Update known problems

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Rename DESTIFAC_DISALLOW -> DESTIFACE_DISALLOW
2010-09-21 07:50:13 -07:00 · 2010-09-20 09:40:31 -07:00 · 2010-09-20 08:15:24 -07:00 · 2010-09-20 07:25:33 -07:00 · 2010-09-19 15:19:48 -07:00 · 2010-09-19 15:13:54 -07:00
180 changed files with 7850 additions and 2039 deletions
--- a/Samples/Universal/interfaces
+++ b/Samples/Universal/interfaces
@@ -0,0 +1,12 @@
 #
 # Shorewall version 4 - Interfaces File
 #
 # For information about entries in this file, type "man shorewall-interfaces"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 -	lo		-		ignore
 net	all		-		dhcp,physical=+,routeback,optional
--- a/Samples/Universal/policy
+++ b/Samples/Universal/policy
@@ -0,0 +1,13 @@
 #
 # Shorewall version 4 - Policy File
 #
 # For information about entries in this file, type "man shorewall-policy"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
 #SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
 #				LEVEL	BURST		MASK
 $FW	net	ACCEPT
 net	all	DROP
--- a/Samples/Universal/rules
+++ b/Samples/Universal/rules
@@ -0,0 +1,17 @@
 #
 # Shorewall version 4 - Rules File
 #
 # For information on the settings in this file, type "man shorewall-rules"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
 ####################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW
--- a/Samples/Universal/shorewall.conf
+++ b/Samples/Universal/shorewall.conf
@@ -0,0 +1,213 @@
 ###############################################################################
 #
 #  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
 #  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
 STARTUP_ENABLED=Yes
 ###############################################################################
 #		              V E R B O S I T Y
 ###############################################################################
 VERBOSITY=1
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
 LOGFILE=
 STARTUP_LOG=/var/log/shorewall-init.log
 LOG_VERBOSITY=2
 LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
 LOGLIMIT=
 LOGALLNEW=
 BLACKLIST_LOGLEVEL=
 MACLIST_LOG_LEVEL=info
 TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
 LOG_MARTIANS=Yes
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 IPTABLES=
 IP=
 TC=
 IPSET=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
 MODULESDIR=
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 RESTOREFILE=
 IPSECFILE=zones
 LOCKFILE=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 DROP_DEFAULT="Drop"
 REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
 QUEUE_DEFAULT="none"
 NFQUEUE_DEFAULT="none"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 IP_FORWARDING=On
 ADD_IP_ALIASES=No
 ADD_SNAT_ALIASES=No
 RETAIN_ALIASES=No
 TC_ENABLED=Internal
 TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 CLEAR_TC=Yes
 MARK_IN_FORWARD_CHAIN=No
 CLAMPMSS=No
 ROUTE_FILTER=No
 DETECT_DNAT_IPADDRS=No
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
 DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=ko
 DISABLE_IPV6=No
 BRIDGING=No
 DYNAMIC_ZONES=No
 PKTTYPE=Yes
 NULL_ROUTE_RFC1918=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 SAVE_IPSETS=No
 MAPOLDACTIONS=No
 FASTACCEPT=Yes
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 USE_ACTIONS=Yes
 OPTIMIZE=15
 EXPORTPARAMS=Yes
 EXPAND_POLICIES=Yes
 KEEP_RT_TABLES=No
 DELETE_THEN_ADD=Yes
 MULTICAST=No
 DONT_LOAD=
 AUTO_COMMENT=Yes
 MANGLE_ENABLED=Yes
 USE_DEFAULT_RT=No
 RESTORE_DEFAULT_ROUTE=Yes
 AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ACCOUNTING=Yes
 DYNAMIC_BLACKLIST=Yes
 OPTIMIZE_ACCOUNTING=No
 LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=Yes
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=Yes
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 TCP_FLAGS_DISPOSITION=DROP
 #LAST LINE -- DO NOT REMOVE
--- a/Samples/Universal/zones
+++ b/Samples/Universal/zones
@@ -0,0 +1,14 @@
 #
 # Shorewall version 4 - Zones File
 #
 # For information about this file, type "man shorewall-zones"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-zones.html
 #
 ###############################################################################
 #ZONE	TYPE		OPTIONS		IN			OUT
 #					OPTIONS			OPTIONS
 fw	firewall
 net	ip
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -42,9 +42,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
-LOGRATE=
+LOGLIMIT=
 LOGBURST=
 LOGALLNEW=
@@ -70,6 +68,8 @@ TC=
 IPSET=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 SHOREWALL_SHELL=/bin/sh
@@ -205,6 +205,12 @@ OPTIMIZE_ACCOUNTING=No
 LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=No
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -42,9 +42,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
-LOGRATE=
+LOGLIMIT=
 LOGBURST=
 LOGALLNEW=
@@ -70,6 +68,8 @@ TC=
 IPSET=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 SHOREWALL_SHELL=/bin/sh
@@ -205,6 +205,12 @@ OPTIMIZE_ACCOUNTING=No
 LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=No
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -49,9 +49,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
-LOGRATE=
+LOGLIMIT=
 LOGBURST=
 LOGALLNEW=
@@ -77,6 +75,8 @@ TC=
 IPSET=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 SHOREWALL_SHELL=/bin/sh
@@ -212,6 +212,12 @@ OPTIMIZE_ACCOUNTING=No
 LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=No
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/Universal/interfaces
+++ b/Samples6/Universal/interfaces
@@ -0,0 +1,13 @@
 #
 # Shorewall version 4 - Interfaces File
 #
 # For information about entries in this file, type "man shorewall-interfaces"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 -	lo		-		ignore
 net	all		-		dhcp,physical=+,routeback
--- a/Samples6/Universal/policy
+++ b/Samples6/Universal/policy
@@ -0,0 +1,14 @@
 #
 # Shorewall version 4 - Policy File
 #
 # For information about entries in this file, type "man shorewall-policy"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
 #SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
 #				LEVEL	BURST		MASK
 fw	net	ACCEPT
 net	all	DROP
--- a/Samples6/Universal/rules
+++ b/Samples6/Universal/rules
@@ -0,0 +1,17 @@
 #
 # Shorewall version 4 - Rules File
 #
 # For information on the settings in this file, type "man shorewall-rules"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
 ####################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW
--- a/Samples6/Universal/shorewall6.conf
+++ b/Samples6/Universal/shorewall6.conf
@@ -0,0 +1,168 @@
 ###############################################################################
 #
 #  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
 #
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
 #  Manpage also online at
 #  http://www.shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
 STARTUP_ENABLED=Yes
 ###############################################################################
 #		              V E R B O S I T Y
 ###############################################################################
 VERBOSITY=1
 ###############################################################################
 #			       L O G G I N G
 ###############################################################################
 LOGFILE=
 STARTUP_LOG=/var/log/shorewall6-init.log
 LOG_VERBOSITY=2
 LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
 LOGLIMIT=
 LOGALLNEW=
 BLACKLIST_LOGLEVEL=
 TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 IP6TABLES=
 IP=
 TC=
 IPSET=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
 MODULESDIR=
 CONFIG_PATH=/usr/share/shorewall6:/usr/share/shorewall
 RESTOREFILE=
 LOCKFILE=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 DROP_DEFAULT="Drop"
 REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
 QUEUE_DEFAULT="none"
 NFQUEUE_DEFAULT="none"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 IP_FORWARDING=Off
 TC_ENABLED=No
 TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 CLEAR_TC=Yes
 MARK_IN_FORWARD_CHAIN=No
 CLAMPMSS=No
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
 MODULE_SUFFIX=ko
 FASTACCEPT=Yes
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 OPTIMIZE=15
 EXPORTPARAMS=Yes
 EXPAND_POLICIES=Yes
 KEEP_RT_TABLES=Yes
 DELETE_THEN_ADD=Yes
 DONT_LOAD=
 AUTO_COMMENT=Yes
 MANGLE_ENABLED=Yes
 AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ACCOUNTING=Yes
 OPTIMIZE_ACCOUNTING=No
 DYNAMIC_BLACKLIST=Yes
 LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=Yes
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=Yes
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 BLACKLIST_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 #LAST LINE -- DO NOT REMOVE
--- a/Samples6/Universal/zones
+++ b/Samples6/Universal/zones
@@ -0,0 +1,14 @@
 #
 # Shorewall version 4 - Zones File
 #
 # For information about this file, type "man shorewall-zones"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-zones.html
 #
 ###############################################################################
 #ZONE	TYPE		OPTIONS		IN			OUT
 #					OPTIONS			OPTIONS
 fw	firewall
 net	ip
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -40,9 +40,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
-LOGRATE=
+LOGLIMIT=
 LOGBURST=
 LOGALLNEW=
@@ -58,6 +56,8 @@ SMURF_LOG_LEVEL=info
 IP6TABLES=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 SHOREWALL_SHELL=/bin/sh
@@ -153,6 +153,12 @@ OPTIMIZE_ACCOUNTING=No
 LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=No
 ##############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -40,9 +40,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
-LOGRATE=
+LOGLIMIT=
 LOGBURST=
 LOGALLNEW=
@@ -58,6 +56,8 @@ SMURF_LOG_LEVEL=info
 IP6TABLES=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 SHOREWALL_SHELL=/bin/sh
@@ -153,6 +153,12 @@ OPTIMIZE_ACCOUNTING=No
 LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=No
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.
+# Shorewall version 4.4 - Sample shorewall.conf for one-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -40,9 +40,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
-LOGRATE=
+LOGLIMIT=
 LOGBURST=
 LOGALLNEW=
@@ -58,6 +56,8 @@ SMURF_LOG_LEVEL=info
 IP6TABLES=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 SHOREWALL_SHELL=/bin/sh
@@ -153,6 +153,12 @@ OPTIMIZE_ACCOUNTING=No
 LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=No
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall-init/ifupdown.sh
+++ b/Shorewall-init/ifupdown.sh
@@ -93,7 +93,11 @@ for PRODUCT in $PRODUCTS; do
    VARDIR=/var/lib/$PRODUCT
    [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
    if [ -x $VARDIR/firewall ]; then
-	$VARDIR/firewall -V0 $COMMAND $IFACE
+	  ( . /usr/share/$PRODUCT/lib.base
 	    mutex_on
 	    ${VARDIR}/firewall -V0 $COMMAND $IFACE || echo_notdone
 	    mutex_off
 	  )
    fi
 done
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -84,7 +84,20 @@ shorewall_start () {
      VARDIR=/var/lib/$product
      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall stop || echo_notdone
+	  #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
 	      . /usr/share/$product/lib.base
 	      #
 	      # Get mutex so the firewall state is stable
 	      #
 	      mutex_on
 	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
 		  ${VARDIR}/firewall stop || echo_notdone
 	      fi
 	      mutex_off
 	  )
      fi
  done
@@ -103,7 +116,11 @@ shorewall_stop () {
      VARDIR=/var/lib/$product
      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || echo_notdone
+	  ( . /usr/share/$product/lib.base
 	    mutex_on
 	    ${VARDIR}/firewall clear || echo_notdone
 	    mutex_off
 	  )
      fi
  done
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -55,15 +55,17 @@ fi
 # Initialize the firewall
 shorewall_start () {
-  local product
+  local PRODUCT
-  local vardir
+  local VARDIR
  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
+  for PRODUCT in $PRODUCTS; do
-      vardir=/var/lib/$product
+      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir 
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${vardir}/firewall ]; then
+      if [ -x ${VARDIR}/firewall ]; then
-	  ${vardir}/firewall stop || exit 1
+	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
 	      ${VARDIR}/firewall stop || echo_notdone
 	  fi
      fi
  done
@@ -72,15 +74,15 @@ shorewall_start () {
 # Clear the firewall
 shorewall_stop () {
-  local product
+  local PRODUCT
-  local vardir
+  local VARDIR
  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
+  for PRODUCT in $PRODUCTS; do
-      vardir=/var/lib/$PRODUCT
+      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir 
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${vardir}/firewall ]; then
+      if [ -x ${VARDIR}/firewall ]; then
-	  ${vardir}/firewall clear || exit 1
+	  ${VARDIR}/firewall clear || exit 1
      fi
  done
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.10-RC1
+VERSION=4.4.13
 usage() # $1 = exit status
 {
@@ -285,7 +285,12 @@ fi
 if [ -z "$DESTDIR" ]; then
    if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
-	    ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
+	    if [ -x /sbin/insserv ]; then
 		insserv /etc/init.d/shorewall-init
 	    else
 		ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
 	    fi
 	    echo "Shorewall Init will start automatically at boot"
 	else
 	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
--- a/Shorewall-init/shorewall-init.spec
+++ b/Shorewall-init/shorewall-init.spec
@@ -1,6 +1,6 @@
 %define name shorewall-init
-%define version 4.4.10
+%define version 4.4.13
-%define release 0RC1
+%define release 0base
 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@@ -99,6 +99,48 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
 * Mon Sep 20 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0base
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta6
 * Mon Sep 13 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta5
 * Sat Sep 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta4
 * Mon Aug 30 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta3
 * Wed Aug 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta2
 * Wed Aug 18 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta1
 * Sun Aug 15 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0base
 * Fri Aug 06 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0RC1
 * Sun Aug 01 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta4
 * Sat Jul 31 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta3
 * Sun Jul 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta2
 * Wed Jul 21 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta1
 * Fri Jul 09 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0base
 * Mon Jul 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0RC1
 * Sat Jul 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta3
 * Thu Jul 01 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta2
 * Sun Jun 06 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta1
 * Sat Jun 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC1
 * Wed May 26 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.10-RC1
+VERSION=4.4.13
 usage() # $1 = exit status
 {
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.10-RC1
+VERSION=4.4.13
 usage() # $1 = exit status
 {
@@ -354,7 +354,13 @@ if [ -z "$DESTDIR" ]; then
    if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
-	    ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
+
 	    if [ -x /sbin/insserv ]; then
 		insserv /etc/init.d/shorewall-lite
 	    else
 		ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
 	    fi
 	    echo "Shorewall Lite will start automatically at boot"
 	else
 	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -628,14 +628,12 @@ case "$COMMAND" in
 	shift
 	start_command $@
 	;;
-    stop|clear)
+    stop|reset|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	run_it $g_firewall $debugging $nolock $COMMAND
+	[ -n "$nolock" ] || mutex_on
-	;;
+	run_it $g_firewall $debugging $COMMAND
-    reset)
+	[ -n "$nolock" ] || mutex_off
 	verify_firewall_script
 	run_it $SHOREWALL_SHELL $g_firewall $debugging $nolock $@
 	;;
    restart)
 	shift
@@ -777,14 +775,9 @@ case "$COMMAND" in
 	g_restorepath=${VARDIR}/$RESTOREFILE
 	if [ -x $g_restorepath ]; then
 	    if [ -x ${g_restorepath}-ipsets ]; then
 		rm -f ${g_restorepath}-ipsets
 		echo "    ${g_restorepath}-ipsets removed"
 	    fi
 	    rm -f $g_restorepath
 	    rm -f ${g_restorepath}-iptables
 	    rm -f ${g_restorepath}-ipsets
 	    echo "    $g_restorepath removed"
 	elif [ -f $g_restorepath ]; then
 	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.10
+%define version 4.4.13
-%define release 0RC1
+%define release 0base
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -102,6 +102,48 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
 * Mon Sep 20 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0base
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta6
 * Mon Sep 13 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta5
 * Sat Sep 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta4
 * Mon Aug 30 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta3
 * Wed Aug 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta2
 * Wed Aug 18 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta1
 * Sun Aug 15 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0base
 * Fri Aug 06 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0RC1
 * Sun Aug 01 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta4
 * Sat Jul 31 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta3
 * Sun Jul 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta2
 * Wed Jul 21 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta1
 * Fri Jul 09 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0base
 * Mon Jul 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0RC1
 * Sat Jul 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta3
 * Thu Jul 01 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta2
 * Sun Jun 06 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta1
 * Sat Jun 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC1
 * Wed May 26 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.10-RC1
+VERSION=4.4.13
 usage() # $1 = exit status
 {
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4.7';
+our $VERSION = '4.4.13';
 #
 # Called by the compiler to [re-]initialize this module's state
@@ -52,7 +52,7 @@ sub process_accounting_rule( ) {
    our $jumpchainref;
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File';
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File';
    if ( $action eq 'COMMENT' ) {
 	process_comment;
@@ -61,6 +61,16 @@ sub process_accounting_rule( ) {
    our $disposition = '';
    sub reserved_chain_name($) {
 	$_[0] =~ /^acc(?:ount(?:ing|out)|ipsecin|ipsecout)$/;
    }
    sub ipsec_chain_name($) {
 	if ( $_[0] =~ /^accipsec(in|out)$/ ) {
 	    $1;
 	}
    }
    sub check_chain( $ ) {
 	my $chainref = shift;
 	fatal_error "A non-accounting chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{policy};
@@ -72,10 +82,11 @@ sub process_accounting_rule( ) {
    sub jump_to_chain( $ ) {
 	my $jumpchain = $_[0];
-	$jumpchainref = ensure_accounting_chain( $jumpchain );
+	fatal_error "Jumps to the $jumpchain chain are not allowed" if reserved_chain_name( $jumpchain );
 	$jumpchainref = ensure_accounting_chain( $jumpchain, 0 );
 	check_chain( $jumpchainref );
 	$disposition = $jumpchain;
-	"-j $jumpchain";
+	$jumpchain;
    }
    my $target = '';
@@ -86,16 +97,19 @@ sub process_accounting_rule( ) {
    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
    my $rule2 = 0;
    my $jump  = 0;
    unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
-	    $target = '-j RETURN';
+	    $target = 'RETURN';
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 	    if ( $cmd ) {
 		if ( $cmd eq 'COUNT' ) {
-		    $rule2=1;
+		    $rule2 = 1;
-		} elsif ( $cmd ne 'JUMP' ) {
+		} elsif ( $cmd eq 'JUMP' ) {
 		    $jump = 1;
 		} else {
 		    accounting_error;
 		}
 	    }
@@ -137,7 +151,31 @@ sub process_accounting_rule( ) {
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
    }
-    my $chainref = ensure_accounting_chain $chain;
+    my $chainref = $filter_table->{$chain};
    my $dir;
    if ( ! $chainref ) {
 	$chainref = ensure_accounting_chain $chain, 0;
 	$dir      = ipsec_chain_name( $chain );
 	if ( $ipsec ne '-' ) {
 	    if ( $dir ) {
 		$rule .= do_ipsec( $dir, $ipsec );
 		$chainref->{ipsec} = $dir;
 	    } else {
 		fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
 	    }
 	} else {
 	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );	    
 	    $chainref->{ipsec} = $dir;
 	}
    } elsif ( $ipsec ne '-' ) {
 	$dir = $chainref->{ipsec};
 	fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
 	$rule .= do_ipsec( $dir , $ipsec );
    }
    $restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;
    expand_rule
 	$chainref ,
@@ -151,6 +189,22 @@ sub process_accounting_rule( ) {
 	$disposition ,
 	'' ;
    if ( $rule2 || $jump ) {
 	if ( $chainref->{ipsec} ) {
 	    if ( $jumpchainref->{ipsec} ) {
 		fatal_error "IPSEC in/out mismatch on chains $chain and $jumpchainref->{name}";
 	    } else {
 		fatal_error "$jumpchainref->{name} is not an IPSEC chain" if keys %{$jumpchainref->{references}} > 1;
 		$jumpchainref->{ipsec} = $chainref->{ipsec};
 	    }
 	} elsif ( $jumpchainref->{ipsec} ) {
 	    fatal_error "Jump from a non-IPSEC chain to an IPSEC chain not allowed";
 	} else {
 	    $jumpchainref->{ipsec} = $chainref->{ipsec};
 	}
    }
    if ( $rule2 ) {
 	expand_rule
 	    $jumpchainref ,
@@ -178,8 +232,6 @@ sub setup_accounting() {
    $nonEmpty |= process_accounting_rule while read_a_line;
    fatal_error "Accounring rules are isolated" if $nonEmpty && ! $filter_table->{accounting};
    clear_comment;
    if ( have_bridges ) {
@@ -192,13 +244,28 @@ sub setup_accounting() {
 	if ( $filter_table->{accountout} ) {
 	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 	}
-    } else {
+    } elsif ( $filter_table->{accounting} ) {
-	if ( $filter_table->{accounting} ) {
+	for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
+	    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	    }
 	}
    }
    if ( $filter_table->{accipsecin} ) {
 	for my $chain ( qw/INPUT FORWARD/ ) {
 	    add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
 	}
    }
    if ( $filter_table->{accipsecout} ) {
 	for my $chain ( qw/FORWARD OUTPUT/ ) {
 	    add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
 	}
    }
    for ( accounting_chainrefs ) {
 	warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
    }
 }
 1;
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -28,6 +28,7 @@ require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use strict;
@@ -57,7 +58,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_13';
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -178,9 +179,27 @@ sub find_macro( $ )
 #
 sub split_action ( $ ) {
    my $action = $_[0];
    my $target = '';
    my $max    = 3;
    #
    # The following rather grim RE, when matched, breaks the action into two parts:
    #
    #    basicaction(param)
    #    logging part (may be empty)
    #
    # The param may contain one or more ':' characters
    #
    if ( $action =~ /^([^(:]+\(.*?\))(:(.*))?$/ ) {
 	$target = $1;
 	$action = $2 ? $3 : '';
 	$max    = 2;
    }
    my @a = split( /:/ , $action, 4 );
-    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > 3 );
+    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
-    ( shift @a, join ":", @a );
+    $target = shift @a unless $target;
    ( $target, join ":", @a );
 }
 #
@@ -617,7 +636,7 @@ sub process_action( $$$$$$$$$$$ ) {
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
-		  $action ? "-j $action" : '',
+		  $action ,
 		  $level ,
 		  $action ,
 		  '' );
@@ -776,7 +795,7 @@ sub dropBcast( $$$ ) {
 	    if ( $family == F_IPV4 ) {
 		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
 	    } else {
-		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d ff00::/10 -j DROP ';
+		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
 	    }
 	}
@@ -801,7 +820,7 @@ sub dropBcast( $$$ ) {
    if ( $family == F_IPV4 ) {
 	add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
    } else {
-	add_rule $chainref, '-d ff00::/10 -j DROP';
+	add_rule $chainref, join( ' ', '-d', IPv6_MULTICAST, '-j DROP' );
    }
 }
@@ -833,8 +852,8 @@ sub allowBcast( $$$ ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 	    add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
 	} else {
-	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
-	    add_rule $chainref, '-d ff00:/10 -j ACCEPT';
+	    add_rule $chainref, join ( ' ', '-d', IPv6_MULTICAST, '-j ACCEPT' );
 	}
    }
 }
@@ -868,7 +887,8 @@ sub allowInvalid ( $$$ ) {
 }
 sub forwardUPnP ( $$$ ) {
-    dont_optimize 'forwardUPnP';
+    my $chainref = dont_optimize 'forwardUPnP';
    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
 }
 sub allowinUPnP ( $$$ ) {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_12';
 our $export;
@@ -271,7 +271,7 @@ sub generate_script_2() {
 	set_global_variables(1);
-	handle_optional_interfaces;
+	handle_optional_interfaces(0);
 	emit ';;';
@@ -284,7 +284,7 @@ sub generate_script_2() {
 	    set_global_variables(0);
-	    handle_optional_interfaces;
+	    handle_optional_interfaces(0);
 	    emit ';;';
 	}
@@ -294,7 +294,7 @@ sub generate_script_2() {
 	emit ( 'esac' ) ,
    } else {
-	emit( 'true' ) unless handle_optional_interfaces;
+	emit( 'true' ) unless handle_optional_interfaces(1);
    }
    pop_indent;
@@ -303,7 +303,6 @@ sub generate_script_2() {
 }
 #
 # Final stage of script generation.
 #
 #    Generate code for loading the various files in /var/lib/shorewall[6][-lite]
@@ -354,80 +353,17 @@ sub generate_script_3($) {
    }
    if ( $family == F_IPV4 ) {
-	my @ipsets = all_ipsets;
+	load_ipsets;
 	if ( @ipsets || $config{SAVE_IPSETS} ) {
 	    emit ( '',
 		   'local hack',
 		   '',
 		   'case $IPSET in',
 		   '    */*)',
 		   '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
 		   '        ;;',
 		   '    *)',
 		   '        IPSET="$(mywhich $IPSET)"',
 		   '        [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
 		   '        ;;',
 		   'esac',
 		   '',
 		   'if [ "$COMMAND" = start ]; then' ,
 		   '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		   '        $IPSET -F' ,
 		   '        $IPSET -X' ,
 		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
 		   '    fi' ,
 		   'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
 		   '    if [ -f $(my_pathname)-ipsets ]; then' ,
 		   '        if chain_exists shorewall; then' ,
 		   '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
 		   '        else' ,
 		   '            $IPSET -F' ,
 		   '            $IPSET -X' ,
 		   '            $IPSET -R < $(my_pathname)-ipsets' ,
 		   '        fi' ,
 		   '    fi' ,
 		 );
 	    if ( @ipsets ) {
 		emit '';
 		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
 		emit ( '' ,
 		       'elif [ "$COMMAND" = restart ]; then' ,
 		       '' );
 		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
 		emit ( '' ,
 		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
 		       '        #',
 		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
 		       '        #',
 		       '        hack=\'| grep -v /31\'' ,
 		       '    else' ,
 		       '        hack=' ,
 		       '    fi' ,
 		       '',
 		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
 		       '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
 		       '    fi' );
 	    }
 	    emit ( 'fi',
 		   '' );
 	}
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
-	       '   run_refresh_exit' );
+	       '   run_refresh_exit' ,
-
+	       'else' ,
 	emit ( "   qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
 	emit ( 'else' ,
 	       '    run_init_exit',
 	       'fi',
 	       '' );
 	save_dynamic_chains;
 	mark_firewall_not_started;
 	emit ('',
@@ -450,6 +386,7 @@ sub generate_script_3($) {
    } else {
 	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
 	       '' );
 	save_dynamic_chains;
 	mark_firewall_not_started;
 	emit '';
    }
@@ -505,33 +442,37 @@ EOF
    setup_forwarding( $family , 1 );
    push_indent;
-    emit<<'EOF';
+    my $config_dir = $globals{CONFIGDIR};
-    set_state "Started"
+
    emit<<"EOF";
    set_state Started $config_dir 
    run_restored_exit
 else
-    if [ $COMMAND = refresh ]; then
+    if [ \$COMMAND = refresh ]; then
        chainlist_reload
 EOF
    setup_forwarding( $family , 0 );
-    emit<<'EOF';
+    emit<<"EOF";
        run_refreshed_exit
        do_iptables -N shorewall
-        set_state "Started"
+        set_state Started $config_dir
    else
        setup_netfilter
        restore_dynamic_rules
        conditionally_flush_conntrack
 EOF
    setup_forwarding( $family , 0 );
-    emit<<'EOF';
+    emit<<"EOF";
        run_start_exit
        do_iptables -N shorewall
-        set_state "Started"
+        set_state Started $config_dir
        run_started_exit
    fi
 EOF
    emit<<'EOF';
    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
 fi
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -114,6 +114,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $product
 				       $Product
 				       $toolname
 				       $command
 				       $doing
 				       $done
@@ -131,7 +132,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 Exporter::export_ok_tags('internal');
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_13';
