect1>
    <title>Example</title>
-    <para>VARDIR=/root/shorewall</para>
+    <para>VARDIR=/root/shorewall6</para>
  </refsect1>
  <refsect1>
    <title>FILES</title>
-    <para>/etc/shorewall/vardir</para>
+    <para>/etc/shorewall6/vardir</para>
  </refsect1>
  <refsect1>
    <title>See ALSO</title>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall6-providers(5), shorewall6-route_rules(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6/shorewall6-zones.xml
+++ b/manpages6/shorewall6-zones.xml
@ -1,7 +1,9 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
-    <refentrytitle>shorewall-zones</refentrytitle>
+    <refentrytitle>shorewall6-zones</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>
@ -9,22 +11,22 @@
  <refnamediv>
    <refname>zones</refname>
-    <refpurpose>Shorewall zone declaration file</refpurpose>
+    <refpurpose>Shorewall6 zone declaration file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/zones</command>
+      <command>/etc/shorewall6/zones</command>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
-    <para>The /etc/shorewall/zones file declares your network zones. You
+    <para>The /etc/shorewall6/zones file declares your network zones. You
    specify the hosts in each zone through entries in
-    <filename>/etc/shorewall/interfaces</filename> or
+    <filename>/etc/shorewall6/interfaces</filename> or
-    <filename>/etc/shorewall/hosts</filename>.</para>
+    <filename>/etc/shorewall6/hosts</filename>.</para>
    <para>The columns in the file are as follows.</para>
@ -40,34 +42,34 @@
          "none", "SOURCE" and "DEST" are reserved and may not be used as zone
          names. The maximum length of a zone name is determined by the
          setting of the LOGFORMAT option in <ulink
-          url="shorewall.conf.html">shorewall.conf</ulink>(5). With the
+          url="shorewall6.conf.html">shorewall6.conf</ulink>(5). With the
          default LOGFORMAT, zone names can be at most 5 characters
          long.</para>
-          <para>The order in which Shorewall matches addresses from packets to
+          <para>The order in which Shorewall6 matches addresses from packets
-          zones is determined by the order of zone declarations. Where a zone
+          to zones is determined by the order of zone declarations. Where a
-          is nested in one or more other zones, you may either ensure that the
+          zone is nested in one or more other zones, you may either ensure
-          nested zone precedes its parents in this file, or you may follow the
+          that the nested zone precedes its parents in this file, or you may
-          (sub)zone name by ":" and a comma-separated list of the parent
+          follow the (sub)zone name by ":" and a comma-separated list of the
-          zones. The parent zones must have been declared in earlier records
+          parent zones. The parent zones must have been declared in earlier
-          in this file. See <ulink
+          records in this file. See <ulink
-          url="shorewall-nesting.html">shorewall-nesting</ulink>(5) for
+          url="shorewall6-nesting.html">shorewall6-nesting</ulink>(5) for
          additional information.</para>
          <para>Example:</para>
          <programlisting>#ZONE     TYPE     OPTIONS         IN OPTIONS        OUT OPTIONS
-a         ipv4
+a         ipv6
-b         ipv4
+b         ipv6
-c:a,b     ipv4</programlisting>
+c:a,b     ipv6</programlisting>
-          <para>Currently, Shorewall uses this information to reorder the zone
+          <para>Currently, Shorewall6 uses this information to reorder the
-          list so that parent zones appear after their subzones in the list.
+          zone list so that parent zones appear after their subzones in the
-          The IMPLICIT_CONTINUE option in <ulink
+          list. The IMPLICIT_CONTINUE option in <ulink
-          url="shorewall.conf.html">shorewall.conf</ulink>(5) can also create
+          url="shorewall6.conf.html">shorewall6.conf</ulink>(5) can also
-          implicit CONTINUE policies to/from the subzone.</para>
+          create implicit CONTINUE policies to/from the subzone.</para>
-          <para>In the future, Shorewall may make additional use of nesting
+          <para>In the future, Shorewall6 may make additional use of nesting
          information.</para>
        </listitem>
      </varlistentry>
@ -78,15 +80,15 @@ c:a,b     ipv4</programlisting>
        <listitem>
          <variablelist>
            <varlistentry>
-              <term><emphasis role="bold">ipv4</emphasis></term>
+              <term><emphasis role="bold">ipv6</emphasis></term>
              <listitem>
-                <para>This is the standard Shorewall zone type and is the
+                <para>This is the standard Shorewall6 zone type and is the
                default if you leave this column empty or if you enter "-" in
                the column. Communication with some zone hosts may be
                encrypted. Encrypted hosts are designated using the
                'ipsec'option in <ulink
-                url="shorewall-hosts.html">shorewall-hosts</ulink>(5).</para>
+                url="shorewall6-hosts.html">shorewall6-hosts</ulink>(5).</para>
              </listitem>
            </varlistentry>
@ -95,7 +97,7 @@ c:a,b     ipv4</programlisting>
              <listitem>
                <para>Communication with all zone hosts is encrypted. Your
-                kernel and iptables must include policy match support.</para>
+                kernel and ip6tables must include policy match support.</para>
              </listitem>
            </varlistentry>
@ -113,11 +115,11 @@ c:a,b     ipv4</programlisting>
            </varlistentry>
            <varlistentry>
-              <term>bport (or bport4)</term>
+              <term>bport (or bport6)</term>
              <listitem>
-                <para>(Shorewall-perl only) The zone is associated with one or
+                <para>The zone is associated with one or more ports on a
-                more ports on a single bridge.</para>
+                single bridge.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@ -173,9 +175,9 @@ c:a,b     ipv4</programlisting>
              <listitem>
                <para>sets the MSS field in TCP packets. If you supply this
                option, you should also set FASTACCEPT=No in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5) to insure
+                url="shorewall6.conf.html">shorewall6.conf</ulink>(5) to
-                that both the SYN and SYN,ACK packets have their MSS field
+                insure that both the SYN and SYN,ACK packets have their MSS
-                adjusted.</para>
+                field adjusted.</para>
              </listitem>
            </varlistentry>
@ -239,7 +241,7 @@ c:a,b     ipv4</programlisting>
  <refsect1>
    <title>FILES</title>
-    <para>/etc/shorewall/zones</para>
+    <para>/etc/shorewall6/zones</para>
  </refsect1>
  <refsect1>
@ -248,14 +250,12 @@ c:a,b     ipv4</programlisting>
    <para><ulink
    url="http://www.shorewall.net/Multiple_Zones.html">http://www.shorewall.net/Multiple_Zones.html</ulink>.</para>
-    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall6-maclist(5), shorewall6-nesting(8), shorewall6-params(5),
-    shorewall-nat(5), shorewall-nesting(8), shorewall-netmap(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-route_rules(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall6-tos(5), shorewall6-tunnels(5)</para>
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6/shorewall6.conf.xml
+++ b/manpages6/shorewall6.conf.xml
--- a/manpages6/shorewall6.xml
+++ b/manpages6/shorewall6.xml