Add IP_FORWARDING=On to FAQ 1g

Clarify that Mac support requires Shorewall 4.4.9)
Modify first attempts to allow installaton on a Mac
2010-05-07 08:48:26 -07:00 · 2010-05-06 12:47:13 -07:00 · 2010-05-06 11:23:14 -07:00 · 2010-05-06 09:01:26 -07:00 · 2010-05-06 08:17:17 -07:00
114 changed files with 1507 additions and 5537 deletions
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -70,8 +70,6 @@ TC=

 IPSET=

-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 SHOREWALL_SHELL=/bin/sh
@@ -207,10 +205,6 @@ OPTIMIZE_ACCOUNTING=No

 LOAD_HELPERS_ONLY=Yes

-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -70,8 +70,6 @@ TC=

 IPSET=

-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 SHOREWALL_SHELL=/bin/sh
@@ -207,10 +205,6 @@ OPTIMIZE_ACCOUNTING=No

 LOAD_HELPERS_ONLY=Yes

-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -77,8 +77,6 @@ TC=

 IPSET=

-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 SHOREWALL_SHELL=/bin/sh
@@ -214,10 +212,6 @@ OPTIMIZE_ACCOUNTING=No

 LOAD_HELPERS_ONLY=Yes

-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -58,8 +58,6 @@ SMURF_LOG_LEVEL=info

 IP6TABLES=

-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 SHOREWALL_SHELL=/bin/sh
@@ -155,10 +153,6 @@ OPTIMIZE_ACCOUNTING=No

 LOAD_HELPERS_ONLY=Yes

-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
 ##############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -58,8 +58,6 @@ SMURF_LOG_LEVEL=info

 IP6TABLES=

-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 SHOREWALL_SHELL=/bin/sh
@@ -155,10 +153,6 @@ OPTIMIZE_ACCOUNTING=No

 LOAD_HELPERS_ONLY=Yes

-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -58,8 +58,6 @@ SMURF_LOG_LEVEL=info

 IP6TABLES=

-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 SHOREWALL_SHELL=/bin/sh
@@ -155,10 +153,6 @@ OPTIMIZE_ACCOUNTING=No

 LOAD_HELPERS_ONLY=Yes

-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall-init/COPYING
+++ b/Shorewall-init/COPYING
@@ -1,340 +0,0 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-			    Preamble
-
-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
-
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
-
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
-
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
-
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
-
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-			    NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) 19yy  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) 19yy name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
-Public License instead of this License.
--- a/Shorewall-init/README.txt
+++ b/Shorewall-init/README.txt
@@ -1 +0,0 @@
-This is the Shorewall-init stable 4.4 branch of Git.
--- a/Shorewall-init/ifupdown.sh
+++ b/Shorewall-init/ifupdown.sh
@@ -1,100 +0,0 @@
-#!/bin/sh
-#
-# ifupdown script for Shorewall-based products
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-
-IFUPDOWN=0
-PRODUCTS=
-
-if [ -f /etc/default/shorewall-init ]; then
-    . /etc/default/shorewall-init
-elif [ -f /etc/sysconfig/shorewall-init ]; then
-    . /etc/sysconfig/shorewall-init
-fi
-
-[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
-
-if [ -f /etc/debian_version ]; then
-    #
-    # Debian ifupdown system
-    #
-    if [ "$MODE" = start ]; then
-	COMMAND=up
-    elif [ "$MODE" = stop ]; then
-	COMMAND=down
-    else
-	exit 0
-    fi
-
-    case "$PHASE" in
-	pre-*)
-	    exit 0
-	    ;;
-    esac
-elif [ -f /etc/SuSE-release ]; then
-    #
-    # SuSE ifupdown system
-    #
-    IFACE="$2"
-
-    case $0 in
-	*if-up.d*)
-	    COMMAND=up
-	    ;;
-	*if-down.d*)
-	    COMMAND=down
-	    ;;
-	*)
-	    exit 0
-	    ;;
-    esac
-else
-    #
-    # Assume RedHat/Fedora/CentOS/Foobar/...
-    #
-    IFACE="$1"
-    
-    case $0 in 
-	*ifup*)
-	    COMMAND=up
-	    ;;
-	*ifdown*)
-	    COMMAND=down
-	    ;;
-	*dispatcher.d*)
-	    COMMAND="$2"
-	    ;;
-	*)
-	    exit 0
-	    ;;
-    esac
-fi
-
-for PRODUCT in $PRODUCTS; do
-    VARDIR=/var/lib/$PRODUCT
-    [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
-    if [ -x $VARDIR/firewall ]; then
-	$VARDIR/firewall -V0 $COMMAND $IFACE
-    fi
-done
-
-exit 0
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -1,129 +0,0 @@
-#!/bin/sh
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       On most distributions, this file should be called /etc/init.d/shorewall.
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-### BEGIN INIT INFO
-# Provides:          shorewall-init
-# Required-Start:    $local_fs
-# X-Start-Before:    $network
-# Required-Stop:     $local_fs
-# X-Stop-After:      $network
-# Default-Start:     S
-# Default-Stop:      0 6
-# Short-Description: Initialize the firewall at boot time
-# Description:       Place the firewall in a safe state at boot time prior to
-#                    bringing up the network
-### END INIT INFO
-
-export VERBOSITY=0
-
-if [ "$(id -u)" != "0" ]
-then
-  echo "You must be root to start, stop or restart \"Shorewall \"."
-  exit 1
-fi
-
-echo_notdone () {
-  echo "not done."
-  exit 1
-}
-
-not_configured () {
-	echo "#### WARNING ####"
-	echo "the firewall won't be initialized unless it is configured"
-	if [ "$1" != "stop" ]
-	then
-		echo ""
-		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall-init/README.Debian.gz."
-	fi
-	echo "#################"
-	exit 0
-}
-
-# check if shorewall-init is configured or not
-if [ -f "/etc/default/shorewall-init" ]
-then
-	. /etc/default/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		not_configured
-	fi
-else
-	not_configured
-fi
-
-# Initialize the firewall
-shorewall_start () {
-  local product
-  local VARDIR
-
-  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall stop || echo_notdone
-      fi
-  done
-
-  echo "done."
-
-  return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-  local product
-  local VARDIR
-
-  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || echo_notdone
-      fi
-  done
-
-  echo "done."
-
-  return 0
-}
-
-case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  reload|force-reload)
-     ;;
-  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop|reload|force-reload}"
-     exit 1
-esac
-
-exit 0
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -1,102 +0,0 @@
-#! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       On most distributions, this file should be called /etc/init.d/shorewall.
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# chkconfig: - 09 91
-#
-### BEGIN INIT INFO
-# Provides: shorewall-init
-# Required-start: $local_fs
-# Required-stop:  $local_fs
-# Default-Start:  2 3 5
-# Default-Stop:
-# Short-Description: Initialize the firewall at boot time
-# Description:       Place the firewall in a safe state at boot time
-#                    prior to bringing up the network.  
-### END INIT INFO
-
-if [ "$(id -u)" != "0" ]
-then
-  echo "You must be root to start, stop or restart \"Shorewall \"."
-  exit 1
-fi
-
-# check if shorewall-init is configured or not
-if [ -f "/etc/sysconfig/shorewall-init" ]
-then
-	. /etc/sysconfig/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		exit 0
-	fi
-else
-	exit 0
-fi
-
-# Initialize the firewall
-shorewall_start () {
-  local product
-  local vardir
-
-  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      vardir=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir 
-      if [ -x ${vardir}/firewall ]; then
-	  ${vardir}/firewall stop || exit 1
-      fi
-  done
-
-  return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-  local product
-  local vardir
-
-  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      vardir=/var/lib/$PRODUCT
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir 
-      if [ -x ${vardir}/firewall ]; then
-	  ${vardir}/firewall clear || exit 1
-      fi
-  done
-
-  return 0
-}
-
-case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
-     exit 1
-esac
-
-exit 0
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -1,336 +0,0 @@
-#!/bin/sh
-#
-# Script to install Shoreline Firewall Init
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
-#     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
-#
-#       Shorewall documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-
-VERSION=4.4.11.1
-
-usage() # $1 = exit status
-{
-    ME=$(basename $0)
-    echo "usage: $ME"
-    echo "       $ME -v"
-    echo "       $ME -h"
-    exit $1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-run_install()
-{
-    if ! install $*; then
-	echo
-	echo "ERROR: Failed to install $*" >&2
-	exit 1
-    fi
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
-install_file() # $1 = source $2 = target $3 = mode
-{
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
-}
-
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
-#
-# Parse the run line
-#
-# DEST is the SysVInit script directory
-# INIT is the name of the script in the $DEST directory
-# ARGS is "yes" if we've already parsed an argument
-#
-ARGS=""
-
-if [ -z "$DEST" ] ; then
-	DEST="/etc/init.d"
-fi
-
-if [ -z "$INIT" ] ; then
-	INIT="shorewall-init"
-fi
-
-while [ $# -gt 0 ] ; do
-    case "$1" in
-	-h|help|?)
-	    usage 0
-	    ;;
-        -v)
-	    echo "Shorewall Init Installer Version $VERSION"
-	    exit 0
-	    ;;
-	*)
-	    usage 1
-	    ;;
-    esac
-    shift
-    ARGS="yes"
-done
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-#
-# Determine where to install the firewall script
-#
-
-case $(uname) in
-    Darwin)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=wheel
-	T=
-	;;	
-    *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
-	;;
-esac
-
-OWNERSHIP="-o $OWNER -g $GROUP"
-
-if [ -n "$DESTDIR" ]; then
-    if [ `id -u` != 0 ] ; then
-	echo "Not setting file owner/group permissions, not running as root."
-	OWNERSHIP=""
-    fi
-    
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-elif [ -f /etc/debian_version ]; then
-    DEBIAN=yes
-elif [ -f /etc/SuSE-release ]; then
-    SUSE=Yes
-elif [ -f /etc/slackware-version ] ; then
-    echo "Shorewall-init is currently not supported on Slackware" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="rc.firewall"
-elif [ -f /etc/arch-release ] ; then
-    echo "Shorewall-init is currently not supported on Arch Linux" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="shorewall-init"
-#   ARCHLINUX=yes
-elif [ -d /etc/sysconfig/network-scripts/ ]; then
-    #
-    # Assume RedHat-based
-    #
-    REDHAT=Yes
-else
-    echo "Unknown distribution: Shorewall-init support is not available" >&2
-    exit 1
-fi
-
-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
-echo "Installing Shorewall Init Version $VERSION"
-
-#
-# Check for /usr/share/shorewall-init/version
-#
-if [ -f ${DESTDIR}/usr/share/shorewall-init/version ]; then
-    first_install=""
-else
-    first_install="Yes"
-fi
-
-#
-# Install the Init Script
-#
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-#elif [ -n "$ARCHLINUX" ]; then
-#    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
-fi
-
-echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
-
-#
-# Create /usr/share/shorewall-init if needed
-#
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
-chmod 755 ${DESTDIR}/usr/share/shorewall-init
-
-#
-# Create the version file
-#
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
-
-#
-# Remove and create the symbolic link to the init script
-#
-if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-init/init
-    ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
-fi
-
-if [ -n "$DEBIAN" ]; then
-    if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
-    fi
-
-    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
-	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}/etc/default
-	fi
-
-	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
-    fi
-else
-    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}/etc/sysconfig
-
-	if [ -z "$RPM" ]; then
-	    if [ -n "$SUSE" ]; then
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
-	    else
-		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
-	    fi
-	fi
-    fi
-
-    if [ -d ${DESTDIR}/etc/sysconfig -a ! -f ${DESTDIR}/etc/sysconfig/shorewall-init ]; then
-	install_file sysconfig ${DESTDIR}/etc/sysconfig/shorewall-init 0644
-    fi 
-fi
-
-#
-# Install the ifupdown script
-#
-
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
-
-install_file ifupdown.sh ${DESTDIR}/usr/share/shorewall-init/ifupdown 0544
-
-if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
-fi
-
-if [ -n "$DEBIAN" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
-elif [ -n "$SUSE" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
-elif [ -n "$REDHAT" ]; then
-    if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
-	echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
-    else
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
-    fi
-fi
-
-if [ -z "$DESTDIR" ]; then
-    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall-init
-	    else
-		ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
-	    fi
-
-	    echo "Shorewall Init will start automatically at boot"
-	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/shorewall-init ; then
-		    echo "Shorewall Init will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add shorewall-init ; then
-		    echo "Shorewall Init will start automatically in run levels as follows:"
-		    chkconfig --list shorewall-init
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add shorewall-init default; then
-		    echo "Shorewall Init will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
-		cant_autostart
-	    fi
-	fi
-    fi
-else
-    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
-	    if [ -n "${DESTDIR}" ]; then
-		mkdir -p ${DESTDIR}/etc/rcS.d
-	    fi
-
-	    ln -sf ../init.d/shorewall-init ${DESTDIR}/etc/rcS.d/S38shorewall-init
-	    echo "Shorewall Init will start automatically at boot"
-	fi
-    fi
-fi
-
-#
-#  Report Success
-#
-echo "shorewall Init Version $VERSION Installed"
--- a/Shorewall-init/shorewall-init.spec
+++ b/Shorewall-init/shorewall-init.spec
@@ -1,130 +0,0 @@
-%define name shorewall-init
-%define version 4.4.11
-%define release 1
-
-Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
-Name: %{name}
-Version: %{version}
-Release: %{release}
-License: GPLv2
-Packager: Tom Eastep <teastep@shorewall.net>
-Group: Networking/Utilities
-Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
-BuildArch: noarch
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-Requires: shoreline_firewall >= 4.4.10
-
-%description
-
-The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
-(iptables) based firewall that can be used on a dedicated firewall system,
-a multi-function gateway/ router/server or on a standalone GNU/Linux system.
-
-Shorewall Init is a companion product to Shorewall that allows for tigher
-control of connections during boot and that integrates Shorewall with
-ifup/ifdown and NetworkManager.
-
-%prep
-
-%setup
-
-%build
-
-%install
-export DESTDIR=$RPM_BUILD_ROOT ; \
-export OWNER=`id -n -u` ; \
-export GROUP=`id -n -g` ;\
-./install.sh
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%post
-
-if [ $1 -eq 1 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv /etc/rc.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --add shorewall-init;
-    fi
-fi
-
-if [ -f /etc/SuSE-release ]; then
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-up.d/shorewall
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-down.d/shorewall
-else
-    if [ -f /sbin/ifup-local -o -f /sbin/ifdown-local ]; then
-	if ! grep -q Shorewall /sbin/ifup-local || ! grep -q Shorewall /sbin/ifdown-local; then
-	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; ifup/ifdown events will not be handled" >&2
-	else
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-	fi
-    else
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-    fi
-
-    if [ -d /etc/NetworkManager/dispatcher.d/ ]; then
-	cp -pf /usr/share/shorewall-init/ifupdown /etc/NetworkManager/dispatcher.d/01-shorewall
-    fi
-fi
-
-%preun
-
-if [ $1 -eq 0 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv -r /etc/init.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --del shorewall-init
-    fi
-
-    [ -f /sbin/ifup-local ]   && grep -q Shorewall /sbin/ifup-local   && rm -f /sbin/ifup-local
-    [ -f /sbin/ifdown-local ] && grep -q Shorewall /sbin/ifdown-local && rm -f /sbin/ifdown-local
-
-    rm -f /etc/NetworkManager/dispatcher.d/01-shorewall
-fi
-
-%files
-%defattr(0644,root,root,0755)
-%attr(0644,root,root) %config(noreplace) /etc/sysconfig/shorewall-init
-
-%attr(0544,root,root) /etc/init.d/shorewall-init
-%attr(0755,root,root) %dir /usr/share/shorewall-init
-
-%attr(0644,root,root) /usr/share/shorewall-init/version
-%attr(0544,root,root) /usr/share/shorewall-init/ifupdown
-
-%doc COPYING changelog.txt releasenotes.txt
-
-%changelog
-* Wed Jul 14 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Tue May 18 2010 Tom Eastep tom@shorewall.net
- Initial version
-
-
-
--- a/Shorewall-init/sysconfig
+++ b/Shorewall-init/sysconfig
@@ -1,12 +0,0 @@
-# List the Shorewall products that Shorewall-init is to
-# initialize (space-separated list).
-#
-# Sample: PRODUCTS="shorewall shorewall6"
-#
-PRODUCTS=""
-
-#
-# Set this to 1 if you want Shorewall-init to react to 
-# ifup/ifdown and NetworkManager events
-#
-IFUPDOWN=0
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,97 +0,0 @@
-#!/bin/sh
-#
-# Script to back uninstall Shoreline Firewall
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://shorewall.sourceforge.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#    Usage:
-#
-#       You may only use this script to uninstall the version
-#       shown below. Simply run this script to remove Shorewall Firewall
-
-VERSION=4.4.11.1
-
-usage() # $1 = exit status
-{
-    ME=$(basename $0)
-    echo "usage: $ME"
-    exit $1
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
-
-if [ -f /usr/share/shorewall-init/version ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall-init/version)"
-    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
-	echo "         and this is the $VERSION uninstaller."
-	VERSION="$INSTALLED_VERSION"
-    fi
-else
-    echo "WARNING: Shorewall Init Version $VERSION is not installed"
-    VERSION=""
-fi
-
-echo "Uninstalling Shorewall Init $VERSION"
-
-INITSCRIPT=/etc/init.d/shorewall-init
-
-if [ -n "$INITSCRIPT" ]; then
-    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-        insserv -r $INITSCRIPT
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-	chkconfig --del $(basename $INITSCRIPT)
-    else
-	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
-    fi
-
-    remove_file $INITSCRIPT
-fi
-
-[ "$(readlink -m -q /sbin/ifup-local)"   = /usr/share/shorewall-init ] && remove_file /sbin/ifup-local
-[ "$(readlink -m -q /sbin/ifdown-local)" = /usr/share/shorewall-init ] && remove_file /sbin/ifdown-local
-
-remove_file /etc/default/shorewall-init
-remove_file /etc/sysconfig/shorewall-init
-
-remove_file /etc/NetworkManager/dispatcher.d/01-shorewall
-
-remove_file /etc/network/if-up.d/shorewall
-remove_file /etc/network/if-down.d/shorewall
-
-remove_file /etc/sysconfig/network/if-up.d/shorewall
-remove_file /etc/sysconfig/network/if-down.d/shorewall
-
-rm -rf /usr/share/shorewall-init
-
-echo "Shorewall Init Uninstalled"
-
-
--- a/Shorewall-lite/default.debian
+++ b/Shorewall-lite/default.debian
@@ -26,11 +26,4 @@ OPTIONS=""
 #
 INITLOG=/dev/null

