Bring trunk up to date with branches/4.0/

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7312 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2007-09-10 15:52:57 +00:00 · 2007-09-10 15:52:57 +00:00 · 6141995184
commit 6141995184
parent a06ad0e518
54 changed files with 1141 additions and 1274 deletions
--- a/Shorewall-common/README.txt
+++ b/Shorewall-common/README.txt
@ -1 +1 @@
-This is the Shorewall-common Development 4.1 branch of SVN.
+This is the Shorewall-common Stable 4.0 branch of SVN.
--- a/Shorewall-common/action.Drop
+++ b/Shorewall-common/action.Drop
@ -32,7 +32,7 @@ dropBcast
 #
 AllowICMPs	-	-	icmp
 #
-# Drop packets that in the INVALID state -- these are usually ICMP packets
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
 dropInvalid
--- a/Shorewall-common/action.Reject
+++ b/Shorewall-common/action.Reject
@ -16,7 +16,7 @@
 ###############################################################################
 #TARGET		SOURCE	DEST	PROTO
 #
-# Don't log 'auth' REJECT
+# Don't log 'auth' -- REJECT
 #
 Auth/REJECT
 #
@ -29,13 +29,13 @@ dropBcast
 #
 AllowICMPs	-	-	icmp
 #
-# Drop packets that in the INVALID state -- these are usually ICMP packets
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
 dropInvalid
 #
-# Reject Microsoft noise so that it doesn't clutter up the lot.
+# Reject Microsoft noise so that it doesn't clutter up the log.
 #
 SMB/REJECT
 DropUPnP
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@ -1,3 +1,105 @@
 Changes in 4.0.4
 1)  Fix 'refresh' with light-weight shells.
 2)  Various fixes for proxyarp.
 3)  Fix 'refresh' run-time error.
 4)  Cleaner behavior if module-init-tools not installed.
 5)  Fix [re-]initialization problems in Shorewall::Tc.
 6)  Make compile-time check for iptables-restore.
 Changes in 4.0.3
 1)  Streamline the checking for builtin chains in the accounting file.
 2)  Don't try to write/restore /etc/iproute2/rt_tables if it isn't
    writable. 
 3)  Allow Shorewall-perl compiler and libraries to be installed
    anywhere.
 4)  Add KEEP_RT_TABLES option.
 5)  Other provider changes.
 6)  Fix LOG target in Shorewall-shell.
 7)  Faster log processing.
 8)  Tweak handling of CLASSID in process_tc_rule().
 9)  Restore 3.4 'stop/clear/reset' behavior and make new behavior
    optional.
 10) Add act_police to modules file.
 11) Add 'mss' interface option.
 12) Add TCPMSS_MATCH to show capabilities -f.
 13) Insure a space between log prefix and IN=.
 14) Provide ESTABLISHED,RELATED rules for inappropriate CONTINUE policy
 15) Add hashlimit match detection.
 16) Fix 'add' and 'delete' when interface name contains special char.
 17) Fix PREROUTING track fiasco.
 18) Add NFQUEUE support.
 19) Allow refresh of chains other than 'blacklst'.
 20) Allow INCLUDE in run-time extension scripts.
 21) Fix zone sort.
 Changes in 4.0.2
 1)  Another ECN fix in Shorewall-perl.
 2)  Make 'state match' detection in Shorewall-perl quiet.
 3)  Detect port range in list without XMULTIPORT.
 4)  Move lockfile handling from 'firewall' to 'shorewall' and lib.cli.
 5)  Don't detect routed networks and interfaces addresses during
    'restore'.
 6)  Upcase some global variables in the generated script.
 7)  Remove some 'chain_base' mapping.
 8)  Eliminate a couple of global variables in the Chains module.
 9)  Cosmetic change to generated script.
 10) Allow tc configuration on bridge ports.
 11) Fix add/delete problem when Shorewall-shell is not installed.
 12) Don't overwrite ${VARDIR}/chains and ${VARDIR}/zones during
    'refresh'.
 13) Correct some error messages.
 14) Correct calculations involving number of keys in a hash.
 15) Load xt_multiport.
 16) Apply Günter Niedermeier's patch for multiport.
 17) Honor the BROADCAST column when address type match is not
    available.
 18) Fix accounting.
 Changes in 4.0.1
 1)  Add EXPAND_POLICIES.
--- a/Shorewall-common/ecn
+++ b/Shorewall-common/ecn
@ -3,7 +3,8 @@
 #
 # For information about entries in this file, type "man shorewall-ecn"
 #
-# For additional information, see http://shorewall.net/Documentation.htm#ECN
+# The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-ecn.html
 #
 ###############################################################################
 #INTERFACE	HOST(S)
--- a/Shorewall-common/fallback.sh
+++ b/Shorewall-common/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=4.0.3
+VERSION=4.0.4
 usage() # $1 = exit status
 {
--- a/Shorewall-common/firewall
+++ b/Shorewall-common/firewall
@ -422,49 +422,14 @@ clear_firewall() {
 delete_proxy_arp() {
    if [ -f ${VARDIR}/proxyarp ]; then
 	while read address interface external haveroute; do
 	    case $COMMAND in
 		stop|clear)
 	    qt arp -i $external -d $address pub
 	    [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
-		    ;;
+	    interface=/proc/sys/net/ipv4/conf/$interface
-		*)
+	    [ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp
 		    if [ -n "$STOPPING" ]; then
 			qt arp -i $external -d $address pub
 			qt arp -i $external -d $address pub
 			[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
 		    else
 			qt arp -i $external -d $address pub
 			if [ -z "$haveroute" ];then
 			    [ -n "$NOROUTE" ] || qt ip route del $address dev $interface
 			fi
 		    fi
 		    ;;
 	    esac
 	done < ${VARDIR}/proxyarp
    fi
    rm -f ${VARDIR}/proxyarp
    fi
    [ -d ${VARDIR} ] && touch ${VARDIR}/proxyarp
    case $COMMAND in
 	stop|clear)
 	    for f in /proc/sys/net/ipv4/conf/*; do
 		[ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
 	    done
 	    ;;
 	*)
 	    if [ -n "$STOPPING" ]; then
 		for f in /proc/sys/net/ipv4/conf/*; do
 		    [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
 		done
 	    else
 		for f in /proc/sys/net/ipv4/conf/*; do
 		    [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
 		done
 	    fi
 	    ;;
    esac
 }
 #
--- a/Shorewall-common/hosts
+++ b/Shorewall-common/hosts
@ -3,7 +3,8 @@
 #
 # For information about entries in this file, type "man shorewall-hosts"
 #
-# For additional information, see http://shorewall.net/Documentation.htm#Hosts
+# The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-hosts.html
 #
 ###############################################################################
 #ZONE	HOST(S)					OPTIONS
--- a/Shorewall-common/install.sh
+++ b/Shorewall-common/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.0.3
+VERSION=4.0.4
 usage() # $1 = exit status
 {
--- a/Shorewall-common/interfaces
+++ b/Shorewall-common/interfaces
@ -3,8 +3,8 @@
 #
 # For information about entries in this file, type "man shorewall-interfaces"
 #
-# For additional information, see
+# The manpage is also online at
-# http://shorewall.net/Documentation.htm#Interfaces
+# http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
--- a/Shorewall-common/masq
+++ b/Shorewall-common/masq
@ -3,7 +3,8 @@
 #
 # For information about entries in this file, type "man shorewall-masq"
 #
-# For additional information, see http://shorewall.net/Documentation.htm#Masq
+# The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
 ###############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
--- a/Shorewall-common/modules
+++ b/Shorewall-common/modules
@ -9,8 +9,8 @@
 #	dependency order. i.e., if M2 depends on M1 then you must load M1
 #	before you load M2.
 #
-# For additional information, see
+#  If you need to modify this file, copy it to /etc/shorewall and modify the
-# http://shorewall.net/Documentation.htm#modules
+#  copy.
 #
 ###############################################################################
 #
--- a/Shorewall-common/policy
+++ b/Shorewall-common/policy
@ -3,7 +3,8 @@
 #
 # For information about entries in this file, type "man shorewall-policy"
 #
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
+# The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG		LIMIT:BURST
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@ -1,6 +1,6 @@
-Shorewall 4.0.1
+Shorewall 4.0 Patch release 4
 ----------------------------------------------------------------------------
-                   R E L E A S E  H I G H L I G H T S
+               R E L E A S E  4 . 0  H I G H L I G H T S
 ----------------------------------------------------------------------------
 1) This is the first Shorewall release that fully integrates the new
   Shorewall-perl compiler. See the "New Features" section below.
@ -25,106 +25,47 @@ Shorewall 4.0.1
   Shorewall-perl compiler. This support utilizes the reduced-function
   physdev match support available in Linux kernel 2.6.20 and later.
-Problems corrected in 4.0.1.
+Problems Corrected in Shorewall 4.0.4
-1)  The Shorewall Lite installer was producing an empty shorewall-lite
+1)  If no interface had the 'blacklist' option, then when using
-    manpage. Since the installer runs as part of creating the RPM, the
+    Shorewall-perl, the 'start' and 'restart' command fail:
    RPM also suffered from this problem. The 4.0.0 Shorewall-lite 
    packages were re-uploaded with this problem corrected.
-2)  The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall
+        ERROR: No filter chain found with name blacklst
    rather than /sbin/shorewall-lite.
-3)  Both the Shorewall and Shorewall Lite uninstallers did a "shorewall
+    New Shorewall-perl 4.0.3 packages were released that corrected this
-    clear" if Shorewall [Lite] was running. Now, the Shorewall Lite
+    problem; it is included here for completeness.
    uninstaller correctly does "shorewall-lite clear" and both
    uninstallers only perform the 'clear' operation if the other
    product is not installed. This prevents the removal of one of the
    two products from clearing the firewall configuration established
    by the other one.
-4)  The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by
+2)  If no interface had the 'blacklist' option, then when using
-    Shorewall-perl. If the zone type was changed to 'ipsec' or
+    Shorewall-perl, the generated script would issue this harmless
-    'ipsec4' and the 'ipsec' option removed from the hosts file entry,
+    message during 'shorewall refresh':
    the configuration worked properly.
-5)  If a CLASSID was specified in a tcrule and TC_ENABLED=No, then
+        chainlist_reload: Not found
    Shorewall-perl produced the following:
-    Compiling...
+3)  If /bin/sh was a light-weight shell such as ash or dash, then
-    Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18.
+    'shorewall refresh' failed.
       ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18)
-6)  If IPTABLES was not specified in shorewall.conf, Shorewall-perl was
+4)  During start/restart, the script generated by Shorewall-perl is
-    locating the binary using the PATH environmental variable rather
+    clearing the proxy_arp flag on all interfaces; that is not the
-    than the PATH setting in shorewall.conf.  If no PATH was available
+    documented behavior.
    when Shorewall-perl was run and IPTABLES was not set in
    shorewall.conf, the following messages were issued:
-    Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054.
+5)  If the module-init-tools package was not installed and
-       ERROR: Can't find iptables executable
+    /etc/shorewall/modules did not exist or was non-empty, then
-       ERROR: Shorewall restart failed
+    Shorewall-perl would fail with the message:
-7)  If the "Mangle FORWARD Chain" capability was supported, entries in
+       ERROR: Can't run lsmod : /etc/shorewall/modules (line 0)
    the /etc/shorewall/ecn file would cause invalid iptables commands
    to be generated. This problem occurred with both compilers.
-8)  Shorewall now starts at reboot after an upgrade from shorewall <
+6)  Shorewall-perl now makes a compile-time check to insure that
-    4.0.0. Previously, Shorewall was not started automatically at
+    iptables-restore exists and is executable. This check is made when
-    reboot after an upgrade using the RPM.
+    the compiler is being run by root and the -e option is not
    given.
-9)  Shorewall-perl was generating invalid iptables-restore input when a
+    Note that iptables-restore must reside in the same directory as the
-    log level was specified with the dropBcast and allowBcast builtin
+    iptables executable specified by IPTABLES in shorewall.conf or
-    actions and when a log level followed by '!' was used with any
+    located by the PATH in the event that IPTABLES is not specified.
    builtin actions.
-10) Shorewall-perl was incorrectly rejecting 'min' as a valid unit of
+Other Changes in Shorewall 4.0.4
    time in rate-limiting specifications.
-11) Certain errors occurring during
+None.
    start/restart/safe-start/safe-restart/try processing could cause
    the lockfile to be left behind. This resulted in a 60-second delay
    the next time one of these commands was run.
 Other changes in Shorewall 4.0.1.
 1)  A new EXPAND_POLICIES option is added to shorewall.conf. The
    option is recognized by Shorewall-perl and is ignored by
    Shorewall-shell.
    Normally, when the SOURCE or DEST columns in shorewall-policy(5)
    contains 'all', a single policy chain is created and the policy is
    enforced in that chain. For example, if the policy entry is
 	     #SOURCE DEST POLICY LOG
 	     #                   LEVEL
 	     net     all  DROP   info
    then the chain name is 'net2all' which is also the chain named in
    Shorewall log messages generated as a result of the policy. If
    EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate
    chain for each pair of zones covered by the policy. This makes the
    resulting log messages easier to interpret since the chain in the
    messages will have a name of the form 'a2b' where 'a' is the SOURCE
    zone and 'b' is the DEST zone. See
    http://linuxman.wikispaces.com/PPPPPPS for more information.
 2)  The Shorewall-perl dependency on the "Address Type Match"
    capability has been relaxed. This allows Shorewall 4.0.1 to be used
    on releases like RHEL4 that don't support that capability.
 3)  Shorewall-perl now detects dead policy file entries that result
    when an entry is masked by an earlier entry. Example:
 	 all	 all	  REJECT    info
 	 loc	 net	  ACCEPT
 4)  Recent kernels are apparently hard to configure and we have been
    seeing a lot of problem reports where the root cause is the lack of
    state match support in the kernel. This problem is difficult to
    diagnose when using Shorewall-perl so the generated shell program
    now checks specifically for this problem and terminates with an
    error if the capability doesn't exist.
 Migration Considerations:
@ -712,6 +653,7 @@ Migration Considerations:
    - Perl File::Basename Module
    - Perl File::Temp Module
    - Perl Getopt::Long Module
    - Perl FindBin Module
    ------------------------------------------------------------------------
               U S I N G   T H E   N E W   C O M P I L E R
    ------------------------------------------------------------------------
@ -871,6 +813,12 @@ Migration Considerations:
 	supplimented with a stack trace. Requires the Carp Perl
 	module.
    --refresh=<chainlist>
 	If given, the compiled script's 'refresh' command will refresh
 	the chains in the comma-separated <chainlist> rather than
 	'blacklst'.
    Example (compiles the configuration in the current directory 
             generating a script named 'firewall' and using VERBOSITY
             2).
@ -893,7 +841,7 @@ Migration Considerations:
 	use lib '/usr/share/shorewall-perl';
 	use Shorewall::Compiler;
-	    compiler $filename, $directory, $verbose, $options
+	    compiler $filename, $directory, $verbose, $options $chains
    The arguments to the compiler function are as follows:
@ -913,6 +861,10 @@ Migration Considerations:
 			EXPORT    = 0x01
 			TIMESTAMP = 0x02
        $chains -     A comma-separated list of chains that the
                      generated script's 'refresh' command will
                      reload.
    The compiler raises an exception with 'die' if it encounters an
    error; $@ contains the 'ERROR' messages describing the problem.
@ -988,3 +940,400 @@ Migration Considerations:
    To use this feature with Shorewall-lite, all packages involved
    (compiler, shorewall-common and shorewall-lite) must be version
    4.0.0-RC2 or later.
 Problems corrected in 4.0.1.
 1)  The Shorewall Lite installer was producing an empty shorewall-lite
    manpage. Since the installer runs as part of creating the RPM, the
    RPM also suffered from this problem. The 4.0.0 Shorewall-lite 
    packages were re-uploaded with this problem corrected.
