From 4db0dc26672a85684a73e54c7d6414a69c7584ee Mon Sep 17 00:00:00 2001
From: teastep <teastep@fbd18981-670d-0410-9b5c-8dc0c1a9a2bb>
Date: Thu, 15 Nov 2007 23:24:54 +0000
Subject: [PATCH] Bring trunk up to date with branch/4.0

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7668 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-common/Makefile              |   2 +-
 Shorewall-common/changelog.txt         |  26 +
 Shorewall-common/fallback.sh           |   2 +-
 Shorewall-common/install.sh            |   2 +-
 Shorewall-common/lib.base              |   8 +-
 Shorewall-common/lib.cli               |  56 +-
 Shorewall-common/lib.config            |   2 +
 Shorewall-common/macro.AllowICMPs      |   4 +-
 Shorewall-common/macro.Amanda          |   4 +-
 Shorewall-common/macro.Auth            |   4 +-
 Shorewall-common/macro.BitTorrent      |   4 +-
 Shorewall-common/macro.CVS             |   4 +-
 Shorewall-common/macro.DNS             |   4 +-
 Shorewall-common/macro.Distcc          |   4 +-
 Shorewall-common/macro.Drop            |   4 +-
 Shorewall-common/macro.DropDNSrep      |   4 +-
 Shorewall-common/macro.DropUPnP        |   4 +-
 Shorewall-common/macro.Edonkey         |   4 +-
 Shorewall-common/macro.FTP             |   4 +-
 Shorewall-common/macro.Finger          |   4 +-
 Shorewall-common/macro.GRE             |   4 +-
 Shorewall-common/macro.Gnutella        |   4 +-
 Shorewall-common/macro.HTTP            |   4 +-
 Shorewall-common/macro.HTTPS           |   4 +-
 Shorewall-common/macro.ICQ             |   4 +-
 Shorewall-common/macro.IMAP            |   4 +-
 Shorewall-common/macro.IMAPS           |   4 +-
 Shorewall-common/macro.IPIP            |   4 +-
 Shorewall-common/macro.IPP             |   4 +-
 Shorewall-common/macro.IPPserver       |   4 +-
 Shorewall-common/macro.IPsec           |   4 +-
 Shorewall-common/macro.IPsecah         |   4 +-
 Shorewall-common/macro.IPsecnat        |   4 +-
 Shorewall-common/macro.JabberPlain     |   4 +-
 Shorewall-common/macro.JabberSecure    |   4 +-
 Shorewall-common/macro.Jabberd         |   4 +-
 Shorewall-common/macro.Jetdirect       |   4 +-
 Shorewall-common/macro.L2TP            |   4 +-
 Shorewall-common/macro.LDAP            |   4 +-
 Shorewall-common/macro.LDAPS           |   4 +-
 Shorewall-common/macro.MySQL           |   4 +-
 Shorewall-common/macro.NNTP            |   4 +-
 Shorewall-common/macro.NNTPS           |   4 +-
 Shorewall-common/macro.NTP             |   4 +-
 Shorewall-common/macro.NTPbrd          |   4 +-
 Shorewall-common/macro.PCA             |   4 +-
 Shorewall-common/macro.POP3            |   4 +-
 Shorewall-common/macro.POP3S           |   4 +-
 Shorewall-common/macro.Ping            |   4 +-
 Shorewall-common/macro.PostgreSQL      |   4 +-
 Shorewall-common/macro.Printer         |   4 +-
 Shorewall-common/macro.RDP             |   4 +-
 Shorewall-common/macro.Rdate           |   4 +-
 Shorewall-common/macro.Reject          |   4 +-
 Shorewall-common/macro.Rsync           |   4 +-
 Shorewall-common/macro.SMB             |   4 +-
 Shorewall-common/macro.SMBBI           |   4 +-
 Shorewall-common/macro.SMBswat         |   4 +-
 Shorewall-common/macro.SMTP            |   4 +-
 Shorewall-common/macro.SMTPS           |   4 +-
 Shorewall-common/macro.SNMP            |   4 +-
 Shorewall-common/macro.SPAMD           |   4 +-
 Shorewall-common/macro.SSH             |   4 +-
 Shorewall-common/macro.SVN             |   4 +-
 Shorewall-common/macro.SixXS           |   2 +-
 Shorewall-common/macro.Submission      |   4 +-
 Shorewall-common/macro.Syslog          |   4 +-
 Shorewall-common/macro.TFTP            |   4 +-
 Shorewall-common/macro.Telnet          |   4 +-
 Shorewall-common/macro.Telnets         |   4 +-
 Shorewall-common/macro.Time            |   4 +-
 Shorewall-common/macro.Trcrt           |   4 +-
 Shorewall-common/macro.VNC             |   4 +-
 Shorewall-common/macro.VNCL            |   4 +-
 Shorewall-common/macro.Web             |   4 +-
 Shorewall-common/macro.Webmin          |   4 +-
 Shorewall-common/macro.Whois           |   4 +-
 Shorewall-common/releasenotes.txt      | 992 +++++++++++++++----------
 Shorewall-common/shorewall             |   9 +-
 Shorewall-common/shorewall-common.spec |  13 +-
 Shorewall-common/shorewall.conf        |   2 +
 Shorewall-common/uninstall.sh          |   2 +-
 Shorewall-lite/Makefile                |   5 +-
 Shorewall-lite/fallback.sh             |   2 +-
 Shorewall-lite/install.sh              |   2 +-
 Shorewall-lite/shorewall-lite          |   9 +-
 Shorewall-lite/shorewall-lite.spec     |  10 +-
 Shorewall-lite/uninstall.sh            |   2 +-
 Shorewall-perl/Shorewall/Accounting.pm |  15 +-
 Shorewall-perl/Shorewall/Actions.pm    |  12 +-
 Shorewall-perl/Shorewall/Chains.pm     | 234 +++---
 Shorewall-perl/Shorewall/Compiler.pm   |  13 +-
 Shorewall-perl/Shorewall/Config.pm     | 442 ++++++++---
 Shorewall-perl/Shorewall/Nat.pm        | 119 ++-
 Shorewall-perl/Shorewall/Policy.pm     |  13 +-
 Shorewall-perl/Shorewall/Proc.pm       |   5 +-
 Shorewall-perl/Shorewall/Providers.pm  |  20 +-
 Shorewall-perl/Shorewall/Proxyarp.pm   |   4 +-
 Shorewall-perl/Shorewall/Rules.pm      | 134 ++--
 Shorewall-perl/Shorewall/Tc.pm         |  32 +-
 Shorewall-perl/Shorewall/Tunnels.pm    |  18 +-
 Shorewall-perl/Shorewall/Zones.pm      |  16 +-
 Shorewall-perl/install.sh              |   2 +-
 Shorewall-perl/prog.header             |   2 +-
 Shorewall-perl/shorewall-perl.spec     |  10 +-
 Shorewall-shell/compiler               |   1 +
 Shorewall-shell/install.sh             |   2 +-
 Shorewall-shell/lib.providers          |   6 +-
 Shorewall-shell/lib.tcrules            |   1 -
 Shorewall-shell/shorewall-shell.spec   |   8 +-
 web/shorewall_index.htm                |   6 +-
 111 files changed, 1518 insertions(+), 1021 deletions(-)

diff --git a/Shorewall-common/Makefile b/Shorewall-common/Makefile
index de028e356..1ee948e2e 100644
--- a/Shorewall-common/Makefile
+++ b/Shorewall-common/Makefile
@@ -1,5 +1,5 @@
 # Shorewall Makefile to restart if config-files are newer than last restart
-VARDIR=/var/lib/shorewall
+VARDIR=$(shell /sbin/shorewall show vardir)
 CONFDIR=/etc/shorewall
 RESTOREFILE?=.restore
 all: $(VARDIR)/${RESTOREFILE}
diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index c87c2def9..5ff43b9d1 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -1,3 +1,29 @@
+Changes in 4.0.6
+
+1)  Fix hyphenated service names in DNAT/REDIRECT rules.
+
+2)  Fix long dest ports list bug.
+
+3)  Fix many day-one bugs in REDIRECT port handling.
+
+4)  Add support for '--physdev-is-bridged'.
+
+5)  Add support for embedded shell and Perl scripts.
+
+6)  Add support for manual chains.
+
+7)  Don't require GATEWAY in tunnels file.
+
+8)  Fix HIGH_ROUTE_MARKS fsck-up.
+
+9)  Fix Makefiles for VARDIR
+
+10) Add -t option to hits command.
+
+11) Add DONT_LOAD option
+
+12) Add support for --random.
+
 Changes in 4.0.5
 
 1)  Delete 'detectnets' from Shorewall-perl
diff --git a/Shorewall-common/fallback.sh b/Shorewall-common/fallback.sh
index 7eeea7367..ccc6116e2 100755
--- a/Shorewall-common/fallback.sh
+++ b/Shorewall-common/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.0.5
+VERSION=4.0.6
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall-common/install.sh b/Shorewall-common/install.sh
index 91ef673c8..021f11547 100755
--- a/Shorewall-common/install.sh
+++ b/Shorewall-common/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.0.5
+VERSION=4.0.6
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall-common/lib.base b/Shorewall-common/lib.base
index 940c1435f..c3f349968 100644
--- a/Shorewall-common/lib.base
+++ b/Shorewall-common/lib.base
@@ -35,7 +35,7 @@
 #
 
 SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40003
+SHOREWALL_CAPVERSION=40006
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -212,7 +212,7 @@ loadmodule() # $1 = module name, $2 - * arguments
     local modulefile
     local suffix
 
-    if ! list_search $modulename $MODULES ; then
+    if ! list_search $modulename $MODULES $DONT_LOAD ; then
 	shift
 
 	for suffix in $MODULE_SUFFIX ; do
@@ -983,6 +983,7 @@ determine_capabilities() {
     XMULTIPORT=
     POLICY_MATCH=
     PHYSDEV_MATCH=
+    PHYSDEV_BRIDGE=
     IPRANGE_MATCH=
     RECENT_MATCH=
     OWNER_MATCH=
@@ -1020,6 +1021,7 @@ determine_capabilities() {
 
     if qt $IPTABLES -A fooX1234 -m physdev --physdev-out eth0 -j ACCEPT; then
 	PHYSDEV_MATCH=Yes
+	qt $IPTABLES -A fooX1234 -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes
 	if [ -z "${KLUDGEFREE}" ]; then
 	    qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes
 	fi
@@ -1112,6 +1114,7 @@ report_capabilities() {
 	report_capability "Packet Type Match" $USEPKTTYPE
 	report_capability "Policy Match" $POLICY_MATCH
 	report_capability "Physdev Match" $PHYSDEV_MATCH
+	report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
 	report_capability "Packet length Match" $LENGTH_MATCH
 	report_capability "IP range Match" $IPRANGE_MATCH
 	report_capability "Recent Match" $RECENT_MATCH
@@ -1157,6 +1160,7 @@ report_capabilities1() {
     report_capability1 USEPKTTYPE
     report_capability1 POLICY_MATCH
     report_capability1 PHYSDEV_MATCH
+    report_capability1 PHYSDEV_BRIDGE
     report_capability1 LENGTH_MATCH
     report_capability1 IPRANGE_MATCH
     report_capability1 RECENT_MATCH
diff --git a/Shorewall-common/lib.cli b/Shorewall-common/lib.cli
index 879eadc7f..425219840 100644
--- a/Shorewall-common/lib.cli
+++ b/Shorewall-common/lib.cli
@@ -541,6 +541,9 @@ show_command() {
 		$IPTABLES -t $table -L $IPT_OPTIONS
 	    fi
 	    ;;
+	vardir)
+	    echo $VARDIR;
+	    ;;
 	*)
 	    if [ "$PRODUCT" = Shorewall ]; then
 		case $1 in
@@ -916,28 +919,59 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
 # 'hits' commmand executor
 #
 hits_command() {
+    local finished=0 today=
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			t*)
+			    today=$(date +'^%b %_d.*')
+			    option=${option#t}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    [ $# -eq 0 ] || usage 1
+
     clear_term
     echo "$PRODUCT $version Hits at $HOSTNAME - $(date)"
     echo
 
     timeout=30
 
-    if [ $( $LOGREAD | grep -c 'IN=.* OUT=' ) -gt 0 ] ; then
-	echo "   HITS IP		  DATE"
+    if $LOGREAD | grep -q "${today}IN=.* OUT=" ; then
+	echo "   HITS IP	        DATE"
 	echo "   ---- --------------- ------"
-	$LOGREAD | grep 'IN=.* OUT=' | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3	\1/' | sort | uniq -c | sort -rn | \
-	    while read count address month day; do
+	$LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3	\1/' | sort | uniq -c | sort -rn | while read count address month day; do
 	    printf '%7d %-15s %3s %2d\n' $count $address $month $day
 	done
 
 	echo ""
 
-	echo "   HITS IP		  PORT"
+	echo "   HITS IP	        PORT"
 	echo "   ---- --------------- -----"
-	$LOGREAD | grep 'IN=.* OUT=' | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
+	$LOGREAD | grep  "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
 						t
-						s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | \
-						    while read count address port; do
+						s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do
 	    printf '%7d %-15s %d\n' $count $address $port
 	done
 
@@ -945,8 +979,7 @@ hits_command() {
 
 	echo "   HITS DATE"
 	echo "   ---- ------"
-	$LOGREAD | grep 'IN=.* OUT=' | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | \
-	    while read count month day; do
+	$LOGREAD | grep  "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | while read count month day; do
 	    printf '%7d %3s %2d\n' $count $month $day
 	done
 
@@ -954,8 +987,7 @@ hits_command() {
 
 	echo "   HITS  PORT SERVICE(S)"
 	echo "   ---- ----- ----------"
-	$LOGREAD | grep 'IN=.* OUT=.*DPT' | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | \
-	    while read count port ; do
+	$LOGREAD | grep "${today}IN=.* OUT=.*DPT" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | while read count port ; do
 	    # List all services defined for the given port
 	    srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | cut -f 1 -d' ' | sort -u)
 	    srv=$(echo $srv | sed 's/ /,/g')
diff --git a/Shorewall-common/lib.config b/Shorewall-common/lib.config
index f834dc4b8..a26f5a47d 100644
--- a/Shorewall-common/lib.config
+++ b/Shorewall-common/lib.config
@@ -1746,6 +1746,7 @@ do_initialize() {
     EXPORTPARAMS=
     KEEP_TC_RULES=
     DELETE_THEN_ADD=
+    DONT_LOAD=
     #
     # Packet Disposition
     #
@@ -1830,6 +1831,7 @@ do_initialize() {
     # capabilities when module autoloading isn't enabled.
     #
     PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
+    [ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | sed 's/,/ /g' )"
 