 #
 # describe the current command, it's present progressive, and it's completion.
@@ -218,6 +219,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 RECENT_MATCH    => 'Recent Match',
 		 OWNER_MATCH     => 'Owner Match',
 		 IPSET_MATCH     => 'Ipset Match',
 		 OLD_IPSET_MATCH => 'Old Ipset Match',
 		 CONNMARK        => 'CONNMARK Target',
 		 XCONNMARK       => 'Extended CONNMARK Target',
 		 CONNMARK_MATCH  => 'Connmark Match',
@@ -249,6 +251,8 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 OLD_HL_MATCH    => 'Old Hash Limit Match',
 		 TPROXY_TARGET   => 'TPROXY Target',
 		 FLOW_FILTER     => 'Flow Classifier',
 		 FWMARK_RT_MASK  => 'fwmark route mask',
 		 MARK_ANYWHERE   => 'Mark in any table',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -288,6 +292,7 @@ our $sillyname;               # Name of temporary filter chains for testing capa
 our $sillyname1;
 our $iptables;                # Path to iptables/ip6tables
 our $tc;                      # Path to tc
 our $ip;                      # Path to ip
 use constant { MIN_VERBOSITY => -1,
 	       MAX_VERBOSITY => 2 ,
@@ -335,14 +340,15 @@ sub initialize( $ ) {
    #
    %globals  =   ( SHAREDIR => '/usr/share/shorewall' ,
 		    SHAREDIRPL => '/usr/share/shorewall/' ,
-		    CONFDIR =>  '/etc/shorewall',
+		    CONFDIR =>  '/etc/shorewall',     # Run-time configuration directory
 		    CONFIGDIR => '',                  # Compile-time configuration directory (location of $product.conf)
 		    LOGPARMS => '',
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED => 0,
-		    VERSION => "4.4.10-RC1",
+		    VERSION => "4.4.13",
-		    CAPVERSION => 40408 ,
+		    CAPVERSION => 40413 ,
 		  );
    #
@@ -360,6 +366,7 @@ sub initialize( $ ) {
 	      LOGFILE => undef,
 	      LOGFORMAT => undef,
 	      LOGTAGONLY => undef,
 	      LOGLIMIT => undef,
 	      LOGRATE => undef,
 	      LOGBURST => undef,
 	      LOGALLNEW => undef,
@@ -378,6 +385,7 @@ sub initialize( $ ) {
 	      IP => undef,
 	      TC => undef,
 	      IPSET => undef,
 	      PERL => undef,
 	      #
 	      #PATH is inherited
 	      #
@@ -461,6 +469,8 @@ sub initialize( $ ) {
 	      DYNAMIC_BLACKLIST => undef,
 	      LOAD_HELPERS_ONLY => undef,
 	      REQUIRE_INTERFACE => undef,
 	      FORWARD_CLEAR_MARK => undef,
 	      COMPLETE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -505,6 +515,7 @@ sub initialize( $ ) {
 	      LOGFILE => undef,
 	      LOGFORMAT => undef,
 	      LOGTAGONLY => undef,
 	      LOGLIMIT => undef,
 	      LOGRATE => undef,
 	      LOGBURST => undef,
 	      LOGALLNEW => undef,
@@ -520,6 +531,7 @@ sub initialize( $ ) {
 	      IP => undef,
 	      TC => undef,
 	      IPSET => undef,
 	      PERL => undef,
 	      #
 	      #PATH is inherited
 	      #
@@ -582,6 +594,8 @@ sub initialize( $ ) {
 	      DYNAMIC_BLACKLIST => undef,
 	      LOAD_HELPERS_ONLY => undef,
 	      REQUIRE_INTERFACE => undef,
 	      FORWARD_CLEAR_MARK => undef,
 	      COMPLETE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -631,6 +645,7 @@ sub initialize( $ ) {
 	       RECENT_MATCH => undef,
 	       OWNER_MATCH => undef,
 	       IPSET_MATCH => undef,
 	       OLD_IPSET_MATCH => undef,
 	       CONNMARK => undef,
 	       XCONNMARK => undef,
 	       CONNMARK_MATCH => undef,
@@ -662,6 +677,8 @@ sub initialize( $ ) {
 	       PERSISTENT_SNAT => undef,
 	       OLD_HL_MATCH => undef,
 	       FLOW_FILTER => undef,
 	       FWMARK_RT_MASK => undef,
 	       MARK_ANYWHERE => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -1462,10 +1479,12 @@ sub split_list1( $$ ) {
 		fatal_error "Invalid $type list ($list)" if $count > 1;
 		push @list2 , $_;
 	    } else {
 		s/\(//;
 		$element = $_;
 	    }
 	} elsif ( ( $count =  tr/)/)/ ) > 0 ) {
 	    fatal_error "Invalid $type list ($list)" unless $element && $count == 1;
 	    s/\)//;
 	    push @list2, join ',', $element, $_;
 	    $element = '';
 	} elsif ( $element ) {
@@ -1764,7 +1783,9 @@ sub embedded_perl( $ ) {
 #   - Handle INCLUDE <filename>
 #
-sub read_a_line() {
+sub read_a_line(;$) {
    my $embedded_enabled = defined $_[0] ? shift : 1;
    while ( $currentfile ) {
 	$currentline = '';
@@ -1810,53 +1831,59 @@ sub read_a_line() {
 	    #
 	    # Must check for shell/perl before doing variable expansion
 	    #
-	    if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
+	    if ( $embedded_enabled ) {
-		embedded_shell( $1 );
+		if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
-	    } elsif ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
+		    embedded_shell( $1 );
-		embedded_perl( $1 );
+		    next;
 	    } else {
 		my $count = 0;
 		#
 		# Expand Shell Variables using %ENV
 		#
 		#                            $1      $2      $3           -     $4
 		while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 		    my $val = $ENV{$3};
 		    unless ( defined $val ) {
 			fatal_error "Undefined shell variable (\$$3)" unless exists $ENV{$3};
 			$val = '';
 		    }
 		    $currentline = join( '', $1 , $val , $4 );
 		    fatal_error "Variable Expansion Loop" if ++$count > 100;
 		}
-		if ( $currentline =~ /^\s*INCLUDE\s/ ) {
+		if ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
 		    embedded_perl( $1 );
 		    next;
 		}
 	    } 
-		    my @line = split ' ', $currentline;
+	    my $count = 0;
 	    #
 	    # Expand Shell Variables using %ENV
 	    #
 	    #                            $1      $2      $3           -     $4
 	    while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 		my $val = $ENV{$3};
-		    fatal_error "Invalid INCLUDE command"    if @line != 2;
+		unless ( defined $val ) {
-		    fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
+		    fatal_error "Undefined shell variable (\$$3)" unless exists $ENV{$3};
 		    $val = '';
 		}
-		    my $filename = find_file $line[1];
+		$currentline = join( '', $1 , $val , $4 );
 		fatal_error "Variable Expansion Loop" if ++$count > 100;
 	    }
-		    fatal_error "INCLUDE file $filename not found" unless -f $filename;
+	    if ( $currentline =~ /^\s*INCLUDE\s/ ) {
 		    fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
-		    if ( -s _ ) {
+		my @line = split ' ', $currentline;
 			push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
 			$currentfile = undef;
 			do_open_file $filename;
 		    } else {
 			$currentlinenumber = 0;
 		    }
-		    $currentline = '';
+		fatal_error "Invalid INCLUDE command"    if @line != 2;
 		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
 		my $filename = find_file $line[1];
 		fatal_error "INCLUDE file $filename not found" unless -f $filename;
 		fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
 		if ( -s _ ) {
 		    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
 		    $currentfile = undef;
 		    do_open_file $filename;
 		} else {
-		    print "IN===> $currentline\n" if $debug;
+		    $currentlinenumber = 0;
 		    return 1;
 		}
 		$currentline = '';
 	    } else {
 		print "IN===> $currentline\n" if $debug;
 		return 1;
 	    }
 	}
@@ -1899,9 +1926,11 @@ sub default ( $$ ) {
 sub default_yes_no ( $$ ) {
    my ( $var, $val ) = @_;
-    my $curval = "\L$config{$var}";
+    my $curval = $config{$var};
    if ( defined $curval && $curval ne '' ) {
 	$curval = lc $curval;
 	if (  $curval eq 'no' ) {
 	    $config{$var} = '';
 	} else {
@@ -2300,7 +2329,11 @@ sub Comments() {
 }
 sub Hashlimit_Match() {
-    have_capability 'OLD_HL_MATCH' || qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
+    if ( qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" ) ) {
 	! ( $capabilities{OLD_HL_MATCH} = 0 );
    } else {
 	have_capability 'OLD_HL_MATCH';
    }
 }
 sub Old_Hashlimit_Match() {
@@ -2347,11 +2380,11 @@ sub Raw_Table() {
    qt1( "$iptables -t raw -L -n" );
 }
-sub IPSet_Match() {
+sub Old_IPSet_Match() {
    my $ipset  = $config{IPSET} || 'ipset';
    my $result = 0;
-    $ipset = which $ipset unless $ipset =~ '//';
+    $ipset = which $ipset unless $ipset =~ '/';
    if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
@@ -2359,7 +2392,31 @@ sub IPSet_Match() {
 	if ( qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
 		qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
-		$result = 1;
+		$result = $capabilities{IPSET_MATCH} = 1;
 	    }
 	    qt( "$ipset -X $sillyname" );
 	}
    }
    $result;
 }
 sub IPSet_Match() {
    my $ipset  = $config{IPSET} || 'ipset';
    my $result = 0;
    $ipset = which $ipset unless $ipset =~ '/';
    if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
 	if ( qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
 		qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
 		$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
 	    } else {
 		$result = have_capability 'OLD_IPSET_MATCH';
 	    }
 	    qt( "$ipset -X $sillyname" );
@@ -2417,6 +2474,14 @@ sub Flow_Filter() {
    $tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0;
 }
 sub Fwmark_Rt_Mask() {
    $ip && system( "$ip rule add help 2>&1 | grep -q /MASK" ) == 0;
 }
 sub Mark_Anywhere() {
    qt1( "$iptables -A $sillyname -j MARK --set-mark 5" );
 }
 our %detect_capability =
    ( ADDRTYPE => \&Addrtype,
      CLASSIFY_TARGET => \&Classify_Target,
@@ -2428,6 +2493,7 @@ our %detect_capability =
      ENHANCED_REJECT => \&Enhanced_Reject,
      EXMARK => \&Exmark,
      FLOW_FILTER => \&Flow_Filter,
      FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
      GOTO_TARGET => \&Goto_Target,
      HASHLIMIT_MATCH => \&Hashlimit_Match,
      HELPER_MATCH => \&Helper_Match,
@@ -2435,6 +2501,7 @@ our %detect_capability =
      IPP2P_MATCH => \&Ipp2p_Match,
      IPRANGE_MATCH => \&IPRange_Match,
      IPSET_MATCH => \&IPSet_Match,
      OLD_IPSET_MATCH => \&Old_IPSet_Match,
      KLUDGEFREE => \&Kludgefree,
      LENGTH_MATCH => \&Length_Match,
      LOGMARK_TARGET => \&Logmark_Target,
@@ -2442,6 +2509,7 @@ our %detect_capability =
      MANGLE_ENABLED => \&Mangle_Enabled,
      MANGLE_FORWARD => \&Mangle_Forward,
      MARK => \&Mark,
      MARK_ANYWHERE => \&Mark_Anywhere,
      MULTIPORT => \&Multiport,
      NAT_ENABLED => \&Nat_Enabled,
      NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
@@ -2585,6 +2653,8 @@ sub determine_capabilities() {
 	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
 	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
 	$capabilities{FLOW_FILTER}     = detect_capability( 'FLOW_FILTER' );
 	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
 	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );
 	qt1( "$iptables -F $sillyname" );
@@ -2662,12 +2732,15 @@ sub process_shorewall_conf() {
    my $file = find_file "$product.conf";
    if ( -f $file ) {
 	$globals{CONFIGDIR} =  $file;
 	$globals{CONFIGDIR} =~ s/$product.conf//;
 	if ( -r _ ) {
 	    open_file $file;
 	    first_entry "Processing $file...";
-	    while ( read_a_line ) {
+	    while ( read_a_line(0) ) {
 		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);
 		    unless ( exists $config{$var} ) {
@@ -2742,12 +2815,18 @@ sub get_capabilities( $ ) {
 	fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
-	$tc = $config{TC};
+	$tc = $config{TC} || which 'tc';
 	if ( $tc ) {
 	    fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
 	}
 	$ip = $config{IP} || which 'ip';
 	if ( $ip ) {
 	    fatal_error "IP=$ip does not exist or is not executable" unless -x $ip;
 	}
 	load_kernel_modules;
 	if ( open_file 'capabilities' ) {
@@ -2820,7 +2899,60 @@ sub get_configuration( $ ) {
    $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
-    if ( $config{LOGRATE} || $config{LOGBURST} ) {
+    if ( my $rate = $config{LOGLIMIT} ) {
 	my $limit;
 	if ( $rate =~ /^[sd]:/ ) {
 	    require_capability 'HASHLIMIT_MATCH', 'Per-ip log rate limiting' , 's';
 	    $limit = "-m hashlimit ";
 	    my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
 	    my $units;
 	    if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
 		fatal_error "Invalid rate ($1)" unless $2;
 		fatal_error "Invalid burst value ($5)" unless $5;
 		$limit .= "--$match $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode ";
 		$units = $4;
 	    } elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))?)$/ ) {
 		fatal_error "Invalid rate ($1)" unless $2;
 		$limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
 		$units = $4;
 	    } else {
 		fatal_error "Invalid rate ($rate)";
 	    }
 	    $limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
 	    if ( $units && $units ne 'sec' ) {
 		my $expire = 60000; # 1 minute in milliseconds
 		if ( $units ne 'min' ) {
 		    $expire *= 60; #At least an hour
 		    $expire *= 24 if $units eq 'day';
 		}
 		$limit .= "--hashlimit-htable-expire $expire ";
 	    }
 	} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
 	    fatal_error "Invalid rate ($1)" unless $2;
 	    fatal_error "Invalid burst value ($5)" unless $5;
 	    $limit = "-m limit --limit $1 --limit-burst $5 ";
 	} elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
 	    fatal_error "Invalid rate (${1}${2})" unless $1;
 	    $limit = "-m limit --limit $rate ";
 	} else {
 	    fatal_error "Invalid rate ($rate)";
 	}
 	$globals{LOGLIMIT} = $limit;
 	warning_message "LOGRATE Ignored when LOGLIMIT is specified"  if $config{LOGRATE};
 	warning_message "LOGBURST Ignored when LOGLIMIT is specified" if $config{LOGBURST};
    } elsif ( $config{LOGRATE} || $config{LOGBURST} ) {
 	if ( defined $config{LOGRATE} ) {
 	    fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE}  =~ /^\d+\/(second|minute)$/;
 	}
@@ -2939,7 +3071,7 @@ sub get_configuration( $ ) {
    default_yes_no 'AUTO_COMMENT'               , 'Yes';
    default_yes_no 'MULTICAST'                  , '';
    default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
-    default_yes_no 'MANGLE_ENABLED'             , 'Yes';
+    default_yes_no 'MANGLE_ENABLED'             , have_capability 'MANGLE_ENABLED' ? 'Yes' : '';
    default_yes_no 'NULL_ROUTE_RFC1918'         , '';
    default_yes_no 'USE_DEFAULT_RT'             , '';
    default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
@@ -2950,6 +3082,10 @@ sub get_configuration( $ ) {
    default_yes_no 'OPTIMIZE_ACCOUNTING'        , '';
    default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
    default_yes_no 'REQUIRE_INTERFACE'          , '';
    default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability 'MARK' ? 'Yes' : '';
    default_yes_no 'COMPLETE'                   , '';
    require_capability 'MARK' , 'FOREWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
    numeric_option 'TC_BITS',          $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
    numeric_option 'MASK_BITS',        $config{WIDE_TC_MARKS} ? 16 : 8,  $config{TC_BITS};
@@ -2958,7 +3094,12 @@ sub get_configuration( $ ) {
    if ( $config{PROVIDER_OFFSET} ) {
 	$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
-	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 32;
+	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 31' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 31;
 	$globals{EXCLUSION_MASK} = 1 << ( $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS} );
    } elsif ( $config{MASK_BITS} >= $config{PROVIDER_BITS} ) {
 	$globals{EXCLUSION_MASK} = 1 << $config{MASK_BITS};
    } else {
 	$globals{EXCLUSION_MASK} = 1 << $config{PROVIDER_BITS};
    }
    $globals{TC_MAX}                 = make_mask( $config{TC_BITS} );
@@ -2966,6 +3107,12 @@ sub get_configuration( $ ) {
    $globals{PROVIDER_MIN}           = 1 << $config{PROVIDER_OFFSET};
    $globals{PROVIDER_MASK}          = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET};
    if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
 	$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
    } else {
 	$globals{USER_MASK} = 0;
    }
    if ( defined ( $val = $config{ZONE2ZONE} ) ) {
 	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
    } else {
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -73,7 +73,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_7';
+our $VERSION = '4.4_12';
 #
 # Some IPv4/6 useful stuff
@@ -87,18 +87,19 @@ our $validate_address;
 our $validate_net;
 our $validate_range;
 our $validate_host;
 our $family;
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
-	       IPv6_MULTICAST      => 'FF00::/10' ,
+	       IPv6_MULTICAST      => 'ff00::/8' ,
-	       IPv6_LINKLOCAL      => 'FF80::/10' ,
+	       IPv6_LINKLOCAL      => 'fe80::/10' ,
-	       IPv6_SITELOCAL      => 'FFC0::/10' ,
+	       IPv6_SITELOCAL      => 'feC0::/10' ,
 	       IPv6_LOOPBACK       => '::1' ,
-	       IPv6_LINK_ALLNODES  => 'FF01::1' ,
+	       IPv6_LINK_ALLNODES  => 'ff01::1' ,
-	       IPv6_LINK_ALLRTRS   => 'FF01::2' ,
+	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
-	       IPv6_SITE_ALLNODES  => 'FF02::1' ,
+	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
-	       IPv6_SITE_ALLRTRS   => 'FF02::2' ,
+	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
 	       ICMP                => 1,
 	       TCP                 => 6,
 	       UDP                 => 17,
@@ -123,8 +124,8 @@ sub valid_4address( $ ) {
    my @address = split /\./, $address;
    return 0 unless @address == 4;
-    for my $a ( @address ) {
+    for ( @address ) {
-	return 0 unless $a =~ /^\d+$/ && $a < 256;
+	return 0 unless /^\d+$/ && $_ < 256;
    }
    1;
@@ -157,8 +158,8 @@ sub decodeaddr( $ ) {
    my $result = shift @address;
-    for my $a ( @address ) {
+    for ( @address ) {
-	$result = ( $result << 8 ) | $a;
+	$result = ( $result << 8 ) | $_;
    }
    $result;
@@ -292,6 +293,11 @@ sub resolve_proto( $ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 65535 ? $number : undef;
    } else {
 	#
 	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
 	#
 	$proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6;
 	defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
    }
 }
@@ -332,7 +338,7 @@ sub validate_portpair( $$ ) {
    my @ports = split /:/, $portpair, 2;
-    $_ = validate_port( $proto, $_) for ( @ports );
+    $_ = validate_port( $proto, $_) for ( grep $_, @ports );
    if ( @ports == 2 ) {
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
@@ -439,7 +445,7 @@ sub expand_port_range( $$ ) {
 	#
 	# Validate the ports
 	#
-	( $first , $last ) = ( validate_port( $proto, $first ) , validate_port( $proto, $last ) );
+	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
 	$last++; #Increment last address for limit testing.
 	#
@@ -682,7 +688,7 @@ sub validate_host ($$ ) {
 #      able to re-initialize its dependent modules' state.
 #
 sub initialize( $ ) {
-    my $family = shift;
+    $family = shift;
    if ( $family == F_IPV4 ) {
 	$allip            = ALLIPv4;
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_13';
 our @addresses_to_add;
 our %addresses_to_add;
@@ -49,56 +49,6 @@ sub initialize() {
    %addresses_to_add = ();
 }
 #
 # Handle IPSEC Options in a masq record
 #
 sub do_ipsec_options($)
 {
    my %validoptions = ( strict       => NOTHING,
 			 next         => NOTHING,
 			 reqid        => NUMERIC,
 			 spi          => NUMERIC,
 			 proto        => IPSECPROTO,
 			 mode         => IPSECMODE,
 			 "tunnel-src" => NETWORK,
 			 "tunnel-dst" => NETWORK,
 		       );
    my $list=$_[0];
    my $options = '-m policy --pol ipsec --dir out ';
    my $fmt;
    for my $e ( split_list $list, 'option' ) {
 	my $val    = undef;
 	my $invert = '';
 	if ( $e =~ /([\w-]+)!=(.+)/ ) {
 	    $val    = $2;
 	    $e      = $1;
 	    $invert = '! ';
 	} elsif ( $e =~ /([\w-]+)=(.+)/ ) {
 	    $val = $2;
 	    $e   = $1;
 	}
 	$fmt = $validoptions{$e};
 	fatal_error "Invalid Option ($e)" unless $fmt;
 	if ( $fmt eq NOTHING ) {
 	    fatal_error "Option \"$e\" does not take a value" if defined $val;
 	} else {
 	    fatal_error "Missing value for option \"$e\""        unless defined $val;
 	    fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
 	}
 	$options .= $invert;
 	$options .= "--$e ";
 	$options .= "$val " if defined $val;
    }
    $options;
 }
 #
 # Process a single rule from the the masq file
 #
@@ -153,11 +103,11 @@ sub process_one_masq( )
 	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
 	if ( $ipsec =~ /^yes$/i ) {
-	    $baserule .= '-m policy --pol ipsec --dir out ';
+	    $baserule .= do_ipsec_options 'out', 'ipsec', '';
 	} elsif ( $ipsec =~ /^no$/i ) {
-	    $baserule .= '-m policy --pol none --dir out ';
+	    $baserule .= do_ipsec_options 'out', 'none', '';
 	} else {
-	    $baserule .= do_ipsec_options $ipsec;
+	    $baserule .= do_ipsec_options 'out', 'ipsec', $ipsec;
 	}
    } elsif ( have_ipsec ) {
 	$baserule .= '-m policy --pol none --dir out ';
@@ -175,7 +125,7 @@ sub process_one_masq( )
    for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-	my $target = '-j MASQUERADE ';
+	my $target = 'MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -221,7 +171,7 @@ sub process_one_masq( )
 		    fatal_error "The SAME target is no longer supported";
 		} elsif ( $addresses eq 'detect' ) {
 		    my $variable = get_interface_address $interface;
-		    $target = "-j SNAT --to-source $variable";
+		    $target = "SNAT --to-source $variable";
 		    if ( interface_is_optional $interface ) {
 			add_commands( $chainref,
@@ -231,13 +181,13 @@ sub process_one_masq( )
 			$detectaddress = 1;
 		    }
 		} elsif ( $addresses eq 'NONAT' ) {
-		    $target = '-j RETURN';
+		    $target = 'RETURN';
 		    $add_snat_aliases = 0;
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
 			if ( $addr =~ /^.*\..*\..*\./ ) {
-			    $target = '-j SNAT ';
+			    $target = 'SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
 			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				validate_range( $1, $2 );
@@ -448,7 +398,9 @@ sub setup_netmap() {
    while ( read_a_line ) {
-	my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';
+	my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
 	$net3 = ALLIP if $net3 eq '-';
 	for my $interface ( split_list $interfacelist, 'interface' ) {
@@ -459,15 +411,15 @@ sub setup_netmap() {
 	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 	    unless ( $interfaceref->{root} ) {
-		$rulein  = match_source_dev $interface;
+		$rulein  = match_source_dev( $interface );
-		$ruleout = match_dest_dev $interface;
+		$ruleout = match_dest_dev( $interface );
 		$interface = $interfaceref->{name};
 	    }
 	    if ( $type eq 'DNAT' ) {
-		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein  . "-d $net1 -j NETMAP --to $net2";
+		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
 	    } elsif ( $type eq 'SNAT' ) {
-		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
+		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
 	    } else {
 		fatal_error "Invalid type ($type)";
 	    }
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_12';
 # @policy_chains is a list of references to policy chains in the filter table
@@ -246,7 +246,7 @@ sub process_a_policy() {
 	$chainref->{synchain}  = $chain
    }
-    $chainref->{default}   = $default if $default;
+    $chainref->{default} = $default if $default;
    if ( $clientwild ) {
 	if ( $serverwild ) {
@@ -307,6 +307,7 @@ sub validate_policy()
 		 NFQUEUE_DEFAULT => 'NFQUEUE' );
    my $zone;
    my $firewall = firewall_zone;
    our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
    for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
@@ -332,7 +333,9 @@ sub validate_policy()
 	push @policy_chains, ( new_policy_chain $zone,         $zone, 'ACCEPT', PROVISIONAL );
 	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL ) if zone_type( $zone ) == BPORT;
-	if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
+	my $zoneref = find_zone( $zone );
 	if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} == VSERVER ) ) {
 	    for my $zone1 ( all_zones ) {
 		unless( $zone eq $zone1 ) {
 		    add_or_modify_policy_chain( $zone, $zone1 );
@@ -415,13 +418,14 @@ sub apply_policy_rules() {
    for my $chainref ( @policy_chains ) {
 	my $policy      = $chainref->{policy};
 	my $loglevel    = $chainref->{loglevel};
 	my $provisional = $chainref->{provisional};
 	my $default     = $chainref->{default};
 	my $name        = $chainref->{name};
 	my $synparms    = $chainref->{synparms};
-	if ( $policy ne 'NONE' ) {
+	unless ( $policy eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
 	    my $default     = $chainref->{default};
 	    my $name        = $chainref->{name};
 	    my $synparms    = $chainref->{synparms};
 	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
 		if ( $config{OPTIMIZE} & 2 ) {
 		    #
@@ -492,7 +496,14 @@ sub setup_syn_flood_chains() {
 	    my $level = $chainref->{loglevel};
 	    my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
 	    add_rule $synchainref , "${limit}-j RETURN";
-	    log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
+	    log_rule_limit( $level , 
 			    $synchainref , 
 			    $chainref->{name} , 
 			    'DROP', 
 			    $globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' , 
 			    '' , 
 			    'add' , 
 			    '' )
 		if $level ne '';
 	    add_rule $synchainref, '-j DROP';
 	}
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_13';
 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -275,7 +275,7 @@ sub add_a_provider( ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
    }
-    fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
+    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface, 1 );
    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
    my $physical    = get_physical $interface;
@@ -435,10 +435,12 @@ sub add_a_provider( ) {
    }
    if ( $mark ne '-' ) {
-	emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
+	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';
-	emit ( "run_ip rule add fwmark $mark pref $pref table $number",
+	emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
-	       "echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
+
 	emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
 	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_routing"
 	     );
    }
@@ -841,52 +843,101 @@ sub lookup_provider( $ ) {
 #
 # Returns true if there were required or optional interfaces
 #
-sub handle_optional_interfaces() {
+sub handle_optional_interfaces( $ ) {
-    my $returnvalue = verify_required_interfaces;
+    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';
    my $interfaces = find_interfaces_by_option 'optional';
    if ( @$interfaces ) {
-	for my $interface ( @$interfaces ) {
+	my $require     = $config{REQUIRE_INTERFACE};
 	    my $provider = $provider_interfaces{$interface};
 	    my $physical = get_physical $interface;
 	    my $base     = uc chain_base( $physical );
-	    emit( '' );
+	verify_required_interfaces( shift );
-	    if ( $config{REQUIRE_INTERFACE} ) {
+	emit( 'HAVE_INTERFACE=', '' ) if $require;
-		emit( 'HAVE_INTERFACE=' );
+	#
-		emit( '' );
+	# Clear the '_IS_USABLE' variables
-	    }
+	#
 	emit( join( '_', 'SW', uc chain_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
-	    if ( $provider ) {
+	if ( $wildcards ) {
-		#
+	    #
-		# This interface is associated with a non-shared provider -- get the provider table entry
+	    # We must consider all interfaces with an address in $family -- generate a list of such addresses. 
