From dae060bbb4158f32c17fe7e468b8412a262846c1 Mon Sep 17 00:00:00 2001
From: Tom Eastep <teastep@shorewall.net>
Date: Sun, 20 Nov 2016 13:03:13 -0800
Subject: [PATCH] Update shorewall(8) for single CLI

Signed-off-by: Tom Eastep <teastep@shorewall.net>
---
 Shorewall/manpages/shorewall.xml | 405 +++++++++++++++++++++----------
 1 file changed, 275 insertions(+), 130 deletions(-)

diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml
index 0f6bf9fa2..e90c5c479 100644
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -898,8 +898,8 @@
     include <command>shorewall</command> commands in
     <filename>/etc/shorewall/started</filename>.</para>
 
-    <para>Beginning with Shorewall 5.0.15, the <command>shorewall</command>
-    command may also be used to control Shorewall6, Shorewall-lite and
+    <para>Beginning with Shorewall 5.1.0, the <command>shorewall</command>
+    command is also be used to control Shorewall6, Shorewall-lite and
     Shorewall6-lite.</para>
 
     <orderedlist>
@@ -923,9 +923,10 @@
     </orderedlist>
 
     <para>When the Shorewall6 package is installed, the <option>6</option>
-    option is used to cause shorewall commands to operate on the Shorewall6
-    configuration. In other words, "<command>shorewall -6 ...</command>" is
-    equivalent to "<command>shorewall6 ...</command>".</para>
+    option is used to cause <command>shorewall</command> commands to operate
+    on the Shorewall6 configuration. In other words, "<command>shorewall -6
+    ...</command>" is equivalent to the 5.0 command "<command>shorewall6
+    ...</command>".</para>
 
     <para>Similarly, when Shorewall is not installed but both Shorewall-lite
     and Shorewall6-lite are installed, the <option>6</option> option causes
@@ -936,10 +937,10 @@
     and the corresponding -lite product(s) are installed, the
     <option>l</option> option causes <command>shorewall</command> commands to
     operate on the -lite configuration rather than the standard configuration.
-    In other words "<command>shorewall -l ...</command>" is equivalent to
-    "<command>shorewall-lite -l ...</command>" and "<command>shorewall -6l
-    ...</command>" is equivalent to "<command>shorewall6-lite
-    ...</command>".</para>
+    In other words "<command>shorewall -l ...</command>" is equivalent to the
+    5.0 "<command>shorewall-lite -l ...</command>" command and
+    "<command>shorewall -6l ...</command>" is equivalent to
+    "<command>shorewall6-lite ...</command>".</para>
 
     <para>The remaining <emphasis>options</emphasis> control the amount of
     output that the command produces. They consist of a sequence of the
@@ -978,7 +979,9 @@
           <para>The <emphasis>interface</emphasis> argument names an interface
           defined in the <ulink
           url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-          file. A <emphasis>host-list</emphasis> is comma-separated list whose
+          (<ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5))file.
+          A <emphasis>host-list</emphasis> is comma-separated list whose
           elements are host or network addresses.<caution>
               <para>The <command>add</command> command is not very robust. If
               there are errors in the <replaceable>host-list</replaceable>,
@@ -991,12 +994,12 @@
 
           <para>Beginning with Shorewall 4.5.9, the <emphasis
           role="bold">dynamic_shared</emphasis> zone option (<ulink
-          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5))
-          allows a single ipset to handle entries for multiple interfaces.
-          When that option is specified for a zone, the <command>add</command>
-          command has the alternative syntax in which the
-          <replaceable>zone</replaceable> name precedes the
-          <replaceable>host-list</replaceable>.</para>
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),<ulink
+          url="???">shorewall6-zones</ulink>(5)) allows a single ipset to
+          handle entries for multiple interfaces. When that option is
+          specified for a zone, the <command>add</command> command has the
+          alternative syntax in which the <replaceable>zone</replaceable> name
+          precedes the <replaceable>host-list</replaceable>.</para>
         </listitem>
       </varlistentry>
 