     [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
 
diff --git a/Shorewall-common/macro.AllowICMPs b/Shorewall-common/macro.AllowICMPs
index 6b1765643..c587c9c4a 100644
--- a/Shorewall-common/macro.AllowICMPs
+++ b/Shorewall-common/macro.AllowICMPs
@@ -6,8 +6,8 @@
 #	This macro ACCEPTs needed ICMP types
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 ACCEPT	-	-	icmp	fragmentation-needed
 ACCEPT	-	-	icmp	time-exceeded
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Amanda b/Shorewall-common/macro.Amanda
index 3e7eabd06..28472ed03 100644
--- a/Shorewall-common/macro.Amanda
+++ b/Shorewall-common/macro.Amanda
@@ -8,8 +8,8 @@
 #	files from those nodes.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	10080
 #
 # You may also need this rule.  With AMANDA 2.4.4 on Linux kernel 2.6,
diff --git a/Shorewall-common/macro.Auth b/Shorewall-common/macro.Auth
index 3c9d5099f..5043506a7 100644
--- a/Shorewall-common/macro.Auth
+++ b/Shorewall-common/macro.Auth
@@ -6,7 +6,7 @@
 #	This macro handles Auth (identd) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	113
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.BitTorrent b/Shorewall-common/macro.BitTorrent
index 95ddf530d..b05ae69c4 100644
--- a/Shorewall-common/macro.BitTorrent
+++ b/Shorewall-common/macro.BitTorrent
@@ -6,8 +6,8 @@
 #	This macro handles BitTorrent traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	6881:6889
 #
 # It may also be necessary to allow UDP traffic:
diff --git a/Shorewall-common/macro.CVS b/Shorewall-common/macro.CVS
index b6cc995d0..c4e02647f 100644
--- a/Shorewall-common/macro.CVS
+++ b/Shorewall-common/macro.CVS
@@ -6,7 +6,7 @@
 #	This macro handles connections to the CVS pserver.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	2401
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.DNS b/Shorewall-common/macro.DNS
index cfb368e3a..a1e444443 100644
--- a/Shorewall-common/macro.DNS
+++ b/Shorewall-common/macro.DNS
@@ -6,8 +6,8 @@
 #	This macro handles DNS traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	53
 PARAM	-	-	tcp	53
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Distcc b/Shorewall-common/macro.Distcc
index e449a0da7..c9fce42e9 100644
--- a/Shorewall-common/macro.Distcc
+++ b/Shorewall-common/macro.Distcc
@@ -6,7 +6,7 @@
 #	This macro handles connections to the Distributed Compiler service.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	3632
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Drop b/Shorewall-common/macro.Drop
index 410472552..4eb343b8a 100644
--- a/Shorewall-common/macro.Drop
+++ b/Shorewall-common/macro.Drop
@@ -11,8 +11,8 @@
 #		Drop	net	all
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 #
 # Don't log 'auth' REJECT
 #
diff --git a/Shorewall-common/macro.DropDNSrep b/Shorewall-common/macro.DropDNSrep
index 80173f50d..19365dfea 100644
--- a/Shorewall-common/macro.DropDNSrep
+++ b/Shorewall-common/macro.DropDNSrep
@@ -6,7 +6,7 @@
 #	This macro silently drops DNS UDP replies
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 DROP	-	-	udp	-	53
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.DropUPnP b/Shorewall-common/macro.DropUPnP
index bb5d54d5e..989a3f386 100644
--- a/Shorewall-common/macro.DropUPnP
+++ b/Shorewall-common/macro.DropUPnP
@@ -6,7 +6,7 @@
 #	This macro silently drops UPnP probes on UDP port 1900
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 DROP	-	-	udp	1900
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Edonkey b/Shorewall-common/macro.Edonkey
index 9f40f443c..77b5203a6 100644
--- a/Shorewall-common/macro.Edonkey
+++ b/Shorewall-common/macro.Edonkey
@@ -28,8 +28,8 @@
 #	applications such as aMule WebServer or aMuleCMD.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	4662
 PARAM	-	-	udp	4665
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.FTP b/Shorewall-common/macro.FTP
index f594b0021..dd24dd4ad 100644
--- a/Shorewall-common/macro.FTP
+++ b/Shorewall-common/macro.FTP
@@ -6,7 +6,7 @@
 #	This macro handles FTP traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	21
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Finger b/Shorewall-common/macro.Finger
index 5d78875c5..2fc1742a9 100644
--- a/Shorewall-common/macro.Finger
+++ b/Shorewall-common/macro.Finger
@@ -7,7 +7,7 @@
 #	your finger information to internet.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	79
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.GRE b/Shorewall-common/macro.GRE
index cd0c7164f..acb032af9 100644
--- a/Shorewall-common/macro.GRE
+++ b/Shorewall-common/macro.GRE
@@ -6,8 +6,8 @@
 #	This macro (bi-directional) handles Generic Routing Encapsulation traffic (RFC 1701)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	47	# GRE
 PARAM	DEST	SOURCE	47	# GRE
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Gnutella b/Shorewall-common/macro.Gnutella
index 1f4f88470..2097ee1eb 100644
--- a/Shorewall-common/macro.Gnutella
+++ b/Shorewall-common/macro.Gnutella
@@ -6,8 +6,8 @@
 #	This macro handles Gnutella traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	6346
 PARAM	-	-	udp	6346
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.HTTP b/Shorewall-common/macro.HTTP
index e5ecf0fad..85f3231b5 100644
--- a/Shorewall-common/macro.HTTP
+++ b/Shorewall-common/macro.HTTP
@@ -6,7 +6,7 @@
 #	This macro handles plaintext HTTP (WWW) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	80
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.HTTPS b/Shorewall-common/macro.HTTPS
index 01397eec1..0e07331d4 100644
--- a/Shorewall-common/macro.HTTPS
+++ b/Shorewall-common/macro.HTTPS
@@ -6,7 +6,7 @@
 #	This macro handles HTTPS (WWW over SSL) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	443
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.ICQ b/Shorewall-common/macro.ICQ
index f452ae66c..53ded83ab 100644
--- a/Shorewall-common/macro.ICQ
+++ b/Shorewall-common/macro.ICQ
@@ -6,7 +6,7 @@
 #	This macro handles ICQ, now called AOL Instant Messenger (or AIM).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	5190
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.IMAP b/Shorewall-common/macro.IMAP
index 76f2dc717..11783c6eb 100644
--- a/Shorewall-common/macro.IMAP
+++ b/Shorewall-common/macro.IMAP
@@ -7,7 +7,7 @@
 #	see macro.IMAPS.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	143
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.IMAPS b/Shorewall-common/macro.IMAPS
index c5b7391ff..cf2328c03 100644
--- a/Shorewall-common/macro.IMAPS
+++ b/Shorewall-common/macro.IMAPS
@@ -7,7 +7,7 @@
 #	(not recommended), see macro.IMAP.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	993
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.IPIP b/Shorewall-common/macro.IPIP
index df0c85060..7fac8b68f 100644
--- a/Shorewall-common/macro.IPIP
+++ b/Shorewall-common/macro.IPIP
@@ -6,8 +6,8 @@
 #	This macro (bidirectional) handles IPIP capsulation traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	94	# IPIP
 PARAM	DEST	SOURCE	94	# IPIP
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.IPP b/Shorewall-common/macro.IPP
index 7753284f9..ad78b9ac7 100644
--- a/Shorewall-common/macro.IPP
+++ b/Shorewall-common/macro.IPP
@@ -6,7 +6,7 @@
 #	This macro handles Internet Printing Protocol (IPP).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	631
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.IPPserver b/Shorewall-common/macro.IPPserver
index fae3ba225..8948345d9 100644
--- a/Shorewall-common/macro.IPPserver
+++ b/Shorewall-common/macro.IPPserver
@@ -23,8 +23,8 @@
 #		IPPserver/ACCEPT $FW loc
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	SOURCE	DEST	tcp	631
 PARAM	DEST	SOURCE	udp	631
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.IPsec b/Shorewall-common/macro.IPsec
index 1e1380ac7..fd02f8b04 100644
--- a/Shorewall-common/macro.IPsec
+++ b/Shorewall-common/macro.IPsec
@@ -6,8 +6,8 @@
 #	This macro (bidirectional) handles IPsec traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	500	500	# IKE
 PARAM	-	-	50			# ESP
 PARAM	DEST	SOURCE	udp	500	500	# IKE
diff --git a/Shorewall-common/macro.IPsecah b/Shorewall-common/macro.IPsecah
index 98b7c564a..b51f93e04 100644
--- a/Shorewall-common/macro.IPsecah
+++ b/Shorewall-common/macro.IPsecah
@@ -7,8 +7,8 @@
 #       This is insecure. You should use ESP with encryption for security.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	500	500	# IKE
 PARAM	-	-	51			# AH
 PARAM	DEST	SOURCE	udp	500	500	# IKE
diff --git a/Shorewall-common/macro.IPsecnat b/Shorewall-common/macro.IPsecnat
index 5820d9fd8..266dc1811 100644
--- a/Shorewall-common/macro.IPsecnat
+++ b/Shorewall-common/macro.IPsecnat
@@ -6,8 +6,8 @@
 #	This macro (bidirectional) handles IPsec traffic and Nat-Traversal
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	500	# IKE
 PARAM	-	-	udp	4500	# NAT-T
 PARAM	-	-	50		# ESP
diff --git a/Shorewall-common/macro.JabberPlain b/Shorewall-common/macro.JabberPlain
index 4cc3028d5..c5f33eba6 100644
--- a/Shorewall-common/macro.JabberPlain
+++ b/Shorewall-common/macro.JabberPlain
@@ -6,7 +6,7 @@
 #	This macro accepts Jabberd intercommunication traffic
 #
 ###############################################################################
-#TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#TARGET	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	5269
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.JabberSecure b/Shorewall-common/macro.JabberSecure
index c9409694f..acc81de73 100644
--- a/Shorewall-common/macro.JabberSecure
+++ b/Shorewall-common/macro.JabberSecure
@@ -6,7 +6,7 @@
 #	This macro accepts Jabber traffic (plaintext).
 #
 ###############################################################################
-#TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#TARGET	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	5222
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Jabberd b/Shorewall-common/macro.Jabberd
index 212477190..f5bb958e7 100644
--- a/Shorewall-common/macro.Jabberd
+++ b/Shorewall-common/macro.Jabberd
@@ -6,7 +6,7 @@
 #	This macro accepts Jabber traffic (ssl).
 #
 ###############################################################################
-#TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#TARGET	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	5223
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Jetdirect b/Shorewall-common/macro.Jetdirect
index df4f924a0..bf79ddb6b 100644
--- a/Shorewall-common/macro.Jetdirect
+++ b/Shorewall-common/macro.Jetdirect
@@ -6,7 +6,7 @@
 #	This macro handles HP Jetdirect printing.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	9100
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.L2TP b/Shorewall-common/macro.L2TP
index 9b33121a3..8a3417e97 100644
--- a/Shorewall-common/macro.L2TP
+++ b/Shorewall-common/macro.L2TP
@@ -6,8 +6,8 @@
 #	This macro (bidirectional) handles Layer 2 Tunneling Protocol traffic (RFC 2661)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	1701	# L2TP
 PARAM	DEST	SOURCE	udp	1701	# L2TP
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.LDAP b/Shorewall-common/macro.LDAP
index a6871f37f..903770e0b 100644
--- a/Shorewall-common/macro.LDAP
+++ b/Shorewall-common/macro.LDAP
@@ -11,7 +11,7 @@
 #	Consult your LDAP server documentation for details.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	389
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.LDAPS b/Shorewall-common/macro.LDAPS
index a76c79260..e88d273b5 100644
--- a/Shorewall-common/macro.LDAPS
+++ b/Shorewall-common/macro.LDAPS
@@ -11,7 +11,7 @@
 #	Consult your LDAP server documentation for details.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	636
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.MySQL b/Shorewall-common/macro.MySQL
index 587a7a687..392d35d1b 100644
--- a/Shorewall-common/macro.MySQL
+++ b/Shorewall-common/macro.MySQL
@@ -6,7 +6,7 @@
 #	This macro handles connections to the MySQL server.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	3306
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.NNTP b/Shorewall-common/macro.NNTP
index e9cf2d06c..70f8486a7 100644
--- a/Shorewall-common/macro.NNTP
+++ b/Shorewall-common/macro.NNTP
@@ -7,7 +7,7 @@
 #	encrypted NNTP, see macro.NNTPS.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	119
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.NNTPS b/Shorewall-common/macro.NNTPS
index 4f5c3e098..c918dda80 100644
--- a/Shorewall-common/macro.NNTPS
+++ b/Shorewall-common/macro.NNTPS
@@ -7,7 +7,7 @@
 #	plaintext NNTP, see macro.NNTP.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	563
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.NTP b/Shorewall-common/macro.NTP
index 62ac382dd..1d0dd2caf 100644
--- a/Shorewall-common/macro.NTP
+++ b/Shorewall-common/macro.NTP
@@ -7,7 +7,7 @@
 #	For broadcast NTP traffic, use NTPbrd Macro.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	123
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.NTPbrd b/Shorewall-common/macro.NTPbrd
index 6be48b4a1..2874cfe2f 100644
--- a/Shorewall-common/macro.NTPbrd
+++ b/Shorewall-common/macro.NTPbrd
@@ -11,8 +11,8 @@
 #	Netfilter doesn't track connections for broadcast traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-		-		udp	123
 PARAM	-		-		udp	1024:	123
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.PCA b/Shorewall-common/macro.PCA
index b14103ac6..20cce1f19 100644
--- a/Shorewall-common/macro.PCA
+++ b/Shorewall-common/macro.PCA
@@ -6,8 +6,8 @@
 #	This macro handles PCAnywere (tm)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	5632
 PARAM	-	-	tcp	5631
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.POP3 b/Shorewall-common/macro.POP3
index 34b08593e..04a7cbcdb 100644
--- a/Shorewall-common/macro.POP3
+++ b/Shorewall-common/macro.POP3
@@ -7,7 +7,7 @@
 #	see macro.POP3S.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	110
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.POP3S b/Shorewall-common/macro.POP3S
index 5c6d388ea..d99928fb9 100644
--- a/Shorewall-common/macro.POP3S
+++ b/Shorewall-common/macro.POP3S
@@ -7,7 +7,7 @@
 #	see macro.POP3.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	995	# Secure POP3
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Ping b/Shorewall-common/macro.Ping
index 755c8ea7b..ef44016da 100644
--- a/Shorewall-common/macro.Ping
+++ b/Shorewall-common/macro.Ping
@@ -6,7 +6,7 @@
 #	This macro handles 'ping' requests.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	icmp	8
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.PostgreSQL b/Shorewall-common/macro.PostgreSQL
index aa7b2248f..7353ea23b 100644
--- a/Shorewall-common/macro.PostgreSQL
+++ b/Shorewall-common/macro.PostgreSQL
@@ -6,7 +6,7 @@
 #	This macro handles connections to the PostgreSQL server.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	5432
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Printer b/Shorewall-common/macro.Printer
index 5d3dcea83..2881eac46 100644
--- a/Shorewall-common/macro.Printer
+++ b/Shorewall-common/macro.Printer
@@ -6,7 +6,7 @@
 #	This macro handles Line Printer protocol printing.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	515
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.RDP b/Shorewall-common/macro.RDP
index ebe6722ac..04eba5dc5 100644
--- a/Shorewall-common/macro.RDP
+++ b/Shorewall-common/macro.RDP
@@ -6,7 +6,7 @@
 #	This macro handles Microsoft RDP (Remote Desktop) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	3389
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Rdate b/Shorewall-common/macro.Rdate
index 9f076265a..80a5b6de3 100644
--- a/Shorewall-common/macro.Rdate
+++ b/Shorewall-common/macro.Rdate
@@ -10,7 +10,7 @@
 #	use Time macro instead.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	37
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Reject b/Shorewall-common/macro.Reject
index a1472390e..3fff4f90d 100644
--- a/Shorewall-common/macro.Reject
+++ b/Shorewall-common/macro.Reject
@@ -12,8 +12,8 @@
 #
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 #
 # Don't log 'auth' REJECT
 #
diff --git a/Shorewall-common/macro.Rsync b/Shorewall-common/macro.Rsync
index aace34107..04c24677e 100644
--- a/Shorewall-common/macro.Rsync
+++ b/Shorewall-common/macro.Rsync
@@ -6,7 +6,7 @@
 #	This macro handles connections to the rsync server.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	873
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SMB b/Shorewall-common/macro.SMB
index 0a1bd4b86..28b0e7f15 100644
--- a/Shorewall-common/macro.SMB
+++ b/Shorewall-common/macro.SMB
@@ -10,8 +10,8 @@
 #	between hosts you fully trust.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
 PARAM	-	-	udp	137:139
 PARAM	-	-	udp	1024:	137
diff --git a/Shorewall-common/macro.SMBBI b/Shorewall-common/macro.SMBBI
index defd8bc5e..c982b5ef8 100644
--- a/Shorewall-common/macro.SMBBI
+++ b/Shorewall-common/macro.SMBBI
@@ -10,8 +10,8 @@
 #	allow SMB traffic between hosts you fully trust.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
 PARAM	-	-	udp	137:139
 PARAM	-	-	udp	1024:	137
diff --git a/Shorewall-common/macro.SMBswat b/Shorewall-common/macro.SMBswat
index 61b125536..9009d92f7 100644
--- a/Shorewall-common/macro.SMBswat
+++ b/Shorewall-common/macro.SMBswat
@@ -7,7 +7,7 @@
 #	(SWAT).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	901
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SMTP b/Shorewall-common/macro.SMTP
index 3503aad6b..a72ce6c00 100644
--- a/Shorewall-common/macro.SMTP
+++ b/Shorewall-common/macro.SMTP
@@ -14,7 +14,7 @@
 #	the POP3 or IMAP macros.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	25
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SMTPS b/Shorewall-common/macro.SMTPS
index 6d86a36f0..2d013f038 100644
--- a/Shorewall-common/macro.SMTPS
+++ b/Shorewall-common/macro.SMTPS
@@ -11,7 +11,7 @@
 #	the POP3(S) or IMAP(S) macros.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	465
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SNMP b/Shorewall-common/macro.SNMP
index 8f55e74f6..6c9a153f8 100644
--- a/Shorewall-common/macro.SNMP
+++ b/Shorewall-common/macro.SNMP
@@ -6,8 +6,8 @@
 #	This macro handles SNMP traffic (including traps).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	161:162
 PARAM	-	-	tcp	161
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SPAMD b/Shorewall-common/macro.SPAMD
index 850d3d914..43133c1fe 100644
--- a/Shorewall-common/macro.SPAMD
+++ b/Shorewall-common/macro.SPAMD
@@ -6,7 +6,7 @@
 #	This macro handles Spam Assassin SPAMD traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	783
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SSH b/Shorewall-common/macro.SSH
index 026fce248..32dc0e265 100644
--- a/Shorewall-common/macro.SSH
+++ b/Shorewall-common/macro.SSH
@@ -6,7 +6,7 @@
 #	This macro handles secure shell (SSH) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	22
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SVN b/Shorewall-common/macro.SVN
index c3e3a3b96..5aeb3061b 100644
--- a/Shorewall-common/macro.SVN
+++ b/Shorewall-common/macro.SVN
@@ -7,7 +7,7 @@
 #
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	3690
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.SixXS b/Shorewall-common/macro.SixXS
index 8d054930d..2274b0e48 100644
--- a/Shorewall-common/macro.SixXS
+++ b/Shorewall-common/macro.SixXS
@@ -6,7 +6,7 @@
 #	This macro handles SixXS -- An IPv6 Deployment and Tunnel Broken
 #
 ###############################################################################
-#ACTION		SOURCE		DEST	PROTO	DEST	SOURCE	RATE	USER/
+#ACTION		SOURCE		PROTO	DEST	SOURCE	RATE	USER/
 #						PORT	PORT(S)	LIMIT	GROUP
 PARAM		-		-	tcp	3874      # Used for retrieving the tunnel information (eg by AICCU)
 PARAM		-		-	udp	3740      # Used for signaling where the current IPv4 endpoint
diff --git a/Shorewall-common/macro.Submission b/Shorewall-common/macro.Submission
index 1000a8f64..c824ac7db 100644
--- a/Shorewall-common/macro.Submission
+++ b/Shorewall-common/macro.Submission
@@ -6,7 +6,7 @@
 #	This macro handles mail message submission traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	587
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Syslog b/Shorewall-common/macro.Syslog
index 3c32dab13..19966ad67 100644
--- a/Shorewall-common/macro.Syslog
+++ b/Shorewall-common/macro.Syslog
@@ -6,7 +6,7 @@
 #	This macro handles syslog UDP traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	514
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.TFTP b/Shorewall-common/macro.TFTP
index 1367a3c55..168a25c78 100644
--- a/Shorewall-common/macro.TFTP
+++ b/Shorewall-common/macro.TFTP
@@ -8,7 +8,7 @@
 #	Internet.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	69
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Telnet b/Shorewall-common/macro.Telnet
index d960eaf74..5e75447e7 100644
--- a/Shorewall-common/macro.Telnet
+++ b/Shorewall-common/macro.Telnet
@@ -7,7 +7,7 @@
 #	internet, telnet is inappropriate; use SSH instead
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	23
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Telnets b/Shorewall-common/macro.Telnets
index ac5867d61..472e1230d 100644
--- a/Shorewall-common/macro.Telnets
+++ b/Shorewall-common/macro.Telnets
@@ -7,7 +7,7 @@
 #	For traffic over the internet, SSH might be more practical.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	992
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Time b/Shorewall-common/macro.Time
index 186a47f2d..bb8ca7f88 100644
--- a/Shorewall-common/macro.Time
+++ b/Shorewall-common/macro.Time
@@ -8,7 +8,7 @@
 #	you shouldn't be using this.  NTP is a superior alternative.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	37
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Trcrt b/Shorewall-common/macro.Trcrt
index 439615163..586dfab59 100644
--- a/Shorewall-common/macro.Trcrt
+++ b/Shorewall-common/macro.Trcrt
@@ -6,8 +6,8 @@
 #	This macro handles Traceroute (for up to 30 hops).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	33434:33524 # UDP Traceroute
 PARAM	-	-	icmp	8	    # ICMP Traceroute
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.VNC b/Shorewall-common/macro.VNC
index 6e3ee6e27..154b7f81a 100644
--- a/Shorewall-common/macro.VNC
+++ b/Shorewall-common/macro.VNC
@@ -6,7 +6,7 @@
 #	This macro handles VNC traffic for VNC display's 0 - 9.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	5900:5909
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.VNCL b/Shorewall-common/macro.VNCL
index 66c93fa4b..81f561124 100644
--- a/Shorewall-common/macro.VNCL
+++ b/Shorewall-common/macro.VNCL
@@ -7,7 +7,7 @@
 #	mode.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	5500
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Web b/Shorewall-common/macro.Web
index ad961d1a0..2176b5b1c 100644
--- a/Shorewall-common/macro.Web
+++ b/Shorewall-common/macro.Web
@@ -8,8 +8,8 @@
 #	is recommended.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	80	# HTTP (plaintext)
 PARAM	-	-	tcp	443	# HTTPS (over SSL)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Webmin b/Shorewall-common/macro.Webmin
index c8a557765..9a35055d8 100644
--- a/Shorewall-common/macro.Webmin
+++ b/Shorewall-common/macro.Webmin
@@ -6,7 +6,7 @@
 #	This macro handles Webmin traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	10000
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/macro.Whois b/Shorewall-common/macro.Whois
index 7425a8833..6e9c8bd67 100644
--- a/Shorewall-common/macro.Whois
+++ b/Shorewall-common/macro.Whois
@@ -6,7 +6,7 @@
 #	This macro handles whois (nicname) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#				PORT	PORT(S)	DEST		LIMIT	GROUP
+#ACTION	SOURCE	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	43
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index dd5c05019..59286e937 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -1,4 +1,4 @@
-Shorewall 4.0 Patch release 5
+Shorewall 4.0 Patch release 6
 
 ----------------------------------------------------------------------------
                R E L E A S E  4 . 0  H I G H L I G H T S
@@ -26,197 +26,217 @@ Shorewall 4.0 Patch release 5
    Shorewall-perl compiler. This support utilizes the reduced-function
    physdev match support available in Linux kernel 2.6.20 and later.
 
-Problems corrected in Shorewall 4.0.5.
+Problems corrected in Shorewall-perl 4.0.6.
 
-1)  Previously, Shorewall-perl misprocessed $FW::<port> in the DEST
-    column of a REDIRECT rule, generating an error. '$FW::<port>' now
-    produces the same effect as '<port>'.
+1)  In a DNAT or REDIRECT rule, if no serverport was given and the DEST
+    PORT(S) list contained a service name containing a hyphen ("-") then
+    an ERROR was generated.
 
-2)  If the PROTOCOL (PROTO) column contained 'TCP' or 'UDP' and SOURCE
-    PORT(S) or DEST PORT(S) were given, then Shorewall-perl rejected
-    the entry with the error:
+    Example -- Rules file:
 
-    ERROR: SOURCE/DEST PORT(S) not allowed with PROTO TCP : /etc/shorewall/rules 
+	DNAT	net	loc:$WINDOWS_IP tcp	https,pptp,ms-wbt-server,4125
 
-    The rule was accepted if 'tcp' or 'udp' was used instead.
+    Results in:
 
-3)  Shorewall-shell now removes any default bindings of ipsets before
-    attempting to reload them. Previously, default bindings were not
-    removed with the result that the ipsets could not be destroyed.
+	ERROR: Invalid port range (ms:wbt:server) : rules (line 49)
 
-Other changes in Shorewall 4.0.5.
+    Problem was introduced in Shorewall 4.0.5 and does not occur in
+    earlier releases.
 