-		#
+	    #
-		my $providerref = $providers{$provider};
+	    emit( '', 
 		  'for interface in $(find_all_interfaces1); do',
 		);
-		if ( $providerref->{gatewaycase} eq 'detect' ) {
+	    push_indent;
-		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
+	    emit ( 'case "$interface" in' );
-		} else {
+	    push_indent;
-		    emit qq(if interface_is_usable $physical; then);
+	} else {
-		}
+	    emit '';
 	}
 	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
 	    my $provider    = $provider_interfaces{$interface};
 	    my $physical    = get_physical $interface;
 	    my $base        = uc chain_base( $physical );
 	    my $providerref = $providers{$provider};
 	    emit( "$physical)" ), push_indent if $wildcards;
 	    if ( $providerref->{gatewaycase} eq 'detect' ) {
 		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 	    } else {
 		#
 		# Not a provider interface
 		#
 		emit qq(if interface_is_usable $physical; then);
 	    }
-	    emit( '    HAVE_INTERFACE=Yes' ) if $config{REQUIRE_INTERFACE};
+	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
 		  'else' ,
 		  "    SW_${base}_IS_USABLE=" ,
 		  'fi' );
 	    emit( ';;' ), pop_indent if $wildcards;
 	}
-	if ( $config{REQUIRE_INTERFACE} ) {
+	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
 	    my $physical    = get_physical $interface;
 	    my $base        = uc chain_base( $physical );
 	    my $case        = $physical;
 	    my $wild        = $case =~ s/\+$/*/;
 	    if ( $wildcards ) {
 		emit( "$case)" );
 		push_indent;
 		if ( $wild ) {
 		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
 		    push_indent; 
 		    emit ( 'if interface_is_usable $interface; then' );
 		} else {
 		    emit ( "if interface_is_usable $physical; then" );
 		}
 	    } else {
 		emit ( "if interface_is_usable $physical; then" );
 	    }
 	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
 	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
 		   'fi' );
 	    if ( $wildcards ) {
 		pop_indent, emit( 'fi' ) if $wild;
 		emit( ';;' );
 		pop_indent;
 	    }
 	}
 	if ( $wildcards ) {
 	    emit( '*)' ,
 		  '    ;;'
 		);
 	    pop_indent;
 	    emit( 'esac' );
 	    pop_indent;
 	    emit('done' );
 	}
 	if ( $require ) {
 	    emit( '',
 		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
 		  '    case "$COMMAND" in',
@@ -901,7 +952,7 @@ sub handle_optional_interfaces() {
 	    emit( '                fatal_error "No network interface available"',
 		  '            else',
-		  '                startup_error "No network interface available',
+		  '                startup_error "No network interface available"',
 		  '            fi',
 		  '            ;;',
 		  '    esac',
@@ -909,10 +960,10 @@ sub handle_optional_interfaces() {
 		);
 	}
-	$returnvalue = 1;
+	return 1;
    }
-    $returnvalue;
+    verify_required_interfaces( shift );
 }
 #
@@ -951,14 +1002,14 @@ sub handle_stickiness( $ ) {
 		    } else {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
 			$rule2 = '';
 		    }
-		    $rule1 =~ s/-A tcpre //;
+		    assert ( $rule1 =~ s/^-A // );
 		    add_rule $chainref, $rule1;
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A tcpre //;
+			assert ( $rule2 =~ s/^-A // );
 			add_rule $chainref, $rule2;
 		    }
 		}
@@ -978,14 +1029,14 @@ sub handle_stickiness( $ ) {
 		    } else {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
 			$rule2 = '';
 		    }
-		    $rule1 =~ s/-A tcout //;
+		    assert( $rule1 =~ s/-A // );
 		    add_rule $chainref, $rule1;
 		    if ( $rule2 ) {
-			$rule2 =~ s/-A tcout //;
+			$rule2 =~ s/-A //;
 			add_rule $chainref, $rule2;
 		    }
 		}
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_7';
+our $VERSION = '4.4_13';
 #
 # Notrack
@@ -50,9 +50,9 @@ sub process_notrack_rule( $$$$$$ ) {
    ( my $zone, $source) = split /:/, $source, 2;
    my $zoneref  = find_zone $zone;
    my $chainref = ensure_raw_chain( notrack_chain $zone );
-    my $restriction = $zone eq firewall_zone ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
+    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
-    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
    require_capability 'RAW_TABLE', 'Notrack rules', '';
    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
@@ -64,7 +64,7 @@ sub process_notrack_rule( $$$$$$ ) {
 	$source ,
 	$dest ,
 	'' ,
-	'-j NOTRACK' ,
+	'NOTRACK' ,
 	'' ,
 	'NOTRACK' ,
 	'' ;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -40,37 +40,44 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_13';
 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
-		    fw       => 1
+		    fw       => 1,
 		    fwi      => 0,
 		  } ,
 	    CT => { chain  => 'tcpost' ,
 		    target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 1
+		    fw       => 1 ,
 		    fwi      => 0,
 		    } ,
 	    C  => { target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 1
+		    fw       => 1 ,
 		    fwi      => 1 ,
 		    } ,
 	    P  => { chain    => 'tcpre' ,
 		    connmark => 0 ,
-		    fw       => 0
+		    fw       => 0 ,
 		    fwi      => 0 ,
 		    } ,
 	    CP => { chain    => 'tcpre' ,
 		    target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 0
+		    fw       => 0 ,
 		    fwi      => 0 ,
 		    } ,
 	    F =>  { chain    => 'tcfor' ,
 		    connmark => 0 ,
-		    fw       => 0
+		    fw       => 0 ,
 		    fwi      => 0 ,
 		    } ,
 	    CF => { chain    => 'tcfor' ,
 		    connmark => 1 ,
 		    fw       => 0 ,
 		    fwi      => 0 ,
 		    } ,
 	    );
@@ -158,6 +165,7 @@ our %tcclasses;
 our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 		      tcpost     => POSTROUTE_RESTRICT ,
 		      tcfor      => NO_RESTRICT ,
 		      tcin       => INPUT_RESTRICT ,
 		      tcout      => OUTPUT_RESTRICT );
 our $family;
@@ -218,12 +226,23 @@ sub process_tc_rule( ) {
 	}
    }
    if ( $dest ) {
 	if ( $dest eq $fw ) {
 	    $chain = 'tcin';
 	    $dest  = '';
 	} else {
 	    $chain = 'tcin' if $dest =~ s/^($fw)://;
 	}
    }
    if ( $designator ) {
 	$tcsref = $tcs{$designator};
 	if ( $tcsref ) {
 	    if ( $chain eq 'tcout' ) {
 		fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
 	    } elsif ( $chain eq 'tcin' ) {
 		fatal_error "Invalid chain designator for dest $fw" unless $tcsref->{fwi};
 	    }
 	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
@@ -250,6 +269,8 @@ sub process_tc_rule( ) {
    $list = '';
    my $restriction = 0;
    unless ( $classid ) {
      MARK:
 	{
@@ -259,7 +280,7 @@ sub process_tc_rule( ) {
 		    require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
-		    $target      = "$tccmd->{target} ";
+		    $target      = $tccmd->{target};
 		    my $marktype = $tccmd->{mark};
 		    if ( $marktype == NOMARK ) {
@@ -268,15 +289,19 @@ sub process_tc_rule( ) {
 			$mark =~ s/^[|&]//;
 		    }
-		    if ( $target eq 'sticky ' ) {
+		    if ( $target eq 'sticky' ) {
 			if ( $chain eq 'tcout' ) {
 			    $target = 'sticko';
 			} else {
 			    fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
 			}
 			$restriction = DESTIFACE_DISALLOW;
 			ensure_mangle_chain($target);
 			$sticky++;
-		    } elsif ( $target eq 'IPMARK ' ) {
+		    } elsif ( $target eq 'IPMARK' ) {
 			my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
 			require_capability 'IPMARK_TARGET', 'IPMARK', 's';
@@ -313,7 +338,7 @@ sub process_tc_rule( ) {
 			}
 			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
-		    } elsif ( $target eq 'TPROXY ' ) {
+		    } elsif ( $target eq 'TPROXY' ) {
 			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
 			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
@@ -371,14 +396,16 @@ sub process_tc_rule( ) {
 		my $val = numeric_value( $cmd );
 		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
 		my $limit = $globals{TC_MASK};
-		fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
+		unless ( have_capability 'FWMARK_RT_MASK' ) {
-		    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
+		    fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
 			if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
 		}
 	    }
 	}
    }
    if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
-				     $restrictions{$chain} ,
+				     $restrictions{$chain} | $restriction,
 				     do_proto( $proto, $ports, $sports) .
 				     do_user( $user ) .
 				     do_test( $testval, $globals{TC_MASK} ) .
@@ -389,9 +416,9 @@ sub process_tc_rule( ) {
 				     $source ,
 				     $dest ,
 				     '' ,
-				     "-j $target $mark" ,
+				     $mark ? "$target $mark" : $target,
 				     '' ,
 				     '' ,
 				     $target ,
 				     '' ) )
 	  && $device ) {
 	#
@@ -408,11 +435,11 @@ sub rate_to_kbit( $ ) {
    my $rate = $_[0];
    return 0           if $rate eq '-';
-    return $1          if $rate =~ /^(\d+)kbit$/i;
+    return $1          if $rate =~ /^((\d+)(\.\d+)?)kbit$/i;
-    return $1 * 1000   if $rate =~ /^(\d+)mbit$/i;
+    return $1 * 1000   if $rate =~ /^((\d+)(\.\d+)?)mbit$/i;
-    return $1 * 8000   if $rate =~ /^(\d+)mbps$/i;
+    return $1 * 8000   if $rate =~ /^((\d+)(\.\d+)?)mbps$/i;
-    return $1 * 8      if $rate =~ /^(\d+)kbps$/i;
+    return $1 * 8      if $rate =~ /^((\d+)(\.\d+)?)kbps$/i;
-    return int($1/125) if $rate =~ /^(\d+)(bps)?$/;
+    return ($1/125)    if $rate =~ /^((\d+)(\.\d+)?)(bps)?$/;
    fatal_error "Invalid Rate ($rate)";
 }
@@ -431,8 +458,6 @@ sub calculate_quantum( $$ ) {
 sub process_flow($) {
    my $flow = shift;
    $flow =~ s/^\(// if $flow =~ s/\)$//;
    my @flow = split /,/, $flow;
    for ( @flow ) {
@@ -443,7 +468,7 @@ sub process_flow($) {
 }
 sub process_simple_device() {
-    my ( $device , $type , $bandwidth ) = split_line 1, 3, 'tcinterfaces';
+    my ( $device , $type , $in_bandwidth , $out_part ) = split_line 1, 4, 'tcinterfaces';
    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
@@ -463,7 +488,21 @@ sub process_simple_device() {
 	}
    }
-    $bandwidth = rate_to_kbit( $bandwidth );
+    my $in_burst = '10kb';
    if ( $in_bandwidth =~ /:/ ) {
 	my ( $in_band, $burst ) = split /:/, $in_bandwidth, 2;
 	if ( defined $burst && $burst ne '' ) {
 	    fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
 	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
 	    $in_burst = $burst;
 	}
 	$in_bandwidth = rate_to_kbit( $in_band );
    } else {
 	$in_bandwidth = rate_to_kbit( $in_bandwidth );
    }
    emit "if interface_is_up $physical; then";
@@ -475,10 +514,50 @@ sub process_simple_device() {
 	 );
    emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
-	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${bandwidth}kbit burst 10k drop flowid :1\n"
+	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n"
-	 ) if $bandwidth;
+	 ) if $in_bandwidth;
-    emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
+    if ( $out_part ne '-' ) {
 	my ( $out_bandwidth, $burst, $latency, $peak, $minburst ) = split ':', $out_part;
 	fatal_error "Invalid Out-BANDWIDTH ($out_part)" if ( defined $minburst && $minburst =~ /:/ ) || $out_bandwidth eq '';
 	$out_bandwidth = rate_to_kbit( $out_bandwidth );
 	my $command = "run_tc qdisc add dev $physical root handle $number: tbf rate ${out_bandwidth}kbit";
 	if ( defined $burst && $burst ne '' ) {
 	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
 	    $command .= " burst $burst";
 	} else {
 	    $command .= ' burst 10kb';
 	}
 	if ( defined $latency && $latency ne '' ) {
 	    fatal_error "Invalid latency ($latency)" unless $latency =~ /^\d+(?:\.\d+)?(s|sec|secs|ms|msec|msecs|us|usec|usecs)?$/;
 	    $command .= " latency $latency";
 	} else {
 	    $command .= ' latency 200ms';
 	}
 	if ( defined $peak && $peak ne '' ) {
 	    fatal_error "Invalid peak ($peak)" unless $peak =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
 	    $command .= " peakrate $peak";
 	}
 	if ( defined $minburst && $minburst ne '' ) {
 	    fatal_error "Invalid minburst ($minburst)" unless $minburst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
 	    $command .= " minburst $minburst";
 	}
 	emit $command;
 	my $id = $number; $number = in_hexp( $devnum | 0x100 );
 	emit "run_tc qdisc add dev $physical parent $id: handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
    } else {
 	emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
    }
    for ( my $i = 1; $i <= 3; $i++ ) {
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
@@ -1228,11 +1307,26 @@ sub setup_traffic_shaping() {
 		  qq(fi) );
 	}
-	my $inband = rate_to_kbit $devref->{in_bandwidth};
+	my $in_burst = '10kb';
 	my $inband;
 	if ( $devref->{in_bandwidth} =~ /:/ ) {
 	    my ( $in_band, $burst ) = split /:/, $devref->{in_bandwidth}, 2;
 	    if ( defined $burst && $burst ne '' ) {
 		fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
 		fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
 		$in_burst = $burst;
 	    }
 	    $inband = rate_to_kbit( $in_band );
 	} else {
 	    $inband = rate_to_kbit $devref->{in_bandwidth};
 	}
 	if ( $inband ) {
 	    emit ( "run_tc qdisc add dev $device handle ffff: ingress",
-		   "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
+		   "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst $in_burst drop flowid :1"
 		   );
 	}
@@ -1350,6 +1444,68 @@ sub setup_traffic_shaping() {
    }
 }
 #
 # Process a record in the secmarks file
 #
 sub process_secmark_rule() {
    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = split_line1( 2, 9 , 'Secmarks file' );
    if ( $secmark eq 'COMMENT' ) {
 	process_comment;
 	return;
    }
    my %chns = ( T => 'tcpost'  ,
 		 P => 'tcpre'   ,
 		 F => 'tcfor'   ,
 		 I => 'tcin'    ,
 		 O => 'tcout'   , );
    my %state = ( N =>  'NEW' ,
 		  E =>  'ESTABLISHED' , 
 		  ER => 'ESTABLISHED,RELATED' );
    my ( $chain , $state, $rest) = split ':', $chainin , 3;
    fatal_error "Invalid CHAIN:STATE ($chainin)" if $rest || ! $chain;
    my $chain1= $chns{$chain};
    fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
    fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && $chain1 ne 'tcout';
    if ( ( $state ||= '' ) ne '' ) {
 	my $state1;
 	fatal_error "Invalid STATE ( $state )" unless $state1 = $state{$state};
 	$state = "$globals{STATEMATCH} $state1 ";
    }
    my $target = $secmark eq 'SAVE'    ? 'CONNSECMARK --save' :
 	         $secmark eq 'RESTORE' ? 'CONNSECMARK --restore' :
 		 "SECMARK --selctx $secmark";
    my $disposition = $target;
    $disposition =~ s/ .*//;
    expand_rule( ensure_mangle_chain( $chain1 ) , 
 		 $restrictions{$chain1} ,
 		 $state .
 		 do_proto( $proto, $dport, $sport ) .
 		 do_user( $user ) .
 		 do_test( $mark, $globals{TC_MASK} ) ,
 		 $source , 
 		 $dest , 
 		 '' , 
 		 $target , 
 		 '' , 
 		 $disposition,
 		 '' );
    progress_message "Secmarks rule \"$currentline\" $done";
 }
 #
 # Process the tcrules file and setup traffic shaping
 #
@@ -1362,6 +1518,7 @@ sub setup_tc() {
 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
 	    ensure_mangle_chain 'tcfor';
 	    ensure_mangle_chain 'tcpost';
 	    ensure_mangle_chain 'tcin';
 	}
 	my $mark_part = '';
@@ -1383,9 +1540,12 @@ sub setup_tc() {
 	add_jump $mangle_table->{OUTPUT} ,     'tcout', 0, $mark_part;
 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    add_rule( $mangle_table->{FORWARD},     '-j MARK --set-mark 0' ) if have_capability 'MARK';
+	    my $mask = have_capability 'EXMARK' ? have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '' : '';
 	    add_rule( $mangle_table->{FORWARD},     "-j MARK --set-mark 0${mask}" ) if $config{FORWARD_CLEAR_MARK};
 	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
 	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
 	    add_jump $mangle_table->{INPUT} ,       'tcin' ,  0;
 	}
    }
@@ -1434,7 +1594,7 @@ sub setup_tc() {
 			  mark      => HIGHMARK ,
 			  mask      => '' } ,
 			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
-			  target    => 'MARK --and-mark ' ,
+			  target    => 'MARK --and-mark' ,
 			  mark      => HIGHMARK ,
 			  mask      => '' ,
 			  connmark  => 0
@@ -1456,9 +1616,20 @@ sub setup_tc() {
 	}
    }
-    add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;
+    if ( $config{MANGLE_ENABLED} ) {
 	if ( my $fn = open_file 'secmarks' ) {
-    handle_stickiness( $sticky );
+	    first_entry "$doing $fn...";
 	    process_secmark_rule while read_a_line;
 	    clear_comment;
 	}
 	add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;
 	handle_stickiness( $sticky );
    }
 }
 1;
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_13';
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -61,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}
-	my $options = $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
+	my $options = $globals{UNTRACKED} ? "-m state --state NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
 	add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 	add_tunnel_rule $outchainref, "-p 50 $dest   -j ACCEPT";
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -37,6 +37,7 @@ our @EXPORT = qw( NOTHING
 		  IPSECPROTO
 		  IPSECMODE
 		  FIREWALL
 		  VSERVER
 		  IP
 		  BPORT
 		  IPSEC
@@ -52,8 +53,11 @@ our @EXPORT = qw( NOTHING
 		  all_zones
 		  all_parent_zones
 		  complex_zones
 		  vserver_zones
 		  off_firewall_zones
 		  non_firewall_zones
 		  single_interface
 		  chain_base
 		  validate_interfaces_file
 		  all_interfaces
 		  all_bridges
@@ -67,18 +71,20 @@ our @EXPORT = qw( NOTHING
 		  source_port_to_bridge
 		  interface_is_optional
 		  find_interfaces_by_option
 		  find_interfaces_by_option1
 		  get_interface_option
 		  set_interface_option
 		  verify_required_interfaces
 		  compile_updown
 		  validate_hosts_file
 		  find_hosts_by_option
 		  find_zones_by_option
 		  all_ipsets
 		  have_ipsec
 		 );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_13';
 #
 # IPSEC Option types
@@ -89,7 +95,6 @@ use constant { NOTHING    => 'NOTHING',
 	       IPSECPROTO => 'ah|esp|ipcomp',
 	       IPSECMODE  => 'tunnel|transport'
 	       };
 #
 # Zone Table.
 #
@@ -150,21 +155,29 @@ our %reservedName = ( all => 1,
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                   }
 #                 }
 #
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files. 
 #
 our @interfaces;
 our %interfaces;
 our @bport_zones;
 our %ipsets;
 our %physical;
 our %basemap;
 our %mapbase;
 our $family;
 our $have_ipsec;
 our $baseseq;
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 3,
-	       IPSEC    => 4 };
+	       IPSEC    => 4,
 	       VSERVER  => 5 };
 use constant { SIMPLE_IF_OPTION   => 1,
 	       BINARY_IF_OPTION   => 2,
@@ -178,6 +191,7 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IF_OPTION_ZONEONLY => 8,
 	       IF_OPTION_HOST     => 16,
 	       IF_OPTION_VSERVER  => 32,
 	   };
 our %validinterfaceoptions;
@@ -210,6 +224,9 @@ sub initialize( $ ) {
    @bport_zones = ();
    %ipsets = ();
    %physical = ();
    %basemap = ();
    %mapbase = ();
    $baseseq = 0;
    if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -220,13 +237,13 @@ sub initialize( $ ) {
 				  dhcp        => SIMPLE_IF_OPTION,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
-				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
+				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				  norfc1918   => OBSOLETE_IF_OPTION,
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  optional    => SIMPLE_IF_OPTION,
 				  proxyarp    => BINARY_IF_OPTION,
 				  required    => SIMPLE_IF_OPTION,
-				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
+				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				  routefilter => NUMERIC_IF_OPTION ,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -251,12 +268,12 @@ sub initialize( $ ) {
 				    bridge      => SIMPLE_IF_OPTION,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
-				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
+				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
-				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
+				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION,
@@ -282,6 +299,7 @@ sub initialize( $ ) {
 sub parse_zone_option_list($$)
 {
    my %validoptions = ( mss          => NUMERIC,
 			 blacklist    => NOTHING,
 			 strict       => NOTHING,
 			 next         => NOTHING,
 			 reqid        => NUMERIC,
@@ -291,10 +309,12 @@ sub parse_zone_option_list($$)
 			 "tunnel-src" => NETWORK,
 			 "tunnel-dst" => NETWORK,
 		       );
    use constant { UNRESTRICTED => 1, NOFW => 2 };
    #
    # Hash of options that have their own key in the returned hash.
    #
-    my %key = ( mss => 'mss' );
+    my %key = ( mss => UNRESTRICTED , blacklist => NOFW );
    my ( $list, $zonetype ) = @_;
    my %h;
@@ -327,7 +347,8 @@ sub parse_zone_option_list($$)
 	    }
 	    if ( $key{$e} ) {
-		$h{$e} = $val;
+		fatal_error "Option '$e' not permitted with this zone type " if $key{$e} == NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
 		$h{$e} = $val || 1;
 	    } else {
 		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
 		$options .= $invert;
@@ -374,6 +395,7 @@ sub process_zone( \$ ) {
 	    fatal_error "Invalid Parent List ($2)" unless $p;
 	    fatal_error "Unknown parent zone ($p)" unless $zones{$p};
 	    fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL;
 	    fatal_error 'Subzones of a Vserver zone not allowed' if $zones{$p}{type} == VSERVER;
 	    push @{$zones{$p}{children}}, $zone;
 	}
    }
@@ -400,11 +422,14 @@ sub process_zone( \$ ) {
 	$firewall_zone = $zone;
 	$ENV{FW} = $zone;
 	$type = FIREWALL;
    } elsif ( $type eq 'vserver' ) {
 	fatal_error 'Vserver zones may not be nested' if @parents;
 	$type = VSERVER;
    } elsif ( $type eq '-' ) {
 	$type = IP;
 	$$ip = 1;
    } else {
-	fatal_error "Invalid zone type ($type)" ;
+	fatal_error "Invalid zone type ($type)";
    }
    if ( $type eq IPSEC ) {
@@ -414,20 +439,30 @@ sub process_zone( \$ ) {
 	}
    }
-    $zones{$zone} = { type       => $type,
+    my $zoneref = $zones{$zone} = { type       => $type,
-		      parents    => \@parents,
+				    parents    => \@parents,
-		      bridge     => '',
+				    bridge     => '',
-		      options    => { in_out  => parse_zone_option_list( $options || '', $type ) ,
+				    options    => { in_out  => parse_zone_option_list( $options || '', $type ) ,
-				      in      => parse_zone_option_list( $in_options || '', $type ) ,
+						    in      => parse_zone_option_list( $in_options || '', $type ) ,
-				      out     => parse_zone_option_list( $out_options || '', $type ) ,
+						    out     => parse_zone_option_list( $out_options || '', $type ) ,
-				      complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
+						    complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
-				      nested  => @parents > 0 ,
+						    nested  => @parents > 0 ,
-				      super   => 0 ,
+						    super   => 0 ,
-				    } ,
+						  } ,
-		      interfaces => {} ,
+				    interfaces => {} ,
-		      children   => [] ,
+				    children   => [] ,
-		      hosts      => {}
+				    hosts      => {}
-		    };
+				  };
    if ( $zoneref->{options}{in_out}{blacklist} ) {
 	for ( qw/in out/ ) {
 	    unless ( $zoneref->{options}{$_}{blacklist} ) {
 		$zoneref->{options}{$_}{blacklist} = 1;
 	    } else {
 		warning_message( "Redundant 'blacklist' in " . uc( $_ ) . '_OPTIONS' );
 	    }
 	}
    }
    return $zone;
@@ -493,9 +528,9 @@ sub zone_report()
    my @translate;
    if ( $family == F_IPV4 ) {
-	@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
+	@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
    } else {
-	@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
+	@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
    }
    for my $zone ( @zones )
@@ -552,9 +587,9 @@ sub dump_zone_contents()
    my @xlate;
    if ( $family == F_IPV4 ) {
-	@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
+	@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
    } else {
-	@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
+	@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
    }
    for my $zone ( @zones )
@@ -631,7 +666,9 @@ sub add_group_to_zone($$$$$)
    my $allip    = 0;
    for my $host ( @$networks ) {
-	$interfaces{$interface}{nets}++;
+	$interfaceref = $interfaces{$interface};
 	$interfaceref->{nets}++;
 	fatal_error "Invalid Host List" unless defined $host and $host ne '';
@@ -648,6 +685,13 @@ sub add_group_to_zone($$$$$)
 		if ( $host eq ALLIP ) {
 		    fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if @newnetworks;
 		    $interfaces{$interface}{zone} = $zone;
 		    #
 		    # Make 'find_hosts_by_option()' work correctly for this zone
 		    #
 		    for ( qw/blacklist maclist nosmurfs tcpflags/ ) {
 			$options->{$_} = $interfaceref->{options}{$_} if $interfaceref->{options}{$_};
 		    }
 		    $allip = 1;
 		}
 	    }
@@ -711,18 +755,30 @@ sub all_zones() {
    @zones;
 }
 sub off_firewall_zones() {
   grep ( ! ( $zones{$_}{type} == FIREWALL || $zones{$_}{type} == VSERVER )  ,  @zones );
 }
 sub non_firewall_zones() {
-   grep ( $zones{$_}{type} != FIREWALL ,  @zones );
+   grep ( $zones{$_}{type} != FIREWALL  ,  @zones );
 }
 sub all_parent_zones() {
-   grep ( ! @{$zones{$_}{parents}} ,  @zones );
+    #
    # Although the firewall zone is technically a parent zone, we let the caller decide
    # if it is to be included or not.
    #
    grep ( ! @{$zones{$_}{parents}} , off_firewall_zones );
 }
 sub complex_zones() {
    grep( $zones{$_}{options}{complex} , @zones );
 }
 sub vserver_zones() {
    grep ( $zones{$_}{type} == VSERVER, @zones );
 }
 sub firewall_zone() {
    $firewall_zone;
 }
@@ -734,6 +790,55 @@ sub is_a_bridge( $ ) {
    which 'brctl' && qt( "brctl show | tail -n+2 | grep -q '^$_[0]\[\[:space:\]\]'" );
 }
 #
 # Transform the passed interface name into a legal shell variable name.
 #
 sub chain_base($) {
    my $chain = $_[0];
    my $name  = $basemap{$chain};
    #
    # Return existing mapping, if any
    #
    return $name if $name;
    #
    # Remember initial value 
    #
    my $key = $chain;
    #
    # Handle VLANs and wildcards
    #
    $chain =~ s/\+$//;
    $chain =~ tr/./_/;
    if ( $chain =~ /^[0-9]/ || $chain =~ /[^\w]/ ) {
 	#
 	# Must map. Remove all illegal characters
 	#
 	$chain =~ s/[^\w]//g;
 	#
 	# Prefix with if_ if it begins with a digit
 	#
 	$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
 	#
 	# Create a new unique name
 	#
 	1 while $mapbase{$name = join ( '_', $chain, ++$baseseq )};
    } else {
 	#
 	# We'll store the identity mapping if it is unique
 	#
 	$chain = join( '_', $key , ++$baseseq ) while $mapbase{$name = $chain};
    }
    #
    # Store the reverse mapping
    #
    $mapbase{$name} = $key;
    #
    # Store the mapping
    #
    $basemap{$key} = $name;
 }
 #
 # Process a record in the interfaces file
 #
@@ -774,6 +879,8 @@ sub process_interface( $$ ) {
 	    } else {
 		$zoneref->{bridge} = $interface;
 	    }
 	    fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} == VSERVER;
 	}
 	$bridge = $interface;
@@ -781,6 +888,8 @@ sub process_interface( $$ ) {
    } else {
 	fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
 	fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} == BPORT;
 	fatal_error "Vserver zones may not be associated with interfaces" if $zone && $zoneref->{type} == VSERVER;
 	$bridge = $interface;
    }
@@ -794,6 +903,8 @@ sub process_interface( $$ ) {
 	$root = $interface;
    }
    fatal_error "Invalid interface name ($interface)" if $interface =~ /\*/;
    my $physical = $interface;
    my $broadcasts;
@@ -817,7 +928,11 @@ sub process_interface( $$ ) {
    my $hostoptionsref = {};
-    $options{ignore} = 1, $options = '-' if $options eq 'ignore';
+    if ( $options eq 'ignore' ) {
 	fatal_error "Ignored interfaces may not be associated with a zone" if $zone;
 	$options{ignore} = 1;
 	$options = '-';
    }
    if ( $options ne '-' ) {
@@ -830,7 +945,11 @@ sub process_interface( $$ ) {
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
-	    fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone;
+	    if ( $zone ) {
 		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} == VSERVER && ! ( $type & IF_OPTION_VSERVER );
 	    } else { 
 		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
 	    }
 	    my $hostopt = $type & IF_OPTION_HOST;
@@ -840,8 +959,16 @@ sub process_interface( $$ ) {
 	    if ( $type == SIMPLE_IF_OPTION ) {
 		fatal_error "Option $option does not take a value" if defined $value;
-		$options{$option} = 1;
+		if ( $option eq 'blacklist' ) {
-		$hostoptions{$option} = 1 if $hostopt;
+		    if ( $zone ) {
 			$zoneref->{options}{in}{blacklist} = 1;
 		    } else {
 			warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
 		    }
 		} else {
 		    $options{$option} = 1;
 		    $hostoptions{$option} = 1 if $hostopt;
 		}
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
 		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
@@ -849,8 +976,8 @@ sub process_interface( $$ ) {
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
 		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
 		if ( $option eq 'arp_ignore' ) {
 		    fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $wildcard;
 		    if ( defined $value ) {
 			if ( $value =~ /^[1-3,8]$/ ) {
 			    $options{arp_ignore} = $value;
@@ -873,10 +1000,6 @@ sub process_interface( $$ ) {
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		#
 		# Remove parentheses from address list if present
 		#
 		$value =~ s/\)$// if $value =~ s/^\(//;
 		#
 		# Add all IP to the front of a list if the list begins with '!'
 		#
 		$value = join ',' , ALLIP , $value if $value =~ /^!/;
@@ -909,7 +1032,7 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid Physical interface name ($value)" unless $value =~ /^[\w.@%-]+\+?$/;
+		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
 		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
@@ -955,7 +1078,8 @@ sub process_interface( $$ ) {
 						       broadcasts => $broadcasts ,
 						       options    => \%options ,
 						       zone       => '',
-						       physical   => $physical
+						       physical   => $physical ,
 						       base       => chain_base( $physical )
 						     };
    if ( $zone ) {
@@ -964,7 +1088,7 @@ sub process_interface( $$ ) {
 	add_group_to_zone( $zone,
 			   $zoneref->{type},
 			   $interface,
-			   [ IPv4_MULTICAST ], 
+			   $family == F_IPV4 ? [ IPv4_MULTICAST ] : [ IPv6_MULTICAST ] ,
 			   { destonly => 1 } ) if $hostoptionsref->{multicast} && $interfaces{$interface}{zone} ne $zone;
    }
@@ -1011,6 +1135,27 @@ sub validate_interfaces_file( $ ) {
    # Be sure that we have at least one interface
    #
    fatal_error "No network interfaces defined" unless @interfaces;
    if ( vserver_zones ) {
 	#
 	# While the user thinks that vservers are associated with a particular interface, they really are not.
 	# We create an interface to associated them with.
 	#
 	my $interface = '%vserver%';
 	$interfaces{$interface} = { name       => $interface ,
 				    bridge     => $interface ,
 				    nets       => 0 ,
 				    number     => $nextinum ,
 				    root       => $interface ,
 				    broadcasts => undef ,
 				    options    => {} ,
 				    zone       => '',
 				    physical   => 'lo',
 				  };
 	push @interfaces, $interface;
    }
 }
 #
@@ -1030,28 +1175,35 @@ sub map_physical( $$ ) {
 #
 # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
 #
-# If the passed name matches a wildcard, an entry for the name is added in %interfaces to speed up validation of other references to that name.
