Delete temporary nat chain used in capabilities detection.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
A better solution to Marcus Limosani's issue
2009-12-31 10:42:30 -08:00 · 2009-12-29 08:24:04 -08:00 · 2009-12-28 16:58:12 -08:00 · 2009-12-28 14:59:51 -08:00 · 2009-12-28 14:51:42 -08:00 · 2009-12-28 11:06:55 -08:00
132 changed files with 6527 additions and 3384 deletions
--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
@@ -10,10 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
-#
-# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
-#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs
--- a/Samples/one-interface/policy
+++ b/Samples/one-interface/policy
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 $FW		net		ACCEPT
--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -34,9 +34,9 @@ VERBOSITY=1

 LOGFILE=/var/log/messages

-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log

-LOG_VERBOSITY=
+LOG_VERBOSITY=2

 LOGFORMAT="Shorewall:%s:%s:"

@@ -191,6 +191,10 @@ AUTOMAKE=No

 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/one-interface/zones
+++ b/Samples/one-interface/zones
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
--- a/Samples/three-interfaces/interfaces
+++ b/Samples/three-interfaces/interfaces
@@ -10,10 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
-#
-# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
-#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians
--- a/Samples/three-interfaces/masq
+++ b/Samples/three-interfaces/masq
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Masq
-#
 ##############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\
--- a/Samples/three-interfaces/policy
+++ b/Samples/three-interfaces/policy
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST

--- a/Samples/three-interfaces/routestopped
+++ b/Samples/three-interfaces/routestopped
@@ -10,11 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
-#
-# See http://shorewall.net/Documentation.htm#Routestopped and
-# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
 ##############################################################################
 #INTERFACE	HOST(S)
 eth1		-
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Rules
-#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -34,9 +34,9 @@ VERBOSITY=1

 LOGFILE=/var/log/messages

-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log

-LOG_VERBOSITY=
+LOG_VERBOSITY=2

 LOGFORMAT="Shorewall:%s:%s:"

@@ -191,6 +191,10 @@ AUTOMAKE=No

 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/three-interfaces/zones
+++ b/Samples/three-interfaces/zones
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
--- a/Samples/two-interfaces/interfaces
+++ b/Samples/two-interfaces/interfaces
@@ -10,10 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
-#
-# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
-#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
--- a/Samples/two-interfaces/masq
+++ b/Samples/two-interfaces/masq
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Masq
-#
 ###############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\
--- a/Samples/two-interfaces/policy
+++ b/Samples/two-interfaces/policy
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST

--- a/Samples/two-interfaces/routestopped
+++ b/Samples/two-interfaces/routestopped
@@ -10,11 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
-#
-# See http://shorewall.net/Documentation.htm#Routestopped and
-# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
 ##############################################################################
 #INTERFACE	HOST(S)                  OPTIONS
 eth1		-
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Rules
-#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -41,9 +41,9 @@ SHOREWALL_COMPILER=

 LOGFILE=/var/log/messages

-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log

-LOG_VERBOSITY=
+LOG_VERBOSITY=2

 LOGFORMAT="Shorewall:%s:%s:"

@@ -198,6 +198,10 @@ AUTOMAKE=No

 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/two-interfaces/zones
+++ b/Samples/two-interfaces/zones
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -32,9 +32,9 @@ VERBOSITY=1

 LOGFILE=/var/log/messages

-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log

-LOG_VERBOSITY=
+LOG_VERBOSITY=2

 LOGFORMAT="Shorewall:%s:%s:"

@@ -139,6 +139,10 @@ AUTOMAKE=No

 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -32,9 +32,9 @@ VERBOSITY=1

 LOGFILE=/var/log/messages

-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log

-LOG_VERBOSITY=
+LOG_VERBOSITY=2

 LOGFORMAT="Shorewall:%s:%s:"

@@ -139,6 +139,10 @@ AUTOMAKE=No

 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -32,9 +32,9 @@ VERBOSITY=1

 LOGFILE=/var/log/messages

-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log

-LOG_VERBOSITY=
+LOG_VERBOSITY=2

 LOGFORMAT="Shorewall:%s:%s:"

@@ -139,6 +139,10 @@ AUTOMAKE=No

 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall-lite/default.debian
+++ b/Shorewall-lite/default.debian
@@ -21,4 +21,9 @@ startup=0

 OPTIONS=""

+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
 # EOF
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=4.4.1.2
+VERSION=4.4.5.5

 usage() # $1 = exit status
 {
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -15,9 +15,7 @@

 SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
-# Note, set INITLOG to /dev/null if you do not want to
-# keep logs of the firewall (not recommended)
-INITLOG=/var/log/shorewall-lite-init.log
+test -n ${INITLOG:=/var/log/shorewall-lite-init.log}

 [ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0

@@ -25,7 +23,7 @@ export SHOREWALL_INIT_SCRIPT

 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.1.2
+VERSION=4.4.5.5

 usage() # $1 = exit status
 {
@@ -220,6 +220,11 @@ mkdir -p ${PREFIX}/var/lib/shorewall-lite
 chmod 755 ${PREFIX}/etc/shorewall-lite
 chmod 755 ${PREFIX}/usr/share/shorewall-lite

+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
+fi
+
 #
 # Install the config file
 #
@@ -304,6 +309,12 @@ cd ..

 echo "Man Pages Installed"

+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall-lite
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall-lite"
+fi
+
+
 #
 # Create the version file
 #
--- a/Shorewall-lite/logrotate
+++ b/Shorewall-lite/logrotate
@@ -0,0 +1,5 @@
+/var/log/shorewall-init.log {
+  missingok
+  notifempty
+  create 0600 root root
+}
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -95,7 +95,7 @@ get_config() {

    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
 	LOGREAD="logread | tac"
-    elif [ -f $LOGFILE ]; then
+    elif [ -r $LOGFILE ]; then
 	LOGREAD="tac $LOGFILE"
    else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.1
-%define release 2
+%define version 4.4.5
+%define release 5

 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -79,6 +79,8 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall-lite
 %attr(0700,root,root) %dir /var/lib/shorewall-lite

+%attr(0644,root,root) /etc/logrotate.d/shorewall-lite
+
 %attr(0755,root,root) /sbin/shorewall-lite

 %attr(0644,root,root) /usr/share/shorewall-lite/version
@@ -98,10 +100,30 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-2
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-1
+* Mon Dec 28 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-5
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Sun Dec 20 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-2
+* Sat Dec 19 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-1
+* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
+* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.1.2
+VERSION=4.4.5.5

 usage() # $1 = exit status
 {
--- a/Shorewall/Macros/macro.template
+++ b/Shorewall/Macros/macro.template
@@ -269,7 +269,7 @@
 #                       an action. See 'man shorewall-rules'.
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in
-#			this colume:
+#			this column:
 #
 #				<rate>/<interval>[:<burst>]
 #
@@ -304,6 +304,100 @@
 #					#removed from Netfilter in kernel
 #					#version 2.6.14).
 #
+#	MARK		Specifies a MARK value to match. Must be empty or 
+#			'-' if the macro is to be used within an action.
+#			
+#				[!]value[/mask][:C]
+#
+#    			Defines a test on the existing packet or connection
+#			mark. The rule will match only if the test returns
+#			true.
+#
+#    			If you don't want to define a test but need to
+#			specify anything in the following columns,
+#			place a "-" in this field.
+#
+#    			!
+#
+#				Inverts the test (not equal)
+#
+#    			value
+#
+#				Value of the packet or connection mark.
+#
+#  			mask
+#
+#				A mask to be applied to the mark before
+#				testing.
+#
+#    			:C
+#
+#				Designates a connection mark. If omitted, the
+#				packet mark's value is tested.
+#
+#	CONNLIMIT	Must be empty or '-' if the macro is to be used within
+#			an action.
+#
+#				[!]limit[:mask]
+#
+#			May be used to limit the number of simultaneous
+#			connections from each individual host to limit 
+#			connections. Requires connlimit match in your kernel
+#			and iptables. While the limit is only checked on rules
+#			specifying CONNLIMIT, the number of current connections
+#			is calculated over all current connections from the
+#			SOURCE host. By default, the limit is applied to each
+#			host but can be made to apply to networks of hosts by
+#			specifying a mask. The mask specifies the width of a
+#			VLSM mask to be applied to the source address; the
+#			number of current connections is then taken over all
+#			hosts in the subnet source-address/mask. When ! is
+#			specified, the rule matches when the number of
+#			connection exceeds the limit.
+#
+#	TIME		Must be empty or '-' if the macro is to be used within
+#			an action.
+#
+#
+#				<timeelement>[&...]
+#
+#			timeelement may be:
+#
+#    				timestart=hh:mm[:ss]
+#
+#					Defines the starting time of day.
+#
+#    				timestop=hh:mm[:ss]
+#
+#					Defines the ending time of day.
+#
+#    				utc
+#
+#					Times are expressed in Greenwich Mean
+#					Time.
+#
+#    				localtz
+#
+#					Times are expressed in Local Civil Time
+#					(default).
+#
+#    				weekdays=ddd[,ddd]...
+#
+#					where ddd is one of Mon, Tue, Wed, Thu,
+#					Fri, Sat or Sun
+#
+#    				monthdays=dd[,dd],...
+#
+#					where dd is an ordinal day of the month#
+#
+#    				datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
+#
+#					Defines the starting date and time.
+#
+#    				datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
+#
+#					Defines the ending date and time.
+#
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -47,6 +47,7 @@ our @EXPORT = qw( merge_levels
 		  substitute_param
 		  merge_macro_source_dest
 		  merge_macro_column
+		  map_old_actions

 		  %usedactions
 		  %default_actions
@@ -56,7 +57,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_5';

 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -85,6 +86,8 @@ our %macros;

 our $family;

+our @builtins;
+
 #
 # Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
 #
@@ -111,6 +114,12 @@ sub initialize( $ ) {
    %actions         = ();
    %logactionchains = ();
    %macros          = ();
+
+    if ( $family == F_IPV4 ) {
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
+    } else {
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
+    }
 }

 #
@@ -204,7 +213,7 @@ sub merge_macro_source_dest( $$ ) {
    if ( $invocation ) {
 	if ( $body ) {
 	    return $body if $invocation eq '-';
-	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^~|^!~/;
+	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^!+|^~|^!~|~</;
 	    return "$invocation:$body";
 	}

@@ -264,6 +273,34 @@ sub add_requiredby ( $$ ) {
    $actions{$requires}{requires}{$requiredby} = 1;
 }

+#
+# Map pre-3.0 actions to the corresponding Macro invocation
+#
+
+sub find_old_action ( $$$ ) {
+    my ( $target, $macro, $param ) = @_;
+
+    if ( my $actiontype = find_macro( $macro ) ) {
+	( $macro, $actiontype , $param );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
+sub map_old_actions( $ ) {
+    my $target = shift;
+
+    if ( $target =~ /^Allow(.*)$/ ) {
+	find_old_action( $target, $1, 'ACCEPT' );
+    } elsif ( $target =~ /^Drop(.*)$/ ) {
+	find_old_action( $target, $1, 'DROP' );
+    } elsif ( $target = /^Reject(.*)$/ ) {
+	find_old_action( $target, $1, 'REJECT' );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
 #
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
@@ -302,7 +339,7 @@ sub createlogactionchain( $$ ) {

    fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;

-    unless ( $targets{$action} & STANDARD ) {
+    unless ( $targets{$action} & BUILTIN ) {

 	my $file = find_file $chain;

@@ -328,7 +365,7 @@ sub createsimpleactionchain( $ ) {

    $logactionchains{"$action:none"} = $chainref;

-    unless ( $targets{$action} & STANDARD ) {
+    unless ( $targets{$action} & BUILTIN ) {

 	my $file = find_file $action;

@@ -413,8 +450,9 @@ sub process_macro1 ( $$ ) {
 #
 # The functions process_actions1-3() implement the three phases of action processing.
 #
-# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
-# and ${CONFDIR}/actions are scanned (in that order) and for each action:
+# The first phase (process_actions1) occurs before the rules file is processed. The builtin-actions are added
+# to the target table (%Shorewall::Chains::targets) and actions table, then ${SHAREDIR}/actions.std and
+# ${CONFDIR}/actions are scanned (in that order). For each action:
 #
 #      a) The related action definition file is located and scanned.
 #      b) Forward and unresolved action references are trapped as errors.
@@ -476,10 +514,10 @@ sub process_action1 ( $$ ) {
 sub process_actions1() {

    progress_message2 "Preprocessing Action Files...";
-
-    for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
-	new_action $act;
-    }
+    #
+    # Add built-in actions to the target table and create those actions
+    #
+    $targets{$_} = ACTION + BUILTIN, new_action( $_ ) for @builtins;

    for my $file ( qw/actions.std actions/ ) {
 	open_file $file;
@@ -515,7 +553,7 @@ sub process_actions1() {

 	    while ( read_a_line ) {

-		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 1, 8, 'action file';
+		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users, $mark ) = split_line 1, 9, 'action file';

 		process_action1( $action, $wholetarget );

@@ -552,8 +590,8 @@ sub process_actions2 () {
 #
 # This function is called to process each rule generated from an action file.
 #
-sub process_action( $$$$$$$$$$ ) {
-    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
+sub process_action( $$$$$$$$$$$ ) {
+    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;

    my ( $action , $level ) = split_action $target;

@@ -571,7 +609,7 @@ sub process_action( $$$$$$$$$$ ) {

    expand_rule ( $chainref ,
 		  NO_RESTRICT ,
-		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user ,
+		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, 0xFF ) ,
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
@@ -584,8 +622,8 @@ sub process_action( $$$$$$$$$$ ) {
 #
 # Expand Macro in action files.
 #
-sub process_macro3( $$$$$$$$$$$ ) {
-    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
+sub process_macro3( $$$$$$$$$$$$ ) {
+    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;

    my $nocomment = no_comment;

@@ -601,12 +639,14 @@ sub process_macro3( $$$$$$$$$$$ ) {

    while ( read_a_line ) {

-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark );

 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
+	    $morigdest = '-';
+	    $mmark     = '-';
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark ) = split_line1 1, 10, 'macro file', $macro_commands;
 	}

 	if ( $mtarget eq 'COMMENT' ) {
@@ -620,8 +660,6 @@ sub process_macro3( $$$$$$$$$$$ ) {
 	    next;
 	}

-	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
-
 	if ( $mtarget =~ /^PARAM:?/ ) {
 	    fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
 	    $mtarget = substitute_param $param,  $mtarget;
@@ -662,8 +700,9 @@ sub process_macro3( $$$$$$$$$$$ ) {
 	$msports = merge_macro_column $msports, $sports;
 	$mrate   = merge_macro_column $mrate,   $rate;
 	$muser   = merge_macro_column $muser,   $user;
+	$mmark   = merge_macro_column $mmark,   $mark;

-	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser;
+	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $mark;
    }

    pop_open;
@@ -688,7 +727,7 @@ sub process_action3( $$$$$ ) {

    while ( read_a_line ) {

-	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line1 1, 8, 'action file';
+	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file';

 	if ( $target eq 'COMMENT' ) {
 	    process_comment;
@@ -712,9 +751,9 @@ sub process_action3( $$$$$ ) {
 	}

 	if ( $action2type == MACRO ) {
-	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
+	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark );
 	} else {
-	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
+	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark;
 	}
    }

--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -74,7 +74,6 @@ our %EXPORT_TAGS = (
 				       initialize_chain_table
 				       add_commands
 				       move_rules
-				       move_rules1
 				       insert_rule1
 				       purge_jump
 				       add_tunnel_rule
@@ -86,6 +85,7 @@ our %EXPORT_TAGS = (
 				       decr_cmd_level
 				       chain_base
 				       forward_chain
+				       rules_chain
 				       zone_forward_chain
 				       use_forward_chain
 				       input_chain
@@ -147,6 +147,7 @@ our %EXPORT_TAGS = (
 				       addnatjump
 				       set_chain_variables
 				       mark_firewall_not_started
+				       mark_firewall6_not_started
 				       get_interface_address
 				       get_interface_addresses
 				       get_interface_bcasts
@@ -166,7 +167,7 @@ our %EXPORT_TAGS = (

 Exporter::export_ok_tags('internal');

-our $VERSION = '4.4_1';
+our $VERSION = '4.4_5';

 #
 # Chain Table
@@ -247,6 +248,8 @@ use constant { NO_RESTRICT        => 0,   # FORWARD chain rule     - Both -i and
 our $iprangematch;
 our $chainseq;
 our $idiotcount;
+our $idiotcount1;
+our $warningcount;

 our $global_variables;

@@ -272,11 +275,11 @@ our %interfacegateways;     # Gateway of default route out of the interface
 our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);

 #
-# Mode of the generator.
+# Mode of the emitter.
 #
-use constant { NULL_MODE => 0 ,   # Generating neither shell commands nor iptables-restore input
-	       CAT_MODE  => 1 ,   # Generating iptables-restore input
-	       CMD_MODE  => 2 };  # Generating shell commands.
+use constant { NULL_MODE => 0 ,   # Emitting neither shell commands nor iptables-restore input
+	       CAT_MODE  => 1 ,   # Emitting iptables-restore input
+	       CMD_MODE  => 2 };  # Emitting shell commands.

 our $mode;

@@ -356,6 +359,8 @@ sub initialize( $ ) {

    $global_variables   = 0;
    $idiotcount         = 0;
+    $idiotcount1        = 0;
+    $warningcount       = 0;

 }

@@ -367,7 +372,7 @@ sub process_comment() {
 	( $comment = $currentline ) =~ s/^\s*COMMENT\s*//;
 	$comment =~ s/\s*$//;
    } else {
-	warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
+	warning_message "COMMENTs ignored -- require comment support in iptables/Netfilter" unless $warningcount++;
    }
 }

@@ -415,27 +420,22 @@ sub add_commands ( $$;@ ) {
    my $chainref    = shift @_;
    my $indentation = '    ' x $chainref->{cmdlevel};

-    for ( @_ ) {
-	push @{$chainref->{rules}}, join ('', $indentation , $_ );
-    }
+    push @{$chainref->{rules}}, join ('', $indentation , $_ ) for @_;

    $chainref->{referenced} = 1;
 }

 sub push_rule( $$ ) {
-    my ($chainref, $rule) = @_;
+    my $chainref = $_[0];
+    my $rule     = join( ' ',  '-A',  $chainref->{name} , $_[1]);

    $rule .= qq( -m comment --comment "$comment") if $comment;

    if ( $chainref->{cmdlevel} ) {
 	$rule =~ s/"/\\"/g; #Must preserve quotes in the rule
-	add_commands $chainref , qq(echo "-A $chainref->{name} $rule" >&3);
+	add_commands $chainref , qq(echo "$rule" >&3);
    } else {
-	#
-	# We omit the chain name for now -- this makes it easier to move rules from one
-	# chain to another
-	#
-	push @{$chainref->{rules}}, join( ' ', '-A' , $rule );
+	push @{$chainref->{rules}}, $rule;
 	$chainref->{referenced} = 1;
    }
 }
@@ -607,7 +607,7 @@ sub insert_rule1($$$)

    $rule .= "-m comment --comment \"$comment\"" if $comment;

-    splice( @{$chainref->{rules}}, $number, 0,  join( ' ', '-A', $rule ) );
+    splice( @{$chainref->{rules}}, $number, 0,  join( ' ', '-A', $chainref->{name}, $rule ) );

    $iprangematch = 0;

@@ -637,17 +637,19 @@ sub add_tunnel_rule( $$ ) {
 # forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to
 # a zone-oriented chain, hence this function.
 #
-# The source chain must not have any run-time code included in its rules.
-#
 sub move_rules( $$ ) {
    my ($chain1, $chain2 ) = @_;

    if ( $chain1->{referenced} ) {
-	my @rules = @{$chain1->{rules}};
+	my $name  = $chain1->{name};
+	#
+	# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
+	#
+	$name =~ s/\+/\\+/;

-	assert( /^-A/ ) for @rules;
+	( s/\-([AI]) $name /-$1 $chain2->{name} / ) for @{$chain1->{rules}};

-	splice @{$chain2->{rules}}, 0, 0, @rules;
+	splice @{$chain2->{rules}}, 0, 0, @{$chain1->{rules}};

 	$chain2->{referenced} = 1;
 	$chain1->{referenced} = 0;
@@ -655,29 +657,6 @@ sub move_rules( $$ ) {
    }
 }

-#
-# Like above except it returns 0 if it can't move the rules
-#
-sub move_rules1( $$ ) {
-    my ($chain1, $chain2 ) = @_;
-
-    if ( $chain1->{referenced} ) {
-	my @rules = @{$chain1->{rules}};
-
-	for ( @rules ) {
-	    return 0 unless /^-A/;
-	}
-
-	splice @{$chain2->{rules}}, 0, 0, @rules;
-
-	$chain2->{referenced} = 1;
-	$chain1->{referenced} = 0;
-	$chain1->{rules}      = [];
-    }
-
-    1;
-}
-
 #
 # Transform the passed interface name into a legal shell variable name.
 #
@@ -690,6 +669,13 @@ sub chain_base($) {
    $chain;
 }

+#
+# Name of canonical chain
+#
+sub rules_chain ($$) {
+    join "$config{ZONE2ZONE}", @_;
+}
+
 #
 # Forward Chain for an interface
 #
@@ -779,7 +765,7 @@ sub use_input_chain($) {
    #
    # Use the '<zone>2fw' chain if it is referenced.
    #
-    $chainref = $filter_table->{join( '' , $zone , '2' , firewall_zone )};
+    $chainref = $filter_table->{rules_chain( $zone, firewall_zone )};

    ! ( $chainref->{referenced} || $chainref->{is_policy} )
 }
@@ -823,7 +809,7 @@ sub use_output_chain($) {
    #
    # Use the 'fw2<zone>' chain if it is referenced.
    #
-    $chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )};
+    $chainref = $filter_table->{rules_chain( firewall_zone , $interfaceref->{zone} )};

    ! ( $chainref->{referenced} || $chainref->{is_policy} )
 }
@@ -833,7 +819,7 @@ sub use_output_chain($) {
 #
 sub masq_chain($)
 {
-     $_[0] . '_masq';
+    $_[0] . '_masq';
 }

 #
@@ -940,15 +926,17 @@ sub ensure_filter_chain( $$ )

    my $chainref = ensure_chain 'filter', $chain;

-    if ( $populate and ! $chainref->{referenced} ) {
-	if ( $section eq 'NEW' or $section eq 'DONE' ) {
-	    finish_chain_section $chainref , 'ESTABLISHED,RELATED';
-	} elsif ( $section eq 'RELATED' ) {
-	    finish_chain_section $chainref , 'ESTABLISHED';
+    unless ( $chainref->{referenced} ) {
+	if ( $populate ) {
+	    if ( $section eq 'NEW' or $section eq 'DONE' ) {
+		finish_chain_section $chainref , 'ESTABLISHED,RELATED';
+	    } elsif ( $section eq 'RELATED' ) {
+		finish_chain_section $chainref , 'ESTABLISHED';
+	    }
 	}
-    }

-    $chainref->{referenced} = 1;
+	$chainref->{referenced} = 1;
+    }

    $chainref;
 }
@@ -965,9 +953,25 @@ sub ensure_accounting_chain( $  )
    if ( $chainref ) {
 	fatal_error "Non-accounting chain ($chain) used in accounting rule" unless $chainref->{accounting};
    } else {
-	$chainref = new_chain 'filter' , $chain unless $chainref;
+	$chainref = new_chain 'filter' , $chain;
 	$chainref->{accounting} = 1;
 	$chainref->{referenced} = 1;
+
+	if ( $chain ne 'accounting' ) {
+	    my $file = find_file $chain;
+
+	    if ( -f $file ) {
+		progress_message "Processing $file...";
+
+		my ( $level, $tag ) = ( '', '' );
+
+		unless ( my $return = eval `cat $file` ) {
+		    fatal_error "Couldn't parse $file: $@" if $@;
+		    fatal_error "Couldn't do $file: $!"    unless defined $return;
+		    fatal_error "Couldn't run $file"       unless $return;
+		}
+	    }
+	}
    }

    $chainref;
@@ -1042,7 +1046,6 @@ sub ensure_manual_chain($) {
 # Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration.
 # The function also initializes the target table with the pre-defined targets available for the specfied address family.
 #
-#
 sub initialize_chain_table()
 {
    if ( $family == F_IPV4 ) {
@@ -1069,15 +1072,6 @@ sub initialize_chain_table()
 		    'QUEUE!'          => STANDARD,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
-		    'dropBcast'       => BUILTIN  + ACTION,
-		    'allowBcast'      => BUILTIN  + ACTION,
-		    'dropNotSyn'      => BUILTIN  + ACTION,
-		    'rejNotSyn'       => BUILTIN  + ACTION,
-		    'dropInvalid'     => BUILTIN  + ACTION,
-		    'allowInvalid'    => BUILTIN  + ACTION,
-		    'allowinUPnP'     => BUILTIN  + ACTION,
-		    'forwardUPnP'     => BUILTIN  + ACTION,
-		    'Limit'           => BUILTIN  + ACTION,
 		   );

 	for my $chain qw(OUTPUT PREROUTING) {
@@ -1119,12 +1113,6 @@ sub initialize_chain_table()
 		    'QUEUE!'          => STANDARD,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
-		    'dropBcast'       => BUILTIN  + ACTION,
-		    'allowBcast'      => BUILTIN  + ACTION,
-		    'dropNotSyn'      => BUILTIN  + ACTION,
-		    'rejNotSyn'       => BUILTIN  + ACTION,
-		    'dropInvalid'     => BUILTIN  + ACTION,
-		    'allowInvalid'    => BUILTIN  + ACTION,
 		   );

 	for my $chain qw(OUTPUT PREROUTING) {
@@ -1193,7 +1181,7 @@ sub finish_section ( $ ) {

    for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
+	    my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
 	    finish_chain_section $chainref, $sections if $chainref->{referenced};
 	}
    }
@@ -1220,12 +1208,12 @@ sub set_mss( $$$ ) {

    for my $z ( all_zones ) {
 	if ( $direction eq '_in' ) {
-	    set_mss1 "${zone}2${z}" , $mss;
+	    set_mss1 rules_chain( ${zone}, ${z} ) , $mss;
 	} elsif ( $direction eq '_out' ) {
-	    set_mss1 "${z}2${zone}", $mss;
+	    set_mss1 rules_chain( ${z}, ${zone} ) , $mss;
 	} else {
-	    set_mss1 "${z}2${zone}", $mss;
-	    set_mss1 "${zone}2${z}", $mss;
+	    set_mss1 rules_chain( ${z}, ${zone} ) , $mss;
+	    set_mss1 rules_chain( ${zone}, ${z} ) , $mss;
 	}
    }
 }
@@ -1551,12 +1539,14 @@ sub do_ratelimit( $$ ) {
 	require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';

 	my $limit = "-m hashlimit ";
+	my $match = $capabilities{OLD_HL_MATCH} ? 'hashlimit' : 'hashlimit-upto';
+
 	if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
-	    $limit .= "--hashlimit-upto $3 --hashlimit-burst $6 --hashlimit-name ";
+	    $limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
 	    $limit .= $2 ? $2 : 'shorewall';
 	    $limit .= ' --hashlimit-mode ';
 	} elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) {
-	    $limit .= "--hashlimit-upto $3 --hashlimit-name ";
+	    $limit .= "--$match $3 --hashlimit-name ";
 	    $limit .= $2 ? $2 : 'shorewall';
 	    $limit .= ' --hashlimit-mode ';
 	} else {
@@ -1743,6 +1733,7 @@ sub match_source_dev( $ ) {
    my $interface = shift;
    return '' if $interface eq '+';
    my $interfaceref =  known_interface( $interface );
+    $interface = $interfaceref->{physical} if $interfaceref;
    if ( $interfaceref && $interfaceref->{options}{port} ) {
 	"-i $interfaceref->{bridge} -m physdev --physdev-in $interface ";
    } else {
@@ -1757,6 +1748,7 @@ sub match_dest_dev( $ ) {
    my $interface = shift;
    return '' if $interface eq '+';
    my $interfaceref =  known_interface( $interface );
+    $interface = $interfaceref->{physical} if $interfaceref;
    if ( $interfaceref && $interfaceref->{options}{port} ) {
 	if ( $capabilities{PHYSDEV_BRIDGE} ) {
 	    "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface ";
@@ -2132,7 +2124,11 @@ sub set_chain_variables() {
 # Emit code that marks the firewall as not started.
 #
 sub mark_firewall_not_started() {
-    emit ( 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall' );
+    if ( $family == F_IPV4 ) {
+	emit ( 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall' );
+    } else {
+	emit ( 'qt1 $IPTABLES6 -L shorewall -n && qt1 $IPTABLES6 -F shorewall && qt1 $IPTABLES6 -X shorewall' );
+    }
 }

 ####################################################################################################################
@@ -2152,10 +2148,11 @@ sub interface_address( $ ) {
 # Record that the ruleset requires the first IP address on the passed interface
 #
 sub get_interface_address ( $ ) {
-    my ( $interface ) = $_[0];
+    my ( $logical ) = $_[0];

+    my $interface = get_physical( $logical );
    my $variable = interface_address( $interface );
-    my $function = interface_is_optional( $interface ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
+    my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';

    $global_variables |= ALL_COMMANDS;

@@ -2176,7 +2173,7 @@ sub interface_bcasts( $ ) {
 # Record that the ruleset requires the broadcast addresses on the passed interface
 #
 sub get_interface_bcasts ( $ ) {
-    my ( $interface ) = $_[0];
+    my ( $interface ) = get_physical $_[0];

    my $variable = interface_bcasts( $interface );

@@ -2199,7 +2196,7 @@ sub interface_acasts( $ ) {
 # Record that the ruleset requires the anycast addresses on the passed interface
 #
 sub get_interface_acasts ( $ ) {
-    my ( $interface ) = $_[0];
+    my ( $interface ) = get_physical $_[0];

    $global_variables |= NOT_RESTORE;

@@ -2222,15 +2219,16 @@ sub interface_gateway( $ ) {
 # Record that the ruleset requires the gateway address on the passed interface
 #
 sub get_interface_gateway ( $ ) {
-    my ( $interface ) = $_[0];
+    my ( $logical ) = $_[0];

+    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );

    my $routine = $config{USE_DEFAULT_RT} ? 'detect_dynamic_gateway' : 'detect_gateway';

    $global_variables |= ALL_COMMANDS;

-    if ( interface_is_optional $interface ) {
+    if ( interface_is_optional $logical ) {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n);
    } else {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
@@ -2253,13 +2251,14 @@ sub interface_addresses( $ ) {
 # Record that the ruleset requires the IP addresses on the passed interface
 #
 sub get_interface_addresses ( $ ) {
-    my ( $interface ) = $_[0];
+    my ( $logical ) = $_[0];

+    my $interface = get_physical( $logical );
    my $variable = interface_addresses( $interface );

    $global_variables |= NOT_RESTORE;

-    if ( interface_is_optional $interface ) {
+    if ( interface_is_optional $logical ) {
 	$interfaceaddrs{$interface} = qq($variable=\$(find_interface_addresses $interface)\n);
    } else {
 	$interfaceaddrs{$interface} = qq($variable=\$(find_interface_addresses $interface)
@@ -2282,13 +2281,14 @@ sub interface_nets( $ ) {
 # Record that the ruleset requires the networks routed out of the passed interface
 #
 sub get_interface_nets ( $ ) {
-    my ( $interface ) = $_[0];
+    my ( $logical ) = $_[0];

+    my $interface = get_physical( $logical );
    my $variable = interface_nets( $interface );

    $global_variables |= ALL_COMMANDS;

-    if ( interface_is_optional $interface ) {
+    if ( interface_is_optional $logical ) {
 	$interfacenets{$interface} = qq($variable=\$(get_routed_networks $interface)\n);
    } else {
 	$interfacenets{$interface} = qq($variable=\$(get_routed_networks $interface)
@@ -2312,13 +2312,14 @@ sub interface_mac( $$ ) {
 # Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number
 #
 sub get_interface_mac( $$$ ) {
-    my ( $ipaddr, $interface , $table ) = @_;
+    my ( $ipaddr, $logical , $table ) = @_;

+    my $interface = get_physical( $logical );
    my $variable = interface_mac( $interface , $table );

    $global_variables |= NOT_RESTORE;

-    if ( interface_is_optional $interface ) {
+    if ( interface_is_optional $logical ) {
 	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
    } else {
 	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
@@ -2481,7 +2482,12 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    # An interface in the SOURCE column of a masq file
 	    #
 	    fatal_error "Bridge ports may not appear in the SOURCE column of this file" if port_to_bridge( $iiface );
-	    warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
+
+	    if ( $chainref->{table} eq 'nat' ) {
+		warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
+	    } else {
+		warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount1++;
+	    }

 	    push_command $chainref, join( '', 'for source in ', get_interface_nets( $iiface) , '; do' ), 'done';

@@ -2745,10 +2751,8 @@ sub expand_rule( $$$$$$$$$$;$ )
 	add_rule( $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG';
    } else {
 	#
-	# No exclusions -- save original chain
+	# No exclusions
 	#
-	my $savechainref = $chainref;
-
 	for my $onet ( mysplit $onets ) {
 	    $onet = match_orig_dest $onet;
 	    for my $inet ( mysplit $inets ) {
@@ -2757,11 +2761,6 @@ sub expand_rule( $$$$$$$$$$;$ )
 		$source_match = match_source_net( $inet, $restriction ) if $capabilities{KLUDGEFREE};

 		for my $dnet ( mysplit $dnets ) {
-		    #
-		    # Restore original Chain
-		    #
-		    $chainref = $savechainref;
-
 		    $source_match  = match_source_net( $inet, $restriction ) unless $capabilities{KLUDGEFREE};
 		    my $dest_match = match_dest_net( $dnet );
 		    my $predicates = join( '', $rule, $source_match, $dest_match, $onet );
@@ -2782,7 +2781,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 				#
 				log_rule_limit(
 					       $loglevel ,
-					       $chainref = $logchainref ,
+					       $logchainref ,
 					       $chain ,
 					       $disposition ,
 					       '',
@@ -2790,7 +2789,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 					       'add',
 					       '' );

-				add_rule( $chainref, $exceptionrule . $target );
+				add_rule( $logchainref, $exceptionrule . $target );
 			    } else {
 				log_rule_limit(
 					       $loglevel ,
@@ -2839,14 +2838,15 @@ sub expand_rule( $$$$$$$$$$;$ )
 }

 #
-# The following code generates the input to iptables-restore
+# The following code generates the input to iptables-restore from the contents of the
+# @rules arrays in the chain table entries.
 #
 # We always write the iptables-restore input into a file then pass the
 # file to iptables-restore. That way, if things go wrong, the user (and Shorewall support)
 # has (have) something to look at to determine the error
 #
 # We may have to generate part of the input at run-time. The rules array in each chain
-# table entry may contain rules (begin with '-A') or shell source. We alternate between
+# table entry may contain both rules (begin with '-A') or shell source. We alternate between
 # writing the rules ('-A') into the temporary file to be passed to iptables-restore
 # (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
 #
@@ -2866,35 +2866,24 @@ sub enter_cmd_mode() {
 #
 # Emits the passed rule (input to iptables-restore) or command
 #
-sub emitr( $$ ) {
-    my ( $name, $rule ) = @_;
-
-    if ( $rule && substr( $rule, 0, 2 ) eq '-A' ) {
-	#
-	# A rule
-	#
-	enter_cat_mode unless $mode == CAT_MODE;
-	emit_unindented join( ' ', '-A', $name, substr( $rule, 3 ) );
-    } else {
-	#
-	# A command
-	#
-	enter_cmd_mode unless $mode == CMD_MODE;
-	emit $rule;
+sub emitr( $ ) {
+    if ( my $rule = $_[0] ) {
+	if ( substr( $rule, 0, 2 ) eq '-A' ) {
+	    #
+	    # A rule
+	    #
+	    enter_cat_mode unless $mode == CAT_MODE;
+	    emit_unindented $rule;
+	} else {
+	    #
+	    # A command
+	    #
+	    enter_cmd_mode unless $mode == CMD_MODE;
+	    emit $rule;
+	}
    }
 }

-#
-# Simple version that only handles rules
-#
-sub emitr1( $$ ) {
-    my ( $name, $rule ) = @_;
-
-    assert( substr( $rule, 0, 2 ) eq '-A' );
-
-    emit_unindented join( ' ', '-A', $name, substr( $rule, 3 ) );
-}
-
 #
 # Generate the netfilter input
 #
@@ -2968,7 +2957,7 @@ sub create_netfilter_load( $ ) {
 	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    emitr $chainref->{name}, $_ for ( grep defined $_, @{$chainref->{rules}} );
+	    emitr $_ for ( grep defined $_, @{$chainref->{rules}} );
 	}
 	#
 	# Commit the changes to the table
@@ -3077,7 +3066,7 @@ sub create_chainlist_reload($) {
 		#
 		# Emit the chain rules
 		#
-		emitr $chain, $_ for ( grep defined $_, @rules );
+		emitr $_ for ( grep defined $_, @rules );
 	    }
 	    #
 	    # Commit the changes to the table
@@ -3182,7 +3171,7 @@ sub create_stop_load( $ ) {
 	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    emitr1 $chainref->{name}, $_ for @{$chainref->{rules}};
+	    emit_unindented $_ for @{$chainref->{rules}};
 	}
 	#
 	# Commit the changes to the table
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_4';

 our $export;