-1)  Two new options have been added to /etc/shorewall/hosts
-    (Shorewall-perl only).
+2)  If a long destination port list needed to be broken at a port pair,
+    the generated rule contained an extra comma which resulted in an
+    iptables-restore failure.
 
-    broadcast: Permits limited broadcast (destination 255.255.255.255)
-               to the zone.
+3)  Several problems involving port ranges and port lists in REDIRECT
+    rules have been corrected.
 
-    destonly: Normally used with the Multi-cast range. Specifies that
-	      traffic will be sent to the specified net(s) but that 
-	      no traffic will be received from the net(s).
+4)  Shorewall-perl no longer requires an address in the GATEWAY column
+    of /etc/shorewall/tunnels. If the column is left empty (or contains
+    '-') then 0.0.0.0/0 is assumed.
+
+5)  Previously with Shorewall-perl, redirecting both STDOUT and STDERR
+    to the same file descriptor resulted in scrambled output between
+    the two. The error messages were often in the middle of the
+    regular output far ahead of the point where the error occurred.
+
+    This problem was possible in the Debian Shorewall init script
+    (/etc/init.d/shorewall) which redirects output to the
+    Debian-specific /var/log/shorewall-init.log file in this way:
+
+        $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && ...
+
+6)  With both compilers, when HIGH_ROUTE_MARKS=Yes, unpredictable
+    results could occur when marking in the PREROUTING or OUTPUT
+    chains. When a rule specified a mark value > 255, the compilers
+    were using the '--or-mark' operator rather than the '--set-mark'
+    operator. Consequently, when a packet matched more than one
+    rule, the resulting routing mark was the logical product of the
+    mark values in the matching rules rather than the mark value from
+    the last matching rule.
 
     Example:
 
-    wifi	eth1:192.168.3.0/24		broadcast
-    wifi	eth1:224.0.0.0/4		destonly
+	0x100	192.168.1.44	0.0.0.0/0
+	0x200	0.0.0.0/0	0.0.0.0/0	tcp	25
 
-    In that example, limited broadcasts from the firewall with a source
-    IP in the 192.168.3.0/24 range will be acccepted as will multicasts
-    (with any source address).
+    A TCP packet from 192.168.1.44 with destination port 25 would have
+    a  mark value of 0x300 rather than the expected value of 0x200.
 
-2)  A MULTICAST option has been added to shorewall.conf. This option
-    will normally be set to 'No' (the default). It should be set to 
-    'Yes' under the following circumstances:
+7)  Previously, a 'start -f' on Shorewall Lite would produce the
+    following distressing output before starting the firewall:
 
-    a) You have an interface that has parallel zones defined via
-       /etc/shorewall/hosts.
-    b) You want to forward multicast packets to two or more of those
-       parallel zones.
+    make: *** No rule to make target `/firewall', needed by
+    `/var/lib/shorewall-lite/restore'.  Stop.
 
-    In such cases, you will configure a 'destonly' network on each 
-    zone receiving multicasts.
+    Furthermore, the Makefile for both Shorewall and Shorewall Lite
+    failed to take into account the /etc/shorewall/vardir file.
 
-    The MULTICAST option is only recognized by Shorewall-perl and is
-    ignored by Shorewall-shell.
+    This has been corrected. As part of the fix, both /sbin/shorewall
+    and /sbin/shorewall-lite support a "show vardir" command that
+    displays the VARDIR setting.
 
-3)  As announced in the Shorewall 4.0.4 release notes, Shorewall-perl
-    no longer supports the 'detectnets' option. Specifying that option
-    now results in the following message:
+Other changes in Shorewall 4.0.6.
 
-    WARNING: Support for the 'detectnets' option has been removed
+1)  Shorewall-perl now uses the '--physdev-is-bridged' option when it
+    is available. This option will suppress messages like the following:
 
-    It is suggested that 'detectnets' be replaced by
-    'routefilter,logmartians'. That will produce the same filtering
-    effect as 'detectnets' while eliminating 1-2 rules per connection.
+    kernel: physdev match: using --physdev-out in the OUTPUT, FORWARD and
+    POSTROUTING chains for non-bridged traffic is not supported
+    anymore.
 
-    One user has asked how to retain the output of 'shorewall show
-    zones' if the 'detectnets' option is removed. While I don't advise
-    doing so, you can reproduce the current 'shorewall show' behavior
-    as follows.
+    This change only affects users who use bport/bport4 zones in a
+    briged configuration and requires that capabilities files be
+    regenerated using Shorewall-common or Shorewall-lite 4.0.6.
 
-    Suppose that you have a zone named 'wifi' that produces the
-    following output with 'detectnets':
+2)  Shorewall-perl now allows you to embed Shell or Perl scripts in
+    all configuration files except /etc/shorewall/params and
+    /etc/shorewall/shorewall.conf (As always, you can continue to
+    include arbitrary shell code in /etc/shorewall/params).
 
-    wifi (ipv4)
-      eth1:192.168.3.0/24
- 
-    You can reproduce this behavior as follows:
+    To embed a one-line script, use one of the following:
 
-    /etc/shorewall/interfaces:
+        SHELL <shell script>
+	PERL <perl script>
 
-    -	eth1	detect	...
+    For multi-line scripts, use:
 
-    /etc/shorewall/hosts:
+	BEGIN SHELL
+	<shell script>
+	END SHELL
 
-    wifi	eth1:192.168.3.0/24	broadcast
+	BEGIN PERL
+	<perl script>
+	END PERL
 
-    If you send multicast to the 'wifi' zone, you also need this entry
-    in your hosts file:
+    For SHELL scripts, the output from the script is processed as if it
+    were part of the file.
 
-    wifi	eth1:224.0.0.0/4		destonly
+    Example 1 (Shell): To generate SMTP/ACCEPT rules from zones a b c d
+    and e to the firewall:
 
-4)  (Shorewall-perl only) The server port in a DNAT or REDIRECT rule
-    may now be specified as a service name from
-    /etc/services. Additionally:
+	Either:
 
-    a) A port-range may be specified as the service port expressed in
-       the format <low port>-<high port>. Connections are assigned to
-       server ports in round-robin fashion.
+	    BEGIN SHELL 
+	    for z in a b c d e; do
+	        echo SMTP/ACCEPT $z fw tcp 25
+	    done
+	    END SHELL
 
-    b) The compiler only permits a server port to be specified if the
-       protocol is tcp or udp.
+        or
 
-    c) The compiler ensures that the server IP address is valid (note
-       that it is still not permitted to specify the server address as a
-       DNS name).
+	    SHELL for z in a b c d e; do echo SMTP/ACCEPT $z fw tcp 25; done
 
-5)  (Shorewall-perl only) Users are complaining that when they migrate
-    to Shorewall-perl, they have to restrict their port lists to 15
-    ports. In this release, we relax that restriction on destination
-    port lists. Since the SOURCE PORT(s) column in the configuration
-    files is rarely used, we have no plans to relax the restriction in
-    that column.
+    Either is equivalent to:
 
-6)  There have been several cases where iptables-restore has failed
-    while executing a COMMIT command in the .iptables_restore_input
-    file. This gives neither the user nor Shorewall support much to go
-    on when analyzing the problem. As a new debugging aid, the meaning
-    of 'trace' and 'debug' have been changed.
+	SMTP/ACCEPT a fw tcp 25
+	SMTP/ACCEPT b fw tcp 25
+	SMTP/ACCEPT c fw tcp 25
+	SMTP/ACCEPT d fw tcp 25
+	SMTP/ACCEPT e fw tcp 25
 
-    Traditionally, /sbin/shorewall and /sbin/shorewall-lite have
-    allowed either 'trace' or 'debug' as the first run-line
-    parameter. Prior to 4.0.5, the two words produced the same effect.
+    With a Perl script, if you want to output text to be processed as
+    if it were part of the file, then pass the text to the shorewall()
+    function.
 
-    Beginning with Shorewall 4.0.5, the two words have different
-    effects when Shorewall-perl is used.
+    Example 2 (Perl): To generate SMTP/ACCEPT rules from zones a b c d
+    and e to the firewall:
 
-    trace - Like the previous behavior.
+	  BEGIN PERL 
+	  for ( qw/a b c d e/ ) { 
+	      shorewall "SMTP/ACCEPT $_ fw tcp 25";
+	  }
+	  END PERL
 
-            In the Shorewall-perl compiler, generate a stack trace
-            on WARNING and ERROR messages.
+    PERL scripts have access to any context accumulated in earlier PERL
+    scripts. All such embedded Perl, as well as conventional Perl
+    extension scripts are placed in the Shorewall::User package. That
+    way, your global variables and functions won't conflict with any of
+    Shorewall's.
 
-	    In the generated script, sets the shell's -x option to
-	    trace execution of the script.
+    To allow you to load Perl modules and initialize any global state,
+    a new 'compile' compile-time extension script has been added. It is
+    called early in the compilation process.
 
-    debug - Ignored by the Shorewall-perl compiler.
+    For additional information, see
 
-            In the generated script, causes the commands in
-            .iptables_restore_input to be executed as discrete iptables
-            commands. The failing command can thus be identified and a
-            diagnosis of the cause can be made.
+    - http://www.shorewall.net/configuration_file_basics.html#Embedded
 
-    Users of Shorewall-lite will see the following change when using a
-    script that was compiled with Shorewall-perl 4.0.5 or later.
+3)  To complement Embedded Perl scripts, Shorewall 4.0.6 allows Perl
+    scripts to create filter chains using
+    Shorewall::Chains::new_manual_chain() and then use the chain as a
+    target in subsequent entries in /etc/shorewall/rules.
 
-    trace - In the generated script, sets the shell's -x option to
-            trace execution of the script.
+    See http://www.shorewall.net/ManualChains.html for information.
 
-    debug - In the generated script, causes the commands in
-            .iptables_restore_input to be executed as discrete iptables
-            commands. The failing command can thus be identified and a
-            diagnosis of the cause can be made.
+4)  The 'hits' command now accepts a -t option which limits the report
+    to those log records generated today.
 
-    In all other cases, 'debug' and 'trace' remain synonymous. In
-    particular, users of Shorewall-shell will see no change in
-    behavior.
+5)  A DONT_LOAD option has been added to shorewall.conf. If there are
+    kernel modules that you don't wish to have loaded, you can list
+    them in this entry as a comma-separated list.
 
-    WARNING: The 'debug' feature in Shorewall-perl is strictly for
-    problem analysis. When 'debug' is used:
+    Example:
 
-    a) The firewall is made 'wide open' before the rules are applied.
-    b) The routestopped file is not consulted and the rules are applied
-       in the canonical iptables-restore order (ASCIIbetical by chain).
-       So if you need critical hosts to be always available during
-       start/restart, you may not be able to use 'debug'.
+	DONT_LOAD=nf_conntrack_sip,nf_nat_sip
 
-7)  /usr/share/shorewall-perl/buildports.pl,
-    /usr/share/shorewall-perl/FallbackPorts.pm and 
-    /usr/share/shorewall-perl/Shorewall/Ports.pm have been removed.
+6)  Shorewall-perl now supports the --random option of the iptables
+    SNAT, MASQUERADE, DNAT and REDIRECT targets. Please note that
+    iptables support for this option is currently broken for the DNAT
+    and REDIRECT targets; I've sent a patch to the Netfilter team.
 
-    Shorewall now resolves protocol and port names as using Perl's
-    interface to the the standard C library APIs getprotobyname() and
-    getservbyname().
+    For MASQUERADE, simply place the word 'random' in the ADDRESS
+    column. This causes Netfilter to randomize the source port seen by
+    the remote host.
 
-    Note 1: 
+     Example:
 
-	   The protocol names 'tcp', 'TCP', 'udp', 'UDP', 'all', 'ALL',
-	   'icmp' and 'ICMP' are still resolved by Shorewall-perl
-	   itself.
+	#INTERFACE	SOURCE	ADDRESS
+	eth0		eth1	random    
 
-    Note 2:
+    For SNAT, follow the port list by ":random".
 
-	   Those of you running Shorewall-perl under Cygwin may wish to
-	   install "real" /etc/protocols and /etc/services files
-	   in place of the symbolic links installed by Cygwin.
+    Example:
 
-8)  The contents of the Shorewall::*::$VERSION variables are now a
-    V-string (e.g., 4.0.5) rather than an integer (e.g., 4.05). This is
-    only of interest for Perl programs that are using the modules and
-    specifying a minimum version (e.g., "use Shorewall::Config
-    4.0.5;"). Each module continues to carry a separate version which
-    indicates the release of Shorewall-perl when the module was last
-    modified.
+	#INTERFACE	SOURCE	ADDRESS
+	eth0		eth1	206.124.146.179:10000-10999:random
+
+    For DNAT, follow the port list by ":random".
+
+    Example:
+
+	#ACTION	SOURCE	DEST				PROTO	DEST
+	#						PORT(S)
+	DNAT	net	loc:192.168.1.4:40-50:random	tcp	22
+
+    For REDIRECT, you must use the fully-qualified form of the DEST:
+
+   	#ACTION	  SOURCE	DEST			PROTO	DEST
+	#						PORT(S)
+	REDIRECT	net	$FW::40-50:random	tcp	22
+
+    Note that ':random' is only effective with SNAT, DNAT and REDIRECT
+    when a port range is specified in the ADDRESS/DEST column. It is
+    ignored by iptables/iptables-restore otherwise.
 
 Migration Considerations:
 
@@ -807,6 +827,7 @@ Migration Considerations:
     - Perl File::Temp Module
     - Perl Getopt::Long Module
     - Perl FindBin Module
+    - Perl Scaler::Util Module
     ------------------------------------------------------------------------
                U S I N G   T H E   N E W   C O M P I L E R
     ------------------------------------------------------------------------
@@ -978,17 +999,6 @@ Migration Considerations:
 
        /usr/share/shorewall-perl/compiler.pl -v 2 -d . firewall
 
-    Note: For compatibility with the Shorewall 3.4.2 and 3.4.3
-    releases, options not passed on the run-line get their values from
-    environmental variables:
-
-	   Option                 Variable
-
-	   --verbosity		  VERBOSE
-	   --export		  EXPORT
-	   --directory		  SHOREWALL_DIR
-	   --timestamp		  TIMESTAMP
-
     The Perl Module is externalized as follows:
 
 	use lib '/usr/share/shorewall-perl';
@@ -1013,6 +1023,7 @@ Migration Considerations:
 
 			EXPORT    = 0x01
 			TIMESTAMP = 0x02
+			DEBUG     = 0x04
 
         $chains -     A comma-separated list of chains that the
                       generated script's 'refresh' command will
@@ -1071,194 +1082,342 @@ Migration Considerations:
     (compiler, shorewall-common and shorewall-lite) must be version
     4.0.0-RC2 or later.
 
-Problems corrected in 4.0.1.
+Problems corrected in Shorewall 4.0.5.
 
-1)  The Shorewall Lite installer was producing an empty shorewall-lite
-    manpage. Since the installer runs as part of creating the RPM, the
-    RPM also suffered from this problem. The 4.0.0 Shorewall-lite 
-    packages were re-uploaded with this problem corrected.
+1)  Previously, Shorewall-perl misprocessed $FW::<port> in the DEST
+    column of a REDIRECT rule, generating an error. '$FW::<port>' now
+    produces the same effect as '<port>'.
 
-2)  The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall
-    rather than /sbin/shorewall-lite.
+2)  If the PROTOCOL (PROTO) column contained 'TCP' or 'UDP' and SOURCE
+    PORT(S) or DEST PORT(S) were given, then Shorewall-perl rejected
+    the entry with the error:
 
-3)  Both the Shorewall and Shorewall Lite uninstallers did a "shorewall
-    clear" if Shorewall [Lite] was running. Now, the Shorewall Lite
-    uninstaller correctly does "shorewall-lite clear" and both
-    uninstallers only perform the 'clear' operation if the other
-    product is not installed. This prevents the removal of one of the
-    two products from clearing the firewall configuration established
-    by the other one.
+    ERROR: SOURCE/DEST PORT(S) not allowed with PROTO TCP : /etc/shorewall/rules 
 
-4)  The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by
-    Shorewall-perl. If the zone type was changed to 'ipsec' or
-    'ipsec4' and the 'ipsec' option removed from the hosts file entry,
-    the configuration worked properly.
+    The rule was accepted if 'tcp' or 'udp' was used instead.
 
-5)  If a CLASSID was specified in a tcrule and TC_ENABLED=No, then
-    Shorewall-perl produced the following:
+3)  Shorewall-shell now removes any default bindings of ipsets before
+    attempting to reload them. Previously, default bindings were not
+    removed with the result that the ipsets could not be destroyed.
 
-    Compiling...
-    Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18.
-       ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18)
+Other changes in Shorewall 4.0.5.
 
-6)  If IPTABLES was not specified in shorewall.conf, Shorewall-perl was
-    locating the binary using the PATH environmental variable rather
-    than the PATH setting in shorewall.conf.  If no PATH was available
-    when Shorewall-perl was run and IPTABLES was not set in
-    shorewall.conf, the following messages were issued:
+1)  Two new options have been added to /etc/shorewall/hosts
+    (Shorewall-perl only).
 
-    Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054.
-       ERROR: Can't find iptables executable
-       ERROR: Shorewall restart failed
+    broadcast: Permits limited broadcast (destination 255.255.255.255)
+               to the zone.
 
-7)  If the "Mangle FORWARD Chain" capability was supported, entries in
-    the /etc/shorewall/ecn file would cause invalid iptables commands
-    to be generated. This problem occurred with both compilers.
+    destonly: Normally used with the Multi-cast range. Specifies that
+	      traffic will be sent to the specified net(s) but that 
+	      no traffic will be received from the net(s).
 
-8)  Shorewall now starts at reboot after an upgrade from shorewall <
-    4.0.0. Previously, Shorewall was not started automatically at
-    reboot after an upgrade using the RPM.
+    Example:
 
-9)  Shorewall-perl was generating invalid iptables-restore input when a
-    log level was specified with the dropBcast and allowBcast builtin
-    actions and when a log level followed by '!' was used with any
-    builtin actions.
+    wifi	eth1:192.168.3.0/24		broadcast
+    wifi	eth1:224.0.0.0/4		destonly
 
-10) Shorewall-perl was incorrectly rejecting 'min' as a valid unit of
-    time in rate-limiting specifications.
+    In that example, limited broadcasts from the firewall with a source
+    IP in the 192.168.3.0/24 range will be acccepted as will multicasts
+    (with any source address).
 
-11) Certain errors occurring during
-    start/restart/safe-start/safe-restart/try processing could cause
-    the lockfile to be left behind. This resulted in a 60-second delay
-    the next time one of these commands was run.
+2)  A MULTICAST option has been added to shorewall.conf. This option
+    will normally be set to 'No' (the default). It should be set to 
+    'Yes' under the following circumstances:
 
-Other changes in Shorewall 4.0.1.
+    a) You have an interface that has parallel zones defined via
+       /etc/shorewall/hosts.
+    b) You want to forward multicast packets to two or more of those
+       parallel zones.
 
-1)  A new EXPAND_POLICIES option is added to shorewall.conf. The
-    option is recognized by Shorewall-perl and is ignored by
-    Shorewall-shell.
+    In such cases, you will configure a 'destonly' network on each 
+    zone receiving multicasts.
 
-    Normally, when the SOURCE or DEST columns in shorewall-policy(5)
-    contains 'all', a single policy chain is created and the policy is
-    enforced in that chain. For example, if the policy entry is
+    The MULTICAST option is only recognized by Shorewall-perl and is
+    ignored by Shorewall-shell.
 