-#
-# Set this to 1 to cause '/etc/init.d/shorewall-lite stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -88,11 +88,7 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
  echo -n "Stopping \"Shorewall firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
-      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
+  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.11.1
+VERSION=4.4.9

 usage() # $1 = exit status
 {
@@ -82,16 +82,15 @@ delete_file() # $1 = file to delete

 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    run_install $OWNERSHIP -m $3 $1 ${2}
 }

-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
+# RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -104,6 +103,10 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall-lite"
 fi

+if [ -z "$RUNLEVELS" ] ; then
+	RUNLEVELS=""
+fi
+
 while [ $# -gt 0 ] ; do
    case "$1" in
 	-h|help|?)
@@ -128,12 +131,10 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 DEBIAN=
 CYGWIN=
-INSTALLD='-D'
-T='-T'

 case $(uname) in
    CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -141,10 +142,6 @@ case $(uname) in
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-    Darwin)
-	INSTALLD=
-	T=
-	;;	   
    *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -153,14 +150,14 @@ esac

 OWNERSHIP="-o $OWNER -g $GROUP"

-if [ -n "$DESTDIR" ]; then
+if [ -n "$PREFIX" ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
    fi
    
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
+    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
    DEBIAN=yes
 elif [ -f /etc/slackware-version ] ; then
@@ -182,185 +179,170 @@ echo "Installing Shorewall Lite Version $VERSION"
 #
 # Check for /etc/shorewall-lite
 #
-if [ -z "$DESTDIR" -a -d /etc/shorewall-lite ]; then
+if [ -z "$PREFIX" -a -d /etc/shorewall-lite ]; then
    [ -f /etc/shorewall-lite/shorewall.conf ] && \
 	mv -f /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall-lite.conf
 else
-    rm -rf ${DESTDIR}/etc/shorewall-lite
-    rm -rf ${DESTDIR}/usr/share/shorewall-lite
-    rm -rf ${DESTDIR}/var/lib/shorewall-lite
+    rm -rf ${PREFIX}/etc/shorewall-lite
+    rm -rf ${PREFIX}/usr/share/shorewall-lite
+    rm -rf ${PREFIX}/var/lib/shorewall-lite
 fi

 #
 # Check for /sbin/shorewall-lite
 #
-if [ -f ${DESTDIR}/sbin/shorewall-lite ]; then
+if [ -f ${PREFIX}/sbin/shorewall-lite ]; then
    first_install=""
 else
    first_install="Yes"
 fi

-delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
+delete_file ${PREFIX}/usr/share/shorewall-lite/xmodules

-install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
+install_file shorewall-lite ${PREFIX}/sbin/shorewall-lite 0544 ${PREFIX}/var/lib/shorewall-lite-${VERSION}.bkout

-echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
+echo "Shorewall Lite control program installed in ${PREFIX}/sbin/shorewall-lite"

 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh /etc/init.d/shorewall-lite 0544
+    install_file init.debian.sh /etc/init.d/shorewall-lite 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout

 else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 fi

-echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
+echo  "Shorewall Lite script installed in ${PREFIX}${DEST}/$INIT"

 #
 # Create /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall-lite
-mkdir -p ${DESTDIR}/usr/share/shorewall-lite
-mkdir -p ${DESTDIR}/var/lib/shorewall-lite
+mkdir -p ${PREFIX}/etc/shorewall-lite
+mkdir -p ${PREFIX}/usr/share/shorewall-lite
+mkdir -p ${PREFIX}/var/lib/shorewall-lite

-chmod 755 ${DESTDIR}/etc/shorewall-lite
-chmod 755 ${DESTDIR}/usr/share/shorewall-lite
+chmod 755 ${PREFIX}/etc/shorewall-lite
+chmod 755 ${PREFIX}/usr/share/shorewall-lite

-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
 fi

 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf ]; then
-   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${DESTDIR}/etc/shorewall-lite
-   echo "Config file installed as ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf"
+if [ ! -f ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf ]; then
+   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf
+   echo "Config file installed as ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf"
 fi

 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall-lite/shorewall.conf
 fi

 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall-lite
-echo "Makefile installed as ${DESTDIR}/etc/shorewall-lite/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall-lite/Makefile
+echo "Makefile installed as ${PREFIX}/etc/shorewall-lite/Makefile"

 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall-lite/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall-lite/configpath"
+install_file configpath ${PREFIX}/usr/share/shorewall-lite/configpath 0644
+echo "Default config path file installed as ${PREFIX}/usr/share/shorewall-lite/configpath"