@@ -90,14 +90,24 @@ sub generate_script_1() {
 	}
    }

+    my $lib = find_file 'lib.private';
+
+    if ( -f $lib ) {
+	emit <<'EOF';
+################################################################################
+# Functions imported from lib.private
+################################################################################
+EOF
+
+	copy1 $lib;
+	emit "\n";
+    }
+
    emit <<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
-    my $lib = find_file 'lib.private';
-
-    copy1 $lib, emit "\n" if -f $lib;

    for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ {
 	emit "\nrun_${exit}_exit() {";
@@ -129,7 +139,7 @@ EOF
 #    Generate the 'initialize()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the object file.
+#          than those related to writing to the output script file.

 sub generate_script_2() {

@@ -204,8 +214,7 @@ sub generate_script_2() {

    emit ( '[ -n "${COMMAND:=restart}" ]',
 	   '[ -n "${VERBOSE:=0}" ]',
-	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]),
-	   '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"' );
+	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) );

    emit ( qq(VERSION="$globals{VERSION}") ) unless $test;

@@ -230,14 +239,24 @@ sub generate_script_2() {
 	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
 	   );

+    pop_indent;
+
+    emit "\n}\n"; # End of initialize()
+
+    emit( '' ,
+	  '#' ,
+	  '# Set global variables holding detected IP information' ,
+	  '#' ,
+	  'detect_configuration()',
+	  '{' );
+
    my $global_variables = have_global_variables;

+    push_indent;
+
    if ( $global_variables ) {
-	emit( '' ,
-	      '#' ,
-	      '# Set global variables holding detected IP information' ,
-	      '#' ,
-	      'case $COMMAND in' );
+	
+	emit( 'case $COMMAND in' );

 	push_indent;

@@ -273,12 +292,14 @@ sub generate_script_2() {
 	pop_indent;

 	emit ( 'esac' ) ,
+    } else {
+	emit( 'true' ) unless handle_optional_interfaces;
    }

    pop_indent;

-    emit "\n}\n"; # End of initialize()
-
+    emit "\n}\n"; # End of detect_configuration()
+    
 }

 #
@@ -291,7 +312,7 @@ sub generate_script_2() {
 #    Generate the 'define_firewall()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the object file.
+#          than those related to writing to the output script file.
 #
 sub generate_script_3($) {

@@ -400,23 +421,10 @@ sub generate_script_3($) {
 	emit "disable_ipv6\n" if $config{DISABLE_IPV6};

    } else {
-	emit ( '#',
-	       '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
-	       '#',
-	       'qt1 $IP6TABLES -N foox1234',
-	       'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
-	       'result=$?',
-	       'qt1 $IP6TABLES -F foox1234',
-	       'qt1 $IP6TABLES -X foox1234',
-	       '[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"',
+	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', 
 	       '' );
-
-	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
-		   '',
-	       'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall',
-	       ''
-	     );
-
+	mark_firewall_not_started;
+	emit '';
    }

    emit qq(delete_tc1\n) if $config{CLEAR_TC};
@@ -438,6 +446,10 @@ sub generate_script_3($) {
    dump_zone_contents;
    emit_unindented '__EOF__';

+    emit 'cat > ${VARDIR}/policies << __EOF__';
+    save_policies;
+    emit_unindented '__EOF__';
+
    pop_indent;

    emit "fi\n";
@@ -524,8 +536,8 @@ EOF
 #
 sub compiler {

-    my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
-       ( '',          '',         -1,          '',          0,      '',       '',   -1 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1 );

    $export = 0;
    $test   = 0;
@@ -545,7 +557,8 @@ sub compiler {
 	defined($val) && ($val == F_IPV4 || $val == F_IPV6);
    }

-    my %parms = ( object        => { store => \$objectfile },
+    my %parms = ( object        => { store => \$scriptfilename },    #Deprecated
+		  script        => { store => \$scriptfilename },
 		  directory     => { store => \$directory  },
 		  family        => { store => \$family    ,    validate => \&validate_family    } ,
 		  verbosity     => { store => \$verbosity ,    validate => \&validate_verbosity } ,
@@ -589,8 +602,6 @@ sub compiler {
    #
    get_configuration( $export );

-    initialize_chain_table;
-
    report_capabilities;

    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
@@ -598,12 +609,17 @@ sub compiler {
    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{HIGH_ROUTE_MARKS};
    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};

-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	set_command( 'compile', 'Compiling', 'Compiled' );
-	create_temp_object( $objectfile , $export );
+	create_temp_script( $scriptfilename , $export );
    } else {
 	set_command( 'check', 'Checking', 'Checked' );
    }
+    #
+    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
+    # shorewall.conf has been processed and the capabilities have been determined.
+    #
+    initialize_chain_table;

    #
    # Allow user to load Perl modules
@@ -641,11 +657,11 @@ sub compiler {
    #
    setup_notrack;

-    enable_object;
+    enable_script;

-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	#
-	# Place Header in the object
+	# Place Header in the script
 	#
 	generate_script_1;
 	#
@@ -679,24 +695,24 @@ sub compiler {
    #
    setup_proxy_arp;
    #
-    # Handle MSS setings in the zones file
+    # Handle MSS settings in the zones file
    #
    setup_zone_mss;

-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	emit 'return 0';
 	pop_indent;
 	emit '}';
    }

-    disable_object;
+    disable_script;
    #
    #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
    #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
    #
-    enable_object;
+    enable_script;

-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
@@ -714,12 +730,12 @@ sub compiler {
    #
    setup_tc;

-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	pop_indent;
 	emit "}\n";
    }

-    disable_object;
+    disable_script;
    #
    #                                       N E T F I L T E R
    #       (Produces no output to the compiled script -- rules are stored in the chain table)
@@ -775,16 +791,16 @@ sub compiler {
    #
    setup_accounting;

-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	#
 	# Generate the zone by zone matrix
 	#
 	generate_matrix;

-	enable_object;
+	enable_script;
 	#
-	#                                    I N I T I A L I Z E
-	#                  (Writes the initialize() function to the compiled script)
+	#                             I N I T I A L I Z E
+	#           (Writes the initialize() function to the compiled script)
 	#
 	generate_script_2;
 	#
@@ -792,22 +808,19 @@ sub compiler {
 	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
-    } else {
-	enable_object;
-    }
-    #                               S T O P _ F I R E W A L L
-    #             (Writes the stop_firewall() function to the compiled script)
-    #
-    # We must reinitialize Shorewall::Chains before generating the iptables-restore input
-    # for stopping the firewall
-    #
-    Shorewall::Chains::initialize( $family );
-    initialize_chain_table;
-    compile_stop_firewall( $test );
-    
-    if ( $objectfile ) {
 	#
-	# Copy the footer to the object
+	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
+	# for stopping the firewall
+	#
+	Shorewall::Chains::initialize( $family );
+	initialize_chain_table;
+	#
+	#                           S T O P _ F I R E W A L L
+	#         (Writes the stop_firewall() function to the compiled script)
+	#
+	compile_stop_firewall( $test );
+	#
+	# Copy the footer to the script
 	#
 	unless ( $test ) {
 	    if ( $family == F_IPV4 ) {
@@ -817,16 +830,28 @@ sub compiler {
 	    }
 	}

-	disable_object;
+	disable_script;
 	#
-	# Close, rename and secure the object
+	# Close, rename and secure the script
 	#
-	finalize_object ( $export );
+	finalize_script ( $export );
 	#
 	# And generate the auxilary config file
 	#
-	enable_object, generate_aux_config if $export;
+	enable_script, generate_aux_config if $export;
    } else {
+	#
+	# Re-initialize the chain table so that process_routestopped() has the same
+	# environment that it would when called by compile_stop_firewall().
+	#
+	Shorewall::Chains::initialize( $family );
+	initialize_chain_table;
+	#
+	# compile_stop_firewall() also validates the routestopped file. Since we don't
+	# call that function during 'check', we must validate routestopped here.
+	#
+	process_routestopped;
+
 	if ( $family == F_IPV4 ) {
 	    progress_message3 "Shorewall configuration verified";
 	} else {
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -24,7 +24,7 @@
 #   It also exports functions for generating warning and error messages.
 #   The get_configuration function parses the shorewall.conf, capabilities and
 #   modules files during compiler startup. The module also provides the basic
-#   output file services such as creation of temporary 'object' files, writing
+#   output file services such as creation of temporary 'script' files, writing
 #   into those files (emitters) and finalizing those files (renaming
 #   them to their final name and setting their mode appropriately).
 #
@@ -54,10 +54,10 @@ our @EXPORT = qw(

 our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall);

-our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
-				       finalize_object
-				       enable_object
-				       disable_object
+our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
+				       finalize_script
+				       enable_script
+				       disable_script
 		                       numeric_value
 		                       numeric_value1
 		                       hex_value
@@ -127,7 +127,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object

 Exporter::export_ok_tags('internal');

-our $VERSION = '4.4_1';
+our $VERSION = '4.4_5';

 #
 # describe the current command, it's present progressive, and it's completion.
@@ -146,13 +146,13 @@ our ( $log, $log_verbosity );
 #
 our $timestamp;
 #
-# Object file handle
+# Script (output) file handle
 #
-our $object;
+our $script;
 #
-# When 'true', writes to the object are enabled. Used to catch code emission between functions
+# When 'true', writes to the script are enabled. Used to catch code emission between functions
 #
-our $object_enabled;
+our $script_enabled;
 #
 # True, if last line emitted is blank
 #
@@ -170,7 +170,7 @@ our $indent2;
 #
 our $indent;
 #
-# Object's Directory and File
+# Script's Directory and File
 #
 our ( $dir, $file );
 #
@@ -186,10 +186,9 @@ our %globals;
 #
 our %config;
 #
-# Config options and global settings that are to be copied to object script
+# Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /;
-our @propagateenv    = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX SUBSYSLOCK /;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -242,7 +241,9 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 LOGMARK_TARGET  => 'LOGMARK Target',
 		 IPMARK_TARGET   => 'IPMARK Target',
 		 PERSISTENT_SNAT => 'Persistent SNAT',
+		 OLD_HL_MATCH    => 'Old Hash Limit Match',
 		 CAPVERSION      => 'Capability Version',
+		 KERNELVERSION   => 'Kernel Version',
 	       );
 #
 # Directories to search for configuration files
@@ -261,8 +262,8 @@ our $currentline;             # Current config file line image
 our $currentfile;             # File handle reference
 our $currentfilename;         # File NAME
 our $currentlinenumber;       # Line number
-our $scriptfile;              # File Handle Reference to current temporary file being written by an in-line Perl script
-our $scriptfilename;          # Name of that file.
+our $perlscript;              # File Handle Reference to current temporary file being written by an in-line Perl script
+our $perlscriptname;          # Name of that file.
 our @tempfiles;               # Files that need unlinking at END
 our $first_entry;             # Message to output or function to call on first non-blank line of a file

@@ -307,13 +308,13 @@ sub initialize( $ ) {
    $log = undef;              # File reference for log file
    $log_verbosity = -1;       # Verbosity of log.
    $timestamp = '';           # If true, we are to timestamp each progress message
-    $object = 0;               # Object (script) file Handle Reference
-    $object_enabled = 0;       # Object (script) file Handle Reference
+    $script = 0;               # Script (output) file Handle Reference
+    $script_enabled = 0;       # Writing to output file is disabled initially
    $lastlineblank = 0;        # Avoid extra blank lines in the output
    $indent1       = '';       # Current indentation tabs
    $indent2       = '';       # Current indentation spaces
    $indent        = '';       # Current total indentation
-    ( $dir, $file ) = ('',''); # Object's Directory and File
+    ( $dir, $file ) = ('',''); # Script's Directory and Filename
    $tempfile = '';            # Temporary File Name

    #
@@ -327,8 +328,8 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.1.2",
-		    CAPVERSION => 40401 ,
+		    VERSION => "4.4.5.5",
+		    CAPVERSION => 40406 ,
 		  );

    #
@@ -439,6 +440,8 @@ sub initialize( $ ) {
 	      FAST_STOP => undef ,
 	      AUTOMAKE => undef ,
 	      WIDE_TC_MARKS => undef,
+	      TRACK_PROVIDERS => undef,
+	      ZONE2ZONE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -545,6 +548,8 @@ sub initialize( $ ) {
 	      MANGLE_ENABLED => undef ,
 	      AUTOMAKE => undef ,
 	      WIDE_TC_MARKS => undef,
+	      TRACK_PROVIDERS => undef,
+	      ZONE2ZONE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -566,7 +571,7 @@ sub initialize( $ ) {
 			 NONE    => '',
 			 NFLOG   => 'NFLOG',
 		         LOGMARK => 'LOGMARK' );
-	}
+    }
    #
    # From parsing the capabilities file
    #
@@ -614,7 +619,9 @@ sub initialize( $ ) {
 	       IPMARK_TARGET => undef,
 	       LOG_TARGET => 1,         # Assume that we have it.
 	       PERSISTENT_SNAT => undef,
+	       OLD_HL_MATCH => undef,
 	       CAPVERSION => undef,
+	       KERNELVERSION => undef,
 	       );
    #
    # Directories to search for configuration files
@@ -683,14 +690,14 @@ sub cleanup() {
    #
    # Close files first in case we're running under Cygwin
    #
-    close  $object, $object = undef         if $object;
-    close  $scriptfile, $scriptfile = undef if $scriptfile;
+    close  $script, $script = undef         if $script;
+    close  $perlscript, $perlscript = undef if $perlscript;
    close  $log, $log = undef               if $log;
    #
    # Unlink temporary files
    #
    unlink ( $tempfile ), $tempfile = undef             if $tempfile;
-    unlink ( $scriptfilename ), $scriptfilename = undef if $scriptfilename;
+    unlink ( $perlscriptname ), $perlscriptname = undef if $perlscriptname;
    unlink ( @tempfiles ), @tempfiles = ()              if @tempfiles;
 }

@@ -813,14 +820,14 @@ sub in_hexp( $ ) {
 }

 #
-# Write the arguments to the object file (if any) with the current indentation.
+# Write the arguments to the script file (if any) with the current indentation.
 #
 # Replaces leading spaces with tabs as appropriate and suppresses consecutive blank lines.
 #
 sub emit {
-    assert( $object_enabled );
+    assert( $script_enabled );

-    if ( $object ) {
+    if ( $script ) {
 	#
 	# 'compile' as opposed to 'check'
 	#
@@ -830,10 +837,10 @@ sub emit {
 		$line =~ s/^\n// if $lastlineblank;
 		$line =~ s/^/$indent/gm if $indent;
 		$line =~ s/        /\t/gm;
-		print $object "$line\n";
+		print $script "$line\n";
 		$lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
 	    } else {
-		print $object "\n" unless $lastlineblank;
+		print $script "\n" unless $lastlineblank;
 		$lastlineblank = 1;
 	    }
 	}
@@ -841,26 +848,26 @@ sub emit {
 }

 #
-# Write passed message to the object with newline but no indentation.
+# Write passed message to the script with newline but no indentation.
 #
 sub emit_unindented( $ ) {
-    assert( $object_enabled );
+    assert( $script_enabled );

-    print $object "$_[0]\n" if $object;
+    print $script "$_[0]\n" if $script;
 }

 #
 # Write a progress_message2 command with surrounding blank lines to the output file.
 #
 sub save_progress_message( $ ) {
-    emit "\nprogress_message2 @_\n" if $object;
+    emit "\nprogress_message2 @_\n" if $script;
 }

 #
 # Write a progress_message command to the output file.
 #
 sub save_progress_message_short( $ ) {
-    emit "progress_message $_[0]" if $object;
+    emit "progress_message $_[0]" if $script;
 }

 #
@@ -1034,12 +1041,12 @@ sub pop_indent() {
 }

 #
-# Functions for copying files into the object
+# Functions for copying files into the script
 #
 sub copy( $ ) {
-    assert( $object_enabled );
+    assert( $script_enabled );

-    if ( $object ) {
+    if ( $script ) {
 	my $file = $_[0];

 	open IF , $file or fatal_error "Unable to open $file: $!";
@@ -1047,7 +1054,7 @@ sub copy( $ ) {
 	while ( <IF> ) {
 	    chomp;
 	    if ( /^\s*$/ ) {
-		print $object "\n" unless $lastlineblank;
+		print $script "\n" unless $lastlineblank;
 		$lastlineblank = 1;
 	    } else {
 		if  ( $indent ) {
@@ -1055,8 +1062,8 @@ sub copy( $ ) {
 		    s/        /\t/ if $indent2;
 		}

-		print $object $_;
-		print $object "\n";
+		print $script $_;
+		print $script "\n";
 		$lastlineblank = 0;
 	    }
 	}
@@ -1069,11 +1076,11 @@ sub copy( $ ) {
 # This one handles line continuation and 'here documents'

 sub copy1( $ ) {
-    assert( $object_enabled );
+    assert( $script_enabled );

    my $result = 0;

-    if ( $object ) {
+    if ( $script ) {
 	my $file = $_[0];

 	open IF , $file or fatal_error "Unable to open $file: $!";
@@ -1084,8 +1091,8 @@ sub copy1( $ ) {
 	    chomp;

 	    if ( /^${here_documents}\s*$/ ) {
-		print $object $here_documents if $here_documents;
-		print $object "\n";
+		print $script $here_documents if $here_documents;
+		print $script "\n";
 		$do_indent = 1;
 		$here_documents = '';
 		next;
@@ -1096,8 +1103,8 @@ sub copy1( $ ) {
 		s/^(\s*)/$indent1$1$indent2/;
 		s/        /\t/ if $indent2;
 		$do_indent = 0;
-		print $object $_;
-		print $object "\n";
+		print $script $_;
+		print $script "\n";
 		$result = 1;
 		next;
 	    }
@@ -1107,8 +1114,8 @@ sub copy1( $ ) {
 		s/        /\t/ if $indent2;
 	    }

-	    print $object $_;
-	    print $object "\n";
+	    print $script $_;
+	    print $script "\n";
 	    $do_indent = ! ( $here_documents || /\\$/ );

 	    $result = 1 unless $result || /^\s*$/ || /^\s*#/;
@@ -1123,23 +1130,23 @@ sub copy1( $ ) {
 }

 #
-# Create the temporary object file -- the passed file name is the name of the final file.
+# Create the temporary script file -- the passed file name is the name of the final file.
 # We create a temporary file in the same directory so that we can use rename to finalize it.
 #
-sub create_temp_object( $$ ) {
-    my ( $objectfile, $export ) = @_;
+sub create_temp_script( $$ ) {
+    my ( $scriptfile, $export ) = @_;
    my $suffix;

-    if ( $objectfile eq '-' ) {
+    if ( $scriptfile eq '-' ) {
 	$verbosity = -1;
-	$object = undef;
-	open( $object, '>&STDOUT' ) or fatal_error "Open of STDOUT failed";
+	$script = undef;
+	open( $script, '>&STDOUT' ) or fatal_error "Open of STDOUT failed";
 	$file = '-';
 	return 1;
    }

    eval {
-	( $file, $dir, $suffix ) = fileparse( $objectfile );
+	( $file, $dir, $suffix ) = fileparse( $scriptfile );
    };

    cleanup, die if $@;
@@ -1147,14 +1154,14 @@ sub create_temp_object( $$ ) {
    fatal_error "$dir is a Symbolic Link"        if -l $dir;
    fatal_error "Directory $dir does not exist"  unless -d _;
    fatal_error "Directory $dir is not writable" unless -w _;
-    fatal_error "$objectfile is a Symbolic Link" if -l $objectfile;
-    fatal_error "$objectfile is a Directory"     if -d _;
-    fatal_error "$objectfile exists and is not a compiled script" if -e _ && ! -x _;
+    fatal_error "$scriptfile is a Symbolic Link" if -l $scriptfile;
+    fatal_error "$scriptfile is a Directory"     if -d _;
+    fatal_error "$scriptfile exists and is not a compiled script" if -e _ && ! -x _;
    fatal_error "An exported \u$globals{PRODUCT} compiled script may not be named '$globals{PRODUCT}'" if $export && "$file" eq $globals{PRODUCT} && $suffix eq '';

    eval {
 	$dir = abs_path $dir unless $dir =~ m|^/|; # Work around http://rt.cpan.org/Public/Bug/Display.html?id=13851
-	( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
+	( $script, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
    };

    fatal_error "Unable to create temporary file in directory $dir" if $@;
@@ -1166,12 +1173,12 @@ sub create_temp_object( $$ ) {
 }

 #
-# Finalize the object file
+# Finalize the script file
 #
-sub finalize_object( $ ) {
+sub finalize_script( $ ) {
    my $export = $_[0];
-    close $object;
-    $object = 0;
+    close $script;
+    $script = 0;

    if ( $file ne '-' ) {
 	rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
@@ -1185,7 +1192,7 @@ sub finalize_object( $ ) {
 #
 sub create_temp_aux_config() {
    eval {
-	( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
+	( $script, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
    };

    cleanup, die if $@;
@@ -1195,24 +1202,24 @@ sub create_temp_aux_config() {
 # Finalize the aux config file.
 #
 sub finalize_aux_config() {
-    close $object;
-    $object = 0;
+    close $script;
+    $script = 0;
    rename $tempfile, "$file.conf" or fatal_error "Cannot Rename $tempfile to $file.conf: $!";
    progress_message3 "Shorewall configuration compiled to $file";
 }

 #
-# Enable writes to the object file
+# Enable writes to the script file
 #
-sub enable_object() {
-    $object_enabled = 1;
+sub enable_script() {
+    $script_enabled = 1;
 }

 #
-# Disable writes to the object file
+# Disable writes to the script file
 #
-sub disable_object() {
-    $object_enabled = 0;
+sub disable_script() {
+    $script_enabled = 0;
 }

 #
@@ -1429,19 +1436,19 @@ sub pop_open() {
 # processed as regular file input.
 #
 sub shorewall {
-    unless ( $scriptfile ) {
+    unless ( $perlscript ) {
 	fatal_error "shorewall() may not be called in this context" unless $currentfile;

 	$dir ||= '/tmp/';

 	eval {
-	    ( $scriptfile, $scriptfilename ) = tempfile ( 'scriptfileXXXX' , DIR => $dir );
+	    ( $perlscript, $perlscriptname ) = tempfile ( 'perlscriptXXXX' , DIR => $dir );
 	};

 	fatal_error "Unable to create temporary file in directory $dir" if $@;
    }

-    print $scriptfile "@_\n";
+    print $perlscript "@_\n";
 }

 #
@@ -1543,21 +1550,21 @@ sub embedded_perl( $ ) {
 	fatal_error "Perl Script Returned False";
    }

-    if ( $scriptfile ) {
+    if ( $perlscript ) {
 	fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;

-	close $scriptfile or assert(0);
+	close $perlscript or assert(0);

-	$scriptfile = undef;
+	$perlscript = undef;

 	push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
 	$currentfile = undef;

-	open $currentfile, '<', $scriptfilename or fatal_error "Unable to open Perl Script $scriptfilename";
+	open $currentfile, '<', $perlscriptname or fatal_error "Unable to open Perl Script $perlscriptname";

-	push @tempfiles, $scriptfilename unless unlink $scriptfilename; #unlink fails on Cygwin
+	push @tempfiles, $perlscriptname unless unlink $perlscriptname; #unlink fails on Cygwin

-	$scriptfilename = '';
+	$perlscriptname = '';

 	$currentfilename = "PERL\@$currentfilename:$linenumber";
 	$currentline = '';
@@ -1592,11 +1599,16 @@ sub read_a_line() {
 	    #
 	    s/^\s*// if $currentline =~ /[,:]$/;
 	    #
+	    # If this isn't a continued line, remove trailing comments. Note that
+	    # the result may now end in '\'.
+	    #
+	    s/\s*#.*$// unless /\\$/;
+	    #
 	    # Continuation
 	    #
 	    chop $currentline, next if substr( ( $currentline .= $_ ), -1, 1 ) eq '\\';
 	    #
-	    # Remove Trailing Comments -- result might be a blank line
+	    # Now remove concatinated comments
 	    #
 	    $currentline =~ s/#.*$//;
 	    #
@@ -1834,8 +1846,8 @@ sub check_trivalue( $$ ) {
 sub report_capability( $ ) {
    my $cap = $_[0];
    print "   $capdesc{$cap}: ";
-    if ( $cap eq 'CAPVERSION' ) {
-	my $version = $capabilities{CAPVERSION};
+    if ( $cap eq 'CAPVERSION' || $cap eq 'KERNELVERSION') {
+	my $version = $capabilities{$cap};
 	printf "%d.%d.%d\n", int( $version / 10000 ) , int ( ( $version % 10000 ) / 100 ) , int ( $version % 100 );
    } else {
 	print $capabilities{$cap} ? "Available\n" : "Not Available\n";
@@ -1898,7 +1910,7 @@ sub load_kernel_modules( ) {

 	close LSMOD;

-	$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULES_SUFFIX};
+	$config{MODULE_SUFFIX} = 'o gz ko o.gz ko.gz' unless $config{MODULE_SUFFIX};

 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};

@@ -1937,6 +1949,19 @@ sub qt1( $ ) {
    $? == 0;
 }

+#
+# Get the current kernel version
+#
+sub determine_kernelversion() {
+    my $kernelversion=`uname -r`;
+
+    if ( $kernelversion =~ /^(\d+)\.(\d+).(\d+)/ ) {
+	$capabilities{KERNELVERSION} = sprintf "%d%02d%02d", $1 , $2 , $3;
+    } else {
+	fatal_error "Inrecognized Kernel Version Format ($kernelversion)";
+    }
+}
+
 #
 # Determine which optional facilities are supported by iptables/netfilter
 #
@@ -1952,8 +1977,8 @@ sub determine_capabilities( $ ) {
    if ( $capabilities{NAT_ENABLED} ) {
 	if ( qt1( "$iptables -t nat -N $sillyname" ) ) {
 	    $capabilities{PERSISTENT_SNAT} = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" );
-	    qt1( "$iptables -t NAT -F $sillyname" );
-	    qt1( "$iptables -t NAT -X $sillyname" );
+	    qt1( "$iptables -t nat -F $sillyname" );
+	    qt1( "$iptables -t nat -X $sillyname" );
 	}
    }

@@ -2019,9 +2044,24 @@ sub determine_capabilities( $ ) {
    $capabilities{IPP2P_MATCH}     = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" );
    $capabilities{OLD_IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ) if $capabilities{IPP2P_MATCH};
    $capabilities{LENGTH_MATCH}    = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
-    $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
+    
+    if ( $family == F_IPV6 ) {
+	$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-adm-prohibited" );
+    } else {
+	$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" );
+    }
+
    $capabilities{COMMENTS}        = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );

+    $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
+
+    if ( $capabilities{HASHLIMIT_MATCH} ) {
+	$capabilities{OLD_HL_MATCH} = '';
+    } else {
+	$capabilities{OLD_HL_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
+	$capabilities{HASHLIMIT_MATCH} = $capabilities{OLD_HL_MATCH};
+    }
+
    if  ( $capabilities{MANGLE_ENABLED} ) {
 	qt1( "$iptables -t mangle -N $sillyname" );

@@ -2066,7 +2106,6 @@ sub determine_capabilities( $ ) {
    $capabilities{USEPKTTYPE}      = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
    $capabilities{ADDRTYPE}        = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
    $capabilities{TCPMSS_MATCH}    = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
-    $capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" );
    $capabilities{NFQUEUE_TARGET}  = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
    $capabilities{REALM_MATCH}     = qt1( "$iptables -A $sillyname -m realm --realm 1" );
    $capabilities{HELPER_MATCH}    = qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
@@ -2082,6 +2121,8 @@ sub determine_capabilities( $ ) {
    qt1( "$iptables -X $sillyname1" );

    $capabilities{CAPVERSION} = $globals{CAPVERSION};
+
+    determine_kernelversion;
 }

 #
@@ -2197,6 +2238,11 @@ sub read_capabilities() {
    } else {
 	warning_message "Your capabilities file may not contain all of the capabilities defined by $Product version $globals{VERSION}";
    }
+
+    unless ( $capabilities{KERNELVERSION} ) {
+	warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30";
+	$capabilities{KERNELVERSION} = 20630;
+    }
 }

 #
@@ -2246,6 +2292,14 @@ sub unsupported_yes_no( $ ) {
    fatal_error "$option=Yes is not supported by Shorewall $globals{VERSION}" if $config{$option};
 }

+sub unsupported_yes_no_warning( $ ) {
+    my $option = shift;
+
+    default_yes_no $option, '';
+
+    warning_message "$option=Yes is not supported by Shorewall $globals{VERSION}" if $config{$option};
+}
+
 #
 # - Read the shorewall.conf file
 # - Read the capabilities file, if any
@@ -2296,7 +2350,28 @@ sub get_configuration( $ ) {
    }

    check_trivalue ( 'IP_FORWARDING', 'on' );
-    check_trivalue ( 'ROUTE_FILTER',  '' );    fatal_error "ROUTE_FILTER=On is not supported in IPv6" if $config{ROUTE_FILTER} eq 'on' && $family == F_IPV6;
+    
+    my $val;
+
+    if ( $capabilities{KERNELVERSION} < 20631 ) {
+	check_trivalue ( 'ROUTE_FILTER',  '' );
+    } else {
+	$val = $config{ROUTE_FILTER};
+	if ( defined $val ) {
+	    if ( $val =~ /\d+/ ) {
+		fatal_error "Invalid value ($val) for ROUTE_FILTER" unless $val < 3;
+	    } else {
+		check_trivalue( 'ROUTE_FILTER', '' );
+	    }
+	} else {
+	    check_trivalue( 'ROUTE_FILTER' , '' );
+	}
+    }
+
+    if ( $family == F_IPV6 ) {
+	$val = $config{ROUTE_FILTER};	
+	fatal_error "ROUTE_FILTER=$val is not supported in IPv6" unless $val eq 'off' || $val eq '';
+    }

    if ( $family == F_IPV4 ) {
 	check_trivalue ( 'LOG_MARTIANS',  'on' );
@@ -2345,14 +2420,14 @@ sub get_configuration( $ ) {
    default_yes_no 'BLACKLISTNEWONLY'           , '';
    default_yes_no 'DISABLE_IPV6'               , '';

-    unsupported_yes_no 'DYNAMIC_ZONES';
-    unsupported_yes_no 'BRIDGING';
-    unsupported_yes_no 'SAVE_IPSETS';
-    unsupported_yes_no 'MAPOLDACTIONS';
-    unsupported_yes_no 'RFC1918_STRICT';
+    unsupported_yes_no_warning 'DYNAMIC_ZONES';
+    unsupported_yes_no         'BRIDGING';
+    unsupported_yes_no_warning 'SAVE_IPSETS';
+    unsupported_yes_no_warning 'RFC1918_STRICT';

    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
+    default_yes_no 'MAPOLDACTIONS'              , 'Yes';

    warning_message 'DELAYBLACKLISTLOAD=Yes is not supported by Shorewall ' . $globals{VERSION} if $config{DELAYBLACKLISTLOAD};

@@ -2382,10 +2457,17 @@ sub get_configuration( $ ) {
    default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
    default_yes_no 'AUTOMAKE'                   , '';
    default_yes_no 'WIDE_TC_MARKS'              , '';
+    default_yes_no 'TRACK_PROVIDERS'            , '';
+
+    if ( defined ( $val = $config{ZONE2ZONE} ) ) {
+	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
+    } else {
+	$config{ZONE2ZONE} = '2';
+    }

    $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};

-    default 'BLACKLIST_DISPOSITION'             , 'DROP';
+    default 'BLACKLIST_DISPOSITION'    , 'DROP';

    default_log_level 'BLACKLIST_LOGLEVEL',  '';
    default_log_level 'MACLIST_LOG_LEVEL',   '';
@@ -2397,8 +2479,6 @@ sub get_configuration( $ ) {
    default_log_level 'SMURF_LOG_LEVEL',     '';
    default_log_level 'LOGALLNEW',           '';

-    my $val;
-
    $globals{MACLIST_TARGET} = 'reject';

    if ( $val = $config{MACLIST_DISPOSITION} ) {
@@ -2509,18 +2589,13 @@ sub get_configuration( $ ) {
 }

 #
-# The values of the options in @propagateconfig are copied to the object file in OPTION=<value> format.
+# The values of the options in @propagateconfig are copied to the script file in OPTION=<value> format.
 #
 sub propagateconfig() {
    for my $option ( @propagateconfig ) {
 	my $value = $config{$option} || '';
 	emit "$option=\"$value\"";
    }
-
-    for my $option ( @propagateenv ) {
-	my $value = $globals{$option} || '';
-	emit "$option=\"$value\"";
-    }
 }

 #
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -72,7 +72,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_5';

 #
 # Some IPv4/6 useful stuff
@@ -302,7 +302,7 @@ sub validate_port( $$ ) {
    my $value;

    if ( $port =~ /^(\d+)$/ ) {
-	return $port if $port <= 65535;
+	return $port if $port && $port <= 65535;
    } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );
@@ -476,6 +476,7 @@ sub valid_6address( $ ) {
 	return 0 unless valid_4address pop @address;
 	$max = 6;
 	$address = join ':', @address;
+	return 1 if @address eq ':';
    } else {
 	$max = 8;
    }
@@ -484,16 +485,16 @@ sub valid_6address( $ ) {
    return 0 unless ( @address == $max ) || $address =~ /::/;
    return 0 if $address =~ /:::/ || $address =~ /::.*::/;

-    if ( $address =~ /^:/ ) {
-	unless ( $address eq '::' ) {
-	    return 0 if $address =~ /:$/ || $address =~ /^:.*::/;
-	}
-    } elsif ( $address =~ /:$/ ) {
-	return 0 if $address =~ /::.*:$/;
+    unless ( $address =~ /^::/ ) {
+	return 0 if $address =~ /^:/;
    }

+    unless ( $address =~ /::$/  ) {
+	return 0 if $address =~ /:$/;
+    }
+		 
    for my $a ( @address ) {
-	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && oct "0x$a" < 65536 );
+	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 );
    }

    1;
@@ -542,13 +543,27 @@ sub validate_6net( $$ ) {
 sub normalize_6addr( $ ) {
    my $addr = shift;

-    while ( $addr =~ tr/:/:/ < 6 ) {
-	$addr =~ s/::/:0::/;
+    if ( $addr eq '::' ) {
+	'0:0:0:0:0:0:0:0';
+    } else {
+	#
+	# Suppress leading zeros
+	#
+	$addr =~ s/^0+//;
+	$addr =~ s/:0+/:/g;
+	$addr =~ s/^:/0:/;
+	$addr =~ s/:$/:0/;
+
+	$addr =~ s/::/:0::/ while $addr =~ tr/:/:/ < 7;
+	#
+	# Note: "s/::/:0:/g" doesn't work here
+	#
+	1 while $addr =~ s/::/:0:/;
+
+	$addr =~ s/^0+:/0:/;
+	
+	$addr;
    }
-
-    $addr =~ s/::/:0:/;
-
-    $addr;
 }

 sub validate_6range( $$ ) {
@@ -572,7 +587,7 @@ sub validate_6range( $$ ) {
 }

 sub validate_6host( $$ ) {
-    my ( $host, $allow_name )  = $_[0];
+    my ( $host, $allow_name )  = @_;

    if ( $host =~ /^(.*:.*)-(.*:.*)$/ ) {
 	validate_6range $1, $2;
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_4';

 our @addresses_to_add;
 our %addresses_to_add;
@@ -104,7 +104,7 @@ sub do_ipsec_options($)
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $origaddresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';

    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@@ -195,7 +195,7 @@ sub process_one_masq( )
 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

 	unless ( $interfaceref->{root} ) {
-	    $rule .= "-o $interface ";
+	    $rule .= match_dest_dev( $interface );
 	    $interface = $interfaceref->{name};
 	}

@@ -208,9 +208,7 @@ sub process_one_masq( )
 	#
 	# Parse the ADDRESSES column
 	#
-	if ( $origaddresses ne '-' ) {
-	    my $addresses = $origaddresses;
-
+	if ( $addresses ne '-' ) {
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
@@ -228,7 +226,7 @@ sub process_one_masq( )
 		    if ( interface_is_optional $interface ) {
 			add_commands( $chainref,
 				      '',
-				      qq(if [ "$variable" != 0.0.0.0 ]; then) );
+				      "if [ \"$variable\" != 0.0.0.0 ]; then" );
 			incr_cmd_level( $chainref );
 			$detectaddress = 1;
 		    }
@@ -241,7 +239,7 @@ sub process_one_masq( )
 			if ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = '-j SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
-			    if ( $addr =~ /^(.+)-(.+)$/ ) {
+			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				validate_range( $1, $2 );
 			    } else {
 				validate_address $ipaddr, 0;
@@ -286,13 +284,12 @@ sub process_one_masq( )
 	if ( $add_snat_aliases ) {
 	    my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
 	    fatal_error "Invalid alias ($alias:$remainder)" if defined $remainder;
-	    for my $address ( split_list $origaddresses, 'address' ) {
+	    for my $address ( split_list $addresses, 'address' ) {
 		my ( $addrs, $port ) = split /:/, $address;
 		next unless $addrs;
 		next if $addrs eq 'detect';
 		for my $addr ( ip_range_explicit $addrs ) {
 		    unless ( $addresses_to_add{$addr} ) {
-			emit "del_ip_addr $addr $interface" unless $config{RETAIN_ALIASES};
 			$addresses_to_add{$addr} = 1;
 			if ( defined $alias ) {
 			    push @addresses_to_add, $addr, "$interface:$alias";
@@ -370,8 +367,8 @@ sub do_one_nat( $$$$$ )
    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

    unless ( $interfaceref->{root} ) {
-	$rulein  = "-i $interface ";
-	$ruleout = "-o $interface ";
+	$rulein  = match_source_dev $interface;
+	$ruleout = match_dest_dev $interface;
 	$interface = $interfaceref->{name};
    }