 2)  The Shorewall Lite uninstaller incorrectly removed /sbin/shorewall
    rather than /sbin/shorewall-lite.
 3)  Both the Shorewall and Shorewall Lite uninstallers did a "shorewall
    clear" if Shorewall [Lite] was running. Now, the Shorewall Lite
    uninstaller correctly does "shorewall-lite clear" and both
    uninstallers only perform the 'clear' operation if the other
    product is not installed. This prevents the removal of one of the
    two products from clearing the firewall configuration established
    by the other one.
 4)  The 'ipsec' OPTION in /etc/shorewall/hosts was mis-handled by
    Shorewall-perl. If the zone type was changed to 'ipsec' or
    'ipsec4' and the 'ipsec' option removed from the hosts file entry,
    the configuration worked properly.
 5)  If a CLASSID was specified in a tcrule and TC_ENABLED=No, then
    Shorewall-perl produced the following:
    Compiling...
    Use of uninitialized value in string ne at /usr/share/shorewall-perl/Shorewall/Tc.pm line 285, <$currentfile> line 18.
       ERROR: Class Id n:m is not associated with device eth0 : /etc/shorewall/tcrules (line 18)
 6)  If IPTABLES was not specified in shorewall.conf, Shorewall-perl was
    locating the binary using the PATH environmental variable rather
    than the PATH setting in shorewall.conf.  If no PATH was available
    when Shorewall-perl was run and IPTABLES was not set in
    shorewall.conf, the following messages were issued:
    Use of uninitialized value in split at /usr/share/shorewall-perl/Shorewall/Config.pm line 1054.
       ERROR: Can't find iptables executable
       ERROR: Shorewall restart failed
 7)  If the "Mangle FORWARD Chain" capability was supported, entries in
    the /etc/shorewall/ecn file would cause invalid iptables commands
    to be generated. This problem occurred with both compilers.
 8)  Shorewall now starts at reboot after an upgrade from shorewall <
    4.0.0. Previously, Shorewall was not started automatically at
    reboot after an upgrade using the RPM.
 9)  Shorewall-perl was generating invalid iptables-restore input when a
    log level was specified with the dropBcast and allowBcast builtin
    actions and when a log level followed by '!' was used with any
    builtin actions.
 10) Shorewall-perl was incorrectly rejecting 'min' as a valid unit of
    time in rate-limiting specifications.
 11) Certain errors occurring during
    start/restart/safe-start/safe-restart/try processing could cause
    the lockfile to be left behind. This resulted in a 60-second delay
    the next time one of these commands was run.
 Other changes in Shorewall 4.0.1.
 1)  A new EXPAND_POLICIES option is added to shorewall.conf. The
    option is recognized by Shorewall-perl and is ignored by
    Shorewall-shell.
    Normally, when the SOURCE or DEST columns in shorewall-policy(5)
    contains 'all', a single policy chain is created and the policy is
    enforced in that chain. For example, if the policy entry is
 	     #SOURCE DEST POLICY LOG
 	     #                   LEVEL
 	     net     all  DROP   info
    then the chain name is 'net2all' which is also the chain named in
    Shorewall log messages generated as a result of the policy. If
    EXPAND_POLICIES=Yes, then Shorewall-perl will create a separate
    chain for each pair of zones covered by the policy. This makes the
    resulting log messages easier to interpret since the chain in the
    messages will have a name of the form 'a2b' where 'a' is the SOURCE
    zone and 'b' is the DEST zone. See
    http://linuxman.wikispaces.com/PPPPPPS for more information.
 2)  The Shorewall-perl dependency on the "Address Type Match"
    capability has been relaxed. This allows Shorewall 4.0.1 to be used
    on releases like RHEL4 that don't support that capability.
 3)  Shorewall-perl now detects dead policy file entries that result
    when an entry is masked by an earlier entry. Example:
 	 all	 all	  REJECT    info
 	 loc	 net	  ACCEPT
 4)  Recent kernels are apparently hard to configure and we have been
    seeing a lot of problem reports where the root cause is the lack of
    state match support in the kernel. This problem is difficult to
    diagnose when using Shorewall-perl so the generated shell program
    now checks specifically for this problem and terminates with an
    error if the capability doesn't exist.
 Problems corrected in 4.0.2
 1)  The Shorewall-perl compiler was still generating invalid
    iptables-restore input from entries in /etc/shorewall/ecn.
 2)  When using Shorewall-perl, unless an interface was specified as
    'optional' in the interfaces file, the 'restore' command would
    fail if the routes through the interface or the addresses on the
    interface could not be detected.
    Route detection occurs when the interface is named in the SOURCE
    column of the masq file. Address detection occurs when
    DETECT_DNAT_IPADDRS=Yes and the interface is the SOURCE for a DNAT
    or REDIRECT rule or when 'maclist' is specified for the interface.
    Since the 'restore' command doesn't use the detected information,
    detection is now skipped if the command is 'restore'.
 3)  It was not previously possible to define traffic shaping on a
    bridge port; the generated script complained that the
    interface was not up and configured.
 4)  When Shorewall-shell was not installed, certain options in
    /etc/shorewall/interfaces and /etc/shorewall/hosts would cause the
    'add' and 'delete' commands to fail with a missing library error.
 	  OPTION               FILE
 	  maclist	       interfaces,hosts
 	  proxyarp	       interfaces
 5)  The /var/lib/shorewall/zones file was being overwritten during
    processing of the 'refresh' command by a script generated with
    Shorewall-perl. The result was that hosts previously added to
    dynamic zones could not be deleted after the 'refresh'.
 6)  If the file named as the output file in a Shorewall-perl 'compile'
    command was a symbolic link, the generated error message
    erroneously stated that the file's parent directory was a symbolic
    link.
    As part of this change, cosmetic changes were made to a number of
    other error messages.
 7)  Some intra-zone rules were missing when a zone involved multiple
    interfaces or when a zone included both IPSEC and non-IPSEC
    networks.
 8)  Shorewall was not previously loading the xt_multiport kernel
    module.
 9)  The Russian and French translations no longer have English headings
    on notes, cautions, etc..
 10) Previously, using a port list in the DEST PORT(S) column of the
    rules file or in an action file could cause an invalid iptables
    command to be generated by Shorewall-shell.
 11) If there were no bridges in a configuration, Shorewall-perl would
    ignore the CHAIN column in /etc/shorewall/accounting.
 Other changes in 4.0.2
 1)  Shorewall-perl now detects when a port range is included in a list
    of ports and iptables/kernel support for Extended Multi-port Match
    is not available. This avoids an iptables-restore failure at
    run-time.
 2)  Most chains created by Shorewall-shell have names that can be
    embedded within shell variable names. This is a workaround for
    limitations in the shell programming language which has no
    equivalent to Perl hashes. Often chain names must have the name of
    a network interface encoded in them. Given that interface names can
    contain characters that are invalid in a shell variable name,
    Shorewall-shell performs a name mapping which was carried forward to
    Shorewall-perl:
    - Trailing '+' is dropped.
    - The characters ".", "-", "%' and "@" are translated to "_".
    This mapping has been elminated in the 4.0.2 release of Shorewall-
    perl. So where before you would see chain "eth0_0_in", you may now
    see the same chain named "eth0.0_in". Similarly, a chain previously
    named "ppp_fwd" may now be called "ppp+_fwd".
 3)  Shorewall-perl now uses the contents of the BROADCAST column in
    /etc/shorewall/interfaces when the Address Type match capability is
    not available.
 Problems Corrected in 4.0.3
 1) Using the LOG target in the rules file could result in two LOG
   rules being generated by Shorewall-shell. Additionally, using an IP
   address range in a rule that performed logging could result in an
   invalid iptables command.
 2)  Shorewall now loads the act_police kernel module needed by traffic
    shaping.
 3)  Previously, "shorewall show -f capabilities" and "shorecap" omitted
    the "TCPMSS Match" capability. This made it appear to a compiler
    using a capabilities file that the TCPMSS Match capability was not
    available.
 4)  Previously, Shorewall would truncate long log prefixes to 29
    characters. This resulted in there being no space between the log
    prefix and the IN= part of the message.
    Example: fw2net:LOG:HTTPSoutIN= OUT=eth0
    Beginning with this release, Shorewall will truncate the prefix to
    28 bytes and add a trailing space.
    Example: fw2net:LOG:HTTPSou IN= OUT=eth0
 5)  Previously, if:
    - FASTACCEPT=No
    - The policy from Z1 to Z2 was CONTINUE
    - Neither Z1 nor Z2 had parent zones
    - There were no Z1->Z2 rules
    then connections from Z2->Z1 would fail even if there were
    rules/policies allowing them. This has been
    corrected.
 6)  The 'shorewall add' and 'shorewall delete' command would fail when:
    - The running configuration was compiled with Shorewall-perl.
    - The name of the interface specified in the command contained an
      embedded special character such as '.' or '-'.
    This problem was the result of the change in Shorewall 4.0.2 that
    removed the legacy mapping of interface names when embedding such
    names in a Netfilter chain name. To correct the problem, the
    pre-4.0.2 name mapping is restored when DYNAMIC_ZONES=Yes.
 5)  A bug in Shorewall-shell prevented proper handling of PREROUTING
    marks when HIGH_ROUTE_MARKS=No and the track option was specified
    in /etc/shorewall/providers.
 6)  With Shorewall-perl, if EXPORTPARAMS=Yes then INCLUDE directives in
    the params file would fail at script execution time with "INCLUDE:
    not found". This has been corrected.
 7)  Shorewall-perl was mis-sorting the zone list when zones were nested
    more than one deep.
 8)  Stale references to http://www.shorewall.net/Documentation.htm have
    been removed from the config files (including samples). That URL
    has been replaced by the online manpages.
 Other Changes in 4.0.3
 1)  A script generated by Shorewall-perl now tries to modify/restore
    /etc/iproute2/rt_tables only if the file is writable. This prevents
    run-time errors when /etc is mounted read-only.
    A new KEEP_RT_TABLES option has been added to shorewall.conf. When
    set to Yes, this option prevents Shorewall from altering the
    /etc/iproute2/rt_tables database. The KEEP_RT_TABLES option is only
    recognized by Shorewall-perl and is ignored by Shorewall-shell.
 2)  Shorewall-perl now requires the FindBin Perl module.
 3)  When an optional provider is not available, a script generated by
    Shorewall-perl will no longer add the corresponding
    routing rules.
 4)  A new 'isusable' extension script has been added. This script
    allows you to extend the availability test that Shorewall performs
    on optional providers.
    Here's an example that uses ping to ensure that the default
    gateways through eth0 and eth1 are reachable:
    case $1 in
        eth0)
 	    ping -c 4 -I eth0 206.124.146.254 > /dev/null 2>&1
            return
           ;;
        eth1)
            ping -c 4 -I eth1 192.168.12.254 > /dev/null 2>&1
            return
            ;;
        *)
            # Assume we don't need to do any additional testing
 	    # for this interface beyond Shorewall's
 	    return 0
 	    ;;
    esac
    Additional information is available at
    http://www.shorewall.net/shorewall_extension_scripts.htm.
 5)  Processing of the message log in the 'show log', 'logwatch' and
    'dump' commands has been speeded up thanks to a suggestion by
    Andrew Suffield.
 6)  Beginning with Shorewall 4.0, the shorewall 'stop', and 'clear'
    commands were processed by the generated script from the
    last successful 'start', 'restart' or 'refresh' command. This had
    the side effect that updates to the /etc/shorewall/routestopped
    file did not take effect until one of those three commands was
    successfully processed.
    Beginning with Shorewall 4.0.3, the old 3.x behavior is restored as
    the default and the 4.0 behavior is enabled using the '-f' command
    option.
    Example: shorewall stop -f
 7)  An 'mss' option has been added to the interfaces file. This option
    is only recognized by Shorewall-perl and causes Shorewall to set
    the MSS field in forwarded TCP SYN packets going in or out the
    interface to the value that you specify.
    Example:
    #ZONE	INTERFACE	BROADCAST	OPTIONS
    vpn		ppp0		-		mss=1400
    The mss option only affects incoming traffic that has not been
    decrypted by IPSEC and outgoing traffic that will not subsequently
    be encrypted by IPSEC. The MSS for IPSEC traffic is managed by the
    'mss' option in /etc/shorewall/zones.
 8)  Shorewall now detects the presence of the 'hashlimit match'
    capability. There is no builtin support yet for hashlimit but
    detection allows extension scripts for user-supplied actions to
    determine if the capability exists.
    With Shorewall-shell, $HASHLIMIT_MATCH will be non-empty if the
    capability exists.
    With Shorewall-perl, $capabilities{HASHLIMIT_MATCH} will be true in
    a boolean context if the capability exists. Shorewall-perl users
    may also code the following in their extension script:
    use Shorewall::Config;
    require_capability( 'HASHLIMIT_MATCH',      #Capability
                        'My hashlimit action' , #Feature requiring 
 						#capability
 			's' );                  #Feature is singular
                                                #(if plural, pass the
 						  empty string)
    That call would procduce the following fatal error if the
    capability isn't available:
    ERROR: My hashlimit action requires the Hashlimit match capability
           in your kernel and iptables
 9)  NFQUEUE support has been added to Shorewall-perl.
    NFQUEUE may appear in actions, macros, rules and as a policy.
    When NFQUEUE is used by itself, queue number zero is assumed. To
    specify a queue number, follow NFQUEUE by a slash ("/") and the
    queue number.
    Examples (/etc/shorewall/rules):
    NFQUEUE		loc	net	tcp #Queue number 0
    NFQUEUE/22		loc	net	udp #Queue number 22
    NFQUEUE/22:info	loc	net	gre #With logging
    An NFQUEUE_DEFAULT option has been added to shorewall.conf for
    specifying the default action to use with NFQUEUE policies.
    Use of NFQUEUE requires the NFQUEUE Target capability in your
    kernel/iptables. If you intend to use NFQUEUE with Shorewall-lite,
    then you must install Shorewall-lite 4.0.3 in order to build a
    capabilities file that includes NFQUEUE Target. If your
    capabilities file was generated by a Shorewall/Shorewall-lite
    version earlier that 4.0.3, you will receive a warning during
    compilation.
 10) The 'refresh' command can now refresh chains other than 'blacklst'.
    The syntax of the command is now:
 	shorewall refresh [ <chain> ... ]
    If no <chain> is given then 'blacklst' is assumed. Otherwise, the
    Shorewall-perl compiler compiles a script whose 'refresh' command
    refreshes the listed <chain>(s).
    The listed chains are assumed to be in the filter table. You can
    refresh chains in other tables by prefixing the chain name with the
    table name followed by ":" (e.g., nat:net_dnat). Chain names which
    follow are assumed to be in that table until the end of the list or
    until an entry in the list names another table.
    This feature requires Shorewall-perl 4.0.3 as well as
    Shorewall-common 4.0.3.
--- a/Shorewall-common/routestopped
+++ b/Shorewall-common/routestopped
@ -3,8 +3,10 @@
 #
 # For information about entries in this file, type "man shorewall-routestopped"
 #
-# See http://shorewall.net/Documentation.htm#Routestopped and
+# The manpage is also online at
-# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# http://www.shorewall.net/manpages/shorewall-routestopped.html
 #
 # See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
 # information.
 #
 ###############################################################################
--- a/Shorewall-common/rules
+++ b/Shorewall-common/rules
@ -3,7 +3,8 @@
 #
 # For information on the settings in this file, type "man shorewall-rules"
 #
-# See http://shorewall.net/Documentation.htm#Rules for additional information.