 #
 # Install the libraries
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
+	install_file $f ${PREFIX}/usr/share/shorewall-lite/$f 0644
+	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall-lite/$f"
    fi
 done

-ln -sf lib.base ${DESTDIR}/usr/share/shorewall-lite/functions
+ln -sf lib.base ${PREFIX}/usr/share/shorewall-lite/functions

-echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functions"
+echo "Common functions linked through ${PREFIX}/usr/share/shorewall-lite/functions"

 #
 # Install Shorecap
 #

-install_file shorecap ${DESTDIR}/usr/share/shorewall-lite/shorecap 0755
+install_file shorecap ${PREFIX}/usr/share/shorewall-lite/shorecap 0755

 echo
-echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall-lite/shorecap"
+echo "Capability file builder installed in ${PREFIX}/usr/share/shorewall-lite/shorecap"

 #
 # Install wait4ifup
 #

-if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}/usr/share/shorewall-lite/wait4ifup 0755
+install_file wait4ifup ${PREFIX}/usr/share/shorewall-lite/wait4ifup 0755

-    echo
-    echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall-lite/wait4ifup"
-fi
+echo
+echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall-lite/wait4ifup"

 #
 # Install the Modules file
 #
-
-if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall-lite
-    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
-fi
+run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall-lite/modules
+echo "Modules file installed as ${PREFIX}/usr/share/shorewall-lite/modules"

 #
 # Install the Man Pages
 #

-if [ -d manpages ]; then
-    cd manpages
+cd manpages

-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
+for f in *.5; do
+    gzip -c $f > $f.gz
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man5/$f.gz"
+done

-    for f in *.5; do
-	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
-    done
+for f in *.8; do
+    gzip -c $f > $f.gz
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man8/$f.gz"
+done

-    for f in *.8; do
-	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
-    done
+cd ..

-    cd ..
+echo "Man Pages Installed"

-    echo "Man Pages Installed"
-fi
-
-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall-lite
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall-lite"
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall-lite
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall-lite"
 fi


 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-lite/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-lite/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall-lite/version
+chmod 644 ${PREFIX}/usr/share/shorewall-lite/version
 #
 # Remove and create the symbolic link to the init script
 #

-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
    rm -f /usr/share/shorewall-lite/init
    ln -s ${DEST}/${INIT} /usr/share/shorewall-lite/init
 fi

-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
    touch /var/log/shorewall-lite-init.log

    if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
-
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall-lite
-	    else
-		ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
-	    fi
-
+	    ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
 	    echo "Shorewall Lite will start automatically at boot"
 	else
 	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -352,7 +352,7 @@ usage() # $1 = exit status
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
-    echo "   clear"
+    echo "   clear [ -f ]"
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   drop <address> ..."
    echo "   dump [ -x ]"
@@ -383,62 +383,13 @@ usage() # $1 = exit status
    echo "   show vardir"
    echo "   show zones"
    echo "   start [ -f ] [ -p ] [ <directory> ]"
-    echo "   stop"
+    echo "   stop [ -f ]"
    echo "   status"
    echo "   version [ -a ]"
    echo
    exit $1
 }

-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-    local product
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-    
-    if [ -n "$all" ]; then
-	for product in shorewall shorewall6 shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
 #
 # Execution begins here
 #
@@ -631,15 +582,11 @@ case "$COMMAND" in
    stop|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
+	run_it $g_firewall $debugging $nolock $COMMAND
 	;;
    reset)
 	verify_firewall_script
-	[ -n "$nolock" ] || mutex_on
-	run_it $SHOREWALL_SHELL $g_firewall $debugging $@
-	[ -n "$nolock" ] || mutex_off
+	run_it $SHOREWALL_SHELL $g_firewall $debugging $nolock $@
 	;;
    restart)
 	shift
@@ -665,7 +612,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -686,8 +633,7 @@ case "$COMMAND" in
 	hits_command $@
 	;;
    version)
-	shift
-	version_command $@
+	echo $SHOREWALL_VERSION Lite
 	;;
    logwatch)
 	logwatch_command $@
@@ -781,9 +727,14 @@ case "$COMMAND" in
 	g_restorepath=${VARDIR}/$RESTOREFILE

 	if [ -x $g_restorepath ]; then
+
+	    if [ -x ${g_restorepath}-ipsets ]; then
+		rm -f ${g_restorepath}-ipsets
+		echo "    ${g_restorepath}-ipsets removed"
+	    fi
+
 	    rm -f $g_restorepath
 	    rm -f ${g_restorepath}-iptables
-	    rm -f ${g_restorepath}-ipsets
 	    echo "    $g_restorepath removed"
 	elif [ -f $g_restorepath ]; then
 	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.11
-%define release 1
+%define version 4.4.9
+%define release 0base

 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute
-Provides: shoreline_firewall = %{version}-%{release}

 %description

@@ -32,7 +31,7 @@ administrators to centralize the configuration of Shorewall-based firewalls.
 %build

 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -102,34 +101,6 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
-* Wed Jul 14 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta1
 * Mon May 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0base
 * Sun May 02 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.11.1
+VERSION=4.4.9

 usage() # $1 = exit status
 {
@@ -79,7 +79,7 @@ if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
 fi

 if [ -L /usr/share/shorewall-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall-lite/init)
+    FIREWALL=$(ls -l /usr/share/shorewall-lite/init | sed 's/^.*> //')
 else
    FIREWALL=/etc/init.d/shorewall-lite
 fi
--- a/Shorewall/Makefile-lite
+++ b/Shorewall/Makefile-lite
@@ -23,10 +23,10 @@
 # to the name of the remote firewall corresponding to the directory.
 #
 #	To make the 'firewall' script, type "make".
-#
+# 
 #	Once the script is compiling correctly, you can install it by
 #	typing "make install".
-#
+#  
 ################################################################################
 #                             V A R I A B L E S
 #
@@ -55,7 +55,7 @@ all: firewall
 #
 # Only generate the capabilities file if it doesn't already exist
 #
-capabilities:
+capabilities: 
 	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
 	scp root@$(HOST):$(LITEDIR)/capabilities .
 #
@@ -78,5 +78,5 @@ save:
 #
 # Remove generated files
 #
-clean:
+clean: 
 	rm -f capabilities firewall firewall.conf reload
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -28,7 +28,6 @@ require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
-use Shorewall::IPAddrs;

 use strict;

@@ -58,7 +57,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_9';

 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -777,8 +776,8 @@ sub dropBcast( $$$ ) {
 	    if ( $family == F_IPV4 ) {
 		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
 	    } else {
-		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
-	    }
+		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d ff00::/10 -j DROP ';
+	    }		
 	}

 	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
@@ -802,7 +801,7 @@ sub dropBcast( $$$ ) {
    if ( $family == F_IPV4 ) {
 	add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
    } else {
-	add_rule $chainref, join( ' ', '-d', IPv6_MULTICAST, '-j DROP' );
+	add_rule $chainref, '-d ff00::/10 -j DROP';
    }
 }

@@ -834,8 +833,8 @@ sub allowBcast( $$$ ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 	    add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
 	} else {
-	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
-	    add_rule $chainref, join ( ' ', '-d', IPv6_MULTICAST, '-j ACCEPT' );
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
+	    add_rule $chainref, '-d ff00:/10 -j ACCEPT';
 	}
    }
 }
@@ -869,8 +868,7 @@ sub allowInvalid ( $$$ ) {
 }

 sub forwardUPnP ( $$$ ) {
-    my $chainref = dont_optimize 'forwardUPnP';
-    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
+    dont_optimize 'forwardUPnP';
 }

 sub allowinUPnP ( $$$ ) {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -86,6 +86,7 @@ our %EXPORT_TAGS = (
 				       clear_comment
 				       incr_cmd_level
 				       decr_cmd_level
+				       chain_base
 				       forward_chain
 				       rules_chain
 				       zone_forward_chain
@@ -161,8 +162,6 @@ our %EXPORT_TAGS = (
 				       get_interface_mac
 				       have_global_variables
 				       set_global_variables
-				       save_dynamic_chains
-				       load_ipsets
 				       create_netfilter_load
 				       preview_netfilter_load
 				       create_chainlist_reload
@@ -175,7 +174,7 @@ our %EXPORT_TAGS = (

 Exporter::export_ok_tags('internal');

-our $VERSION = '4.4_11';
+our $VERSION = '4.4_9';

 #
 # Chain Table
@@ -213,7 +212,7 @@ our $VERSION = '4.4_11';
 #                 }
 #
 #       'provisional' only applies to policy chains; when true, indicates that this is a provisional policy chain which might be
-#       replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1 as are intra-zone
+#       replaced. Policy chains created under the IMPLICIT_CONTINUE=Yes option are marked with provisional == 1 as are intra-zone 
 #       ACCEPT policies.
 #
 #       Only 'referenced' chains get written to the iptables-restore input.
@@ -631,7 +630,7 @@ sub insert_rule($$$) {
 # the target in the second argument. The third argument determines if a GOTO may be
 # used rather than a jump. The optional fourth argument specifies any matches to be
 # included in the rule and must end with a space character if it is non-null. The
-# optional 5th argument causes long port lists to be split. The optional 6th
+# optional 5th argument causes long port lists to be split. The optional 6th 
 # argument, if passed, gives the 0-relative index where the jump is to be inserted.
 #
 sub add_jump( $$$;$$$ ) {
@@ -650,7 +649,7 @@ sub add_jump( $$$;$$$ ) {
 	#
 	# Ensure that we have the chain unless it is a builtin like 'ACCEPT'
 	#
-	$toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{$to} || $to =~ / --/; #If the target has options, it must be a builtin.
+	$toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{$to} || $to =~ / --/; #If the target has options, it must be a builtin. 
    }

    #
@@ -737,15 +736,6 @@ sub adjust_reference_counts( $$$ ) {
    }
 }

-#
-# Adjust reference counts after copying a jump with target $toref to chain $chain
-#
-sub increment_reference_count( $$ ) {
-    my ($toref, $chain) = @_;
-
-    $toref->{references}{$chain}++ if $toref;
-}
-
 #
 # Move the rules from one chain to another
 #
@@ -761,7 +751,7 @@ sub move_rules( $$ ) {
 	my $name2    = $chain2->{name};
 	my $rules    = $chain2->{rules};
 	my $count    = @{$chain1->{rules}};
-	my $tableref = $chain_table{$chain1->{table}};
+	my $tableref = $chain_table{$chain1->{table}}; 
 	#
 	# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
 	#
@@ -769,7 +759,7 @@ sub move_rules( $$ ) {

 	for ( @{$chain1->{rules}} ) {
 	    adjust_reference_counts( $tableref->{$1}, $name1, $name2 ) if / -[jg] ([^\s]+)/;
-	}
+	}	    

 	if ( $debug ) {
 	    my $rule = @{$chain1->{rules}};
@@ -809,20 +799,24 @@ sub copy_rules( $$ ) {
    #
    $name1 =~ s/\+/\\+/;

+    ( s/\-([AI]) $name1(\b)/-$1 ${name2}$2/ ) for @rules;
+
    my $last = pop @$rules; # Delete the jump to chain1

    if ( $debug ) {
 	my $rule = @$rules;
 	trace( $chain2, 'A', ++$rule, $_ ) for @rules;
    }
-    #
-    # Chain2 is now a referent of all of Chain1's targets
-    #
+
    for ( @rules ) {
-	increment_reference_count( $tableref->{$1}, $name2 ) if / -[jg] ([^\s]+)/;
+	adjust_reference_counts( $tableref->{$1}, $name1, $name2 ) if / -[jg] ([^\s]+)/;
    }

    push @$rules, @rules;
+    #
+    # Add chain1's references to $chain2
+    #
+    $chain2->{references}{$_} += $chain1->{references}{$_} for keys %{$chain1->{references}}; 

    progress_message "  $count rules from $chain1->{name} appended to $chain2->{name}";

