diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 0bff4846b..c42097248 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -17,3 +17,5 @@ Changes since 2.0.0
 8) Implement Sean Mathews's fix fix Proxy ARP and IPSEC.
 9) Improve zone-definition checking.
+
+10) Add additional options to hosts file
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 6a627b773..8162f0a0a 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -975,7 +975,7 @@ find_hosts_by_option() # $1 = option
 done < $TMP_DIR/hosts
 for interface in $all_interfaces; do
- interface_has_option $interface $option && \
+ interface_has_option $interface $1 && \
 echo ${interface}:0.0.0.0/0
 done
 }
@@ -1889,7 +1889,7 @@ process_tc_rule()
 fatal_error "Unknown interface $source in rule \"$rule\""
 fi
- r="$(select_source_dev) $source "
+ r="$(match_source_dev) $source "
 ;;
 esac
 fi
@@ -4207,11 +4207,11 @@ process_blacklist_rec() {
 #
 # Setup the Black List
 #
 setup_blacklist() {
- local interfaces=$(find_interfaces_by_option blacklist)
+ local hosts=$(find_hosts_by_option blacklist)
 local f=$(find_file blacklist)
 local disposition=$BLACKLIST_DISPOSITION
- if [ -n "$interfaces" -a -f $f ]; then
+ if [ -n "$hosts" -a -f $f ]; then
 echo "Setting up Blacklisting..."
 strip_file blacklist $f
@@ -4220,12 +4220,17 @@ setup_blacklist() {
 [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
- for interface in $interfaces; do
- for chain in $(first_chains $interface); do
- run_iptables -A $chain $state -j blacklst
- done
+ for host in $hosts; do
+ interface=${host%%:*}
+ network=${host#*:}
- echo " Blacklisting enabled on $interface"
+ for chain in $(first_chains $interface); do
+ run_iptables -A $chain $state $(match_source_hosts $network) -j blacklst
+ done
+
+ [ $network = 0/0.0.0.0 ] && network= || network=":$network"
+
+ echo " Blacklisting enabled on ${interface}${network}"
 done
 [ "$disposition" = REJECT ] && disposition=reject
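Review bot: In the setup_blacklist hunk at 4220 the test `[ $network = 0/0.0.0.0 ]` can never match what find_hosts_by_option produces — the hunk at 975 shows it emitting `${interface}:0.0.0.0/0`, so the literal is reversed and the "Blacklisting enabled on" message will always carry the `:0.0.0.0/0` suffix for interface-wide entries. The expansion is also unquoted inside `[ ]`, which is fragile for a value that comes from a user-edited file. Suggested line: `[ "$network" = 0.0.0.0/0 ] && network= || network=":$network"`. Whether match_source_hosts turns 0.0.0.0/0 into an empty match (so interface-wide entries do not gain a redundant source test) is not visible in this diff and is worth confirming.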
@@ -4605,15 +4610,18 @@ add_common_rules() {
 #
 # SMURFS
 #
- interfaces=$(find_interfaces_by_option nosmurfs)
+ hosts=$(find_hosts_by_option nosmurfs)
- if [ -n "$interfaces" ]; then
+ if [ -n "$hosts" ]; then
 echo "Adding Anti-smurf Rules"
- for interface in $interfaces; do
+ for host in $hosts; do
+ interface=${host%%:*}
+ subnet=${host#*:}
+
 for chain in $(first_chains $interface); do
- run_iptables -A $chain -m state --state NEW -j smurfs
+ run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) -j smurfs
 done
 done
 fi
@@ -4639,9 +4647,9 @@ add_common_rules() {
 #
 # RFC 1918
 #
- norfc1918_interfaces="$(find_interfaces_by_option norfc1918)"
+ hosts="$(find_hosts_by_option norfc1918)"
- if [ -n "$norfc1918_interfaces" ]; then
+ if [ -n "$hosts" ]; then
 echo "Enabling RFC1918 Filtering"
 strip_file rfc1918
@@ -4697,21 +4705,24 @@ add_common_rules() {
 fi
 done < $TMP_DIR/rfc1918
- for interface in $norfc1918_interfaces; do
+ for host in $hosts; do
+ interface=${host%%:*}
+ subnet=${host#*:}
+
 for chain in $(first_chains $interface); do
- run_iptables -A $chain -m state --state NEW -j norfc1918
+ run_iptables -A $chain -m state --state NEW $(match_source_hosts $subnet) -j norfc1918
 done
 [ -n "$MANGLE_ENABLED" -a -z "$CONNTRACK_MATCH" ] && \
- run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface -j man1918
+ run_iptables -t mangle -A PREROUTING -m state --state NEW -i $interface $(match_source_hosts $subnet) -j man1918
 done
 fi
 #
 # Bogons
 #
- nobogon_interfaces="$(find_interfaces_by_option bogons)"
+ hosts="$(find_hosts_by_option bogons)"
- if [ -n "$nobogon_interfaces" ]; then
+ if [ -n "$hosts" ]; then
 echo "Enabling Bogon Filtering"
 strip_file bogons
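Review bot: In the SMURFS hunk at 4610 the new loop assigns `subnet=${host#*:}` but the rule it appends passes `$(match_source_hosts $network)`; `network` is not assigned anywhere in this hunk (the bogons loop at 4751 sets it, but that runs after this code), so the smurfs rule is built from an unset or stale value and the per-host restriction the hosts-file option promises is silently lost. The norfc1918 hunk at 4705 uses `subnet` consistently, so the fix is the single line `run_iptables -A $chain -m state --state NEW $(match_source_hosts $subnet) -j smurfs`. Using one name for the split-off address in all five loops (the bogons and tcpflags hunks say `network`, the two here say `subnet`) would make this kind of slip visible at a glance. add_common_rules begins and ends outside these hunks.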
@@ -4740,17 +4751,20 @@ add_common_rules() {
 done < $TMP_DIR/bogons
- for interface in $nobogon_interfaces; do
+ for host in $hosts; do
+ interface=${host%%:*}
+ network=${host#*:}
+
 for chain in $(first_chains $interface); do
- run_iptables -A $chain -m state --state NEW -j nobogons
+ run_iptables -A $chain -m state --state NEW $(match_source_hosts $network) -j nobogons
 done
 done
 fi
- interfaces=$(find_interfaces_by_option tcpflags)
+ hosts=$(find_hosts_by_option tcpflags)
- if [ -n "$interfaces" ]; then
+ if [ -n "$hosts" ]; then
 echo "Setting up TCP Flags checking..."
 createchain tcpflags no
@@ -4791,9 +4805,12 @@ add_common_rules() {
 #
 run_iptables -A tcpflags -p tcp --syn --sport 0 $disposition
- for interface in $interfaces; do
+ for host in $hosts; do
+ interface=${host%%:*}
+ network=${host#*:}
+
 for chain in $(first_chains $interface); do
- run_iptables -A $chain -p tcp -j tcpflags
+ run_iptables -A $chain -p tcp $(match_source_hosts $network) -j tcpflags
 done
 done
 fi
@@ -5117,7 +5134,6 @@ activate_rules()
 run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
 run_iptables -D $chain -p udp --dport 53 -j ACCEPT
 done
-
 }
 #
diff --git a/Shorewall2/hosts b/Shorewall2/hosts
index 12f9740d7..746fd2634 100644
--- a/Shorewall2/hosts
+++ b/Shorewall2/hosts
@@ -58,5 +58,66 @@
 # to send requests originating from this
 # group to a server in the group.
 #
+# norfc1918 - This option only makes sense for ports
+# on a bridge.
+#
+# The port should not accept
+# any packets whose source is in one
+# of the ranges reserved by RFC 1918
+# (i.e., private or "non-routable"
+# addresses. If packet mangling or
+# connection-tracking match is enabled in
+# your kernel, packets whose destination
+# addresses are reserved by RFC 1918 are
+# also rejected.
+#
+# nobogons - This option only makes sense for ports
+# on a bridge.
+#
+# This port should not accept
+# any packets whose source is in one
+# of the ranges reserved by IANA (this
+# option does not cover those ranges
+# reserved by RFC 1918 -- see
+# 'norfc1918' above).
+#
+# . . blacklist - This option only makes sense for ports
+# on a bridge.
+#
+# Check packets arriving on this port
+# against the /etc/shorewall/blacklist
+# file.
+#
+# tcpflags - Packets arriving from these hosts are
+# checked for certain illegal combinations
+# of TCP flags. Packets found to have
+# such a combination of flags are handled
+# according to the setting of
+# TCP_FLAGS_DISPOSITION after having been
+# logged according to the setting of
+# TCP_FLAGS_LOG_LEVEL.
+#
+# nosmurfs - This option only makes sense for ports
+# on a bridge.
+#
+# Filter packets for smurfs
+# (packets with a broadcast
+# address as the source).
+#
+# Smurfs will be optionally logged based
+# on the setting of SMURF_LOG_LEVEL in
+# shorewall.conf. After logging, the
+# packets are dropped.
+#
+# newnotsyn - TCP packets that don't have the SYN
+# flag set and which are not part of an
+# established connection will be accepted
+# from these hosts, even if
+# NEWNOTSYN=No has been specified in
+# /etc/shorewall/shorewall.conf.
+#
+# This option has no effect if
+# NEWNOTSYN=Yes.
+#
 #ZONE HOST(S) OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
diff --git a/Shorewall2/interfaces b/Shorewall2/interfaces
index 575286e03..9a9642362 100644
--- a/Shorewall2/interfaces
+++ b/Shorewall2/interfaces
@@ -63,15 +63,23 @@
 # any packets whose source is in one
 # of the ranges reserved by RFC 1918
 # (i.e., private or "non-routable"
-# addresses. If packet mangling is
-# enabled in shorewall.conf, packets
-# whose destination addresses are
-# reserved by RFC 1918 are also rejected.
+# addresses. If packet mangling or
+# connection-tracking match is enabled in
+# your kernel, packets whose destination
+# addresses are reserved by RFC 1918 are
+# also rejected.
+#
+# nobogons - This interface should not receive
+# any packets whose source is in one
+# of the ranges reserved by IANA (this
+# option does not cover those ranges
+# reserved by RFC 1918 -- see above).
 #
 # routefilter - turn on kernel route filtering for this
 # interface (anti-spoofing measure). This
 # option can also be enabled globally in
 # the /etc/shorewall/shorewall.conf file.
+#
 # . . blacklist - Check packets arriving on this interface
 # against the /etc/shorewall/blacklist
 # file.
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index c89b705a6..433950372 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -85,4 +85,21 @@ New Features:
 ... Error: Invalid zone definition for zone Terminated
-
+
+5) To support bridging, the following options have been added to
+ entries in /etc/shorewall/hosts:
+
+ norfc1918
+ nobogons
+ blacklist
+ tcpflags
+ nosmurfs
+ newnotsyn
+
+ With the excpection of 'newnotsyn', these options are only
+ useful when the entry refers to a bridge port.
+
+ Example:
+
+ #ZONE HOST(S) OPTIONS
+ net br0:eth0 norfc1918,nobogons,blacklist,tcpflags,nosmurfs