@@ -1076,6 +1079,8 @@
         [<replaceable>directory</replaceable>]</term>
 
         <listitem>
+          <para>Not available with Shorewall[6]-lite.</para>
+
           <para>Compiles the configuration in the specified
           <emphasis>directory</emphasis> and discards the compiled output
           script. If no <emphasis>directory</emphasis> is given, then
@@ -1107,7 +1112,9 @@
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+          (<ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 
@@ -1147,6 +1154,11 @@
           <para>When the second form of the command is used, the parameters
           must match those given in the earlier <command>open</command>
           command.</para>
+
+          <para>This command requires that the firewall be in the started
+          state and that DYNAMIC_BLACKLIST=Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf
+          (5)</ulink>.</para>
         </listitem>
       </varlistentry>
 
@@ -1157,6 +1169,8 @@
         </replaceable>] [<replaceable> pathname</replaceable> ]</term>
 
         <listitem>
+          <para>Not available with shorewall[6]-lite.</para>
+
           <para>Compiles the current configuration into the executable file
           <emphasis>pathname</emphasis>. If a
           <replaceable>directory</replaceable> is supplied, Shorewall will
@@ -1206,7 +1220,9 @@
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+          (<ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 
@@ -1223,12 +1239,16 @@
           <para>The <emphasis>interface</emphasis> argument names an interface
           defined in the <ulink
           url="/manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
+          (<ulink
+          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
           file. A <emphasis>host-list</emphasis> is comma-separated list whose
           elements are a host or network address.</para>
 
           <para>Beginning with Shorewall 4.5.9, the <emphasis
           role="bold">dynamic_shared</emphasis> zone option (<ulink
-          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5))
+          url="/manpages/shorewall-zones.html">shorewall-zones</ulink>(5),
+          <ulink
+          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
           allows a single ipset to handle entries for multiple interfaces.
           When that option is specified for a zone, the
           <command>delete</command> command has the alternative syntax in
@@ -1254,7 +1274,9 @@
           may be either the logical or physical name of the interface. The
           command removes any routes added from <ulink
           url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
-          and any traffic shaping configuration for the interface.</para>
+          (<ulink
+          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))and
+          any traffic shaping configuration for the interface.</para>
         </listitem>
       </varlistentry>
 
@@ -1264,7 +1286,10 @@
 
         <listitem>
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be silently dropped.</para>
+          to be silently dropped. This command requires that the firewall be
+          in the started state and that DYNAMIC_BLACKLIST=Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf
+          (5)</ulink>.</para>
         </listitem>
       </varlistentry>
 
@@ -1310,6 +1335,8 @@
           command sets <filename>/proc</filename> entries for the interface,
           adds any route specified in <ulink
           url="/manpages/shorewall-routes.html">shorewall-routes</ulink>(5)
+          (<ulink
+          url="/manpages/shorewall6-routes.html">shorewall6-routes</ulink>(5))
           and installs the interface's traffic shaping configuration, if
           any.</para>
         </listitem>
@@ -1322,6 +1349,8 @@
         ]</term>
 
         <listitem>
+          <para>Not available with Shorewall[6]-lite.</para>
+
           <para>If <emphasis>directory1</emphasis> is omitted, the current
           working directory is assumed.</para>
 
@@ -1350,7 +1379,9 @@
           <para>Deletes /var/lib/shorewall/<emphasis>filename</emphasis> and
           /var/lib/shorewall/save. If no <emphasis>filename</emphasis> is
           given then the file specified by RESTOREFILE in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) is
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+          (<ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
           assumed.</para>
         </listitem>
       </varlistentry>
@@ -1370,7 +1401,8 @@
         <listitem>
           <para>Generates several reports from Shorewall log messages in the
           current log file. If the <option>-t</option> option is included, the
-          reports are restricted to log messages generated today.</para>
+          reports are restricted to log messages generated today. Not
+          available with Shorewall6[-lite].</para>
         </listitem>
       </varlistentry>
 
@@ -1380,8 +1412,8 @@
 
         <listitem>
           <para>Ipcalc displays the network address, broadcast address,
-          network in CIDR notation and netmask corresponding to the
-          input[s].</para>
+          network in CIDR notation and netmask corresponding to the input[s].
+          Not available with Shorewall6[-lite].</para>
         </listitem>
       </varlistentry>
 