@@ -830,10 +824,22 @@ sub copy_rules( $$ ) {
 	delete $chain1->{references}{$name2};
 	unless ( keys %{$chain1->{references}} ) {
 	    delete_chain $chain1;
-	}
+	}    
    }
 }

+#
+# Transform the passed interface name into a legal shell variable name.
+#
+sub chain_base($) {
+    my $chain = $_[0];
+
+    $chain =~ s/^@/at_/;
+    $chain =~ tr/[.\-%@]/_/;
+    $chain =~ s/\+$//;
+    $chain;
+}
+
 #
 # Name of canonical chain between an ordered pair of zones
 #
@@ -1413,8 +1419,8 @@ sub optimize_chain( $ ) {
    if ( $chainref->{referenced} ) {
 	my $rules    = $chainref->{rules};
 	my $count    = 0;
-
-	pop @$rules; # Pop the plain -j ACCEPT rule at the end of the chain
+    
+	pop @$rules; # Pop the plain -j ACCEPT rule at the end of the chain 

 	pop @$rules, $count++ while @$rules && $rules->[-1] =~ /-j ACCEPT(?:$|\s)/;

@@ -1441,7 +1447,7 @@ sub optimize_chain( $ ) {
 			$count++;
 			trace( $chainref, 'R', $rule, $_ ) if $debug;
 		    }
-		}
+		} 
 	    }

 	    progress_message "  $count references to ACCEPT policy chain $chainref->{name} replaced";
@@ -1501,7 +1507,7 @@ sub replace_references( $$ ) {
 			$count++;
 			trace( $fromref, 'R', $rule, $_ ) if $debug;
 		    }
-		}
+		}    
 	    }
 	}

@@ -1541,7 +1547,7 @@ sub replace_references1( $$$ ) {
    #
    # The caller has ensured that $matches does not contain /! -[piosd] /
    #
-    my $hasp     = $matches =~ / -p /;
+    my $hasp     = $matches =~ / -p /; 
    my $hasi     = $matches =~ / -i /;
    my $haso     = $matches =~ / -o /;
    my $hass     = $matches =~ / -s /;
@@ -1608,7 +1614,7 @@ sub replace_references1( $$$ ) {
 	}
    }

-
+    

    progress_message "  $count references to chain $chainref->{name} replaced" if $count;

@@ -1616,10 +1622,10 @@ sub replace_references1( $$$ ) {
 }

 #
-# The passed builtin chain has a single rule. If the target is a user chain without 'dont"move', copy the rules from the
+# The passed builtin chain has a single rule. If the target is a user chain without 'dont"move', move the rules from the 
 # chain to the builtin and return true; otherwise, do nothing and return false.
 #
-sub conditionally_copy_rules( $$ ) {
+sub conditionally_move_rules( $$ ) {
    my ( $chainref, $target ) = @_;

    if ( $target =~ /^\s*([^\s]+)/ ) {
@@ -1628,13 +1634,14 @@ sub conditionally_copy_rules( $$ ) {
 	#
 	my $basictarget = $1;
 	my $targetref = $chain_table{$chainref->{table}}{$basictarget};
-
+	
 	if ( $targetref && ! $targetref->{dont_move} ) {
 	    #
 	    # Move is safe -- start with an empty rule list
 	    #
 	    $chainref->{rules} = [];
-	    copy_rules( $targetref, $chainref );
+	    my $count = move_rules( $targetref, $chainref );
+	    progress_message "  $count rules moved from chain $targetref->{name} to chain $chainref->{name}" if $count;
 	    1;
 	}
    }
@@ -1691,10 +1698,10 @@ sub optimize_ruleset() {
 			delete_chain $chainref;
 			next;
 		    }
-
+		    
 		    unless ( $chainref->{dont_optimize} ) {
 			my $numrules = @{$chainref->{rules}};
-
+			
 			if ( $numrules == 0 ) {
 			    #
 			    # No rules in this chain
@@ -1723,9 +1730,9 @@ sub optimize_ruleset() {
 				if ( $chainref->{builtin} ) {
 				    #
 				    # A built-in chain. If the target is a user chain without 'dont_move',
-				    # we can copy its rules to the built-in
+				    # we can move its rules to the built-in
 				    #
-				    if ( conditionally_copy_rules $chainref, $1 ) {
+				    if ( conditionally_move_rules $chainref, $1 ) {
 					#
 					# Target was a user chain -- rules moved
 					#
@@ -1765,25 +1772,25 @@ sub optimize_ruleset() {
 		    }
 		}
 	    }
-
+	    
 	    #
 	    # In this loop, we look for chains that end in an unconditional jump. If the target of the jump
 	    # is subject to deletion (dont_delete = false), the jump is replaced by target's rules.
 	    #
 	    $progress = 1;
-
+	    
 	    while ( $progress ) {
 		$progress = 0;
 		$passes++;
-
+		
 		for my $chainref ( grep $_->{referenced}, values %{$chain_table{$table}} ) {
 		    my $lastrule = $chainref->{rules}[-1];
-
+		    
 		    if ( defined $lastrule && $lastrule  =~ /^-A -[jg] (.*)$/ ) {
 			#
 			# Last rule is a simple branch
 			my $targetref = $chain_table{$table}{$1};
-
+			
 			if ( $targetref && ! ( $targetref->{builtin} || $targetref->{dont_move} ) ) {
 			    copy_rules( $targetref, $chainref );
 			    $progress = 1;
@@ -1808,11 +1815,11 @@ sub optimize_ruleset() {
 		    my $rules1 = $chainref1->{rules};
 		    next if @$rules != @$rules1;
 		    next if $chainref1->{dont_delete};
-
+		    
 		    for ( my $i = 0; $i <= $#$rules; $i++ ) {
 			next CHAIN unless $rules->[$i] eq $rules1->[$i];
 		    }
-
+		    
 		    replace_references1 $chainref1, $chainref->{name}, '';
 		}
 	    }
@@ -1855,7 +1862,7 @@ sub set_mss( $$$ ) {
 }

 #
-# Interate over all zones with 'mss=' settings adding TCPMSS rules as appropriate.
+# Interate over non-firewall zones and interfaces with 'mss=' setting adding TCPMSS rules as appropriate.
 #
 sub setup_zone_mss() {
    for my $zone ( all_zones ) {
@@ -1903,12 +1910,12 @@ sub logchain( $$$$$$ ) {
 		       $logtag,
 		       'add',
 		       '' );
-
+	
 	add_rule( $logchainref, $exceptionrule . $target );
    }

    $logchainref;
-}
+}   

 sub newnonatchain() {
    my $seq = $chainseq++;
@@ -2226,7 +2233,7 @@ sub do_ratelimit( $$ ) {
 	    }

 	    $limit .= "--hashlimit-htable-expire $expire ";
-	}
+	} 

 	$limit;
    } elsif ( $rate =~ /^(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
@@ -2556,10 +2563,10 @@ sub match_ipsec_in( $$ ) {
    my $zoneref    = find_zone( $zone );
    my $optionsref = $zoneref->{options};

-    unless ( $optionsref->{super} || $zoneref->{type} == VSERVER ) {
+    unless ( $optionsref->{super} ) {
 	$match = '-m policy --dir in --pol ';

-	if ( $zoneref->{type} == IPSEC ) {
+	if ( $zoneref->{type} eq 'ipsec' ) {
 	    $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
 	} elsif ( have_ipsec ) {
 	    $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
@@ -2580,10 +2587,10 @@ sub match_ipsec_out( $$ ) {
    my $zoneref    = find_zone( $zone );
    my $optionsref = $zoneref->{options};

-    unless ( $optionsref->{super} || $zoneref->{type} == VSERVER ) {
+    unless ( $optionsref->{super} ) {
 	$match = '-m policy --dir out --pol ';

-	if ( $zoneref->{type} == IPSEC ) {
+	if ( $zoneref->{type} eq 'ipsec' ) {
 	    $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
 	} elsif ( have_ipsec ) {
 	    $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
@@ -2877,7 +2884,7 @@ sub get_interface_acasts ( $ ) {

    my $variable = interface_acasts( $interface );

-    $interfaceacasts{$interface} = qq($variable="\$(get_interface_acasts $interface) ) . IPv6_MULTICAST;
+    $interfaceacasts{$interface} = qq($variable="\$(get_interface_acasts $interface) ff00::/10");

    "\$$variable";
 }
@@ -3111,7 +3118,7 @@ sub expand_rule( $$$$$$$$$$;$ )
    if ( $target =~ /-[jg]\s+([^\s]+)/ ) {
 	my $targetref = $chain_table{$chainref->{table}}{$1};
 	if ( $targetref ) {
-	    $targetref->{referenced} = 1;
+	    $targetref->{referenced} = 1; 
 	    add_reference $chainref, $targetref;
 	}
    }
@@ -3450,9 +3457,9 @@ sub expand_rule( $$$$$$$$$$;$ )
 				# Find/Create a chain that both logs and applies the target action
 				# and jump to the log chain if all of the rule's conditions are met
 				#
-				add_jump( $chainref,
-					  logchain( $chainref, $loglevel, $logtag, $exceptionrule , $disposition, $target ),
-					  $builtin_target{$disposition},
+				add_jump( $chainref, 
+					  logchain( $chainref, $loglevel, $logtag, $exceptionrule , $disposition, $target ), 
+					  $builtin_target{$disposition},  
 					  $matches,
 					  1 );
 			    } else {
@@ -3537,7 +3544,7 @@ sub emitr( $$ ) {
    assert( $chain );

    if ( $rule ) {
-	my $replaced = ($rule =~ s/((^|[ "])?)-A /$1-A $chain /);
+	my $replaced = ($rule =~ s/( ?)-A /$1-A $chain /);

 	if ( substr( $rule, 0, 2 ) eq '-A' ) {
 	    #
@@ -3593,128 +3600,6 @@ sub emitr1( $$ ) {
    }
 }