@@ -463,8 +460,8 @@ sub setup_netmap() {
 	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );

 	    unless ( $interfaceref->{root} ) {
-		$rulein  = "-i $interface ";
-		$ruleout = "-o $interface ";
+		$rulein  = match_source_dev $interface;
+		$ruleout = match_dest_dev $interface;
 		$interface = $interfaceref->{name};
 	    }

@@ -484,12 +481,13 @@ sub setup_netmap() {

 sub add_addresses () {
    if ( @addresses_to_add ) {
+	my @addrs = @addresses_to_add;
 	my $arg = '';
 	my $addresses = 0;

-	while ( @addresses_to_add ) {
-	    my $addr      = shift @addresses_to_add;
-	    my $interface = shift @addresses_to_add;
+	while ( @addrs ) {
+	    my $addr      = shift @addrs;
+	    my $interface = shift @addrs;
 	    $arg = "$arg $addr $interface";
 	    unless ( $config{RETAIN_ALIASES} ) {
 		emit '' unless $addresses++;
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -32,9 +32,9 @@ use Shorewall::Actions;
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );
+our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies );
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_4';

 # @policy_chains is a list of references to policy chains in the filter table

@@ -68,7 +68,7 @@ sub new_policy_chain($$$$)
 {
    my ($source, $dest, $policy, $optional) = @_;

-    my $chainref = new_chain( 'filter', "${source}2${dest}" );
+    my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );

    convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );

@@ -119,7 +119,7 @@ use constant { OPTIONAL => 1 };

 sub add_or_modify_policy_chain( $$ ) {
    my ( $zone, $zone1 ) = @_;
-    my $chain    = "${zone}2${zone1}";
+    my $chain    = rules_chain( ${zone}, ${zone1} );
    my $chainref = $filter_table->{$chain};

    if ( $chainref ) {
@@ -211,7 +211,7 @@ sub process_a_policy() {
 	}
    }

-    my $chain = "${client}2${server}";
+    my $chain = rules_chain( ${client}, ${server} );
    my $chainref;

    if ( defined $filter_table->{$chain} ) {
@@ -252,19 +252,19 @@ sub process_a_policy() {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
+		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy;
 		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
+		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy;
 		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
+	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy;
 	    print_policy $client, $zone, $policy, $chain;
 	}

@@ -273,6 +273,21 @@ sub process_a_policy() {
    }
 }

+sub save_policies() {
+    for my $zone1 ( all_zones ) {
+	for my $zone2 ( all_zones ) {
+	    my $chainref  = $filter_table->{ rules_chain( $zone1, $zone2 ) };
+	    my $policyref = $filter_table->{ $chainref->{policychain} };
+
+	    if ( $policyref->{referenced} ) {
+		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy} . ' using chain ' . $policyref->{name};
+	    } elsif ( $zone1 ne $zone2 ) {
+		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy};
+	    }
+	}
+    }
+}	    
+
 sub validate_policy()
 {
    our %validpolicies = (
@@ -334,7 +349,7 @@ sub validate_policy()

    for $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy};
+	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{rules_chain( ${zone}, ${zone1} )}{policy};
 	}
    }
 }
@@ -409,7 +424,7 @@ sub apply_policy_rules() {
 		ensure_filter_chain $name, 1;
 	    }

-	    if ( $name =~ /^all2|2all$/ ) {
+	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
 		run_user_exit $chainref;
 		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
@@ -418,7 +433,7 @@ sub apply_policy_rules() {

    for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    my $chainref = $filter_table->{"${zone}2${zone1}"};
+	    my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};

 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
@@ -444,7 +459,7 @@ sub complete_standard_chain ( $$$$ ) {

    run_user_exit $stdchainref;

-    my $ruleschainref = $filter_table->{"${zone}2${zone2}"} || $filter_table->{all2all};
+    my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
    my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
    my $policychainref;

--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -41,7 +41,7 @@ our @EXPORT = qw(
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_12';
+our $VERSION = '4.4_4';

 #
 # ARP Filtering
@@ -56,27 +56,35 @@ sub setup_arp_filtering() {
 	save_progress_message "Setting up ARP filtering...";

 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
 	    my $value = get_interface_option $interface, 'arp_filter';
+	    my $optional = interface_is_optional $interface;
+                           
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";

 	    emit ( '',
 		   "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}

 	for my $interface ( @$interfaces1 ) {
-	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
 	    my $value = get_interface_option $interface, 'arp_ignore';
+	    my $optional = interface_is_optional $interface;
+                           
+	    $interface = get_physical $interface;
+
+	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";

 	    assert( defined $value );

 	    emit ( "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}
    }
@@ -88,16 +96,18 @@ sub setup_arp_filtering() {
 sub setup_route_filtering() {

    my $interfaces = find_interfaces_by_option 'routefilter';
+    my $config     = $config{ROUTE_FILTER};

-    if ( @$interfaces || $config{ROUTE_FILTER} ) {
+    if ( @$interfaces || $config ) {

 	progress_message2 "$doing Kernel Route Filtering...";

 	save_progress_message "Setting up Route Filtering...";

+	my $val = '';

-	if ( $config{ROUTE_FILTER} ) {
-	    my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
+	if ( $config{ROUTE_FILTER} ne '' ) {
+	    $val = $config eq 'on' ? 1 : $config eq 'off' ? 0 : $config;

 	    emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
 		   "    [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter",
@@ -106,24 +116,28 @@ sub setup_route_filtering() {
 	}

 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
 	    my $value = get_interface_option $interface, 'routefilter';
+	    my $optional = interface_is_optional $interface;
+                           
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";

 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
+		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}

-	emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
-
-	if ( $config{ROUTE_FILTER} eq 'on' ) {
-	    emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
-	} elsif (  $config{ROUTE_FILTER} eq 'off' ) {
-	    emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
+	if ( $capabilities{KERNELVERSION} < 20631 ) {
+	    emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
+	} elsif ( $val ne '' ) {
+	    emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";
 	}

+	emit "echo $val > /proc/sys/net/ipv4/conf/default/rp_filter" if $val ne '';
+
 	emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
    }
 }
@@ -153,14 +167,18 @@ sub setup_martian_logging() {
 	}

 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
 	    my $value = get_interface_option $interface, 'logmartians';
+	    my $optional = interface_is_optional $interface;
+                           
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";

 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );

 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
+		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless $optional;
 	    emit   "fi\n";
 	}
    }
@@ -180,13 +198,17 @@ sub setup_source_routing( $ ) {
 	save_progress_message 'Setting up Accept Source Routing...';

 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv$family/conf/$interface/accept_source_route";
 	    my $value = get_interface_option $interface, 'sourceroute';
+	    my $optional = interface_is_optional $interface;
+
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv$family/conf/$interface/accept_source_route";

 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless interface_is_optional( $interface);
+		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}
    }
@@ -227,13 +249,17 @@ sub setup_forwarding( $$ ) {
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';

 	    for my $interface ( @$interfaces ) {
-		my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding";
 		my $value = get_interface_option $interface, 'forward';
+		my $optional = interface_is_optional $interface;
+
+		$interface = get_physical $interface;
+
+		my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding";

 		emit ( "if [ -f $file ]; then" ,
 		       "    echo $value > $file" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless interface_is_optional( $interface);
+		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }

--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_4';

 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -96,7 +96,7 @@ sub initialize( $ ) {
 sub setup_route_marking() {
    my $mask = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';

-    require_capability( $_ , 'the provider \'track\' option' , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
+    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;

    add_rule $mangle_table->{$_} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;

@@ -108,33 +108,21 @@ sub setup_route_marking() {

    for my $providerref ( @routemarked_providers ) {
 	my $interface = $providerref->{interface};
+	my $physical  = $providerref->{physical};
 	my $mark      = $providerref->{mark};
-	my $base      = uc chain_base $interface;
-
-	if ( $providerref->{optional} ) {
-	    if ( $providerref->{shared} ) {
-		add_commands( $chainref, qq(if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then) );
-	    } else {
-		add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
-	    }
-
-	    incr_cmd_level( $chainref );
-	}

 	unless ( $marked_interfaces{$interface} ) {
-	    add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
-	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $interface -m mark --mark  $mark/$mask ";
+	    add_rule $mangle_table->{PREROUTING} , "-i $physical -m mark --mark 0/$mask -j routemark";
+	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $physical -m mark --mark  $mark/$mask ";
 	    add_jump $mangle_table->{OUTPUT}     , $chainref2, 0, "-m mark --mark  $mark/$mask ";
 	    $marked_interfaces{$interface} = 1;
 	}

 	if ( $providerref->{shared} ) {
-	    add_rule $chainref, " -i $interface -m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
+	    add_rule $chainref, match_source_dev( $interface ) . "-m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
 	} else {
-	    add_rule $chainref, " -i $interface -j MARK --set-mark $providerref->{mark}";
+	    add_rule $chainref, match_source_dev( $interface ) . "-j MARK --set-mark $providerref->{mark}";
 	}
-
-	decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
    }

    add_rule $chainref, "-m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask";
@@ -142,11 +130,15 @@ sub setup_route_marking() {

 sub copy_table( $$$ ) {
    my ( $duplicate, $number, $realm ) = @_;
+    #
+    # Hack to work around problem in iproute
+    #
+    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';

    if ( $realm ) {
 	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
    } else {
-	emit  ( "\$IP -$family route show table $duplicate | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
    }

    emit ( '    case $net in',
@@ -162,11 +154,23 @@ sub copy_table( $$$ ) {

 sub copy_and_edit_table( $$$$ ) {
    my ( $duplicate, $number, $copy, $realm) = @_;
+    #
+    # Hack to work around problem in iproute
+    #    
+    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
+    #
+    # Map physical names in $copy to logical names
+    #
+    $copy = join( '|' , map( physical_name($_) , split( ',' , $copy ) ) );
+    #
+    # Shell and iptables use a different wildcard character
+    #
+    $copy =~ s/\+/*/;

    if ( $realm ) {
-	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
    } else {
-	emit  ( "\$IP -$family route show table $duplicate | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
    }

    emit (  '    case $net in',
@@ -270,9 +274,10 @@ sub add_a_provider( ) {
    }

    fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
+    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;

-    my $provider    = chain_base $table;
-    my $base        = uc chain_base $interface;
+    my $physical    = get_physical $interface;
+    my $base        = uc chain_base $physical;
    my $gatewaycase = '';

    if ( $gateway eq 'detect' ) {
@@ -316,12 +321,15 @@ sub add_a_provider( ) {

    }

-    my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' );
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu ) = 
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' );

    unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
 		$track = 1;
+	    } elsif ( $option eq 'notrack' ) {
+		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' is not available in IPv6) if $family == F_IPV6;
 		$balance = $1;
@@ -372,6 +380,7 @@ sub add_a_provider( ) {
 			   number      => $number ,
 			   mark        => $val ? in_hex($val) : $val ,
 			   interface   => $interface ,
+			   physical    => $physical ,
 			   optional    => $optional ,
 			   gateway     => $gateway ,
 			   gatewaycase => $gatewaycase ,
@@ -399,19 +408,19 @@ sub add_a_provider( ) {
    if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) );
+	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
    } else {
 	if ( $optional ) {
 	    start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
+	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $table, $number, "if interface_is_usable $interface; then" );
+	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
 	}

 	$provider_interfaces{$interface} = $table;

-	emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
+	emit "run_ip route add default dev $physical table $number" if $gatewaycase eq 'none';
    }

    if ( $mark ne '-' ) {
@@ -430,8 +439,7 @@ sub add_a_provider( ) {
 	    if ( $copy eq 'none' ) {
 		$copy = $interface;
 	    } else {
-		$copy =~ tr/,/|/;
-		$copy = "$interface|$copy";
+		$copy = "$interface,$copy";
 	    }

 	    copy_and_edit_table( $duplicate, $number ,$copy , $realm);
@@ -443,28 +451,28 @@ sub add_a_provider( ) {

    if ( $gateway ) {
 	$address = get_interface_address $interface unless $address;
-	emit "run_ip route replace $gateway src $address dev $interface ${mtu}table $number $realm";
-	emit "run_ip route add default via $gateway src $address dev $interface ${mtu}table $number $realm";
+	emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
+	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
    }

-    balance_default_route $balance , $gateway, $interface, $realm if $balance;
+    balance_default_route $balance , $gateway, $physical, $realm if $balance;

    if ( $default > 0 ) {
-	balance_fallback_route $default , $gateway, $interface, $realm;
+	balance_fallback_route $default , $gateway, $physical, $realm;
    } elsif ( $default ) {
 	emit '';
 	if ( $gateway ) {
-	    emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
-	    emit qq(echo "qt \$IP route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
+	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	} else {
-	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
-	    emit qq(echo "qt \$IP route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
+	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	}
    }

    if ( $loose ) {
 	if ( $config{DELETE_THEN_ADD} ) {
-	    emit ( "\nfind_interface_addresses $interface | while read address; do",
+	    emit ( "\nfind_interface_addresses $physical | while read address; do",
 		   "    qt \$IP -$family rule del from \$address",
 		   'done'
 		 );
@@ -478,7 +486,7 @@ sub add_a_provider( ) {

 	emit "\nrulenum=0\n";

-	emit  ( "find_interface_addresses $interface | while read address; do" );
+	emit  ( "find_interface_addresses $physical | while read address; do" );
 	emit  (	"    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 	emit  (	"    run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
 		"    echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
@@ -494,15 +502,15 @@ sub add_a_provider( ) {

    if ( $optional ) {
 	if ( $shared ) {
-	    emit ( "    error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"" );
-	} else {
 	    emit ( "    error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );
+	} else {
+	    emit ( "    error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Added\"" );
 	}
    } else {
 	if ( $shared ) {
 	    emit( "    fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Added\"" );
 	} else {
-	    emit( "    fatal_error \"Interface $interface is not usable -- Provider $table ($number) Cannot be Added\"" );
+	    emit( "    fatal_error \"Interface $physical is not usable -- Provider $table ($number) Cannot be Added\"" );
 	}
    }

@@ -513,9 +521,32 @@ sub add_a_provider( ) {
    progress_message "   Provider \"$currentline\" $done";
 }

+#
+# Begin an 'if' statement testing whether the passed interface is available
+#
+sub start_new_if( $ ) {
+    our $current_if = shift;
+
+    emit ( '', qq(if [ -n "\$${current_if}_IS_USABLE" ]; then) );
+    push_indent;
+}
+  
+#
+# Complete any current 'if' statement in the output script
+#
+sub finish_current_if() {
+    if ( our $current_if ) {
+	pop_indent;
+	emit ( "fi\n" );
+	$current_if = '';
+    }
+}
+
 sub add_an_rtrule( ) {
    my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';

+    our $current_if;
+
    unless ( $providers{$provider} ) {
 	my $found = 0;

@@ -550,6 +581,7 @@ sub add_an_rtrule( ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	    fatal_error "Invalid SOURCE" if defined $remainder;
 	    validate_net ( $source, 0 );
+	    $interface = physical_name $interface;
 	    $source = "iif $interface from $source";
 	} elsif ( $source =~ /\..*\..*/ ) {
 	    validate_net ( $source, 0 );
@@ -560,6 +592,7 @@ sub add_an_rtrule( ) {
    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
 	validate_net ($source, 0);
+	$interface = physical_name $interface;
 	$source = "iif $interface from $source";
    } elsif (  $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
 	validate_net ( $source, 0 );
@@ -572,21 +605,21 @@ sub add_an_rtrule( ) {

    $priority = "priority $priority";

-    emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
+    finish_current_if, emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};

    my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );

    if ( $optional ) {
-	my $base = uc chain_base( $providers{$provider}{interface} );
-	emit ( '', "if [ -n \$${base}_IS_USABLE ]; then" );
-	push_indent;
+	my $base = uc chain_base( $providers{$provider}{physical} );
+	finish_current_if if $base ne $current_if;
+	start_new_if( $base ) unless $current_if;
+  } else {
+	finish_current_if;
    }

    emit ( "run_ip rule add $source $dest $priority table $number",
 	   "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );

-    pop_indent, emit ( "fi\n" ) if $optional;
-
    progress_message "   Routing rule \"$currentline\" $done";
 }

@@ -720,12 +753,15 @@ sub setup_providers() {
 	my $fn = open_file 'route_rules';

 	if ( $fn ) {
+	    our $current_if = '';

 	    first_entry "$doing $fn...";

 	    emit '';

 	    add_an_rtrule while read_a_line;
+
+	    finish_current_if;
 	}

 	setup_null_routing if $config{NULL_ROUTE_RFC1918};
@@ -781,18 +817,21 @@ sub lookup_provider( $ ) {
 }

 #
-# This function is called by the compiler when it is generating the initialize() function.
+# This function is called by the compiler when it is generating the detect_configuration() function.
 # The function emits code to set the ..._IS_USABLE interface variables appropriately for the
 # optional interfaces
 #
+# Returns true if there were optional interfaces
+#
 sub handle_optional_interfaces() {

    my $interfaces = find_interfaces_by_option 'optional';

    if ( @$interfaces ) {
 	for my $interface ( @$interfaces ) {
-	    my $base  = uc chain_base( $interface );
 	    my $provider = $provider_interfaces{$interface};
+	    my $physical = get_physical $interface;
+	    my $base     = uc chain_base( $physical );

 	    emit '';

@@ -803,15 +842,15 @@ sub handle_optional_interfaces() {
 		my $providerref = $providers{$provider};

 		if ( $providerref->{gatewaycase} eq 'detect' ) {
-		    emit qq(if interface_is_usable $interface && [ -n "$providerref->{gateway}" ]; then);
+		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 		} else {
-		    emit qq(if interface_is_usable $interface; then);
+		    emit qq(if interface_is_usable $physical; then);
 		}
 	    } else {
 		#
 		# Not a provider interface
 		#
-		emit qq(if interface_is_usable $interface; then);
+		emit qq(if interface_is_usable $physical; then);
 	    }

 	    emit( "    ${base}_IS_USABLE=Yes" ,
@@ -819,6 +858,8 @@ sub handle_optional_interfaces() {
 		  "    ${base}_IS_USABLE=" ,
 		  'fi' );
 	}
+
+	1;
    }
 }

@@ -839,9 +880,8 @@ sub handle_stickiness( $ ) {
    if ( $havesticky ) {
 	fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;

-
 	for my $providerref ( @routemarked_providers ) {
-	    my $interface = $providerref->{interface};
+	    my $interface = $providerref->{physical};
 	    my $base      = uc chain_base $interface;
 	    my $mark      = $providerref->{mark};

@@ -851,9 +891,6 @@ sub handle_stickiness( $ ) {
 		my $list = sprintf "sticky%03d" , $sticky++;

 		for my $chainref ( $stickyref, $setstickyref ) {
-
-		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-
 		    if ( $chainref->{name} eq 'sticky' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/;
@@ -864,17 +901,14 @@ sub handle_stickiness( $ ) {
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
 		    }

-		    $rule1 =~ s/-A //;
+		    $rule1 =~ s/-A tcpre //;

 		    add_rule $chainref, $rule1;

 		    if ( $rule2 ) {
-			$rule2 =~ s/-A //;
+			$rule2 =~ s/-A tcpre //;
 			add_rule $chainref, $rule2;
 		    }
-
-		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
-
 		}
 	    }

@@ -884,8 +918,6 @@ sub handle_stickiness( $ ) {
 		my $stickoref = ensure_mangle_chain 'sticko';

 		for my $chainref ( $stickoref, $setstickoref ) {
-		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-
 		    if ( $chainref->{name} eq 'sticko' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/;
@@ -896,16 +928,14 @@ sub handle_stickiness( $ ) {
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
 		    }

-		    $rule1 =~ s/-A //;
+		    $rule1 =~ s/-A tcout //;

 		    add_rule $chainref, $rule1;

 		    if ( $rule2 ) {
-			$rule2 =~ s/-A //;
+			$rule2 =~ s/-A tcout //;
 			add_rule $chainref, $rule2;
 		    }
-
-		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
 		}
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -35,7 +35,7 @@ our @EXPORT = qw(
 		  );

 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_4';

 our @proxyarp;

@@ -117,6 +117,8 @@ sub setup_proxy_arp() {
 		    $first_entry = 0;
 		}

+		$interface = get_physical $interface;
+
 		$set{$interface}  = 1;
 		$reset{$external} = 1 unless $set{$external};

@@ -143,10 +145,14 @@ sub setup_proxy_arp() {

 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyarp';
+		my $optional = interface_is_optional $interface;
+
+		$interface = get_physical $interface;
+
 		emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
 		       "    echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
+		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
 	}
@@ -158,10 +164,14 @@ sub setup_proxy_arp() {

 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyndp';
+		my $optional = interface_is_optional $interface;
+
+		$interface = get_physical $interface;
+
 		emit ( "if [ -f /proc/sys/net/ipv6/conf/$interface/proxy_ndp ] ; then" ,
 		   "    echo $value > /proc/sys/net/ipv6/conf/$interface/proxy_ndp" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless interface_is_optional( $interface );
+		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -24,6 +24,7 @@
 #
 package Shorewall::Rules;
 require Exporter;
+
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
@@ -40,11 +41,12 @@ our @EXPORT = qw( process_tos
 		  add_common_rules
 		  setup_mac_lists
 		  process_rules
+		  process_routestopped
 		  generate_matrix
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_5';

 #
 # Set to one if we find a SECTION
@@ -197,8 +199,8 @@ sub setup_ecn()
 	    for my $interface ( @interfaces ) {
 		my $chainref = ensure_chain 'mangle', ecn_chain( $interface );

-		add_jump $mangle_table->{POSTROUTING} , $chainref, 0, "-p tcp -o $interface ";
-		add_jump $mangle_table->{OUTPUT},       $chainref, 0, "-p tcp -o $interface ";
+		add_jump $mangle_table->{POSTROUTING} , $chainref, 0, "-p tcp " . match_dest_dev( $interface );
+		add_jump $mangle_table->{OUTPUT},       $chainref, 0, "-p tcp " . match_dest_dev( $interface );
 	    }

 	    for my $host ( @hosts ) {
@@ -320,7 +322,7 @@ sub process_routestopped() {

 	$seq++;

-	my $rule = do_proto( $proto, $ports, $sports, 1 );
+	my $rule = do_proto( $proto, $ports, $sports, 0 );

 	for my $host ( split /,/, $hosts ) {
 	    validate_host $host, 1;
@@ -329,18 +331,22 @@ sub process_routestopped() {
 	}

 	unless ( $options eq '-' ) {
+
 	    for my $option (split /,/, $options ) {
 		if ( $option eq 'routeback' ) {
 		    if ( $routeback ) {
 			warning_message "Duplicate 'routeback' option ignored";
 		    } else {
+			my $chainref = $filter_table->{FORWARD};
+
 			$routeback = 1;

 			for my $host ( split /,/, $hosts ) {
-			    my $source = match_source_net $host;
-			    my $dest   = match_dest_net   $host;
-
-			    emit "run_iptables -A FORWARD -i $interface -o $interface $source $dest -j ACCEPT";
+			    add_rule( $chainref , 
+				      match_source_dev( $interface ) . 
+				      match_dest_dev( $interface ) .
+				      match_source_net( $host ) .
+				      match_dest_net( $host ) );
 			    clearrule;
 			}
 		    }
@@ -374,24 +380,24 @@ sub process_routestopped() {
 	my $desti   = match_dest_dev $interface;
 	my $rule    = shift @rule;

-	add_rule $filter_table->{INPUT},  "$sourcei $source $rule -j ACCEPT";
-	add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT" unless $config{ADMINISABSENTMINDED};
+	add_rule $filter_table->{INPUT},  "$sourcei $source $rule -j ACCEPT", 1;
+	add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT", 1 unless $config{ADMINISABSENTMINDED};

 	my $matched = 0;

 	if ( $source{$host} ) {
-	    add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT";
+	    add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT", 1;
 	    $matched = 1;
 	}

 	if ( $dest{$host} ) {
-	    add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT";
+	    add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT", 1;
 	    $matched = 1;
 	}

 	if ( $notrack{$host} ) {
-	    add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK";
-	    add_rule $raw_table->{OUTPUT},     "$desti $dest $rule -j NOTRACK";
+	    add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK", 1;
+	    add_rule $raw_table->{OUTPUT},     "$desti $dest $rule -j NOTRACK", 1;
 	}

 	unless ( $matched ) {
@@ -400,7 +406,7 @@ sub process_routestopped() {
 		    my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
 		    my $dest1 = match_dest_net $h1;
 		    my $desti1 = match_dest_dev $interface1;
-		    add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT";
+		    add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT", 1;
 		    clearrule;
 		}
 	    }
@@ -546,7 +552,11 @@ sub add_common_rules() {
 		add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
 	    }

-	    add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport $ports -j ACCEPT" if get_interface_option( $interface, 'bridge' );
+	    add_rule( $filter_table->{forward_chain $interface} , 
+		      "-p udp " .
+		      match_dest_dev( $interface ) .
+		      "--dport $ports -j ACCEPT" )
+		if get_interface_option( $interface, 'bridge' );
 	}
    }

@@ -630,10 +640,10 @@ sub add_common_rules() {
 		if ( interface_is_optional $interface ) {
 		    add_commands( $chainref,
 				  qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
-				  qq(    echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) ,
+				  qq(    echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) ,
 				  qq(fi) );
 		} else {
-		    add_commands( $chainref, qq(echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) );
+		    add_commands( $chainref, qq(echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) );
 		}
 	    }
 	}
@@ -776,6 +786,9 @@ sub setup_mac_lists( $ ) {
 	    }
 	}
    } else {
+	#
+	# Phase II
+	#
 	for my $interface ( @maclist_interfaces ) {
 	    my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
 	    my $chain    = $chainref->{name};
@@ -848,12 +861,13 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {

    while ( read_a_line ) {

-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime);

 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
+	    ( $morigdest, $mmark, $mconnlimit, $mtime ) = qw/- - - -/;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime ) = split_line1 1, 12, 'macro file', $macro_commands;
 	}

 	if ( $mtarget eq 'COMMENT' ) {
@@ -867,8 +881,6 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 	    next;
 	}

-	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
-
 	$mtarget = merge_levels $target, $mtarget;

 	if ( $mtarget =~ /^PARAM(:.*)?$/ ) {
@@ -914,15 +926,15 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 		      $mtarget,
 		      $msource,
 		      $mdest,
-		      merge_macro_column( $mproto,    $proto ) ,
-		      merge_macro_column( $mports,    $ports ) ,
-		      merge_macro_column( $msports,   $sports ) ,
-		      merge_macro_column( $morigdest, $origdest ) ,
-		      merge_macro_column( $mrate,     $rate ) ,
-		      merge_macro_column( $muser,     $user ) ,
-		      $mark,
-		      $connlimit,
-		      $time,
+		      merge_macro_column( $mproto,     $proto ) ,
+		      merge_macro_column( $mports,     $ports ) ,
+		      merge_macro_column( $msports,    $sports ) ,
+		      merge_macro_column( $morigdest,  $origdest ) ,
+		      merge_macro_column( $mrate,      $rate ) ,
+		      merge_macro_column( $muser,      $user ) ,
+		      merge_macro_column( $mmark,      $mark ) ,
+		      merge_macro_column( $mconnlimit, $connlimit) ,
+		      merge_macro_column( $mtime,      $time ),
 		      $wildcard
 		     );

@@ -937,7 +949,7 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {

 }
 #
-# Once a rule has been expanded via wildcards (source and/or dest zone == 'all'), it is processed by this function. If
+# Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
 # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
 #
 sub process_rule1 ( $$$$$$$$$$$$$ ) {
@@ -948,10 +960,6 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
    my $actionchainref;
    my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} ) : 0;

-    unless ( defined $param ) {
-	( $basictarget, $param ) = ( $1, $2 ) if $action =~ /^(\w+)[(](.*)[)]$/;
-    }
-
    $param = '' unless defined $param;

    #
@@ -959,6 +967,10 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
    #
    my $actiontype = $targets{$basictarget} || find_macro( $basictarget );

+    if ( $config{ MAPOLDACTIONS } ) {
+	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || $param;
+    }
+
    fatal_error "Unknown action ($action)" unless $actiontype;

    if ( $actiontype == MACRO ) {
@@ -1076,7 +1088,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    $destref = defined_zone( $destzone );

 	    if ( $destref ) {
-		warning_message "Destination zone ($destzone) ignored";
+		warning_message "The destination zone ($destzone) is ignored in $log_action rules";
 	    } else {
 		$dest = join ':', $destzone, $dest;
 		$destzone = '';
@@ -1116,7 +1128,10 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    }
 	}

-	$chain    = "${sourcezone}2${destzone}";
+	$chain    = rules_chain( ${sourcezone}, ${destzone} );
+	#
+	# Ensure that the chain exists but don't mark it as referenced until after optimization is checked
+	#
 	$chainref = ensure_chain 'filter', $chain;
 	$policy   = $chainref->{policy};

@@ -1221,10 +1236,10 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		    $origdest = ALLIP;
 		}
 	    }
-	} else {
-	    fatal_error "A server must be specified in the DEST column in $action rules" if $server eq '';
-
-	    if ( $server =~ /^(.+)-(.+)$/ ) {
+	} else {            
+	    if ( $server eq '' ) {
+		fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
+	    } elsif ( $server =~ /^(.+)-(.+)$/ ) {
 		validate_range( $1, $2 );
 	    } else {
 		my @servers = validate_address $server, 1;
@@ -1233,9 +1248,13 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {

 	    if ( $action eq 'DNAT' ) {
 		$target = '-j DNAT ';
-		$serverport = ":$serverport" if $serverport;
-		for my $serv ( split /,/, $server ) {
-		    $target .= "--to-destination ${serv}${serverport} ";
+		if ( $server ) {
+		    $serverport = ":$serverport" if $serverport;
+		    for my $serv ( split /,/, $server ) {
+			$target .= "--to-destination ${serv}${serverport} ";
+		    }
+		} else {
+		    $target .= "--to-destination :$serverport ";
 		}
 	    }

@@ -1313,7 +1332,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		    # Static NAT is defined on this interface
 		    #
 		    $chn = new_chain( 'nat', newnonatchain ) unless $chn;
-		    add_jump $chn, $nat_table->{$ichain}, 0, @interfaces > 1 ? "-i $_ " : '';
+		    add_jump $chn, $nat_table->{$ichain}, 0, @interfaces > 1 ? match_source_dev( $_ )  : '';
 		}
 	    }

@@ -1364,7 +1383,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    #
 	    # And move the rules from the nonat chain to the zone dnat chain
 	    #
-	    add_rule( $nonat_chain, "-j $tgt" ) unless move_rules ( $chn, $nonat_chain );
+	    move_rules ( $chn, $nonat_chain );
 	}
    }

@@ -1569,6 +1588,9 @@ sub process_rules() {
 # Add jumps from the builtin chains to the interface-chains that are used by this configuration
 #
 sub add_interface_jumps {
+    our %input_jump_added;
+    our %output_jump_added;
+    our %forward_jump_added;
    #
    # Add Nat jumps
    #
@@ -1589,10 +1611,10 @@ sub add_interface_jumps {
    # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
    #
    for my $interface ( @_ ) {
-	add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) if use_forward_chain $interface;
-	add_jump( $filter_table->{INPUT}   , input_chain $interface ,   0, match_source_dev( $interface ) ) if use_input_chain $interface;
+	add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface;
+	add_jump( $filter_table->{INPUT}   , input_chain $interface ,   0, match_source_dev( $interface ) ) unless $input_jump_added{$interface}   || ! use_input_chain $interface;

-	if ( use_output_chain $interface ) {
+	unless ( $output_jump_added{$interface} || ! use_output_chain $interface ) {
 	    add_jump $filter_table->{OUTPUT} , output_chain $interface , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
 	}
    }
@@ -1600,7 +1622,7 @@ sub add_interface_jumps {
    # Loopback
    #
    my $fw = firewall_zone;
-    my $chainref = $filter_table->{"${fw}2${fw}"};
+    my $chainref = $filter_table->{rules_chain( ${fw}, ${fw} )};

    add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
    add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
@@ -1608,7 +1630,7 @@ sub add_interface_jumps {

 # Generate the rules matrix.
 #
-# Stealing a comment from the Burroughs B6700 MCP Operating System source, generate_matrix makes a sow's ear out of a silk purse.
+# Stealing a comment from the Burroughs B6700 MCP Operating System source, "generate_matrix makes a sow's ear out of a silk purse".
 #
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
 # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
@@ -1624,7 +1646,7 @@ sub generate_matrix() {
    #
    sub rules_target( $$ ) {
 	my ( $zone, $zone1 ) = @_;
-	my $chain = "${zone}2${zone1}";
+	my $chain = rules_chain( ${zone}, ${zone1} );
 	my $chainref = $filter_table->{$chain};

 	return $chain   if $chainref && $chainref->{referenced};
@@ -1659,18 +1681,28 @@ sub generate_matrix() {
    my $notrackref = $raw_table->{notrack_chain $fw};
    my @zones = non_firewall_zones;
    my $interface_jumps_added = 0;
+    our %input_jump_added   = ();
+    our %output_jump_added  = ();
+    our %forward_jump_added = ();

    #
    # Special processing for complex configurations
    #
    for my $zone ( @zones ) {
-	my $zoneref    = find_zone( $zone );
+	my $zoneref = find_zone( $zone );

 	next if @zones <= 2 && ! $zoneref->{options}{complex};
-
+	#
+	# Complex zone and we have more than one non-firewall zone -- create a zone forwarding chain
+	#
 	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );

 	if ( $capabilities{POLICY_MATCH} ) {
+	    #
+	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
+	    # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
+	    # can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
+	    #
 	    my $type       = $zoneref->{type};
 	    my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};

@@ -1680,6 +1712,7 @@ sub generate_matrix() {

 		if ( use_forward_chain( $interface ) ) {
 		    $sourcechainref = $filter_table->{forward_chain $interface};
+		    add_jump $filter_table->{FORWARD} , $sourcechainref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 		} else {
 		    $sourcechainref = $filter_table->{FORWARD};
 		    $interfacematch = match_source_dev $interface;
@@ -1746,7 +1779,7 @@ sub generate_matrix() {

 	    if ( $parenthasnat || $parenthasnotrack ) {
 		for my $zone1 ( all_zones ) {
-		    if ( $filter_table->{"${zone}2${zone1}"}->{policy} eq 'CONTINUE' ) {
+		    if ( $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'CONTINUE' ) {
 			#
 			# This zone has a continue policy to another zone. We must
 			# send packets from this zone through the parent's DNAT/REDIRECT/NOTRACK chain.
@@ -1791,6 +1824,7 @@ sub generate_matrix() {

 			    if ( use_output_chain $interface ) {
 				$outputref = $filter_table->{output_chain $interface};
+				add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 			    } else {
 				$outputref = $filter_table->{OUTPUT};
 				$interfacematch = match_dest_dev $interface;
@@ -1839,6 +1873,7 @@ sub generate_matrix() {

 			if ( use_input_chain $interface ) {
 			    $inputchainref = $filter_table->{input_chain $interface};
+			    add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
 			} else {
 			    $inputchainref = $filter_table->{INPUT};
 			    $interfacematch = match_source_dev $interface;
@@ -1852,7 +1887,9 @@ sub generate_matrix() {
 			if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
 			    my $ref = source_exclusion( $exclusions, $frwd_ref );
 			    if ( use_forward_chain $interface ) {
-				add_jump $filter_table->{forward_chain $interface} , $ref, 0, join( '', $source, $ipsec_in_match );
+				my $forwardref = $filter_table->{forward_chain $interface};
+				add_jump $forwardref , $ref, 0, join( '', $source, $ipsec_in_match );
+				add_jump $filter_table->{FORWARD} , $forwardref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 			    } else {
 				add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match );
 				move_rules ( $filter_table->{forward_chain $interface} , $frwd_ref );
@@ -1872,12 +1909,11 @@ sub generate_matrix() {
 	if ( $config{OPTIMIZE} > 0 ) {
 	    my @temp_zones;

-	  ZONE1:
 	    for my $zone1 ( @zones )  {
 		my $zone1ref = find_zone( $zone1 );
-		my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
+		my $policy = $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy};

-		next if $policy  eq 'NONE';
+		next if $policy eq 'NONE';

 		my $chain = rules_target $zone, $zone1;

@@ -1891,7 +1927,7 @@ sub generate_matrix() {
 		    next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 		}