+# If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in 
 # %interfaces.
 #
-sub known_interface($)
+sub known_interface($;$)
 {
-    my $interface = $_[0];
+    my ( $interface, $cache ) = @_;
    my $interfaceref = $interfaces{$interface};
    return $interfaceref if $interfaceref;
    fatal_error "Invalid interface ($interface)" if $interface =~ /\*/;
    for my $i ( @interfaces ) {
 	$interfaceref = $interfaces{$i};
 	my $root = $interfaceref->{root};
 	if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
-	    #
+	    my $physical = map_physical( $interface, $interfaceref );
-	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces and we do not set the root;
+	    
-	    #
+	    my $copyref = { options  => $interfaceref->{options},
-	    return $interfaces{$interface} = { options  => $interfaceref->{options}, 
+			    bridge   => $interfaceref->{bridge} ,
-					       bridge   => $interfaceref->{bridge} , 
+			    name     => $i ,
-					       name     => $i , 
+			    number   => $interfaceref->{number} ,
-					       number   => $interfaceref->{number} ,
+			    physical => $physical ,
-					       physical => map_physical( $interface, $interfaceref )
+			    base     => chain_base( $physical ) ,
-					     };
+			  };
 	    $interfaces{$interface} = $copyref if $cache;
 	    return $copyref;
 	}
    }
@@ -1161,6 +1313,36 @@ sub find_interfaces_by_option( $ ) {
    \@ints;
 }
 #
 # Returns reference to array of interfaces with the passed option. Unlike the preceding function, this one:
 #
 # - All entries in %interfaces are searched.
 # - Returns a two-element list; the second element indicates whether any members of the list have wildcard physical names
 #
 sub find_interfaces_by_option1( $ ) {
    my $option = $_[0];
    my @ints = ();
    my $wild = 0;
    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} }
 			keys %interfaces ) {
 	my $interfaceref = $interfaces{$interface};
 	next unless defined $interfaceref->{physical};
 	my $optionsref = $interfaceref->{options};
 	if ( $optionsref && defined $optionsref->{$option} ) {
 	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
 	    push @ints , $interface
 	}
    }
    return unless defined wantarray;
    wantarray ? ( \@ints, $wild ) : \@ints;
 }
 #
 # Return the value of an option for an interface
 #
@@ -1182,54 +1364,123 @@ sub set_interface_option( $$$ ) {
 #
 # Verify that all required interfaces are available after waiting for any that specify the 'wait' option.
 #
-sub verify_required_interfaces() {
+sub verify_required_interfaces( $ ) {
    my $generate_case = shift;
    my $returnvalue = 0;
    my $interfaces = find_interfaces_by_option 'wait';
    if ( @$interfaces ) {
 	my $first = 1;
 	emit( "local waittime\n" );
 	emit( 'case "$COMMAND" in' );
 	push_indent;
 	emit( 'start|restart|restore)' );
 	push_indent;
 	for my $interface (@$interfaces ) {
 	    my $wait = $interfaces{$interface}{options}{wait};
 	    emit q() unless $first-- > 0;
 	    if ( $wait ) {
 		my $physical = get_physical $interface;
-		emit qq(if ! interface_is_usable $physical; then);
+		if ( $physical =~ /\+$/ ) {
-		emit  q(    local waittime);
+		    my $base = uc chain_base $physical;
-		emit qq(    waittime=$wait);
+
-		emit  '';
+		    $physical =~ s/\+$/*/;
-		emit  q(    while [ $waittime -gt 0 ]; do);
+
-		emit qq(        interface_is_usable $physical && break);
+		    emit( 'for interface in $(find_all_interfaces); do',
-		emit  q(        sleep 1);
+			  '    case $interface in',
-		emit   '        waittime=$(($waittime - 1))';
+			  "        $physical)",
-		emit  q(    done);
+			  "            waittime=$wait",
-		emit qq(fi\n);
+			  '            while [ $waittime -gt 0 ]; do',
 			  '                interface_is_usable $interface && break',
 			  '                waittime=$(($waittime - 1))',
 			  '            done',
 			  '            ;;',
 			  '    esac',
 			  'done',
 			  '',
 			);
 		} else {
 		    emit qq(if ! interface_is_usable $physical; then);
 		    emit qq(    waittime=$wait);
 		    emit  '';
 		    emit  q(    while [ $waittime -gt 0 ]; do);
 		    emit qq(        interface_is_usable $physical && break);
 		    emit  q(        sleep 1);
 		    emit   '        waittime=$(($waittime - 1))';
 		    emit  q(    done);
 		    emit  q(fi);
 		}
 		$returnvalue = 1;
 	    }
 	}
 	emit( ";;\n" );
 	pop_indent;
 	pop_indent;
 	emit( "esac\n" );
    }
    $interfaces = find_interfaces_by_option 'required';
    if ( @$interfaces ) {
-	emit( 'case "$COMMAND" in' );
+
-	push_indent;
+	if ( $generate_case ) {
-	emit( 'start|restart|restore|refresh)' );
+	    emit( 'case "$COMMAND" in' );
-	push_indent;
+	    push_indent;
 	    emit( 'start|restart|restore|refresh)' );
 	    push_indent;
 	}
 	for my $interface (@$interfaces ) {
 	    my $physical = get_physical $interface;
-	    emit qq(if ! interface_is_usable $physical; then);
+	    if ( $physical =~ /\+$/ ) {
-	    emit qq(    startup_error "Required interface $physical not available");
+		my $base = uc chain_base $physical;
-	    emit qq(fi\n);
+
 		$physical =~ s/\+$/*/;
 		emit( "SW_${base}_IS_UP=\n",
 		      'for interface in $(find_all_interfaces); do',
 		      '    case $interface in',
 		      "        $physical)",
 		      "            interface_is_usable \$interface && SW_${base}_IS_UP=Yes && break",
 		      '            ;;',
 		      '    esac',
 		      'done',
 		      '',
 		      "if [ -z \"\$SW_${base}_IS_UP\" ]; then",
 		      "    startup_error \"None of the required interfaces $physical are available\"",
 		      "fi\n"
 		    );
 	    } else {
 		emit qq(if ! interface_is_usable $physical; then);
 		emit qq(    startup_error "Required interface $physical not available");
 		emit qq(fi\n);
 	    }
 	}
-	emit( ';;' );
+	if ( $generate_case ) {
-	pop_indent;
+	    emit( ';;' );
-	pop_indent;
+	    pop_indent;
-	emit( 'esac' );
+	    pop_indent;
 	    emit( 'esac' );
 	}
 	$returnvalue = 1;
    }
@@ -1255,6 +1506,9 @@ sub compile_updown() {
 	  'state=cleared',
 	  '' );
    emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
    emit '';
    if ( $family == F_IPV4 ) {
 	emit 'if shorewall_is_started; then';
    } else {
@@ -1293,6 +1547,7 @@ sub compile_updown() {
 	$interfaces =~ s/\+/*/;
 	emit( "$interfaces)",
 	      '    progress_message3 "$COMMAND on interface $1 ignored"',
 	      '    exit 0',
 	      '    ;;'
 	    );
@@ -1301,18 +1556,40 @@ sub compile_updown() {
    if ( @$required ) {
 	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$required;
-	$interfaces =~ s/\+/*/;
+	my $wildcard = ( $interfaces =~ s/\+/*/ );
 	emit( "$interfaces)",
-	      '    if [ "$COMMAND" = up ]; then',
+	      '    if [ "$COMMAND" = up ]; then' );
-	      '        COMMAND=start',
+
 	if ( $wildcard ) {
 	    emit( '        if [ "$state" = started ]; then',
 		  '            COMMAND=restart',
 		  '        else',
 		  '            COMMAND=start',
 		  '        fi' );
 	} else {
 	    emit( '        COMMAND=start' );
 	}
 	emit( '        progress_message3 "$g_product attempting $COMMAND"',
 	      '        detect_configuration',
-	      '        define_firewall',
+	      '        define_firewall' );
-	      '    else',
+
-	      '        COMMAND=stop',
+	if ( $wildcard ) {
-	      '        detect_configuration',
+	    emit( '    elif [ "$state" = started ]; then',
-	      '        stop_firewall',
+		  '        progress_message3 "$g_product attempting restart"',
-	      '    fi',
+		  '        COMMAND=restart',
 		  '        detect_configuration',
 		  '        define_firewall' );
 	} else {
 	    emit( '    else',
 		  '        COMMAND=stop',
 		  '        progress_message3 "$g_product attempting stop"',
 		  '        detect_configuration',
 		  '        stop_firewall' );
 	}
 	emit( '    fi',
 	      '    ;;'
 	    );
    }
@@ -1331,12 +1608,16 @@ sub compile_updown() {
 	      '',
 	      '    if [ "$state" = started ]; then',
 	      '        COMMAND=restart',
 	      '        progress_message3 "$g_product attempting restart"',
 	      '        detect_configuration',
 	      '        define_firewall',
 	      '    elif [ "$state" = stopped ]; then',
 	      '        COMMAND=start',
 	      '        progress_message3 "$g_product attempting start"',
 	      '        detect_configuration',
 	      '        define_firewall',
 	      '    else',
 	      '        progress_message3 "$COMMAND on interface $1 ignored"',
 	      '    fi',
 	      '    ;;',
 	    );
@@ -1346,9 +1627,13 @@ sub compile_updown() {
 	  '    case $state in',
 	  '        started)',
 	  '            COMMAND=restart',
 	  '            progress_message3 "$g_product attempting restart"',
 	  '            detect_configuration',
 	  '            define_firewall',
 	  '            ;;',
 	  '        *)',
 	  '            progress_message3 "$COMMAND on interface $1 ignored"',
 	  '            ;;',
 	  '    esac',
 	);
@@ -1418,14 +1703,19 @@ sub process_host( ) {
 		$zoneref->{options}{complex} = 1;
 		$ipsec = 1;
 	    } elsif ( $option eq 'norfc1918' ) {
-		warning_message "The 'norfc1918' option is no longer supported"
+		warning_message "The 'norfc1918' host option is no longer supported"
 	    } elsif ( $option eq 'blacklist' ) {
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $validhostoptions{$option}) {
 		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
 		$options{$option} = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}
 	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER; 
 	$optionsref = \%options;
    }
@@ -1445,6 +1735,7 @@ sub process_host( ) {
    $hosts = join( '', ALLIP , $hosts ) if substr($hosts, 0, 2 ) eq ',!';
    if ( $hosts eq 'dynamic' ) {
 	fatal_error "Vserver zones may not be dynamic" if $type == VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
 	my $physical = physical_name $interface;
 	$hosts = "+${zone}_${physical}";
@@ -1452,6 +1743,10 @@ sub process_host( ) {
 	$ipsets{"${zone}_${physical}"} = 1;
    }
    #
    # We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
    #
    $interface = '%vserver%' if $type == VSERVER;
    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
@@ -1515,6 +1810,21 @@ sub find_hosts_by_option( $ ) {
    \@hosts;
 }
 #
 # Returns a reference to a list of zones with the passed in/out option
 #
 sub find_zones_by_option( $$ ) {
    my ($option, $in_out ) = @_;
    my @zns;
    for my $zone ( @zones ) {
 	push @zns, $zone if $zones{$zone}{options}{$in_out}{$option};
    }
    \@zns;
 }
 sub all_ipsets() {
    sort keys %ipsets;
 }
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -218,6 +218,7 @@ case "$COMMAND" in
 	else
 	    error_message "$g_product is not running"
 	    progress_message3 "Starting $g_product...."
 	    COMMAND=start
 	fi
 	detect_configuration
@@ -256,7 +257,6 @@ case "$COMMAND" in
 	clear_firewall
 	status=0
 	if [ -n "$SUBSYSLOCK" ]; then
 	    rm -f ${SUBSYSLOCK}-prenet
 	    rm -f $SUBSYSLOCK
 	fi
 	progress_message3 "done."
--- a/Shorewall/Perl/prog.footer6
+++ b/Shorewall/Perl/prog.footer6
@@ -219,6 +219,7 @@ else
 	    else
 		error_message "$g_product is not running"
 		progress_message3 "Starting $g_product...."
 		COMMAND=start
 	    fi
 	    detect_configuration
@@ -257,7 +258,6 @@ else
 	    clear_firewall
 	    status=0
 	    if [ -n "$SUBSYSLOCK" ]; then
 		rm -f ${SUBSYSLOCK}-prenet
 		rm -f $SUBSYSLOCK
 	    fi
 	    progress_message3 "done."
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -89,35 +89,17 @@ setpolicy() # $1 = name of chain, $2 = policy
 }
 #
-# Set a standard chain to enable established and related connections
+# Generate a list of all network interfaces on the system
 #
-setcontinue() # $1 = name of chain
+find_all_interfaces() {
-{
+    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
 }
 #
-# Flush one of the NAT table chains
+# Generate a list of all network interfaces on the system that have an ipv4 address
 #
-flushnat() # $1 = name of chain
+find_all_interfaces1() {
-{
+    ${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
    run_iptables -t nat -F $1
 }
 #
 # Flush one of the Mangle table chains
 #
 flushmangle() # $1 = name of chain
 {
    run_iptables -t mangle -F $1
 }
 #
 # Flush and delete all user-defined chains in the filter table
 #
 deleteallchains() {
    run_iptables -F
    run_iptables -X
 }
 #
@@ -526,11 +508,12 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
    local result
    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
 	local result
 	result=1
 	while read route ; do
@@ -615,9 +598,9 @@ delete_proxyarp() {
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
    fi
-    rm -f ${VARDIR}/proxyarp
+	rm -f ${VARDIR}/proxyarp
    fi
 }
 #
@@ -631,6 +614,7 @@ clear_firewall() {
    setpolicy OUTPUT ACCEPT
    run_iptables -F
    qt $IPTABLES -t raw -F
    echo 1 > /proc/sys/net/ipv4/ip_forward
@@ -690,7 +674,7 @@ startup_error() # $* = Error Message
 	    ;;
    esac
-    if [ $LOG_VERBOSITY -gt 1 ]; then
+    if [ $LOG_VERBOSITY -ge 0 ]; then
        timestamp="$(date +'%_b %d %T') "
 	case $COMMAND in
@@ -767,34 +751,6 @@ run_tc() {
    fi
 }
 #
 # Restore the rules generated by 'drop','reject','logdrop', etc.
 #
 restore_dynamic_rules() {
    if [ -f ${VARDIR}/save ]; then
 	progress_message2 "Setting up dynamic rules..."
 	rangematch='source IP range'
 	while read target ignore1 ignore2 address ignore3 rest; do
 	    case $target in
 		DROP|reject|logdrop|logreject)
 		    case $rest in
 			$rangematch*)
 			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
 			    ;;
 			*)
 			    if [ -z "$rest" ]; then
 				run_iptables -A dynamic -s $address -j $target
 			    else
 				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
 			    fi
 			    ;;
 		    esac
 		    ;;
 	    esac
 	done < ${VARDIR}/save
    fi
 }
 #
 # Get a list of all configured broadcast addresses on the system
 #
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -89,27 +89,17 @@ setpolicy() # $1 = name of chain, $2 = policy
 }
 #
-# Set a standard chain to enable established and related connections
+# Generate a list of all network interfaces on the system
 #
-setcontinue() # $1 = name of chain
+find_all_interfaces() {
-{
+    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
 }
 #
-# Flush one of the Mangle table chains
+# Generate a list of all network interfaces on the system that have an ipv6 address
 #
-flushmangle() # $1 = name of chain
+find_all_interfaces1() {
-{
+    ${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
    run_iptables -t mangle -F $1
 }
 #
 # Flush and delete all user-defined chains in the filter table
 #
 deleteallchains() {
    run_iptables -F
    run_iptables -X
 }
 #
@@ -506,11 +496,12 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
    local result
    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
 	local result
 	result=1
 	while read route ; do
@@ -593,6 +584,7 @@ clear_firewall() {
    setpolicy OUTPUT ACCEPT
    run_iptables -F
    qt $IP6TABLES -t raw -F
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
@@ -721,34 +713,6 @@ run_tc() {
    fi
 }
 #
 # Restore the rules generated by 'drop','reject','logdrop', etc.
 #
 restore_dynamic_rules() {
    if [ -f ${VARDIR}/save ]; then
 	progress_message2 "Setting up dynamic rules..."
 	rangematch='source IP range'
 	while read target ignore1 ignore2 address ignore3 rest; do
 	    case $target in
 		DROP|reject|logdrop|logreject)
 		    case $rest in
 			$rangematch*)
 			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
 			    ;;
 			*)
 			    if [ -z "$rest" ]; then
 				run_iptables -A dynamic -s $address -j $target
 			    else
 				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
 			    fi
 			    ;;
 		    esac
 		    ;;
 	    esac
 	done < ${VARDIR}/save
    fi
 }
 #
 # Run the .iptables_restore_input as a set of discrete iptables commands
 #
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,3 +1,102 @@
 Changes in Shorewall 4.4.13
 1)  Allow zone lists in rules SOURCE and DEST.
 2)  Fix exclusion in the blacklist file.
 3)  Correct several old exclusion bugs.
 4)  Fix exclusion with CONTINUE/NONAT/ACCEPT+
 5)  Re-implement optional interface handling.
 6)  Add secmark config file.
 7)  Split in and out blacklisting.
 8)  Correct handling of [{src|dst},...] in ipset invocation
 9)  Correct SAME.
 10) TC Enhancements:
    <burst> in IN-BANDWIDTH columns.
    OUT-BANDWIDTH column in tcinterfaces.
 11) Create dynamic zone ipsets on 'start'.
 12) Remove new blacklisting implementation.
 13) Implement an alternative blacklisting scheme.
 14) Use '-m state' for UNTRACKED.
 15) Clear raw table on 'clear'
 16) Correct port-range check in tcfilters.
 17) Disallow '*' in interface names.
 Changes in Shorewall 4.4.12
 1)  Fix IPv6 shorecap program.
 2)  Eradicate incorrect IPv6 Multicast Network
 3)  Add ADD/DEL support.
 4)  Allow :random to work with REDIRECT
 5)  Add per-ip log rate limiting.
 6)  Use new hashlimit match syntax if available.
 7)  Add Universal sample.
 8)  Add COMPLETE option.
 9)  Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
 10) Support new set match syntax.
 11) Blacklisting by DEST IP.
 12) Fix duplicate rule generation with 'any'.
 13) Fix port range editing problem.
 14) Display the .conf file directory in response to the status command.
 15)  Correct AUTOMAKE
 Changes in Shorewall 4.4.11
 1)  Apply patch from Gabriel.
 2)  Fix IPSET match detection when a pathname is specified for IPSET.
 3)  Fix start priority of shorewall-init on Debian
 4)  Make IPv6 log and connections output readable.
 5)  Add REQUIRE_INTERFACE to shorewall*.conf
 6)  Avoid run-time warnings when options are not listed in
    shorewall.conf.
 7)  Implement Vserver zones.
 8)  Make find_hosts_by_option() work correctly where ALL_IP appears in
    hosts file.
 9)  Add CLEAR_FORWARD_MARK option.
 10) Avoid missing closing quote when REQUIRE_INTERFACE=Yes.
 11) Add PERL option.
 12) Fix nets= in Shorewall6
 Changes in Shorewall 4.4.10
 1)  Fix regression with scripts.
@@ -14,6 +113,8 @@ Changes in Shorewall 4.4.10
 7)  Rename PREFIX to DESTDIR in install scripts
 8)  Correct handling of optional/required interfaces with wildcard names.
 Changes in Shorewall 4.4.9
 1)  Auto-detection of bridges.
--- a/Shorewall/configfiles/accounting
+++ b/Shorewall/configfiles/accounting
@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-#####################################################################################
+#####################################################################################################
-#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK
+#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC
 #							PORT(S)		PORT(S)	GROUP
--- a/Shorewall/configfiles/blacklist
+++ b/Shorewall/configfiles/blacklist
@@ -7,4 +7,5 @@
 # information.
 #
 ###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT
+#ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -7,5 +7,5 @@
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
 ###############################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
 #											GROUP
--- a/Shorewall/configfiles/netmap
+++ b/Shorewall/configfiles/netmap
@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#TYPE	NET1			INTERFACE	NET2
+#TYPE	NET1			INTERFACE	NET2		NET3
--- a/Shorewall/configfiles/secmarks
+++ b/Shorewall/configfiles/secmarks
@@ -0,0 +1,13 @@
 #
 # Shorewall version 4 - Secmarks File
 #
 # For information about entries in this file, type "man shorewall-secmarks"
 #
 ############################################################################################################
 #SECMARK			CHAIN:	SOURCE		DEST		PROTO	DEST	SOURCE	USER/	MARK
 #				STATE						PORT(S)	PORT(S) GROUP
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -31,9 +31,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
-LOGRATE=
+LOGLIMIT=
 LOGBURST=
 LOGALLNEW=
@@ -59,6 +57,8 @@ TC=
 IPSET=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 SHOREWALL_SHELL=/bin/sh
@@ -194,6 +194,12 @@ OPTIMIZE_ACCOUNTING=No
 LOAD_HELPERS_ONLY=No
 REQUIRE_INTERFACE=No
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=No
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall/configfiles/tcinterfaces
+++ b/Shorewall/configfiles/tcinterfaces
@@ -8,4 +8,3 @@
 #
 ###############################################################################
 #INTERFACE	TYPE		IN-BANDWIDTH
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.10-RC1
+VERSION=4.4.13
 usage() # $1 = exit status
 {
@@ -586,6 +586,16 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcfilters ]; then
    echo "TC Filters file installed as ${DESTDIR}/etc/shorewall/tcfilters"
 fi
 #
 # Install the secmarks file
 #
 run_install $OWNERSHIP -m 0644 configfiles/secmarks ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/secmarks ]; then
    run_install $OWNERSHIP -m 0600 configfiles/secmarks ${DESTDIR}/etc/shorewall
    echo "Secmarks file installed as ${DESTDIR}/etc/shorewall/secmarks"
 fi
 #
 # Install the default config path file
 #
@@ -745,7 +755,7 @@ fi
 #
 # Install the  Makefiles
 #
-install-file Makefile-lite ${DESTDIR}/usr/share/shorewall/configfiles/Makefile 0644
+install_file Makefile-lite ${DESTDIR}/usr/share/shorewall/configfiles/Makefile 0644
 if [ -z "$SPARSE" ]; then
    run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall
@@ -867,7 +877,13 @@ fi
 if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
    if [ -n "$DEBIAN" ]; then
 	install_file default.debian /etc/default/shorewall 0644
-	ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
+
 	if [ -x /sbin/insserv ]; then
 	    insserv /etc/init.d/shorewall
 	else
 	    ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
 	fi
 	echo "shorewall will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall to enable"
 	touch /var/log/shorewall-init.log
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@@ -1 +1,2 @@
-There are no known problems in Shorewall 4.4.9
+1)  On systems running Upstart, shorewall-init cannot reliably start the
    firewall before interfaces are brought up.