-	     #SOURCE DEST POLICY LOG
-	     #                   LEVEL
-	     net     all  DROP   info
+3)  As announced in the Shorewall 4.0.4 release notes, Shorewall-perl
+    no longer supports the 'detectnets' option. Specifying that option
+    now results in the following message:
 
-    then the chain name is 'net2all' which is also the chain named in
-    Shorewall log messages generated as a result of the policy. If
-    EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate
-    chain for each pair of zones covered by the policy. This makes the
-    resulting log messages easier to interpret since the chain in the
-    messages will have a name of the form 'a2b' where 'a' is the SOURCE
-    zone and 'b' is the DEST zone. See
-    http://linuxman.wikispaces.com/PPPPPPS for more information.
+    WARNING: Support for the 'detectnets' option has been removed
 
-2)  The Shorewall-perl dependency on the "Address Type Match"
-    capability has been relaxed. This allows Shorewall 4.0.1 to be used
-    on releases like RHEL4 that don't support that capability.
+    It is suggested that 'detectnets' be replaced by
+    'routefilter,logmartians'. That will produce the same filtering
+    effect as 'detectnets' while eliminating 1-2 rules per connection.
 
-3)  Shorewall-perl now detects dead policy file entries that result
-    when an entry is masked by an earlier entry. Example:
+    One user has asked how to retain the output of 'shorewall show
+    zones' if the 'detectnets' option is removed. While I don't advise
+    doing so, you can reproduce the current 'shorewall show' behavior
+    as follows.
 
-	 all	 all	  REJECT    info
-	 loc	 net	  ACCEPT
+    Suppose that you have a zone named 'wifi' that produces the
+    following output with 'detectnets':
 
-4)  Recent kernels are apparently hard to configure and we have been
-    seeing a lot of problem reports where the root cause is the lack of
-    state match support in the kernel. This problem is difficult to
-    diagnose when using Shorewall-perl so the generated shell program
-    now checks specifically for this problem and terminates with an
-    error if the capability doesn't exist.
+    wifi (ipv4)
+      eth1:192.168.3.0/24
+ 
+    You can reproduce this behavior as follows:
 
-Problems corrected in 4.0.2
+    /etc/shorewall/interfaces:
 
-1)  The Shorewall-perl compiler was still generating invalid
-    iptables-restore input from entries in /etc/shorewall/ecn.
+    -	eth1	detect	...
 
-2)  When using Shorewall-perl, unless an interface was specified as
-    'optional' in the interfaces file, the 'restore' command would
-    fail if the routes through the interface or the addresses on the
-    interface could not be detected.
+    /etc/shorewall/hosts:
 
-    Route detection occurs when the interface is named in the SOURCE
-    column of the masq file. Address detection occurs when
-    DETECT_DNAT_IPADDRS=Yes and the interface is the SOURCE for a DNAT
-    or REDIRECT rule or when 'maclist' is specified for the interface.
-   
-    Since the 'restore' command doesn't use the detected information,
-    detection is now skipped if the command is 'restore'.
+    wifi	eth1:192.168.3.0/24	broadcast
 
-3)  It was not previously possible to define traffic shaping on a
-    bridge port; the generated script complained that the
-    interface was not up and configured.
+    If you send multicast to the 'wifi' zone, you also need this entry
+    in your hosts file:
 
-4)  When Shorewall-shell was not installed, certain options in
-    /etc/shorewall/interfaces and /etc/shorewall/hosts would cause the
-    'add' and 'delete' commands to fail with a missing library error.
+    wifi	eth1:224.0.0.0/4		destonly
 
-	  OPTION               FILE
-	  maclist	       interfaces,hosts
-	  proxyarp	       interfaces
+4)  (Shorewall-perl only) The server port in a DNAT or REDIRECT rule
+    may now be specified as a service name from
+    /etc/services. Additionally:
 
-5)  The /var/lib/shorewall/zones file was being overwritten during
-    processing of the 'refresh' command by a script generated with
-    Shorewall-perl. The result was that hosts previously added to
-    dynamic zones could not be deleted after the 'refresh'.
+    a) A port-range may be specified as the service port expressed in
+       the format <low port>-<high port>. Connections are assigned to
+       server ports in round-robin fashion.
 
-6)  If the file named as the output file in a Shorewall-perl 'compile'
-    command was a symbolic link, the generated error message
-    erroneously stated that the file's parent directory was a symbolic
-    link.
+    b) The compiler only permits a server port to be specified if the
+       protocol is tcp or udp.
 
-    As part of this change, cosmetic changes were made to a number of
-    other error messages.
+    c) The compiler ensures that the server IP address is valid (note
+       that it is still not permitted to specify the server address as a
+       DNS name).
 
-7)  Some intra-zone rules were missing when a zone involved multiple
-    interfaces or when a zone included both IPSEC and non-IPSEC
-    networks.
+5)  (Shorewall-perl only) Users are complaining that when they migrate
+    to Shorewall-perl, they have to restrict their port lists to 15
+    ports. In this release, we relax that restriction on destination
+    port lists. Since the SOURCE PORT(s) column in the configuration
+    files is rarely used, we have no plans to relax the restriction in
+    that column.
 
-8)  Shorewall was not previously loading the xt_multiport kernel
-    module.
+6)  There have been several cases where iptables-restore has failed
+    while executing a COMMIT command in the .iptables_restore_input
+    file. This gives neither the user nor Shorewall support much to go
+    on when analyzing the problem. As a new debugging aid, the meaning
+    of 'trace' and 'debug' have been changed.
 
-9)  The Russian and French translations no longer have English headings
-    on notes, cautions, etc..
+    Traditionally, /sbin/shorewall and /sbin/shorewall-lite have
+    allowed either 'trace' or 'debug' as the first run-line
+    parameter. Prior to 4.0.5, the two words produced the same effect.
 
-10) Previously, using a port list in the DEST PORT(S) column of the
-    rules file or in an action file could cause an invalid iptables
-    command to be generated by Shorewall-shell.
+    Beginning with Shorewall 4.0.5, the two words have different
+    effects when Shorewall-perl is used.
 
-11) If there were no bridges in a configuration, Shorewall-perl would
-    ignore the CHAIN column in /etc/shorewall/accounting.
+    trace - Like the previous behavior.
 
-Other changes in 4.0.2
+            In the Shorewall-perl compiler, generate a stack trace
+            on WARNING and ERROR messages.
 
-1)  Shorewall-perl now detects when a port range is included in a list
-    of ports and iptables/kernel support for Extended Multi-port Match
-    is not available. This avoids an iptables-restore failure at
-    run-time.
+	    In the generated script, sets the shell's -x option to
+	    trace execution of the script.
 
-2)  Most chains created by Shorewall-shell have names that can be
-    embedded within shell variable names. This is a workaround for
-    limitations in the shell programming language which has no
-    equivalent to Perl hashes. Often chain names must have the name of
-    a network interface encoded in them. Given that interface names can
-    contain characters that are invalid in a shell variable name,
-    Shorewall-shell performs a name mapping which was carried forward to
-    Shorewall-perl:
+    debug - Ignored by the Shorewall-perl compiler.
 
-    - Trailing '+' is dropped.
-    - The characters ".", "-", "%' and "@" are translated to "_".
+            In the generated script, causes the commands in
+            .iptables_restore_input to be executed as discrete iptables
+            commands. The failing command can thus be identified and a
+            diagnosis of the cause can be made.
 
-    This mapping has been elminated in the 4.0.2 release of Shorewall-
-    perl. So where before you would see chain "eth0_0_in", you may now
-    see the same chain named "eth0.0_in". Similarly, a chain previously
-    named "ppp_fwd" may now be called "ppp+_fwd".
+    Users of Shorewall-lite will see the following change when using a
+    script that was compiled with Shorewall-perl 4.0.5 or later.
 
-3)  Shorewall-perl now uses the contents of the BROADCAST column in
-    /etc/shorewall/interfaces when the Address Type match capability is
-    not available.
+    trace - In the generated script, sets the shell's -x option to
+            trace execution of the script.
+
+    debug - In the generated script, causes the commands in
+            .iptables_restore_input to be executed as discrete iptables
+            commands. The failing command can thus be identified and a
+            diagnosis of the cause can be made.
+
+    In all other cases, 'debug' and 'trace' remain synonymous. In
+    particular, users of Shorewall-shell will see no change in
+    behavior.
+
+    WARNING: The 'debug' feature in Shorewall-perl is strictly for
+    problem analysis. When 'debug' is used:
+
+    a) The firewall is made 'wide open' before the rules are applied.
+    b) The routestopped file is not consulted and the rules are applied
+       in the canonical iptables-restore order (ASCIIbetical by chain).
+       So if you need critical hosts to be always available during
+       start/restart, you may not be able to use 'debug'.
+
+7)  /usr/share/shorewall-perl/buildports.pl,
+    /usr/share/shorewall-perl/FallbackPorts.pm and 
+    /usr/share/shorewall-perl/Shorewall/Ports.pm have been removed.
+
+    Shorewall now resolves protocol and port names as using Perl's
+    interface to the the standard C library APIs getprotobyname() and
+    getservbyname().
+
+    Note 1: 
+
+	   The protocol names 'tcp', 'TCP', 'udp', 'UDP', 'all', 'ALL',
+	   'icmp' and 'ICMP' are still resolved by Shorewall-perl
+	   itself.
+
+    Note 2:
+
+	   Those of you running Shorewall-perl under Cygwin may wish to
+	   install "real" /etc/protocols and /etc/services files
+	   in place of the symbolic links installed by Cygwin.
+
+8)  The contents of the Shorewall::*::$VERSION variables are now a
+    V-string (e.g., 4.0.5) rather than an integer (e.g., 4.05). This is
+    only of interest for Perl programs that are using the modules and
+    specifying a minimum version (e.g., "use Shorewall::Config
+    4.0.5;"). Each module continues to carry a separate version which
+    indicates the release of Shorewall-perl when the module was last
+    modified.
+
+Problems Corrected in Shorewall 4.0.4
+
+1)  If no interface had the 'blacklist' option, then when using
+    Shorewall-perl, the 'start' and 'restart' command failed:
+
+        ERROR: No filter chain found with name blacklst
+
+    New Shorewall-perl 4.0.3 packages were released that corrected this
+    problem; it is included here for completeness.
+
+2)  If no interface had the 'blacklist' option, then when using
+    Shorewall-perl, the generated script would issue this harmless
+    message during 'shorewall refresh':
+
+        chainlist_reload: Not found
+
+3)  If /bin/sh was a light-weight shell such as ash or dash, then
+    'shorewall refresh' failed.
+
+4)  During start/restart, the script generated by Shorewall-perl was
+    clearing the proxy_arp flag on all interfaces; that is not the
+    documented behavior.
+
+5)  If the module-init-tools package was not installed and
+    /etc/shorewall/modules did not exist or was non-empty, then
+    Shorewall-perl would fail with the message:
+
+       ERROR: Can't run lsmod : /etc/shorewall/modules (line 0)
+
+6)  Shorewall-perl now makes a compile-time check to insure that
+    iptables-restore exists and is executable. This check is made when
+    the compiler is being run by root and the -e option is not
+    given.
+
+    Note that iptables-restore must reside in the same directory as the
+    iptables executable specified by IPTABLES in shorewall.conf or
+    located by the PATH in the event that IPTABLES is not specified.
+
+7)  When using Shorewall-perl, if an action was invoked with more than
+    10 different combinations of log-levels/tags, some of those
+    invocations would have incorrect logging.
+
+8)  Previously, when 'shorewall restore' was executed, the
+    iptables-restore utility was always located using the PATH setting
+    rather than the IPTABLES setting.
+
+    With Shorewall-perl, the IPTABLES setting is now used to locate
+    this utility during 'restore' as it is during the processing of
+    other commands.
+
+9)  Although the shorewall.conf manpage indicates that the value
+    'internal' is allowed for TC_ENABLED, that value was previously
+    rejected ('Internal' was accepted).
+
+10) The meaning of the 'loose' provider option was accidentally reversed
+    in Shorewall-perl. Rather than causing certain routing rules to be
+    omitted when specified, it actually caused them to be added (these
+    rules were omitted when the option was NOT specified).
+
+11) If the 'bridge' option was specified on an interface but there were
+    no bport zones, then traffic originating on the firewall was not
+    passed through the accounting chain.
+
+12) In commands such as:
+
+       shorewall compile <directory>
+       shorewall restart <directory>
+       shorewall check <directory>
+
+    if the name of the <directory> contained a period ("."), then
+    Shorewall-perl would incorrectly substitute the current working
+    directory for the name.
+
+13) Previously, if the following sequence of routing rules was
+    specified, then the first rule would always be omitted.
+
+    #SOURCE    DEST      PROVIDER     PRIORITY
+    $SRC_A     $DESTIP1  ISP1         1000
+    $SRC_A     $DESTIP2  SOMEISP      1000
+    $SRC_A     -         ISP2         1000
+
+    The reason for this omission was that Shorewall uses a
+    delete-before-add approach and attempting to delete the third rule
+    resulted in the deletion of the first one instead. 
+
+    This problem occurred with both compilers.
+
+14) When using Shorewall-shell, provider numbers were not recognized in
+    the PROVIDER column of /etc/shorewall/route_rules.
+
+15) An off-by-one problem in Shorewall-perl caused the value 255 to be
+    rejected in the MARK column of /etc/shorewall/tcclasses.
+
+16) When HIGH_ROUTE_MARKS=Yes, marks with values > 255 must be a
+    multiple of 256. That restriction was being enforced by
+    Shorewall-shell but not by Shorewall-perl. Shorewall-perl now also
+    enforces this restriction.
+
+17) Using REDIRECT with a parameterized macro (e.g., DNS/REDIRECT)
+    failed with an "Unknown interface" error when using Shorewall-perl.
+
+Other Changes in Shorewall 4.0.4
+
+1)  The detection of 'Repeat Match' has been improved. 'Repeat Match'
+    is not a match at all but rather is a feature of recent versions of
+    iptables that allows a particular match to be used multiple times
+    within a single rule.
+
+    Example:
+
+      -A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ...
+
+    When using Shorewall-shell, the availability of 'Repeat Match' can
+    speed up compilation very slightly.
+
+2)  Apparently recent Fedora releases are broken. The
+    following sequence of commands demonstrates the problem:
+
+    ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
+    ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main
+    ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000
+
+    The third command should fail but doesn't; instead, it incorrectly
+    removes the rule added by the first command.
+
+    To work around this issue, you can set DELETE_THEN_ADD=No in
+    shorewall.conf which prevents Shorewall from deleting ip rules
+    before attempting to add a similar rule.
+
+3)  When using Shorewall-perl, the following message is now issued if
+    the 'detectnets' option is specified in /etc/shorewall/interfaces:
+
+    WARNING: Support for the 'detectnets' option will be removed from
+    Shorewall-perl in version 4.0.5; better to use 'routefilter' and
+    'logmartians
+
+    The 'detect' options has always been rather silly. On input, it
+    duplicates the function of 'routefilter'. On output, it is a no-op
+    since traffic that doesn't match a route out of an interface won't
+    be sent through that interface (duh!).
+
+    Beginning with Shorewall 4.0.5, the warning message will read:
+
+    WARNING: Support for the 'detectnets' option has been removed
 
 Problems Corrected in 4.0.3
 
@@ -1468,148 +1627,191 @@ Other Changes in 4.0.3
     This feature requires Shorewall-perl 4.0.3 as well as
     Shorewall-common 4.0.3.
 
-Problems Corrected in Shorewall 4.0.4
+Problems corrected in 4.0.2
 
-1)  If no interface had the 'blacklist' option, then when using
-    Shorewall-perl, the 'start' and 'restart' command failed:
+1)  The Shorewall-perl compiler was still generating invalid
+    iptables-restore input from entries in /etc/shorewall/ecn.
 
-        ERROR: No filter chain found with name blacklst
+2)  When using Shorewall-perl, unless an interface was specified as
+    'optional' in the interfaces file, the 'restore' command would
+    fail if the routes through the interface or the addresses on the
+    interface could not be detected.
 
-    New Shorewall-perl 4.0.3 packages were released that corrected this
-    problem; it is included here for completeness.
+    Route detection occurs when the interface is named in the SOURCE
+    column of the masq file. Address detection occurs when
+    DETECT_DNAT_IPADDRS=Yes and the interface is the SOURCE for a DNAT
+    or REDIRECT rule or when 'maclist' is specified for the interface.
+   
+    Since the 'restore' command doesn't use the detected information,
+    detection is now skipped if the command is 'restore'.
 
-2)  If no interface had the 'blacklist' option, then when using
-    Shorewall-perl, the generated script would issue this harmless
-    message during 'shorewall refresh':
+3)  It was not previously possible to define traffic shaping on a
+    bridge port; the generated script complained that the
+    interface was not up and configured.
 
-        chainlist_reload: Not found
+4)  When Shorewall-shell was not installed, certain options in
+    /etc/shorewall/interfaces and /etc/shorewall/hosts would cause the
+    'add' and 'delete' commands to fail with a missing library error.
 
-3)  If /bin/sh was a light-weight shell such as ash or dash, then
-    'shorewall refresh' failed.
+	  OPTION               FILE
+	  maclist	       interfaces,hosts
+	  proxyarp	       interfaces
 
-4)  During start/restart, the script generated by Shorewall-perl was
-    clearing the proxy_arp flag on all interfaces; that is not the
-    documented behavior.
+5)  The /var/lib/shorewall/zones file was being overwritten during
+    processing of the 'refresh' command by a script generated with
+    Shorewall-perl. The result was that hosts previously added to
+    dynamic zones could not be deleted after the 'refresh'.
 
-5)  If the module-init-tools package was not installed and
-    /etc/shorewall/modules did not exist or was non-empty, then
-    Shorewall-perl would fail with the message:
+6)  If the file named as the output file in a Shorewall-perl 'compile'
+    command was a symbolic link, the generated error message
+    erroneously stated that the file's parent directory was a symbolic
+    link.
 
-       ERROR: Can't run lsmod : /etc/shorewall/modules (line 0)
+    As part of this change, cosmetic changes were made to a number of
+    other error messages.
 
-6)  Shorewall-perl now makes a compile-time check to insure that
-    iptables-restore exists and is executable. This check is made when
-    the compiler is being run by root and the -e option is not
-    given.
+7)  Some intra-zone rules were missing when a zone involved multiple
+    interfaces or when a zone included both IPSEC and non-IPSEC
+    networks.
 
-    Note that iptables-restore must reside in the same directory as the
-    iptables executable specified by IPTABLES in shorewall.conf or
-    located by the PATH in the event that IPTABLES is not specified.
+8)  Shorewall was not previously loading the xt_multiport kernel
+    module.
 
-7)  When using Shorewall-perl, if an action was invoked with more than
-    10 different combinations of log-levels/tags, some of those
-    invocations would have incorrect logging.
+9)  The Russian and French translations no longer have English headings
+    on notes, cautions, etc..
 
-8)  Previously, when 'shorewall restore' was executed, the
-    iptables-restore utility was always located using the PATH setting
-    rather than the IPTABLES setting.
+10) Previously, using a port list in the DEST PORT(S) column of the
+    rules file or in an action file could cause an invalid iptables
+    command to be generated by Shorewall-shell.
 
-    With Shorewall-perl, the IPTABLES setting is now used to locate
-    this utility during 'restore' as it is during the processing of
-    other commands.
+11) If there were no bridges in a configuration, Shorewall-perl would
+    ignore the CHAIN column in /etc/shorewall/accounting.
 
-9)  Although the shorewall.conf manpage indicates that the value
-    'internal' is allowed for TC_ENABLED, that value was previously
-    rejected ('Internal' was accepted).
+Other changes in 4.0.2
 
-10) The meaning of the 'loose' provider option was accidentally reversed
-    in Shorewall-perl. Rather than causing certain routing rules to be
-    omitted when specified, it actually caused them to be added (these
-    rules were omitted when the option was NOT specified).
+1)  Shorewall-perl now detects when a port range is included in a list
+    of ports and iptables/kernel support for Extended Multi-port Match
+    is not available. This avoids an iptables-restore failure at
+    run-time.
 
-11) If the 'bridge' option was specified on an interface but there were
-    no bport zones, then traffic originating on the firewall was not
-    passed through the accounting chain.
+2)  Most chains created by Shorewall-shell have names that can be
+    embedded within shell variable names. This is a workaround for
+    limitations in the shell programming language which has no
+    equivalent to Perl hashes. Often chain names must have the name of
+    a network interface encoded in them. Given that interface names can
+    contain characters that are invalid in a shell variable name,
+    Shorewall-shell performs a name mapping which was carried forward to
+    Shorewall-perl:
 
-12) In commands such as:
+    - Trailing '+' is dropped.
+    - The characters ".", "-", "%' and "@" are translated to "_".
 