@@ -1391,7 +1423,8 @@
 
         <listitem>
           <para>Iprange decomposes the specified range of IP addresses into
-          the equivalent list of network/host addresses.</para>
+          the equivalent list of network/host addresses. Not available with
+          Shorewall6[-lite].</para>
         </listitem>
       </varlistentry>
 
@@ -1431,8 +1464,13 @@
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
           to be logged then discarded. Logging occurs at the log level
           specified by the BLACKLIST_LOGLEVEL setting in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
-          (5).</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
+          (<ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          This command requires that the firewall be in the started state and
+          that DYNAMIC_BLACKLIST=Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf
+          (5)</ulink>.</para>
         </listitem>
       </varlistentry>
 
@@ -1443,6 +1481,8 @@
         <listitem>
           <para>Monitors the log file specified by the LOGFILE option in
           <ulink url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+          (<ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
           and produces an audible alarm when new Shorewall messages are
           logged. The <emphasis role="bold">-m</emphasis> option causes the
           MAC address of each packet source to be displayed if that
@@ -1463,8 +1503,13 @@
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
           to be logged then rejected. Logging occurs at the log level
           specified by the BLACKLIST_LOGLEVEL setting in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>
-          (5).</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5),
+          (<ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          This command requires that the firewall be in the started state and
+          that DYNAMIC_BLACKLIST=Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf
+          (5)</ulink>.</para>
         </listitem>
       </varlistentry>
 
@@ -1551,6 +1596,8 @@
         <replaceable>chain</replaceable>... ]</term>
 
         <listitem>
+          <para>Not available with Shorewall[6]-lite.</para>
+
           <para>All steps performed by <command>restart</command> are
           performed by <command>refresh</command> with the exception that
           <command>refresh</command> only recreates the chains specified in
@@ -1605,7 +1652,10 @@
 
         <listitem>
           <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be silently rejected.</para>
+          to be silently rejected. This command requires that the firewall be
+          in the started state and that DYNAMIC_BLACKLIST=Yes in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf
+          (5)</ulink>.</para>
         </listitem>
       </varlistentry>
 
@@ -1635,38 +1685,47 @@
           be installed to use this option.</para>
 
           <para>The <option>-d</option> option causes the compiler to run
-          under the Perl debugger.</para>
+          under the Perl debugger (Shorewall and Shorewall6 only).</para>
 
           <para>The <option>-f</option> option suppresses the compilation step
           and simply reused the compiled script which last started/restarted
           Shorewall, provided that /etc/shorewall and its contents have not
-          been modified since the last start/restart.</para>
+          been modified since the last start/restart (Shorewall and Shorewall6
+          only).</para>
 
           <para>The <option>-c</option> option was added in Shorewall 4.4.20
           and performs the compilation step unconditionally, overriding the
           AUTOMAKE setting in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
-          both <option>-f</option> and <option>-c</option> are present, the
-          result is determined by the option that appears last.</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+          (Shorewall and Shorewall6 only). When both <option>-f</option> and
+          <option>-c</option> are present, the result is determined by the
+          option that appears last.</para>
 
           <para>The <option>-T</option> option was added in Shorewall 4.5.3
           and causes a Perl stack trace to be included with each
-          compiler-generated error and warning message.</para>
+          compiler-generated error and warning message (Shorewall and
+          Shorewall6 only).</para>
 
           <para>The <option>-i</option> option was added in Shorewall 4.6.0
           and causes a warning message to be issued if the current line
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+          (<ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          This option is available in Shorewall and Shorewall6 only.</para>
 
           <para>The <option>-C</option> option was added in Shorewall 4.6.5
           and is only meaningful when AUTOMAKE=Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). If an
-          existing firewall script is used and if that script was the one that
-          generated the current running configuration, then the running
-          netfilter configuration will be reloaded as is so as to preserve the
-          iptables packet and byte counters.</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+          (<ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+          If an existing firewall script is used and if that script was the
+          one that generated the current running configuration, then the
+          running netfilter configuration will be reloaded as is so as to
+          preserve the iptables packet and byte counters. This option is
+          available in Shorewall and Shorewall6 only.</para>
         </listitem>
       </varlistentry>
 