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -29,7 +29,7 @@
 #
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40408
+SHOREWALL_CAPVERSION=40413
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -226,6 +226,18 @@ show_classifiers() {
 logwatch() # $1 = timeout -- if negative, prompt each time that
 	   #		     an 'interesting' packet count changes
 {
    if [ -z "$LOGFILE" ]; then
 	LOGFILE=/var/log/messages
 	if [ -n "$(syslog_circular_buffer)" ]; then
 	    g_logread="logread | tac"
 	elif [ -r $LOGFILE ]; then
 	    g_logread="tac $LOGFILE"
 	else
 	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	    exit 2
 	fi
    fi
    host=$(echo $g_hostname | sed 's/\..*$//')
    oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
@@ -362,17 +374,7 @@ save_config() {
 		    ;;
 		*)
 		    validate_restorefile RESTOREFILE
-
+		    do_save && rm -f ${VARDIR}/save
 		    if chain_exists dynamic; then
 			if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
 			    echo "   Dynamic Rules Saved"
 			    do_save
 			else
 		            echo "Error Saving the Dynamic Rules" >&2
 			fi
 		    else
 			do_save && rm -f ${VARDIR}/save
 		    fi
 		    ;;
 	    esac
 	fi
@@ -551,6 +553,20 @@ show_command() {
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
 	    if [ -z "$LOGFILE" ]; then
 		LOGFILE=/var/log/messages
 		if [ -n "$(syslog_circular_buffer)" ]; then
 		    g_logread="logread | tac"
 		elif [ -r $LOGFILE ]; then
 		    g_logread="tac $LOGFILE"
 		else
 		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
 		    exit 2
 		fi
 	    fi
 	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
 	    echo
 	    show_reset
@@ -791,6 +807,19 @@ dump_command() {
 	esac
    done
    if [ -z "$LOGFILE" ]; then
 	LOGFILE=/var/log/messages
 	if [ -n "$(syslog_circular_buffer)" ]; then
 	    g_logread="logread | tac"
 	elif [ -r $LOGFILE ]; then
 	    g_logread="tac $LOGFILE"
 	else
 	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	    exit 2
 	fi
    fi
    g_ipt_options="$g_ipt_options $g_ipt_options1"
    [ $VERBOSITY -lt 2 ] && VERBOSITY=2
@@ -1037,6 +1066,10 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
    chain=$1
    local finished
    finished=$2
    local which
    which='-s'
    local range
    range='--src-range'
    if ! chain_exists dynamic; then
 	echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
@@ -1048,19 +1081,31 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
    while [ $# -gt 0 ]; do
 	case $1 in
 	    from)
 		which='-s'
 		range='--src-range'
 		shift
 		continue
 		;;
 	    to)
 		which='-d'
 		range='--dst-range'
 		shift
 		continue
 		;;
 	    *-*)
-		qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject
+		qt $IPTABLES -D dynamic -m iprange $range $1 -j reject
-		qt $IPTABLES -D dynamic -m iprange --src-range  $1 -j DROP
+		qt $IPTABLES -D dynamic -m iprange $range  $1 -j DROP
-		qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
+		qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject
-		qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop
+		qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop
-		$IPTABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
+		$IPTABLES -A dynamic -m iprange $range $1 -j $chain || break 1
 		;;
 	    *)
-		qt $IPTABLES -D dynamic -s $1 -j reject
+		qt $IPTABLES -D dynamic $which $1 -j reject
-		qt $IPTABLES -D dynamic -s $1 -j DROP
+		qt $IPTABLES -D dynamic $which $1 -j DROP
-		qt $IPTABLES -D dynamic -s $1 -j logreject
+		qt $IPTABLES -D dynamic $which $1 -j logreject
-		qt $IPTABLES -D dynamic -s $1 -j logdrop
+		qt $IPTABLES -D dynamic $which $1 -j logdrop
-		$IPTABLES -A dynamic -s $1 -j $chain || break 1
+		$IPTABLES -A dynamic $which $1 -j $chain || break 1
 		;;
 	esac
@@ -1350,6 +1395,11 @@ allow_command() {
    [ -n "$g_debugging" ] && set -x
    [ $# -eq 1 ] && usage 1
    if shorewall_is_started ; then
 	local which
 	which='-s'
 	local range
 	range='--src-range'
 	if ! chain_exists dynamic; then
 	    echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
 	    exit 2
@@ -1359,11 +1409,21 @@ allow_command() {
 	while [ $# -gt 1 ]; do
 	    shift
 	    case $1 in
 		from)
 		    which='-s'
 		    range='--src-range'
 		    continue
 		    ;;
 		to)
 		    which='-d'
 		    range='--dst-range'
 		    continue
 		    ;;
 		*-*)
-		    if  qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject    ||\
+		    if  qt $IPTABLES -D dynamic -m iprange $range $1 -j reject    ||\
-			qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP      ||\
+			qt $IPTABLES -D dynamic -m iprange $range $1 -j DROP      ||\
-			qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop   ||\
+			qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop   ||\
-			qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
+			qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1371,10 +1431,10 @@ allow_command() {
 		    fi
 		    ;;
 		*)
-		    if  qt $IPTABLES -D dynamic -s $1 -j reject    ||\
+		    if  qt $IPTABLES -D dynamic $which $1 -j reject    ||\
-			qt $IPTABLES -D dynamic -s $1 -j DROP      ||\
+			qt $IPTABLES -D dynamic $which $1 -j DROP      ||\
-			qt $IPTABLES -D dynamic -s $1 -j logdrop   ||\
+			qt $IPTABLES -D dynamic $which $1 -j logdrop   ||\
-			qt $IPTABLES -D dynamic -s $1 -j logreject
+			qt $IPTABLES -D dynamic $which $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1459,6 +1519,10 @@ determine_capabilities() {
 	exit 1
    fi
    [ "$IP" = ip -o -z "$IP" ] && IP=$(which ip)
    [ -n "$IP" -a -x "$IP" ] || IP=
    [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
    [ -n "$TC" -a -x "$TC" ] || TC=
@@ -1478,6 +1542,7 @@ determine_capabilities() {
    RECENT_MATCH=
    OWNER_MATCH=
    IPSET_MATCH=
    OLD_IPSET_MATCH=
    CONNMARK=
    XCONNMARK=
    CONNMARK_MATCH=
@@ -1510,6 +1575,8 @@ determine_capabilities() {
    LOG_TARGET=Yes
    PERSISTENT_SNAT=
    FLOW_FILTER=
    FWMARK_RT_MASK=
    MARK_ANYWHERE=
    chain=fooX$$
@@ -1619,9 +1686,13 @@ determine_capabilities() {
 	qt ipset -X $chain # Just in case something went wrong the last time
 	if qt ipset -N $chain iphash ; then
-	    if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
+	    if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
 		qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
 		IPSET_MATCH=Yes
 	    elif qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
 		qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
 		IPSET_MATCH=Yes
 		OLD_IPSET_MATCH=Yes
 	    fi
 	    qt ipset -X $chain
 	fi
@@ -1643,6 +1714,7 @@ determine_capabilities() {
    qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
    qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
    qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
    qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $IPTABLES -F $chain
    qt $IPTABLES -X $chain
@@ -1650,6 +1722,7 @@ determine_capabilities() {
    qt $IPTABLES -X $chain1
    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
    CAPVERSION=$SHOREWALL_CAPVERSION
    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
@@ -1685,7 +1758,10 @@ report_capabilities() {
 	report_capability "IP range Match" $IPRANGE_MATCH
 	report_capability "Recent Match" $RECENT_MATCH
 	report_capability "Owner Match" $OWNER_MATCH
-	report_capability "Ipset Match" $IPSET_MATCH
+	if [ -n "$IPSET_MATCH" ]; then
 	    report_capability "Ipset Match" $IPSET_MATCH
 	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
 	fi
 	report_capability "CONNMARK Target" $CONNMARK
 	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
 	report_capability "Connmark Match" $CONNMARK_MATCH
@@ -1717,6 +1793,8 @@ report_capabilities() {
 	report_capability "Persistent SNAT" $PERSISTENT_SNAT
 	report_capability "TPROXY Target" $TPROXY_TARGET
 	report_capability "FLOW Classifier" $FLOW_FILTER
 	report_capability "fwmark route mask" $FWMARK_RT_MASK
 	report_capability "Mark in any table" $MARK_ANYWHERE
    fi
    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1748,6 +1826,7 @@ report_capabilities1() {
    report_capability1 RECENT_MATCH
    report_capability1 OWNER_MATCH
    report_capability1 IPSET_MATCH
    report_capability1 OLD_IPSET_MATCH
    report_capability1 CONNMARK
    report_capability1 XCONNMARK
    report_capability1 CONNMARK_MATCH
@@ -1779,6 +1858,8 @@ report_capabilities1() {
    report_capability1 PERSISTENT_SNAT
    report_capability1 TPROXY_TARGET
    report_capability1 FLOW_FILTER
    report_capability1 FWMARK_RT_MASK
    report_capability1 MARK_ANYWHERE
    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
--- a/Shorewall/lib.common
+++ b/Shorewall/lib.common
@@ -94,7 +94,12 @@ run_it() {
 	#
 	# 4.4.8 or later -- no additional exports required
 	#
-	options='-'
+	if [ x$1 = xtrace -o x$1 = xdebug ]; then
 	    options="$1 -"
 	    shift;
 	else
 	    options='-'
 	fi
 	[ -n "$g_noroutes" ]   && options=${options}n
 	[ -n "$g_timestamp" ]  && options=${options}t
@@ -509,9 +514,13 @@ find_file()
 #
 # Set the Shorewall state
 #
-set_state () # $1 = state
+set_state () # $1 = state $2 
 {
-    echo "$1 ($(date))" > ${VARDIR}/state
+    if [ $# -gt 1 ]; then
 	echo "$1 ($(date)) from $2" > ${VARDIR}/state
    else
 	echo "$1 ($(date))" > ${VARDIR}/state
    fi
 }
 #
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,17 +1,266 @@
 ----------------------------------------------------------------------------
-                       S H O R E W A L L  4 . 4 . 10
+                      S H O R E W A L L  4 . 4 . 1 3
                                 R C  1
 ----------------------------------------------------------------------------
-I.    RELEASE 4.4 HIGHLIGHTS
+I.    PROBLEMS CORRECTED IN THIS RELEASE
-II.   MIGRATION ISSUES
+II.   KNOWN PROBLEMS REMAINING
-III.  PROBLEMS CORRECTED IN THIS RELEASE
+III.  NEW FEATURES IN THIS RELEASE
-IV.   KNOWN PROBLEMS REMAINING
+IV.   RELEASE 4.4 HIGHLIGHTS
-V.    NEW FEATURES IN THIS RELEASE
+V.    MIGRATION ISSUES
 VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 ----------------------------------------------------------------------------
-             I.  R E L E A S E  4 . 4  H I G H L I G H T S
+  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 1)  Under rare circumstances where COMMENT is used to attach comments
    to rules, OPTIMIZE 8 through 15 could result in invalid
    iptables-restore (ip6tables-restore) input.
 2)  Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
    could result in invalid iptables-restore (ip6tables-restore) input.
 3)  The change in 4.4.12 to detect and use the new ipset match syntax
    broke the ability to detect the old ipset match capability. Now,
    both versions of the capability can be correctly detected.
 4)  Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
    if the last optional interface tested was not available.
 5)  Exclusion in the blacklist file was correctly validated but was then
    ignored when generating iptables (ip6tables) rules.
 6)  Previously, non-trivial exclusion (more than one excluded
    address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
    valid but incorrect iptables input. This has been corrected but
    requires that your iptables/kernel support marking rules in any
    Netfilter table (CONTINUE in the tcrules file does not require this
    support).
    This fix implements a new 'Mark in any table' capability; those
    who utilize a capabilities file should re-generate the file using
    this release.
 7)  Interface handling has been extensively modified in this release
    to correct a number of problems with the earlier
    implementation. Among those problems:
    - Invalid shell variable names could be generated in the firewall
      script. The generated firewall script uses shell variables to
      track the availability of optional and required interfaces and
      to record detected gateways, detected addresses, etc.
    - The same shell variable name could be generated by two different
      interface names.
    - Entries in the interfaces file with a wildcard physical name
      (physical name ends with "+") and with the 'optional' option were
      handled strangely.
      o If there were references to specific interfaces that matched
        the wildcard, those entries were handled as if they had been
        defined as optional in the interfaces file.
      o If there were no references matching the wildcard, then the
        'optional' option was effectively ignored. 
    The new implementation:
    - Insures valid shell variable names.
    - Insures that shell variable names are unique.
    - Handles interface names appearing in the INTERFACE column of the
      providers file as a special case for 'optional'. If the name
      matches a wildcard entry in the interfaces file then the
      usability of the specific interface is tracked individually. 
    - Handles the availabilty of other interfaces matching a wildcard
      as a group; if there is one useable interface in the group then
      the wildcard itself is considered usable.
      The following example illustrates this use case:
      /etc/shorewall/interfaces
 	net	ppp+	-	optional
      /etc/shorewall/shorewall.conf
 	REQUIRE_INTERFACE=Yes
      If there is any usable PPP interface then the firewall will be
      allowed to start. Previously, the firewall would never be allowed
      to start.
 8)  When a comma-separated list of 'src' and/or 'dst' was specified in
    an ipset invocation (e.g., "+fooset[src,src]), all but the first 'src'
    or 'dst' was previously ignored when generating the resulting
    iptables rule.
 9)  Beginning with Shorewall 4.4.9, the SAME target in tcrules has
    generated invalid iptables (ip6tables) input. That target now
    generates correct input.
 10) Ipsets associated with 'dynamic' zones were being created during
    'restart' but not during 'start'.
 11) To work around an issue in Netfilter/iptables, Shorewall now uses
    state match rather than conntrack match for UNTRACKED state
    matching.
 12) If the routestopped files contains NOTRACK rules, 'shorewall* clear' 
    did not clear the raw table.
 13) An error message was incorrectly generated if a port range of the
    form :<port> (e.g., :22) appeared.
 14) An error is now generated if '*' appears in an interface name.
 ----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------
 1)  On systems running Upstart, shorewall-init cannot reliably start the
    firewall before interfaces are brought up.
 ----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------
 1)  Entries in the rules file (both Shorewall and Shorewall6) may now
    contain zone lists in the SOURCE and DEST column. A zone list is a
    comma-separated list of zone names where each name appears in the
    zones file. A zone list may be optionally followed by a plus sign
    ("+") to indicate that the rule should apply to intra-zone traffic
    as well as to inter-zone traffic.
    Zone lists behave like 'all' and 'any' with respect to Optimization
    1. If the rule matches the applicable policy for a given (source
    zone, dest zone), then the rule will be suppessed for that pair of
    zones unless overridden by the '!' suffix on the target in the
    ACTION column (e.g., ACCEPT!, DROP!:info, etc.).
    Additionally, 'any', 'all' and zone lists may be qualified in the
    same way as a single zone.
    Examples:
 	fw,dmz:90.90.191.120/29
 	all:+blacklist
    The 'all' and 'any' keywords now support exclusion in the form of a
    comma-separated list of excluded zones.
    Examples: 
    	     all!fw         (same as all-).
 	     any+!dmz,loc   (All zones except 'dmz' and 'loc' and
 	     		     include intra-zone rules).
 2)  An IPSEC column has been added to the accounting file, allowing you
    to segregate IPSEC traffic from non-IPSEC traffic. See 'man
    shorewall-accounting' (man shorewall6-accounting) for details.
    With this change, there are now three trees of accounting chains:
    - The one rooted in the 'accounting' chain.
    - The one rooted in the 'accipsecin' chain. This tree handles
      traffic that has been decrypted on the firewall. Rules in this
      tree cannot specify an interface name in the DEST column.
    - The one rooted in the 'accipsecout' chain. This tree handles
      traffic that will be encrypted on the firewall. Rules in this
      tree cannot specify an interface name in the SOURCE column.
    In reality, when there are bridges defined in the configuration,
    there is a fourth tree rooted in the 'accountout' chain. That chain
    handles traffic that originates on the firewall (both IPSEC and
    non-IPSEC).
    This change also implements a couple of new warnings:
    - WARNING: Adding rule to unreferenced accounting chain <name>
      The first reference to user-defined accounting chain <name> is
      not a JUMP or COUNT from an already-defined chain.
    - WARNING: Accounting chain <name> has o references
      The named chain contains accounting rules but no JUMP or COUNT
      specifies that chain as the target.
 3)  Shorewall now supports the SECMARK and CONNSECMARK targets for
    manipulating the SELinux context of packets.
    See the shorewall-secmarks and shorewall6-secmarks manpages for
    details.
    As part of this change, the tcrules file now accepts $FW in the
    DEST column for marking packets in the INPUT chain.
 4)  Blacklisting has undergone considerable change in Shorewall 4.4.13.
    a) Blacklisting is now based on zones rather than on interfaces and
       host groups.
    b) Near compatibility with earlier releases is maintained.
    c) The keywords 'src' and 'dst' are now preferred in the OPTIONS
       column in /etc/shoreawll/blacklist, replacing 'from' and 'to'
       respectively. The old keywords are still supported.
    d) The 'blacklist' keyword may now appear in the OPTIONS,
       IN_OPTIONS and OUT_OPTIONS fields in /etc/shorewall/zones.
       i)  In the IN_OPTIONS column, it indicates that packets received
           on the interface are checked against the 'src' entries in
           /etc/shorewall/blacklist.
       ii) In the OUT_OPTIONS column, it indicates that packets being
           sent to the interface are checked against the 'dst' entries.
       iii) Placing 'blacklist' in the OPTIONS column is equivalent to
           placing in in both the IN_OPTIONS and OUT_OPTIONS columns.
    e) The 'blacklist' option in the OPTIONS column of
       /etc/shorewall/interfaces or /etc/shorewall/hosts is now
       equivalent to placing it in the IN_OPTIONS column of the
       associates record in /etc/shorewall/zones. If no zone is given
       in the ZONE column of /etc/shorewall/interfaces, the 'blacklist'
       option is ignored with a warning (it was previously ignored
       silently).
    f) The 'blacklist' option in the /etc/shorewall/interfaces and
       /etc/shorewall/hosts files is now deprecated but will continue
       to be supported for several releases. A warning will be added at
       least one release before support is removed.
 5)  There is now an OUT-BANDWIDTH column in
    /etc/shorewall/tcinterfaces.
    The format of this column is:
    	<rate>[:[<burst>][:[<latency>][:[<peak>][:[<minburst>]]]]]
    These terms are described in tc-tbf(8). Shorewall supplies default
    values as follows:
    	   <burst>   = 10kb
 	   <latency> = 200ms
    The remaining options are defaulted by tc.
 6)  The IN-BANDWIDTH column in both /etc/shorewall/tcdevices and
    /etc/shorewall/tcinterfaces now accepts an optional burst parameter.
        <rate>[:<burst>]
    The default <burst> is 10kb. A larger <burst> can help make the
    <rate> more accurate; often for fast lines, the enforced rate is
    well below the specified <rate>.
 ----------------------------------------------------------------------------
             I V.  R E L E A S E  4 . 4  H I G H L I G H T S
 ----------------------------------------------------------------------------
 1)  Support for Shorewall-shell has been discontinued. Shorewall-perl
@@ -68,8 +317,14 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 15) TPROXY support has been added.
 16) Explicit support for Linux-vserver has been added. It is now
    possible to define sub-zones of $FW.
 17) A 'Universal' sample configuration is now availale for a
    'plug-and-play' firewall.
 ----------------------------------------------------------------------------
-                  I I.  M I G R A T I O N   I S S U E S
+                   V.  M I G R A T I O N   I S S U E S
 ----------------------------------------------------------------------------
 1)  If you are currently using Shorewall-shell:
@@ -215,10 +470,258 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
    where 'iface' is a capitalized interface name (e.g., ETH0) and
    'provider' is the capitalized name of a provider.
 15) Support for the OPTIONS column in /etc/shorewall/blacklist
    (/etc/shorewall6/blacklist) has been removed. Blacklisting by
    destination IP address will be included in a later Shorewall
    release.
 ----------------------------------------------------------------------------
-I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
+V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
      I N   P R I O R  R E L E A S E S
 ----------------------------------------------------------------------------
         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 2
 ----------------------------------------------------------------------------
 1)  Previously, the Shorewall6-lite version of shorecap was using
    iptables rather than ip6tables, with the result that many capabilities
    that are only available in IPv4 were being reported as available.
 2)  In a number of cases, Shorewall6 generated incorrect rules
    involving the IPv6 multicast network. The rules specified
    ff00::/10 where they should have specified ff00::/8. Also, rules
    instantiated when the firewall was stopped used ff80::/10 rather
    than fe80::/10 (IPv6 Link Local network).
 3)  Previously, using a destination port-range with :random produced a
    fatal compilation error in REDIRECT rules.
 4)  A number of problems associated with Shorewall-init and Upstart
    have been corrected. 
    If you use Shorewall-init, then when upgrading to this version, be
    sure to recompile all firewall scripts before you take interfaces
    down or reboot.
 5)  Previously, the Shorewall installer (install.sh) failed to install
    /usr/share/shorewall/configfiles/Makefile and rather issued the
    following message:
    	      install-file: command not found 
    This caused the Makefile to be omitted from RPMs as well.
 6)  When 'any' was used in the SOURCE column, a duplicate rule was
    generated in all "fw2*" ("fw-* if ZONE2ZONE="-"). If 'any' was used
    in the DEST column, then a duplicate rule appeared in all "*2fw"
    (*-fw) chains.
 7)  A port range that omitted the first port number (e.g., ":80") was
    rejected with the following error:
    	 ERROR: Invalid/Unknown tcp port/service (0) : ......
 8)  AUTOMAKE=Yes has been broken for some time. It is now working
    correctly.
 ----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 4 . 1 2
 ----------------------------------------------------------------------------
 1)  Support has been added for ADD and DEL rules in
    /etc/shorewall/rules. ADD allows either the SOURCE or DESTINATION
    IP address to be added to an ipset; DEL deletes an address
    previously added.
 2)  Per-ip log rate limiting has been added in the form of the LOGLIMIT
    option in shorewall.conf. When LOGLIMIT is specified, LOGRATE and
    LOGBURST are ignored. 
    LOGRATE and LOGBURST are now deprecated.
    LOGLIMIT value format is [{s|d}:]<rate>[/<unit>][:<burst>]
    If the value starts with 's:' then logging is limited per source
    IP. If the value starts with 'd:', then logging is limited per
    destination IP. Otherwise, the overall logging rate is limited.
    <unit> is one of sec, min, hour, day.
    If <burst> is not specified, then a value of 5 is assumed.
 3)  The sample configurations now include a 'Universal' configuration
    that will start on any system and protect that system while
    allowing the system to forward traffic.
    As part of this change, several additional features were added:
    - You may now specify "physical=+" in the interfaces file.
    - A 'COMPLETE' option is added to shorewall.conf and
      shorewall6.conf. When you set this option to Yes, you are
      asserting that the configuration is complete so that your set of
      zones encompasses any hosts that can send or receive traffic
      to/from/through the firewall. This causes Shorewall to omit the
      rules that catch packets in which the source or destination IP
      address is outside of any of your zones. Default is No.  It is
      recommended that this option only be set to Yes if:
      o You have defined an interface whose effective physical setting
        is '+'
      o That interface is assigned to a zone.
      o You have no CONTINUE policies or rules.
 4)  'icmp' is now accepted as a synonym for 'ipv6-icmp' in IPv6
    compilations.
 5)  Shorewall now detects the presence of a recent ipset iptables
    module and uses its new syntax. This avoids a warning on iptables
    1.4.9. This change involves a new capabilities file version so if
    you use a capabilities file, be sure to regenerate it with 4.4.12
    shorewall-lite or shorewall6-lite.
 6)  Blacklisting can now be done by destination IP address as well as
    by source address.
    The /etc/shorewall/blacklist and /etc/shorewall6/blacklist files
    now have an optional OPTIONS column. Initially, this column can
    contain either 'from' (the default) or 'to'; the latter causes the
    address(es) in the ADDRESS/SUBNET column to be interpreted as a
    DESTINATION address rather than a source address.
    Note that static blacklisting is still restricted to traffic
    ARRIVING on an interface that has the 'blacklist' option set. So to
    block traffic from your local network to an internet host, you must
    specify 'blacklist' on your internal interface.
    Similarly, dynamic blacklisting has been enhanced to recognize the
    'from' and 'to' keywords.
    Example:
 	shorewall drop to 1.2.3.4
    This command will silently drop connection requests to1.2.3.4.
    The reciprocal of that command would be:
    	shorewall allow to 1.2.3.4
 7)  The status command now displays the directory containing the .conf
    file (shorewall.conf or shorewall6.conf) when the running
    configuration was compiled.
    Example:
        gateway:/etc/shorewall# shorewall status
 	Shorewall-4.4.12-RC1 Status at gateway - Thu Aug 12 19:41:51 PDT 2010
 	Shorewall is running
 	State:Started (Thu Aug 12 19:41:48 PDT 2010) from /etc/shorewall/
 	gateway:/etc/shorewall# 
 ----------------------------------------------------------------------------
         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 1
 ----------------------------------------------------------------------------
 1)  The IPv6 allowBcast action generated an invalid rule.
 2)  If IPSET=<pathname> was specified in shorewall.conf, then when an
    ipset was used in a configuration file entry, the following
    fatal compilation error occurred:
    ERROR: ipset names in Shorewall configuration files require Ipset
    Match in your kernel and iptables : /etc/shorewall/rules (line nn)
    If you applied the workaround given in the "Known Problems", then
    you should remove /etc/shorewall/capabilities after installing
    this fix.
 3)  The start priority of shorewall-init on Debian and Debian-based
    distributions was previously too low, making it start too late.
 4)  The log output from IPv6 logs was almost unreadable due to display
    of IPv6 addresses in uncompressed format. A similar problem
    occurred with 'shorewall6 show connections'. This update makes the
    displays much clearer at the expense of opening the slight
    possibility of two '::' sequences being incorrectly shown in the
    same address.
 5)  The new REQUIRE_INTERFACE was inadvertently omitted from
    shorewall.conf and shorewall6.conf. It has been added.
 6)  Under some versions of Perl, a Perl run-time diagnostic was produced
    when options were omitted from shorewall.conf or shorewall6.conf. 
 7) If the following options were specified in /etc/shorewall/interfaces
   for an interface with '-' in the ZONE column, then these options
   would be ignored if there was an entry in the hosts file for the
   interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
   implied when the host list begins with '!').
   	blacklist
 	maclist
 	nosmurfs
 	tcpflags
   Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
 8) The generated script was missing a closing quote when
   REQUIRE_INTERFACE=Yes.
 9) Previously, if nets= was specified under Shorewall6, this error
   would result:
   	 ERROR: Invalid IPv6 address (224.0.0.0) : 
                /etc/shorewall6/interfaces (line 16)
 ----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 4 . 1 1
 ----------------------------------------------------------------------------
 1)  Beginning with this release, Shorewall supports a 'vserver'
    zone type. This zone type is used with Shorewall running on a
    Linux-vserver host system and allows you to define zones that
    represent a set of Linux-vserver hosts.
    See http://www.shorewall.net/Vserver.html for details.
 2)  A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
    and shorewall6.conf. 
    Traditionally, Shorewall has cleared the packet mark in the first
    rule in the mangle FORWARD chain. This behavior is maintained with
    the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is
    set to No, packet marks set in the PREROUTING chain are retained in
    the FORWARD chains.
    As part of this change, a new "fwmark route mask" capability has
    been added. If your version of iproute2 supports this capability,
    fwmark routing rules may specify a mask to be applied to the mark
    prior to comparison with the mark value in the rule. The presence
    of this capability allows Shorewall to relax the restriction that
    small mark values may not be set in the PREROUTING chain when
    HIGH_ROUTE_MARKS is in effect. If you take advantage of this
    capability, be sure that you logically OR mark values in PREROUTING
    makring rules rather then simply setting them unless you are able
    to set both the high and low bits in the mark in a single rule.
    As always when a new capability has been introduced, be sure to
    regenerate your capabilities file(s) after installing this release.
 3)  A new column (NET3) has been added to the /etc/shorewall/netmap
    file. This new column can qualify the INTERFACE column by
    specifying a SOURCE network (DNAT rule) or DEST network (SNAT rule)
    associated with the interface.
 4)  To accomodate systems with more than one version of Perl installed,
    the shorewall.conf and shorewall6.conf files now support a PERL
    option. If the program specified by that option does not exist or
    is not executable, Shorewall (and Shorewall6) fall back to
    /usr/bin/perl.
 ----------------------------------------------------------------------------
         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 0
 ----------------------------------------------------------------------------
 1)  Startup Errors (those that are detected before the state of the
    system has been altered), were previously not sent to the
    STARTUP_LOG.
@@ -244,14 +747,28 @@ I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
        `sys2sys':/usr/local/libexec/xtables/libipt_sys2sys.so:
 	cannot open shared object file: No such file or directory
----------------------------------------------------------------------------
+4)  Previously, if the 'optional' option was given to an interface with
-           I V.  K N O W N   P R O B L E M S   R E M A I N I N G
+    a wildcard physical name, specific instances of the interface were
----------------------------------------------------------------------------
+    never considered usable.
-None.
+    Example:
    /etc/shorewall/interfaces:
    #ZONE	INTERFACE	BROADCAST	OPTIONS
    net		ppp+		-		optional
    /etc/shorewall/providers:
    #PROVIDER	NUMBER	MARK	DUPLICATE	INTERFACE	...
    XYZTEL	1	-	main		ppp0
    The XYZTEL provider was never usable.
    This configuration now works correctly.