+# The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
 ############################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
--- a/Shorewall-common/shorewall
+++ b/Shorewall-common/shorewall
@ -180,15 +180,6 @@ get_config() {
 	export IPTABLES
        #
        # See if we have a real version of "tail" -- use separate redirection so
        # that ash (aka /bin/sh on LRP) doesn't crap
        #
 	if ( tail -n5 /dev/null > /dev/null 2> /dev/null ) ; then
 	    realtail="Yes"
 	else
 	    realtail=""
 	fi
 	#
 	# Compile by non-root needs no restore file
 	#
@ -340,10 +331,11 @@ compiler() {
 	    shift 
 	    options="--verbose $VERBOSE ";
-	    [ -n "$EXPORT" ] && options="$options --export ";
+	    [ -n "$EXPORT" ] && options="$options --export "
-	    [ -n "$SHOREWALL_DIR" ] && options="$options --directory $SHOREWALL_DIR ";
+	    [ -n "$SHOREWALL_DIR" ] && options="$options --directory $SHOREWALL_DIR "
-	    [ -n "$TIMESTAMP" ] && options="$options --timestamp " ;
+	    [ -n "$TIMESTAMP" ] && options="$options --timestamp "
-	    [ -n "$debugging" ] && options="$options --debug " ;
+	    [ -n "$debugging" ] && options="$options --debug "
 	    [ -n "$REFRESHCHAINS" ] && options="$options --refresh $REFRESHCHAINS"
 	    [ -x $pc ] || startup_error "SHOREWALL_COMPILER=perl requires the shorewall-perl package which is not installed"
 	    #
 	    # Run the appropriate params file
@ -358,6 +350,7 @@ compiler() {
 	    ;;
 	shell)
 	    [ -x $sc ] || startup_error "SHOREWALL_COMPILER=shell requires the shorewall-shell package which is not installed"
 	    [ -n "$REFRESHCHAINS" ] && startup_error "Shorewall-shell does not support refresh of specific chains"
 	    $command $SHOREWALL_SHELL $sc $@
 	    ;;
 	*)
@ -779,13 +772,15 @@ refresh_command() {
 	esac
    done
-    case $# in
+    if [ $# -gt 0 ]; then
-	0)
+	REFRESHCHAINS=$1
-	    ;;
+	shift
-	*)
+
-	    usage 1
+	while [ $# -gt 0 ]; do
-	    ;;
+	    REFRESHCHAINS="$REFRESHCHAINS,$1"
-    esac
+	    shift
 	done
    fi
    shorewall_is_started || fatal_error "Shorewall is not running"
@ -1298,7 +1293,7 @@ usage() # $1 = exit status
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
-    echo "   refresh [ -C {shell|perl} ]"
+    echo "   refresh [ -C {shell|perl} ] [ <chain>... ]"
    echo "   reject <address> ..."
    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -C {shell|perl} ] [ <directory> ] <system>"
    echo "   reset"
@ -1483,7 +1478,7 @@ export PRODUCT="Shorewall"
 FIREWALL=$SHAREDIR/firewall
 LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
 VERSION_FILE=$SHAREDIR/version
-HELP=$SHAREDIR/help
+REFRESHCHAINS=
 for library in $LIBRARIES; do
    if [ -f $library ]; then
--- a/Shorewall-common/shorewall-common.spec
+++ b/Shorewall-common/shorewall-common.spec
@ -1,5 +1,5 @@
 %define name shorewall-common
-%define version 4.0.3
+%define version 4.0.4
 %define release 1
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -240,6 +240,8 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn Samples
 %changelog
 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.4-1
 * Mon Aug 13 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.3-1
 * Thu Aug 09 2007 Tom Eastep tom@shorewall.net
--- a/Shorewall-common/tunnels
+++ b/Shorewall-common/tunnels
@ -3,8 +3,8 @@
 #
 # For information about entries in this file, type "man shorewall-tunnels"
 #
-# See http://shorewall.net/Documentation.htm#Tunnels for additional
+# The manpage is also online at
-# information.
+# http://www.shorewall.net/manpages/shorewall-tunnels.html
 #
 ###############################################################################
 #TYPE			ZONE	GATEWAY		GATEWAY
--- a/Shorewall-common/uninstall.sh
+++ b/Shorewall-common/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.0.3
+VERSION=4.0.4
 usage() # $1 = exit status
 {
--- a/Shorewall-common/zones
+++ b/Shorewall-common/zones
@ -3,7 +3,8 @@
 #
 # For information about this file, type "man shorewall-zones"
 #
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
+# The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-zones.html
 #
 ###############################################################################
 #ZONE	TYPE		OPTIONS		IN			OUT
--- a/Shorewall-lite/README.txt
+++ b/Shorewall-lite/README.txt
@ -1 +1 @@
-This is the Shorewall-lite Development 4.1 branch of SVN.
+This is the Shorewall-lite Stable 4.0 branch of SVN.
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
-VERSION=4.0.2
+VERSION=4.0.4
 usage() # $1 = exit status
 {
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.0.2
+VERSION=4.0.4
 usage() # $1 = exit status
 {
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@ -93,9 +93,9 @@ get_config() {
    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
-	LOGREAD="logread"
+	LOGREAD="logread | tac"
    elif [ -f $LOGFILE ]; then
-	LOGREAD="cat $LOGFILE"
+	LOGREAD="tac $LOGFILE"
    else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	exit 2
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@ -1,5 +1,5 @@
 %define name shorewall-lite
-%define version 4.0.2
+%define version 4.0.4
 %define release 1
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
@ -98,6 +98,10 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.4-1
 * Mon Aug 13 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.3-1
 * Thu Aug 09 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.2-1
 * Sat Jul 21 2007 Tom Eastep tom@shorewall.net
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.0.2
+VERSION=4.0.4
 usage() # $1 = exit status
 {
--- a/Shorewall-perl/README.txt
+++ b/Shorewall-perl/README.txt
@ -1,2 +1,2 @@
-This is the Shorewall-perl Development 4.1 branch of SVN.
+This is the Shorewall-perl Stable 4.0 branch of SVN.
--- a/Shorewall-perl/Shorewall/Accounting.pm
+++ b/Shorewall-perl/Shorewall/Accounting.pm
@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = 4.01;
+our $VERSION = '4.03';
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
@ -70,7 +70,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
    }
    sub accounting_error() {
-	warning_message "Invalid Accounting rule";
+	fatal_error "Invalid Accounting rule";
    }
    sub jump_to_chain( $ ) {
@ -112,8 +112,10 @@ sub process_accounting_rule( $$$$$$$$$ ) {
    $source = ALLIPv4 if $source eq 'any' || $source eq 'all';
-    if ( @bridges ) {
+    if ( have_bridges ) {
-	if ( $source =~ /^$firewall_zone:?(.*)$/ ) {
+	my $fw = firewall_zone;
 	if ( $source =~ /^$fw:?(.*)$/ ) {
 	    $source = $1 ? $1 : ALLIPv4;
 	    $restriction = OUTPUT_RESTRICT;
 	    $chain = 'accountout' unless $chain and $chain ne '-';
@ -192,9 +194,9 @@ sub setup_accounting() {
 	}
    }
-    $comment = '';
+    clear_comment;
-    if ( @bridges ) {
+    if ( have_bridges ) {
 	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD/ ) {
 		insert_rule $filter_table->{$chain}, 1, '-j accounting';
--- a/Shorewall-perl/Shorewall/Actions.pm
+++ b/Shorewall-perl/Shorewall/Actions.pm
@ -54,7 +54,7 @@ our @EXPORT = qw( merge_levels
 		  %macros
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.03;
+our $VERSION = '4.03';
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@ -651,7 +651,7 @@ sub process_action3( $$$$$ ) {
 	}
    }
-    $comment = '';
+    clear_comment;
 }
 sub process_actions3 () {
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@ -53,6 +53,7 @@ our @EXPORT = qw( STANDARD
 		  ALL_RESTRICT
 		  process_comment
 		  clear_comment
 		  incr_cmd_level
 		  decr_cmd_level
 		  add_command
@ -61,7 +62,6 @@ our @EXPORT = qw( STANDARD
 		  add_file
 		  add_rule
 		  insert_rule
 		  insert_rule_nice
 		  chain_base
 		  forward_chain
 		  input_chain
@ -116,26 +116,22 @@ our @EXPORT = qw( STANDARD
 		  get_interface_bcasts
 		  set_global_variables
 		  create_netfilter_load
-		  create_blacklist_reload
+		  create_chainlist_reload
 		  @policy_chains
 		  %chain_table
 		  $nat_table
 		  $mangle_table
 		  $filter_table
 		  $section
 		  %sections
 		  $comment
 		  %targets
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.03;
+our $VERSION = '4.04';
 #
 # Chain Table
 #
 #    @policy_chains is a list of references to policy chains in the filter table
 #
 #    %chain_table { <table> => { <chain1>  => { name         => <chain name>
 #                                               table        => <table name>
 #                                               is_policy    => 0|1
@ -166,7 +162,6 @@ our $VERSION = 4.03;
 #
 #       'loglevel', 'synparams', 'synchain' and 'default' only apply to policy chains.
 #
 our @policy_chains;
 our %chain_table;
 our $nat_table;
 our $mangle_table;
@ -234,7 +229,6 @@ our $mode;
 #
 sub initialize() {
    @policy_chains = ();
    %chain_table = ( raw    => {} ,
 		     mangle => {},
 		     nat    => {},
@ -335,6 +329,14 @@ sub process_comment() {
 	warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
    }
 }
 #
 # Clear the $comment variable
 #
 sub clear_comment() {
    $comment = '';
 }
 #
 # Functions to manipulate cmdlevel
 #
@ -731,8 +733,8 @@ sub finish_section ( $ ) {
 	$sections{$section} = 1;
    }
-    for my $zone ( @zones ) {
+    for my $zone ( all_zones ) {
-	for my $zone1 ( @zones ) {
+	for my $zone1 ( all_zones ) {
 	    my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
 	    if ( $chainref->{referenced} ) {
 		finish_chain_section $chainref, $sections;
@ -760,7 +762,7 @@ sub set_mss1( $$ ) {
 sub set_mss( $$$ ) {
    my ( $zone, $mss, $direction) = @_;
-    for my $z ( @zones ) {
+    for my $z ( all_zones ) {
 	if ( $direction eq '_in' ) {
 	    set_mss1 "${zone}2${z}" , $mss;
 	} elsif ( $direction eq '_out' ) {
@ -776,8 +778,8 @@ sub set_mss( $$$ ) {
 # Interate over non-firewall zones and interfaces with 'mss=' setting adding TCPMSS rules as appropriate. 
 #
 sub setup_zone_mss() {
-    for my $zone ( @zones ) {
+    for my $zone ( all_zones ) {
-	my $zoneref = $zones{$zone};
+	my $zoneref = find_zone( $zone );
 	set_mss( $zone, $zoneref->{options}{in_out}{mss}, ''     ) if $zoneref->{options}{in_out}{mss};
 	set_mss( $zone, $zoneref->{options}{in}{mss},     '_in'  ) if $zoneref->{options}{in}{mss};
@ -1104,7 +1106,7 @@ sub do_tos( $ ) {
 #
 sub match_source_dev( $ ) {
    my $interface = shift;
-    my $interfaceref =  $interfaces{$interface};
+    my $interfaceref =  find_interface( $interface );
    if ( $interfaceref && $interfaceref->{options}{port} ) {
 	"-i $interfaceref->{bridge} -m physdev --physdev-in $interface ";
    } else {
@ -1117,7 +1119,7 @@ sub match_source_dev( $ ) {
 #
 sub match_dest_dev( $ ) {
    my $interface = shift;
-    my $interfaceref =  $interfaces{$interface};
+    my $interfaceref =  find_interface( $interface );
    if ( $interfaceref && $interfaceref->{options}{port} ) {
 	"-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
    } else {
@ -1240,7 +1242,7 @@ sub match_orig_dest ( $ ) {
 sub match_ipsec_in( $$ ) {
    my ( $zone , $hostref ) = @_;
    my $match = '-m policy --dir in --pol ';
-    my $zoneref    = $zones{$zone};
+    my $zoneref    = find_zone( $zone );
    my $optionsref = $zoneref->{options};
    if ( $zoneref->{type} eq 'ipsec4' ) {
@ -1258,7 +1260,7 @@ sub match_ipsec_in( $$ ) {
 sub match_ipsec_out( $$ ) {
    my ( $zone , $hostref ) = @_;
    my $match = '-m policy --dir out --pol ';
-    my $zoneref    = $zones{$zone};
+    my $zoneref    = find_zone( $zone );
    my $optionsref = $zoneref->{options};
    if ( $zoneref->{type} eq 'ipsec4' ) {
@ -1537,7 +1539,7 @@ sub expand_rule( $$$$$$$$$$ )
 	    incr_cmd_level $chainref;
 	} else {
-	    fatal_error "Source Interface ($iiface) not allowed when the source zone is $firewall_zone" if $restriction & OUTPUT_RESTRICT;
+	    fatal_error "Source Interface ($iiface) not allowed when the source zone is the firewall zone" if $restriction & OUTPUT_RESTRICT;
 	    $rule .= match_source_dev( $iiface );
 	}
    }
@ -1598,7 +1600,7 @@ sub expand_rule( $$$$$$$$$$ )
 	    incr_cmd_level $chainref;
 	} else {
 	    fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
-	    fatal_error "Destination Interface ($diface) not allowed when the destination zone is $firewall_zone" if $restriction & INPUT_RESTRICT;
+	    fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT;
 	    if ( $iiface ) {
 		my $bridge = port_to_bridge( $diface );
@ -2013,19 +2015,34 @@ sub create_netfilter_load() {
 }
 #
-# Generate the netfilter input for refreshing the blacklist
+# Generate the netfilter input for refreshing a list of chains
 #
-sub create_blacklist_reload() {
+sub create_chainlist_reload($) {
    my $chains = $_[0];
    my @chains = split ',', $chains;
    unless ( @chains ) {
 	@chains = qw( blacklst ) if $filter_table->{blacklst};
    }
    $mode = NULL_MODE;
-    emit(  'blacklist_reload()',
+    emit(  'chainlist_reload()',
 	   '{'
 	   );
    push_indent;
-    save_progress_message "Preparing iptables-restore input...";
+    if ( @chains ) {
 	if ( @chains == 1 ) {
 	    progress_message2 "Compiling iptables-restore input for chain @chains...";
 	    save_progress_message "Preparing iptables-restore input for chain @chains...";
 	} else {
 	    progress_message2 "Compiling iptables-restore input for chain $chains...";
 	    save_progress_message "Preparing iptables-restore input for chains $chains...";
 	}
 	emit '';
@ -2033,18 +2050,57 @@ sub create_blacklist_reload() {
 	enter_cat_mode;
-    emit_unindented '*filter';
+	my $table = 'filter';
-    emit_unindented ':blacklst - [0:0]';
+	
 	my %chains;
 	for my $chain ( @chains ) {
 	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;
 	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter)$/;
 	    fatal_error "No $table chain found with name $chain" unless  $chain_table{$table}{$chain};
 	    $chains{$table} = [] unless $chains{$table};
 	    push @{$chains{$table}}, $chain; 
 	}
 	for $table qw(nat mangle filter) {
 	    next unless $chains{$table};
 	    emit_unindented "*$table";
 	    my $tableref=$chain_table{$table};
 	    @chains = sort @{$chains{$table}};
 	    for my $chain ( @chains ) {
 		my $chainref = $tableref->{$chain};
 		emit_unindented ":$chainref->{name} $chainref->{policy} [0:0]" if $chainref->{builtin};
 	    }
 	    for my $chain ( @chains ) {
 		my $chainref = $tableref->{$chain};
 		emit_unindented ":$chainref->{name} - [0:0]" unless $chainref->{builtin};
 	    }
 	    for my $chain ( @chains ) {
 		my $chainref = $tableref->{$chain};
 		my @rules = @{$chainref->{rules}};
 		@rules = () unless @rules;
 		#
-    # Emit the Blacklist rules
+		# Emit the chain rules
 		#
-    emitr $_ for ( @{$filter_table->{blacklst}{rules}} );
+		emitr $_ for ( @rules );
 	    }
 	    #
 	    # Commit the changes to the table
 	    #
 	    enter_cat_mode unless $mode == CAT_MODE;
 	    emit_unindented 'COMMIT';
 	}
 	enter_cmd_mode;
 	#
@ -2059,6 +2115,9 @@ sub create_blacklist_reload() {
 	       '    fatal_error "iptables-restore Failed. Input is in ${VARDIR}/.iptables-restore-input"',
 	       "fi\n"
 	    );
    } else {
 	emit('true');
    }
    pop_indent;
--- a/Shorewall-perl/Shorewall/Compiler.pm
+++ b/Shorewall-perl/Shorewall/Compiler.pm
@ -41,7 +41,7 @@ use Shorewall::Proxyarp;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = 4.03;
+our $VERSION = '4.04';
 our $export;
@ -58,6 +58,7 @@ sub reinitialize() {
    Shorewall::Config::initialize;
    Shorewall::Chains::initialize;
    Shorewall::Zones::initialize;
    Shorewall::Policy::initialize;
    Shorewall::Nat::initialize;
    Shorewall::Providers::initialize;
    Shorewall::Tc::initialize;
@ -138,17 +139,16 @@ sub generate_script_1() {
 	   '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"',
 	   qq(VERSION="$globals{VERSION}") ,
 	   qq(PATH="$config{PATH}") ,
-	   'TERMINATOR=fatal_error'
+	   'TERMINATOR=fatal_error' ,
 	   ''
 	   );
    if ( $config{IPTABLES} ) {
 	emit( qq(IPTABLES="$config{IPTABLES}"),
 	      '',
 	      '[ -x "$IPTABLES" ] || startup_error "IPTABLES=$IPTABLES does not exist or is not executable"',
 	      );
    } else {
-	emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables 2> /dev/null)',
+	emit( '[ -z "$IPTABLES" ] && IPTABLES=$(mywhich iptables) # /sbin/shorewall exports IPTABLES',
 	      '',
 	      '[ -n "$IPTABLES" -a -x "$IPTABLES" ] || startup_error "Can\'t find iptables executable"'
 	      );