-#
-# Emit code to save the dynamic chains to hidden files in ${VARDIR}
-#
-
-sub save_dynamic_chains() {
-
-    my $tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
-
-    emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
-    push_indent;
-
-emit <<"EOF";
-if chain_exists 'UPnP -t nat'; then
-    $tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
-else
-    rm -f \${VARDIR}/.UPnP
-fi
-
-if chain_exists forwardUPnP; then
-    $tool -t filter | grep '^-A forwardUPnP ' > \${VARDIR}/.forwardUPnP
-else
-    rm -f \${VARDIR}/.forwardUPnP
-fi
-
-if chain_exists dynamic; then
-    $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
-else
-    rm -f \${VARDIR}/.dynamic
-fi
-EOF
-
-    pop_indent;
-    emit ( 'else' );
-    push_indent;
-
-emit <<"EOF";
-rm -f \${VARDIR}/.UPnP
-rm -f \${VARDIR}/.forwardUPnP
-
-if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then
-    if chain_exists dynamic; then
-        $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
-    fi
-fi
-EOF
-    pop_indent;
-
-    emit ( 'fi' ,
-	   '' );
-}
-
-sub load_ipsets() {
-
-    my @ipsets = all_ipsets;
-
-    if ( @ipsets || $config{SAVE_IPSETS} ) {
-	emit ( '',
-	       'local hack',
-	       '',
-	       'case $IPSET in',
-	       '    */*)',
-	       '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
-	       '        ;;',
-	       '    *)',
-	       '        IPSET="$(mywhich $IPSET)"',
-	       '        [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
-	       '        ;;',
-	       'esac',
-	       '',
-	       'if [ "$COMMAND" = start ]; then' ,
-	       '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
-	       '        $IPSET -F' ,
-	       '        $IPSET -X' ,
-	       '        $IPSET -R < ${VARDIR}/ipsets.save' ,
-	       '    fi' ,
-	       'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
-	       '    if [ -f $(my_pathname)-ipsets ]; then' ,
-	       '        if chain_exists shorewall; then' ,
-	       '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
-	       '        else' ,
-	       '            $IPSET -F' ,
-	       '            $IPSET -X' ,
-	       '            $IPSET -R < $(my_pathname)-ipsets' ,
-	       '        fi' ,
-	       '    fi' ,
-	     );
-	
-	if ( @ipsets ) {
-	    emit '';
-
-	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
-	    emit ( '' ,
-		   'elif [ "$COMMAND" = restart ]; then' ,
-		   '' );
-
-	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
-	    emit ( '' ,
-		   '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
-		   '        #',
-		   '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
-		   '        #',
-		   '        hack=\'| grep -v /31\'' ,
-		   '    else' ,
-		   '        hack=' ,
-		   '    fi' ,
-		   '',
-		   '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
-		   '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
-		   '    fi',
-		   'elif [ "$COMMAND" = refresh ]; then' );
-
-	    emit ( "   qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-	}
-
-	emit ( 'fi' ,
-	       '' );
-    }
-}
-
-#
 #
 # Generate the netfilter input
 #
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_10';
+our $VERSION = '4.4_9';

 our $export;

@@ -87,22 +87,22 @@ sub generate_script_1( $ ) {
 	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
 	    my $date = localtime;
-
+	    
 	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-
+	    
 	    if ( $family == F_IPV4 ) {
 		copy $globals{SHAREDIRPL} . 'prog.header';
 	    } else {
 		copy $globals{SHAREDIRPL} . 'prog.header6';
 	    }
-
+	    
 	    copy2 $globals{SHAREDIR} . '/lib.common', 0;
 	}
-
+	
    }

    my $lib = find_file 'lib.private';
-
+	
    copy2( $lib, $debug ) if -f $lib;

    emit <<'EOF';
@@ -256,7 +256,7 @@ sub generate_script_2() {
    push_indent;

    if ( $global_variables ) {
-
+	
 	emit( 'case $COMMAND in' );

 	push_indent;
@@ -271,7 +271,7 @@ sub generate_script_2() {

 	set_global_variables(1);

-	handle_optional_interfaces(0);
+	handle_optional_interfaces;

 	emit ';;';

@@ -284,7 +284,7 @@ sub generate_script_2() {

 	    set_global_variables(0);

-	    handle_optional_interfaces(0);
+	    handle_optional_interfaces;

 	    emit ';;';
 	}
@@ -294,15 +294,16 @@ sub generate_script_2() {

 	emit ( 'esac' ) ,
    } else {
-	emit( 'true' ) unless handle_optional_interfaces(1);
+	emit( 'true' ) unless handle_optional_interfaces;
    }

    pop_indent;

    emit "\n}\n"; # End of detect_configuration()
-
+    
 }

+#
 # Final stage of script generation.
 #
 #    Generate code for loading the various files in /var/lib/shorewall[6][-lite]
@@ -353,17 +354,80 @@ sub generate_script_3($) {
    }

    if ( $family == F_IPV4 ) {
-	load_ipsets;
+	my @ipsets = all_ipsets;
+
+	if ( @ipsets || $config{SAVE_IPSETS} ) {
+	    emit ( '',
+		   'local hack',
+		   '',
+		   'case $IPSET in',
+		   '    */*)',
+		   '        [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
+		   '        ;;',
+		   '    *)',
+		   '        IPSET="$(mywhich $IPSET)"',
+		   '        [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
+		   '        ;;',
+		   'esac',
+		   '',
+		   'if [ "$COMMAND" = start ]; then' ,
+		   '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		   '        $IPSET -F' ,
+		   '        $IPSET -X' ,
+		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
+		   '    fi' ,
+		   'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
+		   '    if [ -f $(my_pathname)-ipsets ]; then' ,
+		   '        if chain_exists shorewall; then' ,
+		   '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
+		   '        else' ,
+		   '            $IPSET -F' ,
+		   '            $IPSET -X' ,
+		   '            $IPSET -R < $(my_pathname)-ipsets' ,
+		   '        fi' ,
+		   '    fi' ,
+		 );
+
+	    if ( @ipsets ) {
+		emit '';
+
+		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+		emit ( '' ,
+		       'elif [ "$COMMAND" = restart ]; then' ,
+		       '' );
+
+		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+		emit ( '' ,
+		       '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
+		       '        #',
+		       '        # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
+		       '        #',
+		       '        hack=\'| grep -v /31\'' ,
+		       '    else' ,
+		       '        hack=' ,
+		       '    fi' ,
+		       '',
+		       '    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
+		       '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
+		       '    fi' );
+	    }
+
+	    emit ( 'fi',
+		   '' );
+	}

 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
-	       '   run_refresh_exit' ,
-	       'else' ,
+	       '   run_refresh_exit' );
+
+	emit ( "   qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+	emit ( 'else' ,
 	       '    run_init_exit',
 	       'fi',
 	       '' );

-	save_dynamic_chains;
-
 	mark_firewall_not_started;

 	emit ('',
@@ -384,9 +448,8 @@ sub generate_script_3($) {
 	emit "disable_ipv6\n" if $config{DISABLE_IPV6};

    } else {
-	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
+	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', 
 	       '' );
-	save_dynamic_chains;
 	mark_firewall_not_started;
 	emit '';
    }
@@ -457,6 +520,7 @@ EOF
        set_state "Started"
    else
        setup_netfilter
+        restore_dynamic_rules
        conditionally_flush_conntrack
 EOF
    setup_forwarding( $family , 0 );
@@ -801,11 +865,6 @@ sub compiler {
 	#
 	compile_stop_firewall( $test, $export );
 	#
-	#                               U P D O W N
-	#               (Writes the updown() function to the compiled script)
-	#
-	compile_updown;
-	#
 	# Copy the footer to the script
 	#
 	unless ( $test ) {
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -131,7 +131,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script

 Exporter::export_ok_tags('internal');

-our $VERSION = '4.4_11';
+our $VERSION = '4.4_9';

 #
 # describe the current command, it's present progressive, and it's completion.
@@ -249,7 +249,6 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 OLD_HL_MATCH    => 'Old Hash Limit Match',
 		 TPROXY_TARGET   => 'TPROXY Target',
 		 FLOW_FILTER     => 'Flow Classifier',
-		 FWMARK_RT_MASK  => 'fwmark route mask',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -289,7 +288,6 @@ our $sillyname;               # Name of temporary filter chains for testing capa
 our $sillyname1;
 our $iptables;                # Path to iptables/ip6tables
 our $tc;                      # Path to tc
-our $ip;                      # Path to ip

 use constant { MIN_VERBOSITY => -1,
 	       MAX_VERBOSITY => 2 ,
@@ -343,8 +341,8 @@ sub initialize( $ ) {
 		    EXPORT => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED => 0,
-		    VERSION => "4.4.11.1",
-		    CAPVERSION => 40411 ,
+		    VERSION => "4.4.9",
+		    CAPVERSION => 40408 ,
 		  );

    #
@@ -380,7 +378,6 @@ sub initialize( $ ) {
 	      IP => undef,
 	      TC => undef,
 	      IPSET => undef,
-	      PERL => undef,
 	      #
 	      #PATH is inherited
 	      #
@@ -463,8 +460,6 @@ sub initialize( $ ) {
 	      OPTIMIZE_ACCOUNTING => undef,
 	      DYNAMIC_BLACKLIST => undef,
 	      LOAD_HELPERS_ONLY => undef,
-	      REQUIRE_INTERFACE => undef,
-	      FORWARD_CLEAR_MARK => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -585,8 +580,6 @@ sub initialize( $ ) {
 	      OPTIMIZE_ACCOUNTING => undef,
 	      DYNAMIC_BLACKLIST => undef,
 	      LOAD_HELPERS_ONLY => undef,
-	      REQUIRE_INTERFACE => undef,
-	      FORWARD_CLEAR_MARK => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -667,7 +660,6 @@ sub initialize( $ ) {
 	       PERSISTENT_SNAT => undef,
 	       OLD_HL_MATCH => undef,
 	       FLOW_FILTER => undef,
-	       FWMARK_RT_MASK => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -1187,7 +1179,7 @@ sub copy1( $ ) {
 		    print $script $here_documents if $here_documents;
 		    print $script "\n";
 		}
-
+		
 		if ( $debug ) {
 		    print "GS-----> $here_documents" if $here_documents;
 		    print "GS----->\n";
@@ -1287,7 +1279,7 @@ EOF
 			s/^(\s*)/$indent1$1$indent2/;
 			s/        /\t/ if $indent2;
 		    }
-
+		    
 		    if ( $script ) {
 			print $script $_;
 			print $script "\n";
@@ -1301,9 +1293,9 @@ EOF
 		    $lastlineblank = 0;
 		}
 	    }
-
+	    
 	    close IF;
-
+	
 	    unless ( $lastlineblank ) {
 		print $script "\n" if $script;
 		print "GS----->\n" if $trace;
@@ -1770,9 +1762,7 @@ sub embedded_perl( $ ) {
 #   - Handle INCLUDE <filename>
 #

-sub read_a_line(;$) {
-    my $embedded_enabled = defined $_[0] ? shift : 1;
-
+sub read_a_line() {
    while ( $currentfile ) {

 	$currentline = '';
@@ -1818,59 +1808,53 @@ sub read_a_line(;$) {
 	    #
 	    # Must check for shell/perl before doing variable expansion
 	    #
-	    if ( $embedded_enabled ) {
-		if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
-		    embedded_shell( $1 );
-		    next;
-		}
-
-		if ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
-		    embedded_perl( $1 );
-		    next;
-		}
-	    } 
-
-	    my $count = 0;
-	    #
-	    # Expand Shell Variables using %ENV
-	    #
-	    #                            $1      $2      $3           -     $4
-	    while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
-		my $val = $ENV{$3};
-
-		unless ( defined $val ) {
-		    fatal_error "Undefined shell variable (\$$3)" unless exists $ENV{$3};
-		    $val = '';
-		}
-
-		$currentline = join( '', $1 , $val , $4 );
-		fatal_error "Variable Expansion Loop" if ++$count > 100;
-	    }
-
-	    if ( $currentline =~ /^\s*INCLUDE\s/ ) {
-
-		my @line = split ' ', $currentline;
-
-		fatal_error "Invalid INCLUDE command"    if @line != 2;
-		fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
-
-		my $filename = find_file $line[1];
-
-		fatal_error "INCLUDE file $filename not found" unless -f $filename;
-		fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
-
-		if ( -s _ ) {
-		    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
-		    $currentfile = undef;
-		    do_open_file $filename;
-		} else {
-		    $currentlinenumber = 0;
-		}
-
-		$currentline = '';
+	    if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
+		embedded_shell( $1 );
+	    } elsif ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
+		embedded_perl( $1 );
 	    } else {
-		print "IN===> $currentline\n" if $debug;
-		return 1;
+		my $count = 0;
+		#
+		# Expand Shell Variables using %ENV
+		#
+		#                            $1      $2      $3           -     $4
+		while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
+		    my $val = $ENV{$3};
+
+		    unless ( defined $val ) {
+			fatal_error "Undefined shell variable (\$$3)" unless exists $ENV{$3};
+			$val = '';
+		    }
+
+		    $currentline = join( '', $1 , $val , $4 );
+		    fatal_error "Variable Expansion Loop" if ++$count > 100;
+		}
+
+		if ( $currentline =~ /^\s*INCLUDE\s/ ) {
+
+		    my @line = split ' ', $currentline;
+
+		    fatal_error "Invalid INCLUDE command"    if @line != 2;
+		    fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
+
+		    my $filename = find_file $line[1];
+
+		    fatal_error "INCLUDE file $filename not found" unless -f $filename;
+		    fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
+
+		    if ( -s _ ) {
+			push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+			$currentfile = undef;
+			do_open_file $filename;
+		    } else {
+			$currentlinenumber = 0;
+		    }
+
+		    $currentline = '';
+		} else {
+		    print "IN===> $currentline\n" if $debug;
+		    return 1;
+		}
 	    }
 	}