 ----------------------------------------------------------------------------
-         V.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
+               N E W   F E A T U R E S   I N   4 . 4 . 1 0
 ----------------------------------------------------------------------------
 1)  Shorewall 4.4.10 includes a new 'Shorewall Init' package. This new
@@ -314,7 +831,11 @@ None.
    b)  In your Shorewall interfaces file(s), set the 'required' option
        on any interfaces that must be up in order for the firewall to
        start. At least one interface must have the 'required' or
-        'optional' option if you perform the next optional step.
+        'optional' option if you perform the next optional step. If
 	'required' is specified on an interface with a wildcard name
        (the physical name ends with '+'), then at least one interface
        that matches the name must be in a usable state for the
        firewall to start successfully.
    c)  (Optional) -- If you have specified at least one 'required'
        or 'optional interface, you can then disable automatic firewall
@@ -387,9 +908,6 @@ None.
 	shorewall-init: 4.4.10-RC1
 	gateway:~#
 ----------------------------------------------------------------------------
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
      I N   P R I O R  R E L E A S E S
 ----------------------------------------------------------------------------
         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 9
 ----------------------------------------------------------------------------
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -67,15 +67,15 @@ get_config() {
 	# This block is avoided for compile for export and when the user isn't root
 	#
 	if [ "$3" = Yes ]; then
-	    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
+	    if [ -n "$LOGFILE" ]; then
-
+		if [ -n "$(syslog_circular_buffer)" ]; then
-	    if [ -n "$(syslog_circular_buffer)" ]; then
+		    g_logread="logread | tac"
-		g_logread="logread | tac"
+		elif [ -r $LOGFILE ]; then
-	    elif [ -r $LOGFILE ]; then
+		    g_logread="tac $LOGFILE"
-		g_logread="tac $LOGFILE"
+		else
-	    else
+		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-		echo "LOGFILE ($LOGFILE) does not exist!" >&2
+		    exit 2
-		exit 2
+		fi
 	    fi
 	fi
@@ -360,7 +360,16 @@ compiler() {
    run_user_exit params
    set +a
-    perl $debugflags /usr/share/shorewall/compiler.pl $options $@
+    if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
 	    echo "   WARNING: The program specified in the PERL option does not exist or is not executable; falling back to /usr/bin/perl" >&2
 	    PERL=/usr/bin/perl
 	fi
    else
 	PERL=/usr/bin/perl
    fi
    $PERL $debugflags /usr/share/shorewall/compiler.pl $options $@
 }
 #
@@ -477,7 +486,7 @@ start_command() {
 	    export RESTOREFILE
-	    if make -qf ${CONFDIR}/Makefile; then
+	    if ! make -qf ${CONFDIR}/Makefile; then
 		g_fast=
 		AUTOMAKE=
 	    fi
@@ -1622,17 +1631,17 @@ case "$COMMAND" in
 	get_config
 	[ $# -ne 1 ] && usage 1
 	[ -x $g_firewall ] || fatal_error "Shorewall has never been started"
-	mutex_on
+	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $g_debugging $nolock $COMMAND
+	run_it $g_firewall $g_debugging $COMMAND
-	mutex_off
+	[ -n "$nolock" ] || mutex_off
 	;;
    reset)
 	get_config
 	shift
-	mutex_on
+	[ -n "$nolock" ] || mutex_on
 	[ -x $g_firewall ] || fatal_error "Shorewall has never been started"
-	run_it $g_firewall $g_debugging $nolock reset $@
+	run_it $g_firewall $g_debugging reset $@
-	mutex_off
+	[ -n "$nolock" ] || mutex_off
 	;;
    compile)
 	get_config Yes
@@ -1829,6 +1838,7 @@ case "$COMMAND" in
 	if [ -x $g_restorepath ]; then
 	    rm -f $g_restorepath
 	    rm -f ${g_restorepath}-iptables
 	    rm -f ${g_restorepath}-ipsets
 	    echo "    $g_restorepath removed"
 	elif [ -f $g_restorepath ]; then
 	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.10
+%define version 4.4.13
-%define release 0RC1
+%define release 0base
 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -108,6 +108,48 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
 %changelog
 * Mon Sep 20 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0base
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta6
 * Mon Sep 13 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta5
 * Sat Sep 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta4
 * Mon Aug 30 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta3
 * Wed Aug 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta2
 * Wed Aug 18 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta1
 * Sun Aug 15 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0base
 * Fri Aug 06 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0RC1
 * Sun Aug 01 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta4
 * Sat Jul 31 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta3
 * Sun Jul 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta2
 * Wed Jul 21 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta1
 * Fri Jul 09 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0base
 * Mon Jul 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0RC1
 * Sat Jul 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta3
 * Thu Jul 01 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta2
 * Sun Jun 06 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta1
 * Sat Jun 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC1
 * Wed May 26 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.10-RC1
+VERSION=4.4.13
 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.10-RC1
+VERSION=4.4.13
 usage() # $1 = exit status
 {
@@ -350,7 +350,13 @@ if [ -z "$DESTDIR" ]; then
    if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite
-	    ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
+
 	    if [ -x /sbin/insserv ]; then
 		insserv /etc/init.d/shorewall6-lite
 	    else
 		ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
 	    fi
 	    echo "Shorewall6 Lite will start automatically at boot"
 	else
 	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -58,7 +58,7 @@ g_product="Shorewall Lite"
 SHOREWALL_VERSION=$(cat /usr/share/shorewall6-lite/version)
-[ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich iptables)
+[ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables)
 VERBOSITY=0
 load_kernel_modules No
--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -615,7 +615,9 @@ case "$COMMAND" in
    stop|reset|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	run_it $g_firewall $debugging $nolock $COMMAND
+	[ -n "$nolock" ] || mutex_on
 	run_it $g_firewall $debugging $COMMAND
 	[ -n "$nolock" ] || mutex_off
 	;;
    restart)
 	shift
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.10
+%define version 4.4.13
-%define release 0RC1
+%define release 0base
 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -93,6 +93,48 @@ fi
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
 * Mon Sep 20 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0base
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta6
 * Mon Sep 13 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta5
 * Sat Sep 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta4
 * Mon Aug 30 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta3
 * Wed Aug 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta2
 * Wed Aug 18 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta1
 * Sun Aug 15 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0base
 * Fri Aug 06 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0RC1
 * Sun Aug 01 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta4
 * Sat Jul 31 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta3
 * Sun Jul 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta2
 * Wed Jul 21 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta1
 * Fri Jul 09 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0base
 * Mon Jul 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0RC1
 * Sat Jul 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta3
 * Thu Jul 01 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta2
 * Sun Jun 06 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta1
 * Sat Jun 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC1
 * Wed May 26 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.10-RC1
+VERSION=4.4.13
 usage() # $1 = exit status
 {
--- a/Shorewall6/action.Drop
+++ b/Shorewall6/action.Drop
@@ -28,6 +28,11 @@ Auth(REJECT)
 #
 AllowICMPs	-	-	ipv6-icmp
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 dropBcast
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
--- a/Shorewall6/action.Reject
+++ b/Shorewall6/action.Reject
@@ -20,10 +20,16 @@
 #
 Auth(REJECT)
 #
-# ACCEPT critical ICMP types
+# Drop Multicasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 AllowICMPs	-	-	ipv6-icmp
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 dropBcast
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
--- a/Shorewall6/blacklist
+++ b/Shorewall6/blacklist
@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT
+#ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=4.4.10-RC1
+VERSION=4.4.13
 usage() # $1 = exit status
 {
@@ -311,8 +311,8 @@ delete_file ${DESTDIR}/usr/share/shorewall6/lib.proxyarp
 delete_file ${DESTDIR}/usr/share/shorewall6/lib.tc
 delete_file ${DESTDIR}/usr/share/shorewall6/lib.tcrules
 delete_file ${DESTDIR}/usr/share/shorewall6/lib.tunnels
-delete_file ${DESTDIR}/usr/share/shorewall6/prog.header
+delete_file ${DESTDIR}/usr/share/shorewall6/prog.header6
-delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer
+delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer6
 #
 # Install wait4ifup
@@ -507,6 +507,16 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/notrack ]; then
    run_install $OWNERSHIP -m 0600 notrack ${DESTDIR}/etc/shorewall6/notrack
    echo "Notrack file installed as ${DESTDIR}/etc/shorewall6/notrack"
 fi
 #
 # Install the Secmarks file
 #
 run_install $OWNERSHIP -m 0644 secmarks ${DESTDIR}/usr/share/shorewall6/configfiles/secmarks
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/secmarks ]; then
    run_install $OWNERSHIP -m 0600 secmarks ${DESTDIR}/etc/shorewall6/secmarks
    echo "Secmarks file installed as ${DESTDIR}/etc/shorewall6/secmarks"
 fi
 #
 # Install the default config path file
 #
@@ -718,7 +728,13 @@ fi
 if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
    if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6
-	ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
+
 	if [ -x /sbin/insserv ]; then
 	    insserv /etc/init.d/shorewall6
 	else
 	    ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
 	fi
 	echo "shorewall6 will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall6 to enable"
 	touch /var/log/shorewall6-init.log
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -33,7 +33,7 @@
 #
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40408
+SHOREWALL_CAPVERSION=40413
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -134,18 +134,18 @@ syslog_circular_buffer() {
 packet_log() # $1 = number of messages
 {
    if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
    else
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
    fi
 }
 search_log() # $1 = IP address to search for
 {
    if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
    else
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
    fi
 }    
@@ -208,6 +208,19 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	   #		     an 'interesting' packet count changes
 {
    if [ -z "$LOGFILE" ]; then
 	LOGFILE=/var/log/messages
 	if [ -n "$(syslog_circular_buffer)" ]; then
 	    g_logread="logread | tac"
 	elif [ -r $LOGFILE ]; then
 	    g_logread="tac $LOGFILE"
 	else
 	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	    exit 2
 	fi
    fi
    host=$(echo $g_hostname | sed 's/\..*$//')
    oldrejects=$($IP6TABLES -L -v -n | grep 'LOG')
@@ -439,7 +452,7 @@ show_command() {
 	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 	    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
 	    echo
-	    grep '^ipv6' /proc/net/nf_conntrack
+	    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g'
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
@@ -457,6 +470,20 @@ show_command() {
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
 	    if [ -z "$LOGFILE" ]; then
 		LOGFILE=/var/log/messages
 		if [ -n "$(syslog_circular_buffer)" ]; then
 		    g_logread="logread | tac"
 		elif [ -r $LOGFILE ]; then
 		    g_logread="tac $LOGFILE"
 		else
 		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
 		    exit 2
 		fi
 	    fi
 	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
 	    echo
 	    show_reset
@@ -667,6 +694,19 @@ dump_command() {
 	esac
    done
    if [ -z "$LOGFILE" ]; then
 	LOGFILE=/var/log/messages
 	if [ -n "$(syslog_circular_buffer)" ]; then
 	    g_logread="logread | tac"
 	elif [ -r $LOGFILE ]; then
 	    g_logread="tac $LOGFILE"
 	else
 	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	    exit 2
 	fi
    fi
    g_ipt_options="$g_ipt_options $g_ipt_options1"
    [ $VERBOSITY -lt 2 ] && VERBOSITY=2
@@ -747,7 +787,7 @@ dump_command() {
    report_capabilities
    echo
-    netstat -tunap
+    netstat -6tunap
    if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -918,6 +958,10 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
    chain=$1
    local finished
    finished=$2
    local which
    which='-s'
    local range
    range='--src-range'
    if ! chain_exists dynamic; then
 	echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
@@ -929,19 +973,31 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
    while [ $# -gt 0 ]; do
 	case $1 in
 	    from)
 		which='-s'
 		range='--src-range'
 		shift
 		continue
 		;;
 	    to)
 		which='-d'
 		range='--dst-range'
 		shift
 		continue
 		;;
 	    *-*)
-		qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject
+		qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject
-		qt $IP6TABLES -D dynamic -m iprange --src-range  $1 -j DROP
+		qt $IP6TABLES -D dynamic -m iprange $range  $1 -j DROP
-		qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject
+		qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject
-		qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop
+		qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop
-		$IP6TABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
+		$IP6TABLES -A dynamic -m iprange $range $1 -j $chain || break 1
 		;;
 	    *)
-		qt $IP6TABLES -D dynamic -s $1 -j reject
+		qt $IP6TABLES -D dynamic $which $1 -j reject
-		qt $IP6TABLES -D dynamic -s $1 -j DROP
+		qt $IP6TABLES -D dynamic $which $1 -j DROP
-		qt $IP6TABLES -D dynamic -s $1 -j logreject
+		qt $IP6TABLES -D dynamic $which $1 -j logreject
-		qt $IP6TABLES -D dynamic -s $1 -j logdrop
+		qt $IP6TABLES -D dynamic $which $1 -j logdrop
-		$IP6TABLES -A dynamic -s $1 -j $chain || break 1
+		$IP6TABLES -A dynamic $which $1 -j $chain || break 1
 		;;
 	esac
@@ -1046,6 +1102,11 @@ allow_command() {
    [ -n "$g_debugging" ] && set -x
    [ $# -eq 1 ] && usage 1
    if shorewall6_is_started ; then
 	local which
 	which='-s'
 	local range
 	range='--src-range'
 	if ! chain_exists dynamic; then
 	    echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
 	    exit 2
@@ -1055,11 +1116,21 @@ allow_command() {
 	while [ $# -gt 1 ]; do
 	    shift
 	    case $1 in
 		from)
 		    which='-s'
 		    range='--src-range'
 		    continue
 		    ;;
 		to)
 		    which='-d'
 		    range='--dst-range'
 		    continue
 		    ;;
 		*-*)
-		    if  qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject    ||\
+		    if  qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject    ||\
-			qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j DROP      ||\
+			qt $IP6TABLES -D dynamic -m iprange $range $1 -j DROP      ||\
-			qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop   ||\
+			qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop   ||\
-			qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject
+			qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1067,10 +1138,10 @@ allow_command() {
 		    fi
 		    ;;
 		*)
-		    if  qt $IP6TABLES -D dynamic -s $1 -j reject    ||\
+		    if  qt $IP6TABLES -D dynamic $which $1 -j reject    ||\
-			qt $IP6TABLES -D dynamic -s $1 -j DROP      ||\
+			qt $IP6TABLES -D dynamic $which $1 -j DROP      ||\
-			qt $IP6TABLES -D dynamic -s $1 -j logdrop   ||\
+			qt $IP6TABLES -D dynamic $which $1 -j logdrop   ||\
-			qt $IP6TABLES -D dynamic -s $1 -j logreject
+			qt $IP6TABLES -D dynamic $which $1 -j logreject
 			then
 			echo "$1 Allowed"
 		    else
@@ -1160,6 +1231,7 @@ determine_capabilities() {
    RECENT_MATCH=
    OWNER_MATCH=
    IPSET_MATCH=
    OLD_IPSET_MATCH=
    CONNMARK=
    XCONNMARK=
    CONNMARK_MATCH=
@@ -1190,6 +1262,8 @@ determine_capabilities() {
    IPMARK_TARGET=
    LOG_TARGET=Yes
    FLOW_FILTER=
    FWMARK_RT_MASK=
    MARK_ANYWHERE=
    chain=fooX$$
@@ -1204,6 +1278,10 @@ determine_capabilities() {
    [ -n "$IP" -a -x "$IP" ] || IP=
    [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
    [ -n "$TC" -a -x "$TC" ] || TC=
    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
    qt $IP6TABLES -F $chain
@@ -1327,13 +1405,15 @@ determine_capabilities() {
    qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
    qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
    qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
    qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $IP6TABLES -F $chain
    qt $IP6TABLES -X $chain
    qt $IP6TABLES -F $chain1
    qt $IP6TABLES -X $chain1
-    [ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
    CAPVERSION=$SHOREWALL_CAPVERSION
    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
@@ -1368,7 +1448,10 @@ report_capabilities() {
 	report_capability "IP range Match" $IPRANGE_MATCH
 	report_capability "Recent Match" $RECENT_MATCH
 	report_capability "Owner Match" $OWNER_MATCH
-	report_capability "Ipset Match" $IPSET_MATCH
+	if [ -n "$IPSET_MATCH" ]; then
 	    report_capability "Ipset Match" $IPSET_MATCH
 	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
 	fi
 	report_capability "CONNMARK Target" $CONNMARK
 	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
 	report_capability "Connmark Match" $CONNMARK_MATCH
@@ -1398,6 +1481,8 @@ report_capabilities() {
 	report_capability "LOG Target" $LOG_TARGET
 	report_capability "TPROXY Target" $TPROXY_TARGET
 	report_capability "FLOW Classifier" $FLOW_FILTER
 	report_capability "fwmark route mask" $FWMARK_RT_MASK
 	report_capability "Mark in any table" $MARK_ANYWHERE
    fi
    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1428,6 +1513,7 @@ report_capabilities1() {
    report_capability1 RECENT_MATCH
    report_capability1 OWNER_MATCH
    report_capability1 IPSET_MATCH
    report_capability1 OLD_IPSET_MATCH
    report_capability1 CONNMARK
    report_capability1 XCONNMARK
    report_capability1 CONNMARK_MATCH
@@ -1457,6 +1543,8 @@ report_capabilities1() {
    report_capability1 LOG_TARGET
    report_capability1 TPROXY_TARGET
    report_capability1 FLOW_FILTER
    report_capability1 FWMARK_RT_MASK
    report_capability1 MARK_ANYWHERE
    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION    
--- a/Shorewall6/lib.common
+++ b/Shorewall6/lib.common
@@ -92,7 +92,12 @@ run_it() {
 	#
 	# 4.4.8 or later -- no additional exports required
 	#
-	options='-'
+	if [ x$1 = xtrace -o x$1 = xdebug ]; then
 	    options="$1 -"
 	    shift;
 	else
 	    options='-'
 	fi
 	[ -n "$g_noroutes" ]   && options=${options}n
 	[ -n "$g_timestamp" ]  && options=${options}t
@@ -447,7 +452,11 @@ find_file()
 #
 set_state () # $1 = state
 {
-    echo "$1 ($(date))" > ${VARDIR}/state
+    if [ $# -gt 1 ]; then
 	echo "$1 ($(date)) from $2" > ${VARDIR}/state
    else
 	echo "$1 ($(date))" > ${VARDIR}/state
    fi
 }
 #
--- a/Shorewall6/secmarks
+++ b/Shorewall6/secmarks
@@ -0,0 +1,8 @@
 #
 # Shorewall6 version 4 - Secmarks File
 #
 # For information about entries in this file, type "man shorewall-secmarks"
 #
 ############################################################################################################
 #SECMARK			CHAIN	SOURCE		DEST		PROTO	DEST	SOURCE		MARK
 #										PORT(S)	PORT(S)
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@@ -67,15 +67,15 @@ get_config() {
 	# This block is avoided for compile for export and when the user isn't root
 	#
 	if [ "$3" = Yes ]; then
-	    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
+	    if [ -n "$LOGFILE" ]; then
-
+		if [ -n "$(syslog_circular_buffer)" ]; then
-	    if [ -n "$(syslog_circular_buffer)" ]; then
+		    g_logread="logread | tac"
-		g_logread="logread | tac"
+		elif [ -r $LOGFILE ]; then
-	    elif [ -r $LOGFILE ]; then
+		    g_logread="tac $LOGFILE"
-		g_logread="tac $LOGFILE"
+		else
-	    else
+		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-		echo "LOGFILE ($LOGFILE) does not exist!" >&2
+		    exit 2
-		exit 2
+		fi
 	    fi
 	fi
@@ -299,7 +299,16 @@ compiler() {
 	set +a
    fi
-    $command perl $debugflags $pc $options $@
+    if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
 	    echo "   WARNING: The program specified in the PERL option does not exist or is not executable; falling back to /usr/bin/perl" >&2
 	    PERL=/usr/bin/perl
 	fi
    else
 	PERL=/usr/bin/perl
    fi
    $command $PERL $debugflags $pc $options $@
 }    
 #
@@ -410,7 +419,7 @@ start_command() {
 	    export RESTOREFILE
-	    if make -qf ${CONFDIR}/Makefile; then
+	    if ! make -qf ${CONFDIR}/Makefile; then
 		g_fast=
 		AUTOMAKE=
 	    fi
@@ -1535,17 +1544,17 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 1
 	get_config
 	[ -x $g_firewall ] || fatal_error "Shorewall6 has never been started"
-	mutex_on
+	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $g_debugging $nolock $COMMAND
+	run_it $g_firewall $g_debugging $COMMAND
-	mutex_off
+	[ -n "$nolock" ] || mutex_off
 	;;
    reset)
 	get_config
 	shift
-	mutex_on
+	[ -n "$nolock" ] || mutex_on
 	[ -x $g_firewall ] || fatal_error "Shorewall6 has never been started"
-	run_it $g_firewall $g_debugging $nolock reset $@
+	run_it $g_firewall $g_debugging reset $@
-	mutex_off
+	[ -n "$nolock" ] || mutex_off
 	;;
    compile)
 	get_config Yes
--- a/Shorewall6/shorewall6.conf
+++ b/Shorewall6/shorewall6.conf
@@ -32,9 +32,7 @@ LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
-LOGRATE=
+LOGLIMIT=
 LOGBURST=
 LOGALLNEW=
@@ -56,6 +54,8 @@ TC=
 IPSET=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 SHOREWALL_SHELL=/bin/sh
@@ -151,6 +151,12 @@ DYNAMIC_BLACKLIST=Yes
 LOAD_HELPERS_ONLY=No
 REQUIRE_INTERFACE=No
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=No
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.10
+%define version 4.4.13
-%define release 0RC1
+%define release 0base
 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -98,6 +98,48 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
 %changelog
 * Mon Sep 20 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0base
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta6
 * Mon Sep 13 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta5
 * Sat Sep 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta4
 * Mon Aug 30 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta3
 * Wed Aug 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta2
 * Wed Aug 18 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta1
 * Sun Aug 15 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0base
 * Fri Aug 06 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0RC1
 * Sun Aug 01 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta4
 * Sat Jul 31 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta3
 * Sun Jul 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta2
 * Wed Jul 21 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta1
 * Fri Jul 09 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0base
 * Mon Jul 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0RC1
 * Sat Jul 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta3
 * Thu Jul 01 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta2
 * Sun Jun 06 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta1
 * Sat Jun 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC1
 * Wed May 26 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=4.4.10-RC1
+VERSION=4.4.13
 usage() # $1 = exit status
 {
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@@ -119,8 +119,7 @@
        (from <filename>/etc/protocols</filename>), a protocol number or
        <quote>ipp2p</quote>. For <quote>ipp2p</quote>, your kernel and
        iptables must have ipp2p match support from <ulink
-        url="http://www.netfilter.org">Netfilter
+        url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
        Patch_o_matic_ng</ulink>.</para>
      </listitem>
      <listitem>
@@ -146,7 +145,7 @@
        only be non-empty if the CHAIN is OUTPUT. The column may
        contain:</para>
-        <programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;][+&lt;program name&gt;]</programlisting>
+        <programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;]</programlisting>
        <para>When this column is non-empty, the rule applies only if the
        program generating the output is running under the effective
@@ -163,9 +162,6 @@
          <member>!:kids #program must not be run by a member of the
          <quote>kids</quote> group</member>
          <member>+upnpd #program named upnpd (This feature was removed from
          Netfilter in kernel version 2.6.14).</member>
        </simplelist>
      </listitem>
--- a/docs/CompiledPrograms.xml
+++ b/docs/CompiledPrograms.xml
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
-      <year>2006-2007</year>
+      <year>2006-2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -180,11 +180,11 @@
        disable startup of Shorewall in your init scripts. For ease of
        reference, we call this system the 'administrative system'.</para>
-        <para>The administrative system may be a Windows system running <ulink
+        <para>The administrative system may be a GNU/Linux system, a Windows
-        url="http://www.cygwin.com/">Cygwin</ulink> or an <ulink
+        system running <ulink url="http://www.cygwin.com/">Cygwin</ulink> or
-        url="http://www.apple.com/mac/">Apple MacIntosh</ulink> running OS X.
+        an <ulink url="http://www.apple.com/mac/">Apple MacIntosh</ulink>
-        Install from a shell prompt <ulink url="Install.htm">using the
+        running OS X. Install from a shell prompt <ulink
-        install.sh script</ulink>.</para>
+        url="Install.htm">using the install.sh script</ulink>.</para>
      </listitem>
      <listitem>
@@ -241,8 +241,10 @@
        <orderedlist>
          <listitem>
            <para>modify the files in the corresponding export directory
-            appropriately. It's a good idea to include the IP address of the
+            appropriately (i.e., <emphasis>just as you would if you were
-            administrative system in the <ulink
+            configuring Shorewall on the firewall system itself</emphasis>).