    }
@ -328,11 +328,9 @@ EOF
 	while read address interface external haveroute; do
 	    qt arp -i $external -d $address pub
 	    [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
            interface=/proc/sys/net/ipv4/conf/$interface
 	    [ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp
 	done < ${VARDIR}/proxyarp
        for f in /proc/sys/net/ipv4/conf/*; do
            [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
        done
    fi
    rm -f ${VARDIR}/proxyarp
@ -596,7 +594,7 @@ sub generate_script_2 () {
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
 #          than those related to writing to the object file.
 #
-sub generate_script_3() {
+sub generate_script_3($) {
    emit 'cat > ${VARDIR}/proxyarp << __EOF__';
    dump_proxy_arp;
@ -629,7 +627,7 @@ sub generate_script_3() {
    progress_message2 "Creating iptables-restore input...";
    create_netfilter_load;
-    create_blacklist_reload;
+    create_chainlist_reload( $_[0] );
    emit "#\n# Start/Restart the Firewall\n#";
    emit 'define_firewall() {';
@ -647,14 +645,14 @@ setup_routing_and_traffic_shaping
 if [ $COMMAND = restore ]; then
    iptables_save_file=${VARDIR}/$(basename $0)-iptables
    if [ -f $iptables_save_file ]; then
-        iptables-restore < $iptables_save_file
+        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux
    else
        fatal_error "$iptables_save_file does not exist"
    fi
    set_state "Started"
 else
    if [ $COMMAND = refresh ]; then
-        blacklist_reload
+        chainlist_reload
        run_refreshed_exit
        $IPTABLES -N shorewall
        set_state "Started"
@ -701,9 +699,9 @@ EOF
 #    If the first argument is non-null, it names the script file to generate.
 #    Otherwise, this is a 'check' command and no script is produced.
 #
-sub compiler( $$$$ ) {
+sub compiler( $$$$$ ) {
-    my ( $objectfile, $directory, $verbosity, $options ) = @_;
+    my ( $objectfile, $directory, $verbosity, $options , $chains ) = @_;
    $export = 0;
@ -723,7 +721,7 @@ sub compiler( $$$$ ) {
    #
    get_configuration( $export );
-    report_capabilities if $verbose > 1;
+    report_capabilities;
    require_capability( 'MULTIPORT'       , "Shorewall-perl $globals{VERSION}" , 's' );
    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
@ -731,7 +729,7 @@ sub compiler( $$$$ ) {
    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
    require_capability( 'CONNTRACK_MATCH' , 'RFC1918_STRICT=Yes' , 's'   )  if $config{RFC1918_STRICT};
-    ( $command, $doing, $done ) = qw/ check Checking Checked / unless $objectfile;
+    set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;
    initialize_chain_table;
@ -865,7 +863,7 @@ sub compiler( $$$$ ) {
 	#
 	# Finish the script.
 	#
-	generate_script_3;
+	generate_script_3( $chains );
 	finalize_object ( $export );
 	#
 	# And generate the auxilary config file
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@ -34,10 +34,13 @@ use strict;
 use warnings;
 use File::Basename;
 use File::Temp qw/ tempfile tempdir /;
-use Cwd 'abs_path';
+use Cwd qw(abs_path getcwd);
 use autouse 'Carp' => qw(longmess confess);
 our @ISA = qw(Exporter);
 #
 # Imported variables should be treated as read-only by importers
 #
 our @EXPORT = qw(
 		 create_temp_object
 		 finalize_object
@ -47,6 +50,7 @@ our @EXPORT = qw(
 		 save_progress_message_short
 		 set_timestamp
 		 set_verbose
 		 set_command
 		 progress_message
 		 progress_message2
 		 progress_message3
@ -55,7 +59,6 @@ our @EXPORT = qw(
 		 copy
 		 create_temp_aux_config
 		 finalize_aux_config
 		 warning_message
 		 fatal_error
 		 set_shorewall_dir
@ -85,15 +88,13 @@ our @EXPORT = qw(
 		 $command
 		 $doing
 		 $done
 		 $verbose
 		 $currentline
 		 %config
 		 %globals
 		 %capabilities );
 our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path );
-our $VERSION = 4.03;
+our $VERSION = '4.04';
 #
 # describe the current command, it's present progressive, and it's completion.
@ -147,7 +148,38 @@ our %capabilities;
 #
 # Capabilities
 #
-our %capdesc;
+our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 MANGLE_ENABLED  => 'Packet Mangling',
 		 MULTIPORT       => 'Multi-port Match' ,
 		 XMULTIPORT      => 'Extended Multi-port Match',
 		 CONNTRACK_MATCH => 'Connection Tracking Match',
 		 USEPKTTYPE      => 'Packet Type Match',
 		 POLICY_MATCH    => 'Policy Match',
 		 PHYSDEV_MATCH   => 'Physdev Match',
 		 LENGTH_MATCH    => 'Packet length Match',
 		 IPRANGE_MATCH   => 'IP Range Match',
 		 RECENT_MATCH    => 'Recent Match',
 		 OWNER_MATCH     => 'Owner Match',
 		 IPSET_MATCH     => 'Ipset Match',
 		 CONNMARK        => 'CONNMARK Target',
 		 XCONNMARK       => 'Extended CONNMARK Target',
 		 CONNMARK_MATCH  => 'Connmark Match',
 		 XCONNMARK_MATCH => 'Extended Connmark Match',
 		 RAW_TABLE       => 'Raw Table',
 		 IPP2P_MATCH     => 'IPP2P Match',
 		 CLASSIFY_TARGET => 'CLASSIFY Target',
 		 ENHANCED_REJECT => 'Extended Reject',
 		 KLUDGEFREE      => 'Repeat match',
 		 MARK            => 'MARK Target',
 		 XMARK           => 'Extended Mark Target',
 		 MANGLE_FORWARD  => 'Mangle FORWARD Chain',
 		 COMMENTS        => 'Comments',
 		 ADDRTYPE        => 'Address Type Match',
 		 TCPMSS_MATCH    => 'TCPMSS Match',
 		 HASHLIMIT_MATCH => 'Hashlimit Match',
 		 NFQUEUE_TARGET  => 'NFQUEUE Target',
 		 CAPVERSION      => 'Capability Version',
 	       );
 #
 # Directories to search for configuration files
 #
@ -198,7 +230,7 @@ sub initialize() {
 		    ORIGINAL_POLICY_MATCH => '',
 		    LOGPARMS => '',
 		    TC_SCRIPT => '',
-		    VERSION =>  '4.0.3',
+		    VERSION =>  '4.0.4',
 		    CAPVERSION => 40003 ,
 		  );
    #
@ -335,41 +367,6 @@ sub initialize() {
 	       CAPVERSION => undef,
 	       );
    #
    # Capabilities
    #
    %capdesc = ( NAT_ENABLED     => 'NAT',
 		 MANGLE_ENABLED  => 'Packet Mangling',
 		 MULTIPORT       => 'Multi-port Match' ,
 		 XMULTIPORT      => 'Extended Multi-port Match',
 		 CONNTRACK_MATCH => 'Connection Tracking Match',
 		 USEPKTTYPE      => 'Packet Type Match',
 		 POLICY_MATCH    => 'Policy Match',
 		 PHYSDEV_MATCH   => 'Physdev Match',
 		 LENGTH_MATCH    => 'Packet length Match',
 		 IPRANGE_MATCH   => 'IP Range Match',
 		 RECENT_MATCH    => 'Recent Match',
 		 OWNER_MATCH     => 'Owner Match',
 		 IPSET_MATCH     => 'Ipset Match',
 		 CONNMARK        => 'CONNMARK Target',
 		 XCONNMARK       => 'Extended CONNMARK Target',
 		 CONNMARK_MATCH  => 'Connmark Match',
 		 XCONNMARK_MATCH => 'Extended Connmark Match',
 		 RAW_TABLE       => 'Raw Table',
 		 IPP2P_MATCH     => 'IPP2P Match',
 		 CLASSIFY_TARGET => 'CLASSIFY Target',
 		 ENHANCED_REJECT => 'Extended Reject',
 		 KLUDGEFREE      => 'Repeat match',
 		 MARK            => 'MARK Target',
 		 XMARK           => 'Extended Mark Target',
 		 MANGLE_FORWARD  => 'Mangle FORWARD Chain',
 		 COMMENTS        => 'Comments',
 		 ADDRTYPE        => 'Address Type Match',
 		 TCPMSS_MATCH    => 'TCPMSS Match',
 		 HASHLIMIT_MATCH => 'Hashlimit Match',
 		 NFQUEUE_TARGET  => 'NFQUEUE Target',
 		 CAPVERSION      => 'Capability Version',
 	       );
    #
    # Directories to search for configuration files
    #
    @config_path = ();
@ -401,7 +398,8 @@ INIT {
 #
 sub warning_message
 {
-    my $currentlineinfo = $currentfile ?  " : $currentfilename (line $currentlinenumber)" : '';
+    my $linenumber = $currentlinenumber || 1;
    my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
    if ( $debug ) {
 	print STDERR longmess( "   WARNING: @_$currentlineinfo" );
@ -414,7 +412,8 @@ sub warning_message
 # Issue fatal error message and die
 #
 sub fatal_error	{
-    my $currentlineinfo = $currentfile ?  " : $currentfilename (line $currentlinenumber)" : '';
+    my $linenumber = $currentlinenumber || 1;
    my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
    confess "   ERROR: @_$currentlineinfo" if $debug;
    die "   ERROR: @_$currentlineinfo\n";
 }
@ -480,12 +479,18 @@ sub set_verbose( $ ) {
    $verbose = shift;
 }
 #
 # Set $command, $doing and $done
 #
 sub set_command( $$$ ) {
    ($command, $doing, $done) = @_;
 }
 #
 # Print the current TOD to STDOUT.
 #
 sub timestamp() {
-    my ($sec, $min, $hr) = ( localtime ) [0,1,2];
+    printf '%02d:%02d:%02d ', ( localtime ) [2,1,0];
    printf '%02d:%02d:%02d ', $hr, $min, $sec;
 }
 #
@ -649,7 +654,7 @@ sub finalize_aux_config() {
 }
 #
-# Set $globals{CONFIG_PATH}
+# Set $config{CONFIG_PATH}
 #
 sub set_config_path( $ ) {
    $config{CONFIG_PATH} = shift;
@ -839,9 +844,12 @@ sub read_a_line() {
    while ( $currentfile ) {
 	$currentline = '';
 	$currentlinenumber = 0;
 	while ( <$currentfile> ) {
 	    $currentlinenumber = $. unless $currentlinenumber;
 	    chomp;
 	    #
 	    # Continuation
@ -856,7 +864,6 @@ sub read_a_line() {
 	    #
 	    $currentline = '', next if $currentline =~ /^\s*$/;
 	    $currentlinenumber = $.;
 	    #
 	    # Expand Shell Variables using %ENV
 	    #
@ -883,6 +890,8 @@ sub read_a_line() {
 		    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
 		    $currentfile = undef;
 		    do_open_file $filename;
 		} else {
 		    $currentlinenumber = 0;
 		}
 		$currentline = '';
@ -1026,17 +1035,19 @@ sub report_capabilities() {
 	}
    }
    if ( $verbose > 1 ) {
 	print "Shorewall has detected the following capabilities:\n";
 	for my $cap ( sort { $capdesc{$a} cmp $capdesc{$b} } keys %capabilities ) {
 	    report_capability $cap;
 	}
    }
 }
 #
 # Search the current PATH for the passed executable
 #
-sub mywhich( $ ) {
+sub which( $ ) {
    my $prog = $_[0];
    for my $dir ( split /:/, $config{PATH} ) {
@ -1050,7 +1061,7 @@ sub mywhich( $ ) {
 # Load the kernel modules defined in the 'modules' file.
 #
 sub load_kernel_modules( ) {
-    my $moduleloader = mywhich 'modprobe' ? 'modprobe' : 'insmod';
+    my $moduleloader = which( 'modprobe' ) || ( which 'insmod' );
    my $modulesdir = $config{MODULESDIR};
@ -1063,7 +1074,7 @@ sub load_kernel_modules( ) {
    my @moduledirectories = split /:/, $modulesdir;
-    if ( @moduledirectories && open_file 'modules' ) {
+    if ( $moduleloader && open_file 'modules' ) {
 	my %loadedmodules;
 	progress_message "Loading Modules...";
@ -1114,9 +1125,9 @@ sub qt( $ ) {
 #
 # Determine which optional facilities are supported by iptables/netfilter
 #
-sub determine_capabilities() {
+sub determine_capabilities( $ ) {
-    my $iptables  = $config{IPTABLES};
+    my $iptables  = $_[0];
    my $pid       = $$;
    my $sillyname = "fooX$pid";
@ -1173,7 +1184,7 @@ sub determine_capabilities() {
    $capabilities{RAW_TABLE} = qt( "$iptables -t raw -L -n" );
-    if ( mywhich 'ipset' ) {
+    if ( which 'ipset' ) {
 	qt( "ipset -X $sillyname" );
 	if ( qt( "ipset -N $sillyname iphash" ) ) {
@ -1243,8 +1254,10 @@ sub ensure_config_path() {
    }
    if ( $shorewall_dir ) {
 	$shorewall_dir = getcwd if $shorewall_dir =~ m|(\./*)+|;
 	$shorewall_dir .= '/' unless $shorewall_dir =~ m|/$|;
 	unshift @config_path, $shorewall_dir if $shorewall_dir ne $config_path[0];
 	$config{CONFIG_PATH} = join ':', @config_path;
    }
 }
@ -1287,32 +1300,10 @@ sub process_shorewall_conf() {
    }
 }
 sub get_capabilities( $ ) {
    my $export = $_[0];
    if ( ! $export && $> == 0 ) { # $> == $EUID
 	unless ( $config{IPTABLES} ) {
 	    fatal_error "Can't find iptables executable" unless $config{IPTABLES} = mywhich 'iptables';
 	} else {
 	    fatal_error "\$IPTABLES=$config{IPTABLES} does not exist or is not executable" unless -x $config{IPTABLES};
 	}
 	load_kernel_modules;
 	unless ( open_file 'capabilities' ) {
 	    determine_capabilities;
 	}
    } else {
 	unless ( open_file 'capabilities' ) {
 	    fatal_error "The -e flag requires a capabilities file" if $export;
 	    fatal_error "Compiling under non-root uid requires a capabilities file";
 	}
    }
 #
-    # If we successfully called open_file above, then this loop will read the capabilities file.
