diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 23e6f8c6a..ba587acd7 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -7,3 +7,5 @@ Changes in 3.1.0
 3) Implement 'super-quiet' mode using multiple -q options (e.g., -qq).
 4) Add back dynamic zones.
+
+5) Allow remote compiles.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 9a3090c9e..24e38eccc 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -1218,6 +1218,8 @@ validate_interfaces_file() {
 options=$(separate_list $options)
 iface=$(chain_base $interface)
+ [ -n "$EXPORT" -a x$networks = detect ] && startup_error "BROADCAST 'detect' is incompatible with the -e option: Interface \"$interface\""
+
 eval ${iface}_broadcast="$networks"
 eval ${iface}_zone="$z"
 eval ${iface}_options=\"$options\"
@@ -1226,7 +1228,10 @@ validate_interfaces_file() {
 case $option in
 -) ;;
- dhcp|tcpflags|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|maclist|nosmurfs|upnp|-)
+ dhcp|tcpflags|arp_filter|routefilter|logmartians|sourceroute|blacklist|proxyarp|nosmurfs|upnp|-)
+ ;;
+ maclist)
+ [ -n "$EXPORT" ] && startup_error "The 'maclist' option is incompatible with the -e option: Interface \"$interface\""
 ;;
 norfc1918)
 if [ $COMMAND = generate ]; then
@@ -1266,6 +1271,8 @@ __EOF__
 detectnets)
 [ -n "$wildcard" ] && \
 startup_error "The \"detectnets\" option may not be used with a wild-card interface"
+ [ -n $EXPORT ] && \
+ startup_error "'detectnets' not permitted with the -e option"
 ;;
 routeback)
 [ -n "$z" ] || startup_error "The routeback option may not be specified on a multi-zone interface"
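Review bot: The BROADCAST guard added at the top of the first firewall hunk can never fire: `x$networks = detect` compares the string `xdetect` against `detect`, so the `x` prefix defeats the very comparison it is meant to protect, and a BROADCAST of `detect` is accepted under -e — the exact case the error message was written for. Put the prefix on both sides: `[ -n "$EXPORT" -a "x$networks" = xdetect ] && startup_error "BROADCAST 'detect' is incompatible with the -e option: Interface \"$interface\""`. validate_interfaces_file starts before this hunk and continues after it.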
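Review bot: `[ -n $EXPORT ]` in the new detectnets check is unquoted, so on any compile without -e, where EXPORT is empty, the test collapses to the one-argument form `[ -n ]`, which is true, and every interface carrying `detectnets` is rejected with "'detectnets' not permitted with the -e option" regardless of how the command was invoked. The other -e checks in this commit quote the variable; do the same here: `[ -n "$EXPORT" ] && \`. The enclosing case statement continues beyond the hunk.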
@@ -1478,16 +1485,44 @@ __EOF__
 rulenum=0
- if [ $COMMAND != check ]; then
- find_interface_addresses $interface | while read address; do
- run_and_save_command " qt ip rule del from $address"
+ case $COMMAND in
+ check)
+ ;;
+ generate)
 if [ -z "$loose" ]; then
- pref=$((20000 + $rulenum * 1000 + $number ))
- rulenum=$(($rulenum + 1))
- ensure_and_save_command " ip rule add from $address pref $pref table $number"
+ cat >> $RESTOREBASE << __EOF__
+
+ rulenum=0
+
+ find_interface_addresses $interface | while read address; do
+ qt ip rule del from \$address
+ pref=\$((20000 + \$rulenum * 1000 + $number ))
+ rulenum=\$((\$rulenum + 1))
+ ip rule add from \$address pref \$pref table $number"
+ done
+
+__EOF__
+ else
+ cat >> $RESTOREBASE << __EOF__
+
+ find_interface_addresses $interface | while read address; do
+ qt ip rule del from \$address
+ done
+
+__EOF__
 fi
- done
- fi
+ ;;
+ *)
+ find_interface_addresses $interface | while read address; do
+ run_and_save_command " qt ip rule del from $address"
+ if [ -z "$loose" ]; then
+ pref=$((20000 + $rulenum * 1000 + $number ))
+ rulenum=$(($rulenum + 1))
+ ensure_and_save_command " ip rule add from $address pref $pref table $number"
+ fi
+ done
+ ;;
+ esac
 }
 strip_file providers $1
@@ -1632,8 +1667,11 @@ validate_hosts_file() {
 for option in $(separate_list $options) ; do
 case $option in
- maclist|norfc1918|blacklist|tcpflags|nosmurfs|-)
+ norfc1918|blacklist|tcpflags|nosmurfs|-)
 ;;
+ maclist)
+ [ -n "$EXPORT" ] && startup_error "The 'maclist' option is incompatible with the -e option: \"$host\""
+ ;;
 ipsec)
 [ -n "$POLICY_MATCH" ] || \
 startup_error "Your kernel and/or iptables does not support policy match: ipsec"
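Review bot: The `ip rule add` line written into the first here-document ends with a stray double quote — `ip rule add from \$address pref \$pref table $number"` — and since the here-document is copied verbatim into $RESTOREBASE, every `generate` of a provider without `loose` produces a script with an unterminated string at that point, which will not parse on the target. Drop the quote: `ip rule add from \$address pref \$pref table $number`. The emitted loop also presumes `find_interface_addresses` and `qt` are defined when the compiled script runs on the target host; that seems to be the intent behind the library move elsewhere in this commit, but it is not visible here and is worth confirming. The enclosing function starts before this hunk.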
@@ -1822,27 +1860,6 @@ find_broadcasts() {
 done
 }
-#
-# Find interface address--returns the first IP address assigned to the passed
-# device
-#
-find_first_interface_address() # $1 = interface
-{
- #
- # get the line of output containing the first IP address
- #
- addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
- #
- # If there wasn't one, bail out now
- #
- [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
- #
- # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
- # along with everything else on the line
- #
- echo $addr | sed 's/inet //;s/\/.*//;s/ peer.*//'
-}
-
 #
 # Find interfaces that have the passed option specified
 #
@@ -2006,28 +2023,6 @@ setup_forwarding() {
 esac
 }
-#
-# Disable IPV6
-#
-disable_ipv6() {
- local foo="$(ip -f inet6 addr ls 2> /dev/null)"
-
- if [ -n "$foo" ]; then
- if qt mywhich ip6tables; then
- save_progress_message "Disabling IPV6..."
- ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
- ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP
- ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP
- ip6tables -F && save_command ip6tables -F
- ip6tables -X && save_command ip6tables -X
- ip6tables -A OUTPUT -o lo -j ACCEPT && save_command ip6tables -A OUTPUT -o lo -j ACCEPT
- ip6tables -A INPUT -i lo -j ACCEPT && save_command ip6tables -A INPUT -i lo -j ACCEPT
- else
- error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
- fi
- fi
-}
-
 disable_ipv6_1() {
 local foo="$(ip -f inet6 addr ls 2> /dev/null)"
@@ -3015,6 +3010,7 @@ setup_mac_lists() {
 # chains
 #
 for interface in $maclist_interfaces; do
+ [ -n "$MACLIST_TTL" ] && chain=$(macrecent_target $interface) || chain=$(mac_chain $interface)
 blob=$(ip link show $interface 2> /dev/null)
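Review bot: The new `chain=` line in setup_mac_lists uses `A && B || C` as an if/else, which is not equivalent: if `macrecent_target` exits non-zero, the `||` branch runs and silently overwrites chain with `mac_chain`'s output, so a failure of the first lookup is masked rather than surfaced. Let MACLIST_TTL alone decide: `if [ -n "$MACLIST_TTL" ]; then chain=$(macrecent_target $interface); else chain=$(mac_chain $interface); fi`. setup_mac_lists continues outside the hunk.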
@@ -3104,8 +3100,12 @@ setup_syn_flood_chains()
 delete_proxy_arp() {
 if [ -f /var/lib/shorewall/proxyarp ]; then
 while read address interface external haveroute; do
- [ $COMMAND = generate ] || qt arp -i $external -d $address pub
- [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
+ run_and_save_command "qt arp -i $external -d $address pub"
+ if [ $COMMAND = generate ]; then
+ [ -z "$haveroute" ] && save_command "qt ip route del $address dev $interface"
+ else
+ [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
+ fi
 done < /var/lib/shorewall/proxyarp
 [ $COMMAND = generate ] || rm -f /var/lib/shorewall/proxyarp
@@ -3113,9 +3113,19 @@ delete_proxy_arp() {
 [ -d $STATEDIR ] && touch $STATEDIR/proxyarp
- [ $COMMAND = generate ] || for f in /proc/sys/net/ipv4/conf/*; do
- [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
- done
+ if [ $COMMAND = generate ]; then
+ cat >> $RESTOREBASE << __EOF__
+
+for f in /proc/sys/net/ipv4/conf/*; do
+ [ -f \$f/proxy_arp ] && echo 0 > \$f/proxy_arp
+done
+
+__EOF__
+ else
+ for f in /proc/sys/net/ipv4/conf/*; do
+ [ -f $f/proxy_arp ] && echo 0 > $f/proxy_arp
+ done
+ fi
 }
 #
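Review bot: The first delete_proxy_arp hunk still reads `/var/lib/shorewall/proxyarp` on the machine running the compiler and bakes each entry into the script as a literal `qt arp ... pub` / `qt ip route del` command, so with the new -e option the generated cleanup reflects the compile host's proxy ARP state rather than the target's; and because `rm -f /var/lib/shorewall/proxyarp` is still skipped when COMMAND is generate, the stale state file on the target is never removed either. The delete_nat hunk later in this commit already has the right shape — emit the read loop and the `rm -f` into $RESTOREBASE through a here-document so the file is read where the script runs — and the same should be done here. The generate branch also drops the NOROUTES test that the run-time branch keeps; if the compiled script honours that flag it belongs in the emitted loop rather than being omitted. delete_proxy_arp continues past this hunk.

```shell
delete_proxy_arp() {
    if [ $COMMAND = generate ]; then
        cat >> $RESTOREBASE << __EOF__

if [ -f /var/lib/shorewall/proxyarp ]; then
    while read address interface external haveroute; do
        qt arp -i \$external -d \$address pub
        [ -z "\$haveroute" ] && qt ip route del \$address dev \$interface
    done < /var/lib/shorewall/proxyarp

    rm -f /var/lib/shorewall/proxyarp
fi

__EOF__
    else
        # … unchanged: existing read loop with the NOROUTES check, then rm -f of the state file …
    fi
    # … unchanged: touch of $STATEDIR/proxyarp and the proxy_arp sysctl reset …
```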
@@ -3205,15 +3215,31 @@ delete_nat() {
 run_iptables -t nat -F
 run_iptables -t nat -X
- if [ -f /var/lib/shorewall/nat ]; then
- while read external interface; do
- qt ip addr del $external dev $interface
- done < /var/lib/shorewall/nat
+ if [ $COMMAND = generate ]; then
+ [ -d $STATEDIR ] && touch $STATEDIR/nat
- [ $COMMAND = generate ] || rm -f {/var/lib/shorewall}/nat
+ cat >> $RESTOREBASE << __EOF__
+
+if [ -f /var/lib/shorewall/nat ]; then
+ while read external interface; do
+ qt ip addr del \$external dev \$interface
+ done < /var/lib/shorewall/nat
+
+ rm -f {/var/lib/shorewall}/nat
+fi
+
+__EOF__
+ else
+ if [ -f /var/lib/shorewall/nat ]; then
+ while read external interface; do
+ qt ip addr del $external dev $interface
+ done < /var/lib/shorewall/nat
+
+ rm -f {/var/lib/shorewall}/nat
+ fi
+
+ [ -d $STATEDIR ] && touch $STATEDIR/nat
 fi
-
- [ -d $STATEDIR ] && touch $STATEDIR/nat
 }
 #
@@ -7285,6 +7311,7 @@ setup_masq()
 *.*.*|+*|!+*) ;;
 *)
+ [ -n "$EXPORT" ] && fatal_error "An interface name in the SUBNET column is not allowed with the -e option"
 networks=$(get_routed_networks $networks)
 [ -z "$networks" ] && fatal_error "Unable to determine the routes through interface \"$source\""
 networks="$networks"
@@ -7900,7 +7927,9 @@ initialize_netfilter () {
 process_routestopped -A
- [ -n "$DISABLE_IPV6" ] && disable_ipv6
+ if [ -n "$DISABLE_IPV6" ]; then
+ run_and_save_command disable_ipv6
+ fi
 [ $COMMAND = generate ] && save_progress_message "Enabling Loopback and DNS Lookups"
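Review bot: Both new `rm -f {/var/lib/shorewall}/nat` lines in delete_nat — the one inside the here-document and the one in the else branch — name a path that is not what it looks like: a single-element `{...}` is not a brace expansion in sh, so the literal file `{/var/lib/shorewall}/nat` is removed while the real state file `/var/lib/shorewall/nat` survives and its addresses are replayed on the next restart. The commit moves this line rather than introducing it, but it now also lands in every generated script; write `rm -f /var/lib/shorewall/nat` in both places. Separately, in the generate branch `[ -d $STATEDIR ] && touch $STATEDIR/nat` executes on the compile host, which under -e is not where the addresses are deleted; if STATEDIR there is the compile output tree that is intended, otherwise the touch belongs in the here-document. delete_nat starts before this hunk.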
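Review bot: `run_and_save_command disable_ipv6` in initialize_netfilter wraps a function that, as moved into functions by this commit, already calls `save_command` for each ip6tables line it executes; unless run_and_save_command skips execution when COMMAND is generate (not visible here), a generate will both run the ip6tables commands on the compile host and write the function call plus the seven individual commands into the script, so the target executes the lockdown twice. The duplication is harmless since the commands are idempotent, but under -e the side effect on the build machine is not. One of the two layers should own saving; for example `if [ $COMMAND = generate ]; then save_command disable_ipv6; else disable_ipv6; fi` here, with the inner save_command calls removed, or the reverse. initialize_netfilter continues outside the hunk.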
@@ -9771,6 +9800,8 @@ do_initialize() {
 ROUTE_FILTER=$(added_param_value_no ROUTE_FILTER $ROUTE_FILTER)
 LOG_MARTIANS=$(added_param_value_no LOG_MARTIANS $LOG_MARTIANS)
 DETECT_DNAT_IPADDRS=$(added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS)
+ [ -n "$DETECT_DNAT_IPADDRS" -a -n "$EXPORT" ] && \
+ startup_error "DETECT_DNAT_IPADDRS=Yes not allowed with the -e option"
 FORWARDPING=$(added_param_value_no FORWARDPING $FORWARDPING)
 [ -n "$FORWARDPING" ] && \
 startup_error "FORWARDPING=Yes is no longer supported"
diff --git a/Shorewall/functions b/Shorewall/functions
index d4663493d..66ce8c351 100755
--- a/Shorewall/functions
+++ b/Shorewall/functions
@@ -1108,4 +1108,25 @@ detect_gateway() # $1 = interface
 [ -n "$gateway" ] && echo $gateway
 }
+#
+# Disable IPV6
+#
+disable_ipv6() {
+ local foo="$(ip -f inet6 addr ls 2> /dev/null)"
+
+ if [ -n "$foo" ]; then
+ if qt mywhich ip6tables; then
+ ip6tables -P FORWARD DROP && save_command ip6tables -P FORWARD DROP
+ ip6tables -P INPUT DROP && save_command ip6tables -P INPUT DROP
+ ip6tables -P OUTPUT DROP && save_command ip6tables -P OUTPUT DROP
+ ip6tables -F && save_command ip6tables -F
+ ip6tables -X && save_command ip6tables -X
+ ip6tables -A OUTPUT -o lo -j ACCEPT && save_command ip6tables -A OUTPUT -o lo -j ACCEPT
+ ip6tables -A INPUT -i lo -j ACCEPT && save_command ip6tables -A INPUT -i lo -j ACCEPT
+ else
+ error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
+ fi
+ fi
+}
+
 SHOREWALL_LIBRARY=Loaded
diff --git a/Shorewall/help b/Shorewall/help
index 77f13e183..666cbe025 100755
--- a/Shorewall/help
+++ b/Shorewall/help
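Review bot: The disable_ipv6 added to functions still decides on `ip -f inet6 addr ls` and `qt mywhich ip6tables` of the machine executing it and runs each ip6tables command there before saving it, so when the compiler calls it under -e the IPv6 lockdown is applied to the build host, and whether anything is saved at all depends on that host's IPv6 configuration rather than the target's. It also dropped the `save_progress_message "Disabling IPV6..."` line the original firewall copy had, so the compiled script no longer reports the step, and the `ip6tables ... && save_command ...` form means a failing ip6tables command is neither saved nor reported. If this library is also sourced by the generated script at run time, `save_command` must be defined or a no-op there; that is not visible from this hunk and is worth confirming.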
@@ -88,11 +88,16 @@ clear)
 ;;
 compile)
- echo "compile: compile [ ]
+ echo "compile: compile [ -e ] [ ]
 Compiles the current configuration into the executable file
- /var/lib/shorewall/"
+ /var/lib/shorewall/
- 'generate' is a synonym for 'compile'.
+ When -e is specified, the compilation is being performed on a system
+ other than where the compiled script will run. This option disables
+ certain configuration options that require the script to be compiled
+ where it is to be run.
+
+ 'generate' is a synonym for 'compile'."
 ;;
 debug)
@@ -166,9 +171,14 @@ forget)
 generate)
 echo "generate: generate [ ]
 Compiles the current configuration into the executable file
- /var/lib/shorewall/"
+ /var/lib/shorewall/
- 'compile' is a synonym for 'generate'.
+ When -e is specified, the compilation is being performed on a system
+ other than where the compiled script will run. This option disables
+ certain configuration options that require the script to be compiled
+ where it is to be run.
+
+ 'compile' is a synonym for 'generate'."
 ;;
 help)
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 07eac8382..5068e6d73 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -39,11 +39,16 @@ New Features:
 1) A new 'shorewall generate' command has been added. - shorewall [ -q ] generate [ ]
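Review bot: The generate entry's synopsis was left behind: its text now documents `-e`, but the unchanged context line above still reads `echo "generate: generate [ ]` while the compile entry in the first hunk was changed to `compile [ -e ] [ ]`. Since the two commands are documented as synonyms, the generate synopsis should advertise the option too, keeping whatever filename placeholder the surrounding lines use: `echo "generate: generate [ -e ] [ ]`.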