@@ -1913,11 +1897,9 @@ sub default ( $$ ) {
 sub default_yes_no ( $$ ) {
    my ( $var, $val ) = @_;

-    my $curval = $config{$var};
+    my $curval = "\L$config{$var}";

    if ( defined $curval && $curval ne '' ) {
-	$curval = lc $curval;
-
 	if (  $curval eq 'no' ) {
 	    $config{$var} = '';
 	} else {
@@ -1940,7 +1922,7 @@ sub numeric_option( $$$ ) {
    my $value = $config{$option};

    my $val = $default;
-
+    
    if ( defined $value && $value ne '' ) {
 	$val = numeric_value $value;
 	fatal_error "Invalid value ($value) for '$option'" unless defined $val && $val <= 32;
@@ -1953,7 +1935,7 @@ sub numeric_option( $$$ ) {

 sub make_mask( $ ) {
    0xffffffff >> ( 32 - $_[0] );
-}
+}   

 my @suffixes = qw(group range threshold nlgroup cprange qthreshold);

@@ -2199,14 +2181,14 @@ sub Persistent_Snat() {
 	$result = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" );
 	qt1( "$iptables -t nat -F $sillyname" );
 	qt1( "$iptables -t nat -X $sillyname" );
-
+	
    }

    $result;
 }

 sub Mangle_Enabled() {
-    if ( qt1( "$iptables -t mangle -L -n" ) ) {
+    if ( qt1( "$iptables -t mangle -L -n" ) ) { 
 	system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
    }
 }
@@ -2367,7 +2349,7 @@ sub IPSet_Match() {
    my $ipset  = $config{IPSET} || 'ipset';
    my $result = 0;

-    $ipset = which $ipset unless $ipset =~ '/';
+    $ipset = which $ipset unless $ipset =~ '//';

    if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );
@@ -2433,10 +2415,6 @@ sub Flow_Filter() {
    $tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0;
 }

-sub Fwmark_Rt_Mask() {
-    $ip && system( "$ip rule add help 2>&1 | grep -q /MASK" ) == 0;
-}
-
 our %detect_capability =
    ( ADDRTYPE => \&Addrtype,
      CLASSIFY_TARGET => \&Classify_Target,
@@ -2448,7 +2426,6 @@ our %detect_capability =
      ENHANCED_REJECT => \&Enhanced_Reject,
      EXMARK => \&Exmark,
      FLOW_FILTER => \&Flow_Filter,
-      FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
      GOTO_TARGET => \&Goto_Target,
      HASHLIMIT_MATCH => \&Hashlimit_Match,
      HELPER_MATCH => \&Helper_Match,
@@ -2505,7 +2482,7 @@ sub have_capability( $ ) {

    $capabilities{ $capability } = detect_capability( $capability ) unless defined $capabilities{ $capability };

-    $capabilities{ $capability };
+    $capabilities{ $capability }; 
 }

 #
@@ -2526,11 +2503,11 @@ sub determine_capabilities() {
    qt1( "$iptables -N $sillyname1" );

    fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
-	unless
+	unless 
 	    qt1( "$iptables -A $sillyname -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT") ||
 	    qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");;
-
-
+	    
+  
    unless ( $config{ LOAD_HELPERS_ONLY } ) {
 	#
 	# Using 'detect_capability()' is a bit less efficient than calling the individual detection
@@ -2539,7 +2516,7 @@ sub determine_capabilities() {
 	$capabilities{NAT_ENABLED}     = detect_capability( 'NAT_ENABLED' );
 	$capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' );
 	$capabilities{MANGLE_ENABLED}  = detect_capability( 'MANGLE_ENABLED' );
-
+	
 	if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) {
 	    $capabilities{NEW_CONNTRACK_MATCH} = detect_capability( 'NEW_CONNTRACK_MATCH' );
 	    $capabilities{OLD_CONNTRACK_MATCH} = detect_capability( 'OLD_CONNTRACK_MATCH' );
@@ -2552,7 +2529,7 @@ sub determine_capabilities() {
 	     $capabilities{KLUDGEFREE}  = Kludgefree1;
 	}

-	$capabilities{XMULTIPORT}   = detect_capability( 'XMULTIPORT' );
+	$capabilities{XMULTIPORT}   = detect_capability( 'XMULTIPORT' ); 
 	$capabilities{POLICY_MATCH} = detect_capability( 'POLICY_MATCH' );

 	if ( $capabilities{PHYSDEV_MATCH} = detect_capability( 'PHYSDEV_MATCH' ) ) {
@@ -2688,7 +2665,7 @@ sub process_shorewall_conf() {

 	    first_entry "Processing $file...";

-	    while ( read_a_line(0) ) {
+	    while ( read_a_line ) {
 		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);
 		    unless ( exists $config{$var} ) {
@@ -2763,18 +2740,12 @@ sub get_capabilities( $ ) {

 	fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;

-	$tc = $config{TC} || which 'tc';
+	$tc = $config{TC};

 	if ( $tc ) {
 	    fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
 	}

-	$ip = $config{IP} || which 'ip';
-
-	if ( $ip ) {
-	    fatal_error "IP=$ip does not exist or is not executable" unless -x $ip;
-	}
-
 	load_kernel_modules;

 	if ( open_file 'capabilities' ) {
@@ -2864,7 +2835,7 @@ sub get_configuration( $ ) {
    }

    check_trivalue ( 'IP_FORWARDING', 'on' );
-
+    
    my $val;

    if ( have_capability( 'KERNELVERSION' ) < 20631 ) {
@@ -2883,7 +2854,7 @@ sub get_configuration( $ ) {
    }

    if ( $family == F_IPV6 ) {
-	$val = $config{ROUTE_FILTER};
+	$val = $config{ROUTE_FILTER};	
 	fatal_error "ROUTE_FILTER=$val is not supported in IPv6" if $val && $val ne 'off';
    }

@@ -2976,16 +2947,12 @@ sub get_configuration( $ ) {
    default_yes_no 'ACCOUNTING'                 , 'Yes';
    default_yes_no 'OPTIMIZE_ACCOUNTING'        , '';
    default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
-    default_yes_no 'REQUIRE_INTERFACE'          , '';
-    default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability 'MARK' ? 'Yes' : '';
-
-    require_capability 'MARK' , 'FOREWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};

    numeric_option 'TC_BITS',          $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
    numeric_option 'MASK_BITS',        $config{WIDE_TC_MARKS} ? 16 : 8,  $config{TC_BITS};
    numeric_option 'PROVIDER_BITS' ,   8, 0;
    numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
-
+    
    if ( $config{PROVIDER_OFFSET} ) {
 	$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
 	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 32;
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -73,7 +73,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_7';

 #
 # Some IPv4/6 useful stuff
@@ -91,14 +91,14 @@ our $validate_host;
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
-	       IPv6_MULTICAST      => 'ff00::/8' ,
-	       IPv6_LINKLOCAL      => 'fe80::/10' ,
-	       IPv6_SITELOCAL      => 'feC0::/10' ,
+	       IPv6_MULTICAST      => 'FF00::/10' ,
+	       IPv6_LINKLOCAL      => 'FF80::/10' ,
+	       IPv6_SITELOCAL      => 'FFC0::/10' ,
 	       IPv6_LOOPBACK       => '::1' ,
-	       IPv6_LINK_ALLNODES  => 'ff01::1' ,
-	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
-	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
-	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
+	       IPv6_LINK_ALLNODES  => 'FF01::1' ,
+	       IPv6_LINK_ALLRTRS   => 'FF01::2' ,
+	       IPv6_SITE_ALLNODES  => 'FF02::1' ,
+	       IPv6_SITE_ALLRTRS   => 'FF02::2' ,
 	       ICMP                => 1,
 	       TCP                 => 6,
 	       UDP                 => 17,
@@ -501,7 +501,7 @@ sub valid_6address( $ ) {
    unless ( $address =~ /::$/  ) {
 	return 0 if $address =~ /:$/;
    }
-
+		 
    for my $a ( @address ) {
 	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 );
    }
@@ -570,7 +570,7 @@ sub normalize_6addr( $ ) {
 	1 while $addr =~ s/::/:0:/;

 	$addr =~ s/^0+:/0:/;
-
+	
 	$addr;
    }
 }
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_9';

 our @addresses_to_add;
 our %addresses_to_add;
@@ -448,9 +448,7 @@ sub setup_netmap() {

    while ( read_a_line ) {

-	my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
-
-	$net3 = ALLIP if $net3 eq '-';
+	my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';

 	for my $interface ( split_list $interfacelist, 'interface' ) {

@@ -461,15 +459,15 @@ sub setup_netmap() {
 	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

 	    unless ( $interfaceref->{root} ) {
-		$rulein  = match_source_dev( $interface );
-		$ruleout = match_dest_dev( $interface );
+		$rulein  = match_source_dev $interface;
+		$ruleout = match_dest_dev $interface;
 		$interface = $interfaceref->{name};
 	    }

 	    if ( $type eq 'DNAT' ) {
-		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
+		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein  . "-d $net1 -j NETMAP --to $net2";
 	    } elsif ( $type eq 'SNAT' ) {
-		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
+		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
 	    } else {
 		fatal_error "Invalid type ($type)";
 	    }
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_9';

 # @policy_chains is a list of references to policy chains in the filter table

@@ -246,7 +246,7 @@ sub process_a_policy() {
 	$chainref->{synchain}  = $chain
    }

-    $chainref->{default} = $default if $default;
+    $chainref->{default}   = $default if $default;

    if ( $clientwild ) {
 	if ( $serverwild ) {
@@ -286,7 +286,7 @@ sub save_policies() {
 	    }
 	}
    }
-}
+}	    

 sub validate_policy()
 {
@@ -307,7 +307,6 @@ sub validate_policy()
 		 NFQUEUE_DEFAULT => 'NFQUEUE' );

    my $zone;
-    my $firewall = firewall_zone;
    our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );

    for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
@@ -333,15 +332,13 @@ sub validate_policy()
 	push @policy_chains, ( new_policy_chain $zone,         $zone, 'ACCEPT', PROVISIONAL );
 	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL ) if zone_type( $zone ) == BPORT;

-	my $zoneref = find_zone( $zone );
-
-	if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} == VSERVER ) ) {
+	if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
 	    for my $zone1 ( all_zones ) {
 		unless( $zone eq $zone1 ) {
 		    add_or_modify_policy_chain( $zone, $zone1 );
 		    add_or_modify_policy_chain( $zone1, $zone );
 		}
-	    }		
+	    }
 	}
    }

@@ -418,14 +415,13 @@ sub apply_policy_rules() {

    for my $chainref ( @policy_chains ) {
 	my $policy      = $chainref->{policy};
+	my $loglevel    = $chainref->{loglevel};
+	my $provisional = $chainref->{provisional};
+	my $default     = $chainref->{default};
+	my $name        = $chainref->{name};
+	my $synparms    = $chainref->{synparms};