+# Process the records in the capabilities file
    # Otherwise, the first call to read_a_line() below will return false
 #
 sub read_capabilities() {
    while ( read_a_line1 ) {
 	if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
 	    my ($var, $val) = ($1, $2);
@ -1334,6 +1325,42 @@ sub get_capabilities( $ ) {
    }
 }
 #
 # Get the system's capabilities, either by probing or by reading a capabilities file
 #
 sub get_capabilities( $ ) {
    my $export = $_[0];
    if ( ! $export && $> == 0 ) { # $> == $EUID
 	my $iptables = $config{IPTABLES};
 	if ( $iptables ) {
 	    fatal_error "IPTABLES=$iptables does not exist or is not executable" unless -x $iptables;
 	} else {
 	    fatal_error "Can't find iptables executable" unless $iptables = which 'iptables';
 	}
 	my $iptables_restore=$iptables . '-restore';
 	fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
 	load_kernel_modules;
 	if ( open_file 'capabilities' ) {
 	    read_capabilities;
 	} else {
 	    determine_capabilities $iptables;
 	}
    } else {
 	unless ( open_file 'capabilities' ) {
 	    fatal_error "The -e compiler option requires a capabilities file" if $export;
 	    fatal_error "Compiling under non-root uid requires a capabilities file";
 	}
 	read_capabilities;
    }
 }
 #
 # - Read the shorewall.conf file
 # - Read the capabilities file, if any
--- a/Shorewall-perl/Shorewall/FallbackPorts.pm
+++ b/Shorewall-perl/Shorewall/FallbackPorts.pm
@ -33,7 +33,7 @@ use warnings;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( %protocols %services );
 our @EXPORT_OK = qw();
-our $VERSION = 4.00;
+our $VERSION = '4.00';
 our %protocols = (
 		  ip			=> 0,
--- a/Shorewall-perl/Shorewall/IPAddrs.pm
+++ b/Shorewall-perl/Shorewall/IPAddrs.pm
@ -36,12 +36,11 @@ our @EXPORT = qw( ALLIPv4
 		  validate_host
 		  validate_range
 		  ip_range_explicit
-
+		  allipv4
-		  @allipv4
+		  rfc1918_neworks
 		  @rfc1918_networks
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = 4.03;
+our $VERSION = '4.03';
 #
 # Some IPv4 useful stuff
@ -161,4 +160,12 @@ sub validate_host( $ ) {
    }
 }
 sub allipv4() {
    @allipv4;
 }
 sub rfc1918_networks() {
    @rfc1918_networks
 }
 1;
--- a/Shorewall-perl/Shorewall/Nat.pm
+++ b/Shorewall-perl/Shorewall/Nat.pm
@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = 4.03;
+our $VERSION = '4.03';
 our @addresses_to_add;
 our %addresses_to_add;
@ -169,7 +169,7 @@ sub setup_one_masq($$$$$$$)
    #
    ( my $interface = $fullinterface ) =~ s/:.*//;
-    fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
+    fatal_error "Unknown interface ($interface)" unless find_interface( $interface )->{root};
    my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
    #
@ -305,7 +305,7 @@ sub setup_masq()
 	}
    }
-    $comment = '';
+    clear_comment;
 }
@ -417,7 +417,7 @@ sub setup_nat() {
    }
-    $comment = '';
+    clear_comment;
 }
 #
--- a/Shorewall-perl/Shorewall/Policy.pm
+++ b/Shorewall-perl/Shorewall/Policy.pm
@ -34,7 +34,28 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain sub setup_syn_flood_chains );
 our @EXPORT_OK = qw(  );
-our $VERSION = 4.03;
+our $VERSION = '4.03';
 # @policy_chains is a list of references to policy chains in the filter table
 our @policy_chains;
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
 #                       the compiler to run multiple times in the same process. The
 #                       initialize() function does globals initialization for this
 #                       module and is called from an INIT block below. The function is
 #                       also called by Shorewall::Compiler::compiler at the beginning of
 #                       the second and subsequent calls to that function.
 #
 sub initialize() {
    @policy_chains = ();
 }
 INIT {
    initialize;
 }
 #
 # Convert a chain into a policy chain.
@ -104,20 +125,36 @@ sub set_policy_chain($$$$$)
 #
 # Process the policy file
 #
-sub validate_policy()
+use constant { OPTIONAL => 1 };
-{
+
-    sub print_policy($$$$)
+sub add_or_modify_policy_chain( $$ ) {
-    {
+    my ( $zone, $zone1 ) = @_;
    my $chain    = "${zone}2${zone1}";
    my $chainref = $filter_table->{$chain};
    if ( $chainref ) {
 	unless( $chainref->{is_policy} ) {
 	    convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL );
 	    push @policy_chains, $chainref;
 	}
    } else {
 	push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
    }
 }    
 sub print_policy($$$$) {
    my ( $source, $dest, $policy , $chain ) = @_;
    unless ( ( $source eq 'all' ) || ( $dest eq 'all' ) ) {
 	if ( $policy eq 'CONTINUE' ) {
-		my ( $sourceref, $destref ) = @zones{$source,$dest};
+	    my ( $sourceref, $destref ) = ( find_zone($source) ,find_zone( $dest ) );
 	    warning_message "CONTINUE policy between two un-nested zones ($source, $dest)" if ! ( @{$sourceref->{parents}} || @{$destref->{parents}} );
 	}
 	progress_message "   Policy for $source to $dest is $policy using chain $chain" unless $source eq $dest;
    }
 }
 sub validate_policy()
 {
    my %validpolicies = (
 			  ACCEPT => undef,
 			  REJECT => undef,
@ -136,8 +173,6 @@ sub validate_policy()
    my $zone;
    use constant { OPTIONAL => 1 };
    for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
 	my $action = $config{$option};
 	next if $action eq 'none';
@ -157,14 +192,15 @@ sub validate_policy()
 	$default_actions{$map{$option}} = $action;
    }
-    for $zone ( @zones ) {
+    for $zone ( all_zones ) {
 	push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );
-	if ( $config{IMPLICIT_CONTINUE} && ( @{$zones{$zone}{parents}} ) ) {
+	if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
-	    for my $zone1 ( @zones ) {
+	    for my $zone1 ( all_zones ) {
-		next if $zone eq $zone1;
+		unless( $zone eq $zone1 ) {
-		push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
+		    add_or_modify_policy_chain( $zone, $zone1 );
-		push @policy_chains, ( new_policy_chain $zone1, $zone, 'CONTINUE', OPTIONAL );
+		    add_or_modify_policy_chain( $zone1, $zone );
 		}
 	    }
 	}
    }
@ -187,11 +223,11 @@ sub validate_policy()
 	my $clientwild = ( "\L$client" eq 'all' );
-	fatal_error "Undefined zone $client" unless $clientwild || $zones{$client};
+	fatal_error "Undefined zone $client" unless $clientwild || defined_zone( $client );
 	my $serverwild = ( "\L$server" eq 'all' );
-	fatal_error "Undefined zone $server" unless $serverwild || $zones{$server};
+	fatal_error "Undefined zone $server" unless $serverwild || defined_zone( $server );
 	( $policy , my ( $default, $remainder ) ) = split( /:/, $policy, 3 );
@ -230,13 +266,13 @@ sub validate_policy()
 	    fatal_error "NONE policy not allowed with \"all\""
 		if $clientwild || $serverwild;
 	    fatal_error "NONE policy not allowed to/from firewall zone"
-		if ( $zones{$client}{type} eq 'firewall' ) || ( $zones{$server}{type} eq 'firewall' );
+		if ( zone_type( $client ) eq 'firewall' ) || ( zone_type( $server ) eq 'firewall' );
 	}
 	unless ( $clientwild || $serverwild ) {
-	    if ( $zones{$server}{type} eq 'bport4' ) {
+	    if ( zone_type( $server ) eq 'bport4' ) {
 		fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
-		    unless $zones{$client}{bridge} eq $zones{$server}{bridge} || single_interface( $client ) eq $zones{$server}{bridge};
+		    unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
 	    }
 	}
@ -275,20 +311,20 @@ sub validate_policy()
 	if ( $clientwild ) {
 	    if ( $serverwild ) {
-		for my $zone ( @zones , 'all' ) {
+		for my $zone ( all_zones , 'all' ) {
-		    for my $zone1 ( @zones , 'all' ) {
+		    for my $zone1 ( all_zones , 'all' ) {
 			set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
 			print_policy $zone, $zone1, $policy, $chain;
 		    }
 		}
 	    } else {
-		for my $zone ( @zones ) {
+		for my $zone ( all_zones ) {
 		    set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
 		    print_policy $zone, $server, $policy, $chain;
 		}
 	    }
 	} elsif ( $serverwild ) {
-	    for my $zone ( @zones , 'all' ) {
+	    for my $zone ( all_zones , 'all' ) {
 		set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
 		print_policy $client, $zone, $policy, $chain;
 	    }
@ -382,8 +418,8 @@ sub apply_policy_rules() {
 	}
    }
-    for my $zone ( @zones ) {
+    for my $zone ( all_zones ) {
-	for my $zone1 ( @zones ) {
+	for my $zone1 ( all_zones ) {
 	    my $chainref = $filter_table->{"${zone}2${zone1}"};
 	    if ( $chainref->{referenced} ) {
--- a/Shorewall-perl/Shorewall/Proc.pm
+++ b/Shorewall-perl/Shorewall/Proc.pm
@ -42,7 +42,7 @@ our @EXPORT = qw(
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = 4.01;
+our $VERSION = '4.01';
 #
 # ARP Filtering
--- a/Shorewall-perl/Shorewall/Providers.pm
+++ b/Shorewall-perl/Shorewall/Providers.pm
@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces);
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.03;
+our $VERSION = '4.03';
 use constant { LOCAL_NUMBER   => 255,
 	       MAIN_NUMBER    => 254,
--- a/Shorewall-perl/Shorewall/Proxyarp.pm
+++ b/Shorewall-perl/Shorewall/Proxyarp.pm
@ -35,7 +35,7 @@ our @EXPORT = qw(
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.01;
+our $VERSION = '4.01';
 our @proxyarp;
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@ -47,7 +47,7 @@ our @EXPORT = qw( process_tos
 		  dump_rule_chains
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = 4.03;
+our $VERSION = '4.03';
 #
 # Keep track of chains for the /var/lib/shorewall[-lite]/chains file
@ -125,7 +125,7 @@ sub process_tos() {
 	    fatal_error "Invalid SOURCE" if defined $remainder;
-	    if ( $srczone eq $firewall_zone ) {
+	    if ( $srczone eq firewall_zone ) {
 		$chainref    = $outtosref;
 		$src         = $source || '-';
 		$restriction = OUTPUT_RESTRICT;
@ -519,7 +519,7 @@ sub add_common_rules() {
    my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
-    for $interface ( @interfaces ) {
+    for $interface ( all_interfaces ) {
 	for $chain ( @{first_chains $interface} ) {
 	    add_rule new_standard_chain( $chain ) , "$state -j dynamic";
 	}
@ -593,7 +593,7 @@ sub add_common_rules() {
 		add_rule $filter_table->{$chain} , '-p udp --dport 67:68 -j ACCEPT';
 	    }
-	    add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if $interfaces{$interface}{options}{bridge};
+	    add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport 67:68 -j ACCEPT" if get_interface_option( $interface, 'bridge' );
 	}
    }
@ -649,7 +649,7 @@ sub add_common_rules() {
    }
    if ( $config{DYNAMIC_ZONES} ) {
-	for $interface ( @interfaces) {
+	for $interface ( all_interfaces ) {
 	    for $chain ( @{dynamic_chains $interface} ) {
 		new_standard_chain $chain;
 	    }
@ -713,7 +713,7 @@ sub setup_mac_lists( $ ) {
 	    my $chainref = new_chain $table , mac_chain $interface;
 	    add_rule $chainref , '-s 0.0.0.0 -d 255.255.255.255 -p udp --dport 67:68 -j RETURN'
-		if ( $table eq 'mangle' ) && $interfaces{$interface}{options}{dhcp};
+		if ( $table eq 'mangle' ) && get_interface_option( $interface, 'dhcp' );
 	    if ( $ttl ) {
 		my $chain1ref = new_chain $table, macrecent_target $interface;
@ -782,7 +782,7 @@ sub setup_mac_lists( $ ) {
 	    }
 	}
-	$comment = '';
+	clear_comment;
 	#
 	# Generate jumps from the input and forward chains
 	#
@ -806,7 +806,7 @@ sub setup_mac_lists( $ ) {
 	    my $chain    = $chainref->{name};
 	    if ( $level ne '' || $disposition ne 'ACCEPT' ) {
-		my $variable = get_interface_addresses $interfaces{$interface}{bridge};
+		my $variable = get_interface_addresses source_port_to_bridge( $interface );
 		if ( $capabilities{ADDRTYPE} ) {
 		    add_commands( $chainref,
@ -815,8 +815,8 @@ sub setup_mac_lists( $ ) {
 				  "    echo \"-A $chainref->{name} -s \$address -d 224.0.0.0/4 -j RETURN\" >&3",
 				  'done' );
 		} else {
-		    my $bridge    = $interfaces{$interface}{bridge};
+		    my $bridge    = source_port_to_bridge( $interface );
-		    my $bridgeref = $interfaces{$bridge};
+		    my $bridgeref = find_interface( $bridge );
 		    add_commands( $chainref,
 				  "for address in $variable; do" );
@ -1001,9 +1001,9 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
    #
    if ( $actiontype & REDIRECT ) {
 	if ( $dest eq '-' ) {
-	    $dest = "$firewall_zone";
+	    $dest = "firewall_zone";
 	} else {
-	    $dest = join( '', $firewall_zone, '::', $dest );
+	    $dest = join( '', firewall_zone, '::', $dest );
 	}
    } elsif ( $action eq 'REJECT' ) {
 	$action = 'reject';
@ -1017,6 +1017,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
    #
    my $sourcezone;
    my $destzone;
    my $sourceref;
    my $destref;
    if ( $source =~ /^(.+?):(.*)/ ) {
 	$sourcezone = $1;
@ -1035,22 +1037,22 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
    }
    fatal_error "Missing source zone" if $sourcezone eq '-';
-    fatal_error "Unknown source zone ($sourcezone)" unless $zones{$sourcezone};
+    fatal_error "Unknown source zone ($sourcezone)" unless $sourceref = defined_zone( $sourcezone );
    fatal_error "Missing destination zone" if $destzone eq '-';
-    fatal_error "Unknown destination zone ($destzone)" unless $zones{$destzone};
+    fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
    my $restriction = NO_RESTRICT;
-    if ( $sourcezone eq $firewall_zone ) {
+    if ( $sourcezone eq firewall_zone ) {
-	$restriction = $destzone eq $firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT;
+	$restriction = $destzone eq firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT;
    } else {
-	$restriction = INPUT_RESTRICT if $destzone eq $firewall_zone;
+	$restriction = INPUT_RESTRICT if $destzone eq firewall_zone;
    }
    #
    # Check for illegal bridge port rule
    #
-    if ( $zones{$destzone}->{type} eq 'bport4' ) {
+    if ( $destref->{type} eq 'bport4' ) {
-	unless ( $zones{$sourcezone}{bridge} eq $zones{$destzone}{bridge} || single_interface( $sourcezone ) eq $zones{$destzone}{bridge} ) {
+	unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
 	    return 1 if $wildcard;
 	    fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
 	}
@ -1135,8 +1137,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 	    if ( $origdest eq '' || $origdest eq '-' ) {
 		$origdest = ALLIPv4;
 	    } elsif ( $origdest eq 'detect' ) {