@@ -1679,7 +1738,8 @@
 
         <listitem>
           <para>This command was renamed from <command>load</command> in
-          Shorewall 5.0.0.</para>
+          Shorewall 5.0.0 and is only available in Shorewall and
+          Shoreawall6.</para>
 
           <para>If <emphasis>directory</emphasis> is omitted, the current
           working directory is assumed. Allows a non-root user to compile a
@@ -1704,8 +1764,9 @@
           ssh. Beginning with Shorewall 5.0.13, if
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
-          that case, if you want to specify a
+          url="shorewall.conf.html">shorewall.conf</ulink>(5) (<ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>) is
+          assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
 
@@ -1747,7 +1808,8 @@
         <replaceable>system</replaceable> ]</term>
 
         <listitem>
-          <para>This command was added in Shorewall 5.0.0.</para>
+          <para>This command was added in Shorewall 5.0.0 and is only
+          available in Shorewall and Shorewall6.</para>
 
           <para>If <emphasis>directory</emphasis> is omitted, the current
           working directory is assumed. Allows a non-root user to compile a
@@ -1772,8 +1834,9 @@
           Beginning with Shorewall 5.0.13, if
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
-          that case, if you want to specify a
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
 
@@ -1802,7 +1865,9 @@
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+          (<ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 
@@ -1816,7 +1881,8 @@
 
         <listitem>
           <para>This command was renamed from <command>reload</command> in
-          Shorewall 5.0.0.</para>
+          Shorewall 5.0.0 and is available in Shorewall and Shorewall6
+          only.</para>
 
           <para>If <emphasis>directory</emphasis> is omitted, the current
           working directory is assumed. Allows a non-root user to compile a
@@ -1841,8 +1907,9 @@
           Beginning with Shorewall 5.0.13, if
           <replaceable>system</replaceable> is omitted, then the FIREWALL
           option setting in <ulink
-          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
-          that case, if you want to specify a
+          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> (<ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)) is
+          assumed. In that case, if you want to specify a
           <replaceable>directory</replaceable>, then the <option>-D</option>
           option must be given.</para>
 
@@ -1871,7 +1938,9 @@
           contains alternative input specifications following a semicolon
           (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
           set to Yes in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+          (<ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -1904,7 +1973,8 @@
           <para>Beginning with Shorewall 5.0.0, this command performs a true
           restart. The firewall is completely stopped as if a
           <command>stop</command> command had been issued then it is started
-          again.</para>
+          again. The command is available on Shorewall and Shorewall6
+          only.</para>
 
           <para>If a <emphasis>directory</emphasis> is included in the
           command, Shorewall will look in that <emphasis>directory</emphasis>
@@ -1966,7 +2036,9 @@
           role="bold">shorewall save</emphasis>; if no
           <emphasis>filename</emphasis> is given then Shorewall will be
           restored from the file specified by the RESTOREFILE option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+          (<ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <caution>
             <para>If your iptables ruleset depends on variables that are
@@ -2027,8 +2099,8 @@
 
         <listitem>
           <para>Added in Shorewall 5.0.0, this command performs the same
-          function as did <command>safe_restart</command> in earlier
-          releases.</para>
+          function as did <command>safe_restart</command> in earlier releases.
+          The command is available in Shorewall and Shorewall6 only.</para>
 
           <para>Only allowed if Shorewall is running. The current
           configuration is saved in /var/lib/shorewall/safe-reload (see the
@@ -2058,16 +2130,17 @@
         <replaceable>directory</replaceable> ]</term>
 