-       shorewall compile <directory>
-       shorewall restart <directory>
-       shorewall check <directory>
+    This mapping has been elminated in the 4.0.2 release of Shorewall-
+    perl. So where before you would see chain "eth0_0_in", you may now
+    see the same chain named "eth0.0_in". Similarly, a chain previously
+    named "ppp_fwd" may now be called "ppp+_fwd".
 
-    if the name of the <directory> contained a period ("."), then
-    Shorewall-perl would incorrectly substitute the current working
-    directory for the name.
+3)  Shorewall-perl now uses the contents of the BROADCAST column in
+    /etc/shorewall/interfaces when the Address Type match capability is
+    not available.
 
-13) Previously, if the following sequence of routing rules was
-    specified, then the first rule would always be omitted.
+Problems corrected in 4.0.1.
 
-    #SOURCE    DEST      PROVIDER     PRIORITY
-    $SRC_A     $DESTIP1  ISP1         1000
-    $SRC_A     $DESTIP2  SOMEISP      1000
-    $SRC_A     -         ISP2         1000
+1)  The Shorewall Lite installer was producing an empty shorewall-lite
+    manpage. Since the installer runs as part of creating the RPM, the
+    RPM also suffered from this problem. The 4.0.0 Shorewall-lite 
+    packages were re-uploaded with this problem corrected.
 
-    The reason for this omission was that Shorewall uses a
-    delete-before-add approach and attempting to delete the third rule
-    resulted in the deletion of the first one instead. 
+2)  The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall
+    rather than /sbin/shorewall-lite.
 
-    This problem occurred with both compilers.
+3)  Both the Shorewall and Shorewall Lite uninstallers did a "shorewall
+    clear" if Shorewall [Lite] was running. Now, the Shorewall Lite
+    uninstaller correctly does "shorewall-lite clear" and both
+    uninstallers only perform the 'clear' operation if the other
+    product is not installed. This prevents the removal of one of the
+    two products from clearing the firewall configuration established
+    by the other one.
 
-14) When using Shorewall-shell, provider numbers were not recognized in
-    the PROVIDER column of /etc/shorewall/route_rules.
+4)  The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by
+    Shorewall-perl. If the zone type was changed to 'ipsec' or
+    'ipsec4' and the 'ipsec' option removed from the hosts file entry,
+    the configuration worked properly.
 
-15) An off-by-one problem in Shorewall-perl caused the value 255 to be
-    rejected in the MARK column of /etc/shorewall/tcclasses.
+5)  If a CLASSID was specified in a tcrule and TC_ENABLED=No, then
+    Shorewall-perl produced the following:
 
-16) When HIGH_ROUTE_MARKS=Yes, marks with values > 255 must be a
-    multiple of 256. That restriction was being enforced by
-    Shorewall-shell but not by Shorewall-perl. Shorewall-perl now also
-    enforces this restriction.
+    Compiling...
+    Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18.
+       ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18)
 
-17) Using REDIRECT with a parameterized macro (e.g., DNS/REDIRECT)
-    failed with an "Unknown interface" error when using Shorewall-perl.
+6)  If IPTABLES was not specified in shorewall.conf, Shorewall-perl was
+    locating the binary using the PATH environmental variable rather
+    than the PATH setting in shorewall.conf.  If no PATH was available
+    when Shorewall-perl was run and IPTABLES was not set in
+    shorewall.conf, the following messages were issued:
 
-Other Changes in Shorewall 4.0.4
+    Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054.
+       ERROR: Can't find iptables executable
+       ERROR: Shorewall restart failed
 
-1)  The detection of 'Repeat Match' has been improved. 'Repeat Match'
-    is not a match at all but rather is a feature of recent versions of
-    iptables that allows a particular match to be used multiple times
-    within a single rule.
+7)  If the "Mangle FORWARD Chain" capability was supported, entries in
+    the /etc/shorewall/ecn file would cause invalid iptables commands
+    to be generated. This problem occurred with both compilers.
 
-    Example:
+8)  Shorewall now starts at reboot after an upgrade from shorewall <
+    4.0.0. Previously, Shorewall was not started automatically at
+    reboot after an upgrade using the RPM.
 
-      -A foo -m physdev --physdev-in eth0 -m physdev --physdev-out ...
+9)  Shorewall-perl was generating invalid iptables-restore input when a
+    log level was specified with the dropBcast and allowBcast builtin
+    actions and when a log level followed by '!' was used with any
+    builtin actions.
 
-    When using Shorewall-shell, the availability of 'Repeat Match' can
-    speed up compilation very slightly.
+10) Shorewall-perl was incorrectly rejecting 'min' as a valid unit of
+    time in rate-limiting specifications.
 
-2)  Apparently recent Fedora releases are broken. The
-    following sequence of commands demonstrates the problem:
+11) Certain errors occurring during
+    start/restart/safe-start/safe-restart/try processing could cause
+    the lockfile to be left behind. This resulted in a 60-second delay
+    the next time one of these commands was run.
 
-    ip rule add from 1.1.1.1 to 10.0.0.0/8 priority 1000 table 5
-    ip rule add from 1.1.1.1 to 0.0.0.0/0 priority 1000 table main
-    ip rule del from 1.1.1.1 to 0.0.0.0/0 priority 1000
+Other changes in Shorewall 4.0.1.
 
-    The third command should fail but doesn't; instead, it incorrectly
-    removes the rule added by the first command.
+1)  A new EXPAND_POLICIES option is added to shorewall.conf. The
+    option is recognized by Shorewall-perl and is ignored by
+    Shorewall-shell.
 
-    To work around this issue, you can set DELETE_THEN_ADD=No in
-    shorewall.conf which prevents Shorewall from deleting ip rules
-    before attempting to add a similar rule.
+    Normally, when the SOURCE or DEST columns in shorewall-policy(5)
+    contains 'all', a single policy chain is created and the policy is
+    enforced in that chain. For example, if the policy entry is
 
-3)  When using Shorewall-perl, the following message is now issued if
-    the 'detectnets' option is specified in /etc/shorewall/interfaces:
+	     #SOURCE DEST POLICY LOG
+	     #                   LEVEL
+	     net     all  DROP   info
 
-    WARNING: Support for the 'detectnets' option will be removed from
-    Shorewall-perl in version 4.0.5; better to use 'routefilter' and
-    'logmartians
+    then the chain name is 'net2all' which is also the chain named in
+    Shorewall log messages generated as a result of the policy. If
+    EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate
+    chain for each pair of zones covered by the policy. This makes the
+    resulting log messages easier to interpret since the chain in the
+    messages will have a name of the form 'a2b' where 'a' is the SOURCE
+    zone and 'b' is the DEST zone. See
+    http://linuxman.wikispaces.com/PPPPPPS for more information.
 
-    The 'detect' options has always been rather silly. On input, it
-    duplicates the function of 'routefilter'. On output, it is a no-op
-    since traffic that doesn't match a route out of an interface won't
-    be sent through that interface (duh!).
+2)  The Shorewall-perl dependency on the "Address Type Match"
+    capability has been relaxed. This allows Shorewall 4.0.1 to be used
+    on releases like RHEL4 that don't support that capability.
 
-    Beginning with Shorewall 4.0.5, the warning message will read:
+3)  Shorewall-perl now detects dead policy file entries that result
+    when an entry is masked by an earlier entry. Example:
 
-    WARNING: Support for the 'detectnets' option has been removed
+	 all	 all	  REJECT    info
+	 loc	 net	  ACCEPT
 
+4)  Recent kernels are apparently hard to configure and we have been
+    seeing a lot of problem reports where the root cause is the lack of
+    state match support in the kernel. This problem is difficult to
+    diagnose when using Shorewall-perl so the generated shell program
+    now checks specifically for this problem and terminates with an
+    error if the capability doesn't exist.
diff --git a/Shorewall-common/shorewall b/Shorewall-common/shorewall
index 8c3290386..275a34c1f 100755
--- a/Shorewall-common/shorewall
+++ b/Shorewall-common/shorewall
@@ -62,6 +62,7 @@
 #	   shorewall show tc			   Display traffic control info
 #	   shorewall show classifiers		   Display classifiers
 #          shorewall show capabilities             Display iptables/kernel capabilities
+#          shorewall show vardir                   Display the VARDIR setting.
 #	   shorewall version			   Display the installed version id
 #	   shorewall check [ -e ] [ <directory> ]  Dry-run compilation.
 #	   shorewall try <directory> [ <timeout> ] Try a new configuration and if
@@ -1283,7 +1284,7 @@ usage() # $1 = exit status
     echo "   export [ -C {shell|perl} ] [ <directory1> ] [<user>@]<system>[:<directory2>]"
     echo "   forget [ <file name> ]"
     echo "   help"
-    echo "   hits"
+    echo "   hits [ -t ]"
     echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
     echo "   ipdecimal { <address> | <integer> }"
     echo "   iprange <address>-<address>"
@@ -1298,7 +1299,7 @@ usage() # $1 = exit status
     echo "   restart [ -n ] [ -C {shell|perl} ] [ <directory> ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|zones} ]"
+    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|ip|log|macros|mangle|nat|routing|tc|vardir|zones} ]"
     echo "   start [ -f ] [ -n ] [ -C {shell|perl} ] [ <directory> ]"
     echo "   stop [ -f ]"
     echo "   status"
@@ -1633,8 +1634,8 @@ case "$COMMAND" in
     hits)
 	get_config Yes No Yes
 	[ -n "$debugging" ] && set -x
-	[ $# -eq 1 ] || usage 1
-	hits_command
+	shift
+	hits_command $@
 	;;
     version)
 	shift
diff --git a/Shorewall-common/shorewall-common.spec b/Shorewall-common/shorewall-common.spec
index 415ad0a78..38c0bcd9f 100644
--- a/Shorewall-common/shorewall-common.spec
+++ b/Shorewall-common/shorewall-common.spec
@@ -1,5 +1,5 @@
 %define name shorewall-common
-%define version 4.0.5
+%define version 4.0.6
 %define release 1
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -153,6 +153,9 @@ fi
 %attr(0644,root,root) /usr/share/shorewall/macro.IPsec
 %attr(0644,root,root) /usr/share/shorewall/macro.IPsecah
 %attr(0644,root,root) /usr/share/shorewall/macro.IPsecnat
+%attr(0644,root,root) /usr/share/shorewall/macro.Jabberd
+%attr(0644,root,root) /usr/share/shorewall/macro.JabberPlain
+%attr(0644,root,root) /usr/share/shorewall/macro.JabberSecure
 %attr(0644,root,root) /usr/share/shorewall/macro.Jetdirect
 %attr(0644,root,root) /usr/share/shorewall/macro.L2TP
 %attr(0644,root,root) /usr/share/shorewall/macro.LDAP
@@ -240,6 +243,14 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
 
 %changelog
+* Thu Nov 15 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-1
+* Sat Nov 10 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC3
+* Wed Nov 07 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC2
+* Thu Oct 25 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC1
 * Tue Oct 03 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.5-1
 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net
diff --git a/Shorewall-common/shorewall.conf b/Shorewall-common/shorewall.conf
index 5346ad8bc..873ea7bcc 100644
--- a/Shorewall-common/shorewall.conf
+++ b/Shorewall-common/shorewall.conf
@@ -171,6 +171,8 @@ DELETE_THEN_ADD=Yes
 
 MULTICAST=No
 
+DONT_LOAD=
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
diff --git a/Shorewall-common/uninstall.sh b/Shorewall-common/uninstall.sh
index ff7c89f18..53a9dc807 100755
--- a/Shorewall-common/uninstall.sh
+++ b/Shorewall-common/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.0.5
+VERSION=4.0.6
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall-lite/Makefile b/Shorewall-lite/Makefile
index 6dbd0d90c..c30ccb88b 100644
--- a/Shorewall-lite/Makefile
+++ b/Shorewall-lite/Makefile
@@ -1,12 +1,11 @@
 # Shorewall Lite Makefile to restart if firewall script is newer than last restart
-VARDIR=/var/lib/shorewall-lite
+VARDIR=$(shell /sbin/shorewall-lite show vardir)
 SHAREDIR=/usr/share/shorewall-lite
 RESTOREFILE?=.restore
-include $(SHAREDIR)/configpath
 
 all: $(VARDIR)/${RESTOREFILE}
 
-$(VARDIR)/${RESTOREFILE}: $(LITEDIR)/firewall
+$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
 	@/sbin/shorewall-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
diff --git a/Shorewall-lite/fallback.sh b/Shorewall-lite/fallback.sh
index 80c6422d8..73d7a231f 100755
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 
-VERSION=4.0.5
+VERSION=4.0.6
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh
index fa8ac7dd3..b7fc95e12 100755
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.0.5
+VERSION=4.0.6
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall-lite/shorewall-lite b/Shorewall-lite/shorewall-lite
index 8d1baa0aa..61d3d16eb 100755
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -49,6 +49,7 @@
 #     shorewall-lite show tc			   Display traffic control info
 #     shorewall-lite show classifiers		   Display classifiers
 #     shorewall-lite show capabilities             Display iptables/kernel capabilities
+#     shorewall-lite show vardir                   Display VARDIR setting
 #     shorewall-lite version			   Display the installed version id
 #     shorewall-lite logwatch [ refresh-interval ] Monitor the local log for Shorewall
 #						   messages.
@@ -356,7 +357,7 @@ usage() # $1 = exit status
     echo "   dump [ -x ]"
     echo "   forget [ <file name> ]"
     echo "   help"
-    echo "   hits"
+    echo "   hits [ -t ]"
     echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
     echo "   ipdecimal { <address> | <integer> }"
     echo "   iprange <address>-<address>"
@@ -368,7 +369,7 @@ usage() # $1 = exit status
     echo "   restart [ -n ]"
     echo "   restore [ -n ] [ <file name> ]"
     echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [ -f ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|ip|log|mangle|nat|routing|tc|zones} ]"
+    echo "   show [ -x ] [ -m ] [ -f ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|ip|log|mangle|nat|routing|tc|vardir|zones} ]"
     echo "   start [ -f ] [ -n ]"
     echo "   stop"
     echo "   status"
@@ -597,8 +598,8 @@ case "$COMMAND" in
 	;;
     hits)
 	[ -n "$debugging" ] && set -x
-	[ $# -eq 1 ] || usage 1
-	hits_command
+	shift
+	hits_command $@
 	;;
     version)
 	echo $version Lite
diff --git a/Shorewall-lite/shorewall-lite.spec b/Shorewall-lite/shorewall-lite.spec
index 6f7e2bbfe..919b8c6b5 100644
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,5 +1,5 @@
 %define name shorewall-lite
-%define version 4.0.5
+%define version 4.0.6
 %define release 1
 
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@@ -98,6 +98,14 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 
 %changelog
+* Thu Nov 15 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-1
+* Sat Nov 10 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC3
+* Wed Nov 07 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC2
+* Thu Oct 25 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC1
 * Tue Oct 03 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.5-1
 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net
diff --git a/Shorewall-lite/uninstall.sh b/Shorewall-lite/uninstall.sh
index 9990b22f5..690ea6a49 100755
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 
-VERSION=4.0.5
+VERSION=4.0.6
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall-perl/Shorewall/Accounting.pm b/Shorewall-perl/Shorewall/Accounting.pm
index 23181af72..4b4b8cf6b 100644
--- a/Shorewall-perl/Shorewall/Accounting.pm
+++ b/Shorewall-perl/Shorewall/Accounting.pm
@@ -25,17 +25,17 @@
 #
 package Shorewall::Accounting;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
-use Shorewall::Chains;
+use Shorewall::Chains qw(:DEFAULT :internal);
 
 use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = 4.0.3;
+our $VERSION = 4.0.6;
 
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
@@ -174,19 +174,14 @@ sub process_accounting_rule( $$$$$$$$$ ) {
 
 sub setup_accounting() {
 
-    my $first_entry = 1;
-
     my $fn = open_file 'accounting';
 
+    first_entry "$doing $fn...";
+
     while ( read_a_line ) {
 
 	my ( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File';
 
-	if ( $first_entry ) {
-	    progress_message2 "$doing $fn...";
-	    $first_entry = 0;
-	}
-
 	if ( $action eq 'COMMENT' ) {
 	    process_comment;
 	} else {
diff --git a/Shorewall-perl/Shorewall/Actions.pm b/Shorewall-perl/Shorewall/Actions.pm
index b5f8b5e60..7c4236e00 100644
--- a/Shorewall-perl/Shorewall/Actions.pm
+++ b/Shorewall-perl/Shorewall/Actions.pm
@@ -25,9 +25,9 @@
 #
 package Shorewall::Actions;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
-use Shorewall::Chains;
+use Shorewall::Chains qw(:DEFAULT :internal);
 
 use strict;
 
@@ -54,7 +54,7 @@ our @EXPORT = qw( merge_levels
 		  %macros
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.0.4;
+our $VERSION = 4.0.6;
 
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -400,7 +400,7 @@ sub process_macro1 ( $$ ) {
 	$targettype = 0 unless defined $targettype;
 
 	fatal_error "Invalid target ($mtarget)"
-	    unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $targettype & ( LOGRULE | NFQ ) );
+	    unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $targettype & ( LOGRULE | NFQ | CHAIN ) );
     }
 
     progress_message "   ..End Macro $macrofile";
@@ -418,7 +418,7 @@ sub process_action1 ( $$ ) {
     my $targettype = $targets{$target};
 
     if ( defined $targettype ) {
-	return if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $targettype & ( LOGRULE |  NFQ ) );
+	return if ( $targettype == STANDARD ) || ( $targettype == MACRO ) || ( $targettype & ( LOGRULE |  NFQ | CHAIN ) );
 
 	fatal_error "Invalid TARGET ($target)" if $targettype & STANDARD;
 
@@ -640,7 +640,7 @@ sub process_action3( $$$$$ ) {
 	    if ( $action2type & ACTION ) {
 		$target2 = (find_logactionchain ( $target = $target2 ))->{name};
 	    } else {
-		fatal_error "Internal Error" unless $action2type == MACRO || $action2type & ( LOGRULE | NFQ );
+		fatal_error "Internal Error" unless $action2type == MACRO || $action2type & ( LOGRULE | NFQ | CHAIN );
 	    }
 	}
 
diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 06c5d0673..2db7678bf 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -27,116 +27,127 @@
 package Shorewall::Chains;
 require Exporter;
 
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
-
 use strict;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw( STANDARD
-		  NATRULE
-		  BUILTIN
-		  NONAT
-		  NATONLY
-		  REDIRECT
-		  ACTION
-		  MACRO
-		  LOGRULE
-		  NFQ
-		  NO_RESTRICT
-		  PREROUTE_RESTRICT
-		  INPUT_RESTRICT
-		  OUTPUT_RESTRICT
-		  POSTROUTE_RESTRICT
-		  ALL_RESTRICT
-
-		  process_comment
-		  clear_comment
-		  incr_cmd_level
-		  decr_cmd_level
-		  add_command
-		  add_commands
-		  mark_referenced
+our @EXPORT = qw( 
 		  add_rule
 		  insert_rule
-		  chain_base
-		  forward_chain
-		  input_chain
-		  output_chain
-		  masq_chain
-		  syn_flood_chain
-		  mac_chain
-		  macrecent_target
-		  dynamic_fwd
-		  dynamic_in
-		  dynamic_out
-		  dynamic_chains
-		  dnat_chain
-		  snat_chain
-		  ecn_chain
-		  first_chains
 		  new_chain
-		  ensure_chain
-		  ensure_filter_chain
-		  ensure_mangle_chain
-		  new_standard_chain
-		  new_builtin_chain
-		  initialize_chain_table
-		  finish_section
-		  setup_zone_mss
-		  newexclusionchain
-		  clearrule
-		  validate_portrange
-		  do_proto
-		  mac_match
-		  verify_mark
-		  verify_small_mark
-		  validate_mark
-		  do_test
-		  do_ratelimit
-		  do_user
-		  do_tos
-		  match_source_dev
-		  match_dest_dev
-		  iprange_match
-		  match_source_net
-		  match_dest_net
-		  match_orig_dest
-		  match_ipsec_in
-		  match_ipsec_out
+		  new_manual_chain
+		  ensure_manual_chain
 		  log_rule_limit
-		  log_rule
-		  expand_rule
-		  addnatjump
-		  insertnatjump
-		  get_interface_address
-		  get_interface_addresses
-		  get_interface_bcasts
-		  set_global_variables
-		  create_netfilter_load
-		  create_chainlist_reload
 