-		if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne $firewall_zone ) {
+		if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
-		    my $interfacesref = $zones{$sourcezone}{interfaces};
+		    my $interfacesref = $sourceref->{interfaces};
 		    my @interfaces = keys %$interfacesref;
 		    $origdest = @interfaces ? "detect:@interfaces" : ALLIPv4;
 		} else {
@ -1146,7 +1148,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 	} else {
 	    if ( $action eq 'SAME' ) {
 		fatal_error 'Port mapping not allowed in SAME rules' if $serverport;
-		fatal_error 'SAME not allowed with SOURCE=$FW'       if $sourcezone eq $firewall_zone;
+		fatal_error 'SAME not allowed with SOURCE=$FW'       if $sourcezone eq firewall_zone;
 		$target = '-j SAME ';
 		for my $serv ( split /,/, $server ) {
 		    $target .= "--to $serv ";
@ -1160,8 +1162,8 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 	    }
 	    unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
-		if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne $firewall_zone ) {
+		if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
-		    my $interfacesref = $zones{$sourcezone}{interfaces};
+		    my $interfacesref = $sourceref->{interfaces};
 		    my @interfaces = keys %$interfacesref;
 		    $origdest = @interfaces ? "detect:@interfaces" : ALLIPv4;
 		} else {
@ -1173,7 +1175,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 	#
 	# And generate the nat table rule(s)
 	#
-	expand_rule ( ensure_chain ('nat' , $zones{$sourcezone}{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone ),
+	expand_rule ( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone ),
 		      PREROUTE_RESTRICT ,
 		      $rule ,
 		      $source ,
@ -1205,12 +1207,12 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 	$origdest = '' unless $origdest and $origdest ne '-';
 	if ( $origdest eq 'detect' ) {
-	    my $interfacesref = $zones{$sourcezone}{interfaces};
+	    my $interfacesref = $sourceref->{interfaces};
 	    my $interfaces = "@$interfacesref";
 	    $origdest = $interfaces ? "detect:$interfaces" : ALLIPv4;
 	}
-	expand_rule( ensure_chain ('nat' , $zones{$sourcezone}{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) ,
+	expand_rule( ensure_chain ('nat' , $sourceref->{type} eq 'firewall' ? 'OUTPUT' : dnat_chain $sourcezone) ,
 		     PREROUTE_RESTRICT ,
 		     $rule ,
 		     $source ,
@ -1312,11 +1314,11 @@ sub process_rule ( $$$$$$$$$$ ) {
    fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
    if ( $source eq 'all' ) {
-	for my $zone ( @zones ) {
+	for my $zone ( all_zones ) {
-	    if ( $includesrcfw || ( $zones{$zone}{type} ne 'firewall' ) ) {
+	    if ( $includesrcfw || ( zone_type( $zone ) ne 'firewall' ) ) {
 		if ( $dest eq 'all' ) {
-		    for my $zone1 ( @zones ) {
+		    for my $zone1 ( all_zones ) {
-			if ( $includedstfw || ( $zones{$zone1}{type} ne 'firewall' ) ) {
+			if ( $includedstfw || ( zone_type( $zone1 ) ne 'firewall' ) ) {
 			    if ( $intrazone || ( $zone ne $zone1 ) ) {
 				process_rule1 $target, $zone, $zone1 , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1;
 			    }
@ -1324,7 +1326,7 @@ sub process_rule ( $$$$$$$$$$ ) {
 		    }
 		} else {
 		    my $destzone = (split( /:/, $dest, 2 ) )[0];
-		    $destzone = $firewall_zone unless $zones{$destzone}; # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid
+		    $destzone = firewall_zone unless defined_zone( $destzone ); # We do this to allow 'REDIRECT all ...'; process_rule1 will catch the case where the dest zone is invalid
 		    if ( $intrazone || ( $zone ne $destzone ) ) {
 			process_rule1 $target, $zone, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1;
 		    }
@ -1332,9 +1334,9 @@ sub process_rule ( $$$$$$$$$$ ) {
 	    }
 	}
    } elsif ( $dest eq 'all' ) {
-	for my $zone ( @zones ) {
+	for my $zone ( all_zones ) {
 	    my $sourcezone = ( split( /:/, $source, 2 ) )[0];
-	    if ( ( $includedstfw || ( $zones{$zone}{type} ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) {
+	    if ( ( $includedstfw || ( zone_type( $zone ) ne 'firewall') ) && ( ( $sourcezone ne $zone ) || $intrazone) ) {
 		process_rule1 $target, $source, $zone , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, 1;
 	    }
 	}
@ -1392,7 +1394,7 @@ sub process_rules() {
 	}
    }
-    $comment = '';
+    clear_comment;
    $section = 'DONE';
 }
@ -1481,6 +1483,7 @@ sub generate_matrix() {
    my $exclusion_seq    = 1;
    my %chain_exclusions;
    my %policy_exclusions;
    my @interfaces = ( all_interfaces );
    for my $interface ( @interfaces ) {
 	addnatjump 'POSTROUTING' , snat_chain( $interface ), match_dest_dev( $interface );
@ -1503,9 +1506,9 @@ sub generate_matrix() {
    #
    # Special processing for complex zones
    #
-    for my $zone ( grep $zones{$_}{options}{complex} , @zones ) {
+    for my $zone ( complex_zones ) {
 	my $frwd_ref   = new_standard_chain "${zone}_frwd";
-	my $zoneref    = $zones{$zone};
+	my $zoneref    = find_zone( $zone );
 	my $exclusions = $zoneref->{exclusions};
 	if ( @$exclusions ) {
@ -1549,11 +1552,11 @@ sub generate_matrix() {
    #
    # Main source-zone matrix-generation loop
    #
-    for my $zone ( grep ( $zones{$_}{type} ne 'firewall'  ,  @zones ) ) {
+    for my $zone ( non_firewall_zones ) {
-	my $zoneref          = $zones{$zone};
+	my $zoneref          = find_zone( $zone );
 	my $source_hosts_ref = $zoneref->{hosts};
-	my $chain1           = rules_target $firewall_zone , $zone;
+	my $chain1           = rules_target firewall_zone , $zone;
-	my $chain2           = rules_target $zone, $firewall_zone;
+	my $chain2           = rules_target $zone, firewall_zone;
 	my $chain3           = rules_target $zone, $zone;
 	my $complex          = $zoneref->{options}{complex} || 0;
 	my $type             = $zoneref->{type};
@ -1571,8 +1574,8 @@ sub generate_matrix() {
 	}
 	if ( $config{DYNAMIC_ZONES} ) {
-	    push @rule_chains , [ $firewall_zone , $zone , $chain1 ] if $chain1;
+	    push @rule_chains , [ firewall_zone , $zone , $chain1 ] if $chain1;
-	    push @rule_chains , [ $zone , $firewall_zone , $chain2 ];
+	    push @rule_chains , [ $zone , firewall_zone , $chain2 ];
 	}
 	#
@ -1623,7 +1626,7 @@ sub generate_matrix() {
 		if ( $capabilities{ADDRTYPE} ) {
 		    add_rule $filter_table->{output_chain $interface}  , "-m addrtype --dst-type BROADCAST -j $chain1";
 		} else {
-		    my $interfaceref = $interfaces{$interface};
+		    my $interfaceref = find_interface( $interface );
 		    my $chain        = output_chain $interface;
 		    my $chainref     = $filter_table->{$chain};
@ -1654,8 +1657,8 @@ sub generate_matrix() {
 	    my @temp_zones;
 	  ZONE1:
-	    for my $zone1 ( grep $zones{$_}{type} ne 'firewall' , @zones )  {
+	    for my $zone1 ( non_firewall_zones )  {
-		my $zone1ref = $zones{$zone1};
+		my $zone1ref = find_zone( $zone1 );
 		my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
 		next if $policy  eq 'NONE';
@ -1695,7 +1698,7 @@ sub generate_matrix() {
 		$last_chain = '';
 	    }
 	} else {
-	    @dest_zones =  grep $zones{$_}{type} ne 'firewall' , @zones ;
+	    @dest_zones =  non_firewall_zones ;
 	}
 	#
 	# Here it is -- THE BIG UGLY!!!!!!!!!!!!
@ -1705,7 +1708,7 @@ sub generate_matrix() {
 	#
      ZONE1:
 	for my $zone1 ( @dest_zones ) {
-	    my $zone1ref = $zones{$zone1};
+	    my $zone1ref = find_zone( $zone1 );
 	    my $policy   = $filter_table->{"${zone}2${zone1}"}->{policy};
 	    next if $policy  eq 'NONE';
@ -1841,11 +1844,12 @@ sub generate_matrix() {
    for my $interface ( @interfaces ) {
 	add_rule $filter_table->{FORWARD} , match_source_dev( $interface ) . "-j " . forward_chain $interface;
 	add_rule $filter_table->{INPUT}   , match_source_dev( $interface ) . "-j " . input_chain $interface;
-	add_rule $filter_table->{OUTPUT}  , "-o $interface -j " . output_chain $interface unless $interfaces{$interface}{options}{port};
+	add_rule $filter_table->{OUTPUT}  , "-o $interface -j " . output_chain $interface unless get_interface_option( $interface, 'port' );
 	addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface );
    }
-    my $chainref = $filter_table->{"${firewall_zone}2${firewall_zone}"};
+    my $fw = firewall_zone;
    my $chainref = $filter_table->{"${fw}2${fw}"};
    add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
    add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
@ -1854,8 +1858,8 @@ sub generate_matrix() {
 		     nat=>     [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
 		     filter=>  [ qw/INPUT FORWARD OUTPUT/ ] );
-    complete_standard_chain $filter_table->{INPUT}   , 'all' , $firewall_zone;
+    complete_standard_chain $filter_table->{INPUT}   , 'all' , firewall_zone;
-    complete_standard_chain $filter_table->{OUTPUT}  , $firewall_zone , 'all';
+    complete_standard_chain $filter_table->{OUTPUT}  , firewall_zone , 'all';
    complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all';
    if ( $config{LOGALLNEW} ) {
@ -1913,7 +1917,7 @@ sub setup_mss( ) {
 	} 
 	for ( @$interfaces ) {
-	    my $mss      = $interfaces{$_}{options}{mss};
+	    my $mss      = get_interface_option( $_, 'mss' );
 	    my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : ''; 
 	    add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
 	    add_rule $chainref, "-o $_ -j RETURN" if $clampmss;
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@ -39,7 +39,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = 4.03;
+our $VERSION = '4.04';
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@ -150,7 +150,7 @@ our %tcdevices;
 our @tcclasses;
 our %tcclasses;
-our $prefix = '1';
+our $prefix;
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
@ -168,6 +168,11 @@ sub initialize() {
    %tcdevices = ();
    @tcclasses = ();
    %tcclasses = ();
    $prefix = '1';
 }
 INIT {
    initialize;
 }
 sub process_tc_rule( $$$$$$$$$$ ) {
@ -185,13 +190,14 @@ sub process_tc_rule( $$$$$$$$$$ ) {
    my $connmark = 0;
    my $classid  = 0;
    my $device   = '';
    my $fw       = firewall_zone;
    if ( $source ) {
-	if ( $source eq $firewall_zone ) {
+	if ( $source eq $fw ) {
 	    $chain = 'tcout';
 	    $source = '';
 	} else {
-	    $chain = 'tcout' if $source =~ s/^($firewall_zone)://;
+	    $chain = 'tcout' if $source =~ s/^($fw)://;
 	}
    }
@ -200,7 +206,7 @@ sub process_tc_rule( $$$$$$$$$$ ) {
 	if ( $tcsref ) {
 	    if ( $chain eq 'tcout' ) {
-		fatal_error "Invalid chain designator for source $firewall_zone" unless $tcsref->{fw};
+		fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
 	    }
 	    $chain    = $tcsref->{chain}  if $tcsref->{chain};
@ -610,7 +616,7 @@ sub setup_tc() {
 	}
-	$comment = '';
+	clear_comment;
    }
    for ( @deferred_rules ) {
--- a/Shorewall-perl/Shorewall/Tunnels.pm
+++ b/Shorewall-perl/Shorewall/Tunnels.pm
@ -33,13 +33,15 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = 4.00;
+our $VERSION = '4.03';
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
 #
 sub setup_tunnels() {
    our $fw = firewall_zone;
    sub setup_one_ipsec {
 	my ($inchainref, $outchainref, $kind, $source, $dest, $gatewayzones) = @_;
@ -79,11 +81,10 @@ sub setup_tunnels() {
 	unless ( $gatewayzones eq '-' ) {
 	    for my $zone ( split /,/, $gatewayzones ) {
-		fatal_error "Unknown zone ($zone)" unless $zones{$zone};
+		my $type = zone_type( $zone );
 		my $type = $zones{$zone}{type};
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type eq 'firewall' || $type eq 'bport4';
-		$inchainref  = ensure_filter_chain "${zone}2${firewall_zone}", 1;
+		$inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
-		$outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
+		$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
 		unless ( $capabilities{POLICY_MATCH} ) {
 		    add_rule $inchainref,  "-p 50 $source -j ACCEPT";
@ -225,14 +226,12 @@ sub setup_tunnels() {
    sub setup_one_tunnel($$$$) {
 	my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
-	fatal_error "Unknown zone ($zone)" unless $zones{$zone};
+	my $zonetype = zone_type( $zone );
 	my $zonetype = $zones{$zone}{type};
 	fatal_error "Invalid zone ($zone) for tunnel ZONE" if $zonetype eq 'firewall' || $zonetype eq 'bport4';
-	my $inchainref  = ensure_filter_chain "${zone}2${firewall_zone}", 1;
+	my $inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
-	my $outchainref = ensure_filter_chain "${firewall_zone}2${zone}", 1;
+	my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
 	my $source = match_source_net $gateway;
 	my $dest   = match_dest_net   $gateway;
@ -286,7 +285,7 @@ sub setup_tunnels() {
 	}
    }
-    $comment = '';
+    clear_comment;
 }
 1;
--- a/Shorewall-perl/Shorewall/Zones.pm
+++ b/Shorewall-perl/Shorewall/Zones.pm
@ -41,9 +41,19 @@ our @EXPORT = qw( NOTHING
 		  determine_zones
 		  zone_report
 		  dump_zone_contents
 		  find_zone
 		  firewall_zone
 		  defined_zone
 		  zone_type
 		  all_zones
 		  complex_zones
 		  non_firewall_zones
 		  single_interface
 		  validate_interfaces_file
 		  all_interfaces
 		  find_interface
 		  known_interface
 		  have_bridges
 		  port_to_bridge
 		  source_port_to_bridge
 		  interface_is_optional
@ -51,16 +61,10 @@ our @EXPORT = qw( NOTHING
 		  get_interface_option
 		  validate_hosts_file
 		  find_hosts_by_option
-
+		 );
 		  @zones
 		  %zones
 		  $firewall_zone
 		  %interfaces
 		  @interfaces
 		  @bridges );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 4.03;
+our $VERSION = '4.03';
 #
 # IPSEC Option types
@ -312,24 +316,24 @@ sub determine_zones()
    fatal_error "No firewall zone defined" unless $firewall_zone;
    my $pushed = 1;
    my %ordered;
-    while ( $pushed )
+  PUSHED:
    {
 	$pushed = 0;
      ZONE:
 	for my $zone ( @z ) {
 	    unless ( $ordered{$zone} ) {
-		for my $child ( @{$zones{$zone}{children}} ) {
+		for ( @{$zones{$zone}{children}} ) {
-		    next ZONE unless $ordered{$child};
+		    next ZONE unless $ordered{$_};
 		}
 		$ordered{$zone} = 1;
 		push @zones, $zone;
-		$pushed = 1;
+		redo PUSHED;
 	    }
 	}
    }
    fatal_error "Internal error in determine_zones()" unless scalar @zones == scalar @z;
 }
 #
@ -504,6 +508,44 @@ sub add_group_to_zone($$$$$)
 			 ipsec   => $type eq 'ipsec4' ? 'ipsec' : 'none' };