-		if ( $chain =~ /2all$/ ) {
+		if ( $chain =~ /(2all|-all)$/ ) {
 		    if ( $chain ne $last_chain ) {
 			$last_chain = $chain;
 			push @dest_zones, @temp_zones;
@@ -1922,12 +1958,10 @@ sub generate_matrix() {
 	# We now loop through the destination zones creating jumps to the rules chain for each source/dest combination.
 	# @dest_zones is the list of destination zones that we need to handle from this source zone
 	#
-      ZONE1:
 	for my $zone1 ( @dest_zones ) {
 	    my $zone1ref = find_zone( $zone1 );
-	    my $policy   = $filter_table->{"${zone}2${zone1}"}->{policy};

-	    next if $policy  eq 'NONE';
+	    next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy}  eq 'NONE';

 	    my $chain = rules_target $zone, $zone1;

@@ -1936,57 +1970,69 @@ sub generate_matrix() {
 	    my $num_ifaces = 0;

 	    if ( $zone eq $zone1 ) {
-		next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
+		next if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
 	    }

 	    if ( $zone1ref->{type} == BPORT ) {
-		next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge};
+		next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 	    }

-	    my $chainref    = $filter_table->{$chain};
-
-	    my $dest_hosts_ref = $zone1ref->{hosts};
+	    my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT

 	    if ( $frwd_ref ) {
-		for my $typeref ( values %$dest_hosts_ref ) {
+		#
+		# Simple case -- the source zone has it's own forwarding chain
+		#
+		for my $typeref ( values %{$zone1ref->{hosts}} ) {
 		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
-			my $arrayref = $typeref->{$interface};
-			for my $hostref ( @$arrayref ) {
+			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
 				my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
+				my $dest_exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
 				for my $net ( @{$hostref->{hosts}} ) {
-				    add_jump $frwd_ref, dest_exclusion( $hostref->{exclusions}, $chain), 0, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match );
+				    add_jump $frwd_ref, $dest_exclusion, 0, join( '', match_dest_dev( $interface) , match_dest_net($net), $ipsec_out_match );
 				}
 			    }
 			}
 		    }
 		}
 	    } else {
+		#
+		# More compilcated case. If the interface is associated with a single simple zone, we try to combine the interface's forwarding chain with the rules chain
+		#
 		for my $typeref ( values %$source_hosts_ref ) {
 		    for my $interface ( keys %$typeref ) {
-			my $arrayref = $typeref->{$interface};
 			my $chain3ref;
 			my $match_source_dev = '';
+			my $forwardchainref = $filter_table->{forward_chain $interface};

-			if ( use_forward_chain $interface ) {
-			    $chain3ref = $filter_table->{forward_chain $interface};
+			if ( use_forward_chain( $interface ) || ( @{$forwardchainref->{rules} } && ! $chainref ) ) {
+			    #
+			    # Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
+			    #
+			    $chain3ref = $forwardchainref;
+			    add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 			} else {
+			    #
+			    # Don't use the interface's forward chain -- move any rules in that chain to this rules chain
+			    #
 			    $chain3ref  = $filter_table->{FORWARD};
 			    $match_source_dev = match_source_dev $interface;
-			    move_rules $filter_table->{forward_chain $interface}, $chainref;
+			    move_rules $forwardchainref, $chainref;
 			}

-			for my $hostref ( @$arrayref ) {
+			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{destonly};
 			    my $excl3ref = source_exclusion( $hostref->{exclusions}, $chain3ref );
 			    for my $net ( @{$hostref->{hosts}} ) {
-				for my $type1ref ( values %$dest_hosts_ref ) {
+				for my $type1ref ( values %{$zone1ref->{hosts}} ) {
 				    for my $interface1 ( keys %$type1ref ) {
 					my $array1ref = $type1ref->{$interface1};
 					for my $host1ref ( @$array1ref ) {
 					    next if $host1ref->{options}{sourceonly};
 					    my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
+					    my $dest_exclusion  = dest_exclusion( $host1ref->{exclusions}, $chain );
 					    for my $net1 ( @{$host1ref->{hosts}} ) {
 						unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
 						    #
@@ -1994,7 +2040,7 @@ sub generate_matrix() {
 						    #
 						    add_jump(
 							     $excl3ref ,
-							     dest_exclusion( $host1ref->{exclusions}, $chain ),
+							     $dest_exclusion,
 							     0,
 							     join( '',
 								   $match_source_dev,
@@ -2013,13 +2059,13 @@ sub generate_matrix() {
 		    }
 		}
 	    }
-	    #
-	    #                                      E N D   F O R W A R D I N G
-	    #
-	    # Now add an unconditional jump to the last unique policy-only chain determined above, if any
-	    #
-	    add_jump $frwd_ref , $last_chain, 1 if $last_chain;
 	}
+	#
+	#                                      E N D   F O R W A R D I N G
+	#
+	# Now add an unconditional jump to the last unique policy-only chain determined above, if any
+	#
+	add_jump $frwd_ref , $last_chain, 1 if $frwd_ref && $last_chain;
    }

    add_interface_jumps @interfaces unless $interface_jumps_added;
@@ -2089,10 +2135,12 @@ sub setup_mss( ) {
 	for ( @$interfaces ) {
 	    my $mss      = get_interface_option( $_, 'mss' );
 	    my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
-	    add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
-	    add_rule $chainref, "-o $_ -j RETURN" if $clampmss;
-	    add_rule $chainref, "-i $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss";
-	    add_rule $chainref, "-i $_ -j RETURN" if $clampmss;
+	    my $source   = match_source_dev $_;
+	    my $dest     = match_dest_dev $_;
+	    add_rule $chainref, "${dest}-p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
+	    add_rule $chainref, "${dest}-j RETURN" if $clampmss;
+	    add_rule $chainref, "${source}-p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss";
+	    add_rule $chainref, "${source}-j RETURN" if $clampmss;
 	}
    }

@@ -2249,12 +2297,12 @@ EOF
 	my $ports = $family == F_IPV4 ? '67:68' : '546:547';

 	for my $interface ( @$interfaces ) {
-	    add_rule $input,  "-p udp -i $interface --dport $ports -j ACCEPT";
-	    add_rule $output, "-p udp -o $interface --dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
+	    add_rule $input,  "-p udp " . match_source_dev( $interface ) . "--dport $ports -j ACCEPT";
+	    add_rule $output, "-p udp " . match_dest_dev( $interface )   . "--dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
 	    #
 	    # This might be a bridge
 	    #
-	    add_rule $forward, "-p udp -i $interface -o $interface --dport $ports -j ACCEPT";
+	    add_rule $forward, "-p udp " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "--dport $ports -j ACCEPT";
 	}
    }

@@ -2273,7 +2321,7 @@ EOF
 	}
    } else {
 	for my $interface ( all_bridges ) {
-	    emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
+	    emit "do_iptables -A FORWARD -p 58 " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "-j ACCEPT";
 	}

 	if ( $config{IP_FORWARDING} eq 'on' ) {
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_5';

 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -153,7 +153,7 @@ our @deferred_rules;
 #
 # TCDevices Table
 #
-# %tcdevices { <interface> -> {in_bandwidth  => <value> ,
+# %tcdevices { <interface> => {in_bandwidth  => <value> ,
 #                              out_bandwidth => <value> ,
 #                              number        => <number>,
 #                              classify      => 0|1
@@ -531,6 +531,7 @@ sub validate_tc_device( ) {
 			    qdisc         => $qdisc,
 			    guarantee     => 0,
 			    name          => $device,
+			    physical      => physical_name $device
 			  } ,

    push @tcdevices, $device;
@@ -647,15 +648,15 @@ sub validate_tc_class( ) {
 	if ( $devref->{classify} ) {
 	    warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
 	} else {
-	    fatal_error "Invalid Mark ($mark)" unless $mark =~ /^([0-9]+|0x[0-9a-fA-F]+)$/ && numeric_value( $mark ) <= 0xff;
-
 	    $markval = numeric_value( $mark );
 	    fatal_error "Invalid MARK ($markval)" unless defined $markval;

+	    fatal_error "Invalid Mark ($mark)" unless $markval <= ( $config{WIDE_TC_MARKS} ? 0x3fff : 0xff );
+
 	    if ( $classnumber ) {
 		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
 	    } else {
-		$classnumber = $config{WIDE_TC_MARKS} ? $tcref->{nextclass}++ : hex_value( $devnum . $markval );
+		$classnumber = $config{WIDE_TC_MARKS} ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
 		fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
 	    }
 	}
@@ -713,6 +714,7 @@ sub validate_tc_class( ) {
 			       parent    => $parentclass,
 			       leaf      => 1,
 			       guarantee => 0,
+			       limit     => 127,
 			     };

    $tcref = $tcref->{$classnumber};
@@ -761,6 +763,10 @@ sub validate_tc_class( ) {

 		$tcref->{occurs} = $occurs;
 		$devref->{occurs} = 1;
+	    } elsif ( $option =~ /^limit=(\d+)$/ ) {
+		warning_message "limit ignored with pfifo queuing" if $tcref->{pfifo};
+		fatal_error "Invalid limit ($1)" if $1 < 3 || $1 > 128;
+		$tcref->{limit} = $1;
 	    } else {
 		fatal_error "Unknown option ($option)";
 	    }
@@ -789,6 +795,7 @@ sub validate_tc_class( ) {
 					       pfifo    => $tcref->{pfifo},
 					       occurs   => 0,
 					       parent   => $parentclass,
+					       limit    => $tcref->{limit},
 					     };
 	push @tcclasses, "$device:$classnumber";
    };
@@ -825,7 +832,7 @@ sub process_tc_filter( ) {
    fatal_error "Unknown CLASS ($devclass)"                  unless $tcref && $tcref->{occurs};
    fatal_error "Filters may not specify an occurring CLASS" if $tcref->{occurs} > 1;

-    my $rule = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32";
+    my $rule = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32";

    if ( $source ne '-' ) {
 	my ( $net , $mask ) = decompose_net( $source );
@@ -896,7 +903,7 @@ sub process_tc_filter( ) {
 	    $lasttnum = $tnum;
 	    $lastrule = $rule;

-	    emit( "\nrun_tc filter add dev $device parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor 1" );
+	    emit( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor 1" );
 	}
 	#
 	# And link to it using the current contents of $rule
@@ -906,7 +913,7 @@ sub process_tc_filter( ) {
 	#
 	# The rule to match the port(s) will be inserted into the new table
 	#
-	$rule     = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
+	$rule     = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";

 	if ( $portlist eq '-' ) {
 	    fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT"
@@ -1033,12 +1040,15 @@ sub setup_traffic_shaping() {
    }

    for my $device ( @tcdevices ) {
-	my $dev     = chain_base( $device );
 	my $devref  = $tcdevices{$device};
 	my $defmark = in_hexp ( $devref->{default} || 0 );
 	my $devnum  = in_hexp $devref->{number};
 	my $r2q     = int calculate_r2q $devref->{out_bandwidth};

+	$device = physical_name $device;
+
+	my $dev = chain_base( $device );
+
 	emit "if interface_is_up $device; then";

 	push_indent;
@@ -1121,12 +1131,14 @@ sub setup_traffic_shaping() {
 	my $classid  = join( ':', in_hexp $devicenumber, $classnum);
 	my $rate     = "$tcref->{rate}kbit";
 	my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
+
+	$classids{$classid}=$device;
+	$device = physical_name $device;
+
 	my $dev      = chain_base $device;
 	my $priority = $tcref->{priority} << 8;
 	my $parent   = in_hexp $tcref->{parent};

-	$classids{$classid}=$device;
-
 	if ( $lastdevice ne $device ) {
 	    if ( $lastdevice ) {
 		pop_indent;
@@ -1153,7 +1165,7 @@ sub setup_traffic_shaping() {
 	    }
 	}

-	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
+	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit $tcref->{limit} perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
 	#
 	# add filters
 	#
@@ -1214,7 +1226,7 @@ sub setup_tc() {
 	    $mark_part = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFF0000' : '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';

 	    for my $interface ( @routemarked_interfaces ) {
-		add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
+		add_rule $mangle_table->{PREROUTING} , match_source_dev( $interface ) . "-j tcpre";
 	    }
 	}

--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -83,8 +83,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
-		$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
+		$inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
+		$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;

 		unless ( $capabilities{POLICY_MATCH} ) {
 		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
@@ -239,8 +239,8 @@ sub setup_tunnels() {

 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;

-	my $inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
-	my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
+	my $inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
+	my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;

 	$gateway = ALLIP if $gateway eq '-';

--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -60,6 +60,8 @@ our @EXPORT = qw( NOTHING
 		  interface_number
 		  find_interface
 		  known_interface
+		  get_physical
+		  physical_name
 		  have_bridges
 		  port_to_bridge
 		  source_port_to_bridge
@@ -73,7 +75,7 @@ our @EXPORT = qw( NOTHING
 		 );

 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_4';

 #
 # IPSEC Option types
@@ -135,7 +137,8 @@ our %reservedName = ( all => 1,
 #
 #     %interfaces { <interface1> => { name        => <name of interface>
 #                                     root        => <name without trailing '+'>
-#                                     options     => { <option1> = <val1> ,
+#                                     options     => { port => undef|1
+#                                                      <option1> = <val1> ,          #See %validinterfaceoptions
 #                                                      ...
 #                                                    }
 #                                     zone        => <zone name>
@@ -143,6 +146,7 @@ our %reservedName = ( all => 1,
 #                                     bridge      => <bridge>
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
+#                                     physical    => <physical interface name>
 #                                   }
 #                 }
 #
@@ -150,6 +154,7 @@ our @interfaces;
 our %interfaces;
 our @bport_zones;
 our %ipsets;
+our %physical;
 our $family;

 use constant { FIREWALL => 1,
@@ -163,6 +168,8 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       NUMERIC_IF_OPTION  => 4,
 	       OBSOLETE_IF_OPTION => 5,
 	       IPLIST_IF_OPTION   => 6,
+	       STRING_IF_OPTION   => 7,
+
 	       MASK_IF_OPTION     => 7,

 	       IF_OPTION_ZONEONLY => 8,
@@ -171,6 +178,10 @@ use constant { SIMPLE_IF_OPTION   => 1,

 our %validinterfaceoptions;

+our %defaultinterfaceoptions = ( routefilter => 1 );
+
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 );
+
 our %validhostoptions;

 #
@@ -193,6 +204,7 @@ sub initialize( $ ) {
    %interfaces = ();
    @bport_zones = ();
    %ipsets = ();
+    %physical = ();

    if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -209,12 +221,13 @@ sub initialize( $ ) {
 				  optional    => SIMPLE_IF_OPTION,
 				  proxyarp    => BINARY_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
-				  routefilter => BINARY_IF_OPTION ,
+				  routefilter => NUMERIC_IF_OPTION ,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION,
+				  physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -239,7 +252,8 @@ sub initialize( $ ) {
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION,
-				    forward     => NUMERIC_IF_OPTION,
+				    forward     => BINARY_IF_OPTION,
+				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -496,17 +510,19 @@ sub zone_report()
 		my $interfaceref = $hostref->{$type};

 		for my $interface ( sort keys %$interfaceref ) {
+		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 		    for my $groupref ( @$arrayref ) {
 			my $hosts      = $groupref->{hosts};
-			my $exclusions = join ',', @{$groupref->{exclusions}};
 			if ( $hosts ) {
-			    my $grouplist = join ',', ( @$hosts );
+			    my $grouplist  = join ',', ( @$hosts );
+			    my $exclusions = join ',', @{$groupref->{exclusions}};
 			    $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;
+		
 			    if ( $family == F_IPV4 ) {
-				progress_message_nocompress "      $interface:$grouplist";
+				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
-				progress_message_nocompress "      $interface:<$grouplist>";
+				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
 			    }
 			    $printed = 1;
 			}
@@ -524,6 +540,9 @@ sub zone_report()
    }
 }

+#
+# This function is called to create the contents of the ${VARDIR}/zones file
+#
 sub dump_zone_contents()
 {
    my @xlate;
@@ -550,20 +569,21 @@ sub dump_zone_contents()
 		my $interfaceref = $hostref->{$type};

 		for my $interface ( sort keys %$interfaceref ) {
+		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 		    for my $groupref ( @$arrayref ) {
 			my $hosts     = $groupref->{hosts};
-			my $exclusions = join ',', @{$groupref->{exclusions}};

 			if ( $hosts ) {
-			    my $grouplist = join ',', ( @$hosts );
+			    my $grouplist  = join ',', ( @$hosts );
+			    my $exclusions = join ',', @{$groupref->{exclusions}};

 			    $grouplist = join '!', ( $grouplist, $exclusions ) if $exclusions;

 			    if ( $family == F_IPV4 ) {
-				$entry .= " $interface:$grouplist";
+				$entry .= " $iref->{physical}:$grouplist";
 			    } else {
-				$entry .= " $interface:<$grouplist>";
+				$entry .= " $iref->{physical}:<$grouplist>";
 			    }
 			}
 		    }
@@ -649,7 +669,7 @@ sub add_group_to_zone($$$$$)

    fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;

-    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions );
+    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions ) || $options->{routeback};

    push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
@@ -708,8 +728,8 @@ sub firewall_zone() {
 #
 sub process_interface( $ ) {
    my $nextinum = $_[0];
-    my $nets;
-    my ($zone, $originalinterface, $networks, $options ) = split_line 2, 4, 'interfaces file';
+    my $netsref = '';
+    my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
    my $zoneref;
    my $bridge = '';

@@ -722,18 +742,21 @@ sub process_interface( $ ) {
 	fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
    }

-    $networks = '' if $networks eq '-';
+    $bcasts = '' if $bcasts eq '-';
    $options  = '' if $options  eq '-';

    my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;

    fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;

-    if ( defined $port ) {
+    if ( defined $port && $port ne '' ) {
 	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
 	fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE};
+
+	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
 	fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
+
 	fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
 	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;

@@ -745,10 +768,6 @@ sub process_interface( $ ) {
 	    }
 	}

-	next if $port eq '';
-
-	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
-
 	$bridge = $interface;
 	$interface = $port;
    } else {
@@ -767,10 +786,11 @@ sub process_interface( $ ) {
 	$root = $interface;
    }

+    my $physical = $interface;
    my $broadcasts;

-    unless ( $networks eq '' || $networks eq 'detect' ) {
-	my @broadcasts = split_list $networks, 'address';
+    unless ( $bcasts eq '' || $bcasts eq 'detect' ) {
+	my @broadcasts = split_list $bcasts, 'address';

 	for my $address ( @broadcasts ) {
 	    fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
@@ -814,12 +834,12 @@ sub process_interface( $ ) {
 		$hostoptions{$option} = 1 if $hostopt;
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
-		fatal_error "Option value for $option must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
-		fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
+		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
+		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
-		fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
+		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
 		if ( $option eq 'arp_ignore' ) {
 		    if ( defined $value ) {
 			if ( $value =~ /^[1-3,8]$/ ) {
@@ -834,15 +854,14 @@ sub process_interface( $ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
-		fatal_error "The $option option requires a value" unless defined $value;
+		$value = $defaultinterfaceoptions{$option} unless defined $value;
+		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
-		fatal_error "Invalid value ($value) for option $option" unless defined $numval;
+		fatal_error "Invalid value ($value) for option $option" unless defined $numval && $numval <= $maxoptionvalue{$option};
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
-		fatal_error "The $option option requires a value" unless defined $value;
-		fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
-		fatal_error "Duplicate $option option" if $nets;
+		fatal_error "The '$option' option requires a value" unless defined $value;
 		#
 		# Remove parentheses from address list if present
 		#
@@ -852,27 +871,54 @@ sub process_interface( $ ) {
 		#
 		$value = join ',' , ALLIP , $value if $value =~ /^!/;

-		if ( $value eq 'dynamic' ) {
-		    require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-		    $value = "+${zone}_${interface}";
-		    $hostoptions{dynamic} = 1;
-		    $ipsets{"${zone}_${interface}"} = 1;
+		if ( $option eq 'nets' ) {
+		    fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
+		    fatal_error "Duplicate $option option" if $netsref;
+		    if ( $value eq 'dynamic' ) {
+			require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
+			$hostoptions{dynamic} = 1;
+			#
+			# Defer remaining processing until we have the final physical interface name
+			#
+			$netsref = 'dynamic';
+		    } else {
+			$hostoptions{multicast} = 1;
+			#
+			# Convert into a Perl array reference
+			#
+			$netsref = [ split_list $value, 'address' ];
+		    }
+		    #
+		    # Assume 'broadcast'
+		    #
+		    $hostoptions{broadcast} = 1;
 		} else {
-		    $hostoptions{multicast} = 1;
+		    assert(0);
+		}
+	    } elsif ( $type == STRING_IF_OPTION ) {
+		fatal_error "The '$option' option requires a value" unless defined $value;
+
+		if ( $option eq 'physical' ) {
+		    fatal_error "Invalid Physical interface name ($value)" unless $value =~ /^[\w.@%-]+\+?$/;
+
+		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
+
+		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
+		    $physical = $value;
+		} else {
+		    assert(0);
 		}
-		#
-		# Convert into a Perl array reference
-		#
-		$nets = [ split_list $value, 'address' ];
-		#
-		# Assume 'broadcast'
-		#
-		$hostoptions{broadcast} = 1;
 	    } else {
 		warning_message "Support for the $option interface option has been removed from Shorewall";
 	    }
 	}

+	if ( $netsref eq 'dynamic' ) {
+	    my $ipset = "${zone}_" . chain_base $physical;
+	    $netsref = [ "+$ipset" ];
+	    $ipsets{$ipset} = 1;
+	}
+
 	$zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback};

 	if ( $options{bridge} ) {
@@ -884,19 +930,20 @@ sub process_interface( $ ) {

    }

-    $interfaces{$interface} = { name       => $interface ,
-				bridge     => $bridge ,
-				nets       => 0 ,
-				number     => $nextinum ,
-				root       => $root ,
-				broadcasts => $broadcasts ,
-				options    => \%options ,
-			        zone       => ''
-			      };
+    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
+						       bridge     => $bridge ,
+						       nets       => 0 ,
+						       number     => $nextinum ,
+						       root       => $root ,
+						       broadcasts => $broadcasts ,
+						       options    => \%options ,
+						       zone       => '',
+						       physical   => $physical
+						     };

    if ( $zone ) {
-	$nets ||= [ allip ];
-	add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref );
+	$netsref ||= [ allip ];
+	add_group_to_zone( $zone, $zoneref->{type}, $interface, $netsref, $hostoptionsref );
 	add_group_to_zone( $zone, 
 			   $zoneref->{type}, 
 			   $interface, 
@@ -949,6 +996,20 @@ sub validate_interfaces_file( $ ) {
    fatal_error "No network interfaces defined" unless @interfaces;
 }

+#
+# Map the passed name to the corresponding physical name in the passed interface
+#
+sub map_physical( $$ ) {
+    my ( $name, $interfaceref ) = @_;
+    my $physical = $interfaceref->{physical};
+    
+    return $physical if $name eq $interfaceref->{name};
+
+    $physical =~ s/\+$//;
+
+    $physical . substr( $name, length  $interfaceref->{root} );
+}  
+
 #
 # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
 #
@@ -963,13 +1024,17 @@ sub known_interface($)

    for my $i ( @interfaces ) {
 	$interfaceref = $interfaces{$i};
-	my $val = $interfaceref->{root};
-	next if $val eq $i;
-	if ( substr( $interface, 0, length $val ) eq $val ) {
+	my $root = $interfaceref->{root};
+	if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
 	    #
-	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces.
+	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces and we do not set the root;
 	    #
-	    return $interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i , number => $interfaceref->{number} };
+	    return $interfaces{$interface} = { options  => $interfaceref->{options}, 
+					       bridge   => $interfaceref->{bridge} , 
+					       name     => $i , 
+					       number   => $interfaceref->{number} ,
+					       physical => map_physical( $interface, $interfaceref )
+					     };
 	}
    }

@@ -1009,6 +1074,23 @@ sub find_interface( $ ) {
    $interfaceref;
 }

+#
+# Returns the physical interface associated with the passed logical name
+#
+sub get_physical( $ ) {
+    $interfaces{ $_[0] }->{physical};
+}
+
+#
+# This one doesn't insist that the passed name be the name of a configured interface
+#
+sub physical_name( $ ) {
+    my $device = shift;
+    my $devref = known_interface $device;
+
+    $devref ? $devref->{physical} : $device;
+}
+
 #
 # Returns true if there are bridge port zones defined in the config
 #
@@ -1049,7 +1131,11 @@ sub find_interfaces_by_option( $ ) {
    my @ints = ();

    for my $interface ( @interfaces ) {
-	my $optionsref = $interfaces{$interface}{options};
+	my $interfaceref = $interfaces{$interface};
+	
+	next unless $interfaceref->{root};
+
+	my $optionsref = $interfaceref->{options};
 	if ( $optionsref && defined $optionsref->{$option} ) {
 	    push @ints , $interface
 	}
@@ -1160,9 +1246,10 @@ sub process_host( ) {

    if ( $hosts eq 'dynamic' ) {
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	$hosts = "+${zone}_${interface}";
+	my $physical = physical_name $interface;
+	$hosts = "+${zone}_${physical}";
 	$optionsref->{dynamic} = 1;
-	$ipsets{"${zone}_${interface}"} = 1;
+	$ipsets{"${zone}_${physical}"} = 1;

    }

@@ -1182,7 +1269,7 @@ sub validate_hosts_file()

    my $fn = open_file 'hosts';

-    first_entry "doing $fn...";
+    first_entry "$doing $fn...";

    $ipsec |= process_host while read_a_line;

--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -61,7 +61,7 @@ sub usage( $ ) {
    [ --family={4|6} ]
 ';

-    $returnval;
+    exit $returnval;
 }

 #
@@ -105,7 +105,7 @@ my $result = GetOptions('h'               => \$help,
 usage(1) unless $result && @ARGV < 2;
 usage(0) if $help;

-compiler( object          => defined $ARGV[0] ? $ARGV[0] : '',
+compiler( script          => defined $ARGV[0] ? $ARGV[0] : '',
 	  directory       => $shorewall_dir,
 	  verbosity       => $verbose,
 	  timestamp       => $timestamp,
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -1,283 +1,6 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
 ###############################################################################
-#
-# Clear Proxy Arp
-#
-delete_proxyarp() {
-    if [ -f ${VARDIR}/proxyarp ]; then
-	while read address interface external haveroute; do
-	    qt arp -i $external -d $address pub
-	    [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
-	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
-	    [ -f $f ] && echo 0 > $f
-	done < ${VARDIR}/proxyarp
-    fi
-
-    rm -f ${VARDIR}/proxyarp
-}
-
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-
-    if [ -n "$DISABLE_IPV6" ]; then
-	if [ -x $IPTABLES ]; then
-    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
-	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
-	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
-	fi
-    fi
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$PRODUCT Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -4 $@; then
-	error_message "ERROR: Command \"$IP -4 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
-#
-# Get a list of all configured broadcast addresses on the system
-#
-get_all_bcasts()
-{
-    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IPTABLES -t mangle -F
-    qt1 $IPTABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IPTABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t raw    -F
-    qt1 $IPTABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IPTABLES -t raw -P $chain ACCEPT
-    done
-
-    run_iptables -t nat -F
-    run_iptables -t nat -X
-
-    for chain in PREROUTING POSTROUTING OUTPUT; do
-	qt1 $IPTABLES -t nat -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t filter -F
-    qt1 $IPTABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IPTABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 #
 # Give Usage Information
 #
@@ -304,6 +27,8 @@ fi
 initialize

 if [ -n "$STARTUP_LOG" ]; then
+    touch $STARTUP_LOG
+    chmod 0600 $STARTUP_LOG
    if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT
@@ -362,6 +87,7 @@ case "$COMMAND" in
 	    status=0
 	else
 	    progress_message3 "Starting $PRODUCT...."
+	    detect_configuration
 	    define_firewall
 	    status=$?
 	    [ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
@@ -371,6 +97,7 @@ case "$COMMAND" in
    stop)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Stopping $PRODUCT...."
+	detect_configuration
 	stop_firewall
 	status=0
 	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
@@ -414,6 +141,7 @@ case "$COMMAND" in
 	    progress_message3 "Starting $PRODUCT...."
 	fi

+	detect_configuration
 	define_firewall
 	status=$?
 	if [ -n "$SUBSYSLOCK" ]; then
@@ -425,6 +153,7 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
 	    progress_message3 "Refreshing $PRODUCT...."
+	    detect_configuration
 	    define_firewall
 	    status=$?
 	    progress_message3 "done."
@@ -435,6 +164,7 @@ case "$COMMAND" in
 	;;
    restore)
 	[ $# -ne 1 ] && usage 2
+	detect_configuration
 	define_firewall
 	status=$?
 	if [ -n "$SUBSYSLOCK" ]; then
--- a/Shorewall/Perl/prog.footer6
+++ b/Shorewall/Perl/prog.footer6
@@ -1,244 +1,6 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer6
 ###############################################################################
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$PRODUCT Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -6 $@; then
-	error_message "ERROR: Command \"$IP -6 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IP6TABLES -t mangle -F
-    qt1 $IP6TABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t raw    -F
-    qt1 $IP6TABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IP6TABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t filter -F
-    qt1 $IP6TABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IP6TABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 #
 # Give Usage Information
 #
@@ -265,6 +27,8 @@ fi
 initialize

 if [ -n "$STARTUP_LOG" ]; then
+    touch $STARTUP_LOG
+    chmod 0600 $STARTUP_LOG
    if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT
@@ -315,7 +79,7 @@ COMMAND="$1"

 [ -n "${PRODUCT:=Shorewall6}" ]

-kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
+kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 if [ $kernel -lt 20624 ]; then
    error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later"
    status=2
@@ -328,6 +92,7 @@ else
 		status=0
 	    else
 		progress_message3 "Starting $PRODUCT...."
+		detect_configuration
 		define_firewall
 		status=$?
 		[ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
@@ -337,6 +102,7 @@ else
 	stop)
 	    [ $# -ne 1 ] && usage 2
 	    progress_message3 "Stopping $PRODUCT...."
+	    detect_configuration
 	    stop_firewall
 	    status=0
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
@@ -379,6 +145,7 @@ else
 		progress_message3 "Starting $PRODUCT...."
 	    fi

+	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
@@ -390,6 +157,7 @@ else
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
 		progress_message3 "Refreshing $PRODUCT...."
+		detect_configuration
 		define_firewall
 		status=$?
 		progress_message3 "done."
@@ -400,6 +168,7 @@ else
 	    ;;
 	restore)
 	    [ $# -ne 1 ] && usage 2
+	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -255,7 +255,7 @@ reload_kernel_modules() {

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset

    MODULES=$(lsmod | cut -d ' ' -f1)

@@ -294,7 +294,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset

    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -1071,6 +1071,283 @@ conditionally_flush_conntrack() {
    fi
 }

+#
+# Clear Proxy Arp
+#
+delete_proxyarp() {
+    if [ -f ${VARDIR}/proxyarp ]; then
+	while read address interface external haveroute; do
+	    qt arp -i $external -d $address pub
+	    [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
+	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
+	    [ -f $f ] && echo 0 > $f
+	done < ${VARDIR}/proxyarp
+    fi
+
+    rm -f ${VARDIR}/proxyarp
+}
+
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
+    if [ -n "$DISABLE_IPV6" ]; then
+	if [ -x $IPTABLES ]; then
+    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
+	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
+	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
+	fi
+    fi
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$PRODUCT Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -4 $@; then
+	error_message "ERROR: Command \"$IP -4 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
+#
+# Get a list of all configured broadcast addresses on the system
+#
+get_all_bcasts()
+{
+    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $IPTABLES -t mangle -F
+    qt1 $IPTABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IPTABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t raw    -F
+    qt1 $IPTABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IPTABLES -t raw -P $chain ACCEPT
+    done
+
+    run_iptables -t nat -F
+    run_iptables -t nat -X
+
+    for chain in PREROUTING POSTROUTING OUTPUT; do
+	qt1 $IPTABLES -t nat -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t filter -F
+    qt1 $IPTABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IPTABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -268,7 +268,7 @@ reload_kernel_modules() {

    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]

-    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched/
    MODULES=$(lsmod | cut -d ' ' -f1)

    for directory in $(split $MODULESDIR); do
@@ -304,7 +304,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]

    [ -z "$MODULESDIR" ] && \
-	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched/

    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -946,6 +946,244 @@ conditionally_flush_conntrack() {
    fi
 }

+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$PRODUCT Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -6 $@; then
+	error_message "ERROR: Command \"$IP -6 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $IP6TABLES -t mangle -F
+    qt1 $IP6TABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t raw    -F
+    qt1 $IP6TABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IP6TABLES -t raw -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t filter -F
+    qt1 $IP6TABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IP6TABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,18 +1,147 @@
-Changes in Shorewall 4.4.1.3
+Changes in Shorewall 4.4.5.5

-1)  Process routestopped during 'check'
+1)  Prevent jump to non-existant chain.

-2)  Apply Jesse Shrieve's patch for SNAT range.
+Changes in Shorewall 4.4.5.4

-Changes in Shorewall 4.4.1.2
+1)  Fix breakage in Shorewall6 'forward' interface option.

-1)  Re-initialize chain table before generating 'stop_firewall()'
+Changes in Shorewall 4.4.5.3

-Changes in Shorewall 4.4.1.1
+1)  Yet another fix for the ^%$& ROUTE_FILTER mess.

-1)  Fixed detection of Persistent SNAT
+Changes in Shorewall 4.4.5.2

-2)  Fix compiler initialization fiasco.
+1)  Allow KERNELVERSION in capabilities file.
+
+Changes in Shorewall 4.4.5.1
+
+1)  Handle rp_filter and kernel's 2.6.31 and later.
+
+Changes in Shorewall 4.4.5
+
+1)  Fix 15-port limit removal change.
+
+2)  Fix handling of interfaces with the 'bridge' option.
+
+3)  Generate error for port number 0
+
+4)  Allow zone::serverport in rules DEST column.
+
+5)  Fix 'show policies' in Shorewall6.
+
+6)  Auto-load tc modules.
+
+7)  Allow LOGFILE=/dev/null
+
+8)  Fix shorewall6-lite/shorecap
+
+9) Fix MODULE_SUFFIX.
+
+10) Fix ENHANCED_REJECT detection for IPv4.
+
+11) Fix DONT_LOAD vs 'reload -c'
+
+12) Fix handling of SOURCE and DEST vs macros.
+
+13) Remove silly logic in expand_rule().
+
+14) Add current and limit to Conntrack Table Heading.
+
+Changes in Shorewall 4.4.4
+
+1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
+
+2)  Fix access to uninitialized variable.
+
+3)  Add logrotate scripts.
+
+4)  Allow long port lists in /etc/shorewall/routestopped.
+
+5)  Implement 'physical' interface option.
+
+6)  Implement ZONE2ZONE option.
+
+7)  Suppress duplicate COMMENT warnings.
+
+8)  Implement 'show policies' command.
+
+9)  Fix route_rule suppression for down provider.
+
+10) Suppress redundant tests for provider availability in route rules
+    processing.
+
+11) Implement the '-l' option to the 'show' command.
+
+12) Fix class number assignment when WIDE_TC_MARKS=Yes
+
+13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes
+
+Changes in Shorewall 4.4.3
+
+1)  Move Debian INITLOG initialization to /etc/default/shorewall
+
+2)  Fix 'routeback' in /etc/shorewall/routestopped.
+
+3)  Rename 'object' to 'script' in compiler and config modules.
+
+4)  Correct RETAIN_ALIASES=No.
+
+5)  Fix detection of IP config.
+
+6)  Fix nested zones.
+
+7)  Move all function declarations from prog.footer to prog.header
+
+8)  Remove superfluous variables from generated script
+
+9)  Make 'track' the default.
+
+10)  Add TRACK_PROVIDERS option.
+
+11)  Fix IPv6 address parsing bug.
+
+12)  Add hack to work around iproute IPv6 bug in route handling
+
+13)  Correct messages issued when an optional provider is not usable.
+
+14)  Fix optional interfaces.
+
+15)  Add 'limit' option to tcclasses.
+
+Changes in Shorewall 4.4.2
+
+1)  BUGFIX: Correct detection of Persistent SNAT support
+
+2)  BUGFIX: Fix chain table initialization
+
+3)  BUGFIX: Validate routestopped file on 'check'
+
+4)  Let the Actions module add the builtin actions to
+    %Shorewall::Chains::targets. Much better modularization that way.
+
+5)  Some changes to make Lenny->Squeeze less painful.
+
+6)  Allow comments at the end of continued lines.
+
+7)  Call process_routestopped() during 'check' rather than
+    'compile_stop_firewall()'.
+
+8)  Don't look for an extension script for built-in actions.
+
+9)  Apply Jesse Shrieve's patch for SNAT range.
+
+10) Add -<family> to 'ip route del default' command.
+
+11) Add three new columns to macro body.
+
+12) Change 'wait4ifup' so that it requires no PATH
+
+13) Allow extension scripts for accounting chains.
+
+14) Allow per-ip LIMIT to work on ancient iptables releases.
+
+15) Add 'MARK' column to action body.

 Changes in Shorewall 4.4.1

@@ -63,7 +192,7 @@ Changes in Shorewall 4.4.0

 5)  Fix 'upnpclient' with required interfaces.

-5)  Fix provider number in masq file.
+6)  Fix provider number in masq file.