         <listitem>
-          <para>Only allowed if Shorewall is running. The current
-          configuration is saved in /var/lib/shorewall/safe-restart (see the
-          save command below) then a <emphasis role="bold">shorewall
-          restart</emphasis> is done. You will then be prompted asking if you
-          want to accept the new configuration or not. If you answer "n" or if
-          you fail to answer within 60 seconds (such as when your new
-          configuration has disabled communication with your terminal), the
-          configuration is restored from the saved configuration. If a
-          directory is given, then Shorewall will look in that directory first
-          when opening configuration files.</para>
+          <para>Only allowed if Shorewall[6] is running and is not available
+          in Shorewall-lite and Shorewall6-lite. The current configuration is
+          saved in /var/lib/shorewall/safe-restart (see the save command
+          below) then a <emphasis role="bold">shorewall restart</emphasis> is
+          done. You will then be prompted asking if you want to accept the new
+          configuration or not. If you answer "n" or if you fail to answer
+          within 60 seconds (such as when your new configuration has disabled
+          communication with your terminal), the configuration is restored
+          from the saved configuration. If a directory is given, then
+          Shorewall will look in that directory first when opening
+          configuration files.</para>
 
           <para>Beginning with Shorewall 4.5.0, you may specify a different
           <replaceable>timeout</replaceable> value using the
@@ -2101,6 +2174,9 @@
           <option>s</option>, <option>m</option> or <option>h</option> suffix
           (e.g., 5m) to specify seconds, minutes or hours respectively. If the
           suffix is omitted, seconds is assumed.</para>
+
+          <para>This command is available in Shorewall and Shorewall6
+          only.</para>
         </listitem>
       </varlistentry>
 
@@ -2116,7 +2192,9 @@
           role="bold">shorewall -f start</emphasis> commands. If
           <emphasis>filename</emphasis> is not given then the state is saved
           in the file specified by the RESTOREFILE option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+          (<ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
 
           <para>The <option>-C</option> option, added in Shorewall 4.6.5,
           causes the iptables packet and byte counters to be saved along with
@@ -2131,7 +2209,9 @@
           <para>Added in shorewall 4.6.8. Performs the same action as the
           <command>stop</command> command with respect to saving ipsets (see
           the SAVE_IPSETS option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
+          (<ulink
+          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
           This command may be used to proactively save your ipset contents in
           the event that a system failure occurs prior to issuing a
           <command>stop</command> command.</para>
@@ -2287,7 +2367,8 @@
                 <para>Added in Shorewall 4.4.17. Displays the per-IP
                 accounting counters (<ulink
                 url="/manpages/shorewall-accounting.html">shorewall-accounting</ulink>
-                (5)).</para>
+                (5), <ulink
+                url="/manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>(5)).</para>
               </listitem>
             </varlistentry>
 
@@ -2298,7 +2379,9 @@
               <listitem>
                 <para>Displays the last 20 Shorewall messages from the log
                 file specified by the LOGFILE option in <ulink
-                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+                (<ulink
+                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
                 The <emphasis role="bold">-m</emphasis> option causes the MAC
                 address of each packet source to be displayed if that
                 information is available.</para>
@@ -2310,7 +2393,7 @@
 
               <listitem>
                 <para>Displays information about each macro defined on the
-                firewall system.</para>
+                firewall system (Shorewall and Shorewall6 only)</para>
               </listitem>
             </varlistentry>
 
@@ -2322,7 +2405,8 @@
                 <para>Added in Shorewall 4.4.6. Displays the file that
                 implements the specified <replaceable>macro</replaceable>
                 (usually
-                <filename>/usr/share/shorewall/macro</filename>.<replaceable>macro</replaceable>).</para>
+                <filename>/usr/share/shorewall/macro</filename>.<replaceable>macro</replaceable>).
+                Available only in Shorewall and Shorewall6.</para>
               </listitem>
             </varlistentry>
 
@@ -2440,59 +2524,114 @@
         <replaceable>directory</replaceable> ]</term>
 
         <listitem>
-          <para>Start shorewall. Existing connections through shorewall
-          managed interfaces are untouched. New connections will be allowed
-          only if they are allowed by the firewall rules or policies. If a
-          <replaceable>directory</replaceable> is included in the command,
-          Shorewall will look in that <emphasis>directory</emphasis> first for
-          configuration files. If <emphasis role="bold">-f</emphasis> is
-          specified, the saved configuration specified by the RESTOREFILE
-          option in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5) will
-          be restored if that saved configuration exists and has been modified
-          more recently than the files in /etc/shorewall. When <emphasis
-          role="bold">-f</emphasis> is given, a
-          <replaceable>directory</replaceable> may not be specified.</para>
+          <para><variablelist>
+              <varlistentry>
+                <term>Shorewall and Shorewall6</term>
 