            It's a good idea to include the IP address of the administrative
            system in the <ulink
            url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
            file</ulink>.</para>
@@ -283,26 +285,29 @@
          <listitem>
            <programlisting><command>cd &lt;export directory&gt;</command>
-<command>/sbin/shorewall load -c firewall</command></programlisting>
+<command>/sbin/shorewall load firewall</command></programlisting>
            <para>The <ulink
            url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
            command compiles a firewall script from the configuration files in
            the current working directory (using <command>shorewall compile
            -e</command>), copies that file to the remote system via scp and
-            starts Shorewall Lite on the remote system via ssh. The -c option
+            starts Shorewall Lite on the remote system via ssh.</para>
            causes the capabilities of the remote system to be generated and
            copied to a file named <filename>capabilities</filename> in the
            export directory. See <link
            linkend="Shorecap">below</link>.</para>
            <para>Example (firewall's DNS name is 'gateway'):</para>
-            <para><command>/sbin/shorewall load -c gateway</command><note>
+            <para><command>/sbin/shorewall load gateway</command><note>
                <para>Although scp and ssh are used by default, you can use
                other utilities by setting RSH_COMMAND and RCP_COMMAND in
                <filename>/etc/shorewall/shorewall.conf</filename>.</para>
              </note></para>
            <para>The first time that you issue a <command>load</command>
            command, Shorewall will use ssh to run
            <filename>/usr/share/shorewall-lite/shorecap</filename> on the
            remote firewall to create a capabilities file in the firewall's
            administrative direction. See <link
            linkend="Shorecap">below</link>.</para>
          </listitem>
        </orderedlist>
      </listitem>
@@ -456,7 +461,7 @@ clean:
      </simplelist>
    </blockquote>
-    <para>You will normally not need to touch
+    <para>You will normally never touch
    <filename>/etc/shorewall-lite/shorewall-lite.conf</filename> unless you
    run Debian or one of its derivatives (see <link
    linkend="Debian">above</link>).</para>
@@ -559,11 +564,11 @@ clean:
          <blockquote>
            <para>Before editing:</para>
-            <programlisting>CONFIG_PATH=/etc/shorewall:/usr/share/shorewall</programlisting>
+            <programlisting>CONFIG_PATH=<emphasis role="bold">/etc/shorewall</emphasis>:/usr/share/shorewall</programlisting>
            <para>After editing:</para>
-            <programlisting>CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall</programlisting>
+            <programlisting>CONFIG_PATH=<emphasis role="bold">/usr/share/shorewall/configfiles</emphasis>:/usr/share/shorewall</programlisting>
          </blockquote>
          <para>Changing CONFIG_PATH will ensure that subsequent compilations
@@ -596,14 +601,21 @@ clean:
          <blockquote>
            <programlisting><command>cd &lt;export directory&gt;</command>
-<command>/sbin/shorewall load -c &lt;firewall system&gt;</command>
+<command>/sbin/shorewall load &lt;firewall system&gt;</command>
 </programlisting>
            <para>Example (firewall's DNS name is 'gateway'):</para>
-            <para><command>/sbin/shorewall load -c gateway</command></para>
+            <para><command>/sbin/shorewall load gateway</command></para>
          </blockquote>
          <para>The first time that you issue a <command>load</command>
          command, Shorewall will use ssh to run
          <filename>/usr/share/shorewall-lite/shorecap</filename> on the
          remote firewall to create a capabilities file in the firewall's
          administrative direction. See <link
          linkend="Shorecap">below</link>.</para>
          <para>The <ulink
          url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
          command compiles a firewall script from the configuration files in
@@ -640,7 +652,8 @@ clean:
 <command>scp capabilities &lt;admin system&gt;:&lt;this system's config dir&gt;</command></programlisting>
          <para>Or simply use the -c option the next time that you use the
-          <command>reload</command> command.</para>
+          <command>reload</command> command (e.g., <command>shorewall reload
          -c gateway</command>).</para>
        </listitem>
      </orderedlist>
    </section>
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -57,11 +57,9 @@
          <row>
            <entry></entry>
-            <entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
+            <entry><ulink url="Vserver.html">Linux-vserver</ulink></entry>
            Machine)</ulink></entry>
-            <entry><ulink url="Laptop.html">Shorewall on a
+            <entry></entry>
            Laptop</ulink></entry>
          </row>
          <row>
@@ -104,8 +102,8 @@
          </row>
          <row>
-            <entry><ulink url="Anatomy.html">Anatomy of Shorewall</ulink>
+            <entry><ulink url="Anatomy.html">Anatomy of
-            (<ulink url="Anatomy_ru.html">Russian</ulink>)</entry>
+            Shorewall</ulink></entry>
            <entry><ulink url="Manpages.html">Man Pages</ulink></entry>
@@ -114,8 +112,8 @@
          </row>
          <row>
-            <entry><ulink url="traffic_shaping.htm">Bandwidth Control</ulink>
+            <entry><ulink url="traffic_shaping.htm">Bandwidth
-            (<ulink url="traffic_shaping_ru.html">Russian</ulink>)</entry>
+            Control</ulink></entry>
            <entry><ulink url="ManualChains.html">Manual
            Chains</ulink></entry>
@@ -125,9 +123,8 @@
          </row>
          <row>
-            <entry><ulink url="blacklisting_support.htm">Blacklisting</ulink>
+            <entry><ulink
-            (<ulink
+            url="blacklisting_support.htm">Blacklisting</ulink></entry>
            url="blacklisting_support_ru.html">Russian</ulink>)</entry>
            <entry><ulink
            url="two-interface.htm#SNAT">Masquerading</ulink></entry>
@@ -187,7 +184,7 @@
            <entry><ulink url="netmap.html">Network Mapping</ulink></entry>
-            <entry> <ulink url="simple_traffic_shaping.html">Traffic
+            <entry><ulink url="simple_traffic_shaping.html">Traffic
            Shaping/QOS - Simple</ulink></entry>
          </row>
@@ -199,8 +196,7 @@
            NAT)</entry>
            <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
-            Complex</ulink> (<ulink
+            Complex</ulink></entry>
            url="traffic_shaping_ru.html">Russian</ulink>)</entry>
          </row>
          <row>
@@ -322,8 +318,8 @@
          </row>
          <row>
-            <entry><ulink url="Install.htm">Installation/Upgrade</ulink>
+            <entry><ulink
-            (<ulink url="Install_fr.html">Français</ulink>)</entry>
+            url="Install.htm">Installation/Upgrade</ulink></entry>
            <entry><ulink url="ReleaseModel.html">Release
            Model</ulink></entry>
@@ -386,6 +382,16 @@
            <entry></entry>
          </row>
          <row>
            <entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
            Machine)</ulink></entry>
            <entry><ulink url="Laptop.html">Shorewall on a
            Laptop</ulink></entry>
            <entry></entry>
          </row>
        </tbody>
      </tgroup>
    </informaltable>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -687,11 +687,9 @@ eth1:192.168.1.5        eth1            <emphasis role="bold">130.151.100.69</em
          <para>That rule (and the second one in the previous bullet) only
          works of course if you have a static external IP address. If you
          have a dynamic IP address then include this in
-          <filename>/etc/shorewall/params</filename> (or your
+          <filename>/etc/shorewall/params</filename>.</para>
          <filename>&lt;export directory&gt;/init</filename> file if you are
          using Shorewall Lite on the firewall system):</para>
-          <programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command>        </programlisting>
+          <programlisting><command>ETH0_IP=$(find_first_interface_address eth0)</command>        </programlisting>
          <para>and make your DNAT rule:</para>
@@ -712,6 +710,14 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
            will return 0.0.0.0 if the interface has no configured IP address;
            the latter terminates the calling program.</para>
          </note>
          <note>
            <para>If you run Shorewall-lite on your firewall, you must use the
            following in the firewall's configuration directory
            <filename>params</filename> file:</para>
            <programlisting><command>ETH0_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</command></programlisting>
          </note>
        </listitem>
      </itemizedlist>
@@ -1182,6 +1188,18 @@ to debug/develop the newnat interface.</programlisting></para>
  <section id="Logging">
    <title>Logging</title>
    <section id="faq91">
      <title>(FAQ 91) I changed the shorewall.conf file in /etc/shorewall/ to
      spit out logs to /var/log/shorewall.log and it's not happening after I
      restart shorewall. LOGFILE=/var/log/shorewall.log &lt;-- that should be
      the correct line, right? </title>
      <para><emphasis role="bold">Answer</emphasis>: No, that is not correct.
      The LOGFILE setting tells Shorewall where to find the log; it does not
      determine where messages are written. See <link linkend="faq6">the next
      FAQ</link>.</para>
    </section>
    <section id="faq6">
      <title>(FAQ 6) Where are the log messages written and how do I change
      the destination?</title>
@@ -2090,6 +2108,57 @@ shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall
      <filename>/etc/shorewall/params</filename> when processing the <emphasis
      role="bold">restore</emphasis> command.</para>
    </section>
    <section id="faq90">
      <title>(FAQ 90) Shorewall starts fine but after several minutes, it
      stops. Why is it doing that?</title>
      <para><emphasis role="bold">Answer:</emphasis> Shorewall uses the
      presence of a chain named <emphasis>shorewall</emphasis> to indicate
      whether is started or stopped. That chain is created during execution of
      a successful <emphasis role="bold">start</emphasis>, <emphasis
      role="bold">restart</emphasis> or <emphasis
      role="bold">restore</emphasis> command and is removed during <emphasis
      role="bold">stop</emphasis> and <emphasis role="bold">clear</emphasis>.
      If <emphasis role="bold">shorewall status</emphasis> indicates that
      Shorewall is stopped, then something has deleted that chain. Look at the
      output of <emphasis role="bold">shorewall status</emphasis>; if it looks
      like this:</para>
      <blockquote>
        <programlisting>gateway:~# shorewall status
 Shorewall-4.4.11 Status at gateway - Wed Jul 21 13:21:41 PDT 2010
 Shorewall is <emphasis role="bold">stopped</emphasis>
 State:<emphasis role="bold">Started</emphasis> (Tue Jul 20 16:01:49 PDT 2010)
 gateway:~# 
 </programlisting>
      </blockquote>
      <para>then it means that somehing outside of Shorewall has deleted the
      chain. This usually means that you were running another firewall package
      before you installed Shorewall and that other package has replaced
      Shorewall's Netfilter configuration with its own. You must remove (or at
      least disable) the other firewall package and restart Shorewall.</para>
      <blockquote>
        <programlisting>gateway:~# shorewall status
 Shorewall-4.4.11 Status at gateway - Wed Jul 21 13:26:29 PDT 2010
 Shorewall is <emphasis role="bold">stopped</emphasis>
 State:<emphasis role="bold">Stopped</emphasis> (Wed Jul 21 13:26:26 PDT 2010)
 gateway:~# </programlisting>
      </blockquote>
      <para>then a <emphasis role="bold">shorewall stop</emphasis> command has
      been executed (if the State shown in the output is <emphasis
      role="bold">Cleared</emphasis>, then a <emphasis role="bold">shorewall
      clear</emphasis> command was executed). Most likely, you have installed
      and configured the <emphasis>shorewall-init</emphasis> package and a
      required interface has gone down.</para>
    </section>
  </section>
  <section id="MultiISP">
@@ -2324,9 +2393,13 @@ We have an error talking to the kernel
      subzones? I've got a system with Linux-VServers, it's one interface
      (eth0) with multiple IPs</title>
-      <para><emphasis role="bold">Answer</emphasis>: There is no way to create
+      <para><emphasis role="bold">Answer</emphasis>: Beginning with Shorewall
-      sub-zones of the firewall zone. But you can use shell variables to make
+      4.4.11 Beta 2, you can <ulink url="Vserver.html">create vserver
-      vservers easier to deal with.</para>
+      zones</ulink> that are nested within the firewall zone.</para>
      <para>Prior to 4.4.11 Beta 2, there is no way to create sub-zones of the
      firewall zone. But you can use shell variables to make vservers easier
      to deal with.</para>
      <para><filename>/etc/shorewall/params</filename>:</para>
--- a/docs/GettingStarted.xml
+++ b/docs/GettingStarted.xml
@@ -22,6 +22,8 @@
      <year>2007</year>
      <year>2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -45,33 +47,41 @@
    </listitem>
  </itemizedlist>
  <para>Now, <ulink url="Install.htm">install Shorewall</ulink>.</para>
  <para>Next, read the QuickStart Guide that is appropriate for your
  configuration:</para>
  <para><emphasis role="bold">If you just want to protect a system: (Requires
  Shorewall 4.4.12-Beta3 or later)</emphasis></para>
  <itemizedlist>
    <listitem>
      <para><ulink url="Universal.html">Universal</ulink> configuration --
      requires no configuration to protect a single system.</para>
    </listitem>
  </itemizedlist>
  <para><emphasis role="bold">If you have only one public IP
  address:</emphasis></para>
  <itemizedlist>
    <listitem>
      <para><ulink url="standalone.htm">Standalone</ulink> Linux System with a
-      single network interface (<ulink url="standalone_fr.html">Version
+      single network interface (if you are running Shorewall 4.4.12 Beta 3 or
-      Française</ulink>) <ulink url="standalone_ru.html">(Russian
+      later, use the <ulink url="Universal.html">Universal</ulink>
-      Version)</ulink> <ulink url="standalone_es.html">Version en
+      configuration instead).</para>
      Español</ulink></para>
    </listitem>
    <listitem>
      <para><ulink url="two-interface.htm">Two-interface</ulink> Linux System
-      acting as a firewall/router for a small local network (<ulink
+      acting as a firewall/router for a small local network</para>
      url="two-interface_fr.html">Version Française</ulink>) (<ulink
      url="two-interface_ru.html">Russian Version</ulink>)</para>
    </listitem>
    <listitem>
      <para><ulink url="three-interface.htm">Three-interface</ulink> Linux
-      System acting as a firewall/router for a small local network and a DMZ..
+      System acting as a firewall/router for a small local network and a
-      (<ulink url="three-interface_fr.html">Version Française</ulink>) (<ulink
+      DMZ.</para>
      url="three-interface_ru.html">Russian Version</ulink>)</para>
    </listitem>
  </itemizedlist>
@@ -81,11 +91,10 @@
  <itemizedlist>
    <listitem>
      <para>The <ulink url="shorewall_setup_guide.htm">Shorewall Setup
-      Guide</ulink> (<ulink url="shorewall_setup_guide_fr.htm">Version
+      Guide</ulink> outlines the steps necessary to set up a firewall where
-      Française</ulink>) outlines the steps necessary to set up a firewall
+      there are multiple public IP addresses involved or if you want to learn
-      where there are multiple public IP addresses involved or if you want to
+      more about Shorewall than is explained in the single-address guides
-      learn more about Shorewall than is explained in the single-address
+      above.</para>
      guides above.</para>
    </listitem>
  </itemizedlist>
--- a/docs/Manpages.xml
+++ b/docs/Manpages.xml
@@ -5,7 +5,7 @@
  <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
  <articleinfo>
-    <title>Shorewall 4.4/4.5 Manpages</title>
+    <title>Shorewall 4.4 Manpages</title>
    <authorgroup>
      <author>
@@ -129,6 +129,9 @@
        <member><ulink url="manpages/shorewall-rules.html">rules</ulink> -
        Specify exceptions to policies, including DNAT and REDIRECT.</member>
        <member><ulink url="manpages/shorewall-secmarks.html">secmarks</ulink>
        - Attach an SELinux context to a packet.</member>
        <member><ulink
        url="manpages/shorewall-tcclasses.html">tcclasses</ulink> - Define htb
        classes for traffic shaping.</member>
@@ -137,6 +140,11 @@
        url="manpages/shorewall-tcdevices.html">tcdevices</ulink> - Specify
        speed of devices for traffic shaping.</member>
        <member><ulink
        url="manpages/shorewall-tcfilters.html">tcfilters</ulink> - Classify
        traffic for shaping; often used with an IFB to shape ingress
        traffic.</member>
        <member><ulink
        url="manpages/shorewall-tcinterfaces.html">tcinterfaces</ulink> -
        Specify devices for simplified traffic shaping.</member>
@@ -184,6 +192,11 @@
        <member><ulink url="manpages/shorewall.html">shorewall</ulink> -
        /sbin/shorewall command syntax and semantics.</member>
        <member><ulink
        url="manpages/shorewall-init.html">shorewall-init</ulink> - Companion
        package that allows for automatic start/stop of other Shorewall
        products based on network events.</member>
        <member><ulink
        url="manpages/shorewall-lite.html">shorewall-lite</ulink> -
        /sbin/shorewall-lite command syntax and semantics.</member>
--- a/docs/Manpages6.xml
+++ b/docs/Manpages6.xml
@@ -5,7 +5,7 @@
  <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
  <articleinfo>
-    <title>Shorewall6 4.4/4.5 Manpages</title>
+    <title>Shorewall6 4.4 Manpages</title>
    <authorgroup>
      <author>
@@ -114,6 +114,10 @@
        <member><ulink url="manpages6/shorewall6-rules.html">rules</ulink> -
        Specify exceptions to policies, including DNAT and REDIRECT.</member>
        <member><ulink
        url="manpages6/shorewall6-secmarks.html">secmarks</ulink> - Attached
        an SELinux context to a packet.</member>
        <member><ulink
        url="manpages6/shorewall6-tcclasses.html">tcclasses</ulink> - Define
        htb classes for traffic shaping.</member>
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -1100,6 +1100,40 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
      </section>
    </section>
    <section>
      <title>Looking at the routing tables</title>
      <para>To look at the various routing tables, you must use the <emphasis
      role="bold">ip</emphasis> utility. To see the entire routing
      configuration (including rules), the command is <command>shorewall show
      routing</command>. To look at an individual provider's table use
      <command>ip route ls table <replaceable>provider</replaceable></command>
      where <replaceable>provider</replaceable> can be either the provider
      name or number.</para>
      <para>Example:</para>
      <programlisting>lillycat:- #<command>ip route ls</command>
 144.77.167.142 dev ppp0  proto kernel  scope link  src 144.177.121.199
 71.190.227.208 dev ppp1  proto kernel  scope link  src 71.24.88.151
 192.168.7.254 dev eth1  scope link  src 192.168.7.1
 192.168.7.253 dev eth1  scope link  src 192.168.7.1
 192.168.7.0/24 dev eth1  proto kernel  scope link  src 192.168.7.1
 192.168.5.0/24 via 192.168.4.2 dev eth0
 192.168.4.0/24 dev eth0  proto kernel  scope link  src 192.168.4.223
 192.168.1.0/24 via 192.168.4.222 dev eth0
 default
        nexthop dev ppp1 weight 2
        nexthop dev ppp0 weight 1
 lillycat: #ip <command>route ls provider 1</command>
 144.77.167.142 dev ppp0  proto kernel  scope link  src 144.177.121.199 
 192.168.5.0/24 via 192.168.4.2 dev eth0 
 192.168.4.0/24 dev eth0  proto kernel  scope link  src 192.168.4.223 
 192.168.1.0/24 via 192.168.4.222 dev eth0 
 default dev ppp0  scope link 
 lillycat: #</programlisting>
    </section>
    <section id="USE_DEFAULT_RT">
      <title>USE_DEFAULT_RT</title>
@@ -1527,7 +1561,7 @@ connection {
 connection {
    name=Comcast
-    checkip=${ETH0_GATEWAY:-71.231.152.1}
+    checkip=${SW_ETH0_GATEWAY:-71.231.152.1}
    device=$COM_IF
    ttl=1
 }
@@ -1543,9 +1577,14 @@ EOF
   /usr/sbin/lsm /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
 }</programlisting>
-        <para>eth3 has a dynamic IP address so I need to use the
+        <para>eth0 has a dynamic IP address so I need to use the
-        Shorewall-detected gateway address ($ETH3_GATEWAY). I supply a default
+        Shorewall-detected gateway address ($SW_ETH1_GATEWAY). I supply a
-        value to be used in the event that detection fails.</para>
+        default value to be used in the event that detection fails.</para>
        <note>
          <para>In Shorewall 4.4.7 and earlier, the variable name is
          ETH1_GATEWAY.</para>
        </note>
        <para><filename>/etc/shorewall/started</filename>:</para>
--- a/docs/NetfilterOverview.xml
+++ b/docs/NetfilterOverview.xml
@@ -89,8 +89,8 @@
    Shorewall system itself.</para>
    <para>A more elaborate version of this flow is available <ulink
-    url="http://shorewall.net/pub/shorewall/misc/netfilterflow.pdf">here</ulink>
+    url="http://jengelh.medozas.de/images/nf-packet-flow.png">here</ulink> and
-    and <ulink url="http://www.docum.org/docum.org/kptd/">this one</ulink>
+    <ulink url="http://www.docum.org/docum.org/kptd/">this one</ulink>
    contrasts the Netfilter flow with that of ipchains.</para>
    <para>In the above diagram are boxes similar to this:</para>
--- a/docs/OPENVPN.xml
+++ b/docs/OPENVPN.xml
@@ -498,6 +498,202 @@ DNAT	172.20.1.0/24		tun1		192.168.1.0/24
    the right as 172.20.1.0/24.</para>
  </section>
  <section>
    <title>Roadwarrior with IPv6</title>
    <para>While OpenVPN supports tunneling of IPv6 packets, the version of the
    code that I run under OS X on my Macbook Pro does not support that option.
    Nevertheless, I am able to take IPv6 on the road with me by creating a
    6to4 tunnel through the OpenVPN IPv6 tunnel. In this configuration, the
    IPv4 address pair (172.20.0.10,172.20.0.11) is used for the OpenVPN tunnel
    and (2001:470:e857:2::1,2001:470:e857:2::2) is used for the 6to4
    tunnel.</para>
    <para>Here are my config files:</para>
    <para>Server (conventional routed server config):</para>
    <blockquote>
      <programlisting>dev tun
 local 70.90.191.121
 server 172.20.0.0 255.255.255.128
 dh dh1024.pem
 ca /etc/certs/cacert.pem
 crl-verify /etc/certs/crl.pem
 cert /etc/certs/gateway.pem
 key /etc/certs/gateway_key.pem
 port 1194
 comp-lzo
 user nobody
 group nogroup
 keepalive 15 45
 ping-timer-rem
 persist-tun
 persist-key
 client-config-dir /etc/openvpn/clients
 ccd-exclusive
 client-to-client
 push "route 172.20.1.0 255.255.255.0"
 verb 3</programlisting>
      <para>In the CCD file for the Macbook Pro:</para>
      <programlisting>ifconfig-push <emphasis role="bold">172.20.0.11 172.20.0.10</emphasis></programlisting>
      <para>From <filename>/etc/network/interfaces</filename> (very standard
      <ulink url="6to4.htm#SixInFour">6to4 tunnel
      configuration</ulink>):</para>
      <programlisting>auto mac
 iface mac inet6 v4tunnel
      address <emphasis role="bold">2001:470:e857:2::1</emphasis>
      netmask 64
      endpoint <emphasis role="bold">172.20.0.11</emphasis>
      local <emphasis role="bold">172.20.1.254</emphasis></programlisting>
      <para>Note that while the remote endpoint (172.20.0.11) is also the
      remote endpoint of the OpenVPN tunnel, the local endpoint (172.20.1.254)
      of the 6to4 tunnel is not the local endpoint of the OpenVPN tunnel
      (that;s 172.20.0.10). 172.20.1.254 is the IPv4 address of the Shorewall
      firewall's LAN interface.</para>
      <para>The following excerpts from the Shorewall configuration show the
      parts of that configuration that are relevant to these two tunnels (bold
      font). <emphasis role="bold">This is not a complete
      configuration.</emphasis></para>
      <para><filename>/etc/shorewall/zones</filename>:</para>
      <programlisting>#ZONE           TYPE
 fw              firewall
 loc             ip              #Local Zone
 drct:loc        ipv4            #Direct internet access
 net             ipv4            #Internet
 <emphasis role="bold">vpn             ipv4 </emphasis>           #OpenVPN clients</programlisting>
      <para><filename>/etc/shorewall/interfaces</filename>:</para>
      <programlisting>#ZONE  INTERFACE  BROADCAST OPTIONS
 loc    INT_IF     detect    dhcp,logmartians=1,routefilter=1,physical=$INT_IF,required,wait=5
 net    COM_IF     detect    dhcp,blacklist,optional,routefilter=0,logmartians,proxyarp=0,physical=$COM_IF,nosmurfs
 <emphasis role="bold">vpn    TUN_IF+    detect    physical=tun+,routeback</emphasis>
 -      sit1       -         ignore
 <emphasis role="bold">-      mac        -         ignore</emphasis>
 -      EXT_IF     -         ignore
 -      lo         -         ignore</programlisting>
      <para><filename>/etc/shorewall/tunnels</filename>:</para>
      <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY
 #                                               ZONE
 <emphasis role="bold">openvpnserver:udp       net</emphasis>
 6to4                    net
 <emphasis role="bold">6to4                    vpn</emphasis></programlisting>
      <para>Similarly, here are exerpts from the Shorewall6
      configuration.</para>
      <para><filename>/etc/shorewall6/zones</filename>:</para>
      <programlisting>#ZONE     TYPE     OPTIONS        IN            OUT
 #                                 OPTIONS       OPTIONS
 fw        firewall
 net       ipv6
 <emphasis role="bold">loc       ipv6</emphasis>
 rest      ipv6</programlisting>
      <para><filename>/etc/shorewall6/interfaces</filename>:</para>
      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
 net     sit1            detect          tcpflags,forward=1,nosmurfs,routeback
 loc     eth4            detect          tcpflags,forward=1
 <emphasis role="bold">loc     mac             detect          tcpflags,forward=1</emphasis>
 rest    eth+</programlisting>
      <para>Note that in the IPv6 firewall configuration, the remove Macbook
      Pro is considered to be part of the local zone (loc).</para>
    </blockquote>
    <para>Client (conventional routed client config):</para>
    <blockquote>
      <programlisting>client
 dev tun
 proto udp
 remote gateway.shorewall.net 1194
 resolv-retry infinite
 nobind
 persist-key
 persist-tun
 mute-replay-warnings
 ca ca.crt
 cert mac.crt
 key mac.key
 ns-cert-type server
 comp-lzo
 verb 3
 up /Users/teastep/bin/up
 down /Users/teastep/bin/down
 </programlisting>
      <para><filename>/Users/teastep/bin/up</filename>:</para>
      <programlisting>#!/bin/bash
 LOCAL_IP=<emphasis role="bold">172.20.0.11</emphasis>
 LOCAL_IPV6=<emphasis role="bold">2001:470:e857:2::2</emphasis>
 REMOTE_IP=<emphasis role="bold">172.20.1.254</emphasis>
 REMOTE_IPV6=<emphasis role="bold">2001:470:e857:2::1</emphasis>
 TUNNEL_IF=gif0
 if [ $(ifconfig gif0 | wc -l ) -eq 1 ]; then
    #
    # Tunnel interface is not configured yet
    #
    /sbin/ifconfig $TUNNEL_IF tunnel $LOCAL_IP $REMOTE_IP
    /sbin/ifconfig $TUNNEL_IF inet6 $LOCAL_IPV6 $REMOTE_IPV6 prefixlen 128
 else
    /sbin/ifconfig $TUNNEL_IF up
 fi
 /sbin/route -n add -inet6 default $REMOTE_IPV6 &gt; /dev/null 2&gt;&amp;1</programlisting>
      <para><filename>/Users/teastep/bin/down</filename>:</para>
      <programlisting>#!/bin/bash
 TUNNEL_IF=gif0
 /sbin/ifconfig $TUNNEL_IF down
 /sbin/route -n delete -inet6 default &gt; /dev/null 2&gt;&amp;1
 </programlisting>
    </blockquote>
  </section>
  <section>
    <title>Bridged Roadwarrior</title>
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -267,6 +267,108 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
        <para>Connection marking rules use a mask value of 0xff.</para>
      </listitem>
    </itemizedlist>
    <para>Shorewall actually allows you to have complete control over the
    layout of the 32-bit mark using the following options in <ulink
    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
    <variablelist>
      <varlistentry>
        <term>TC_BITS</term>
        <listitem>
          <para>The number of bits at the low end of the mark to be used for
          traffic shaping marking. May be zero.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PROVIDER_BITS</term>
        <listitem>
          <para>The number of bits in the mark to be used for provider
          numbers. May be zero.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>PROVIDER_OFFSET</term>
        <listitem>
          <para>The offset from the right (low-order end) of the provider
          number field. If non-zero, must be &gt;= TC_BITS (Shorewall
          automatically adjusts PROVIDER_OFFSET's value). PROVIDER_OFFSET +
          PROVIDER_BITS must be &lt;= 32.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>MASK_BITS</term>
        <listitem>
          <para>Number of bits on the right of the mark to be masked when
          clearing the traffic shaping mark. Must be &gt;= TC_BITS and &lt;=
          PROVIDER_OFFSET (if PROVIDER_OFFSET &gt; 0)</para>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>The relationship between these options is shown in this
    diagram.</para>
    <graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
    <para></para>
    <para>The default values of these options are determined by the settings
    of other options as follows:</para>
    <table>
      <title>Default Values</title>
      <tgroup cols="2">
        <tbody>
          <row>
            <entry>WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=No</entry>
            <entry>TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=0,
            MASK_BITS=8</entry>
          </row>
          <row>
            <entry>WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=Yes</entry>
            <entry>TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=8,
            MASK_BITS=8</entry>
          </row>
          <row>
            <entry>WIDE_TC_MARKS=Yes, HIGH_ROUTE_MARKS=No</entry>
            <entry>TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET=0,
            MASK_BITS=16</entry>
          </row>
          <row>
            <entry>WIDE_TC_MARKS=Yes, HIGH_ROUTE_MARKS=Yes</entry>
            <entry>TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET=16,
            MASK_BITS=16</entry>
          </row>
        </tbody>
      </tgroup>
    </table>
    <para>The existence of both TC_BITS and MASK_BITS is owed to the way that
    WIDE_TC_MARKS was originally implemented. Note that TC_BITS is 14 rather
    than 16 when WIDE_TC_MARKS=Yes.</para>
    <para>Beginning with Shorewall 4.4.12, the field between MASK_BITS and
    PROVIDER_OFFSET can be used for any purpose you want.</para>
    <para>Beginning with Shorewall 4.4.13, The first unused bit on the left is
    used by Shorewall as an <firstterm>exclusion mark</firstterm>, allowing
    exclusion in CONTINUE, NONAT and ACCEPT+ rules.</para>
  </section>
  <section id="Shorewall">
--- a/docs/Shorewall-init.xml
+++ b/docs/Shorewall-init.xml
@@ -74,13 +74,13 @@
    <title>Closing the Firewall before the Network Interfaces are brought
    up</title>
-    <para> When Shorewall-init is first installed, it does nothing until you
+    <para>When Shorewall-init is first installed, it does nothing until you
    configure it.</para>
    <para>The configuration file is <filename>/etc/default/shorewall-init
    </filename>on Debian-based systems and
    <filename>/etc/sysconfig/shorewall-init</filename> otherwise. There are
-    two settings in the file: </para>
+    two settings in the file:</para>
    <variablelist>
      <varlistentry>
@@ -115,7 +115,7 @@
      <listitem>
        <para>Be sure that your current firewall script(s) (normally in
        <filename>/var/lib/&lt;product&gt;/firewall</filename>) is(are)
-        compiled with the 4.4.10 compiler. </para>
+        compiled with the 4.4.10 compiler.</para>
        <para>Shorewall and Shorewall6 users can execute these
        commands:</para>
@@ -139,7 +139,7 @@
      </listitem>
    </orderedlist>
-    <para>That's all that is required. </para>
+    <para>That's all that is required.</para>
  </section>
  <section id="NM">
@@ -147,7 +147,7 @@
    <para>To integrate with NetworkManager and ifup/ifdown, additional steps
    are required. You probably don't want to enable this feature if you run a
-    link status monitor like swping or LSM. </para>
+    link status monitor like swping or LSM.</para>
    <orderedlist numeration="loweralpha">
      <listitem>
@@ -165,15 +165,21 @@
      <listitem>
        <para>Optional) -- If you have specified at least one
        <option>required</option> or <option>optional</option> interface, you
-        can then disable automatic firewall startup at boot time. On
+        can then disable automatic firewall startup at boot time. On Debian
-        Debian-based systems, set startup=0 in
+        systems, set startup=0 in
        <filename>/etc/default/<replaceable>product</replaceable></filename>.
