--- ../../3.4/Shorewall/lib.tunnels 2007-10-26 19:10:45.000000000 -0400
+++ lib.tunnels 2008-03-09 15:55:46.000000000 -0400
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Shorewall 3.4 -- /usr/share/shorewall/lib.tunnels
+# Shorewall 4.1 -- /usr/share/shorewall/lib.tunnels
 #
 # This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -37,19 +37,31 @@
 setup_one_ipsec() # $1 = Tunnel Kind $2 = gateway zones
 {
- local kind=$1 noah=
+ local kind
+ kind=$1
+ local noah
+ noah=noah
 case $kind in
 *:*)
 noah=${kind#*:}
- [ $noah = noah -o $noah = NOAH ] || fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
+ case $noah in
+ ah|AH)
+ noah=
+ ;;
+ noah|NOAH)
+ ;;
+ *)
+ fatal_error "Invalid IPSEC modifier $noah in tunnel \"$tunnel\""
+ ;;
+ esac
 kind=${kind%:*}
 ;;
 esac
 [ $kind = IPSEC ] && kind=ipsec
- [ $kind = ipsec ] || noah=noah
+ [ $kind = ipsec ] || [ "$noah" = noah ] || fatal_error ":ah not allowed on ipsecnat tunnels"
 options="-m state --state NEW -j ACCEPT"
 addrule2 $inchain -p 50 $source -j ACCEPT
@@ -125,8 +137,10 @@
 setup_one_openvpn() # $1 = kind[:port]
 {
- local protocol=udp
- local p=1194
+ local protocol
+ protocol=udp
+ local p
+ p=1194
 case $1 in
 *:*:*)
@@ -150,8 +164,10 @@
 setup_one_openvpn_server() # $1 = kind[:port]
 {
- local protocol=udp
- local p=1194
+ local protocol
+ protocol=udp
+ local p
+ p=1194
 case $1 in
 *:*:*)
@@ -175,8 +191,10 @@
 setup_one_openvpn_client() # $1 = kind[:port]
 {
- local protocol=udp
- local p=1194
+ local protocol
+ protocol=udp
+ local p
+ p=1194
 case $1 in
 *:*:*)
@@ -201,7 +219,8 @@
 setup_one_generic() # $1 = kind:protocol[:port]
 {
 local protocol
- local p=
+ local p
+ p=
 case $1 in
 *:*:*)
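Review bot: The `noah|NOAH)` arm of the new `case $noah in` in setup_one_ipsec leaves the upper-case spelling unnormalized, so a tunnel type such as `ipsecnat:NOAH` keeps `noah=NOAH`, fails the later `[ "$noah" = noah ]` comparison and is rejected with ":ah not allowed on ipsecnat tunnels" although no `:ah` was given. Assigning `noah=noah` inside that arm keeps the rest of the function looking at a single value. The new guard also leaves `$kind` unquoted next to a quoted `"$noah"`; writing `[ "$kind" = ipsec ] || [ "$noah" = noah ] || fatal_error ...` avoids a test syntax error if the part before the colon is ever empty. The function body continues past the end of the hunk, so how `$noah` is consumed afterwards is not visible here.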