 }
 #
 # Verify that the passed zone name represents a declared zone. Return a
 # reference to its zone table entry.
 #
 sub find_zone( $ ) {
    my $zone = $_[0];
    my $zoneref = $zones{$zone};
    fatal_error "Unknown zone" unless $zoneref;
    $zoneref;
 }
 sub zone_type( $ ) {
    find_zone( $_[0] )->{type};
 }
 sub defined_zone( $ ) {
    $zones{$_[0]};
 }
 sub all_zones() {
    @zones;
 }
 sub non_firewall_zones() {
   grep ( $zones{$_}{type} ne 'firewall'  ,  @zones );
 }
 sub complex_zones() {
    grep( $zones{$_}{options}{complex} , @zones );
 }
 sub firewall_zone() {
    $firewall_zone;
 }
 #
 # Return a list of networks routed out of the passed interface
 #
@ -724,7 +766,7 @@ sub validate_interfaces_file( $ )
 	    fatal_error "No routes found through 'detectnets' interface $interface" unless @networks || $options{optional};
 	    delete $options{maclist} unless @networks;
 	} else {
-	    @networks = @allipv4;
+	    @networks = allipv4;
 	}
 	add_group_to_zone( $zone, $zoneref->{type}, $interface, \@networks, $optionsref ) if $zone && @networks;
@ -782,6 +824,32 @@ sub known_interface($)
    0;
 }
 #
 # Return the interfaces list
 #
 sub all_interfaces() {
    @interfaces;
 }
 #
 # Return a reference to the interfaces table entry for an interface
 #
 sub find_interface( $ ) {
    my $interface    = $_[0];
    my $interfaceref = $interfaces{ $interface };
    fatal_error "Unknown Interface ($interface)" unless $interfaceref;
    $interfaceref;
 }
 #
 # Returns true if there are bridges defined in the config
 #
 sub have_bridges() {
    @bridges > 0;
 }
 #
 # Return the bridge associated with the passed interface. If the interface is not a bridge port,
 # return ''
--- a/Shorewall-perl/buildports.pl
+++ b/Shorewall-perl/buildports.pl
@ -123,8 +123,11 @@ use warnings;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( %protocols %services );
 our @EXPORT_OK = qw();
-our $VERSION = '1.00';
+EOF
 print "our \$VERSION = '$globals{VERSION}';\n";
 print <<'EOF';
 our %protocols = (
 EOF
--- a/Shorewall-perl/compiler.pl
+++ b/Shorewall-perl/compiler.pl
@ -32,6 +32,7 @@
 #         --directory=<directory>     # Directory where configuration resides (default is /etc/shorewall)
 #         --timestamp                 # Timestamp all progress messages
 #         --debug                     # Print stack trace on warnings and fatal error.
 #         --refresh=<chainlist>       # Make the 'refresh' command refresh a comma-separated list of chains rather than 'blacklst'.
 #
 use strict;
 use FindBin;
@ -40,7 +41,7 @@ use Shorewall::Compiler;
 use Getopt::Long;
 sub usage() {
-    print STDERR "usage: compiler.pl [ --export ] [ --directory=<directory> ] [ --verbose={0-2} ] [ --timestamp ] [ -- debuging ] [ <filename> ]\n";
+    print STDERR "usage: compiler.pl [ --export ] [ --directory=<directory> ] [ --verbose={0-2} ] [ --timestamp ] [ -- debuging ] [ --refresh=<chainlist> ] [ <filename> ]\n";
    exit 1;
 }
@ -52,6 +53,7 @@ my $shorewall_dir = '';
 my $verbose       = 0;
 my $timestamp     = '';
 my $debug         = 0;
 my $chains        = '';
 Getopt::Long::Configure ('bundling');
@ -63,7 +65,9 @@ my $result = GetOptions('export'      => \$export,
 			'v=i'         => \$verbose,
 			'timestamp'   => \$timestamp,
 			't'           => \$timestamp,
-		        'debug'       => \$debug
+		        'debug'       => \$debug,
 			'r=s'         => \$chains,
 			'refresh=s'   => \$chains
 		       );
 usage unless $result && @ARGV < 2;
@ -74,4 +78,4 @@ $options |= EXPORT    if $export;
 $options |= TIMESTAMP if $timestamp;
 $options |= DEBUG     if $debug;
-compiler $ARGV[0], $shorewall_dir, $verbose, $options;
+compiler $ARGV[0], $shorewall_dir, $verbose, $options, $chains;
--- a/Shorewall-perl/diff-4.0-lib.base
+++ b/Shorewall-perl/diff-4.0-lib.base
@ -1,788 +0,0 @@
 --- ../Shorewall-common/lib.base	2007-07-22 06:29:50.000000000 -0700
 +++ prog.header	2007-07-22 06:29:50.000000000 -0700
@@ -1,48 +1,27 @@
 -#!/bin/sh
 -#
 -# Shorewall 4.0 -- /usr/share/shorewall/lib.base
 -#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 -#	Complete documentation is available at http://shorewall.net
 +#	Options are:
 #
 -#	This program is free software; you can redistribute it and/or modify
 -#	it under the terms of Version 2 of the GNU General Public License
 -#	as published by the Free Software Foundation.
 -#
 -#	This program is distributed in the hope that it will be useful,
 -#	but WITHOUT ANY WARRANTY; without even the implied warranty of
 -#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 -#	GNU General Public License for more details.
 -#
 -#	You should have received a copy of the GNU General Public License
 -#	along with this program; if not, write to the Free Software
 -#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 -#
 -# This library contains the code common to all Shorewall components.
 -#
 -# - It is copied into the compiled script with the -e compiler flag is specified to
 -#   shorewall-shell.
 -# - It is loaded by /sbin/shorewall.
 -# - It is loaded by /usr/share/shorewall/firewall.
 -# - It is loaded by /usr/share/shorewall-shell/compiler.
 -# - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
 -#   and /usr/share/shorewall-lite/shorecap.
 -# - It is released as part of Shorewall Perl where it is copied into the compiled script
 -#   by the compiler.
 -#
 -
 -SHOREWALL_LIBVERSION=40000
 -SHOREWALL_CAPVERSION=30405
 -
 -[ -n "${VARDIR:=/var/lib/shorewall}" ]
 -[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
 -[ -n "${CONFDIR:=/etc/shorewall}" ]
 -SHELLSHAREDIR=/usr/share/shorewall-shell
 -PERLSHAREDIR=/usr/share/shorewall-perl
 -
 +#	    -n				  Don't alter Routing
 +#	    -v and -q			  Standard Shorewall Verbosity control
 +#
 +#	Commands are:
 +#
 +#	   start			  Starts the firewall
 +#          refresh                        Refresh the firewall
 +#	   restart			  Restarts the firewall
 +#	   reload			  Reload the firewall
 +#	   clear			  Removes all firewall rules
 +#	   stop				  Stops the firewall
 +#	   status			  Displays firewall status
 +#	   version			  Displays the version of Shorewall that
 +#	   				  generated this program
 +#
 +################################################################################
 +# Functions imported from /usr/share/shorewall/lib.base
 +################################################################################
 #
 # Message to stderr
 #
@@ -111,20 +90,6 @@
 }
 #
 -# Undo the effect of 'separate_list()'
 -#
 -combine_list()
 -{
 -    local f o=
 -
 -    for f in $* ; do
 -        o="${o:+$o,}$f"
 -    done
 -
 -    echo $o
 -}
 -
 -#
 # Suppress all output for a command
 #
 qt()
@@ -310,83 +275,6 @@
 }
 #
 -# Call this function to assert mutual exclusion with Shorewall. If you invoke the
 -# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
 -# the first argument. Example "shorewall nolock refresh"
 -#
 -# This function uses the lockfile utility from procmail if it exists.
 -# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
 -# behavior of lockfile.
 -#
 -mutex_on()
 -{
 -    local try=0
 -    local lockf=${LOCKFILE:=${VARDIR}/lock}
 -
 -    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
 -
 -    if [ $MUTEX_TIMEOUT -gt 0 ]; then
 -
 -	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
 -
 -	if qt mywhich lockfile; then
 -	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
 -	else
 -	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 -		sleep 1
 -		try=$((${try} + 1))
 -	    done
 -
 -	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
 -	        # Create the lockfile
 -		echo $$ > ${lockf}
 -	    else
 -		echo "Giving up on lock file ${lockf}" >&2
 -	    fi
 -	fi
 -    fi
 -}
 -
 -#
 -# Call this function to release mutual exclusion
 -#
 -mutex_off()
 -{
 -    rm -f ${LOCKFILE:=${VARDIR}/lock}
 -}
 -
 -#
 -# Load an optional library
 -#
 -lib_load() # $1 = Name of the Library, $2 = Error Message heading if the library cannot be found
 -{
 -    local lib=${SHAREDIR}/lib.$1
 -    local loaded
 -
 -    eval loaded=\$LIB_${1}_LOADED
 -
 -    if [ -z "$loaded" ]; then
 -	[ -f $lib ] || lib=${SHELLSHAREDIR}/lib.$1
 -
 -	if [ -f $lib ]; then
 -	    progress_message "Loading library $lib..."
 -	    . $lib
 -	    eval LIB_${1}_LOADED=Yes
 -	else
 -	    startup_error "$2 requires the Shorewall library $1 ($lib) which is not installed"
 -	fi
 -    fi
 -}
 -
 -#
 -# Determine if an optional library is available
 -#
 -lib_avail() # $1 = Name of the Library
 -{
 -    [ -f ${SHAREDIR}/lib.$1 ]
 -}
 -
 -#
 #  Note: The following set of IP address manipulation functions have anomalous
 #        behavior when the shell only supports 32-bit signed arithmetic and
 #        the IP address is 128.0.0.0 or 128.0.0.1.
@@ -395,32 +283,6 @@
 LEFTSHIFT='<<'
 #
 -# Validate an IP address
 -#
 -valid_address() {
 -    local x y
 -    local ifs=$IFS
 -
 -    IFS=.
 -
 -    for x in $1; do
 -	case $x in
 -	    [0-9]|[0-9][0-9]|[1-2][0-9][0-9])
 -		[ $x -lt 256 ] || { IFS=$ifs; return 2; }
 -                ;;
 -	    *)
 -	        IFS=$ifs
 -		return 2
 -		;;
 -	esac
 -    done
 -
 -    IFS=$ifs
 -
 -    return 0
 -}
 -
 -#
 # Convert an IP address in dot quad format to an integer
 #
 decodeaddr() {
@@ -456,88 +318,6 @@
 }
 #
 -# Enumerate the members of an IP range -- When using a shell supporting only
 -# 32-bit signed arithmetic, the range cannot span 128.0.0.0.
 -#
 -# Comes in two flavors:
 -#
 -# ip_range() - produces a mimimal list of network/host addresses that spans
 -#              the range.
 -#
 -# ip_range_explicit() - explicitly enumerates the range.
 -#
 -ip_range() {
 -    local first last l x y z vlsm
 -
 -    case $1 in
 -	!*)
 -	    #
 -	    # Let iptables complain if it's a range
 -	    #
 -	    echo $1
 -	    return
 -	    ;;
 -	[0-9]*.*.*.*-*.*.*.*)
 -            ;;
 -	*)
 -	    echo $1
 -	    return
 -	    ;;
 -    esac
 -
 -    first=$(decodeaddr ${1%-*})
 -    last=$(decodeaddr ${1#*-})
 -
 -    if [ $first -gt $last ]; then
 -	fatal_error "Invalid IP address range: $1"
 -    fi
 -
 -    l=$(( $last + 1 ))
 -
 -    while [ $first -le $last ]; do
 -	vlsm=
 -	x=31
 -	y=2
 -	z=1
 -
 -	while [ $(( $first % $y )) -eq 0 -a $(( $first + $y )) -le $l ]; do
 -	    vlsm=/$x
 -	    x=$(( $x - 1 ))
 -	    z=$y
 -	    y=$(( $y * 2 ))
 -	done
 -
 -	echo $(encodeaddr $first)$vlsm
 -	first=$(($first + $z))
 -    done
 -}
 -
 -ip_range_explicit() {
 -    local first last
 -
 -    case $1 in
 -    [0-9]*.*.*.*-*.*.*.*)
 -	;;
 -    *)
 -	echo $1
 -	return
 -	;;
 -    esac
 -
 -    first=$(decodeaddr ${1%-*})
 -    last=$(decodeaddr ${1#*-})
 -
 -    if [ $first -gt $last ]; then
 -	fatal_error "Invalid IP address range: $1"
 -    fi
 -
 -    while [ $first -le $last ]; do
 -	echo $(encodeaddr $first)
 -	first=$(($first + 1))
 -    done
 -}
 -
 -#
 # Netmask from CIDR
 #
 ip_netmask() {
@@ -588,60 +368,6 @@
 }
 #
 -# Netmask to VLSM
 -#
 -ip_vlsm() {
 -    local mask=$(decodeaddr $1)
 -    local vlsm=0
 -    local x=$(( 128 << 24 )) # 0x80000000
 -
 -    while [ $(( $x & $mask )) -ne 0 ]; do
 -	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
 -	vlsm=$(($vlsm + 1))
 -    done
 -
 -    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
 -	echo "Invalid net mask: $1" >&2
 -    else
 -	echo $vlsm
 -    fi
 -}
 -
 -
 -#
 -# Chain name base for an interface -- replace all periods with underscores in the passed name.
 -#                                     The result is echoed (less trailing "+").
 -#
 -chain_base() #$1 = interface
 -{
 -    local c=${1%%+}
 -
 -    while true; do
 -	case $c in
 -	    @*)
 -               c=at_${c#@}
 -	       ;;
 -	    *.*)
 -		c="${c%.*}_${c##*.}"
 -		;;
 -	    *-*)
 -		c="${c%-*}_${c##*-}"
 -		;;
 -	    *%*)
 -		c="${c%\%*}_${c##*%}"
 -		;;
 -	    *@*)
 -		c="${c%@*}_${c##*@}"
 -		;;
 -	    *)
 -		echo ${c:=common}
 -		return
 -		;;
 -	esac
 -    done
 -}
 -
 -#
 # Query NetFilter about the existence of a filter chain
 #
 chain_exists() # $1 = chain name
@@ -879,21 +605,6 @@
 }
 #
 -# Set default config path
 -#
 -ensure_config_path() {
 -    local F=${SHAREDIR}/configpath
 -    if [ -z "$CONFIG_PATH" ]; then
 -	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
 -	. $F
 -    fi
 -
 -    if [ -n "$SHOREWALL_DIR" ]; then
 -	[ "${CONFIG_PATH%%:*}" = "$SHOREWALL_DIR" ] || CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH
 -    fi
 -}
 -
 -#
 # Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
 #
 find_file()
@@ -918,54 +629,6 @@
 }
 #
 -# Get fully-qualified name of file
 -#
 -resolve_file() # $1 = file name
 -{
 -    local pwd=$PWD
 -
 -    case $1 in
 -	/*)
 -	    echo $1
 -	    ;;
 -	.)
 -	    echo $pwd
 -	    ;;
 -	./*)
 -	    echo ${pwd}${1#.}
 -	    ;;
 -	..)