 Changes in Shorewall 4.4.0-RC2

--- a/Shorewall/configfiles/findgw
+++ b/Shorewall/configfiles/findgw
@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - Filegw File
+# Shorewall version 4 - Findgw File
 #
 # /etc/shorewall/findgw
 #
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -32,9 +32,9 @@ VERBOSITY=1

 LOGFILE=/var/log/messages

-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log

-LOG_VERBOSITY=
+LOG_VERBOSITY=2

 LOGFORMAT="Shorewall:%s:%s:"

@@ -189,6 +189,10 @@ AUTOMAKE=No

 WIDE_TC_MARKS=No

+TRACK_PROVIDERS=No
+
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall/default.debian
+++ b/Shorewall/default.debian
@@ -21,4 +21,9 @@ startup=0

 OPTIONS=""

+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
 # EOF
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -15,13 +15,11 @@
 SRWL=/sbin/shorewall
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
-# Note, set INITLOG to /dev/null if you want to
-# use Shorewall's STARTUP_LOG feature.
-INITLOG=/var/log/shorewall-init.log
+test -n ${INITLOG:=/var/log/shorewall-init.log}

 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
@@ -49,7 +47,7 @@ not_configured () {
 	then
 		echo ""
 		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall-common/README.Debian.gz."
+		echo "/usr/share/doc/shorewall/README.Debian.gz."
 	fi
 	echo "#################"
 	exit 0
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.1.2
+VERSION=4.4.5.5

 usage() # $1 = exit status
 {
@@ -176,7 +176,7 @@ else
    fi

    if [ -z "$CYGWIN" ]; then
-	if [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
+	if [ -f /etc/debian_version ]; then
 	    DEBIAN=yes
 	elif [ -f /etc/slackware-version ] ; then
 	    echo "installing Slackware specific configuration..."
@@ -242,6 +242,12 @@ mkdir -p ${PREFIX}/var/lib/shorewall
 chmod 755 ${PREFIX}/etc/shorewall
 chmod 755 ${PREFIX}/usr/share/shorewall
 chmod 755 ${PREFIX}/usr/share/shorewall/configfiles
+
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
+fi
+    
 #
 # Install the config file
 #
@@ -453,6 +459,15 @@ if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/blacklist ]; then
    echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
 fi
 #
+# Install the findgw file
+#
+run_install $OWNERSHIP -m 0644 configfiles/findgw ${PREFIX}/usr/share/shorewall/configfiles/findgw
+
+if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/findgw ]; then
+    run_install $OWNERSHIP -m 0600 configfiles/findgw ${PREFIX}/etc/shorewall/findgw
+    echo "Find GW file installed as ${PREFIX}/etc/shorewall/findgw"
+fi
+#
 # Delete the Routes file
 #
 delete_file ${PREFIX}/etc/shorewall/routes
@@ -783,6 +798,16 @@ cd ..

 echo "Man Pages Installed"

+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall"
+fi
+
+if [ -z "$PREFIX" ]; then
+    rm -rf /usr/share/shorewall-perl
+    rm -rf /usr/share/shorewall-shell
+fi
+
 if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
    if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@@ -1,22 +1,53 @@
-1)  The compiler's detection of Persistent SNAT support is broken.
+1)  In kernel 2.6.31, the handling of the rp_filter interface option was
+    changed incompatibly. Previously, the effective value was determined
+    by the setting of net.ipv4.config.dev.rp_filter logically ANDed with
+    the setting of net.ipv4.config.all.rp_filter.

-    Fixed in Shorewall 4.4.1.1
+    Beginning with kernel 2.6.31, the value is the arithmetic MAX of
+    those two values. 

-2)  Initialization of the compiler's chain table was broken in ways
-    that prevented some features from working.
+    Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
+    there are any interfaces specifying 'routefilter', specifying
+    'routefilter' on any interface has the effect of setting the option
+    on all interfaces.

-    Fixed in Shorewall 4.4.1.1
+    A workaround for this problem is included in Shorewall 4.4.5.1.

-3)  Initialization of the compiler's chain table was still broken.
+2)  When using an up-to-date capabilities file with Shorewall 4.4.5.1, the
+    following warning messages were issued.

-    Fixed in Shorewall 4.4.1.2.
+       WARNING: Unknown capability (KERNELVERSION) 
+         ignored : /etc/shorewall2/capabilities (line 49)
+       WARNING: Your capabilities file does not contain a Kernel Version --
+         using 2.6.30

-4)  It is currently not possible to specify an address range in the
-    ADDRESS column of /etc/shorewall/masq.
+    This defect was corrected in 4.4.5.2.

-    Fixed in Shorewall 4.4.1.3.
+3)  'shorewall6 start' on Shorewall 4.4.5.2 generates a Perl run-time
+    error. Also, handling of ROUTE_FILTER on kernel 2.6.31 and later
+    was broken.

-5)  The routestopped file is not being verified by 'shorewall check'.
+    This was fixed in 4.4.5.3.

-    Fixed in Shorewall 4.4.1.3.
+4)  With Shorewall 4.4.5.3, using a capabilities file with Shorewall6
+    will result in the following warnings during compilation:

+       WARNING: Your capabilities file is out of date -- it does not
+          contain all of the capabilities defined by Shorewall6 version
+          4.4.5.3
+
+       WARNING: Your capabilities file does not contain a Kernel
+          Version -- using 2.6.30
+
+    Corrected in 4.4.5.4.
+
+5)  The change in Shorewall 4.4.5.1 broke the 'forward' interface
+    option in Shorewall6.
+
+    Corrected in 4.4.5.4.
+
+6)  Under circumstances, the Netfilter ruleset generated by Shorewall
+    can include jumps to non-existent chains. This problem was
+    apparently introduced between 4.4.0 and 4.4.5.
+
+    Corrected in 4.4.5.5.
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -30,7 +30,7 @@
 #

 SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40401
+SHOREWALL_CAPVERSION=40406

 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -220,7 +220,7 @@ reload_kernel_modules() {

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset

    MODULES=$(lsmod | cut -d ' ' -f1)

@@ -259,7 +259,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset

    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -945,7 +945,11 @@ determine_capabilities() {
    qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
    qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
    qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-    qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    if [ -z "$HASHLIMIT_MATCH" ]; then
+	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && NEW_HL_MATCH=Yes
+	HASHLIMIT_MATCH=$OLD_HL_MATCH
+    fi	
    qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
    qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
    qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -961,6 +965,7 @@ determine_capabilities() {
    qt $IPTABLES -X $chain1

    CAPVERSION=$SHOREWALL_CAPVERSION
+    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }

 report_capabilities() {
@@ -1011,6 +1016,7 @@ report_capabilities() {
 	report_capability "Address Type Match" $ADDRTYPE
 	report_capability "TCPMSS Match" $TCPMSS_MATCH
 	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
+	report_capability "Old Hashlimit Match" $OLD_HL_MATCH
 	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
 	report_capability "Realm Match" $REALM_MATCH
 	report_capability "Helper Match" $HELPER_MATCH
@@ -1069,6 +1075,7 @@ report_capabilities1() {
    report_capability1 ADDRTYPE
    report_capability1 TCPMSS_MATCH
    report_capability1 HASHLIMIT_MATCH
+    report_capability1 OLD_HL_MATCH
    report_capability1 NFQUEUE_TARGET
    report_capability1 REALM_MATCH
    report_capability1 HELPER_MATCH
@@ -1081,6 +1088,7 @@ report_capabilities1() {
    report_capability1 PERSISTENT_SNAT
    
    echo CAPVERSION=$SHOREWALL_CAPVERSION
+    echo KERNELVERSION=$KERNELVERSION
 }

 # Function to truncate a string -- It uses 'cut -b -<n>'
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -430,6 +430,10 @@ show_command() {
 			    option=
 			    shift
 			    ;;
+			l*)
+			    IPT_OPTIONS1="--line-numbers"
+			    option=${option#l}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -443,11 +447,15 @@ show_command() {
 	esac
    done

+    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
+
    [ -n "$debugging" ] && set -x
    case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"
+	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+	    echo "$PRODUCT $version Connections ($count out of $max) at $HOSTNAME - $(date)"
 	    echo
 	    [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
 	    ;;
@@ -560,6 +568,12 @@ show_command() {
 	vardir)
 	    echo $VARDIR;
 	    ;;
+	policies)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$PRODUCT $version Policies at $HOSTNAME - $(date)"
+	    echo
+	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
+	    ;;
 	*)
 	    if [ "$PRODUCT" = Shorewall ]; then
 		case $1 in
@@ -673,6 +687,10 @@ dump_command() {
 			    SHOWMACS=Yes
 			    option=${option#m}
 			    ;;
+			l*)
+			    IPT_OPTIONS1="--line-numbers"
+			    option=${option#l}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -686,6 +704,8 @@ dump_command() {
 	esac
    done

+    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
+
    [ $VERBOSE -lt 2 ] && VERBOSE=2

    [ -n "$debugging" ] && set -x
@@ -710,7 +730,10 @@ dump_command() {
    heading "Raw Table"
    $IPTABLES -t raw -L $IPT_OPTIONS

-    heading "Conntrack Table"
+    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+
+    heading "Conntrack Table ($count out of $max)"
    [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack

    heading "IP Configuration"
--- a/Shorewall/logrotate
+++ b/Shorewall/logrotate
@@ -0,0 +1,5 @@
+/var/log/shorewall-init.log {
+  missingok
+  notifempty
+  create 0600 root root
+}
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,4 +1,4 @@
-Shorewall 4.4.1 patch release 3
+Shorewall 4.4.5 Patch Release 5.

 ----------------------------------------------------------------------------
               R E L E A S E  4 . 4  H I G H L I G H T S
@@ -66,10 +66,9 @@ Shorewall 4.4.1 patch release 3
       WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell
                support has been removed in this release.

-    b) Review the incompatibilities between Shorewall-shell and
-       Shorewall-perl at
-       http://www.shorewall.net/Shorewall-perl.html#Incompatibilities
-       and make changes to your configuration as necessary.
+    b) Review the migration issues at
+       http://www.shorewall.net/LennyToSqueeze.html and make changes as
+       required.

    We strongly recommend that you migrate to Shorewall-perl on your
    current Shorewall version before upgrading to Shorewall 4.4.0. That
@@ -105,7 +104,7 @@ Shorewall 4.4.1 patch release 3
             starts/restarts

    To avoid this warning, replace interface names by the corresponding
-    network addresses (e.g., 192.168.144.0/24).
+    network(s) in CIDR format (e.g., 192.168.144.0/24).

 6)  Previously, Shorewall has treated traffic shaping class IDs as
    decimal numbers (or pairs of decimal numbers). That worked fine
@@ -171,62 +170,137 @@ Shorewall 4.4.1 patch release 3
    then it may have no additional members in /etc/shorewall/hosts.

 ----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 3
----------------------------------------------------------------------------
-1)  The routestopped file wasn't verified during 'shorewall check' and
-    'shorewall6 check'.
-
-2)  Previously, it was not possible to specify an IP address range in
-    ADDRESS column of /etc/shorewall/masq. Thanks go to Jessee Shrieve
-    for the patch.
-
----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 2
----------------------------------------------------------------------------
-1)  The compiler's chain table was not being re-initialized prior to
-    creating the stop_firewall() function, resulting in Perl run-time
-    errors.
----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 . 1
----------------------------------------------------------------------------
-1)  Detection of Persistent SNAT support was broken in the compiler.
-
-2)  Initialization of the compiler's chain table was broken in ways
-    that made some features not work and that caused Perl runtime errors.
-
----------------------------------------------------------------------------
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5 . 5
 ----------------------------------------------------------------------------

-1)  If ULOG was specified as the LOG LEVEL in the all->all policy, the
-    rules at the end of the INPUT and OUTPUT chains would still use the
-    LOG target rather than ULOG.
+1)  Under rare circumstances, the Netfilter ruleset generated by
+    Shorewall could include jumps to non-exitent chains.

-2)  Using CONTINUE policies with a nested IPSEC zone was still broken
-    in some cases.
+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5 . 4
+----------------------------------------------------------------------------

-3)  The setting of IP_FORWARDING has been change to Off in the
-    one-interface sample configuration since forwarding is typically
-    not required with only a single interface.
+1)  With Shorewall 4.4.5.3, using a capabilities file with Shorewall6
+    will result in the following warnings during compilation:

-4)  If MULTICAST=Yes in shorewall.conf, multicast traffic was
-    incorrectly exempted from ACCEPT policies.
+       WARNING: Your capabilities file is out of date -- it does not
+          contain all of the capabilities defined by Shorewall6 version
+          4.4.5.3

-5)  Previously, the definition of a zone that specified "nets=" in
-    /etc/shorewall/interfaces could not be extended by entries in
-    /etc/shorewall/hosts.
+       WARNING: Your capabilities file does not contain a Kernel
+          Version -- using 2.6.30

-6)  Previously, "nets=" could be specified in a multi-zone interface
-    definition ("-" in the ZONES column) in /etc/shorewall/zones. This
-    now raises a fatal compilation error.
+2)  The change in Shoreawll 4.4.5.1 broke the 'forward' interface
+    option in Shorewall6.

-7)  MULTICAST=Yes generates an incorrect rule that limits its
-    effectiveness to a small part of the multicast address space.
+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5 . 3
+----------------------------------------------------------------------------

-8)  Checking for zone membership has been tighened up. Previously, 
-    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
-    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
-    then it may have no additional members in /etc/shorewall/hosts.
+1)  'shorewall6 start' on Shorewall 4.4.5.2 generates a Perl run-time
+    error. Also, handling of ROUTE_FILTER on kernel 2.6.31 and later
+    was broken.
+
+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5 . 2
+----------------------------------------------------------------------------
+
+1)  When using an up-to-date capabilities file with Shorewall 4.4.5.1, the
+    following warning messages were issued.
+
+       WARNING: Unknown capability (KERNELVERSION) 
+         ignored : /etc/shorewall2/capabilities (line 49)
+       WARNING: Your capabilities file does not contain a Kernel Version --
+         using 2.6.30
+
+----------------------------------------------------------------------------
+        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5 . 1
+----------------------------------------------------------------------------
+
+1)  In kernel 2.6.31, the handling of the rp_filter interface option was
+    changed incompatibly. Previously, the effective value was determined
+    by the setting of net.ipv4.config.dev.rp_filter logically ANDed with
+    the setting of net.ipv4.config.all.rp_filter.
+
+    Beginning with kernel 2.6.31, the value is the arithmetic MAX of
+    those two values. 
+
+    Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
+    there are any interfaces specifying 'routefilter', specifying
+    'routefilter' on any interface has the effect of setting the option
+    on all interfaces.
+
+    To allow Shorewall to handle this issue, a number of changes were
+    necessary:
+
+    a)  There is no way to safely determine if a kernel supports the
+        new semantics or the old so the Shorewall compiler uses the
+        kernel version reported by uname.
+
+    b)  This means that the kernel version is now recorded in
+        the capabilities file. So if you use capabilities files, you
+        need to regenerate the files with Shorewall[-lite] 4.4.5.1.
+
+    c)  If the capabilities file does not contain a kernel version,
+        the compiler assumes version 2.6.30 (the old rp_filter
+        behavior).
+
+    d)  The ROUTE_FILTER option in shorewall.conf now accepts the
+    	following values:
+
+	0 or No  - Shorewall sets net.ipv4.config.all.rp_filter to 0.
+	1 or Yes - Shorewall sets net.ipv4.config.all.rp_filter to 1.
+	2        - Shorewall sets net.ipv4.config.all.rp_filter to 2.
+	Keep	 - Shorewall does not change the setting of
+	           net.ipv4.config.all.rp_filter if the kernel version
+		   is 2.6.31 or later.
+        
+	The default remains Keep.
+
+    e)  The 'routefilter' interface option can have values 0,1 or 2. If
+    	'routefilter' is specified without a value, the value 1 is
+    	assumed. 
+
+----------------------------------------------------------------------------
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 5
+----------------------------------------------------------------------------
+
+1)  The change which removed the 15 port limitation on
+    /etc/shorewall/routestopped was incomplete. The result was that if
+    more than 15 ports were listed, an error was generated.
+
+2)  If any interfaces had the 'bridge' option specified, compilation
+    failed with the error:
+
+    Undefined subroutine &Shorewall::Rules::match_source_interface called 
+    at /usr/share/shorewall/Shorewall/Rules.pm line 2319.
+
+3)  The compiler now flags port number 0 as an error in all
+    contexts. Previously, port 0 was allowed with the result that
+    invalid iptables-restore input could be generated in some cases.
+
+4)  The 'show policies' command now works in Shorewall6 and
+    Shorewall6-lite.
+
+5)  Traffic shaping modules from /lib/modules/<version>/net/sched/ are
+    now correctly loaded. Previously, that directory was not
+    searched. Additionally, Shorewall6 now tries to load the cls_flow
+    module; previously, only Shorewall attempts to load that module.
+
+6)  The Shorewall6-lite shorecap program was previously including the
+    IPv4 base library rather than the IPv6 version. Also, Shorewall6
+    capability detection was determing the availablity of the mangle
+    capability before it had determined if ip6tables was installed.
+
+7)  The setting of MODULE_SUFFIX was previously ignored except when
+    compiling for export.
+
+8)  Detection of the Enhanced Reject capability in the compiler was
+    broken for IPv4 compilations.
+
+9)  The 'reload -c' command would ignore the setting of DONT_LOAD in
+    shorewall.conf. The 'reload' command without '-c' worked as
+    expected. 

 ----------------------------------------------------------------------------
             K N O W N   P R O B L E M S   R E M A I N I N G
@@ -235,66 +309,40 @@ Shorewall 4.4.1 patch release 3
 None.

 ----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 1
+                N E W   F E A T U R E S   I N   4 . 4 . 5
 ----------------------------------------------------------------------------

-1)  To replace the SAME keyword in /etc/shorewall/masq, support has
-    been added for 'persistent' SNAT. Persistent SNAT is required when
-    an address range is specified in the ADDRESS column and when you
-    want a client to always receive the same source/destination IP
-    pair. It replaces SAME: which was removed in Shorewall 4.4.0.
-
-    To specify persistence, follow the address range with
-    ":persistent".
+1)  Shorewall now allows DNAT rules that change only the destination
+    port.

    Example:

-    #INTERFACE	SOURCE	   ADDRESS
-    eth0	0.0.0.0/0  206.124.146.177-206.124.146.179:persistent
+	DNAT	loc	net::456	udp	234

-    This feature requires Persistent SNAT support in your kernel and
-    iptables. 
+    That rule will modify the destination port in UDP packets received
+    from the 'loc' zone from 456 to 234. Note that if the destination
+    is the firewall itself, then the destination port will be rewritten
+    but that no ACCEPT rule from the loc zone to the $FW zone will have
+    been created to handle the request. So such rules should probably
+    exclude the firewall's IP addresses in the ORIGINAL DEST column.

-    If you use a capabilities file, you will need to create a new one
-    as a result of this feature.
+2)  Systems that do not log Netfilter messages locally can now set
+    LOGFILE=/dev/null in shorewall.conf.

-    WARNING: Linux kernels beginning with 2.6.29 include persistent
-    SNAT support. If your iptables supports persistent SNAT but your
-    kernel does not, there is no way for Shorewall to determine that
-    persistent SNAT isn't going to work. The kernel SNAT code blindly
-    accepts all SNAT flags without verifying them and returns them to
-    iptables when asked.
+3)  The 'shorewall show connections' and 'shorewall dump' commands now
+    display the current number of connections and the max supported
+    connections.

-2)  A 'clean' target has been added to the Makefiles. It removes backup
-    files (*~ and .*~). 
+    Example:

-3)  The meaning of 'full' has been redefined when used in the context
-    of a traffic shaping sub-class. Previously, 'full' always meant the
-    OUT-BANDWIDTH of the device. In the case of a sub-class, however,
-    that definition is awkward to use because the sub-class is limited
-    by the parent class.
+	shorewall show connections
+    	Shorewall 4.5.0 Connections (62 out of 65536) at gateway - Sat ...

-    Beginning with this release, 'full' in a sub-class definition
-    refers to the specified rate defined for the parent class. So
-    'full' used in the RATE column refers to the parent class's RATE;
-    when used in the CEIL column, 'full' refers to the parent class's
-    CEIL.
-
-    As part of this change, the compiler now issues a warning if the
-    sum of the top-level classes' RATEs exceeds the OUT-BANDWIDTH of
-    the device. Similarly, a warning is issued if the sum of the RATEs
-    of a class's sub-classes exceeds the rate of the CLASS.
-
-4)  When 'nets=<network>' or 'nets=(<net1>,<net2>,...) is specified in
-    /etc/shorewall/interfaces, multicast traffic will now be sent to
-    the zone along with limited broadcasts.
-
-5)  A flaw in the parsing logic for the zones file allowed most zone
-    types containing the character string 'ip' to be accepted as a
-    synonym for 'ipv4' (or ipv6 if compiling an IPv6 configuration).
+    In that case, there were 62 current connections out of a maximum
+    number supported of 65536.

 ----------------------------------------------------------------------------
-                 N E W   F E A T U R E S   I N   4 . 4
+                N E W   F E A T U R E S   I N   4 . 4 . 0
 ----------------------------------------------------------------------------

 1)  The Shorewall packaging has been completely revamped in Shorewall
@@ -303,7 +351,7 @@ None.
    The new packages are:

    - Shorewall.   Includes the former Shorewall-common and
-                   Shorewall-perl packages. Has everything needed
+                   Shorewall-perl packages. Includes everything needed
                   to create an IPv4 firewall.

 		   Shorewall-shell is no longer available.
@@ -942,3 +990,472 @@ None.
    the iptables utility is discovered using the PATH setting, then
    ip6tables in the same directory as the discovered iptables will be
    used.
+
+28) A 'flow=<keys>' option has been added to the
+    /etc/shorewall/tcclasses OPTIONS column.
+
+    Shorewall attaches an SFQ queuing discipline to each leaf HTB
+    and HFSC class. SFQ ensures that each flow gets equal access to the
+    interface. The default definition of a flow corresponds roughly to
+    a Netfilter connection. So if one internal system is running
+    BitTorrent, for example, it can have lots of 'flows' and can thus
+    take up a larger share of the bandwidth than a system having only a
+    single active connection. The flow classifier (module cls_flow)
+    works around this by letting you define what a 'flow' is.
+
+    The clasifier must be used carefully or it can block off all
+    traffic on an interface!
+
+    The flow option can be specified for an HTB or HFSC leaf class (one
+    that has no sub-classes). We recommend that you use the following:
+
+    	Shaping internet-bound traffic: flow=nfct-src
+	Shaping traffic bound for your local net: flow=dst
+
+    These will cause a 'flow' to consists of the traffic to/from each
+    internal system.
+
+    When more than one key is give, they must be enclosed in
+    parenthesis and separated by commas.
+
+    To see a list of the possible flow keys, run this command:
+
+       tc filter add flow help
+
+    Those that begin with "nfct-" are Netfilter connection tracking
+    fields. As shown above, we recommend flow=nfct-src; that means that
+    we want to use the source IP address before SNAT as the key.
+
+    Note: Shorewall cannot determine ahead of time if the flow
+    classifier is available in your kernel (especially if it was built
+    into the kernel as opposed to being loaded as a
+    module). Consequently, you should check ahead of time to ensure
+    that both your kernel and 'tc' utility support the feature.
+
+    You can test the 'tc' utility by typing (as root):
+
+    	tc filter add flow help
+
+    If flow is supported, you will see:
+
+       Usage: ... flow ...
+
+       	      [mapping mode]: map key KEY [ OPS ] ...
+ 	      [hashing mode]: hash keys KEY-LIST ...
+
+       ...
+
+    If flow is not supported, you will see:
+
+       Unknown filter "flow", hence option "help" is unparsable
+    
+    If your kernel supports module autoloading, just type (as root):
+
+       modprobe cls_flow
+
+    If 'flow' is supported, no output is produced; otherwise, you will
+    see:
+
+       FATAL: Module cls_flow not found.
+    
+    If your kernel is not modularized or does not support module
+     autoloading, look at your kernel configuration (either
+    /proc/config.gz or the .config file in
+    /lib/modules/<kernel-version>/build/
+
+    If 'flow' is supported, you will see:
+
+       NET_CLS_FLOW=m 
+
+    or
+
+       NET_CLS_FLOW=y
+
+    For modularized kernels, Shorewall will attempt to load
+    /lib/modules/<kernel-version>/net/sched/cls_flow.ko by default.
+       
+----------------------------------------------------------------------------
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1
+----------------------------------------------------------------------------
+
+1)  If ULOG was specified as the LOG LEVEL in the all->all policy, the
+    rules at the end of the INPUT and OUTPUT chains would still use the
+    LOG target rather than ULOG.
+
+2)  Using CONTINUE policies with a nested IPSEC zone was still broken
+    in some cases.
+
+3)  The setting of IP_FORWARDING has been change to Off in the
+    one-interface sample configuration since forwarding is typically
+    not required with only a single interface.
+
+4)  If MULTICAST=Yes in shorewall.conf, multicast traffic was
+    incorrectly exempted from ACCEPT policies.
+
+5)  Previously, the definition of a zone that specified "nets=" in
+    /etc/shorewall/interfaces could not be extended by entries in
+    /etc/shorewall/hosts.
+
+6)  Previously, "nets=" could be specified in a multi-zone interface
+    definition ("-" in the ZONES column) in /etc/shorewall/zones. This
+    now raises a fatal compilation error.
+
+7)  MULTICAST=Yes generates an incorrect rule that limits its
+    effectiveness to a small part of the multicast address space.
+
+8)  Checking for zone membership has been tighened up. Previously, 
+    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
+    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
+    then it may have no additional members in /etc/shorewall/hosts.
+
+----------------------------------------------------------------------------
+                N E W   F E A T U R E S   I N   4 . 4 . 1
+----------------------------------------------------------------------------
+
+1)  To replace the SAME keyword in /etc/shorewall/masq, support has
+    been added for 'persistent' SNAT. Persistent SNAT is required when
+    an address range is specified in the ADDRESS column and when you
+    want a client to always receive the same source/destination IP
+    pair. It replaces SAME: which was removed in Shorewall 4.4.0.
+
+    To specify persistence, follow the address range with
+    ":persistent".
+
+    Example:
+
+    #INTERFACE	SOURCE	   ADDRESS
+    eth0	0.0.0.0/0  206.124.146.177-206.124.146.179:persistent
+
+    This feature requires Persistent SNAT support in your kernel and
+    iptables. 
+
+    If you use a capabilities file, you will need to create a new one
+    as a result of this feature.
+
+    WARNING: Linux kernels beginning with 2.6.29 include persistent
+    SNAT support. If your iptables supports persistent SNAT but your
+    kernel does not, there is no way for Shorewall to determine that
+    persistent SNAT isn't going to work. The kernel SNAT code blindly
+    accepts all SNAT flags without verifying them and returns them to
+    iptables when asked.
+
+2)  A 'clean' target has been added to the Makefiles. It removes backup
+    files (*~ and .*~). 
+
+3)  The meaning of 'full' has been redefined when used in the context
+    of a traffic shaping sub-class. Previously, 'full' always meant the
+    OUT-BANDWIDTH of the device. In the case of a sub-class, however,
+    that definition is awkward to use because the sub-class is limited
+    by the parent class.
+
+    Beginning with this release, 'full' in a sub-class definition
+    refers to the specified rate defined for the parent class. So
+    'full' used in the RATE column refers to the parent class's RATE;
+    when used in the CEIL column, 'full' refers to the parent class's
+    CEIL.
+
+    As part of this change, the compiler now issues a warning if the
+    sum of the top-level classes' RATEs exceeds the OUT-BANDWIDTH of
+    the device. Similarly, a warning is issued if the sum of the RATEs
+    of a class's sub-classes exceeds the rate of the CLASS.
+
+4)  When 'nets=<network>' or 'nets=(<net1>,<net2>,...) is specified in
+    /etc/shorewall/interfaces, multicast traffic will now be sent to
+    the zone along with limited broadcasts.
+
+5)  A flaw in the parsing logic for the zones file allowed most zone
+    types containing the character string 'ip' to be accepted as a
+    synonym for 'ipv4' (or ipv6 if compiling an IPv6 configuration).
+
+----------------------------------------------------------------------------
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2
+----------------------------------------------------------------------------
+
+1)  Detection of Persistent SNAT was broken in the rules compiler. 
+
+2)  Initialization of the compiler's chain table was occurring before 
+    shorewall.conf had been read and before the capabilities had been
+    determined. This could lead to incorrect rules and Perl runtime
+    errors.
+
+3)  The 'shorewall check' command previously did not detect errors in
+    /etc/shorewall/routestopped.
+
+4)  In earlier versions, if a file with the same name as a built-in
+    action were present in the CONFIG_PATH, then the compiler would
+    process that file like it was an extension script.
+
+    The compiler now ignores the presence of such files.
+
+5)  Several configuration issues which previously produced an error or
+    warning are now handled differently.
+
+    a)  MAPOLDACTIONS=Yes and MAPOLDACTIONS= in shorewall.conf are now
+        handled as they were by the old shell-based compiler. That is,
+        they cause pre-3.0 built-in actions to be mapped automatically
+        to the corresponding macro invocation.
+
+    b)  SAVE_IPSETS=Yes no longer produces a fatal error -- it is now a
+        warning.
+
+    c)  DYNAMIC_ZONES=Yes no longer produces a fatal error -- it is now
+        a warning.
+
+    d)  RFC1918_STRICT=Yes no longer produces a fatal error -- it is now
+        a warning.
+
+6)  Previously, it was not possible to specify an IP address range in
+    the ADDRESS column of /etc/shorewall/masq. Thanks go to Jessee
+    Shrieve for the patch.
+
+7)  The 'wait4ifup' script included for Debian compatibility now runs
+    correctly with no PATH.
+
+8)  The new per-IP LIMIT feature now works with ancient iptables
+    releases (e.g., 1.3.5 as found on RHEL 5). This change required
+    testing for an additional capability which means that those who use
+    a capabilities file should regenerate that file after installing
+    4.4.2.
+
+9)  One unintended difference between Shorewall-shell and
+    Shorewall-perl was that Shorewall-perl did not support the MARK
+    column in action bodies. This has been corrected.
+
+----------------------------------------------------------------------------
+                N E W   F E A T U R E S   I N   4 . 4 . 2
+----------------------------------------------------------------------------
+
+1)  Prior to this release, line continuation has taken precedence over 
+    #-style comments. This prevented us from doing the following:
+
+    	    ACCEPT    net:206.124.146.176,\   #Gateway
+	    	          206.124.146.177,\   #Mail
+			  206.124.146.178\    #Server
+			  		      ...
+    
+    Now, unless a line ends with '\', any trailing comment is stripped
+    off (including any white-space preceding the '#'). Then if the line
+    ends with '\', it is treated as a continuation line as normal.
+
+2)  Three new columns have been added to FORMAT-2 macro bodies.
+
+    	  MARK
+	  CONNLIMIT
+	  TIME
+
+    These three columns correspond to the similar columns in
+    /etc/shorewall/rules and must be empty in macros invoked from an
+    action.
+
+3)  Accounting chains may now have extension scripts. Simply place your
+    Perl script in the file /etc/shorewall/<chain> and when the
+    accounting chain named <chain> is created, your script will be
+    invoked.
+
+    As usual, the variable $chainref will contain a reference to the
+    chain's table entry.
+
+----------------------------------------------------------------------------
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 3
+----------------------------------------------------------------------------
+
+1.  Previously, if 'routeback' was specified in /etc/shorewall/routestopped:
+
+    a) 'shorewall check' produced an internal error
+    b) The 'routeback' option didn't work
+
+2)  If an alias IP address was added and RETAIN_ALIASES=No in
+    shorewall.conf, then a compiler internal error resulted.
+
+3)  Previously, the generated script would try to detect the values
+    for all run-time variables (such as IP addresses), regardless of
+    what command was being executed. Now, this information is only
+    detected when it is needed.
+
+4)  Nested zones where the parent zone was defined by a wildcard
+    interface (name ends with +) in /etc/shorewall/interfaces did
+    not work correctly in some cases.
+
+5)  IPv4 addresses embedded in IPv6 (e.g., ::192.168.1.5) were
+    incorrectly reported as invalid.
+
+6)  Under certain circumstances, optional providers were not detected
+    as being usable.
+
+    Additionally, the messages issued when an optional provider was not
+    usable were confusing; the message intended to be issued when the
+    provider shared an interface ("WARNING: Gateway <gateway> is not
+    reachable -- Provider <name> (<number>) not Added") was being
+    issued when the provider did not share an interface. Similarly, the
+    message intended to be issued when the provider did not share an
+    interface ("WARNING: Interface <interface> is not usable --
+    Provider <name> (<number>) not Added") was being issued when the
+    provider did share an interface.
+
+----------------------------------------------------------------------------
+                N E W   F E A T U R E S   I N   4 . 4 . 3
+----------------------------------------------------------------------------
+
+1)  On Debian systems, a default installation will now set
+    INITLOG=/dev/null in /etc/default/shorewall. In all configurations,
+    the default values for the log variables are changed to:
+
+    	STARTUP_LOG=/var/log/shorewall-init.log
+	LOG_VERBOSITY=2
+
+    The effect is much the same as the old defaults, with the exception 
+    that:
+
+	a) Start, stop, etc. commands issued through /sbin/shorewall
+	   will be logged.
+	b) Logging will occur at maximum verbosity.
+	c) Log entries will be date/time stamped.
+
+    On non-Debian systems, new installs will now log all Shorewall 
+    commands to /var/log/shorewall-init.log.
+
+2)  A new TRACK_PROVIDERS option has been added in shorewall.conf.
+    The value of this option becomes the default for the 'track'
+    provider option in /etc/shorewall/providers.
+
+3)  A new 'limit' option has been added to
+    /etc/shorewall/tcclasses. This option specifies the number of
+    packets that are allowed to be queued within the class. Packets
+    exceeding this limit are dropped. The default value is 127 which is
+    the value that earlier versions of Shorewall used.  The option is
+    ignored with a warning if the 'pfifo' option has been specified.
+----------------------------------------------------------------------------
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 4
+----------------------------------------------------------------------------
+
+1)  In some simple one-interface configurations, the following Perl
+    run-time error messages were issued:
+
+      Generating Rule Matrix...
+      Use of uninitialized value in concatenation (.) or string at
+      /usr/share/shorewall/Shorewall/Chains.pm line 649.
+      Use of uninitialized value in concatenation (.) or string at
+      /usr/share/shorewall/Shorewall/Chains.pm line 649.
+      Creating iptables-restore input...
+
+2)  The Shorewall operations log (specified by STARTUP_LOG) is now
+    secured 0600.
+
+3)  Previously, the compiler generated an incorrect test for interface
+    availability in the generated code for adding route rules. The
+    result was that the rules were always added, regardless of the
+    state of the provider's interface. Now, the rules are only added
+    when the interface is available.
+
+4)  When TC_WIDE_MARKS=Yes and class numbers are not explicitly
+    specified in /etc/shorewall/tcclasses, duplicate class numbers
+    result. A typical error message is:
+
+    	    ERROR: Command "tc class add dev eth3 parent 1:1 classid
+    	    1:1 htb rate 1024kbit ceil 100000kbit prio 1 quantum 1500"
+    	    Failed
+
+    Note that the class ID of the class being added is a duplicate of
+    the parent's class ID.
+
+    Also, when TC_WIDE_MARKS=Yes, values > 255 in the MARK column of
+    /etc/shorewall/tcclasses were rejected.
+
+----------------------------------------------------------------------------
+                N E W   F E A T U R E S   I N   4 . 4 . 4
+----------------------------------------------------------------------------
+
+1)  The Shorewall packages now include a logrotate configuration file.
+
+2)  The limit of 15 entries in a port list has been relaxed in
+    /etc/shorewall/routestopped.
+
+3)  The following seemingly valid configuration produces a fatal
+    error reporting "Duplicate interface name (p+)"
+
+    /etc/shorewall/zones:
+
+       #ZONE		TYPE	
+       fw		firewall
+       world		ipv4
+       z1:world		bport4
+       z2:world		bport4
+
+    /etc/shorewall/interfaces:
+
+       #ZONE		INTERFACE	BROADCAST	OPTIONS
+       world		br0		-		bridge
+       world		br1		-		bridge
+       z1		br0:p+
+       z2		br1:p+
+
+    This error occurs because the Shorewall implementation requires
+    that each bridge port must have a unique name.
+
+    To work around this problem, a new 'physical' interface option has
+    been created. The above configuration may be defined using the
+    following in /etc/shorewall/interfaces:
+
+       #ZONE		INTERFACE	BROADCAST	OPTIONS
+       world		br0		-		bridge
+       world		br1		-		bridge
+       z1		br0:x+		-		physical=p+
+       z2		br1:y+		-		physical=p+
+
+    In this configuration, 'x+' is the logical name for ports p+ on
+    bridge br0 while 'y+' is the logical name for ports p+ on bridge
+    br1.
+
+    If you need to refer to a particular port on br1 (for example
+    p1023), you write it as y1023; Shorewall will translate that name
+    to p1023 when needed.
+
+    It is allowed to have a physical name ending in '+' with a logical
+    name that does not end with '+'. The reverse is not allowed; if the
+    logical name ends in '+' then the physical name must also end in
+    '+'.
+
+    This feature is not restricted to bridge ports. Beginning with this
+    release, the interface name in the INTERFACE column can be
+    considered a logical name for the interface, and the actual
+    interface name is specified using the 'physical' option. If no
+    'physical' option is present, then the physical name is assumed to
+    be the same as the logical name. As before, the logical interface
+    name is used throughout the rest of the configuration to refer to
+    the interface.
+
+4)  Previously, Shorewall has used the character '2' to form the name
+    of chains involving zones and/or the word 'all' (e.g., fw2net,
+    all2all). When zones names are given numeric suffixes, these
+    generated names are hard to read (e.g., foo1232bar). To make these
+    names clearer, a ZONE2ZONE option has been added.
+
+    ZONE2ZONE has a default value of "2" but can also be given the
+    value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate
+    the two parts of the name with a hyphen (e.g., foo123-bar).
+
+5)  Only one instance of the following warning is now generated;
+    previously, one instance of a similar warning was generated for
+    each COMMENT encountered.
+
+	COMMENTs ignored -- require comment support in iptables/Netfilter
+
+6)  The shorewall and shorewall6 utilities now support a 'show
+    policies' command. Once Shorewall or Shorewall6 has been restarted
+    using a script generated by this version, the 'show policies'
+    command will list each pair of zones and give the applicable
+    policy. If the policy is enforced in a chain, the name of the chain
+    is given.
+
+    Example:
+
+	net 	=>	loc	DROP using chain net2all
+
+    Note that implicit intrazone ACCEPT policies are not displayed for
+    zones associated with a single network where that network
+    doesn't specify 'routeback'.
+
+7)  The 'show' and 'dump' commands now support an '-l' option which
+    causes chain displays to include the rule number of each rule.
+
+    (Type 'iptables -h' and look for '--line-number')
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -23,99 +23,9 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#	If an error occurs while starting or restarting the firewall, the
-#	firewall is automatically stopped.
+#       For a list of supported commands, type 'shorewall help'
 #
-#	The firewall uses configuration files in /etc/shorewall/ - skeleton
-#	files are included with the firewall.
-#
-#	Commands are:
-#
-#          shorewall add <iface>[:<host>] zone     Adds a host or subnet to a zone
-#          shorewall delete <iface>[:<host>] zone  Deletes a host or subnet from a zone
-#          shorewall dump                          Dumps all Shorewall-related information
-#                                                  for problem analysis
-#	   shorewall start 			   Starts the firewall
-#	   shorewall restart			   Restarts the firewall
-#	   shorewall stop			   Stops the firewall
-#	   shorewall status			   Displays firewall status
-#	   shorewall reset			   Resets iptables packet and
-#						   byte counts
-#	   shorewall clear			   Open the floodgates by
-#						   removing all iptables rules
-#						   and setting the three permanent
-#						   chain policies to ACCEPT
-#	   shorewall refresh			   Rebuild the common chain to
-#						   compensate for a change of
-#						   broadcast address on any "detect"
-#						   interface.
-#	   shorewall [re]load [ <directory> ] <system>
-#						   Compile a script and install it on a
-#						   remote Shorewall Lite system.
-#	   shorewall show <chain> [ <chain> ... ]  Display the rules in each <chain> listed
-#          shorewall show actions                  Displays the available actions
-#	   shorewall show log			   Print the last 20 log messages
-#	   shorewall show connections		   Show the kernel's connection
-#						   tracking table
-#	   shorewall show nat			   Display the rules in the nat table
-#	   shorewall show {mangle|tos}		   Display the rules in the mangle table
-#	   shorewall show tc			   Display traffic control info
-#	   shorewall show classifiers		   Display classifiers
-#          shorewall show capabilities             Display iptables/kernel capabilities
-#          shorewall show vardir                   Display the VARDIR setting.
-#	   shorewall version			   Display the installed version id
-#	   shorewall check [ -e ] [ <directory> ]  Dry-run compilation.
-#	   shorewall try <directory> [ <timeout> ] Try a new configuration and if
-#						   it doesn't work, revert to the
-#						   standard one. If a timeout is supplied
-#						   the command reverts back to the
-#						   standard configuration after that many
-#						   seconds have elapsed after successfully
-#						   starting the new configuration.
-#	   shorewall logwatch [ refresh-interval ] Monitor the local log for Shorewall
-#						   messages.
-#	   shorewall drop <address> ...		   Temporarily drop all packets from the
-#						   listed address(es)
-#	   shorewall reject <address> ...	   Temporarily reject all packets from the
-#						   listed address(es)
-#	   shorewall allow <address> ...	   Reenable address(es) previously
-#						   disabled with "drop" or "reject"
-#	   shorewall save [ <file> ]		   Save the list of "rejected" and
-#						   "dropped" addresses so that it will
-#						   be automatically reinstated the
-#						   next time that Shorewall starts.
-#                                                  Save the current state so that 'shorewall
-#                                                  restore' can be used.
-#
-#          shorewall forget [ <file> ]             Discard the data saved by 'shorewall save'
-#
-#          shorewall restore [ <file> ]            Restore the state of the firewall from
-#                                                  previously saved information.
-#
-#          shorewall ipaddr { <address>/<cidr> | <address> <netmask> }
-#
-#                                                  Displays information about the network
-#                                                  defined by the argument[s]
-#
-#          shorewall iprange <address>-<address>   Decomposes a range of IP addresses into
-#                                                  a list of network/host addresses.
-#
-#          shorewall ipdecimal { <address> | <integer> }
-#
-#                                                  Displays the decimal equivalent of an IP
-#                                                  address and vice versa.
-#
-#          shorewall safe-start [ <directory> ]    Starts the firewall and promtp for a c
-#                                                  confirmation to accept or reject the new
-#                                                  configuration
-#
-#          shorewall safe-restart [ <directory> ]  Restarts the firewall and prompt for a
-#                                                  confirmation to accept or reject the new
-#                                                  configuration
-#
-#          shorewall compile [ -e ] [ <directory> ] <filename>
-#                                                  Compile a firewall program file.
-
+#####################################################################################################
 #
 # Set the configuration variables from shorewall.conf
 #
@@ -123,7 +33,6 @@
 #     $2 = Yes: check for STARTUP_ENABLED
 #     $3 = Yes: Check for LOGFILE
 #     
-#
 get_config() {
    local prog