        On other systems, use your service startup configuration tool
-        (chkconfig, insserv, ...) to disable startup. </para>
+        (chkconfig, insserv, ...) to disable startup.</para>
        <warning>
          <para>If your system uses Upstart as it's system initialization
          daemon, you should not disable startup. Upstart is standard on
          recent Ubuntu and Fedora releases and is optional on Debian.</para>
        </warning>
      </listitem>
    </orderedlist>
-    <para>The following actions occur when an interface comes up: </para>
+    <para>The following actions occur when an interface comes up:</para>
    <informaltable>
      <tgroup cols="3">
@@ -253,7 +259,7 @@
      </tgroup>
    </informaltable>
-    <para> For optional interfaces, the
+    <para>For optional interfaces, the
    <filename>/var/lib/<replaceable>product</replaceable>/<replaceable>interface</replaceable>.state</filename>
    files are maintained to reflect the state of the interface so that they
    may be used by the standard <firstterm>isusable</firstterm> script. Please
@@ -272,13 +278,13 @@
    <para>Similarly, if an optional interface goes down and there are no
    optional interfaces remaining in the up state, then the firewall is
-    stopped. </para>
+    stopped.</para>
    <para>On Debian-based systems, during system shutdown the firewall is
    opened prior to network shutdown (<command>/etc/init.d/shorewall
    stop</command> performs a 'clear' operation rather than a 'stop'). This is
    required by Debian standards. You can change this default behavior by
    setting SAFESTOP=1 in <filename>/etc/default/shorewall</filename>
-    (<filename>/etc/default/shorewall6</filename>, ...). </para>
+    (<filename>/etc/default/shorewall6</filename>, ...).</para>
  </section>
 </article>
--- a/docs/Shorewall_Squid_Usage.xml
+++ b/docs/Shorewall_Squid_Usage.xml
@@ -320,7 +320,7 @@ ACCEPT    $FW      net    tcp      80,443</programlisting></para>
    url="http://wiki.squid-cache.org/Features/Tproxy4">http://wiki.squid-cache.org/Features/Tproxy4</ulink>.</para>
    <para>The following configuration works with Squid running on the firewall
-    itself.</para>
+    itself (assume that Squid is listening on port 3128).</para>
    <para><filename>/etc/shorewall/interfaces:</filename></para>
@@ -332,7 +332,7 @@ ACCEPT    $FW      net    tcp      80,443</programlisting></para>
    <programlisting>#NAME   NUMBER   MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS               COPY
 Tproxy    1        1        -           lo        -            local</programlisting>
-    <para><filename>/etc/shorewall/tcrules</filename> (assume Z interface is
+    <para><filename>/etc/shorewall/tcrules</filename> (assume loc interface is
    eth1):</para>
    <programlisting>MARK            SOURCE      DEST        PROTO      PORT(S)
@@ -341,7 +341,7 @@ TPROXY(1,3128)  eth1        0.0.0.0/0   tcp        80</programlisting>
    <para>/etc/shorewall/rules:</para>
    <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
-ACCEPT    Z        $FW    tcp     SP
+ACCEPT    loc      $FW    tcp     3128
 ACCEPT    $FW      net    tcp     80</programlisting>
  </section>
 </article>
--- a/docs/UPnP.xml
+++ b/docs/UPnP.xml
@@ -109,6 +109,11 @@ forwardUPnP        net     loc</programlisting>
      this route during <command>start</command> and deletes it during
      <command>stop</command>.</para>
    </note>
    <caution>
      <para>Shorewall versions prior to 4.4.10 do not retain the dynamic rules
      added by linux-idg over a <command>shorewall restart</command>.</para>
    </caution>
  </section>
  <section>
--- a/docs/Universal.xml
+++ b/docs/Universal.xml
@@ -0,0 +1,352 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <article>
  <!--$Id$-->
  <articleinfo>
    <title>Universal Configuration</title>
    <authorgroup>
      <author>
        <firstname>Tom</firstname>
        <surname>Eastep</surname>
      </author>
    </authorgroup>
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
      <year>2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
  <section>
    <title>Configuring Shorewall</title>
    <para>Once you have installed the Shorewall software, you must configure
    it. The easiest way to do that is to use one of Shorewall's
    <firstterm>Sample Configurations</firstterm>. The Universal Configuration
    is one of those samples.</para>
  </section>
  <section>
    <title>What the Universal Configuration does</title>
    <para>The Universal Shorewall configuration requires that you simply copy
    the configuration to <filename class="directory">/etc/shorewall</filename>
    and start Shorewall. This sample configuation:</para>
    <itemizedlist>
      <listitem>
        <para>Allows all outgoing traffic.</para>
      </listitem>
      <listitem>
        <para>Blocks all incoming connections except:</para>
        <itemizedlist>
          <listitem>
            <para>Secure Shell</para>
          </listitem>
          <listitem>
            <para>Ping</para>
          </listitem>
        </itemizedlist>
      </listitem>
      <listitem>
        <para>Allows forwarding of traffic, provided that the system has more
        than one interface or is set up to route between networks on a single
        interface.</para>
      </listitem>
    </itemizedlist>
  </section>
  <section>
    <title>How to Install it</title>
    <para>The location of the sample configuration files is dependent on your
    distribution and <ulink url="Install.htm">how you installed
    Shorewall</ulink>.</para>
    <orderedlist>
      <listitem>
        <para>If you installed using an <acronym>RPM</acronym>, the samples
        will be in the <filename
        class="directory">Samples/Universal</filename> subdirectory of the
        Shorewall documentation directory. If you don't know where the
        Shorewall documentation directory is, you can find the samples using
        this command:</para>
        <programlisting>~# rpm -ql shorewall-common | fgrep Universal
 /usr/share/doc/packages/shorewall/Samples/Universal
 /usr/share/doc/packages/shorewall/Samples/Universal/interfaces
 /usr/share/doc/packages/shorewall/Samples/Universal/policy
 /usr/share/doc/packages/shorewall/Samples/Universal/rules
 /usr/share/doc/packages/shorewall/Samples/Universal/zones
 ~#</programlisting>
      </listitem>
      <listitem>
        <para>If you installed using the tarball, the samples are in the
        <filename class="directory">Samples/Universal</filename> directory in
        the tarball.</para>
      </listitem>
      <listitem>
        <para>If you installed using a Shorewall 4.x .deb, the samples are in
        <filename
        class="directory">/usr/share/doc/shorewall-common/examples/Universal</filename>..
        You do not need the shorewall-doc package to have access to the
        samples.</para>
      </listitem>
    </orderedlist>
    <para>Simple copy the files from the Universal directory to
    /etc/shorewall.</para>
  </section>
  <section>
    <title>How to Start the firewall</title>
    <para>Before starting Shorewall for the first time, it's a good idea to
    stop your existing firewall. On Redhat/CentOS/Fedora, at a root prompt
    type:</para>
    <blockquote>
      <para><command>service iptables stop</command></para>
    </blockquote>
    <para>If you are running SuSE, use Yast or Yast2 to stop
    SuSEFirewall.</para>
    <para>Once you have Shorewall running to your satisfaction, you should
    totally disable your existing firewall. On /Redhat/CentOS/Fedora:</para>
    <blockquote>
      <para><command>chkconfig --del iptables</command></para>
    </blockquote>
    <para>At a root prompt, type:</para>
    <blockquote>
      <para><command>/sbin/shorewall start</command></para>
    </blockquote>
    <para>That's it. Shorewall will automatically start again when you
    reboot.</para>
  </section>
  <section>
    <title>Now that it is running, ...</title>
    <section>
      <title>How do I stop the firewall?</title>
      <para>At a root prompt, type:</para>
      <blockquote>
        <para><command>/sbin/shorewall clear</command></para>
      </blockquote>
      <para>The system is now 'wide open'.</para>
    </section>
    <section>
      <title>How do I prevent it from responding to ping?</title>
      <para>Edit <filename>/etc/shorewall/rules</filename> and remove the line
      that reads:</para>
      <blockquote>
        <para>Ping(ACCEPT) net $FW</para>
      </blockquote>
      <para>and at a root prompt, type:</para>
      <blockquote>
        <para><command>/sbin/shorewall restart</command></para>
      </blockquote>
    </section>
    <section>
      <title>How do I allow other kinds of incoming connections?</title>
      <para>Shorewall includes a collection of <firstterm>macros</firstterm>
      that can be used to quickly allow or deny services. You can find a list
      of the macros included in your version of Shorewall using the command
      <command>ls <filename>/usr/share/shorewall/macro.*</filename></command>
      or at a shell prompt type:</para>
      <blockquote>
        <para><command>/sbin/shorewall show macros</command></para>
      </blockquote>
      <para>If you wish to enable connections from the Internet to your
      firewall and you find an appropriate macro in
      <filename>/etc/shorewall/macro.*</filename>, the general format of a
      rule in <filename>/etc/shorewall/rules</filename> is:</para>
      <programlisting>#ACTION         SOURCE    DESTINATION     PROTO       DEST PORT(S)
 &lt;<emphasis>macro</emphasis>&gt;(ACCEPT) net       $FW</programlisting>
      <important>
        <para>Be sure to add your rules after the line that reads <emphasis
        role="bold">SECTION NEW.</emphasis></para>
      </important>
      <example id="Example1">
        <title>You want to run a Web Server and a IMAP Server on your firewall
        system:</title>
        <programlisting>#ACTION     SOURCE    DESTINATION     PROTO       DEST PORT(S)
 Web(ACCEPT) net       $FW
 IMAP(ACCEPT)net       $FW</programlisting>
      </example>
      <para>You may also choose to code your rules directly without using the
      pre-defined macros. This will be necessary in the event that there is
      not a pre-defined macro that meets your requirements. In that case the
      general format of a rule in <filename>/etc/shorewall/rules</filename>
      is:</para>
      <programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
 ACCEPT    net       $FW             <emphasis>&lt;protocol&gt;</emphasis>  <emphasis>&lt;port&gt;</emphasis></programlisting>
      <example id="Example2">
        <title>You want to run a Web Server and a IMAP Server on your firewall
        system:</title>
        <para><programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
 ACCEPT    net       $FW             tcp          80
 ACCEPT    net       $FW             tcp          143</programlisting></para>
      </example>
      <para>If you don't know what port and protocol a particular application
      uses, see <ulink url="ports.htm">here</ulink>.</para>
    </section>
    <section>
      <title>How do I make the firewall log a message when it disallows an
      incoming connection?</title>
      <para>Shorewall does not maintain a log itself but rather relies on your
      <ulink url="shorewall_logging.html">system's logging
      configuration</ulink>. The following <ulink
      url="manpages/shorewall.html">commands</ulink> rely on knowing where
      Netfilter messages are logged:</para>
      <itemizedlist>
        <listitem>
          <para><command>shorewall show log</command> (Displays the last 20
          Netfilter log messages)</para>
        </listitem>
        <listitem>
          <para><command>shorewall logwatch</command> (Polls the log at a
          settable interval</para>
        </listitem>
        <listitem>
          <para><command>shorewall dump</command> (Produces an extensive
          report for inclusion in Shorewall problem reports)</para>
        </listitem>
      </itemizedlist>
      <para>It is important that these commands work properly because when you
      encounter connection problems when Shorewall is running, the first thing
      that you should do is to look at the Netfilter log; with the help of
      <ulink url="FAQ.htm#faq17">Shorewall FAQ 17</ulink>, you can usually
      resolve the problem quickly.</para>
      <para>The Netfilter log location is distribution-dependent:</para>
      <itemizedlist>
        <listitem>
          <para>Debian and its derivatives log Netfilter messages to
          <filename>/var/log/kern.log</filename>.</para>
        </listitem>
        <listitem>
          <para>Recent <trademark>SuSE/OpenSuSE</trademark> releases come
          preconfigured with syslog-ng and log netfilter messages to
          <filename>/var/log/firewall</filename>.</para>
        </listitem>
        <listitem>
          <para>For other distributions, Netfilter messages are most commonly
          logged to <filename>/var/log/messages</filename>.</para>
        </listitem>
      </itemizedlist>
      <para>Modify the LOGFILE setting in
      <filename>/etc/shorewall/shorewall.conf</filename> to specify the name
      of your log.</para>
      <important>
        <para>The LOGFILE setting does not control where the Netfilter log is
        maintained -- it simply tells the /sbin/<filename>shorewall</filename>
        utility where to find the log.</para>
      </important>
      <para>Now, edit <filename>/etc/shorewall/policy</filename> and modify
      the line that reads:</para>
      <blockquote>
        <para>net all DROP</para>
      </blockquote>
      <para>to</para>
      <blockquote>
        <para>net all DROP <emphasis role="bold">info</emphasis></para>
      </blockquote>
      <para>Then at a root prompt, type:</para>
      <blockquote>
        <para><command>/sbin/shorewall restart</command></para>
      </blockquote>
    </section>
    <section>
      <title>How do I prevent the firewall from forwarding connection
      requests?</title>
      <para>Edit /etc/shorewall/interfaces, and remove the routeback option
      from the interface. e.g., change the line that reads:</para>
      <blockquote>
        <para>net all - dhcp,physical=+<emphasis
        role="bold">,routeback</emphasis>,optional</para>
      </blockquote>
      <para>to</para>
      <blockquote>
        <para>net all - dhcp,physical=+,optional</para>
      </blockquote>
      <para>Then at a root prompt, type:</para>
      <blockquote>
        <para><command>/sbin/shorewall restart</command></para>
      </blockquote>
    </section>
  </section>
 </article>
--- a/docs/Vserver.xml
+++ b/docs/Vserver.xml
@@ -0,0 +1,172 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <article>
  <!--$Id$-->
  <articleinfo>
    <title>Shorewall and Linux-vserver</title>
    <authorgroup>
      <author>
        <firstname>Tom</firstname>
        <surname>Eastep</surname>
      </author>
    </authorgroup>
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
    <copyright>
      <year>2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>
  <section>
    <title>Introduction</title>
    <para>Formal support for Linux-vserver was added in Shorewall 4.4.11
    Beta2. The centerpiece of that support is the
    <firstterm>vserver</firstterm> zone type. Vserver zones have the following
    characteristics:</para>
    <itemizedlist>
      <listitem>
        <para>They are defined on the Linux-vserver host.</para>
      </listitem>
      <listitem>
        <para>The $FW zone is their implicit parent.</para>
      </listitem>
      <listitem>
        <para>Their contents must be defined using the <ulink
        url="manpages/shorewall-hosts.html">shorewall-hosts </ulink>(5) file.
        The <emphasis role="bold">ipsec</emphasis> option may not be
        specified.</para>
      </listitem>
      <listitem>
        <para>They may not appear in the ZONE column of the <ulink
        url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
        (5) file.</para>
      </listitem>
    </itemizedlist>
    <para>If you use these zones, keep in mind that Linux-vserver implements a
    very weak form of network virtualization:</para>
    <itemizedlist>
      <listitem>
        <para>From a networking point of view, vservers live on the host
        system. So if you don't use care, Vserver traffic to/from zone z will
        be controlled by the fw-&gt;z and z-&gt;fw rules and policies rather
        than by vserver-&gt;z and z-&gt;vserver rules and policies.</para>
      </listitem>
      <listitem>
        <para>Outgoing connections from a vserver will not use the Vserver's
        address as the SOURCE IP address unless you configure applications
        running in the Vserver properly. This is especially true for IPv6
        applications. Such connections will appear to come from the $FW zone
        rather than the intended Vserver zone.</para>
      </listitem>
      <listitem>
        <para>While you can define the vservers to be associated with the
        network interface where their IP addresses are added at vserver
        startup time, Shorewall internally associates all vservers with the
        loopback interface (<emphasis role="bold">lo</emphasis>). Here's an
        example of how that association can show up:</para>
        <programlisting>gateway:~# shorewall show zones
 Shorewall 4.4.11-Beta2 Zones at gateway - Fri Jul  2 12:26:30 PDT 2010
 fw (firewall)
 drct (ipv4)
   eth4:+drct_eth4
 loc (ipv4)
   eth4:0.0.0.0/0
 net (ipv4)
   eth1:0.0.0.0/0
 vpn (ipv4)
   tun+:0.0.0.0/0
 dmz (<emphasis role="bold">vserver</emphasis>)
   <emphasis role="bold">lo</emphasis>:70.90.191.124/31
 gateway:~#</programlisting>
      </listitem>
    </itemizedlist>
  </section>
  <section>
    <title>Vserver Zones</title>
    <para>Here is a diagram of the network configuration here at Shorewall.net
    during the summer of 2010:</para>
    <graphic align="center" fileref="images/Network2010a.png" />
    <para>I created a zone for the vservers as follows:</para>
    <para><filename>/etc/shorewall/zones</filename>:</para>
    <programlisting>#ZONE           TYPE            OPTIONS            ...
 fw              firewall
 loc             ip              #Local Zone
 drct:loc        ipv4            #Direct internet access
 net             ipv4            #Internet
 vpn             ipv4            #OpenVPN clients
 <emphasis role="bold">dmz             vserver         #Vservers</emphasis></programlisting>
    <para><filename>/etc/shorewall/hosts</filename>:</para>
    <programlisting>#ZONE   HOST(S)                                 OPTIONS
 drct    eth4:dynamic
 <emphasis role="bold">dmz     eth1:70.90.191.124/31</emphasis></programlisting>
    <para>While the IP addresses 70.90.191.124 and 70.90.191.125 are
    configured on eth1, the actual interface name is irrelevate so long as the
    interface is defined in <ulink
    url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5).
    Shorewall will consider all vserver zones to be associated with the
    loopback interface (<emphasis role="bold">lo</emphasis>).</para>
    <para>Once a vserver zone is defined, it can be used like any other zone
    type.</para>
    <para>Here is the corresponding IPv6 configuration.</para>
    <para><filename>/etc/shorewall6/zones</filename></para>
    <programlisting>#ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
 fw	firewall
 net	ipv6
 loc	ipv6
 vpn	ipv6
 <emphasis role="bold">dmz	vserver</emphasis>
 </programlisting>
    <para><filename>/etc/shorewall6/hosts</filename>:</para>
    <programlisting>#ZONE   HOST(S)                                 OPTIONS
 dmz	sit1:[2001:470:e857:1::/64]</programlisting>
    <para>Note that I choose to place the Vservers on sit1 (the IPv6 net
    interface) rather than on eth1. Again, it really doesn't matter
    much.</para>
  </section>
 </article>
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -20,6 +20,8 @@
    <copyright>
      <year>2002-2006</year>
      <year>2010</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -34,6 +36,13 @@
    </legalnotice>
  </articleinfo>
  <caution>
    <para><emphasis role="bold">This article applies to Shorewall 4.4 and
    later. If you are running a version of Shorewall earlier than Shorewall
    4.3.5 then please see the documentation for that
    release.</emphasis></para>
  </caution>
  <section id="Intro">
    <title>Introduction</title>
@@ -61,6 +70,20 @@
      the blacklists</emphasis>. Blacklists only stop blacklisted hosts from
      connecting to you — they do not stop you or your users from connecting
      to blacklisted hosts .</para>
      <variablelist>
        <varlistentry>
          <term>UPDATE</term>
          <listitem>
            <para>Beginning with Shorewall 4.4.12, you can also blacklist by
            destination address. See <ulink
            url="manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>
            (5) and <ulink url="manpages/shorewall.html">shorewall</ulink> (8)
            for details.</para>
          </listitem>
        </varlistentry>
      </variablelist>
    </important>
    <important>
@@ -161,25 +184,28 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
    Prior to that release, the feature is always enabled.</para>
    <para>Once enabled, dynamic blacklisting doesn't use any configuration
-    parameters but is rather controlled using /sbin/shorewall[-lite]
+    parameters but is rather controlled using /sbin/shorewall[-lite] commands.
-    commands:</para>
+    <emphasis role="bold">Note</emphasis> that <emphasis
    role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
    only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
    later</emphasis>.</para>
    <itemizedlist>
      <listitem>
-        <para>drop <emphasis>&lt;ip address list&gt;</emphasis> - causes
+        <para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
-        packets from the listed IP addresses to be silently dropped by the
+        causes packets from the listed IP addresses to be silently dropped by
        the firewall.</para>
      </listitem>
      <listitem>
        <para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
        causes packets from the listed IP addresses to be rejected by the
        firewall.</para>
      </listitem>
      <listitem>
-        <para>reject <emphasis>&lt;ip address list&gt;</emphasis> - causes
+        <para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
-        packets from the listed IP addresses to be rejected by the
+        re-enables receipt of packets from hosts previously blacklisted by a
        firewall.</para>
      </listitem>
      <listitem>
        <para>allow <emphasis>&lt;ip address list&gt;</emphasis> - re-enables
        receipt of packets from hosts previously blacklisted by a
        <emphasis>drop</emphasis> or <emphasis>reject</emphasis>
        command.</para>
      </listitem>
@@ -188,6 +214,11 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
        <para>save - save the dynamic blacklisting configuration so that it
        will be automatically restored the next time that the firewall is
        restarted.</para>
        <para><emphasis role="bold">Update:</emphasis> Beginning with
        Shorewall 4.4.10, the dynamic blacklist is automatically retained over
        <command>stop/start</command> sequences and over
        <command>restart</command>.</para>
      </listitem>
      <listitem>
@@ -196,19 +227,19 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
      </listitem>
      <listitem>
-        <para>logdrop <emphasis>&lt;ip address list&gt;</emphasis> - causes
+        <para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
-        packets from the listed IP addresses to be dropped and logged by the
+        causes packets from the listed IP addresses to be dropped and logged
-        firewall. Logging will occur at the level specified by the
+        by the firewall. Logging will occur at the level specified by the
        BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
        the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
      </listitem>
      <listitem>
-        <para>logreject <emphasis>&lt;ip address list&gt;</emphasis> - causes
+        <para>logreject [to|from}<emphasis>&lt;ip address list&gt;</emphasis>
-        packets from the listed IP addresses to be rejected and logged by the
+        - causes packets from the listed IP addresses to be rejected and
-        firewall. Logging will occur at the level specified by the
+        logged by the firewall. Logging will occur at the level specified by
-        BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
+        the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
-        the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
+        at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
      </listitem>
    </itemizedlist>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -48,6 +48,17 @@
    before you use them with Shorewall.</para>
  </caution>
  <section>
    <title id="Intro">Introduction</title>
    <para>This article offers hints about how to accomplish common tasks with
    Shorewall. The <ulink url="Introduction.html">Introduction to
    Shorewall</ulink> is required reading for being able to use this article
    effectively. For information about setting up your first Shorewall-based
    firewall, see the <ulink url="GettingStarted.html">Quickstart
    Guides</ulink>.</para>
  </section>
  <section id="Files">
    <title>Files</title>
@@ -111,8 +122,9 @@
        </listitem>
        <listitem>
-          <para><filename>/etc/shorewall/tcrules </filename>- defines marking
+          <para><filename>/etc/shorewall/tcrules </filename>- The file has a
-          of packets for later use by traffic control/shaping or policy
+          rather unfortunate name because it is used to define marking of
          packets for later use by both traffic control/shaping and policy
          routing.</para>
        </listitem>
@@ -201,6 +213,12 @@
          shaping.</para>
        </listitem>
        <listitem>
          <para><filename>/etc/shorewall/secmarks</filename> - Added in
          Shorewall 4.4.13. Attach an SELinux context to selected
          packets.</para>
        </listitem>
        <listitem>
          <para><filename>/etc/shorewall/vardir</filename> - Determines the
          directory where Shorewall maintains its state.</para>
@@ -278,6 +296,30 @@ ACCEPT  net     $FW      tcp     www     #This is an end-of-line comment</progra
    </example>
  </section>
  <section id="Names">
    <title>Names</title>
    <para>When you define an object in Shorewall (<ulink
    url="manpages/shorewall-zones.html">Zone</ulink>, <link
    linkend="Logical">Logical Interface</link>, <ulink
    url="ipsets.html">ipsets</ulink>, <ulink
    url="Actions.html">Actions</ulink>, etc., you give it a name. Shorewall
    names start with a letter and consist of letters, digits or underscores
    ("_"). Except for Zone names, Shorewall does not impose a limit on name
    length.</para>
    <para>When an ipset is referenced, the name must be preceded by a plus
    sign ("+").</para>
    <para>The last character of an interface may also be a plus sign to
    indicate a wildcard name.</para>
    <para>Physical interface names match names shown by 'ip link ls'; if the
    name includes an at sign ("@"), do not include that character or any
    character that follows. For example, "sit1@NONE" is referred to as simply
    'sit1".</para>
  </section>
  <section id="COMMENT">
    <title>Attach Comment to Netfilter Rules</title>
@@ -307,6 +349,10 @@ ACCEPT  net     $FW      tcp     www     #This is an end-of-line comment</progra
        <para><filename>/etc/shorewall/rules</filename></para>
      </listitem>
      <listitem>
        <para><filename>/etc/shorewall/secmarks</filename></para>
      </listitem>
      <listitem>
        <para><filename>/etc/shorewall/tcrules</filename></para>
      </listitem>
@@ -384,7 +430,7 @@ gateway:~ #
 COMMENT SSH
 PARAM   -      -     tcp   22 </programlisting>
    <filename>/etc/shorewall/rules</filename>:<programlisting>COMMENT Allow SSH from home
-SSH/ALLOW    net:$MYIP      $FW
+SSH(ACCEPT)    net:$MYIP      $FW
 COMMENT</programlisting>The comment line in macro.SSH will not override the
    COMMENT line in the rules file and the generated rule will show <emphasis
    role="bold">/* Allow SSH from home */</emphasis> when displayed through
@@ -474,8 +520,9 @@ ACCEPT      net:\
      <listitem>
        <para>ADDRESS LIST — A list of one or more addresses (host or network)
        or address ranges, separated by commas. In an IPv6 configuration, this
-        list must be includes in angled brackets ("&lt;...&gt;"). The list may
+        list must be includef in square or angled brackets ("[...]" or
-        have <link linkend="Exclusion">exclusion</link>.</para>
+        "&lt;...&gt;"). The list may have <link
        linkend="Exclusion">exclusion</link>.</para>
      </listitem>
    </orderedlist>
@@ -514,7 +561,7 @@ ACCEPT      net:\
      <listitem>
        <para>Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the <emphasis
        role="bold">loc</emphasis> zone — <emphasis
-        role="bold">loc:&lt;2002:ce7c:92b4:1:a00:27ff:feb1:46a9&gt;</emphasis></para>
+        role="bold">loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para>
      </listitem>
    </orderedlist>
  </section>
@@ -738,9 +785,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
      </listitem>
      <listitem>
-        <para>Should not depend on where the code is called from (the params
+        <para>Should not depend on where the code is called from.</para>
        file is sourced by both /sbin/shorewall and
        /usr/lib/shorewall/firewall).</para>
      </listitem>
      <listitem>
@@ -1306,7 +1351,7 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
    <para>Beginning with Shorewall 4.4.4, you can use logical interface names
    which are mapped to the actual interface using the
    <option>physical</option> option in <ulink
-    url="manpages/shorewall-interfaces.html">shorewall-interfraces</ulink>
+    url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
    (5).</para>
    <para>Here is an example:</para>
--- a/docs/images/MarkGeometry.dia
+++ b/docs/images/MarkGeometry.dia
--- a/docs/images/MarkGeometry.png
+++ b/docs/images/MarkGeometry.png
--- a/docs/images/Network2010a.dia
+++ b/docs/images/Network2010a.dia
--- a/docs/images/Network2010a.png
+++ b/docs/images/Network2010a.png
--- a/Show More
+++ b/Show More
`@@ -1 +1,2 @@`
	`There are no known problems in Shorewall 4.4.9`	`1) On systems running Upstart, shorewall-init cannot reliably start the`
		`firewall before interfaces are brought up.`