-	unless ( $policy eq 'NONE' ) {
-	    my $loglevel    = $chainref->{loglevel};
-	    my $provisional = $chainref->{provisional};
-	    my $default     = $chainref->{default};
-	    my $name        = $chainref->{name};
-	    my $synparms    = $chainref->{synparms};
-
+	if ( $policy ne 'NONE' ) {
 	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
 		if ( $config{OPTIMIZE} & 2 ) {
 		    #
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -58,7 +58,7 @@ sub setup_arp_filtering() {
 	for my $interface ( @$interfaces ) {
 	    my $value = get_interface_option $interface, 'arp_filter';
 	    my $optional = interface_is_optional $interface;
-
+                           
 	    $interface = get_physical $interface;

 	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
@@ -74,7 +74,7 @@ sub setup_arp_filtering() {
 	for my $interface ( @$interfaces1 ) {
 	    my $value = get_interface_option $interface, 'arp_ignore';
 	    my $optional = interface_is_optional $interface;
-
+                           
 	    $interface = get_physical $interface;

 	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
@@ -118,7 +118,7 @@ sub setup_route_filtering() {
 	for my $interface ( @$interfaces ) {
 	    my $value = get_interface_option $interface, 'routefilter';
 	    my $optional = interface_is_optional $interface;
-
+                           
 	    $interface = get_physical $interface;

 	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
@@ -169,7 +169,7 @@ sub setup_martian_logging() {
 	for my $interface ( @$interfaces ) {
 	    my $value = get_interface_option $interface, 'logmartians';
 	    my $optional = interface_is_optional $interface;
-
+                           
 	    $interface = get_physical $interface;

 	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_9';

 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -158,7 +158,7 @@ sub copy_and_edit_table( $$$$ ) {
    my ( $duplicate, $number, $copy, $realm) = @_;
    #
    # Hack to work around problem in iproute
-    #
+    #    
    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
    #
    # Map physical names in $copy to logical names
@@ -295,7 +295,7 @@ sub add_a_provider( ) {
 	$gateway = '';
    }

-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) =
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) = 
 	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0 );

    unless ( $options eq '-' ) {
@@ -340,7 +340,7 @@ sub add_a_provider( ) {
 	    } elsif ( $option eq 'local' ) {
 		$local = 1;
 		$track = 0           if $config{TRACK_PROVIDERS};
-		$default_balance = 0 if$config{USE_DEFAULT_RT};
+		$default_balance = 0 if$config{USE_DEFAULT_RT}; 
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
@@ -435,12 +435,10 @@ sub add_a_provider( ) {
    }

    if ( $mark ne '-' ) {
-	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';
+	emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};

-	emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
-
-	emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
-	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_routing"
+	emit ( "run_ip rule add fwmark $mark pref $pref table $number",
+	       "echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
 	     );
    }

@@ -548,7 +546,7 @@ sub start_new_if( $ ) {
    emit ( '', qq(if [ -n "\$SW_${current_if}_IS_USABLE" ]; then) );
    push_indent;
 }
-
+  
 #
 # Complete any current 'if' statement in the output script
 #
@@ -838,20 +836,14 @@ sub lookup_provider( $ ) {

 #
 # This function is called by the compiler when it is generating the detect_configuration() function.
-# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
-# ..._IS_USABLE interface variables appropriately for the  optional interfaces
+# The function emits code to set the ..._IS_USABLE interface variables appropriately for the
+# optional interfaces
 #
-# Returns true if there were required or optional interfaces
+# Returns true if there were optional interfaces
 #
-sub handle_optional_interfaces( $ ) {
+sub handle_optional_interfaces() {

-    my $returnvalue = verify_required_interfaces( shift );
-    #
-    # find_interfaces_by_option1() does not return wildcard interfaces. If an interface is defined
-    # as a wildcard in /etc/shorewall/interfaces, then only specific interfaces matching that
-    # wildcard are returned.
-    #
-    my $interfaces = find_interfaces_by_option1 'optional';
+    my $interfaces = find_interfaces_by_option 'optional';

    if ( @$interfaces ) {
 	for my $interface ( @$interfaces ) {
@@ -859,12 +851,7 @@ sub handle_optional_interfaces( $ ) {
 	    my $physical = get_physical $interface;
 	    my $base     = uc chain_base( $physical );

-	    emit( '' );
-
-	    if ( $config{REQUIRE_INTERFACE} ) {
-		emit( 'HAVE_INTERFACE=' );
-		emit( '' );
-	    }
+	    emit '';

 	    if ( $provider ) {
 		#
@@ -884,41 +871,14 @@ sub handle_optional_interfaces( $ ) {
 		emit qq(if interface_is_usable $physical; then);
 	    }

-	    emit( '    HAVE_INTERFACE=Yes' ) if $config{REQUIRE_INTERFACE};
-
 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
 		  'else' ,
 		  "    SW_${base}_IS_USABLE=" ,
 		  'fi' );
 	}

-	if ( $config{REQUIRE_INTERFACE} ) {
-	    emit( '',
-		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
-		  '    case "$COMMAND" in',
-		  '        start|restart|restore|refresh)'
-		);
-
-	    if ( $family == F_IPV4 ) {
-		emit( '            if shorewall_is_started; then' );
-	    } else {
-		emit( '            if shorewall6_is_started; then' );
-	    }
-
-	    emit( '                fatal_error "No network interface available"',
-		  '            else',
-		  '                startup_error "No network interface available"',
-		  '            fi',
-		  '            ;;',
-		  '    esac',
-		  'fi'
-		);
-	}
-
-	$returnvalue = 1;
+	1;
    }
-
-    $returnvalue;
 }

 #
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_11';
+our $VERSION = '4.3_7';

 #
 # Notrack
@@ -50,9 +50,9 @@ sub process_notrack_rule( $$$$$$ ) {
    ( my $zone, $source) = split /:/, $source, 2;
    my $zoneref  = find_zone $zone;
    my $chainref = ensure_raw_chain( notrack_chain $zone );
-    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
+    my $restriction = $zone eq firewall_zone ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;

-    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
    require_capability 'RAW_TABLE', 'Notrack rules', '';

    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_9';

 #
 # Set to one if we find a SECTION
@@ -370,8 +370,8 @@ sub process_routestopped() {
 	    my $chainref = $filter_table->{FORWARD};

 	    for my $host ( split /,/, $hosts ) {
-		add_rule( $chainref ,
-			  match_source_dev( $interface ) .
+		add_rule( $chainref , 
+			  match_source_dev( $interface ) . 
 			  match_dest_dev( $interface ) .
 			  match_source_net( $host ) .
 			  match_dest_net( $host ) );
@@ -443,7 +443,6 @@ sub add_common_rules() {
 	add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), ' ' , 'reject' , $level ;
 	$chainref = dont_optimize( new_standard_chain( 'dynamic' ) );
 	add_jump $filter_table->{$_}, $chainref, 0, $state for qw( INPUT FORWARD );
-	add_commands( $chainref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
    }

    setup_mss;
@@ -452,7 +451,7 @@ sub add_common_rules() {
 	add_rule( $filter_table->{$_} , "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" ) for qw( INPUT FORWARD OUTPUT );
    }

-    for $interface ( grep $_ ne '%vserver%', all_interfaces ) {
+    for $interface ( all_interfaces ) {
 	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface );
    }

@@ -466,18 +465,18 @@ sub add_common_rules() {
 	progress_message2 'Adding Anti-smurf Rules';

 	$chainref = new_standard_chain 'smurfs';
-
+    
 	my $smurfdest;

 	if ( defined $config{SMURF_LOG_LEVEL} && $config{SMURF_LOG_LEVEL} ne '' ) {
 	    my $smurfref = new_chain( 'filter', $smurfdest = 'smurflog' );
-
+	    
 	    log_rule_limit( $config{SMURF_LOG_LEVEL},
 			    $smurfref,
 			    'smurfs' ,
 			    'DROP',
 			    $globals{LOGLIMIT},
-			    '',
+			    '', 
 			    'add',
 			    '' );
 	    add_rule( $smurfref, '-j DROP' );
@@ -499,7 +498,7 @@ sub add_common_rules() {
 	    } else {
 		add_commands $chainref, 'for address in $ALL_ACASTS; do';
 	    }
-
+	    
 	    incr_cmd_level $chainref;
 	    add_jump( $chainref, $smurfdest, 1, '-s $address ' );
 	    decr_cmd_level $chainref;
@@ -509,7 +508,7 @@ sub add_common_rules() {
 	if ( $family == F_IPV4 ) {
 	    add_jump( $chainref, $smurfdest, 1, '-s 224.0.0.0/4 ' );
 	} else {
-	    add_jump( $chainref, $smurfdest, 1, '-s ' . IPv6_MULTICAST . ' ' );
+	    add_jump( $chainref, $smurfdest, 1, '-s ff00::/10 ' );
 	}

 	my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID';
@@ -547,7 +546,7 @@ sub add_common_rules() {
    if ( $family == F_IPV4 ) {
 	add_rule $rejectref , '-s 224.0.0.0/4 -j DROP';
    } else {
-	add_rule $rejectref , '-s ' . IPv6_MULTICAST . ' -j DROP';
+	add_rule $rejectref , '-s ff00::/10 -j DROP';
    }

    add_rule $rejectref , '-p 2 -j DROP';
@@ -582,7 +581,7 @@ sub add_common_rules() {
 		add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
 	    }

-	    add_rule( $filter_table->{forward_chain $interface} ,
+	    add_rule( $filter_table->{forward_chain $interface} , 
 		      "-p udp " .
 		      match_dest_dev( $interface ) .
 		      "--dport $ports -j ACCEPT" )
@@ -648,9 +647,7 @@ sub add_common_rules() {
 	if ( @$list ) {
 	    progress_message2 "$doing UPnP";

-	    $chainref = dont_optimize new_nat_chain( 'UPnP' );
-
-	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
+	    dont_optimize new_nat_chain( 'UPnP' );

 	    $announced = 1;

@@ -672,10 +669,10 @@ sub add_common_rules() {
 		if ( interface_is_optional $interface ) {
 		    add_commands( $chainref,
 				  qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
-				  '    echo "-A ' . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT" >&3) ,
+				  '    echo -A ' . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) ,
 				  qq(fi) );
 		} else {
-		    add_rule( $chainref, match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT) );
+		    add_commands( $chainref, 'echo -A ' . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) );
 		}
 	    }
 	}
@@ -729,7 +726,7 @@ sub setup_mac_lists( $ ) {
 		#
 		# Accept Multicast
 		#
-		add_rule $chainref , '-d ' . IPv6_MULTICAST . ' -j RETURN';
+		add_rule $chainref , '-d ff00::/10 -j RETURN';
 	    }

 	    if ( $ttl ) {
@@ -1069,7 +1066,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	if ( $dest eq '-' ) {
 	    $dest = join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
 	} else {
-	    $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
+	    $dest = join( '', $z, '::', $dest ) unless $dest =~ /:/;
 	}
    } elsif ( $action eq 'REJECT' ) {
 	$action = 'reject';
@@ -1133,10 +1130,10 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {

    my $restriction = NO_RESTRICT;