 		  %chain_table
 		  $nat_table
 		  $mangle_table
 		  $filter_table
-		  $section
-		  %sections
-		  %targets
 		  );
-our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.0.5;
+
+our %EXPORT_TAGS = ( 
+		    internal => [  qw( STANDARD
+				       NATRULE
+				       BUILTIN
+				       NONAT
+				       NATONLY
+				       REDIRECT
+				       ACTION
+				       MACRO
+				       LOGRULE
+				       NFQ
+				       CHAIN
+				       NO_RESTRICT
+				       PREROUTE_RESTRICT
+				       INPUT_RESTRICT
+				       OUTPUT_RESTRICT
+				       POSTROUTE_RESTRICT
+				       ALL_RESTRICT
+				       
+				       add_command
+				       add_commands
+				       process_comment
+				       clear_comment
+				       incr_cmd_level
+				       decr_cmd_level
+				       chain_base 
+				       forward_chain
+				       input_chain
+				       output_chain
+				       masq_chain
+				       syn_flood_chain
+				       mac_chain
+				       macrecent_target
+				       dynamic_fwd
+				       dynamic_in
+				       dynamic_out
+				       dynamic_chains
+				       dnat_chain
+				       snat_chain
+				       ecn_chain
+				       first_chains
+				       mark_referenced
+				       ensure_chain
+				       ensure_mangle_chain
+				       new_standard_chain
+				       new_builtin_chain
+				       ensure_filter_chain
+				       initialize_chain_table
+				       finish_section
+				       setup_zone_mss
+				       newexclusionchain
+				       clearrule
+				       validate_port
+				       proto_name
+				       do_proto
+				       mac_match
+				       verify_mark
+				       verify_small_mark
+				       validate_mark
+				       do_test
+				       do_ratelimit
+				       do_user
+				       do_tos
+				       match_source_dev
+				       match_dest_dev
+				       iprange_match
+				       match_source_net
+				       match_dest_net
+				       match_orig_dest
+				       match_ipsec_in
+				       match_ipsec_out
+				       log_rule
+				       expand_rule
+				       addnatjump
+				       insertnatjump
+				       get_interface_address
+				       get_interface_addresses
+				       get_interface_bcasts
+				       set_global_variables
+				       create_netfilter_load
+				       create_chainlist_reload
+				       $section
+				       %sections
+				       %targets
+				     ) ],
+		   );
+
+Exporter::export_ok_tags('internal');
+
+our $VERSION = 4.0.6;
 
 #
 # Chain Table
 #
 #    %chain_table { <table> => { <chain1>  => { name         => <chain name>
 #                                               table        => <table name>
-#                                               is_policy    => 0|1
-#                                               is_optional  => 0|1
-#                                               referenced   => 0|1 -- If 1, will be written to the iptables-restore-input.
-#                                               builtin      => 0|1 -- If 1, one of Netfilter's built-in chains.
+#                                               is_policy    => undef|1 -- if 1, this is a policy chain
+#                                               is_optional  => undef|1 -- See below.
+#                                               referenced   => undef|1 -- If 1, will be written to the iptables-restore-input.
+#                                               builtin      => undef|1 -- If 1, one of Netfilter's built-in chains.
+#                                               manual       => undef|1 -- If 1, a manual chain.
 #                                               log          => <logging rule number for use when LOGRULENUMBERS>
 #                                               policy       => <policy>
 #                                               policychain  => <name of policy chain> -- self-reference if this is a policy chain
@@ -156,7 +167,7 @@ our $VERSION = 4.0.5;
 #                 }
 #
 #       'is_optional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
-#       replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are optional.
+#       replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with is_optional == 1.
 #
 #       Only 'referenced' chains get written to the iptables-restore input.
 #
@@ -186,6 +197,7 @@ use constant { STANDARD => 1,              #defined by Netfilter
 	       MACRO    => 128,            #A Macro
 	       LOGRULE  => 256,            #'LOG'
 	       NFQ      => 512,            #'NFQUEUE'
+	       CHAIN    => 1024,           #Manual Chain
 	   };
 
 our %targets;
@@ -423,6 +435,7 @@ sub add_rule($$;$)
 		    if ( ++$count == 15 ) {
 			if ( $separator eq ':' ) {
 			    unshift @ports, $port, ':';
+			    chop $newports;
 			    last;
 			} else {
 			    $newports .= $port;
@@ -676,6 +689,22 @@ sub new_standard_chain($) {
     $chainref;
 }
 
+sub new_manual_chain($) {
+    my $chain = $_[0];
+    fatal_error "Duplicate Chain Name ($chain)" if $targets{$chain} || $filter_table->{$chain};
+    $targets{$chain} = CHAIN;
+    ( my $chainref = ensure_filter_chain( $chain, 0) )->{manual} = 1;
+    $chainref->{referenced} = 1;
+    $chainref;
+}
+
+sub ensure_manual_chain($) {
+    my $chain = $_[0];
+    my $chainref = $filter_table->{$chain} || new_manual_chain($chain);
+    fatal_error "$chain exists and is not a manual chain" unless $chainref->{manual};
+    $chainref;
+}
+
 #
 # Add all builtin chains to the chain table
 #
@@ -869,25 +898,6 @@ sub validate_portpair( $$ ) {
 
 }
 
-sub validate_portrange( $$ ) {
-    my ($proto, $portpair) = @_;
-
-    if ( $portpair =~ tr/-/-/ > 1 || substr( $portpair,  0, 1 ) eq '-' || substr( $portpair, -1, 1 ) eq '-' ) {
-	fatal_error "Invalid port range ($portpair)";
-    }
-
-    my @ports = split /-/, $portpair, 2;
-
-    $_ = validate_port( proto_name( $proto ), $_) for ( @ports );
-
-    if ( @ports == 2 ) {
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
-    }
-
-    join '-', @ports;
-
-}
-
 sub validate_port_list( $$ ) {
     my $result = '';
     my ( $proto, $list ) = @_;
@@ -1208,7 +1218,11 @@ sub match_dest_dev( $ ) {
     my $interface = shift;
     my $interfaceref =  find_interface( $interface );
     if ( $interfaceref && $interfaceref->{options}{port} ) {
-	"-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
+	if ( $capabilities{PHYSDEV_BRIDGE} ) {
+	    "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface ";
+	} else {
+	    "-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
+	}
     } else {
 	"-o $interface ";
     }
diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm
index e1e70ed51..0d03eb06e 100644
--- a/Shorewall-perl/Shorewall/Compiler.pm
+++ b/Shorewall-perl/Shorewall/Compiler.pm
@@ -24,8 +24,8 @@
 
 package Shorewall::Compiler;
 require Exporter;
-use Shorewall::Config;
-use Shorewall::Chains;
+use Shorewall::Config qw(:DEFAULT :internal);
+use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Policy;
 use Shorewall::Nat;
@@ -41,7 +41,7 @@ use Shorewall::Proxyarp;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = 4.0.4;
+our $VERSION = 4.0.6;
 
 our $export;
 
@@ -133,6 +133,8 @@ sub generate_script_1() {
 
     propagateconfig;
 
+    my @dont_load = split /,/, $config{DONT_LOAD};
+
     emit ( '[ -n "${COMMAND:=restart}" ]',
 	   '[ -n "${VERBOSE:=0}" ]',
 	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]),
@@ -140,6 +142,7 @@ sub generate_script_1() {
 	   qq(VERSION="$globals{VERSION}") ,
 	   qq(PATH="$config{PATH}") ,
 	   'TERMINATOR=fatal_error' ,
+	   qq(DONT_LOAD="@dont_load") ,
 	   ''
 	   );
 
@@ -735,6 +738,10 @@ sub compiler( $$$$$ ) {
 	generate_script_1;
     }
 
+    #
+    # Allow user to load Perl modules
+    #
+    run_user_exit1 'compile';
     #
     # Process the zones file.
     #
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 0990b8ed5..cac30b969 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -36,65 +36,73 @@ use File::Basename;
 use File::Temp qw/ tempfile tempdir /;
 use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
+use Scalar::Util 'reftype';
 
 our @ISA = qw(Exporter);
 #
 # Imported variables should be treated as read-only by importers
 #
 our @EXPORT = qw(
-		 create_temp_object
-		 finalize_object
-		 emit
-		 emit_unindented
-		 save_progress_message
-		 save_progress_message_short
-		 set_timestamp
-		 set_verbose
-		 set_command
+		 warning_message
+		 fatal_error
 		 progress_message
 		 progress_message2
 		 progress_message3
-		 push_indent
-		 pop_indent
-		 copy
-		 create_temp_aux_config
-		 finalize_aux_config
-		 warning_message
-		 fatal_error
-		 set_shorewall_dir
-		 set_debug
-		 find_file
-		 split_line
-		 split_line1
-		 split_line2
-		 open_file
-		 close_file
-		 push_open
-		 pop_open
-		 read_a_line
-		 validate_level
-		 qt
-		 ensure_config_path
-		 get_configuration
-		 require_capability
-		 report_capabilities
-		 propagateconfig
-		 append_file
-		 run_user_exit
-		 run_user_exit1
-		 run_user_exit2
-		 generate_aux_config
+                );
 
-		 $command
-		 $doing
-		 $done
-		 $currentline
-		 %config
-		 %globals
-		 %capabilities );
+our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall);
 
-our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path );
-our $VERSION = 4.0.5;
+our %EXPORT_TAGS = ( internal => [ qw( create_temp_object 
+				       finalize_object
+				       emit
+				       emit_unindented
+				       save_progress_message
+				       save_progress_message_short
+				       set_timestamp
+				       set_verbose
+				       set_command
+				       push_indent
+				       pop_indent
+				       copy
+				       create_temp_aux_config
+				       finalize_aux_config
+				       set_shorewall_dir
+				       set_debug
+				       find_file
+				       split_line
+				       split_line1
+				       split_line2
+				       first_entry
+				       open_file
+				       close_file
+				       push_open
+				       pop_open
+				       read_a_line
+				       validate_level
+				       qt
+				       ensure_config_path
+				       get_configuration
+				       require_capability
+				       report_capabilities
+				       propagateconfig
+				       append_file
+				       run_user_exit
+				       run_user_exit1
+				       run_user_exit2
+				       generate_aux_config
+				       
+				       $command
+				       $doing
+				       $done
+				       $currentline
+				       %config
+				       %globals
+				       %capabilities
+				     ) ] );	       
+
+Exporter::export_ok_tags('internal');
+
+our $VERSION = 4.0.6;
 
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -156,6 +164,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 USEPKTTYPE      => 'Packet Type Match',
 		 POLICY_MATCH    => 'Policy Match',
 		 PHYSDEV_MATCH   => 'Physdev Match',
+		 PHYSDEV_BRIDGE  => 'Physdev-is-bridged support',
 		 LENGTH_MATCH    => 'Packet length Match',
 		 IPRANGE_MATCH   => 'IP Range Match',
 		 RECENT_MATCH    => 'Recent Match',
@@ -197,6 +206,10 @@ our $currentline;             # Current config file line image
 our $currentfile;             # File handle reference
 our $currentfilename;         # File NAME
 our $currentlinenumber;       # Line number
+our $scriptfile;              # File Handle Reference to current temporary file being written by an in-line Perl script
+our $scriptfilename;          # Name of that file.
+our @tempfiles;               # Files that need unlinking at END
+our $first_entry;             # Message to output or function to call on first non-blank line of a file
 
 our $shorewall_dir;           # Shorewall Directory
 
@@ -230,8 +243,8 @@ sub initialize() {
 		    ORIGINAL_POLICY_MATCH => '',
 		    LOGPARMS => '',
 		    TC_SCRIPT => '',
-		    VERSION =>  '4.0.5',
-		    CAPVERSION => 40003 ,
+		    VERSION =>  '4.0.6',
+		    CAPVERSION => 40006 ,
 		  );
     #
     # From shorewall.conf file
@@ -324,6 +337,7 @@ sub initialize() {
 		KEEP_RT_TABLES => undef,
 		DELETE_THEN_ADD => undef,
 		MULTICAST => undef,
+		DONT_LOAD => '',
 		#
 		# Packet Disposition
 		#
@@ -344,6 +358,7 @@ sub initialize() {
 	       USEPKTTYPE => undef,
 	       POLICY_MATCH => undef,
 	       PHYSDEV_MATCH => undef,
+	       PHYSDEV_BRIDGE => undef,
 	       LENGTH_MATCH => undef,
 	       IPRANGE_MATCH => undef,
 	       RECENT_MATCH => undef,
@@ -385,6 +400,7 @@ sub initialize() {
     $currentfile = undef;     # File handle reference
     $currentfilename = '';    # File NAME
     $currentlinenumber = 0;   # Line number
+    $first_entry = 0;         # Message to output or function to call on first non-blank file entry
 
     $shorewall_dir = '';      #Shorewall Directory
 
@@ -403,11 +419,15 @@ sub warning_message
     my $linenumber = $currentlinenumber || 1;
     my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
 
+    $| = 1;
+
     if ( $debug ) {
 	print STDERR longmess( "   WARNING: @_$currentlineinfo" );
     } else {
 	print STDERR "   WARNING: @_$currentlineinfo\n";
     }
+
+    $| = 0;
 }
 
 #
@@ -416,10 +436,17 @@ sub warning_message
 sub fatal_error	{
     my $linenumber = $currentlinenumber || 1;
     my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
+    $| = 1;
     confess "   ERROR: @_$currentlineinfo" if $debug;
     die "   ERROR: @_$currentlineinfo\n";
 }
 
+sub fatal_error1	{
+    $| = 1;
+    confess "   ERROR: @_" if $debug;
+    die "   ERROR: @_\n";
+}
+
 #
 # Write the arguments to the object file (if any) with the current indentation.
 #
@@ -792,6 +819,19 @@ sub open_file( $ ) {
     do_open_file $fname if -f $fname && -s _;
 }
 
+#
+# Pop the include stack
+#
+sub pop_include() {
+    my $arrayref = pop @includestack;
+
+    if ( $arrayref ) {
+	( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref;
+    } else {
+	$currentfile = undef;
+    }
+}    
+
 #
 # This function is normally called below in read_a_line() when EOF is reached. Clients of the
 # module may also call the function to close the file before EOF
@@ -799,15 +839,14 @@ sub open_file( $ ) {
 
 sub close_file() {
     if ( $currentfile ) {
-	close $currentfile;
+	my $result = close $currentfile;
 
-	my $arrayref = pop @includestack;
+	pop_include;
+	
+	fatal_error "SHELL Script failed" unless $result;
+
+	$first_entry = 0;
 
-	if ( $arrayref ) {
-	    ( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref;
-	} else {
-	    $currentfile = undef;
-	}
     }
 }
 
@@ -828,13 +867,143 @@ sub push_open( $ ) {
 
 sub pop_open() {
     @includestack = @{pop @openstack};
+    pop_include;
+}
 
-    my $arrayref = pop @includestack;
+sub shorewall {
+    unless ( $scriptfile ) {
+	fatal_error "shorewall() may not be called in this context" unless $currentfile;
 
-    if ( $arrayref ) {
-	( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref;
-    } else {
+	$dir ||= '/tmp/';
+
+	eval {
+	    ( $scriptfile, $scriptfilename ) = tempfile ( 'scriptfileXXXX' , DIR => $dir );
+	};
+
+	fatal_error "Unable to create temporary file in directory $dir" if $@;
+    }
+
+    print $scriptfile "@_\n";
+}
+
+#
+# We don't announce that we are checking/compiling a file until we determine that the file contains 
+# at least one non-blank, non-commentary line.
+#
+# The argument to this function may be either a scalar or a function reference. When the first
+# non-blank/non-commentary line is reached: 
+#
+# - if a function reference was passed to first_entry(), that function is called
+# - otherwise, the argument to first_entry() is passed to progress_message2().
+#
+# We do this processing in read_a_line() rather than in the higher-level routines because
+# Embedded Shell/Perl scripts are processed out of read_a_line(). If we were to defer announcement
+# until we get back to the caller of read_a_line(), we could issue error messages about parsing and 
+# running scripts in the file before we'd even indicated that we are processing it.
+#
+sub first_entry( $ ) {
+    $first_entry = $_[0];
+    my $reftype = reftype $first_entry;
+    if ( $reftype ) {
+	fatal_error "Invalid argument to first_entry()" unless $reftype eq 'CODE';
+    }
+}   
+
+sub embedded_shell( $ ) {
+    my $multiline = shift;
+
+    fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+    my ( $command, $linenumber ) = ( "/bin/sh -c '$currentline", $currentlinenumber );
+    
+    if ( $multiline ) {
+	#
+	# Multi-line script
+	#
+	fatal_error "Invalid BEGIN SHELL directive" unless $currentline =~ /^\s*$/;
+	$command .= "\n";
+
+	my $last = 0;
+		    
+	while ( <$currentfile> ) {
+	    $currentlinenumber++;
+	    last if $last = s/^\s*END(\s+SHELL)?\s*;?//;
+	    $command .= $_;
+	}
+	
+	fatal_error ( "Missing END SHELL" ) unless $last;
+	fatal_error ( "Invalid END SHELL directive" ) unless /^\s*$/;
+    }
+
+    $command .= q(');
+    
+    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+    $currentfile = undef;
+    open $currentfile , '-|', $command or fatal_error qq(Shell Command failed);
+    $currentfilename = "SHELL\@$currentfilename:$currentlinenumber";
+    $currentline = '';
+    $currentlinenumber = 0;
+}
+
+sub embedded_perl( $ ) {
+    my $multiline = shift;
+		
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );		
+
+    if ( $multiline ) {
+	#
+	# Multi-line script
+	#
+	fatal_error "Invalid BEGIN PERL directive" unless $currentline =~ /^\s*$/;
+	$command .= "\n";
+		    
+	my $last = 0;
+		    
+	while ( <$currentfile> ) {
+	    $currentlinenumber++;
+	    last if $last = s/^\s*END(\s+PERL)?\s*;?//;
+	    $command .= $_;
+	}
+	
+	fatal_error ( "Missing END PERL" ) unless $last;
+	fatal_error ( "Invalid END PERL directive" ) unless /^\s*$/;
+    }
+    
+    unless (my $return = eval $command ) {
+	if ( $@ ) {
+	    #
+	    # Perl found the script offensive or the script itself died
+	    #
+	    $@ =~ s/, <\$currentfile> line \d+//g;
+	    fatal_error1 "$@";
+	}
+	
+	unless ( defined $return ) {
+	    fatal_error "Perl Script failed: $!" if $!; 
+	    fatal_error "Perl Script failed";
+	} 
+
+	fatal_error "Perl Script Returned False";
+    }
+    
+    if ( $scriptfile ) {
+	fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
+
+	close $scriptfile or fatal_error "Internal Error in embedded_perl()";
+	
+	$scriptfile = undef;
+	
+	push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
 	$currentfile = undef;
+	
+	open $currentfile, '<', $scriptfilename or fatal_error "Unable to open Perl Script $scriptfilename";
+
+	push @tempfiles, $scriptfilename unless unlink $scriptfilename; #unlink fails on Cygwin
+	
+	$scriptfilename = '';
+	
+	$currentfilename = "PERL\@$currentfilename:$linenumber";
+	$currentline = '';
+	$currentlinenumber = 0;
     }
 }
 