@@ -164,7 +73,7 @@ get_config() {

 	    if [ -n "$(syslog_circular_buffer)" ]; then
 		LOGREAD="logread | tac"
-	    elif [ -f $LOGFILE ]; then
+	    elif [ -r $LOGFILE ]; then
 		LOGREAD="tac $LOGFILE"
 	    else
 		echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -275,7 +184,7 @@ get_config() {
 		    ;;
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
-			echo "   ERROR: Invalid Value for STARTUP_ENABLE: $STARTUP_ENABLED" >&2
+			echo "   ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
 			exit 2
 		    fi
 		    ;;
@@ -1062,7 +971,7 @@ safe_commands() {

    [ -n "$nolock" ] || mutex_on

-    if ${VARDIR}/.$command $command; then
+    if ${VARDIR}/.$command $debugging $command; then

 	echo -n "Do you want to accept the new firewall configuration? [y/n] "

@@ -1322,8 +1231,10 @@ reload_command() # $* = original arguments less the command.
 	    ensure_config_path
 	fi

+	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"
+
 	progress_message "Getting Capabilities on system $system..."
-	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
+	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
 	    fatal_error "ERROR: Capturing capabilities on system $system failed"
 	fi
    fi
@@ -1478,6 +1389,7 @@ usage() # $1 = exit status
    echo "   show [ -m ] log"
    echo "   show macros"
    echo "   show [ -x ] mangle|nat|raw|routing"
+    echo "   show policies"
    echo "   show tc"
    echo "   show vardir"
    echo "   show zones"
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.1
-%define release 2
+%define version 4.4.5
+%define release 5

 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -77,6 +77,8 @@ fi
 %attr(0644,root,root) %config(noreplace) /etc/shorewall/*
 %attr(0600,root,root) /etc/shorewall/Makefile

+%attr(0644,root,root) /etc/logrotate.d/shorewall
+
 %attr(0755,root,root) /sbin/shorewall

 %attr(0644,root,root) /usr/share/shorewall/version
@@ -104,10 +106,32 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 

 %changelog
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-2
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-1
+* Mon Dec 28 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-5
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Mon Dec 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-3
+* Sun Dec 20 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-2
+* Sat Dec 19 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-1
+* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
+* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Sun Aug 09 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.1.2
+VERSION=4.4.5.5

 usage() # $1 = exit status
 {
--- a/Shorewall/wait4ifup
+++ b/Shorewall/wait4ifup
@@ -33,7 +33,7 @@
 #

 interface_is_up() {
-    [ -n "$(ip link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ] 
+    [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ] 
 }

 case $# in
@@ -51,7 +51,7 @@ esac

 while [ $timeout -gt 0 ]; do
    interface_is_up $1 && exit 0
-    sleep 1
+    /bin/sleep 1
    timeout=$(( $timeout - 1 ))
 done

--- a/Shorewall6-lite/default.debian
+++ b/Shorewall6-lite/default.debian
@@ -21,4 +21,9 @@ startup=0

 OPTIONS=""

+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
 # EOF
--- a/Shorewall6-lite/fallback.sh
+++ b/Shorewall6-lite/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=4.4.1.2
+VERSION=4.4.5.5

 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -15,9 +15,7 @@

 SRWL=/sbin/shorewall6-lite
 SRWL_OPTS="-tvv"
-# Note, set INITLOG to /dev/null if you do not want to
-# keep logs of the firewall (not recommended)
-INITLOG=/var/log/shorewall6-lite-init.log
+test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}

 [ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0

@@ -25,7 +23,7 @@ export SHOREWALL_INIT_SCRIPT

 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.1.2
+VERSION=4.4.5.5

 usage() # $1 = exit status
 {
@@ -219,6 +219,11 @@ mkdir -p ${PREFIX}/var/lib/shorewall6-lite
 chmod 755 ${PREFIX}/etc/shorewall6-lite
 chmod 755 ${PREFIX}/usr/share/shorewall6-lite

+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
+fi
+
 #
 # Install the config file
 #
@@ -303,6 +308,11 @@ cd ..

 echo "Man Pages Installed"

+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6-lite
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6-lite"
+fi
+
 #
 # Create the version file
 #
--- a/Shorewall6-lite/logrotate
+++ b/Shorewall6-lite/logrotate
@@ -0,0 +1,5 @@
+/var/log/shorewall6-init.log {
+  missingok
+  notifempty
+  create 0600 root root
+}
--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -45,17 +45,17 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.

-SHAREDIR=/usr/share/shorewall-lite
-VARDIR=/var/lib/shorewall-lite
-CONFDIR=/etc/shorewall-lite
+SHAREDIR=/usr/share/shorewall6-lite
+VARDIR=/var/lib/shorewall6-lite
+CONFDIR=/etc/shorewall6-lite
 PRODUCT="Shorewall Lite"

-. /usr/share/shorewall-lite/lib.base
-. /usr/share/shorewall-lite/configpath
+. /usr/share/shorewall6-lite/lib.base
+. /usr/share/shorewall6-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-VERSION=$(cat /usr/share/shorewall-lite/version)
+VERSION=$(cat /usr/share/shorewall6-lite/version)

 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)

--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -95,7 +95,7 @@ get_config() {

    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
 	LOGREAD="logread | tac"
-    elif [ -f $LOGFILE ]; then
+    elif [ -r $LOGFILE ]; then
 	LOGREAD="tac $LOGFILE"
    else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.1
-%define release 2
+%define version 4.4.5
+%define release 5

 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -70,6 +70,8 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall6-lite
 %attr(0700,root,root) %dir /var/lib/shorewall6-lite

+%attr(0644,root,root) /etc/logrotate.d/shorewall6-lite
+
 %attr(0755,root,root) /sbin/shorewall6-lite

 %attr(0644,root,root) /usr/share/shorewall6-lite/version
@@ -89,10 +91,30 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-2
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-1
+* Mon Dec 28 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-5
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Sun Dec 20 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-2
+* Sat Dec 19 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-1
+* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
+* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.1.2
+VERSION=4.4.5.5

 usage() # $1 = exit status
 {
--- a/Shorewall6/fallback.sh
+++ b/Shorewall6/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=4.4.1.2
+VERSION=4.4.5.5

 usage() # $1 = exit status
 {
--- a/Shorewall6/init.debian.sh
+++ b/Shorewall6/init.debian.sh
@@ -15,13 +15,11 @@
 SRWL=/sbin/shorewall6
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall6/wait4ifup
-# Note, set INITLOG to /dev/null if you do not want to
-# keep logs of the firewall (not recommended)
-INITLOG=/var/log/shorewall6-init.log
+test -n ${INITLOG:=/var/log/shorewall6-init.log}

 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.1.2
+VERSION=4.4.5.5

 usage() # $1 = exit status
 {
@@ -234,6 +234,12 @@ mkdir -p ${PREFIX}/var/lib/shorewall6
 chmod 755 ${PREFIX}/etc/shorewall6
 chmod 755 ${PREFIX}/usr/share/shorewall6
 chmod 755 ${PREFIX}/usr/share/shorewall6/configfiles
+
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
+fi
+
 #
 # Install the config file
 #
@@ -642,6 +648,11 @@ cd ..

 echo "Man Pages Installed"

+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6"
+fi
+
 if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
    if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -33,7 +33,7 @@
 #

 SHOREWALL_LIBVERSION=40300
-SHOREWALL_CAPVERSION=40401
+SHOREWALL_CAPVERSION=40406

 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -260,7 +260,7 @@ reload_kernel_modules() {

    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]

-    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched
    MODULES=$(lsmod | cut -d ' ' -f1)

    for directory in $(split $MODULESDIR); do
@@ -296,7 +296,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]

    [ -z "$MODULESDIR" ] && \
-	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched

    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -696,8 +696,6 @@ set_state () # $1 = state
 # Determine which optional facilities are supported by iptables/netfilter
 #
 determine_capabilities() {
-    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
-
    CONNTRACK_MATCH=
    NEW_CONNTRACK_MATCH=
    OLD_CONNTRACK_MATCH=
@@ -747,6 +745,8 @@ determine_capabilities() {
 	exit 1
    fi

+    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
+    
    qt $IP6TABLES -F $chain
    qt $IP6TABLES -X $chain
    if ! $IP6TABLES -N $chain; then
@@ -853,7 +853,11 @@ determine_capabilities() {
    qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
    qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
    qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-    qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    qt $IP6TABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    if [ -z "$HASHLIMIT_MATCH" ]; then
+	qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
+	HASHLIMIT_MATCH=$OLD_HL_MATCH
+    fi	
    qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
    qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
    qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -868,6 +872,7 @@ determine_capabilities() {
    qt $IP6TABLES -X $chain1

    CAPVERSION=$SHOREWALL_CAPVERSION
+    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }

 report_capabilities() {
@@ -917,6 +922,7 @@ report_capabilities() {
 	report_capability "Address Type Match" $ADDRTYPE
 	report_capability "TCPMSS Match" $TCPMSS_MATCH
 	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
+	report_capability "Old Hashlimit Match" $OLD_HL_MATCH
 	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
 	report_capability "Realm Match" $REALM_MATCH
 	report_capability "Helper Match" $HELPER_MATCH
@@ -972,6 +978,7 @@ report_capabilities1() {
    report_capability1 ADDRTYPE
    report_capability1 TCPMSS_MATCH
    report_capability1 HASHLIMIT_MATCH
+    report_capability1 OLD_HL_MATCH
    report_capability1 NFQUEUE_TARGET
    report_capability1 REALM_MATCH
    report_capability1 HELPER_MATCH
@@ -982,6 +989,7 @@ report_capabilities1() {
    report_capability1 LOG_TARGET
    
    echo CAPVERSION=$SHOREWALL_CAPVERSION
+    echo KERNELVERSION=$KERNELVERSION    
 }

 detect_gateway() # $1 = interface
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -383,6 +383,10 @@ show_command() {
 			    option=
 			    shift
 			    ;;
+			l*)
+			    IPT_OPTIONS1="--line-numbers"
+			    option=${option#l}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -396,11 +400,15 @@ show_command() {
 	esac
    done

+    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
+
    [ -n "$debugging" ] && set -x
    case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Connections at $HOSTNAME - $(date)"
+	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+	    echo "$PRODUCT $version Connections ($count of $max) at $HOSTNAME - $(date)"
 	    echo
 	    grep '^ipv6' /proc/net/nf_conntrack
 	    ;;
@@ -505,6 +513,12 @@ show_command() {
 	vardir)
 	    echo $VARDIR;
 	    ;;
+	policies)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$PRODUCT $version Policies at $HOSTNAME - $(date)"
+	    echo
+	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
+	    ;;
 	*)
 	    if [ "$PRODUCT" = Shorewall6 ]; then
 		case $1 in
@@ -602,6 +616,10 @@ dump_command() {
 			    SHOWMACS=Yes
 			    option=${option#m}
 			    ;;
+			l*)
+			    IPT_OPTIONS1="--line-numbers"
+			    option=${option#l}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -615,6 +633,8 @@ dump_command() {
 	esac
    done

+    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
+
    [ $VERBOSE -lt 2 ] && VERBOSE=2

    [ -n "$debugging" ] && set -x
@@ -641,7 +661,10 @@ dump_command() {
    heading "Raw Table"
    $IP6TABLES -t raw -L $IPT_OPTIONS

-    heading "Conntrack Table"
+    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+
+    heading "Conntrack Table ($count out of $max)"
    grep '^ipv6' /proc/net/nf_conntrack

    heading "IP Configuration"
@@ -673,8 +696,8 @@ dump_command() {

    show_routing

-    heading "ARP"
-    arp -na
+    heading "Neighbors"
+    ip -6 neigh ls

    if qt mywhich lsmod; then
 	heading "Modules"
--- a/Shorewall6/logrotate
+++ b/Shorewall6/logrotate
@@ -0,0 +1,5 @@
+/var/log/shorewall6-init.log {
+  missingok
+  notifempty
+  create 0600 root root
+}
--- a/Shorewall6/modules
+++ b/Shorewall6/modules
@@ -85,6 +85,7 @@ loadmodule sch_ingress
 loadmodule sch_htb
 loadmodule cls_u32
 loadmodule cls_fw
+loadmodule cls_flow
 loadmodule act_police
 #
 # Extensions
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@@ -23,99 +23,9 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#	If an error occurs while starting or restarting the firewall, the
-#	firewall is automatically stopped.
+#       For a list of supported commands, type 'shorewall6 help'
 #
-#	The firewall uses configuration files in /etc/shorewall/ - skeleton
-#	files are included with the firewall.
-#
-#	Commands are:
-#
-#          shorewall6 add <iface>[:<host>] zone    Adds a host or subnet to a zone
-#          shorewall6 delete <iface>[:<host>] zone Deletes a host or subnet from a zone
-#          shorewall6 dump                         Dumps all Shorewall6-related information
-#                                                  for problem analysis
-#	   shorewall6 start 			   Starts the firewall
-#	   shorewall6 restart			   Restarts the firewall
-#	   shorewall6 stop			   Stops the firewall
-#	   shorewall6 status			   Displays firewall status
-#	   shorewall6 reset			   Resets ip6tables packet and
-#						   byte counts
-#	   shorewall6 clear			   Open the floodgates by
-#						   removing all ip6tables rules
-#						   and setting the three permanent
-#						   chain policies to ACCEPT
-#	   shorewall6 refresh			   Rebuild the common chain to
-#						   compensate for a change of
-#						   broadcast address on any "detect"
-#						   interface.
-#	   shorewall6 [re]load [ <directory> ] <system>
-#						   Compile a script and install it on a
-#						   remote Shorewall6 Lite system.
-#	   shorewall6 show <chain> [ <chain> ... ] Display the rules in each <chain> listed
-#          shorewall6 show actions                 Displays the available actions
-#	   shorewall6 show log			   Print the last 20 log messages
-#	   shorewall6 show connections		   Show the kernel's connection
-#						   tracking table
-#	   shorewall6 show nat			   Display the rules in the nat table
-#	   shorewall6 show {mangle|tos}		   Display the rules in the mangle table
-#	   shorewall6 show tc			   Display traffic control info
-#	   shorewall6 show classifiers		   Display classifiers
-#          shorewall6 show capabilities            Display ip6tables/kernel capabilities
-#          shorewall6 show vardir                  Display the VARDIR setting.
-#	   shorewall6 version			   Display the installed version id
-#	   shorewall6 check [ -e ] [ <directory> ] Dry-run compilation.
-#	   shorewall6 try <directory> [ <timeout> ] Try a new configuration and if
-#						   it doesn't work, revert to the
-#						   standard one. If a timeout is supplied
-#						   the command reverts back to the
-#						   standard configuration after that many
-#						   seconds have elapsed after successfully
-#						   starting the new configuration.
-#	   shorewall6 logwatch [ refresh-interval ] Monitor the local log for Shorewall6
-#						    messages.
-#	   shorewall6 drop <address> ...	   Temporarily drop all packets from the
-#						   listed address(es)
-#	   shorewall6 reject <address> ...	   Temporarily reject all packets from the
-#						   listed address(es)
-#	   shorewall6 allow <address> ...	   Reenable address(es) previously
-#						   disabled with "drop" or "reject"
-#	   shorewall6 save [ <file> ]		   Save the list of "rejected" and
-#						   "dropped" addresses so that it will
-#						   be automatically reinstated the
-#						   next time that Shorewall6 starts.
-#                                                  Save the current state so that 'shorewall6
-#                                                  restore' can be used.
-#
-#          shorewall6 forget [ <file> ]            Discard the data saved by 'shorewall6 save'
-#
-#          shorewall6 restore [ <file> ]           Restore the state of the firewall from
-#                                                  previously saved information.
-#
-#          shorewall6 ipaddr { <address>/<cidr> | <address> <netmask> }
-#
-#                                                  Displays information about the network
-#                                                  defined by the argument[s]
-#
-#          shorewall6 iprange <address>-<address>  Decomposes a range of IP addresses into
-#                                                  a list of network/host addresses.
-#
-#          shorewall6 ipdecimal { <address> | <integer> }
-#
-#                                                  Displays the decimal equivalent of an IP
-#                                                  address and vice versa.
-#
-#          shorewall6 safe-start [ <directory> ]   Starts the firewall and promtp for a c
-#                                                  confirmation to accept or reject the new
-#                                                  configuration
-#
-#          shorewall6 safe-restart [ <directory> ] Restarts the firewall and prompt for a
-#                                                  confirmation to accept or reject the new
-#                                                  configuration
-#
-#          shorewall6 compile [ -e ] [ <directory> ] <filename>
-#                                                  Compile a firewall program file.
-
+################################################################################################
 #
 # Set the configuration variables from shorewall6.conf
 #
@@ -163,7 +73,7 @@ get_config() {

 	    if [ -n "$(syslog_circular_buffer)" ]; then
 		LOGREAD="logread | tac"
-	    elif [ -f $LOGFILE ]; then
+	    elif [ -r $LOGFILE ]; then
 		LOGREAD="tac $LOGFILE"
 	    else
 		echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -205,7 +115,7 @@ get_config() {
 		    ;;
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
-			echo "   ERROR: Invalid Value for STARTUP_ENABLE: $STARTUP_ENABLED" >&2
+			echo "   ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
 			exit 2
 		    fi
 		    ;;
@@ -1379,7 +1289,7 @@ usage() # $1 = exit status
    echo "   restart [ -n ] [ -f ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|raw|routing|tc|vardir|zones} ]"
+    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
    echo "   start [ -f ] [ -n ] [ <directory> ]"
    echo "   stop [ -f ]"
    echo "   status"
--- a/Shorewall6/shorewall6.conf
+++ b/Shorewall6/shorewall6.conf
@@ -32,9 +32,9 @@ VERBOSITY=1

 LOGFILE=/var/log/messages

-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log

-LOG_VERBOSITY=
+LOG_VERBOSITY=2

 LOGFORMAT="Shorewall:%s:%s:"

@@ -145,6 +145,10 @@ AUTOMAKE=No

 WIDE_TC_MARKS=No

+TRACK_PROVIDERS=No
+
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.1
-%define release 2
+%define version 4.4.5
+%define release 5

 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -69,6 +69,8 @@ fi
 %attr(0644,root,root) %config(noreplace) /etc/shorewall6/*
 %attr(0600,root,root) /etc/shorewall6/Makefile

+%attr(0644,root,root) /etc/logrotate.d/shorewall6
+
 %attr(0755,root,root) /sbin/shorewall6

 %attr(0644,root,root) /usr/share/shorewall6/version
@@ -93,10 +95,30 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6

 %changelog
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-2
-* Thu Sep 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-1
+* Mon Dec 28 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-5
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-4
+* Sun Dec 20 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-2
+* Sat Dec 19 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-1
+* Fri Nov 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
+* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.1.2
+VERSION=4.4.5.5

 usage() # $1 = exit status
 {
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -193,17 +193,6 @@ ACCEPT   -              -               tcp     135,139,445
        action begins with a capital letter; that way, the name won't conflict
        with a Shorewall-defined chain name.</para>

-        <para>The name of the action may be optionally followed by a colon
-        (<quote>:</quote>) and ACCEPT, DROP or REJECT. When this is done, the
-        named action will become the <emphasis>default action</emphasis> for
-        policies of type ACCEPT, DROP or REJECT, respectively. The default
-        action is applied immediately before the policy is enforced (before
-        any logging is done under that policy) and is used mainly to suppress
-        logging of uninteresting traffic which would otherwise clog your logs.
-        The same policy name can appear in multiple actions; the last such
-        action for each policy name is the one which Shorewall will
-        use.</para>
-
        <para>Shorewall includes pre-defined actions for DROP and REJECT --
        see above.</para>
      </listitem>
@@ -246,8 +235,8 @@ ACCEPT   -              -               tcp     135,139,445
        <para>You may also use a <ulink url="Macros.html">macro</ulink> in
        your action provided that the macro's expansion only results in the
        ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
-        <filename>/usr/share/shorewall/Drop</filename> for an example of an
-        action that users macros extensively.</para>
+        <filename>/usr/share/shorewall/action.Drop</filename> for an example
+        of an action that users macros extensively.</para>
      </listitem>

      <listitem>
@@ -506,74 +495,6 @@ ACCEPT:debug -          -        tcp      22
 bar:debug</programlisting>
      </listitem>
    </orderedlist>
-
-    <para>If you define an action <quote>acton</quote> and you have an
-    <filename>/etc/shorewall/acton</filename> script, when that script is
-    invoked, the following three variables will be set for use by the
-    script:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>$CHAIN = the name of the chain where your rules are to be
-        placed. When logging is used on an action invocation, Shorewall
-        creates a chain with a slightly different name from the action
-        itself.</para>
-      </listitem>
-
-      <listitem>
-        <para>$LEVEL = Log level. If empty, no logging was specified.</para>
-      </listitem>
-
-      <listitem>
-        <para>$TAG = Log Tag.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>Example:</para>
-
-    <para><filename>/etc/shorewall/rules</filename>:</para>
-
-    <programlisting>#ACTION          SOURCE           DEST
-acton:info:test  $FW              net</programlisting>
-
-    <para>Your <filename>/etc/shorewall/acton</filename> file will be run
-    with:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>$CHAIN=<quote>%acton1</quote></para>
-      </listitem>
-
-      <listitem>
-        <para>$LEVEL=<quote>info</quote></para>
-      </listitem>
-
-      <listitem>
-        <para>$TAG=<quote>test</quote></para>
-      </listitem>
-    </itemizedlist>
-
-    <para>Shorewall-perl sets lexical variables as follows:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para><emphasis role="bold">$chainref</emphasis> is a reference to the
-        chain-table entry for the chain where your rules are to be
-        placed.</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">$level</emphasis> is the log level. If
-        false, no logging was specified.</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">$tag</emphasis> is the log tag.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>For an example of how to use these variablesl, see <ulink
-    url="PortKnocking.html">this article</ulink>.</para>
  </section>

  <section id="Extension">
@@ -591,6 +512,29 @@ acton:info:test  $FW              net</programlisting>
    <example id="Example">
      <title>An action to drop all broadcast packets</title>

+      <para>If you define an action <quote>acton</quote> and you have an
+      <filename>/etc/shorewall/acton</filename> script, the rules compiler
+      sets lexical variables as follows:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para><emphasis role="bold">$chainref</emphasis> is a reference to
+          the chain-table entry for the chain where your rules are to be
+          placed.</para>
+        </listitem>
+
+        <listitem>
+          <para><emphasis role="bold">$level</emphasis> is the log level. If
+          false, no logging was specified.</para>
+        </listitem>
+
+        <listitem>
+          <para><emphasis role="bold">$tag</emphasis> is the log tag.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Example:</para>
+
      <para>/etc/shorewall/actions<programlisting>DropBcasts</programlisting></para>

      <para>/etc/shorewall/action.DropBcasts<programlisting># This file is empty</programlisting>/etc/shorewall/DropBcasts<programlisting>use Shorewall::Chains;
--- a/docs/ConnectionRate.xml
+++ b/docs/ConnectionRate.xml
@@ -20,6 +20,8 @@
    <copyright>
      <year>2008</year>

+      <year>2009</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -208,7 +208,8 @@
            <entry><ulink url="Multiple_Zones.html"><ulink
            url="OPENVPN.html">OpenVPN</ulink></ulink></entry>

-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
+            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
          </row>

          <row>
@@ -218,7 +219,7 @@

            <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>

-            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
          </row>

          <row>
@@ -227,8 +228,7 @@
            <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
            Shorewall</ulink></entry>

-            <entry><ulink url="whitelisting_under_shorewall.htm">White List
-            Creation</ulink></entry>
+            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
          </row>

          <row>
@@ -238,8 +238,8 @@
            <entry><ulink url="PacketMarking.html">Packet
            Marking</ulink></entry>

-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            DomU</ulink></entry>
+            <entry><ulink url="whitelisting_under_shorewall.htm">White List
+            Creation</ulink></entry>
          </row>

          <row>
@@ -250,8 +250,8 @@
            <entry><ulink url="PacketHandling.html">Packet Processing in a
            Shorewall-based Firewall</ulink></entry>

-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
-            Xen Dom0</ulink></entry>
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            DomU</ulink></entry>
          </row>

          <row>
@@ -260,7 +260,8 @@

            <entry><ulink url="ping.html">'Ping' Management</ulink></entry>

-            <entry></entry>
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            Xen Dom0</ulink></entry>
          </row>

          <row>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -520,6 +520,10 @@ eth0:66.249.93.111  0.0.0.0/0   206.124.146.176  tcp          993</programlistin
        <programlisting>#ACTION         SOURCE        DEST        PROTO        DEST
 #                                                      PORT(S)
 REDIRECT        net           22          tcp          9022</programlisting>
+
+        <para>Note that the above rule will also allow connections from the
+        net on TCP port 22. If you don't want that, see <link
+        linkend="faq1e">FAQ 1e</link>.</para>
      </section>
    </section>

@@ -534,7 +538,13 @@ REDIRECT        net           22          tcp          9022</programlisting>
      to go the opposite direction from SNAT/MASQUERADE. So if you masquerade
      or use SNAT from your local network to the Internet then you will need
      to use DNAT rules to allow connections from the Internet to your local
-      network. You also want to use DNAT rules when you intentionally want to
+      network.<note>
+          <para>If you use both 1:1 NAT and SNAT/MASQUERADE, those connections
+          that are subject to 1:1 NAT should use ACCEPT rather than DNAT.
+          Note, however, that DNAT can be used to override 1:1 NAT so as to
+          redirect a connection to a different internal system or port than
+          would be the case using 1:1 NAT.</para>
+        </note> You also want to use DNAT rules when you intentionally want to
      rewrite the destination IP address or port number. In all other cases,
      you use ACCEPT unless you need to hijack connections as they go through
      your firewall and handle them on the firewall box itself; in that case,
@@ -683,6 +693,15 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
          <para>Using this technique, you will want to configure your
          DHCP/PPPoE/PPTP/… client to automatically restart Shorewall each
          time that you get a new IP address.</para>
+
+          <note>
+            <para>For optional interfaces, use the function <emphasis
+            role="bold">find_first_interface_address_if_any()</emphasis>
+            rather than <emphasis
+            role="bold">find_first_interface_address()</emphasis>. The former
+            will return 0.0.0.0 if the interface has no configured IP address;
+            the latter terminates the calling program.</para>
+          </note>
        </listitem>
      </itemizedlist>

@@ -802,6 +821,15 @@ DNAT       loc           dmz:192.168.2.4    tcp      80          -         <emph
          save</command> and <command>shorewall[-lite]
          restore</command></ulink>.</para>
        </warning>
+
+        <note>
+          <para>For optional interfaces, use the function <emphasis
+          role="bold">find_first_interface_address_if_any()</emphasis> rather
+          than <emphasis
+          role="bold">find_first_interface_address()</emphasis>. The former
+          will return 0.0.0.0 if the interface has no configured IP address;
+          the latter terminates the calling program.</para>
+        </note>
      </section>

      <section id="faq2c">
@@ -1972,6 +2000,35 @@ iptables: Invalid argument
      <filename><ulink
      url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink></filename>.</para>
    </section>
+
+    <section id="faq86">
+      <title>(FAQ 86) My distribution (Ubuntu) uses NetworkManager to manage
+      my interfaces. I want to specify the upnpclient option for my interfaces
+      which requires them to be up and configured when Shorewall starts but
+      Shorewall is being started before NetworkManager.</title>
+
+      <para>Answer: I faced a similar problem which I solved as
+      follows:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>Don't start Shorewall at boot time (Debian and Ubuntu users
+          may simply set startup=0 in
+          <filename>/etc/default/shorewall</filename>).</para>
+        </listitem>
+
+        <listitem>
+          <para>In <filename>/etc/network/ip-up.d</filename>, I added a
+          <filename>shorewall</filename> script as follows:</para>
+
+          <programlisting>#!/bin/sh
+
+shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall if it isn't already running</programlisting>
+
+          <para>Be sure to secure the script for execute access.</para>
+        </listitem>
+      </itemizedlist>
+    </section>
  </section>

  <section id="MultiISP">
@@ -2497,30 +2554,53 @@ REJECT    fw            net:216.239.39.99    all</programlisting>Given that
      <command>shorewall[-lite] show capabilities</command> command at a root
      prompt.</para>

-      <programlisting>gateway:~# shorewall show capabilities
-Loading /usr/share/shorewall/functions...
-Processing /etc/shorewall/params ...
-Processing /etc/shorewall/shorewall.conf...
-Loading Modules...
+      <programlisting>gateway:~# <command>shorewall show capabilities</command>
 Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
+   Extended Connection Tracking Match Support: Available
+   Old Connection Tracking Match Syntax: Not available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
+   Physdev-is-bridged Support: Available
+   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Available
-   ROUTE Target: Available
-   Extended MARK Target: Available
   CONNMARK Target: Available
+   Extended CONNMARK Target: Available
   Connmark Match: Available
+   Extended Connmark Match: Available
   Raw Table: Available
-gateway:~#</programlisting>
+   IPP2P Match: Available
+   Old IPP2P Match Syntax: Not available
+   CLASSIFY Target: Available
+   Extended REJECT: Available
+   Repeat match: Available
+   MARK Target: Available
+   Extended MARK Target: Available
+   Mangle FORWARD Chain: Available
+   Comments: Available
+   Address Type Match: Available
+   TCPMSS Match: Available
+   Hashlimit Match: Available
+   Old Hashlimit Match: Not available
+   NFQUEUE Target: Available
+   Realm Match: Available
+   Helper Match: Available
+   Connlimit Match: Available
+   Time Match: Available
+   Goto Support: Available
+   LOGMARK Target: Available
+   IPMARK Target: Available
+   LOG Target: Available
+   Persistent SNAT: Available
+gateway:~# </programlisting>
    </section>

    <section id="faq19">
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -57,26 +57,31 @@
    release.</emphasis></para>
  </caution>

+  <important>
+    <para><emphasis role="bold">Shorewall does not configure IPSEC for
+    you</emphasis> -- it rather configures netfilter to accomodate your IPSEC
+    configuration.</para>
+  </important>
+
  <important>
    <para>The information in this article is only applicable if you plan to
    have IPSEC end-points on the same system where Shorewall is used.</para>
  </important>

  <important>
-    <para>While this article shows configuration of IPSEC using ipsec-tools,
-    Shorewall configuration is exactly the same when using OpenSwan or
+    <para>While this <emphasis role="bold">article shows configuration of
+    IPSEC using ipsec-tools</emphasis>, <emphasis role="bold">Shorewall
+    configuration is exactly the same when using OpenSwan</emphasis> or
    FreeSwan.</para>
  </important>

  <warning>
    <para>When running a Linux kernel prior to 2.6.20, the Netfilter+ipsec and
    policy match support are broken when used with a bridge device. The
-    problem has been reported to the responsible Netfilter developer who has
-    confirmed the problem. The problem was corrected in Kernel 2.6.20 as a
-    result of the removal of deferred FORWARD/OUTPUT processing of traffic
-    destined for a bridge. See the <ulink
-    url="bridge-Shorewall-perl.html">"<emphasis>Shorewall-perl and Bridged
-    Firewalls</emphasis>"</ulink> article.</para>
+    problem was corrected in Kernel 2.6.20 as a result of the removal of
+    deferred FORWARD/OUTPUT processing of traffic destined for a bridge. See
+    the <ulink url="bridge-Shorewall-perl.html">"<emphasis>Shorewall-perl and
+    Bridged Firewalls</emphasis>"</ulink> article.</para>
  </warning>