-          <para>Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
-          added to <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
-          LEGACY_FASTSTART=No, the modification times of files in
-          /etc/shorewall are compared with that of /var/lib/shorewall/firewall
-          (the compiled script that last started/restarted the
-          firewall).</para>
+                <listitem>
+                  <para>Start shorewall[6]. Existing connections through
+                  shorewall managed interfaces are untouched. New connections
+                  will be allowed only if they are allowed by the firewall
+                  rules or policies. If a <replaceable>directory</replaceable>
+                  is included in the command, Shorewall will look in that
+                  <emphasis>directory</emphasis> first for configuration
+                  files. If <emphasis role="bold">-f</emphasis> is specified,
+                  the saved configuration specified by the RESTOREFILE option
+                  in <ulink
+                  url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+                  (<ulink
+                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5))
+                  will be restored if that saved configuration exists and has
+                  been modified more recently than the files in
+                  /etc/shorewall. When <emphasis role="bold">-f</emphasis> is
+                  given, a <replaceable>directory</replaceable> may not be
+                  specified.</para>
 
-          <para>The <option>-n</option> option causes Shorewall to avoid
-          updating the routing table(s).</para>
+                  <para>Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART
+                  option was added to <ulink
+                  url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+                  (<ulink
+                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                  When LEGACY_FASTSTART=No, the modification times of files in
+                  /etc/shorewall are compared with that of
+                  /var/lib/shorewall/firewall (the compiled script that last
+                  started/restarted the firewall).</para>
 
-          <para>The <option>-p</option> option causes the connection tracking
-          table to be flushed; the <command>conntrack</command> utility must
-          be installed to use this option.</para>
+                  <para>The <option>-n</option> option causes Shorewall to
+                  avoid updating the routing table(s).</para>
 
-          <para>The <option>-c</option> option was added in Shorewall 4.4.20
-          and performs the compilation step unconditionally, overriding the
-          AUTOMAKE setting in <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). When
-          both <option>-f</option> and <option>-c</option>are present, the
-          result is determined by the option that appears last.</para>
+                  <para>The <option>-p</option> option causes the connection
+                  tracking table to be flushed; the
+                  <command>conntrack</command> utility must be installed to
+                  use this option.</para>
 
-          <para>The <option>-T</option> option was added in Shorewall 4.5.3
-          and causes a Perl stack trace to be included with each
-          compiler-generated error and warning message.</para>
+                  <para>The <option>-c</option> option was added in Shorewall
+                  4.4.20 and performs the compilation step unconditionally,
+                  overriding the AUTOMAKE setting in <ulink
+                  url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+                  (<ulink
+                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
+                  When both <option>-f</option> and <option>-c</option>are
+                  present, the result is determined by the option that appears
+                  last.</para>
 
-          <para>The -i option was added in Shorewall 4.6.0 and causes a
-          warning message to be issued if the current line contains
-          alternative input specifications following a semicolon (";"). Such
-          lines will be handled incorrectly if INLINE_MATCHES is set to Yes in
-          <ulink
-          url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
+                  <para>The <option>-T</option> option was added in Shorewall
+                  4.5.3 and causes a Perl stack trace to be included with each
+                  compiler-generated error and warning message.</para>
 