@@ -844,6 +1013,7 @@ sub pop_open() {
 #   - Ignore blank or comment-only lines.
 #   - Remove trailing comments.
 #   - Handle Line Continuation
+#   - Handle embedded SHELL and PERL scripts
 #   - Expand shell variables from $ENV.
 #   - Handle INCLUDE <filename>
 #
@@ -871,40 +1041,57 @@ sub read_a_line() {
 	    # Ignore ( concatenated ) Blank Lines
 	    #
 	    $currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
-
 	    #
-	    # Expand Shell Variables using %ENV
+	    # Line not blank -- Handle any first-entry message/capabilities check
 	    #
-	    #                            $1      $2      $3           -     $4
-	    while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
-		my $val = $ENV{$3};
-		$val = '' unless defined $val;
-		$currentline = join( '', $1 , $val , $4 );
+	    if ( $first_entry ) {
+		reftype( $first_entry ) ? $first_entry->() : progress_message2( $first_entry );
+		$first_entry = 0;
 	    }
-
-	    if ( $currentline =~ /^\s*INCLUDE\s/ ) {
-
-		my @line = split ' ', $currentline;
-
-		fatal_error "Invalid INCLUDE command"    if @line != 2;
-		fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
-
-		my $filename = find_file $line[1];
-
-		fatal_error "INCLUDE file $filename not found" unless -f $filename;
-		fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
-
-		if ( -s _ ) {
-		    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
-		    $currentfile = undef;
-		    do_open_file $filename;
-		} else {
-		    $currentlinenumber = 0;
-		}
-
-		$currentline = '';
+	    #
+	    # Must check for shell/perl before doing variable expansion
+	    #
+	    if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
+		embedded_shell( $1 );
+	    } elsif ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
+		embedded_perl( $1 );
 	    } else {
-		return 1;
+		my $count = 0;
+		#
+		# Expand Shell Variables using %ENV
+		#
+		#                            $1      $2      $3           -     $4
+		while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
+		    my $val = $ENV{$3};
+		    $val = '' unless defined $val;
+		    $currentline = join( '', $1 , $val , $4 );
+		    fatal_error "Variable Expansion Loop" if ++$count > 100;
+		}
+		
+		if ( $currentline =~ /^\s*INCLUDE\s/ ) {
+		    
+		    my @line = split ' ', $currentline;
+		    
+		    fatal_error "Invalid INCLUDE command"    if @line != 2;
+		    fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
+		    
+		    my $filename = find_file $line[1];
+		    
+		    fatal_error "INCLUDE file $filename not found" unless -f $filename;
+		    fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
+		    
+		    if ( -s _ ) {
+			push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+			$currentfile = undef;
+			do_open_file $filename;
+		    } else {
+			$currentlinenumber = 0;
+		    }
+		    
+		    $currentline = '';
+		} else {
+		    return 1;
+		}
 	    }
 	}
 
@@ -1085,6 +1272,10 @@ sub load_kernel_modules( ) {
     if ( $moduleloader && open_file 'modules' ) {
 	my %loadedmodules;
 
+	for ( split /,/, $config{DONT_LOAD} ) {
+	    $loadedmodules{$_} = 1;
+	}
+
 	progress_message "Loading Modules...";
 
 	open LSMOD , '-|', 'lsmod' or fatal_error "Can't run lsmod";
@@ -1155,7 +1346,8 @@ sub determine_capabilities( $ ) {
     $capabilities{POLICY_MATCH}    = qt( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" );
 
     if ( qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" ) ) {
-	$capabilities{PHYSDEV_MATCH} = 1;
+	$capabilities{PHYSDEV_MATCH}  = 1;
+	$capabilities{PHYSDEV_BRIDGE} = qt( "$iptables -A $sillyname -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT" );
 	unless ( $capabilities{KLUDGEFREE} ) {
 	    $capabilities{KLUDGEFREE} = qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" );
 	}
@@ -1389,12 +1581,20 @@ sub get_configuration( $ ) {
 
     my $export = $_[0];
 
+    our ( $once, @originalinc );
+    
+    @originalinc = @INC unless $once++;
+
     ensure_config_path;
 
     process_shorewall_conf;
 
     ensure_config_path;
 
+    @INC = @originalinc;
+
+    unshift @INC, @config_path;
+
     default 'PATH' , '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin';
 
     default 'MODULE_PREFIX', 'o gz ko o.gz ko.gz';
@@ -1641,10 +1841,17 @@ sub run_user_exit( $ ) {
     if ( -f $file ) {
 	progress_message "Processing $file...";
 
-	unless (my $return = eval `cat $file` ) {
+	my $command = qq(package Shorewall::User;\nno strict;\n# line 1 "$file"\n) . `cat $file`;
+
+	unless (my $return = eval $command ) {
 	    fatal_error "Couldn't parse $file: $@" if $@;
-	    fatal_error "Couldn't do $file: $!"    unless defined $return;
-	    fatal_error "Couldn't run $file";
+	    
+	    unless ( defined $return ) {
+		fatal_error "Couldn't do $file: $!" if $!;    
+		fatal_error "Couldn't do $file";
+	    }    
+	    
+	    fatal_error "$file returned a false value";
 	}
     }
 }
@@ -1662,14 +1869,21 @@ sub run_user_exit1( $ ) {
 	if ( read_a_line ) {
 	    close_file;
 
-	    unless (my $return = eval `cat $file` ) {
-		fatal_error "Couldn't parse $file: $@" if $@;
-		fatal_error "Couldn't do $file: $!"    unless defined $return;
-		fatal_error "Couldn't run $file";
-	    }
-	}
+	    my $command = qq(package Shorewall::User;\n# line 1 "$file"\n) . `cat $file`;
 
-	pop_open;
+	    unless (my $return = eval $command ) {
+		fatal_error "Couldn't parse $file: $@" if $@;
+
+		unless ( defined $return ) {
+		    fatal_error "Couldn't do $file: $!" if $!;
+		    fatal_error "Couldn't do $file";
+		}
+
+		fatal_error "$file returned a false value";
+	    }
+	} else {
+	    pop_open;
+	}
     }
 }
 
@@ -1688,8 +1902,13 @@ sub run_user_exit2( $$ ) {
 
 	    unless (my $return = eval `cat $file` ) {
 		fatal_error "Couldn't parse $file: $@" if $@;
-		fatal_error "Couldn't do $file: $!"    unless defined $return;
-		fatal_error "Couldn't run $file";
+
+		unless ( defined $return ) {
+		    fatal_error "Couldn't do $file: $!" if $!;
+		    fatal_error "Couldn't do $file";
+		}
+
+		fatal_error "$file returned a false value";
 	    }
 	}
 
@@ -1733,10 +1952,17 @@ sub generate_aux_config() {
 }
 
 END {
-    if ( $object ) {
-	close $object;
-	unlink $tempfile;
-    }
+    #
+    # Close files first in case we're running under Cygwin
+    #
+    close  $object         if $object;
+    close  $scriptfile     if $scriptfile;
+    #
+    # Unlink temporary files
+    #
+    unlink $tempfile       if $tempfile;
+    unlink $scriptfilename if $scriptfilename;
+    unlink $_ for @tempfiles; 
 }
 
 1;
diff --git a/Shorewall-perl/Shorewall/Nat.pm b/Shorewall-perl/Shorewall/Nat.pm
index 9f6f47ae6..3ddcd4fa6 100644
--- a/Shorewall-perl/Shorewall/Nat.pm
+++ b/Shorewall-perl/Shorewall/Nat.pm
@@ -25,10 +25,10 @@
 #
 package Shorewall::Nat;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
-use Shorewall::Chains;
+use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 
 use strict;
@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = 4.0.3;
+our $VERSION = 4.0.6;
 
 our @addresses_to_add;
 our %addresses_to_add;
@@ -188,49 +188,60 @@ sub setup_one_masq($$$$$$$)
 
     my $detectaddress = 0;
     my $exceptionrule = '';
+    my $randomize     = '';
     #
     # Parse the ADDRESSES column
     #
     if ( $addresses ne '-' ) {
-	if ( $addresses =~ /^SAME:nodst:/ ) {
-	    $target = '-j SAME --nodst ';
-	    $addresses =~ s/.*://;
-	    for my $addr ( split /,/, $addresses ) {
-		$target .= "--to $addr ";
-	    }
-	} elsif ( $addresses =~ /^SAME:/ ) {
-	    $target = '-j SAME ';
-	    $addresses =~ s/.*://;
-	    for my $addr ( split /,/, $addresses ) {
-		$target .= "--to $addr ";
-	    }
-	} elsif ( $addresses eq 'detect' ) {
-	    my $variable = get_interface_address $interface;
-	    $target = "-j SNAT --to-source $variable";
-
-	    if ( interface_is_optional $interface ) {
-		add_commands( $chainref,
-			      '',
-			      "if [ \"$variable\" != 0.0.0.0 ]; then" );
-		incr_cmd_level( $chainref );
-		$detectaddress = 1;
-	    }
+	if ( $addresses eq 'random' ) {
+	    $randomize = '--random ';
 	} else {
-	    my $addrlist = '';
-	    for my $addr ( split /,/, $addresses ) {
-		if ( $addr =~ /^.*\..*\..*\./ ) {
-		    $target = '-j SNAT ';
-		    $addrlist .= "--to-source $addr ";
-		    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
-		} else {
-		    $addr =~ s/^://;
-		    $addrlist .= "--to-ports $addr ";
-		    $exceptionrule = do_proto( $proto, '', '' );
-		}
-	    }
+	    $addresses =~ s/:random$// and $randomize = '--random ';
 
-	    $target .= $addrlist;
+	    if ( $addresses =~ /^SAME:nodst:/ ) {
+		fatal_error "':random' is not supported by the SAME target" if $randomize;
+		$target = '-j SAME --nodst ';
+		$addresses =~ s/.*://;
+		for my $addr ( split /,/, $addresses ) {
+		    $target .= "--to $addr ";
+		}
+	    } elsif ( $addresses =~ /^SAME:/ ) {
+		fatal_error "':random' is not supported by the SAME target" if $randomize;
+		$target = '-j SAME ';
+		$addresses =~ s/.*://;
+		for my $addr ( split /,/, $addresses ) {
+		    $target .= "--to $addr ";
+		}
+	    } elsif ( $addresses eq 'detect' ) {
+		my $variable = get_interface_address $interface;
+		$target = "-j SNAT --to-source $variable";
+		
+		if ( interface_is_optional $interface ) {
+		    add_commands( $chainref,
+				  '',
+				  "if [ \"$variable\" != 0.0.0.0 ]; then" );
+		    incr_cmd_level( $chainref );
+		    $detectaddress = 1;
+		}
+	    } else {
+		my $addrlist = '';
+		for my $addr ( split /,/, $addresses ) {
+		    if ( $addr =~ /^.*\..*\..*\./ ) {
+			$target = '-j SNAT ';
+			$addrlist .= "--to-source $addr ";
+			$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
+		    } else {
+			$addr =~ s/^://;
+			$addrlist .= "--to-ports $addr ";
+			$exceptionrule = do_proto( $proto, '', '' );
+		    }
+		}
+		
+		$target .= $addrlist;
+	    }
 	}
+
+	$target .= $randomize;
     } else {
 	$add_snat_aliases = 0;
     }
@@ -284,18 +295,12 @@ sub setup_one_masq($$$$$$$)
 #
 sub setup_masq()
 {
-    my $first_entry = 1;
-
     my $fn = open_file 'masq';
 
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
+    
     while ( read_a_line ) {
 
-	if ( $first_entry ) {
-	    progress_message2 "$doing $fn...";
-	    require_capability( 'NAT_ENABLED' , 'a non-empty masq file' , 's' );
-	    $first_entry = 0;
-	}
-
 	my ($fullinterface, $networks, $addresses, $proto, $ports, $ipsec, $mark ) = split_line1 2, 7, 'masq file';
 
 	if ( $fullinterface eq 'COMMENT' ) {
@@ -395,18 +400,12 @@ sub do_one_nat( $$$$$ )
 #
 sub setup_nat() {
 
-    my $first_entry = 1;
-
     my $fn = open_file 'nat';
 
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
+    
     while ( read_a_line ) {
 
-	if ( $first_entry ) {
-	    progress_message2 "$doing $fn...";
-	    require_capability( 'NAT_ENABLED' , 'a non-empty nat file', 's' );
-	    $first_entry = 0;
-	}
-
 	my ( $external, $interface, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
 
 	if ( $external eq 'COMMENT' ) {
@@ -425,17 +424,11 @@ sub setup_nat() {
 #
 sub setup_netmap() {
 
-    my $first_entry = 1;
-
     my $fn = open_file 'netmap';
 
-    while ( read_a_line ) {
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
 
-	if ( $first_entry ) {
-	    progress_message2 "$doing $fn...";
-	    require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' , 's' );
-	    $first_entry = 0;
-	}
+    while ( read_a_line ) {
 
 	my ( $type, $net1, $interface, $net2 ) = split_line 4, 4, 'netmap file';
 
diff --git a/Shorewall-perl/Shorewall/Policy.pm b/Shorewall-perl/Shorewall/Policy.pm
index 4f10b0848..92a1ccda9 100644
--- a/Shorewall-perl/Shorewall/Policy.pm
+++ b/Shorewall-perl/Shorewall/Policy.pm
@@ -24,9 +24,9 @@
 #
 package Shorewall::Policy;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
-use Shorewall::Chains;
+use Shorewall::Chains qw( :DEFAULT :internal) ;
 use Shorewall::Actions;
 
 use strict;
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
 our @EXPORT_OK = qw(  );
-our $VERSION = 4.0.5;
+our $VERSION = 4.0.6;
 
 # @policy_chains is a list of references to policy chains in the filter table
 
@@ -207,15 +207,10 @@ sub validate_policy()
 
     my $fn = open_file 'policy';
 
-    my $first_entry = 1;
+    first_entry "$doing $fn...";
 
     while ( read_a_line ) {
 
-	if ( $first_entry ) {
-	    progress_message2 "$doing $fn...";
-	    $first_entry = 0;
-	}
-
 	my ( $client, $server, $policy, $loglevel, $synparams ) = split_line 3, 5, 'policy file';
 
 	$loglevel  = '' if $loglevel  eq '-';
diff --git a/Shorewall-perl/Shorewall/Proc.pm b/Shorewall-perl/Shorewall/Proc.pm
index 383fea190..87c3b0ac6 100644
--- a/Shorewall-perl/Shorewall/Proc.pm
+++ b/Shorewall-perl/Shorewall/Proc.pm
@@ -27,9 +27,8 @@
 #
 package Shorewall::Proc;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
-use Shorewall::Chains;
 
 use strict;
 
@@ -42,7 +41,7 @@ our @EXPORT = qw(
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = 4.0.1;
+our $VERSION = 4.0.6;
 
 #
 # ARP Filtering
diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm
index 2d434caad..16f1d31de 100644
--- a/Shorewall-perl/Shorewall/Providers.pm
+++ b/Shorewall-perl/Shorewall/Providers.pm
@@ -25,17 +25,17 @@
 #
 package Shorewall::Providers;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
-use Shorewall::Chains;
+use Shorewall::Chains qw(:DEFAULT :internal);
 
 use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces);
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.0.3;
+our $VERSION = 4.0.6;
 
 use constant { LOCAL_NUMBER   => 255,
 	       MAIN_NUMBER    => 254,
@@ -83,8 +83,7 @@ INIT {
 # Set up marking for 'tracked' interfaces. Unlike in Shorewall 3.x, we add these rules unconditionally, even if the associated interface isn't up.
 #
 sub setup_route_marking() {
-    my $mask    = $config{HIGH_ROUTE_MARKS} ? '0xFF00' : '0xFF';
-    my $mark_op = $config{HIGH_ROUTE_MARKS} ? '--or-mark' : '--set-mark';
+    my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFF00' : '0xFF';
 
     require_capability( 'CONNMARK_MATCH' , 'the provider \'track\' option' , 's' );
     require_capability( 'CONNMARK' ,       'the provider \'track\' option' , 's' );
@@ -96,7 +95,7 @@ sub setup_route_marking() {
 
     while ( my ( $interface, $mark ) = ( each %routemarked_interfaces ) ) {
 	add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
-	add_rule $chainref, " -i $interface -j MARK $mark_op $mark";
+	add_rule $chainref, " -i $interface -j MARK --set-mark $mark";
     }
 
     add_rule $chainref, "-m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask";
@@ -476,17 +475,12 @@ sub setup_providers() {
 
 	if ( $fn ) {
 
-	    my $first_entry = 0;
-
+	    first_entry "$doing $fn...";
+	    
 	    emit '';
 
 	    while ( read_a_line ) {
 
-		if ( $first_entry ) {
-		    progress_message2 "$doing $fn...";
-		    $first_entry = 0;
-		}
-
 		my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
 
 		add_an_rtrule( $source, $dest, $provider , $priority );
diff --git a/Shorewall-perl/Shorewall/Proxyarp.pm b/Shorewall-perl/Shorewall/Proxyarp.pm
index ad7c7af9f..82b9c7fbd 100644
--- a/Shorewall-perl/Shorewall/Proxyarp.pm
+++ b/Shorewall-perl/Shorewall/Proxyarp.pm
@@ -23,7 +23,7 @@
 #
 package Shorewall::Proxyarp;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 
 use strict;
@@ -35,7 +35,7 @@ our @EXPORT = qw(
 		  );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.0.1;
+our $VERSION = 4.0.6;
 
 our @proxyarp;
 
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index 8c8936195..81333c34f 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -24,10 +24,10 @@
 #
 package Shorewall::Rules;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
-use Shorewall::Chains;
+use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::Actions;
 use Shorewall::Policy;
 use Shorewall::Proc;
@@ -47,7 +47,7 @@ our @EXPORT = qw( process_tos
 		  dump_rule_chains
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = 4.0.5;
+our $VERSION = 4.0.6;
 
 #
 # Keep track of chains for the /var/lib/shorewall[-lite]/chains file
@@ -95,20 +95,17 @@ sub process_tos() {
 
     if ( my $fn = open_file 'tos' ) {
 	my $first_entry = 1;
-
+	
 	my ( $pretosref, $outtosref );
 
+	first_entry( sub { progress_message2 "$doing $fn..."; $pretosref = ensure_chain 'mangle' , $chain; $outtosref = ensure_chain 'mangle' , 'outtos'; } );
+
 	while ( read_a_line ) {
 
-	    if ( $first_entry ) {
-		progress_message2 "$doing $fn...";
-		$pretosref = ensure_chain 'mangle' , $chain;
-		$outtosref = ensure_chain 'mangle' , 'outtos';
-		$first_entry = 0;
-	    }
-
 	    my ($src, $dst, $proto, $sports, $ports , $tos, $mark ) = split_line 6, 7, 'tos file entry';
 
+	    $first_entry = 0;
+
 	    fatal_error "A value must be supplied in the TOS column" if $tos eq '-';
 	    
 	    if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) {
@@ -166,15 +163,10 @@ sub setup_ecn()
 
     if ( my $fn = open_file 'ecn' ) {
 
-	my $first_entry = 1;
+	first_entry "$doing $fn...";
 
 	while ( read_a_line ) {
 
-	    if ( $first_entry ) {
-		progress_message2 "$doing $fn...";
-		$first_entry = 0;
-	    }
-
 	    my ($interface, $hosts ) = split_line 1, 2, 'ecn file entry';
 
 	    fatal_error "Unknown interface ($interface)" unless known_interface $interface;
@@ -229,15 +221,10 @@ sub setup_rfc1918_filteration( $ ) {
 
     my $fn = open_file 'rfc1918';
 
-    my $first_entry = 1;
+    first_entry "$doing $fn...";
 
     while ( read_a_line ) {
 
-	if ( $first_entry ) {
-	    progress_message2 "$doing $fn...";
-	    $first_entry = 0;
-	}
-
 	my ( $networks, $target ) = split_line 2, 2, 'rfc1918 file';
 
 	my $s_target;
@@ -297,6 +284,8 @@ sub setup_blacklist() {
 	if ( my $fn = open_file 'blacklist' ) {
 
 	    my $first_entry = 1;
+	    
+	    first_entry "$doing $fn...";
 
 	    while ( read_a_line ) {
 
@@ -307,7 +296,6 @@ sub setup_blacklist() {
 			last BLACKLIST;
 		    }
 
-		    progress_message2 "$doing $fn...";
 		    $first_entry = 0;
 		}
 
@@ -353,17 +341,12 @@ sub process_criticalhosts() {
 
     my $fn = open_file 'routestopped';
 