 -	    cd ..
 -	    echo $PWD
 -	    cd $pwd
 -	    ;;
 -	../*)
 -	    cd ..
 -	    resolve_file ${1#../}
 -	    cd $pwd
 -	    ;;
 -	*)
 -	    echo $pwd/$1
 -	    ;;
 -    esac
 -}
 -
 -#
 -# Perform variable substitution on the passed argument and echo the result
 -#
 -expand() # $@ = contents of variable which may be the name of another variable
 -{
 -    eval echo \"$@\"
 -}
 -
 -#
 -# Function for including one file into another
 -#
 -INCLUDE() {
 -    . $(find_file $(expand $@))
 -}
 -
 -#
 # Set the Shorewall state
 #
 set_state () # $1 = state
@@ -974,200 +637,6 @@
 }
 #
 -# Determine which optional facilities are supported by iptables/netfilter
 -#
 -determine_capabilities() {
 -    qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
 -    qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
 -
 -    CONNTRACK_MATCH=
 -    MULTIPORT=
 -    XMULTIPORT=
 -    POLICY_MATCH=
 -    PHYSDEV_MATCH=
 -    IPRANGE_MATCH=
 -    RECENT_MATCH=
 -    OWNER_MATCH=
 -    IPSET_MATCH=
 -    CONNMARK=
 -    XCONNMARK=
 -    CONNMARK_MATCH=
 -    XCONNMARK_MATCH=
 -    RAW_TABLE=
 -    IPP2P_MATCH=
 -    LENGTH_MATCH=
 -    CLASSIFY_TARGET=
 -    ENHANCED_REJECT=
 -    USEPKTTYPE=
 -    KLUDGEFREE=
 -    MARK=
 -    XMARK=
 -    MANGLE_FORWARD=
 -    COMMENTS=
 -    ADDRTYPE=
 -    TCPMSS_MATCH=
 -
 -    qt $IPTABLES -N fooX1234
 -    qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
 -    qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT               && MULTIPORT=Yes
 -    qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT               && XMULTIPORT=Yes
 -    qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT     && POLICY_MATCH=Yes
 -
 -    if qt $IPTABLES -A fooX1234 -m physdev --physdev-out eth0 -j ACCEPT; then
 -	PHYSDEV_MATCH=Yes
 -    fi
 -
 -    if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
 -	IPRANGE_MATCH=Yes
 -	if [ -z "${KLUDGEFREE}" ]; then
 -	    qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
 -	fi
 -    fi
 -
 -    qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT     && RECENT_MATCH=Yes
 -    qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
 -
 -    if qt $IPTABLES -A fooX1234 -m connmark --mark 2  -j ACCEPT; then
 -	CONNMARK_MATCH=Yes
 -	qt $IPTABLES -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
 -    fi
 -
 -    qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT            && IPP2P_MATCH=Yes
 -    qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT           && LENGTH_MATCH=Yes
 -    qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
 -
 -    qt $IPTABLES -A fooX1234 -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
 -
 -    if [ -n "$MANGLE_ENABLED" ]; then
 -	qt $IPTABLES -t mangle -N fooX1234
 -
 -	if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then
 -	    MARK=Yes
 -	    qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes
 -	fi
 -
 -	if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
 -	    CONNMARK=Yes
 -	    qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
 -	fi
 -
 -	qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
 -	qt $IPTABLES -t mangle -F fooX1234
 -	qt $IPTABLES -t mangle -X fooX1234
 -	qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
 -    fi
 -
 -    qt $IPTABLES -t raw	   -L -n && RAW_TABLE=Yes
 -
 -    if qt mywhich ipset; then
 -	qt ipset -X fooX1234 # Just in case something went wrong the last time
 -
 -	if qt ipset -N fooX1234 iphash ; then
 -	    if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
 -		qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
 -		IPSET_MATCH=Yes
 -	    fi
 -	    qt ipset -X fooX1234
 -	fi
 -    fi
 -
 -    qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
 -    qt $IPTABLES -A fooX1234 -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
 -    qt $IPTABLES -A fooX1234 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
 -
 -    qt $IPTABLES -F fooX1234
 -    qt $IPTABLES -X fooX1234
 -
 -    CAPVERSION=$SHOREWALL_CAPVERSION
 -}
 -
 -report_capabilities() {
 -    report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
 -    {
 -	local setting=
 -
 -	[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
 -
 -	echo "  " $1: $setting
 -    }
 -
 -    if [ $VERBOSE -gt 1 ]; then
 -	echo "Shorewall has detected the following iptables/netfilter capabilities:"
 -	report_capability "NAT" $NAT_ENABLED
 -	report_capability "Packet Mangling" $MANGLE_ENABLED
 -	report_capability "Multi-port Match" $MULTIPORT
 -	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
 -	report_capability "Connection Tracking Match" $CONNTRACK_MATCH
 -	report_capability "Packet Type Match" $USEPKTTYPE
 -	report_capability "Policy Match" $POLICY_MATCH
 -	report_capability "Physdev Match" $PHYSDEV_MATCH
 -	report_capability "Packet length Match" $LENGTH_MATCH
 -	report_capability "IP range Match" $IPRANGE_MATCH
 -	report_capability "Recent Match" $RECENT_MATCH
 -	report_capability "Owner Match" $OWNER_MATCH
 -	report_capability "Ipset Match" $IPSET_MATCH
 -	report_capability "CONNMARK Target" $CONNMARK
 -	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
 -	report_capability "Connmark Match" $CONNMARK_MATCH
 -	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
 -	report_capability "Raw Table" $RAW_TABLE
 -	report_capability "IPP2P Match" $IPP2P_MATCH
 -	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
 -	report_capability "Extended REJECT" $ENHANCED_REJECT
 -	report_capability "Repeat match" $KLUDGEFREE
 -	report_capability "MARK Target" $MARK
 -	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
 -	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
 -	report_capability "Comments" $COMMENTS
 -	report_capability "Address Type Match" $ADDRTYPE
 -	report_capability "TCPMSS Match" $TCPMSS_MATCH
 -    fi
 -
 -    [ -n "$PKTTYPE" ] || USEPKTTYPE=
 -
 -}
 -
 -report_capabilities1() {
 -    report_capability1() # $1 = Capability
 -    {
 -	eval echo $1=\$$1
 -    }
 -
 -    echo "#"
 -    echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
 -    echo "#"
 -    report_capability1 NAT_ENABLED
 -    report_capability1 MANGLE_ENABLED
 -    report_capability1 MULTIPORT
 -    report_capability1 XMULTIPORT
 -    report_capability1 CONNTRACK_MATCH
 -    report_capability1 USEPKTTYPE
 -    report_capability1 POLICY_MATCH
 -    report_capability1 PHYSDEV_MATCH
 -    report_capability1 LENGTH_MATCH
 -    report_capability1 IPRANGE_MATCH
 -    report_capability1 RECENT_MATCH
 -    report_capability1 OWNER_MATCH
 -    report_capability1 IPSET_MATCH
 -    report_capability1 CONNMARK
 -    report_capability1 XCONNMARK
 -    report_capability1 CONNMARK_MATCH
 -    report_capability1 XCONNMARK_MATCH
 -    report_capability1 RAW_TABLE
 -    report_capability1 IPP2P_MATCH
 -    report_capability1 CLASSIFY_TARGET
 -    report_capability1 ENHANCED_REJECT
 -    report_capability1 KLUDGEFREE
 -    report_capability1 MARK
 -    report_capability1 XMARK
 -    report_capability1 MANGLE_FORWARD
 -    report_capability1 COMMENTS
 -    report_capability1 ADDRTYPE
 -
 -    echo CAPVERSION=$SHOREWALL_CAPVERSION
 -}
 -
 -#
 # Delete IP address
 #
 del_ip_addr() # $1 = address, $2 = interface
@@ -1286,82 +755,6 @@
     cut -b -${1}
 }
 -#
 -# Add a logging rule.
 -#
 -do_log_rule_limit() # $1 = log level, $2 = chain, $3 = display Chain $4 = disposition , $5 = rate limit $6=log tag $7=command $... = predicates for the rule
 -{
 -    local level=$1
 -    local chain=$2
 -    local displayChain=$3
 -    local disposition=$4
 -    local rulenum=
 -    local limit=
 -    local tag=
 -    local command=
 -    local prefix
 -    local base=$(chain_base $displayChain)
 -    local pf
 -
 -    limit="${5:-$LOGLIMIT}" # Do this here rather than in the declaration above to appease /bin/ash.
 -    tag=${6:+$6 }
 -    command=${7:--A}
 -
 -    shift 7
 -
 -    if [ -n "$tag" -a -n "$LOGTAGONLY" ]; then
 -	displayChain=$tag
 -	tag=
 -    fi
 -
 -    if [ -n "$LOGRULENUMBERS" ]; then
 -	#
 -	# Hack for broken printf on some lightweight shells
 -	#
 -	[ $(printf "%d" 1) = "1" ] && pf=printf || pf=$(mywhich printf)
 -
 -	eval rulenum=\$${base}_logrules
 -
 -	rulenum=${rulenum:-1}
 -
 -	prefix="$($pf "$LOGFORMAT" $displayChain $rulenum $disposition)${tag}"
 -
 -	rulenum=$(($rulenum + 1))
 -	eval ${base}_logrules=$rulenum
 -    else
 -	prefix="$(printf "$LOGFORMAT" $displayChain $disposition)${tag}"
 -    fi
 -
 -    if [ ${#prefix} -gt 29 ]; then
 -	prefix=`echo "$prefix" | truncate 29`
 -	error_message "WARNING: Log Prefix shortened to \"$prefix\""
 -    fi
 -
 -    case $level in
 -	ULOG)
 -	    $IPTABLES $command $chain $@ $limit -j ULOG $LOGPARMS --ulog-prefix "$prefix"
 -	    ;;
 -	*)
 -	    $IPTABLES $command $chain $@ $limit -j LOG $LOGPARMS --log-level $level --log-prefix "$prefix"
 -	    ;;
 -    esac
 -
 -    if [ $? -ne 0 ] ; then
 -	[ -z "$STOPPING" ] && { stop_firewall; exit 2; }
 -    fi
 -}
 -
 -do_log_rule() # $1 = log level, $2 = chain, $3 = disposition , $... = predicates for the rule
 -{
 -    local level=$1
 -    local chain=$2
 -    local disposition=$3
 -
 -    shift 3
 -
 -    do_log_rule_limit $level $chain $chain $disposition "$LOGLIMIT" "" -A $@
 -}
 -
 delete_tc1()
 {
     clear_one_tc() {
@@ -1496,65 +889,6 @@
     echo echo
 }
 -
 -# Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
 -#
 -#     None - No mktemp
 -#     BSD  - BSD mktemp (Mandrake)
 -#     STD  - mktemp.org mktemp
 -#
 -find_mktemp() {
 -    local mktemp=`mywhich mktemp 2> /dev/null`
 -
 -    if [ -n "$mktemp" ]; then
 -	if qt mktemp -V ; then
 -	    MKTEMP=STD
 -	else
 -	    MKTEMP=BSD
 -	fi
 -    else
 -	MKTEMP=None
 -    fi
 -}
 -
 -#
 -# create a temporary file. If a directory name is passed, the file will be created in
 -# that directory. Otherwise, it will be created in a temporary directory.
 -#
 -mktempfile() {
 -
 -    [ -z "$MKTEMP" ] && find_mktemp
 -
 -    if [ $# -gt 0 ]; then
 -	case "$MKTEMP" in
 -	    BSD)
 -		mktemp $1/shorewall.XXXXXX
 -		;;
 -	    STD)
 -		mktemp -p $1 shorewall.XXXXXX
 -		;;
 -	    None)
 -		> $1/shorewall-$$ && echo $1/shorewall-$$
 -		;;
 -	    *)
 -		error_message "ERROR:Internal error in mktempfile"
 -		;;
 -	esac
 -    else
 -	case "$MKTEMP" in
 -	    BSD)
 -		mktemp /tmp/shorewall.XXXXXX
 -		;;
 -	    STD)
 -		mktemp -t shorewall.XXXXXX
 -		;;
 -	    None)
 -		rm -f /tmp/shorewall-$$
 -		> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
 -		;;
 -	    *)
 -		error_message "ERROR:Internal error in mktempfile"
 -		;;
 -	esac
 -    fi
 -}
 +################################################################################
 +# End of functions imported from /usr/share/shorewall/lib.base
 +################################################################################
--- a/Shorewall-perl/install.sh
+++ b/Shorewall-perl/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.0.3
+VERSION=4.0.4
 usage() # $1 = exit status
 {
--- a/Shorewall-perl/prog.functions
+++ b/Shorewall-perl/prog.functions
@ -6,11 +6,9 @@ delete_proxyarp() {
 	while read address interface external haveroute; do
 	    qt arp -i $external -d $address pub
 	    [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
 	    interface=/proc/sys/net/ipv4/conf/$interface
 	    [ -f $interface/proxyarp ] && echo 0 > $interface/proxy_arp
 	done < ${VARDIR}/proxyarp
 	for f in /proc/sys/net/ipv4/conf/*; do
 	    [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
 	done
    fi
    rm -f ${VARDIR}/proxyarp
--- a/Shorewall-perl/prog.header
+++ b/Shorewall-perl/prog.header
@ -636,6 +636,21 @@ set_state () # $1 = state
    echo "$1 ($(date))" > ${VARDIR}/state
 }
 #
 # Perform variable substitution on the passed argument and echo the result
 #
 expand() # $@ = contents of variable which may be the name of another variable
 {
    eval echo \"$@\"
 }
 #
 # Function for including one file into another
 #
 INCLUDE() {
    . $(find_file $(expand $@))
 }
 #
 # Delete IP address
 #
--- a/Shorewall-perl/shorewall-perl.spec
+++ b/Shorewall-perl/shorewall-perl.spec
@ -1,5 +1,5 @@
 %define name shorewall-perl
-%define version 4.0.3
+%define version 4.0.4
 %define release 1
 Summary: Shoreline Firewall Perl-based compiler.
@ -72,6 +72,8 @@ fi
 %doc COPYING releasenotes.txt
 %changelog
 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.4-1
 * Mon Aug 13 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.3-1
 * Thu Aug 09 2007 Tom Eastep tom@shorewall.net
--- a/Shorewall-shell/README.txt
+++ b/Shorewall-shell/README.txt
@ -1 +1 @@
-This is the Shorewall-shell Development 4.1 branch of SVN.
+This is the Shorewall-shell Stable 4.0 branch of SVN.
--- a/Shorewall-shell/install.sh
+++ b/Shorewall-shell/install.sh
@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.0.3
+VERSION=4.0.4
 usage() # $1 = exit status
 {
--- a/Shorewall-shell/shorewall-shell.spec
+++ b/Shorewall-shell/shorewall-shell.spec
@ -1,5 +1,5 @@
 %define name shorewall-shell
-%define version 4.0.3
+%define version 4.0.4
 %define release 1
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -81,6 +81,8 @@ fi
 %doc COPYING INSTALL 
 %changelog
 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.4-1
 * Mon Aug 13 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.3-1
 * Thu Aug 09 2007 Tom Eastep tom@shorewall.net
`@ -1 +1 @@`
	`This is the Shorewall-common Development 4.1 branch of SVN.`	`This is the Shorewall-common Stable 4.0 branch of SVN.`
`@ -1 +1 @@`
	`This is the Shorewall-lite Development 4.1 branch of SVN.`	`This is the Shorewall-lite Stable 4.0 branch of SVN.`
`@ -1,2 +1,2 @@`
	`This is the Shorewall-perl Development 4.1 branch of SVN.`	`This is the Shorewall-perl Stable 4.0 branch of SVN.`
`@ -1 +1 @@`
	`This is the Shorewall-shell Development 4.1 branch of SVN.`	`This is the Shorewall-shell Stable 4.0 branch of SVN.`