-          <para>The <option>-C</option> option was added in Shorewall 4.6.5
-          and is only meaningful when the <option>-f</option> option is also
-          specified. If the previously-saved configuration is restored, and if
-          the <option>-C</option> option was also specified in the <emphasis
-          role="bold">save</emphasis> command, then the packet and byte
-          counters will be restored.</para>
+                  <para>The -i option was added in Shorewall 4.6.0 and causes
+                  a warning message to be issued if the current line contains
+                  alternative input specifications following a semicolon
+                  (";"). Such lines will be handled incorrectly if
+                  INLINE_MATCHES is set to Yes in <ulink
+                  url="/manpages/shorewall.conf.html">shorewall.conf(5)</ulink>
+                  (<ulink
+                  url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+
+                  <para>The <option>-C</option> option was added in Shorewall
+                  4.6.5 and is only meaningful when the <option>-f</option>
+                  option is also specified. If the previously-saved
+                  configuration is restored, and if the <option>-C</option>
+                  option was also specified in the <emphasis
+                  role="bold">save</emphasis> command, then the packet and
+                  byte counters will be restored.</para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term>Shorewall-lite and Shorewall6-lite</term>
+
+                <listitem>
+                  <para>Start Shorewall[6] Lite. Existing connections through
+                  shorewall[6]-lite managed interfaces are untouched. New
+                  connections will be allowed only if they are allowed by the
+                  firewall rules or policies.</para>
+
+                  <para>The <option>-p</option> option causes the connection
+                  tracking table to be flushed; the
+                  <command>conntrack</command> utility must be installed to
+                  use this option.</para>
+
+                  <para>The <option>-n</option> option prevents the firewall
+                  script from modifying the current routing
+                  configuration.</para>
+
+                  <para>The <option>-f</option> option was added in Shorewall
+                  4.6.5. If the RESTOREFILE named in <ulink
+                  url="shorewall.conf.html">shorewall.conf</ulink>(5) exists,
+                  is executable and is not older than the current filewall
+                  script, then that saved configuration is restored.</para>
+
+                  <para>The <option>-C</option> option was added in Shorewall
+                  4.6.5 and is only meaningful when the <option>-f</option>
+                  option is also specified. If the previously-saved
+                  configuration is restored, and if the <option>-C</option>
+                  option was also specified in the <emphasis
+                  role="bold">save</emphasis> command, then the packet and
+                  byte counters will be restored.</para>
+                </listitem>
+              </varlistentry>
+            </variablelist></para>
         </listitem>
       </varlistentry>
 
@@ -2539,18 +2678,21 @@
         <replaceable>timeout</replaceable> ]</term>
 
         <listitem>
-          <para>If Shorewall is started then the firewall state is saved to a
-          temporary saved configuration
-          (<filename>/var/lib/shorewall/.try</filename>). Next, if Shorewall
-          is currently started then a <emphasis role="bold">restart</emphasis>
-          command is issued using the specified configuration
-          <replaceable>directory</replaceable>; otherwise, a <emphasis
-          role="bold">start</emphasis> command is performed using the
-          specified configuration <replaceable>directory</replaceable>. if an
-          error occurs during the compilation phase of the <emphasis
+          <para>This command is available in Shorewall and Shorewall6
+          only.</para>
+
+          <para>If Shorewall[6] is started then the firewall state is saved to
+          a temporary saved configuration
+          (<filename>/var/lib/shorewall/.try</filename>). Next, if
+          Shorewall[6] is currently started then a <emphasis
+          role="bold">restart</emphasis> command is issued using the specified
+          configuration <replaceable>directory</replaceable>; otherwise, a
+          <emphasis role="bold">start</emphasis> command is performed using
+          the specified configuration <replaceable>directory</replaceable>. if
+          an error occurs during the compilation phase of the <emphasis
           role="bold">restart</emphasis> or <emphasis
           role="bold">start</emphasis>, the command terminates without
-          changing the Shorewall state. If an error occurs during the
+          changing the Shorewall[6] state. If an error occurs during the
           <emphasis role="bold">restart</emphasis> phase, then a <emphasis
           role="bold">shorewall restore</emphasis> is performed using the
           saved configuration. If an error occurs during the <emphasis
@@ -2577,6 +2719,9 @@
         <replaceable>directory</replaceable> ]</term>
 
         <listitem>
+          <para>This command is available only in Shorewall and
+          Shorewall6.</para>
+
           <para>Added in Shorewall 4.4.21 and causes the compiler to update
           <filename>/etc/shorewall/shorewall.conf then validate the
           configuration</filename>. The update will add options not present in