  <section id="Overview">
@@ -132,12 +137,12 @@

    <para>Under the 2.4 Linux Kernel, the association of unencrypted traffic
    and zones was made easy by the presence of IPSEC pseudo-interfaces with
-    names of the form <filename class="devicefile">ipsecn</filename> (e.g.
+    names of the form <filename class="devicefile">ipsecN</filename> (e.g.
    <filename class="devicefile">ipsec0</filename>). Outgoing unencrypted
    traffic (case 1.) was send through an <filename
-    class="devicefile">ipsecn</filename> device while incoming unencrypted
+    class="devicefile">ipsecN</filename> device while incoming unencrypted
    traffic (case 2) arrived from an <filename
-    class="devicefile">ipsecn</filename> device. The 2.6 kernel-based
+    class="devicefile">ipsecN</filename> device. The 2.6 kernel-based
    implementation does away with these pseudo-interfaces. Outgoing traffic
    that is going to be encrypted and incoming traffic that has been decrypted
    must be matched against policies in the SPD and/or the appropriate
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@@ -167,8 +167,7 @@ dmz                    Demilitarized Zone</programlisting>
 fw      firewall
 net     ipv4
 loc     ipv4
-dmz     ipv4
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
+dmz     ipv4</programlisting>

    <para>Note that Shorewall recognizes the firewall system as its own zone.
    The name of the zone designating the firewall itself (usually 'fw' as
@@ -212,8 +211,8 @@ dmz        eth2          detect        nets=(192.168.1.0/24)</programlisting>
    for 192.168.0.0/23, the <emphasis>loc</emphasis> zone as IPv4 hosts
    192.168.0.0/24 interfacing through eth1 and the <emphasis>dmz</emphasis>
    as IPv4 hosts 192.168.1.0/24 interfacing through eth2 (Note that
-    192.168.0.0/24 together with 192.168.1.0/24 constitutes
-    192.168.0.0.23).</para>
+    192.168.0.0/24 together with 192.168.1.0/24 comprises
+    192.168.0.0/23).</para>

    <para>Rules about what traffic to allow and what traffic to deny are
    expressed in terms of zones. <itemizedlist spacing="compact">
--- a/docs/LennyToSqueeze.xml
+++ b/docs/LennyToSqueeze.xml
@@ -0,0 +1,969 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Issues when Upgrading to Shorewall 4.4 (Upgrading from Debian Lenny
+    to Squeeze)</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2009</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>Introduction</title>
+
+    <para>Debian Lenny includes Shorewall version 4.0.15 while Squeeze will
+    soon include Shorewall 4.4. Because there are significant differences
+    between the two product versions, some users may experience upgrade
+    issues. This article outlines those issues and offers advice for dealing
+    with them.</para>
+
+    <note>
+      <para>Although this article is targeted specifically at Lenny -&gt;
+      Squeeze upgrades, it should be useful to any Shorewall-shell user
+      upgrading to Shorewall 4.4.x. Footnotes are used to flag areas where
+      non-Debian users may experience different results.</para>
+    </note>
+  </section>
+
+  <section id="Packages">
+    <title>Packaging Differences</title>
+
+    <para>The first key difference between Shorewall 4.0 and Shorewall 4.4 is
+    in the packaging<footnote>
+        <para>Most distributions use a similar packaging structure. Note,
+        however, that the 'shorewall' package in Simon Mater's RPMs for
+        RedHat/Fedora/CentOS is like the Lenny shorewall-common
+        package.</para>
+      </footnote>. In Lenny, there are six Shorewall packages:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>shorewall-common — Contains the basic components needed to
+        create an IPv4 firewall.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-shell — The legacy Shorewall configuration compiler
+        written in Bourne shell.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall — A transitional package that depends on
+        shorewall-common and shorewall-shell. Installing this package installs
+        both shorewall-common and shorewall-shell.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-perl — A re-implementation of the Shorewall
+        configuration compiler in Perl. This compiler has many advantages over
+        the shell-based compiler:</para>
+
+        <itemizedlist>
+          <listitem>
+            <para>The compiler is much faster</para>
+          </listitem>
+
+          <listitem>
+            <para>The compiler does a much better job of validating the
+            configuration, thus avoiding run-time errors.</para>
+          </listitem>
+
+          <listitem>
+            <para>The compiler produces better and more consistent diagnostic
+            messages.</para>
+          </listitem>
+
+          <listitem>
+            <para>The compiler produces a script that runs much faster and
+            that does not reject/drop connections during start/restart.</para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-lite — A small package that can run scripts generated
+        by shorewall-shell or shorewall-perl. Allows centralized firewall
+        administration.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-doc — Documentation.</para>
+      </listitem>
+    </orderedlist>
+
+    <para>In Squeeze, there are five packages:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>shorewall — Contains everything needed to create an IPv4
+        firewall. It combines the former shorewall-common and shorewall-perl
+        packages.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall6 — Depends on shorewall. Adds those components needed
+        to create an IPv6 firewall.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-lite — Same as in Lenny; only runs IPv4 firewall
+        scripts.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall6-lite — Similar to shorewall-lite, except that it only
+        runs IPv6 firewall scripts.</para>
+      </listitem>
+
+      <listitem>
+        <para>shorewall-doc — Documentation.</para>
+      </listitem>
+    </orderedlist>
+
+    <warning>
+      <para>Do not purge the old packages (shorewall-common, shorewall-shell
+      and shorewall-perl) until after the new shorewall package has been
+      installed.</para>
+    </warning>
+
+    <para>The key change in Squeeze that may produce upgrade issues is that
+    Squeeze does not include the shell-based configuration compiler. As a
+    consequence, unless you are already using Shorewall-perl on Lenny, an
+    upgrade from Lenny to Squeeze will mean that you will be switching from
+    the old shell-based compiler to the new Perl-based compiler<footnote>
+        <para>Note that Perl is a required package on Debian. If you are
+        running an embedded distribution which does not include Perl and it is
+        not feasible to install Perl on your firewall, then you should
+        consider installing Shorewall on another system in your network (may
+        be a <trademark>Windows</trademark> system running
+        <trademark>Cygwin</trademark>) and installing Shorewall-lite on your
+        firewall.</para>
+      </footnote>. While the two compilers are highly compatible, there are
+    some differences. Those differences are detailed in the following
+    sections.</para>
+  </section>
+
+  <section id="Issues">
+    <title>Issues Most Likely to Cause Problems or Concerns</title>
+
+    <section id="conf">
+      <title>shorewall.conf</title>
+
+      <para>As always, when upgrading from one major release of Shorewall to
+      another, the installer will prompt you about replacing your existing
+      <filename>shorewall.conf</filename> with the updated one from the
+      package. Shorewall is designed with the assumption that users will never
+      replace shorewall.conf and retaining your existing file will always
+      produce upward-compatible behavior.</para>
+
+      <para>That having been said, there are a few settings that you may have
+      in your shorewall.conf that will cause compilation warning or error
+      messages after the upgrade.</para>
+
+      <variablelist>
+        <varlistentry>
+          <term>BLACKLISTNEWONLY</term>
+
+          <listitem>
+            <para>If you have BLACKLISTNEWONLY=No together with
+            FASTACCEPT=Yes, you will receive this error:</para>
+
+            <para><emphasis role="bold">ERROR: BLACKLISTNEWONLY=No may not be
+            specified with FASTACCEPT=Yes</emphasis></para>
+
+            <para>To eliminate the error, reverse the setting of one of the
+            options.</para>
+
+            <note>
+              <para>This combination never worked correctly in earlier
+              versions -- to duplicate the earlier behavior, you will want to
+              set BLACKLISTNEWONLY=Yes.</para>
+            </note>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>BRIDGING</term>
+
+          <listitem>
+            <para>If you have set this option to Yes, you will receive the
+            following error:</para>
+
+            <para><emphasis role="bold">ERROR: BRIDGING=Yes is not supported
+            by Shorewall 4.4.x</emphasis></para>
+
+            <para>You should not be receiving this error if you are upgrading
+            from Lenny since BRIDGING=Yes did not work in that
+            release<footnote>
+                <para>If you are upgrading from a release using a kernel
+                earlier than 2.6.20, then BRIDGING=Yes did work correctly with
+                Shorewall-shell.</para>
+              </footnote>. If you have a bridge configuration where you want
+            to control connections through the bridge, you will want to visit
+            <ulink
+            url="http://www.shorewall.net/bridge-Shorewall-perl.html">http://www.shorewall.net/bridge-Shorewall-perl.html</ulink><footnote>
+                <para>Kernel 2.6.20 or later is required.</para>
+              </footnote>.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>DELAYBLACKLISTLOAD</term>
+
+          <listitem>
+            <para>If you have set this option to Yes, you will receive the
+            following warning:</para>
+
+            <para><emphasis role="bold">WARNING: DELAYBLACKLIST=Yes is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate the warning, set DELAYBLACKLISTLOAD=No or
+            remove the setting altogether.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>DYNAMIC_ZONES</term>
+
+          <listitem>
+            <para>If you have set this option to Yes, you will receive the
+            following warning:</para>
+
+            <para><emphasis role="bold">WARNING: DYNAMIC_ZONES=Yes is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate the warning, set DYNAMIC_ZONES=No or remove the
+            setting altogether. See <ulink url="Dynamic.html">this
+            article</ulink> to learn how to set up Dynamic Zones under
+            Shorewall 4.4.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry id="FW">
+          <term>FW</term>
+
+          <listitem>
+            <para>If a setting for FW appears in your shorewall.conf file, you
+            will receive this warning:</para>
+
+            <para><emphasis role="bold">WARNING: Unknown configuration option
+            (FW) ignored.</emphasis></para>
+
+            <para>Remove the setting from the file and modify your
+            <filename>/etc/shorewall/zones</filename> file as described <link
+            linkend="zones">below</link>.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>IPSECFILE</term>
+
+          <listitem>
+            <para>If you have specified IPSECFILE=ipsec or IPSECFILE= or if
+            you do not have a setting for IPSECFILE, then you will receive the
+            following error:</para>
+
+            <para><emphasis role="bold">ERROR: IPSECFILE=ipsec is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate the warning, you will need to:</para>
+
+            <orderedlist>
+              <listitem>
+                <para>Set IPSECFILE=zones</para>
+              </listitem>
+
+              <listitem>
+                <para>Modify your <filename>/etc/shorewall/zones</filename>
+                file as described <link linkend="zones">below</link>.</para>
+              </listitem>
+            </orderedlist>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>PKTTYPE</term>
+
+          <listitem>
+            <para>The PKTTYPE option is ignored by Shorewall-perl.
+            Shorewall-perl will use Address type match if it is available;
+            otherwise, it will behave as if PKTTYPE=No had been
+            specified.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>RFC1918_LOG_LEVEL</term>
+
+          <listitem>
+            <para>If you have specified any setting for this option, you will
+            receive the following warning:</para>
+
+            <para><emphasis role="bold">WARNING: RFC1918_LOG_LEVEL=value
+            ignored. The 'norfc1918' interface/host option is no longer
+            supported.</emphasis></para>
+
+            <para>To eliminate the warning, set RFC1918_LOG_LEVEL= or simply
+            remove the setting altogether.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>RFC1918_STRICT</term>
+
+          <listitem>
+            <para>If you have set this option to Yes, you will receive the
+            following warning:</para>
+
+            <para><emphasis role="bold">WARNING: RFC1918_STRICT=Yes is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate the warning, set RFC1918_STRICT=No or remove
+            the setting altogether.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>SAVE_IPSETS</term>
+
+          <listitem>
+            <para>Shorewall 4.4 will issue a warning if you set
+            SAVE_IPSETS=Yes in <filename>shorewall.conf</filename>:</para>
+
+            <para><emphasis role="bold">WARNING SAVE_IPSETS=Yes is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate this message, you will need to set
+            SAVE_IPSETS=No or remove the setting altogether.</para>
+
+            <para>See <link linkend="ipsets">below</link> for additional
+            information regarding ipsets in Shorewall 4.4.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>SHOREWALL_COMPILER</term>
+
+          <listitem>
+            <para>If you have specified SHOREWALL_COMPILER=shell, you will
+            receive the following warning message:</para>
+
+            <para><emphasis role="bold">WARNING: SHOREWALL_COMPILER=shell
+            ignored. Shorewall-shell support has been removed in this
+            release</emphasis></para>
+
+            <para>To eliminate the warning, set SHOREWALL_COMPILER=perl or
+            simply remove the setting altogether.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>USE_ACTIONS</term>
+
+          <listitem>
+            <para>If you have set this option to No, you will receive the
+            following warning:</para>
+
+            <para><emphasis role="bold">WARNING: USE_ACTIONS=No is not
+            supported by Shorewall 4.4.x</emphasis></para>
+
+            <para>To eliminate the warning, set USE_ACTIONS=Yes or remove the
+            setting altogether.</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </section>
+
+    <section id="zones">
+      <title>/etc/shorewall/zones</title>
+
+      <para>If the column headings in your /etc/shorewall/zones file look like
+      this:</para>
+
+      <programlisting>#ZONE   DISPLAY         COMMENTS
+net     Net             The big bad net
+loc     Local           The local LAN</programlisting>
+
+      <para>then you are using the original zones file format that has been
+      deprecated since Shorewall 3.0.</para>
+
+      <para>You will need to convert to the new file format which has the
+      following headings:</para>
+
+      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
+#                                       OPTIONS                 OPTIONS</programlisting>
+
+      <para>You will need to add an entry for your firewall zone. The default
+      name for the firewall zone is 'fw' but may have been overriden using
+      <link linkend="FW">the FW option in
+      <filename>shorewall.conf</filename></link>.</para>
+
+      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
+#                                       OPTIONS                 OPTIONS
+fw      firewall</programlisting>
+
+      <para>The remainder of your zones will have type 'ipv4' unless they are
+      mentioned in your /etc/shorewall/ipsec file (see <link
+      linkend="ipsec">below</link>).</para>
+
+      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
+#                                       OPTIONS                 OPTIONS
+fw      firewall
+net     ipv4            # The big bad net
+loc     ipv4            # The local LAN</programlisting>
+    </section>
+
+    <section id="ipsec">
+      <title>/etc/shorewall/ipsec</title>
+
+      <para>This file is no longer used -- its specifications are now included
+      in <filename>/etc/shorewall/zones</filename>.</para>
+
+      <para>Take this example:</para>
+
+      <programlisting>#ZONE   IPSEC    OPTIONS         IN              OUT
+#       ONLY                     OPTIONS         OPTIONS
+ipsec1  Yes
+ipsec2  No</programlisting>
+
+      <para>This would translate to the following entries in
+      <filename>/etc/shorewall/zones</filename>:</para>
+
+      <programlisting>#ZONE   TYPE            OPTIONS         IN                      OUT
+#                                       OPTIONS                 OPTIONS
+ipsec1  ipsec4
+ipsec2  ipv4</programlisting>
+
+      <para>Any OPTIONS, IN OPTIONS and OUT OPTIONS should simply be copied
+      from <filename>/etc/shorewall/ipsec</filename> to
+      <filename>/etc/shorewall/zones</filename>.</para>
+    </section>
+
+    <section id="interfaces">
+      <title>/etc/shorewall/interfaces</title>
+
+      <para>The BROADCAST column is essentially unused in Squeeze. If it
+      contains anything except 'detect' or '-', then you will receive this
+      warning<footnote>
+          <para>Users whose kernel and/or iptables do not include Address Type
+          Match Support can continue to list broadcast addresses in this
+          column; no warning will be issued.</para>
+        </footnote>:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: Shorewall no longer uses
+        broadcast addresses in rule generation when Address Type Match is
+        available</emphasis></para>
+      </blockquote>
+
+      <para>To eliminate the warning, replace the contents of the BROADCAST
+      column with '-' or 'detect'.</para>
+
+      <para>The 'norfc1918' option has been removed. If you specify the
+      option, you will receive the following warning:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: Support for the norfc1918
+        interface option has been removed from Shorewall</emphasis></para>
+      </blockquote>
+
+      <para>To eliminate the warning, simply remove the 'norfc1918' option
+      from the OPTIONS list. You may wish to consider NULL_ROUTE_RFC1918=Yes
+      as a replacement (see <ulink
+      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>
+    </section>
+
+    <section id="hosts">
+      <title>/etc/shorewall/hosts</title>
+
+      <para>The 'norfc1918' option has been removed. If you specify the
+      option, you will receive the following warning:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: The 'norfc1918' option is no
+        longer supported</emphasis></para>
+      </blockquote>
+
+      <para>To eliminate the warning, simply remove the 'norfc1918' option
+      from the OPTIONS list. You may wish to consider NULL_ROUTE_RFC1918=Yes
+      as a replacement (see <ulink
+      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).</para>
+    </section>
+
+    <section id="policy">
+      <title>/etc/shorewall/policy</title>
+
+      <para>Shorewall 4.4 detects dead policy file entries that result when an
+      entry is masked by an earlier more general entry.</para>
+
+      <para>Example:</para>
+
+      <programlisting>#SOURCE DEST     POLICY    LOG LEVEL
+all     all      REJECT    info
+loc     net      ACCEPT</programlisting>
+
+      <para>Shorewall-shell silently accepted the above even though the
+      loc-&gt;net policy is useless. Shorewall-perl generates a fatal
+      compilation error:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">ERROR: Policy "loc net ACCEPT" duplicates
+        earlier policy "all all REJECT"</emphasis></para>
+      </blockquote>
+    </section>
+
+    <section id="masq">
+      <title>/etc/shorewall/masq</title>
+
+      <para>There is a long tradition of specifying an interface name in the
+      SOURCE column of this file.</para>
+
+      <para>Masquerading/SNAT occurs in the Netfilter POSTROUTING chain where
+      an incoming interface may not be specified in iptables rules.
+      Consequently, while processing the <command>shorewall start</command>
+      and <command>shorewall restart</command> commands, the generated script
+      must examine the firewall's main routing table to determine those
+      networks that are routed out of the interface; the script then adds a
+      MASQUERADE/SNAT rule for connections from each of those networks. This
+      additional processing requires the named interface to be up and
+      configured when Shorewall starts or restarts.</para>
+
+      <para>Users often complain that Shorewall fails to start at boot time
+      because a VPN interface that is named as a masq SOURCE isn't up and
+      configured during boot.</para>
+
+      <para>To emphasize this restriction, if an interface is named in the
+      SOURCE column of one or more entries, a single warning is issued as
+      follows:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: Using an interface as the masq
+        SOURCE requires the interface to be up and configured when Shorewall
+        starts/restarts</emphasis></para>
+      </blockquote>
+
+      <para>To suppress this warning, replace the interface name with the list
+      of networks that are routed out of the interface.</para>
+
+      <para>Example.</para>
+
+      <para>Existing entry:</para>
+
+      <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/
+#                                                                                       GROUP
+eth0                    eth1</programlisting>
+
+      <para>Current routing configuration:</para>
+
+      <programlisting>gateway:~# ip route ls dev eth1
+<emphasis role="bold">172.20.1.0/24</emphasis>  proto kernel  scope link  src 172.20.1.254 
+224.0.0.0/4  scope link 
+gateway:~# 
+</programlisting>
+
+      <para>Replacement entry:</para>
+
+      <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S) IPSEC   MARK    USER/
+#                                                                                       GROUP
+eth0                    <emphasis role="bold">172.20.1.0/24</emphasis></programlisting>
+
+      <para>Note that no entry is included for 224.0.0.0/4 since that is the
+      multicast IP range and there should never be any packets with a SOURCE
+      IP address in that network.</para>
+    </section>
+
+    <section id="rules">
+      <title>/etc/shorewall/rules</title>
+
+      <para>If you include a destination zone in a 'nonat' rule, Shorewall
+      issues the following warning:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: Destination zone (zonename)
+        ignored.</emphasis></para>
+      </blockquote>
+
+      <para>Nonat rules include:</para>
+
+      <blockquote>
+        <simplelist>
+          <member>DNAT-</member>
+
+          <member>REDIRECT-</member>
+
+          <member>NONAT</member>
+        </simplelist>
+      </blockquote>
+
+      <para>To eliminate the warning, remove the DEST zone.</para>
+
+      <para>Example.</para>
+
+      <para>Before:</para>
+
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME
+#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
+NONAT           loc             net             tcp     80</programlisting>
+
+      <para>After:</para>
+
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK    CONNLIMIT       TIME
+#                                                       PORT    PORT(S)         DEST            LIMIT           GROUP
+NONAT           loc             -               tcp     80</programlisting>
+    </section>
+
+    <section id="routestopped">
+      <title>/etc/shorewall/routestopped</title>
+
+      <para>The 'critical' option is no longer needed and hence is no longer
+      supported. If you have critical hosts defined, you will receive this
+      warning:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">WARNING: The 'critical' option is no
+        longer supported (or needed)</emphasis></para>
+      </blockquote>
+
+      <para>To suppress the warning, simply remove the option.</para>
+
+      <para>Shorewall 4.4 also treats the <filename>routestopped</filename>
+      file differently from earlier releases. Previously, the
+      <filename>routestopped</filename> file was parsed during
+      <command>shorewall stop</command> processing so that changes made to the
+      file while Shorewall was running would be applied at the next
+      <command>stop</command>. This is no longer the case -- the
+      <filename>routestopped</filename> file is processed during compilation
+      just like the rest of the configuration files so that when
+      <command>shorewall stop</command> is issued, the firewall will pass
+      traffic based on the contents of the <filename>routestopped</filename>
+      file at the last <command>start</command> or
+      <command>restart</command>.</para>
+
+      <para>If you change the <filename>routestopped</filename> file and now
+      want to stop the firewall, you can run this sequence of commands:</para>
+
+      <programlisting><command>shorewall compile
+shorewall stop</command></programlisting>
+    </section>
+
+    <section id="tos">
+      <title>/etc/shorewall/tos</title>
+
+      <para>The <filename>/etc/shorewall/tos</filename> file now has
+      zone-independent SOURCE and DEST columns as do all other files except
+      the rules and policy files.</para>
+
+      <para>The SOURCE column may be one of the following:</para>
+
+      <simplelist>
+        <member>[<command>all</command>:]&lt;<replaceable>address</replaceable>&gt;[,...]</member>
+
+        <member>[<command>all</command>:]&lt;<replaceable>interface</replaceable>&gt;[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
+
+        <member><command>$FW</command>[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
+      </simplelist>
+
+      <para>The DEST column may be one of the following:</para>
+
+      <simplelist>
+        <member>[<command>all</command>:]&lt;<replaceable>address</replaceable>&gt;[,...]</member>
+
+        <member>[<command>all</command>:]&lt;<replaceable>interface</replaceable>&gt;[:&lt;<replaceable>address</replaceable>&gt;[,...]]</member>
+      </simplelist>
+
+      <para>This is a permanent change. The old zone-based rules have never
+      worked right and this is a good time to replace them. We have tried to
+      make the new syntax cover the most common cases without requiring change
+      to existing files. In particular, it will handle the
+      <filename>tos</filename> file released with Shorewall 1.4 and
+      earlier.</para>
+    </section>
+
+    <section id="extension">
+      <title>Extension Scripts</title>
+
+      <para>With the shell-based compiler, all extension scripts were copied
+      into the compiled script and executed at run-time. In some cases, this
+      approach doesn't work with Shorewall Perl because (almost) the entire
+      rule set is built by the compiler. As a result, Shorewall-perl runs some
+      extension scripts at compile-time rather than at run-time. Because the
+      compiler is written in Perl, these extension scripts from earlier
+      versions will no longer work.</para>
+
+      <para>The following table summarizes when the various extension scripts
+      are run:<informaltable align="left" frame="none">
+          <tgroup cols="3">
+            <tbody>
+              <row>
+                <entry><emphasis role="bold">Compile-time (Must be written in
+                Perl)</emphasis></entry>
+
+                <entry><emphasis role="bold">Run-time</emphasis></entry>
+
+                <entry><emphasis role="bold">Eliminated</emphasis></entry>
+              </row>
+
+              <row>
+                <entry>initdone</entry>
+
+                <entry>clear</entry>
+
+                <entry>continue</entry>
+              </row>
+
+              <row>
+                <entry>maclog</entry>
+
+                <entry>init</entry>
+
+                <entry></entry>
+              </row>
+
+              <row>
+                <entry>Per-chain (including those associated with
+                actions)</entry>
+
+                <entry>start</entry>
+
+                <entry></entry>
+              </row>
+
+              <row>
+                <entry></entry>
+
+                <entry>started</entry>
+
+                <entry></entry>
+              </row>
+
+              <row>
+                <entry></entry>
+
+                <entry>stop</entry>
+
+                <entry></entry>
+              </row>
+
+              <row>
+                <entry></entry>
+
+                <entry>stopped</entry>
+
+                <entry></entry>
+              </row>
+
+              <row>
+                <entry></entry>
+
+                <entry>tcclear</entry>
+
+                <entry></entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable></para>
+
+      <para>Compile-time extension scripts are executed using the Perl 'eval
+      `cat &lt;file&gt;`' mechanism. Be sure that each script returns a 'true'
+      value; otherwise, the Shorewall-perl compiler will assume that the
+      script failed and will abort the compilation.</para>
+
+      <para>When a script is invoked, the <emphasis
+      role="bold">$chainref</emphasis> scalar variable will usually hold a
+      reference to a chain table entry.</para>
+
+      <simplelist>
+        <member><emphasis role="bold">$chainref-&gt;{name}</emphasis> contains
+        the name of the chain</member>
+
+        <member><emphasis role="bold">$chainref-&gt;{table}</emphasis> holds
+        the table name</member>
+      </simplelist>
+
+      <para>To add a rule to the chain:</para>
+
+      <simplelist>
+        <member>add_rule $chainref,
+        <replaceable>the-rule</replaceable></member>
+      </simplelist>
+
+      <para>Where</para>
+
+      <simplelist>
+        <member><replaceable>the rule</replaceable> is a scalar argument
+        holding the rule text. Do not include "-A
+        <replaceable>chain-name</replaceable>"</member>
+      </simplelist>
+
+      <para>Example:</para>
+
+      <simplelist>
+        <member>add_rule $chainref, '-j ACCEPT';</member>
+      </simplelist>
+
+      <para>To insert a rule into the chain:</para>
+
+      <simplelist>
+        <member>insert_rule $chainref, <replaceable>rulenum</replaceable>,
+        <replaceable>the-rule</replaceable></member>
+      </simplelist>
+
+      <para>The log_rule_limit function works like it does in the shell
+      compiler with three exceptions:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>You pass the chain reference rather than the name of the
+          chain.</para>
+        </listitem>
+
+        <listitem>
+          <para>The commands are 'add' and 'insert' rather than '-A' and
+          '-I'.</para>
+        </listitem>
+
+        <listitem>
+          <para>There is only a single "pass as-is to iptables" argument (so
+          you must quote that part</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Example:</para>
+
+      <programlisting>    log_rule_limit
+              'info' , 
+              $chainref , 
+              $chainref-&gt;{name},
+              'DROP' , 
+              '',    #Limit
+              '' ,   #Log tag
+              'add'
+              '-p tcp ';         </programlisting>
+
+      <para>Here is an example of an actual initdone script used with
+      Shorewall 3.4:<programlisting>run_iptables -t mangle -I PREROUTING -p esp -j MARK --set-mark 0x50
+run_iptables -t filter -I INPUT -p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT
+run_iptables -t filter -I OUTPUT -p udp --sport 1701 -j ACCEPT
+</programlisting></para>
+
+      <para>Here is the corresponding script used with Shorewall
+      4.4:<programlisting>use Shorewall::Chains;
+
+insert_rule $mangle_table-&gt;{PREROUTING}, 1, "-p esp -j MARK --set-mark 0x50";
+insert_rule $filter_table-&gt;{INPUT},      1, "-p udp --dport 1701 -m mark --mark 0x50 -j ACCEPT";
+insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
+
+1;</programlisting></para>
+
+      <para>The initdone script is unique because the $chainref variable is
+      not set before the script is called. The above script illustrates how
+      the $mangle_table, $filter_table, and $nat_table references can be used
+      to add or insert rules in arbitrary chains.</para>
+    </section>
+
+    <section id="ipsets">
+      <title>Ipsets</title>
+
+      <para>Shorewall 4.4 insists that ipset names begin with a letter and be
+      composed of alphanumeric characters and underscores (_). When used in a
+      Shorewall configuration file, the name must be preceded by a plus sign
+      (+) as with the shell-based compiler.</para>
+
+      <para>Shorewall 4.4 is out of the ipset load/reload business with the
+      exception of ipsets used for dynamic zones. With scripts generated by
+      Shorwall 4.4, the Netfilter rule set is never cleared. That means that
+      there is no opportunity for Shorewall to load/reload your ipsets since
+      that cannot be done while there are any current rules using
+      ipsets.</para>
+
+      <para>So:</para>
+
+      <orderedlist numeration="upperroman">
+        <listitem>
+          <para>Your ipsets must be loaded before Shorewall starts. You are
+          free to try to do that with the following code in
+          <filename>/etc/shorewall/init (it works for me; your mileage may
+          vary)</filename>:</para>
+
+          <programlisting>if [ "$COMMAND" = start ]; then
+    ipset -U :all: :all:
+    ipset -U :all: :default:
+    ipset -F
+    ipset -X
+    ipset -R &lt; /etc/shorewall/ipsets
+fi</programlisting>
+
+          <para>The file <filename>/etc/shorewall/ipsets</filename> will
+          normally be produced using the <command>ipset -S</command> command.
+          I have this in my<filename> /etc/shorewall/stop</filename>
+          file:</para>
+
+          <programlisting>if ipset -S &gt; /etc/shorewall/ipsets.tmp; then
+    mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak
+    mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
+fi</programlisting>
+
+          <para>The above extension scripts will work most of the time but
+          will fail in a <command>shorewall stop</command> -
+          <command>shorewall start</command> sequence if you use ipsets in
+          your routestopped file (see <link
+          linkend="routestopped">below</link>).</para>
+        </listitem>
+
+        <listitem>
+          <para>Your ipsets may not be reloaded until Shorewall is stopped or
+          cleared.</para>
+        </listitem>
+
+        <listitem>
+          <para>If you specify ipsets in your routestopped file then Shorewall
+          must be cleared in order to reload your ipsets.</para>
+        </listitem>
+      </orderedlist>
+    </section>
+  </section>
+
+  <section id="Additional">
+    <title>Additional Sources of Information</title>
+
+    <para>The following articles provide additional information.</para>
+
+    <itemizedlist>
+      <listitem>
+        <para><ulink url="Shorewall-perl.html#Incompatibilities">Shorewall
+        Perl Incompatibilities</ulink></para>
+      </listitem>
+
+      <listitem>
+        <para><ulink url="upgrade_issues.htm">Upgrade Issues</ulink></para>
+      </listitem>
+    </itemizedlist>
+  </section>
+</article>
--- a/docs/Macros.xml
+++ b/docs/Macros.xml
@@ -248,7 +248,7 @@ ACCEPT           fw       loc             tcp      135,139,445</programlisting>
      </varlistentry>
    </variablelist>

-    <para>One remaining restriction should be noted: macros that are invoked
+    <para>One additional restriction should be noted: macros that are invoked
    from actions cannot themselves invoke other actions.</para>
  </section>

@@ -433,46 +433,7 @@ ACCEPT           fw       loc             tcp      135,139,445</programlisting>
        non-comment line in your macro file.</para>

        <para>If ACTION is DNAT[-] or REDIRECT[-] then if this column is
-        included and is different from the IP address given in the SERVER
-        column, then connections destined for that address will be forwarded
-        to the IP and port specified in the DEST column.</para>
-
-        <para>A comma-separated list of addresses may also be used. This is
-        most useful with the REDIRECT target where you want to redirect
-        traffic destined for particular set of hosts. Finally, if the list of
-        addresses begins with "!" (exclusion) then the rule will be followed
-        only if the original destination address in the connection request
-        does not match any of the addresses listed.</para>
-
-        <para>For other actions, this column may be included and may contain
-        one or more addresses (host or network) separated by commas. Address
-        ranges are not allowed. When this column is supplied, rules are
-        generated that require that the original destination address matches
-        one of the listed addresses. This feature is most useful when you want
-        to generate a filter rule that corresponds to a DNAT- or REDIRECT-
-        rule. In this usage, the list of addresses should not begin with
-        "!".</para>
-
-        <para>It is also possible to specify a set of addresses then exclude
-        part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28
-        specifies the addresses 192.168.1.0-182.168.1.15 and
-        192.168.1.32-192.168.1.255. See <ulink
-        url="manpages/shorewall_exclusion.html">shorewall-exclusion</ulink>(5).</para>
-
-        <para>See <ulink
-        url="http://shorewall.net/PortKnocking.html">http://shorewall.net/PortKnocking.html</ulink>
-        for an example of using an entry in this column with a user-defined
-        action rule.</para>
-      </listitem>
-
-      <listitem>
-        <para>ORIGINAL DEST (Shorewall-perl 4.2.0 and later)</para>
-
-        <para>To use this column, you must include 'FORMAT 2' as the first
-        non-comment line in your macro file.</para>
-
-        <para>If ACTION is DNAT[-] or REDIRECT[-] then if this column is
-        included and is different from the IP address given in the SERVER
+        included and is different from the IP address given in the DEST
        column, then connections destined for that address will be forwarded
        to the IP and port specified in the DEST column.</para>

@@ -554,6 +515,151 @@ ACCEPT           fw       loc             tcp      135,139,445</programlisting>
          2.6.14).</member>
        </simplelist>
      </listitem>
+
+      <listitem>
+        <para>MARK - (Added in Shorewall-4.4.2) Defines a test on the existing
+        packet or connection mark. The rule will match only if the test
+        returns true. Must be empty or '-' if the macro is to be used within
+        an action.</para>
+
+        <programlisting>     [!]<replaceable>value</replaceable>[/<replaceable>mask</replaceable>][:C]</programlisting>
+
+        <variablelist>
+          <varlistentry>
+            <term>!</term>
+
+            <listitem>
+              <para>Inverts the test (not equal)</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><replaceable>value</replaceable></term>
+
+            <listitem>
+              <para>Value of the packet or connection mark.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term><replaceable>mask</replaceable></term>
+
+            <listitem>
+              <para>A mask to be applied to the mark before testing.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>:C</term>
+
+            <listitem>
+              <para>Designates a connection mark. If omitted, the # packet
+              mark's value is tested.</para>
+            </listitem>
+          </varlistentry>
+        </variablelist>
+      </listitem>
+
+      <listitem>
+        <para>CONNLIMIT - (Added in Shorewall-4.4.2) Must be empty or '-' if
+        the macro is to be used within an action.</para>
+
+        <programlisting>     [!]<replaceable>limit</replaceable>[:<replaceable>mask</replaceable>]</programlisting>
+
+        <para>May be used to limit the number of simultaneous connections from
+        each individual host to limit connections. Requires connlimit match in
+        your kernel and iptables. While the limit is only checked on rules
+        specifying CONNLIMIT, the number of current connections is calculated
+        over all current connections from the SOURCE host. By default, the
+        <replaceable>limit</replaceable> is applied to each host but can be
+        made to apply to networks of hosts by specifying a
+        <replaceable>mask</replaceable>. The mask specifies the width of a
+        VLSM mask to be applied to the source address; the number of current
+        connections is then taken over all hosts in the subnet
+        <replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
+        When ! is specified, the rule matches when the number of connection
+        exceeds the limit.</para>
+      </listitem>
+
+      <listitem>
+        <para>TIME - (Added in Shorewall-4.4.2) Must be empty or '-' if the
+        macro is to be used within an action.</para>
+
+        <programlisting>     &lt;timeelement&gt;[&amp;...]</programlisting>
+
+        <para><replaceable>timeelement</replaceable> may be:</para>
+
+        <variablelist>
+          <varlistentry>
+            <term>timestart=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+            <listitem>
+              <para>Defines the starting time of day.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>timestop=<replaceable>hh</replaceable>:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]</term>
+
+            <listitem>
+              <para>Defines the ending time of day.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>utc</term>
+
+            <listitem>
+              <para>Times are expressed in Greenwich Mean Time.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>localtz</term>
+
+            <listitem>
+              <para>Times are expressed in Local Civil Time (default).</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>weekdays=ddd[,ddd]...</term>
+
+            <listitem>
+              <para>where <replaceable>ddd</replaceable> is one of
+              <option>Mon</option>, <option>Tue</option>,
+              <option>Wed</option>, <option>Thu</option>,
+              <option>Fri</option>, <option>Sat</option> or
+              <option>Sun</option></para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>monthdays=dd[,dd],...</term>
+
+            <listitem>
+              <para>where <replaceable>dd</replaceable> is an ordinal day of
+              the month</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>datestart=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+            <listitem>
+              <para>Defines the starting date and time.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>datestop=<replaceable>yyyy</replaceable>[-<replaceable>mm</replaceable>[-<replaceable>dd</replaceable>[<option>T</option><replaceable>hh</replaceable>[:<replaceable>mm</replaceable>[:<replaceable>ss</replaceable>]]]]]</term>
+
+            <listitem>
+              <para>Defines the ending date and time.</para>
+            </listitem>
+          </varlistentry>
+        </variablelist>
+      </listitem>
    </itemizedlist>