-    my $first_entry = 1;
+    first_entry "$doing $fn for critical hosts...";
 
     while ( read_a_line ) {
 
 	my $routeback = 0;
 
-	if ( $first_entry ) {
-	    progress_message2 "$doing $fn for critical hosts...";
-	    $first_entry = 0;
-	}
-
 	my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file';
 
 	fatal_error "Unknown interface ($interface)" unless known_interface $interface;
@@ -399,17 +382,12 @@ sub process_routestopped() {
 
     my $fn = open_file 'routestopped';
 
-    my $first_entry = 1;
+    first_entry "$doing $fn...";
 
     while ( read_a_line ) {
 
 	my $routeback = 0;
 
-	if ( $first_entry ) {
-	    progress_message2 "$doing $fn...";
-	    $first_entry = 0;
-	}
-
 	my ($interface, $hosts, $options ) = split_line 1, 3, 'routestopped file';
 
 	fatal_error "Unknown interface ($interface)" unless known_interface $interface;
@@ -724,15 +702,10 @@ sub setup_mac_lists( $ ) {
 
 	my $fn = open_file 'maclist';
 
-	my $first_entry = 1;
+	first_entry "$doing $fn...";
 
 	while ( read_a_line ) {
 
-	    if ( $first_entry ) {
-		progress_message2 "$doing $fn...";
-		$first_entry = 0;
-	    }
-
 	    my ( $disposition, $interface, $mac, $addresses  ) = split_line1 3, 4, 'maclist file';
 
 	    if ( $disposition eq 'COMMENT' ) {
@@ -937,7 +910,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 
     if ( $actiontype == MACRO ) {
 	#
-	# Will call process_rule1() recursively for each rule in the macro body
+	# process_macro() will call process_rule1() recursively for each rule in the macro body
 	#
 	fatal_error "Macro invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;
 
@@ -975,7 +948,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
     }
     #
-    # We can now dispense with the postfix characters
+    # We can now dispense with the postfix character
     #
     $action =~ s/[\+\-!]$//;
     #
@@ -992,7 +965,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
     #
     if ( $actiontype & REDIRECT ) {
 	if ( $dest eq '-' ) {
-	    $dest = firewall_zone;
+	    $dest = join( '', firewall_zone, '::' , $ports =~ /[:,]/ ? '' : $ports );
 	} else {
 	    $dest = join( '', firewall_zone, '::', $dest ) unless $dest =~ /:/;
 	}
@@ -1050,6 +1023,11 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 	}
     }
 
+    #
+    # For compatibility with older Shorewall versions
+    #
+    $origdest = ALLIPv4 if $origdest eq 'all';
+
     #
     # Take care of chain
     #
@@ -1079,17 +1057,13 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
     #
     $chainref = ensure_filter_chain $chain, 1;
     #
-    # For compatibility with older Shorewall versions
-    #
-    $origdest = ALLIPv4 if $origdest eq 'all';
-    #
     # Generate Fixed part of the rule
     #
     $rule = join( '', do_proto($proto, $ports, $sports), do_ratelimit( $ratelimit, $basictarget ) , do_user( $user ) , do_test( $mark , 0xFF ) );
 
     unless ( $section eq 'NEW' ) {
 	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
-	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & NONAT;
+	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
 	$rule .= "-m state --state $section "
     }
 
@@ -1098,23 +1072,42 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
     #
     if ( $actiontype & NATRULE ) {
 	my ( $server, $serverport );
-	fatal_error "$target rules not allowed in the $section SECTION"  if $section ne 'NEW';
+	my $randomize = $dest =~ s/:random$// ? '--random ' : '';
+
 	require_capability( 'NAT_ENABLED' , "$basictarget rules", '' );
 	#
-	# Isolate server port
+	# Isolate server port 
 	#
 	if ( $dest =~ /^(.*)(:(.+))$/ ) {
-	    $server = $1;
-	    $serverport = validate_portrange $proto, $3;
+	    #
+	    # Server IP and Port
+	    #
+	    $server = $1;      # May be empty
+	    $serverport = $3;  # Not Empty due to RE 
+	    if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
+		#
+		# Server Port Range
+		#
+		fatal_error "Invalid port range ($serverport)" unless $1 < $2;
+		my @ports = ( $1, $2 );
+		$_ = validate_port( proto_name( $proto ), $_) for ( @ports );
+		( $ports = $serverport ) =~ tr/-/:/;
+	    } else {
+		$serverport = $ports = validate_port( proto_name( $proto ), $serverport );
+	    }
+	} elsif ( $dest eq ':' ) {
+	    #
+	    # Rule with no server IP or port ( zone:: )
+	    #
+	    $server = $serverport = '';
 	} else {
+	    #
+	    # Simple server IP address (may be empty or "-")
+	    #
 	    $server = $dest;
 	    $serverport = '';
 	}
 
-	#
-	# After DNAT, dest port will be the server port. Capture it here because $serverport gets modified below.
-	#
-	my $servport = $serverport ne '' ? $serverport : $ports;
 	#
 	# Generate the target
 	#
@@ -1122,7 +1115,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 
 	if ( $actiontype  & REDIRECT ) {
 	    fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server;
-	    $target = '-j REDIRECT --to-port ' . $servport;
+	    $target  = '-j REDIRECT ';
+	    $target .= "--to-port $serverport " if $serverport;
 	    if ( $origdest eq '' || $origdest eq '-' ) {
 		$origdest = ALLIPv4;
 	    } elsif ( $origdest eq 'detect' ) {
@@ -1142,6 +1136,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 	    if ( $action eq 'SAME' ) {
 		fatal_error 'Port mapping not allowed in SAME rules' if $serverport;
 		fatal_error 'SAME not allowed with SOURCE=$FW'       if $sourcezone eq firewall_zone;
+		fatal_error "':random' is not supported by the SAME target" if $randomize;
+		warning_message 'Netfilter support for SAME is being dropped in early 2008';
 		$target = '-j SAME ';
 		for my $serv ( split /,/, $server ) {
 		    $target .= "--to $serv ";
@@ -1165,6 +1161,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 	    }
 	}
 
+	$target .= $randomize;
+
 	#
 	# And generate the nat table rule(s)
 	#
@@ -1180,14 +1178,13 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 		      $serverport ? do_proto( $proto, '', '' ) : '' );
 	#
 	# After NAT:
-	#   - the destination port will be the server port
-	#   - the destination IP   will be the server IP
+	#   - the destination port will be the server port ($ports) -- we did that above
+	#   - the destination IP   will be the server IP   ($dest)
 	#   - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
 	#   - the target will be ACCEPT.
 	#
 	unless ( $actiontype & NATONLY ) {
-	    $servport =~ tr/-/:/ if $servport ne '-';
-	    $rule = join( '', do_proto( $proto, $servport, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) );
+	    $rule = join( '', do_proto( $proto, $ports, $sports ), do_ratelimit( $ratelimit, 'ACCEPT' ), do_user $user , do_test( $mark , 0xFF ) );
 	    $loglevel = '';
 	    $dest     = $server;
 	    $action   = 'ACCEPT';
@@ -1348,15 +1345,10 @@ sub process_rules() {
 
     my $fn = open_file 'rules';
 
-    my $first_entry = 1;
+    first_entry "$doing $fn...";
 
     while ( read_a_line ) {
 
-	if ( $first_entry ) {
-	    progress_message2 "$doing $fn...";
-	    $first_entry = 0;
-	}
-
 	my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark ) = split_line2 1, 10, 'rules file';
 
 	if ( $target eq 'COMMENT' ) {
@@ -1398,7 +1390,7 @@ sub process_rules() {
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
 # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
 #
-# The function traverses the full "source-zone X destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules.
+# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules.
 #
 sub generate_matrix() {
     #
@@ -1468,7 +1460,7 @@ sub generate_matrix() {
     }
 
     #
-    # Generate_Matrix() Starts Here
+    #                               G e n e r a t e _ M a t r i x ( )   S t a r t s  H e r e
     #
     start_matrix;
 
diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm
index 278675983..bf67f0390 100644
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@@ -29,9 +29,9 @@
 #
 package Shorewall::Tc;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
-use Shorewall::Chains;
+use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::Providers;
 
 use strict;
@@ -39,7 +39,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = 4.0.5;
+our $VERSION = 4.0.6;
 
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -269,8 +269,6 @@ sub process_tc_rule( $$$$$$$$$$ ) {
 
 	    fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes'
 		if $cmd && $chain eq 'tcpre' && numeric_value( $cmd ) <= 0xFF && $config{HIGH_ROUTE_MARKS};
-
-	    $target =~ s/set-mark/or-mark/ if numeric_value( $cmd ) > 0xFF && ( $chain eq 'tcpre' || $chain eq 'tcout' );
 	}
     }
 
@@ -408,15 +406,10 @@ sub setup_traffic_shaping() {
     my $fn = open_file 'tcdevices';
 
     if ( $fn ) {
-	my $first_entry = 1;
+	first_entry "$doing $fn...";
 
 	while ( read_a_line ) {
 
-	    if ( $first_entry ) {
-		progress_message2 "$doing $fn...";
-		$first_entry = 0;
-	    }
-
 	    my ( $device, $inband, $outband ) = split_line 3, 3, 'tcdevices';
 
 	    fatal_error "Invalid tcdevices entry" if $outband eq '-';
@@ -427,15 +420,10 @@ sub setup_traffic_shaping() {
     $fn = open_file 'tcclasses';
 
     if ( $fn ) {
-	my $first_entry = 1;
+	first_entry "$doing $fn...";
 
 	while ( read_a_line ) {
 
-	    if ( $first_entry ) {
-		progress_message2 "$doing $fn...";
-		$first_entry = 0;
-	    }
-
 	    my ( $device, $mark, $rate, $ceil, $prio, $options ) = split_line 4, 6, 'tcclasses file';
 
 	    validate_tc_class( $device, $mark, $rate, $ceil, $prio, $options );
@@ -550,8 +538,6 @@ sub setup_traffic_shaping() {
 #
 sub setup_tc() {
 
-    my $first_entry = 1;
-
     if ( $capabilities{MANGLE_ENABLED} ) {
 	ensure_mangle_chain 'tcpre';
 	ensure_mangle_chain 'tcout';
@@ -595,13 +581,9 @@ sub setup_tc() {
 
     if ( my $fn = open_file 'tcrules' ) {
 
-	while ( read_a_line ) {
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } );
 
-	    if ( $first_entry ) {
-		progress_message2 "$doing $fn...";
-		require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's' );
-		$first_entry = 0;
-	    }
+	while ( read_a_line ) {
 
 	    my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line1 2, 10, 'tcrules file';
 
diff --git a/Shorewall-perl/Shorewall/Tunnels.pm b/Shorewall-perl/Shorewall/Tunnels.pm
index 4bb1038ce..0ca265741 100644
--- a/Shorewall-perl/Shorewall/Tunnels.pm
+++ b/Shorewall-perl/Shorewall/Tunnels.pm
@@ -24,16 +24,17 @@
 #
 package Shorewall::Tunnels;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
-use Shorewall::Chains;
+use Shorewall::IPAddrs;
+use Shorewall::Chains qw(:DEFAULT :internal);
 
 use strict;
 
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = 4.0.3;
+our $VERSION = 4.0.6;
 
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -233,6 +234,8 @@ sub setup_tunnels() {
 	my $inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
 	my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
 
+	$gateway = ALLIPv4 if $gateway eq '-';
+
 	my $source = match_source_net $gateway;
 	my $dest   = match_dest_net   $gateway;
 
@@ -262,19 +265,14 @@ sub setup_tunnels() {
 	progress_message "   Tunnel \"$currentline\" $done";
     }
 
-    my $first_entry = 1;
-
     #
     # Setup_Tunnels() Starts Here
     #
     my $fn = open_file 'tunnels';
 
-    while ( read_a_line ) {
+    first_entry "$doing $fn...";
 
-	if ( $first_entry ) {
-	    progress_message2 "$doing $fn...";
-	    $first_entry = 0;
-	}
+    while ( read_a_line ) {
 
 	my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
 
diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm
index 8bd6cb448..c62d7cc68 100644
--- a/Shorewall-perl/Shorewall/Zones.pm
+++ b/Shorewall-perl/Shorewall/Zones.pm
@@ -25,7 +25,7 @@
 #
 package Shorewall::Zones;
 require Exporter;
-use Shorewall::Config;
+use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 
 use strict;
@@ -64,7 +64,7 @@ our @EXPORT = qw( NOTHING
 		 );
 
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.0.5;
+our $VERSION = 4.0.6;
 
 #
 # IPSEC Option types
@@ -161,8 +161,8 @@ INIT {
 # Convert value to decimal number
 #
 sub numeric_value ( $ ) {
-    my $mark = $_[0];
-    fatal_error "Invalid Numeric Value ($mark)" unless "\L$mark" =~ /^(0x[a-f0-9]+|0[0-7]*|[1-9]\d*)$/;
+    my $mark = lc $_[0];
+    fatal_error "Invalid Numeric Value ($mark)" unless $mark =~ /^(0x[a-f0-9]+|0[0-7]*|[1-9]\d*)$/;
     $mark =~ /^0/ ? oct $mark : $mark;
 }
 
@@ -245,15 +245,10 @@ sub determine_zones()
 
     my $fn = open_file 'zones';
 
-    my $first_entry = 1;
+    first_entry "$doing $fn...";
 
     while ( read_a_line ) {
 
-	if ( $first_entry ) {
-	    progress_message2 "$doing $fn...";
-	    $first_entry = 0;
-	}
-
 	my @parents;
 
 	my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
@@ -620,6 +615,7 @@ sub validate_interfaces_file( $ )
 	fatal_error "Invalid Interface Name ($interface)" if $interface eq '+';
 
 	if ( defined $port ) {
+	    fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	    require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
 	    require_capability( 'KLUDGEFREE', 'Bridge Ports', '');
 	    fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
diff --git a/Shorewall-perl/install.sh b/Shorewall-perl/install.sh
index 47e31dc8b..de69a4563 100755
--- a/Shorewall-perl/install.sh
+++ b/Shorewall-perl/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.0.5
+VERSION=4.0.6
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall-perl/prog.header b/Shorewall-perl/prog.header
index 5befe75cf..3090e6e10 100644
--- a/Shorewall-perl/prog.header
+++ b/Shorewall-perl/prog.header
@@ -177,7 +177,7 @@ loadmodule() # $1 = module name, $2 - * arguments
     local modulefile
     local suffix
 
-    if ! list_search $modulename $MODULES ; then
+    if ! list_search $modulename $DONT_LOAD $MODULES; then
 	shift
 
 	for suffix in $MODULE_SUFFIX ; do
diff --git a/Shorewall-perl/shorewall-perl.spec b/Shorewall-perl/shorewall-perl.spec
index 0428b17a5..9b497049f 100644
--- a/Shorewall-perl/shorewall-perl.spec
+++ b/Shorewall-perl/shorewall-perl.spec
@@ -1,5 +1,5 @@
 %define name shorewall-perl
-%define version 4.0.5
+%define version 4.0.6
 %define release 1
 
 Summary: Shoreline Firewall Perl-based compiler.
@@ -64,6 +64,14 @@ rm -rf $RPM_BUILD_ROOT
 %doc COPYING releasenotes.txt
 
 %changelog
+* Thu Nov 15 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-1
+* Sat Nov 10 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC3
+* Wed Nov 07 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC2
+* Thu Oct 25 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC1
 * Tue Oct 03 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.5-1
 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net
diff --git a/Shorewall-shell/compiler b/Shorewall-shell/compiler
index 2454daf61..daf1d9798 100755
--- a/Shorewall-shell/compiler
+++ b/Shorewall-shell/compiler
@@ -5194,6 +5194,7 @@ __EOF__
     LOCKFILE="$LOCKFILE"
     PATH="$PATH"
     TERMINATOR=fatal_error
+    DONT_LOAD="$DONT_LOAD"
 
 __EOF__
     if [ -n "$IPTABLES" ]; then
diff --git a/Shorewall-shell/install.sh b/Shorewall-shell/install.sh
index 968c582b0..128d02eba 100755
--- a/Shorewall-shell/install.sh
+++ b/Shorewall-shell/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 
-VERSION=4.0.5
+VERSION=4.0.6
 
 usage() # $1 = exit status
 {
diff --git a/Shorewall-shell/lib.providers b/Shorewall-shell/lib.providers
index a6ee6063d..198b8ff35 100644
--- a/Shorewall-shell/lib.providers
+++ b/Shorewall-shell/lib.providers
@@ -434,9 +434,9 @@ __EOF__
 #
 setup_route_marking()
 {
-    local mask=0xFF mark_op="--set-mark" save_indent="$INDENT"
+    local mask=0xFF save_indent="$INDENT"
 
-    [ -n "$HIGH_ROUTE_MARKS" ] && mask=0xFF00 && mark_op="--or-mark"
+    [ -n "$HIGH_ROUTE_MARKS" ] && mask=0xFF00
 
     run_iptables -t mangle -A PREROUTING -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask
     run_iptables -t mangle -A OUTPUT     -m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask
@@ -450,7 +450,7 @@ setup_route_marking()
 	save_command "if [ -n \"\$${iface}_up\" ]; then"
 	INDENT="$INDENT    "
 	run_iptables -t mangle -A PREROUTING -i $interface -m mark --mark 0/$mask -j routemark
-	run_iptables -t mangle -A routemark  -i $interface                        -j MARK $mark_op $mark_value
+	run_iptables -t mangle -A routemark  -i $interface                        -j MARK --set-mark $mark_value
 	INDENT="$save_indent"
 	save_command "fi"
     done
diff --git a/Shorewall-shell/lib.tcrules b/Shorewall-shell/lib.tcrules
index 4ac17aa08..749c47ea3 100644
--- a/Shorewall-shell/lib.tcrules
+++ b/Shorewall-shell/lib.tcrules
@@ -340,7 +340,6 @@ process_tc_rule()
 		if [ $((${mark%/*})) -gt 255 ]; then
 		    case $chain in
 			tcpre|tcout)
-			    target="MARK --or-mark"
 			    ;;
 			*)
 			    fatal_error "Invalid mark value ($mark) in rule \"$rule\""
diff --git a/Shorewall-shell/shorewall-shell.spec b/Shorewall-shell/shorewall-shell.spec
index e4bbd52c5..a02ef17da 100644
--- a/Shorewall-shell/shorewall-shell.spec
+++ b/Shorewall-shell/shorewall-shell.spec
@@ -1,5 +1,5 @@
 %define name shorewall-shell
-%define version 4.0.5
+%define version 4.0.6
 %define release 1
 
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@@ -81,6 +81,12 @@ fi
 %doc COPYING INSTALL 
 
 %changelog
+* Thu Nov 15 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-1
+* Sat Nov 10 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC3
+* Thu Oct 25 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC2
 * Tue Oct 03 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.5-1
 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net
diff --git a/web/shorewall_index.htm b/web/shorewall_index.htm
index 19007baf0..451a1b7bf 100644
--- a/web/shorewall_index.htm
+++ b/web/shorewall_index.htm
@@ -39,7 +39,9 @@ href="#Glossary">Glossary</a><br>
 
 <p style="margin-left: 0.42in;"><br>
 <a href="#Notice"><strong>Important Notice to users of Shorewall Multi-ISP
-Feature</strong></a><br>
+Feature</strong></a> -- <strong>UPDATED 7 November 2007</strong></p>
+
+<p style="margin-left: 0.42in;"><br>
 <a href="#Leaf">Leaf</a><br>
 <a href="#OpenWRT">OpenWRT</a><br>
 <a href="#Donations">Donations</a></p>
@@ -207,6 +209,8 @@ patching file compiler
 Hunk #1 succeeded at 958 (offset -1669 lines).
 root@wookie:/usr/share/shorewall#</pre>
 
+<h3>Update -- 7 November 2007</h3>
+
 <p>A second bug in Shorewall versions 3.2.0-3.2.11, 3.4.0-3.4.7 and
 4.0.0-4.0.5 can cause improper handing of PREROUTING and OUTPUT marks when
 HIGH_ROUTE_MARKS=Yes. Patches are also available to correct this problem:</p>