    <para>Omitted column entries should be entered using a dash ("-:).</para>
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -105,8 +105,11 @@
      <title>Overview</title>

      <para>Let's assume that a firewall is connected via two separate
-      Ethernet interfaces to two different ISPs as in the following
-      diagram.</para>
+      Ethernet interfaces to two different ISPs.<footnote>
+          <para>While we describe a setup using different ISPs in this
+          article, the facility also works with two uplinks from the same
+          ISP.</para>
+        </footnote> as in the following diagram.</para>

      <graphic align="center" fileref="images/TwoISPs.png" valign="middle" />

@@ -235,7 +238,7 @@

              <listitem>
                <para>Use mark values &gt; 255 for provider marks in this
-                column. </para>
+                column.</para>

                <itemizedlist>
                  <listitem>
@@ -329,9 +332,18 @@
                <term>track</term>

                <listitem>
-                  <para>If specified, connections FROM this interface are to
-                  be tracked so that responses may be routed back out this
-                  same interface.</para>
+                  <para><important>
+                      <para>Beginning with Shorwall 4.3.3, <emphasis
+                      role="bold">track</emphasis> defaults to the setting of
+                      the <option>TRACK_PROVIDERS</option> option in <ulink
+                      url="manpages/shorewall.conf">shorewall.conf
+                      </ulink>(5). To disable this option when you have
+                      specified TRACK_PROVIDERS=Yes, you must specify
+                      <emphasis role="bold">notrack</emphasis> (see
+                      below).</para>
+                    </important>If specified, connections FROM this interface
+                  are to be tracked so that responses may be routed back out
+                  this same interface.</para>

                  <para>You want to specify 'track' if Internet hosts will be
                  connecting to local servers through this provider. Any time
@@ -350,7 +362,8 @@
                  support</emphasis>).</para>

                  <important>
-                    <para>If you are using
+                    <para>If you are running a version of Shorewall earlier
+                    than 4.4.3 and are using
                    <filename>/etc/shorewall/providers</filename> because you
                    have multiple Internet connections, we recommend that you
                    specify <emphasis role="bold">track</emphasis> even if you
@@ -423,11 +436,30 @@
                <term>loose</term>

                <listitem>
-                  <para>Do not include routing rules that force traffic whose
+                  <para>Do not generate routing rules that force traffic whose
                  source IP is an address of the INTERFACE to be routed to
                  this provider. Useful for defining providers that are to be
                  used only when the appropriate packet mark is
                  applied.</para>
+
+                  <para>Shorewall makes no attempt to consolidate the routing
+                  rules added when <emphasis role="bold">loose</emphasis> is
+                  not specified. So, if you have multiple IP addresses on a
+                  provider interface, you may be able to replace the rules
+                  that Shorewall generates with one or two rules in
+                  <filename>/etc/shorewall/route_rules</filename>. In that
+                  case, you can specify <emphasis role="bold">loose</emphasis>
+                  to suppress Shorewall's rule generation. See the <link
+                  linkend="Complete">example</link> below.</para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term>notrack</term>
+
+                <listitem>
+                  <para>Added in Shorewall 4.4.3. This option turns off the
+                  <emphasis role="bold">track</emphasis> option.</para>
                </listitem>
              </varlistentry>

@@ -1151,7 +1183,10 @@ shorewall     2    2    -        eth0    192.168.1.254 track,balance=2,optional<
      <title>Gateway Monitoring and Failover</title>

      <para>There are a couple of options available for monitoring the status
-      of provider links and taking action when a failure occurs.</para>
+      of provider links and taking action when a failure occurs. Both of these
+      options assume that each provider has a unique nexthop gateway; if two
+      or more providers use the same gateway router then neither option is
+      suitable.</para>

      <para>You specify the <option>optional</option> option in
      <filename>/etc/shorewall/interfaces</filename>:</para>
@@ -1353,19 +1388,85 @@ fi</programlisting></para>
        supported. This allows additional files to be sourced in from the main
        configuration file.</para>

+        <para>LSM monitors the status of the links defined in its
+        configuration file and runs a user-provided script when the status of
+        a link changes. The script name is specified in the
+        <firstterm>eventscript</firstterm> option in the configuration file.
+        Key arguments to the script are as follows:</para>
+
+        <variablelist>
+          <varlistentry>
+            <term>$1</term>
+
+            <listitem>
+              <para>The state of the link ('up' or 'down')</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>$2</term>
+
+            <listitem>
+              <para>The name of the connection as specified in the
+              configuration file.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>$4</term>
+
+            <listitem>
+              <para>The name of the network interface associated with the
+              connection.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>$5</term>
+
+            <listitem>
+              <para>The email address of the person specified to receive
+              notifications. Specified in the
+              <firstterm>warn_email</firstterm> option in the configuration
+              file.</para>
+            </listitem>
+          </varlistentry>
+        </variablelist>
+
+        <para>It is the responsibility of the script to perform any action
+        needed in reaction to the connection state change. The default script
+        supplied with LSM composes an email and sends it to $5.</para>
+
        <para>I personally use LSM here at shorewall.net (configuration is
        described <link linkend="Complete">below</link>). I have set things up
-        so that Shorewall [re]starts lsm during processing of the
-        <command>start</command> and <command>restore</command> commands. I
-        don't have Shorewall restart lsm during Shorewall
-        <command>restart</command> because I restart Shorewall much more often
-        than the average user is likely to do. I have Shorewall start lsm
-        because I have a dynamic IP address from one of my providers
-        (Comcast); Shorewall detects the default gateway to that provider and
-        creates a secondary configuration file
-        (<filename>/etc/lsm/shorewall.conf</filename>) that contains the link
-        configurations. That file is included by
-        <filename>/etc/lsm/lsm.conf</filename>.B</para>
+        so that:</para>
+
+        <itemizedlist>
+          <listitem>
+            <para>Shorewall [re]starts lsm during processing of the
+            <command>start</command> and <command>restore</command> commands.
+            I don't have Shorewall restart lsm during Shorewall
+            <command>restart</command> because I restart Shorewall much more
+            often than the average user is likely to do.</para>
+          </listitem>
+
+          <listitem>
+            <para>Shorewall starts lsm because I have a dynamic IP address
+            from one of my providers (Comcast); Shorewall detects the default
+            gateway to that provider and creates a secondary configuration
+            file (<filename>/etc/lsm/shorewall.conf</filename>) that contains
+            the link configurations. That file is included by
+            <filename>/etc/lsm/lsm.conf</filename>.</para>
+          </listitem>
+
+          <listitem>
+            <para>The script run by LSM during state change
+            (<filename>/etc/lsm/script) </filename>writes a<filename>
+            ${VARDIR}/xxx.status</filename> file when the status of an
+            interface changes. Those files are read by the
+            <filename>isusable</filename> extension script (see below).</para>
+          </listitem>
+        </itemizedlist>

        <para>Below are my relevant configuration files.</para>

@@ -1376,12 +1477,10 @@ fi</programlisting></para>

        <para><filename>/etc/shorewall/isusable</filename>:</para>

-        <para>Note that <filename>/etc/lsm/script </filename>writes
-        a<filename> ${VARDIR}/xxx.status</filename> file when the status of an
-        interface changes.</para>
-
        <programlisting>local status=0
-
+#
+# Read the status file (if any) created by /etc/lsm/script
+#
 [ -f ${VARDIR}/${1}.status ] &amp;&amp; status=$(cat ${VARDIR}/${1}.status)

 return $status</programlisting>
@@ -1394,7 +1493,16 @@ return $status</programlisting>
 # Start lsm
 ###############################################################################
 start_lsm() {
+   #
+   # Kill any existing lsm process(es)
+   #
   killall lsm 2&gt; /dev/null
+   #
+   # Create the Shorewall-specific part of the LSM configuration. This file is
+   # included by /etc/lsm/lsm.conf
+   #
+   # Avvanta has a static gateway while Comcast's is dynamic
+   #
   cat &lt;&lt;EOF &gt; /etc/lsm/shorewall.conf
 connection {
    name=Avvanta
@@ -1410,13 +1518,20 @@ connection {
    ttl=1
 }
 EOF
+   #
+   # Since LSM assumes that interfaces start in the 'up' state, remove any
+   # existing status files that might have an interface in the down state
+   #
   rm -f /etc/shorewall/*.status
+   #
+   # Run LSM -- by default, it forks into the background
+   #
   /usr/sbin/lsm /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
 }</programlisting>

        <para>eth3 has a dynamic IP address so I need to use the
        Shorewall-detected gateway address ($ETH3_GATEWAY). I supply a default
-        value in the event that detection fails.</para>
+        value to be used in the event that detection fails.</para>

        <para><filename>/etc/shorewall/started</filename>:</para>

@@ -1454,7 +1569,7 @@ defaults {
  warn_email=teastep@shorewall.net
  check_arp=0
  sourceip=
-  ttl=64
+  ttl=0
 }

 include /etc/lsm/shorewall.conf</programlisting>
@@ -1522,11 +1637,11 @@ EOM

 echo $state &gt; ${VARDIR}/${DEVICE}.status

-/sbin/shorewall -f restart &gt;&gt; /var/log/lsm 2&gt;&amp;1
+/sbin/shorewall restart -f &gt;&gt; /var/log/lsm 2&gt;&amp;1

 /sbin/shorewall show routing &gt;&gt; /var/log/lsm

-exit 0;
+exit 0

 #EOF</programlisting>:</para>
      </section>
--- a/docs/NetfilterOverview.xml
+++ b/docs/NetfilterOverview.xml
@@ -119,34 +119,38 @@
    </important>

    <para>The above diagram should help you understand the output of
-    <quote>shorewall status</quote>. You may also wish to refer to <ulink
+    <quote>shorewall dump</quote>. You may also wish to refer to <ulink
    url="PacketHandling.html">this article</ulink> that describes the flow of
    packets through a Shorewall-generated firewall.</para>

-    <para>Here are some excerpts from <quote>shorewall status</quote> on a
+    <para>Here are some excerpts from <quote>shorewall dump</quote> on a
    server with one interface (eth0):</para>

-    <programlisting>[root@lists html]# shorewall status
+    <programlisting>[root@tipper ~]# shorewall dump
 
-Shorewall-1.4.7 Status at lists.shorewall.net - Mon Oct 13 12:51:13 PDT 2003
-                                                                                                                                                                                    
-Counters reset Sat Oct 11 08:12:57 PDT 2003</programlisting>
+Shorewall 4.4.2.2 Dump at tipper - Fri Oct 16 07:38:16 PDT 2009
+
+Counters reset Thu Oct  8 00:38:06 PDT 2009</programlisting>

    <para>The first table shown is the <emphasis role="bold">Filter</emphasis>
    table.</para>

    <programlisting>Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
- 679K  182M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
- 785K   93M accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
-    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID</programlisting>
+ 6428 1417K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW 
+ 967K  629M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
+   49  3896 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
+    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED</programlisting>
+
+    <para>The <quote>dynamic</quote> chain above is where dynamic blacklisting
+    is done.</para>

    <para>The following rule indicates that all traffic destined for the
    firewall that comes into the firewall on eth0 is passed to a chain called
    <quote>eth0_in</quote>. That chain will be shown further down.</para>

    <programlisting> 785K   93M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
-    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
+    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
                                                                                                                                                                                    
@@ -155,87 +159,87 @@ Chain FORWARD (policy DROP 0 packets, 0 bytes)
    0     0 accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
-    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
+    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
                                                                                                                                                                                    
 Chain OUTPUT (policy DROP 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination
- 679K  182M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
- 922K  618M accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
-    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
- 922K  618M fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
-    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
-    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
-    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0</programlisting>
+ 895K  181M fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
+   49  3896 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
+    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
+    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:' 
+    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 
+</programlisting>

    <para>Here is the eth0_in chain:</para>

    <programlisting>Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
- 785K   93M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
- 785K   93M net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0</programlisting>
-
-    <para>The <quote>dynamic</quote> chain above is where dynamic blacklisting
-    is done.</para>
+   49  3896 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
+    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
+    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:' 
+    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 
+</programlisting>

    <para>Next comes the <emphasis role="bold">Nat</emphasis> table:</para>

    <programlisting>NAT Table
- 
-Chain PREROUTING (policy ACCEPT 182K packets, 12M bytes)
- pkts bytes target     prot opt in     out     source               destination
-20005 1314K net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
- 
-Chain POSTROUTING (policy ACCEPT 678K packets, 44M bytes)
- pkts bytes target     prot opt in     out     source               destination
- 
-Chain OUTPUT (policy ACCEPT 678K packets, 44M bytes)
- pkts bytes target     prot opt in     out     source               destination
- 
-Chain net_dnat (1 references)
- pkts bytes target     prot opt in     out     source               destination
-  638 32968 REDIRECT   tcp  --  *      *       0.0.0.0/0           !206.124.146.177    tcp dpt:80 redir ports 3128
-</programlisting>

-    <para>And finally, the <emphasis role="bold">Mangle</emphasis>
-    table:</para>
+Chain PREROUTING (policy ACCEPT 5593 packets, 1181K bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain POSTROUTING (policy ACCEPT 11579 packets, 771K bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain OUTPUT (policy ACCEPT 11579 packets, 771K bytes)
+ pkts bytes target     prot opt in     out     source               destination</programlisting>
+
+    <para>Next, the <emphasis role="bold">Mangle</emphasis> table:</para>

    <programlisting>Mangle Table
- 
-Chain PREROUTING (policy ACCEPT 14M packets, 2403M bytes)
- pkts bytes target     prot opt in     out     source               destination
-1464K  275M pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
- 
-Chain INPUT (policy ACCEPT 14M packets, 2403M bytes)
- pkts bytes target     prot opt in     out     source               destination
- 
+
+Chain PREROUTING (policy ACCEPT 967K packets, 629M bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+ 967K  629M tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+
+Chain INPUT (policy ACCEPT 967K packets, 629M bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+
 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target     prot opt in     out     source               destination
- 
-Chain OUTPUT (policy ACCEPT 15M packets, 7188M bytes)
- pkts bytes target     prot opt in     out     source               destination
-1601K  800M outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
- 
-Chain POSTROUTING (policy ACCEPT 15M packets, 7188M bytes)
- pkts bytes target     prot opt in     out     source               destination
- 
-Chain outtos (1 references)
- pkts bytes target     prot opt in     out     source               destination
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
- 315K  311M TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
-  683 59143 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
- 3667 5357K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08
- 
-Chain pretos (1 references)
- pkts bytes target     prot opt in     out     source               destination
- 271K   15M TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
-  730 41538 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
- 2065  111K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08</programlisting>
+ pkts bytes target     prot opt in     out     source               destination         
+    0     0 tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+
+Chain OUTPUT (policy ACCEPT 895K packets, 181M bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+ 895K  181M tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+
+Chain POSTROUTING (policy ACCEPT 895K packets, 181M bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+ 895K  181M tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+
+Chain tcfor (1 references)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain tcout (1 references)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain tcpost (1 references)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain tcpre (1 references)
+ pkts bytes target     prot opt in     out     source               destination</programlisting>
+
+    <para>And finally, the <emphasis role="bold">Raw</emphasis> table:</para>
+
+    <programlisting>Raw Table
+
+Chain PREROUTING (policy ACCEPT 1004K packets, 658M bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain OUTPUT (policy ACCEPT 926K packets, 186M bytes)
+ pkts bytes target     prot opt in     out     source               destination</programlisting>
  </section>
 </article>
--- a/docs/OpenVZ.xml
+++ b/docs/OpenVZ.xml
@@ -135,7 +135,7 @@ server:~ # </programlisting>
    <section>
      <title>Shorewall Configuration</title>

-      <para>We recommend handlintg the strange OpenVZ configuration in
+      <para>We recommend handling the strange OpenVZ configuration in
      Shorewall as follows:</para>

      <para><filename>/etc/shorewall/zones</filename>:</para>
@@ -233,7 +233,7 @@ vz       venet0             -              routeback,rp_filter=0</programlisting
    </variablelist>

    <para>if you see annoying error messages as shown below during
-    start/restart, remove the module-init-tools package.</para>
+    start/restart, remove the module-init-tools package from the VE.</para>

    <programlisting>server:/etc/shorewall # shorewall restart
 Compiling...
@@ -476,7 +476,7 @@ INT_IF=eth1
 net     $NET_IF         detect                  dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0,<emphasis
            role="bold">proxyarp=1</emphasis>
 loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
-<emphasis role="bold">dmz     $VPS_IF         detect                  logmartians=1,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
+<emphasis role="bold">dmz     $VPS_IF         detect                  logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback</emphasis>
 ...</programlisting>This is a multi-ISP configuration so entries are required
      in <filename>/etc/shorewall/route_rules</filename>:</para>

--- a/docs/Shorewall-perl.xml
+++ b/docs/Shorewall-perl.xml
@@ -143,7 +143,7 @@
          </itemizedlist>
        </listitem>

-        <listitem>
+        <listitem id="Extensions">
          <para>With the shell-based compiler, extension scripts were copied
          into the compiled script and executed at run-time. In many cases,
          this approach doesn't work with Shorewall Perl because (almost) the
@@ -153,71 +153,83 @@
          extension scripts from earlier versions will no longer work.</para>

          <para>The following table summarizes when the various extension
-          scripts are run:<informaltable align="left" frame="none">
-              <tgroup cols="3">
-                <tbody>
-                  <row>
-                    <entry><emphasis role="bold">Compile-time (Must be written
-                    in Perl)</emphasis></entry>
+          scripts are run:</para>

-                    <entry><emphasis role="bold">Run-time</emphasis></entry>
+          <informaltable align="left" frame="none">
+            <tgroup cols="3">
+              <tbody>
+                <row>
+                  <entry><emphasis role="bold">Compile-time (Must be written
+                  in Perl)</emphasis></entry>

-                    <entry><emphasis role="bold">Eliminated</emphasis></entry>
-                  </row>
+                  <entry><emphasis role="bold">Run-time</emphasis></entry>

-                  <row>
-                    <entry>initdone</entry>
+                  <entry><emphasis role="bold">Eliminated</emphasis></entry>
+                </row>

-                    <entry>clear</entry>
+                <row>
+                  <entry>initdone</entry>

-                    <entry>continue</entry>
-                  </row>
+                  <entry>clear</entry>

-                  <row>
-                    <entry>maclog</entry>
+                  <entry>continue</entry>
+                </row>

-                    <entry>start</entry>
-                  </row>
+                <row>
+                  <entry>maclog</entry>

-                  <row>
-                    <entry>Per-chain (including those associated with
-                    actions)</entry>
+                  <entry>init</entry>

-                    <entry>started</entry>
+                  <entry></entry>
+                </row>

-                    <entry></entry>
-                  </row>
+                <row>
+                  <entry>Per-chain (including those associated with
+                  actions)</entry>

-                  <row>
-                    <entry></entry>
+                  <entry>start</entry>

-                    <entry>stop</entry>
+                  <entry></entry>
+                </row>

-                    <entry></entry>
-                  </row>
+                <row>
+                  <entry></entry>

-                  <row>
-                    <entry></entry>
+                  <entry>started</entry>

-                    <entry>stopped</entry>
+                  <entry></entry>
+                </row>

-                    <entry></entry>
-                  </row>
+                <row>
+                  <entry></entry>

-                  <row>
-                    <entry></entry>
+                  <entry>stop</entry>

-                    <entry>tcclear</entry>
+                  <entry></entry>
+                </row>

-                    <entry></entry>
-                  </row>
-                </tbody>
-              </tgroup>
-            </informaltable></para>
+                <row>
+                  <entry></entry>
+
+                  <entry>stopped</entry>
+
+                  <entry></entry>
+                </row>
+
+                <row>
+                  <entry></entry>
+
+                  <entry>tcclear</entry>
+
+                  <entry></entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </informaltable>

          <para>Compile-time extension scripts are executed using the Perl
          'eval `cat &lt;file&gt;`' mechanism. Be sure that each script
-          returns a 'true' value; otherwise, the Shorweall-perl compiler will
+          returns a 'true' value; otherwise, the Shorewall-perl compiler will
          assume that the script failed and will abort the compilation.</para>

          <para>When a script is invoked, the <emphasis
@@ -276,7 +288,7 @@

            <listitem>
              <para>There is only a single "pass as-is to iptables" argument
-              (so you must quote that part</para>
+              (so you must quote that part)</para>
            </listitem>
          </itemizedlist>

@@ -343,7 +355,7 @@ insert_rule $filter_table-&gt;{OUTPUT},     1, "-p udp --sport 1701 -j ACCEPT";
          the tos file released with Shorewall 1.4 and earlier.</para>
        </listitem>

-        <listitem>
+        <listitem id="SAVE_IPSETS">
          <para>Shorewall-perl insists that ipset names begin with a letter
          and be composed of alphanumeric characters and underscores (_). When
          used in a Shorewall configuration file, the name must be preceded by
@@ -547,7 +559,8 @@ DNAT-              net                192.168.1.3      tcp          21</programl
          starts/restarts</para>

          <para>To avoid this warning, replace interface names by the
-          corresponding network addresses (e.g., 192.168.144.0/24).</para>
+          corresponding network() in CIDR format (e.g.,
+          192.168.144.0/24).</para>
        </listitem>
      </orderedlist>
    </section>
@@ -657,15 +670,15 @@ DNAT-              net                192.168.1.3      tcp          21</programl
  <section id="Modules">
    <title>The Shorewall Perl Modules</title>

-    <para>Shorewall's Perl modules are installed in
-    /usr/share/shorewall-perl/Shorewall and the names of the packages are of
-    the form Shorewall::<firstterm>name</firstterm>. So by using this
-    directive<programlisting>use lib '/usr/share/shorewall-perl';</programlisting></para>
+    <para>In Shorewall 4.4 and later, Shorewall's Perl modules are installed
+    in /usr/share/shorewall/Shorewall and the names of the packages are of the
+    form Shorewall::<firstterm>name</firstterm>. So by using this
+    directive<programlisting>use lib '/usr/share/shorewall';</programlisting></para>

    <para>You can then load the modules via normal Perl use statements.</para>

    <section id="compiler.pl">
-      <title>/usr/share/shorewall-perl/compiler.pl</title>
+      <title>/usr/share/shorewall/compiler.pl</title>

      <para>While the compiler is normally run indirectly using
      /sbin/shorewall, it can be run directly as well.<programlisting><command>compiler.pl</command> [ <emphasis>option</emphasis> ... ] [ <emphasis>filename</emphasis> ]</programlisting></para>
@@ -721,25 +734,25 @@ DNAT-              net                192.168.1.3      tcp          21</programl
          role="bold">--log</emphasis>=&lt;logfile&gt;</member>
        </simplelist></para>

-      <para>Added in Shorewall 4.2. If given, compiler will log to this file
-      provider that --log_verbosity is &gt; -1.<simplelist>
+      <para>If given, compiler will log to this file provider that
+      --log_verbosity is &gt; -1.<simplelist>
          <member><emphasis
          role="bold">--log_verbosity</emphasis>=-1|0|1|2</member>
        </simplelist></para>

-      <para>Added in Shorewall 4.1. If given, controls the verbosity of
-      logging to the log specified by the --log parameter.</para>
+      <para>If given, controls the verbosity of logging to the log specified
+      by the --log parameter.</para>

      <simplelist>
        <member><emphasis role="bold">--family=</emphasis>4|6</member>
      </simplelist>

-      <para>Added in Shorewall 4.2.4. Specifies whether an IPv4 or an IPv6
-      firewall is to be created.</para>
+      <para>Specifies whether an IPv4 or an IPv6 firewall is to be
+      created.</para>

      <para>Example (compiles the configuration in the current directory
      generating a script named 'firewall' and using VERBOSITY
-      2).<programlisting><emphasis role="bold">/usr/share/shorewall-perl/compiler.pl -v 2 -d . firewall</emphasis></programlisting><note>
+      2).<programlisting><emphasis role="bold">/usr/share/shorewall/compiler.pl -v 2 -d . firewall</emphasis></programlisting><note>
          <para>The Perl-based compiler does not process
          <filename>/etc/shorewall/params</filename>. To include definitions
          in that file, you would need to do something like the
@@ -747,216 +760,135 @@ DNAT-              net                192.168.1.3      tcp          21</programl
 set -a                           # Export all variables set in /etc/shorewall/params
 . /etc/shorewall/params
 set +a
-/usr/share/shorewall-perl/compiler.pl ...</command></programlisting></para>
+/usr/share/compiler.pl ...</command></programlisting></para>
        </note></para>
    </section>

    <section id="Compiler">
      <title>Shorewall::Compiler</title>

-      <section id="Compiler-4.0">
-        <title>Shorewall 4.0</title>
+      <para>To avoid a proliferation of parameters to
+      Shorewall::Compiler::compile(), that function uses named parameters.
+      Parameter names are:</para>

-        <para><programlisting> use lib '/usr/share/shorewall-perl';
- use Shorewall::Compiler;
-        
- compiler $filename, $directory, $verbose, $options $chains</programlisting>Arguments
-        to the compiler are:</para>
+      <variablelist>
+        <varlistentry>
+          <term>script ('object' is also accepted but deprecated)</term>

-        <variablelist>
-          <varlistentry>
-            <term>$filename</term>
+          <listitem>
+            <para>Output script file. If omitted or '', the configuration is
+            syntax checked.</para>
+          </listitem>
+        </varlistentry>

-            <listitem>
-              <para>Name of the compiled script to be created. If the
-              arguments evaluates to false, the configuration is syntax
-              checked.</para>
-            </listitem>
-          </varlistentry>
+        <varlistentry>
+          <term>directory</term>

-          <varlistentry>
-            <term>$directory</term>
+          <listitem>
+            <para>Directory. If omitted or '', configuration files are located
+            using CONFIG_PATH. Otherwise, the directory named by this
+            parameter is searched first.</para>
+          </listitem>
+        </varlistentry>

-            <listitem>
-              <para>The directory containing the configuration. If passed as
-              '', then <filename class="directory">/etc/shorewall/</filename>
-              is assumed.</para>
-            </listitem>
-          </varlistentry>
+        <varlistentry>
+          <term>verbosity</term>

-          <varlistentry>
-            <term>$verbose</term>
+          <listitem>
+            <para>Verbosity; range -1 to 2</para>
+          </listitem>
+        </varlistentry>

-            <listitem>
-              <para>The verbosity level that the compiler will run with
-              (0-2).<note>
-                  <para>The VERBOSITY setting in the
-                  <filename>shorewall.conf</filename> file read by the
-                  compiler will determine the default verbosity for the
-                  compiled program.</para>
-                </note></para>
-            </listitem>
-          </varlistentry>
+        <varlistentry>
+          <term>timestamp</term>

-          <varlistentry>
-            <term>$options</term>
+          <listitem>
+            <para>0|1 -- timestamp messages.</para>
+          </listitem>
+        </varlistentry>

-            <listitem>
-              <para>A bitmap of options. Shorewall::Compiler exports three
-              constants to help building this argument:<simplelist>
-                  <member>EXPORT = 0x01</member>
+        <varlistentry>
+          <term>debug</term>

-                  <member>TIMESTAMP = 0x02</member>
+          <listitem>
+            <para>0|1 -- include stack trace in warning/error messages.</para>
+          </listitem>
+        </varlistentry>

-                  <member>DEBUG = 0x04</member>
-                </simplelist></para>
-            </listitem>
-          </varlistentry>
+        <varlistentry>
+          <term>export</term>

-          <varlistentry>
-            <term>$chains</term>
+          <listitem>
+            <para>0|1 -- compile for export.</para>
+          </listitem>
+        </varlistentry>

-            <listitem>
-              <para>A comma-separated list of chains that the generated
-              script's 'refresh' command will reload. If passed as an empty
-              string, then 'blacklist' is assumed.</para>
-            </listitem>
-          </varlistentry>
-        </variablelist>
+        <varlistentry>
+          <term>chains</term>

-        <para>The compiler raises an exception with 'die' if it encounters an
-        error; $@ contains the 'ERROR' messages describing the problem. The
-        compiler function can be called repeatedly with different
-        inputs.</para>
-      </section>
+          <listitem>
+            <para>List of chains to be reloaded by 'refresh'</para>
+          </listitem>
+        </varlistentry>

-      <section>
-        <title>Shorewall 4.2 and Later</title>
+        <varlistentry>
+          <term>log</term>

-        <para>To avoid a proliferation of parameters to
-        Shorewall::Compiler::compile(), that function has been changed to use
-        named parameters. Parameter names are:</para>
+          <listitem>
+            <para>File to log compiler messages to.</para>
+          </listitem>
+        </varlistentry>

-        <variablelist>
-          <varlistentry>
-            <term>object</term>
+        <varlistentry>
+          <term>log_verbosity</term>

-            <listitem>
-              <para>Object file. If omitted or '', the configuration is syntax
-              checked.</para>
-            </listitem>
-          </varlistentry>
+          <listitem>
+            <para>Log Verbosity; range -1 to 2.</para>
+          </listitem>
+        </varlistentry>

-          <varlistentry>
-            <term>directory</term>
+        <varlistentry>
+          <term>family</term>

-            <listitem>
-              <para>Directory. If omitted or '', configuration files are
-              located using CONFIG_PATH. Otherwise, the directory named by
-              this parameter is searched first.</para>
-            </listitem>
-          </varlistentry>
+          <listitem>
+            <para>Address family: 4 or 6</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>

-          <varlistentry>
-            <term>verbosity</term>
+      <para>Those parameters that are supplied must have defined values.
+      Defaults are: <simplelist>
+          <member>script '' ('check' command)</member>

-            <listitem>
-              <para>Verbosity; range -1 to 2</para>
-            </listitem>
-          </varlistentry>
+          <member>directory ''</member>

-          <varlistentry>
-            <term>timestamp</term>
+          <member>verbosity 1</member>

-            <listitem>
-              <para>0|1 -- timestamp messages.</para>
-            </listitem>
-          </varlistentry>
+          <member>timestamp 0</member>

-          <varlistentry>
-            <term>debug</term>
+          <member>debug 0</member>

-            <listitem>
-              <para>0|1 -- include stack trace in warning/error
-              messages.</para>
-            </listitem>
-          </varlistentry>
+          <member>export 0</member>

-          <varlistentry>
-            <term>export</term>
+          <member>chains ''</member>

-            <listitem>
-              <para>0|1 -- compile for export.</para>
-            </listitem>
-          </varlistentry>
+          <member>log ''</member>

-          <varlistentry>
-            <term>chains</term>
+          <member>log_verbosity -1</member>

-            <listitem>
-              <para>List of chains to be reloaded by 'refresh'</para>
-            </listitem>
-          </varlistentry>
+          <member>family 4</member>
+        </simplelist></para>

-          <varlistentry>
-            <term>log</term>
-
-            <listitem>
-              <para>File to log compiler messages to.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term>log_verbosity</term>
-
-            <listitem>
-              <para>Log Verbosity; range -1 to 2.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term>family</term>
-
-            <listitem>
-              <para>Address family: 4 or 6</para>
-            </listitem>
-          </varlistentry>
-        </variablelist>
-
-        <para>Those parameters that are supplied must have defined values.
-        Defaults are: <simplelist>
-            <member>object '' ('check' command)</member>
-
-            <member>directory ''</member>
-
-            <member>verbosity 1</member>
-
-            <member>timestamp 0</member>
-
-            <member>debug 0</member>
-
-            <member>export 0</member>
-
-            <member>chains ''</member>
-
-            <member>log ''</member>
-
-            <member>log_verbosity -1</member>
-
-            <member>family 4</member>
-          </simplelist></para>
-
-        <para>Example: <programlisting>use lib '/usr/share/shorewall-perl/';
+      <para>Example: <programlisting>use lib '/usr/share/shorewall/';
 use Shorewall::Compiler;

-compiler( object =&gt; '/root/firewall', log =&gt; '/root/compile.log', log_verbosity =&gt; 2 ); </programlisting></para>
-      </section>
+compiler( script =&gt; '/root/firewall', log =&gt; '/root/compile.log', log_verbosity =&gt; 2 ); </programlisting></para>
    </section>

    <section id="Chains">
      <title>Shorewall::Chains</title>

-      <para><programlisting>use lib '/usr/share/shorewall-perl';
+      <para><programlisting>use lib '/usr/share/shorewall';
 use Shorewall::Chains;

 my $chainref1 = chain_new $table, $name1;
@@ -1195,7 +1127,7 @@ my $chainref7 = $filter_table{$name};</programlisting>Shorewall::Chains is
    <section id="Config">
      <title>Shorewall::Config</title>

-      <para><programlisting>use lib '/usr/share/shorewall-perl';
+      <para><programlisting>use lib '/usr/share/shorewall';
 use Shorewall::Config;

 warning message "This entry is bogus";
@@ -1205,7 +1137,7 @@ progress_message  "This will only be seen if VERBOSITY &gt;= 2";
 progress_message2 "This will only be seen if VERBOSITY &gt;= 1";
 progress_message3 "This will be seen unless VERBOSITY &lt; 0";
 </programlisting>The <emphasis role="bold">shorewall()</emphasis> function may
-      be optionally included:<programlisting>use lib '/usr/share/shorewall-perl';
+      be optionally included:<programlisting>use lib '/usr/share/shorewall';
 use Shorewall::Config qw/shorewall/;

 shorewall $config_file_entry;</programlisting>The Shorewall::Config module
--- a/docs/SimpleBridge.xml
+++ b/docs/SimpleBridge.xml
@@ -93,6 +93,12 @@
    bridge-specific changes are restricted to the
    <filename>/etc/shorewall/interfaces</filename> file.</para>

+    <note>
+      <para>Older configurations that specify an interface name in the SOURCE
+      column of <filename>/etc/shorewall/masq</filename> will also need to
+      change that file.</para>
+    </note>
+
    <para>This example illustrates the bridging of two Ethernet devices but
    the types of the devices really isn't important. What is shown here would
    apply equally to bridging an Ethernet device to an <ulink
@@ -138,5 +144,11 @@ loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <
 net            eth0            detect         ...
 loc            <emphasis role="bold">br0</emphasis>             10.0.1.255     <emphasis
          role="bold">routeback,bridge</emphasis>,...</programlisting></para>
+
+    <para>Your entry in <filename>/etc/shorewall/masq</filename> should be
+    unchanged:</para>
+
+    <programlisting>#INTERFACE     SOURCE          ADDRESS
+eth0           10.0.1.0/24     ...            # 10.0.1.0/24 is the local network on LAN A and LAN B</programlisting>
  </section>
 </article>
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -226,5 +226,15 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>

      <para>Re-enables traffic from 192.0.2.125.</para>
    </example>
+
+    <example>
+      <title>Displaying the Dynamic Blacklist</title>
+
+      <programlisting>    <command>shorewall show dynamic</command></programlisting>
+
+      <para>Displays the 'dynamic' chain which contains rules for the dynamic
+      blacklist. The <firstterm>source</firstterm> column contains the set of
+      blacklisted addresses.</para>
+    </example>
  </section>
 </article>
--- a/docs/bridge-Shorewall-perl.xml
+++ b/docs/bridge-Shorewall-perl.xml
@@ -619,6 +619,60 @@ br0             192.168.1.0/24  routeback
    firewall rules.</para>
  </section>

+  <section id="Multiple">
+    <title>Multiple Bridges with Wildcard Ports</title>
+
+    <para>It is sometimes required to configure multiple bridges on a single
+    firewall/gateway. The following seemingly valid configuration results in a
+    compile-time error</para>
+
+    <simplelist>
+      <member>ERROR: Duplicate Interface Name (p+)</member>
+    </simplelist>
+
+    <para><filename>/etc/shorewall/zones</filename>:</para>
+
+    <programlisting>       #ZONE            TYPE    
+       fw               firewall
+       world            ipv4
+       z1:world         bport4
+       z2:world         bport4</programlisting>
+
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
+       world            br0             -               bridge
+       world            br1             -               bridge
+       z1               br0:p+
+       z2               br1:p+</programlisting>
+
+    <para>The reason is that the Shorewall implementation requires each bridge
+    port to have a unique name. The <option>physical</option> interface option
+    was added in Shorewall 4.4.4 to work around this problem. The above
+    configuration may be defined using the following in
+    <filename>/etc/shorewall/interfaces</filename>: </para>
+
+    <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
+       world            br0             -               bridge
+       world            br1             -               bridge
+       z1               br0:x+          -               physical=p+
+       z2               br1:y+          -               physical=p+</programlisting>
+
+    <para>In this configuration, 'x+' is the logical name for ports p+ on
+    bridge br0 while 'y+' is the logical name for ports p+ on bridge
+    br1.</para>
+
+    <para>If you need to refer to a particular port on br1 (for example
+    p1023), you write it as y1023; Shorewall will translate that name to p1023
+    when needed.</para>
+
+    <para>Example from /etc/shorewall/rules:</para>
+
+    <programlisting>       #ACTION    SOURCE    DEST       PROTO    DEST
+       #                                        PORT(S)
+       REJECT     z1:x1023  z1:x1024   tcp      1234</programlisting>
+  </section>
+
  <section id="bridge-router">
    <title>Combination Router/Bridge</title>

--- a/Show More
+++ b/Show More