-    if ( $sourceref && ( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ) ) {
-	$restriction = $destref && ( $destref->{type} == FIREWALL || $destref->{type} == VSERVER ) ? ALL_RESTRICT : OUTPUT_RESTRICT;
+    if ( $sourcezone eq firewall_zone ) {
+	$restriction = $destzone eq firewall_zone ? ALL_RESTRICT : OUTPUT_RESTRICT;
    } else {
-	$restriction = INPUT_RESTRICT if $destref && ( $destref->{type} == FIREWALL || $destref->{type} == VSERVER );
+	$restriction = INPUT_RESTRICT if $destzone eq firewall_zone;
    }

    my ( $chain, $chainref, $policy );
@@ -1199,14 +1196,14 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	#
 	# Either a DNAT, REDIRECT or ACCEPT+ rule; don't apply rate limiting twice
 	#
-	$rule = join( '',
+	$rule = join( '', 
 		      do_proto($proto, $ports, $sports),
 		      do_user( $user ) ,
 		      do_test( $mark , $globals{TC_MASK} ) ,
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) );
    } else {
-	$rule = join( '',
+	$rule = join( '', 
 		      do_proto($proto, $ports, $sports),
 		      do_ratelimit( $ratelimit, $basictarget ) ,
 		      do_user( $user ) ,
@@ -1290,7 +1287,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		    $origdest = ALLIP;
 		}
 	    }
-	} else {
+	} else {            
 	    if ( $server eq '' ) {
 		fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
 	    } elsif ( $server =~ /^(.+)-(.+)$/ ) {
@@ -1652,7 +1649,7 @@ sub rules_target( $$ ) {
    my ( $zone, $zone1 ) = @_;
    my $chain = rules_chain( ${zone}, ${zone1} );
    my $chainref = $filter_table->{$chain};
-
+    
    return $chain   if $chainref && $chainref->{referenced};
    return 'ACCEPT' if $zone eq $zone1;

@@ -1668,111 +1665,6 @@ sub rules_target( $$ ) {
    ''; # CONTINUE policy
 }

-#
-# Generate rules for one destination zone
-#
-sub generate_dest_rules( $$$$ ) {
-    my ( $chainref, $chain, $z2, $match ) = @_;
-
-    my $z2ref            = find_zone( $z2 );
-    my $type2            = $z2ref->{type};
-
-    if ( $type2 == VSERVER ) {
-	for my $hostref ( @{$z2ref->{hosts}{ip}{'%vserver%'}} ) {
-	    my $exclusion   = dest_exclusion( $hostref->{exclusions}, $chain); 
-
-	    for my $net ( @{$hostref->{hosts}} ) {
-		add_jump( $chainref, 
-			  $exclusion ,
-			  0,
-			  join('', $match, match_dest_net( $net ) ) ) 
-	    }
-	}
-    } else {
-	add_jump( $chainref, $chain, 0, $match );
-    }
-}
-
-#
-# Generate rules for one vserver source zone
-#
-sub generate_source_rules( $$$$ ) {
-    my ( $outchainref, $z1, $z2, $match ) = @_;
-    my $chain = rules_target ( $z1, $z2 );
-	    
-    if ( $chain ) {
-	#
-	# Not a CONTINUE policy with no rules
-	#
-	for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
-	    my $ipsec_match = match_ipsec_in $z1 , $hostref;
-	    my $exclusion   = source_exclusion( $hostref->{exclusions}, $chain);
-		
-	    for my $net ( @{$hostref->{hosts}} ) {
-		generate_dest_rules( $outchainref,
-				     $exclusion,
-				     $z2,  
-				     join('', match_source_net( $net ), $match , $ipsec_match )
-				   );
-	    }	
-	}
-    } 
-}
-
-#
-# Loopback traffic -- this is where we assemble the intra-firewall traffic routing
-#
-sub handle_loopback_traffic() {
-    my @zones   = ( vserver_zones, firewall_zone );
-    my $natout  = $nat_table->{OUTPUT};
-    my $rulenum = 0;
-
-    my $outchainref;
-    my $rule = '';
-
-    if ( @zones > 1 ) {
-	$outchainref = new_standard_chain 'loopback';
-	add_jump $filter_table->{OUTPUT}, $outchainref, 0, '-o lo ';
-    } else {
-	$outchainref = $filter_table->{OUTPUT};
-	$rule = '-o lo ';
-    }
-
-    for my $z1 ( @zones ) {
-	my $z1ref            = find_zone( $z1 );
-	my $type1            = $z1ref->{type};
-	my $natref           = $nat_table->{dnat_chain $z1};
-
-	if ( $type1 == FIREWALL ) {
-	    for my $z2 ( @zones ) {
-		my $chain = rules_target( $z1, $z2 );
-
-		generate_dest_rules( $outchainref, $chain, $z2, $rule ) if $chain;
-	    }
-	} else {
-	    for my $z2 ( @zones ) {
-		generate_source_rules( $outchainref, $z1, $z2, $rule );
-	    }
-	}
-
-	if ( $natref && $natref->{referenced} ) {
-	    my $source_hosts_ref = defined_zone( $z1 )->{hosts};
-
-	    for my $typeref ( values %{$source_hosts_ref} ) {
-		for my $hostref ( @{$typeref->{'%vserver%'}} ) {
-		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);
-		
-		    for my $net ( @{$hostref->{hosts}} ) {
-			add_jump( $natout, $exclusion, 0, match_source_net( $net ), 0, $rulenum++ );
-		    }
-		}	
-	    }
-	}
-    }
-
-    add_rule $filter_table->{INPUT}  , '-i lo -j ACCEPT';
-}
-
 #
 # Add jumps from the builtin chains to the interface-chains that are used by this configuration
 #
@@ -1791,7 +1683,7 @@ sub add_interface_jumps {
    addnatjump 'POSTROUTING' , 'nat_out' , '';
    addnatjump 'PREROUTING', 'dnat', '';

-    for my $interface ( grep $_ ne '%vserver%', @_ ) {
+    for my $interface ( @_ ) {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , match_source_dev( $interface );
 	addnatjump 'POSTROUTING' , output_chain( $interface ) , match_dest_dev( $interface );
 	addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface );
@@ -1799,7 +1691,7 @@ sub add_interface_jumps {
    #
    # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
    #
-    for my $interface ( grep $_ ne '%vserver%', @_ ) {
+    for my $interface ( @_ ) {
 	my $forwardref   = $filter_table->{forward_chain $interface};
 	my $inputref     = $filter_table->{input_chain $interface};
 	my $outputref    = $filter_table->{output_chain $interface};
@@ -1814,8 +1706,14 @@ sub add_interface_jumps {
 	    add_jump $filter_table->{OUTPUT} , $outputref , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
 	}
    }
+    #
+    # Loopback
+    #
+    my $fw = firewall_zone;
+    my $chainref = $filter_table->{rules_chain( ${fw}, ${fw} )};

-    handle_loopback_traffic;
+    add_jump $filter_table->{OUTPUT} ,  ($chainref->{referenced} ? $chainref : 'ACCEPT' ), 0, '-o lo ';
+    add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
 }

 # Generate the rules matrix.
@@ -1832,8 +1730,7 @@ sub generate_matrix() {
    my $preroutingref = ensure_chain 'nat', 'dnat';
    my $fw = firewall_zone;
    my $notrackref = $raw_table->{notrack_chain $fw};
-    my @zones = off_firewall_zones;
-    my @vservers = vserver_zones;
+    my @zones = non_firewall_zones;
    my $interface_jumps_added = 0;
    our %input_jump_added   = ();
    our %output_jump_added  = ();
@@ -1902,6 +1799,7 @@ sub generate_matrix() {
 	my $source_hosts_ref = $zoneref->{hosts};
 	my $chain1           = rules_target firewall_zone , $zone;
 	my $chain2           = rules_target $zone, firewall_zone;
+	my $chain3           = rules_target $zone, $zone;
 	my $complex          = $zoneref->{options}{complex} || 0;
 	my $type             = $zoneref->{type};
 	my $frwd_ref         = $filter_table->{zone_forward_chain $zone};
@@ -1978,16 +1876,10 @@ sub generate_matrix() {
 			    my $interfacematch = '';
 			    my $use_output = 0;

-			    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
+			    if ( use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
 				$outputref = $interfacechainref;
 				add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 				$use_output = 1;
-
-				unless ( lc $net eq IPv6_LINKLOCAL ) {
-				    for my $vzone ( vserver_zones ) {
-					generate_source_rules ( $outputref, $vzone, $zone, $dest );
-				    }
-				}
 			    } else {
 				$outputref = $filter_table->{OUTPUT};
 				$interfacematch = match_dest_dev $interface;
@@ -1996,7 +1888,7 @@ sub generate_matrix() {
 			    add_jump $outputref , $nextchain, 0, join( '', $interfacematch, $dest, $ipsec_out_match );

 			    add_jump( $outputref , $nextchain, 0, join('', $interfacematch, '-d 255.255.255.255 ' , $ipsec_out_match ) )
-				if $family == F_IPV4 && $hostref->{options}{broadcast};
+				if $hostref->{options}{broadcast};

 			    move_rules( $interfacechainref , $chain1ref ) unless $use_output;
 			}
@@ -2039,17 +1931,10 @@ sub generate_matrix() {
 			my $interfacematch = '';
 			my $use_input;

-			if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
+			if ( use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 			    $inputchainref = $interfacechainref;
 			    add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
 			    $use_input = 1;
-
-			    unless ( lc $net eq IPv6_LINKLOCAL ) {
-				for my $vzone ( @vservers ) {
-				    my $target = rules_target( $zone, $vzone );
-				    generate_dest_rules( $inputchainref, $target, $vzone, $source . $ipsec_in_match ) if $target;
-				}
-			    }
 			} else {
 			    $inputchainref = $filter_table->{INPUT};
 			    $interfacematch = match_source_dev $interface;
@@ -2384,7 +2269,7 @@ EOF

 	        if [ -x $g_restorepath ]; then
 		    echo Restoring ${g_product:=Shorewall}...
-
+                    
                    g_recovering=Yes

 		    if run_it $g_restorepath restore; then
@@ -2456,13 +2341,13 @@ EOF
    add_rule $filter_table->{$_}, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" for @chains;

    if ( $family == F_IPV6 ) {
-	add_rule $input, '-s ' . IPv6_LINKLOCAL . ' -j ACCEPT';
-	add_rule $input, '-d ' . IPv6_LINKLOCAL . ' -j ACCEPT';
-	add_rule $input, '-d ' . IPv6_MULTICAST . ' -j ACCEPT';
+	add_rule $input, '-s ff80::/10 -j ACCEPT';
+	add_rule $input, '-d ff80::/10 -j ACCEPT';
+	add_rule $input, '-d ff00::/10 -j ACCEPT';

 	unless ( $config{ADMINISABSENTMINDED} ) {
-	    add_rule $output, '-d ' . IPv6_LINKLOCAL . ' -j ACCEPT';
-	    add_rule $output, '-d ' . IPv6_MULTICAST . ' -j ACCEPT';
+	    add_rule $output, '-d ff80::/10 -j ACCEPT';
+	    add_rule $output, '-d ff00::/10 -j ACCEPT';
 	}
    }

@@ -2560,8 +2445,8 @@ EOF
    }

    emit '
-
    set_state "Stopped"
+
    logger -p kern.info "$g_product Stopped"

    case $COMMAND in
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_9';

 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -317,7 +317,7 @@ sub process_tc_rule( ) {
 			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');

 			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
-
+			
 			$chain = 'tcpre';

 			$cmd =~ /TPROXY\((.+?)\)$/;
@@ -337,15 +337,15 @@ sub process_tc_rule( ) {
 			}

 			$target .= "--on-port $port";
-
+			
 			if ( defined $ip && $ip ne '' ) {
 			    validate_address $ip, 1;
 			    $target .= " --on-ip $ip";
 			}

-			$target .= ' --tproxy-mark';
+			$target .= ' --tproxy-mark';	
 		    }
-
+			

 		    if ( $rest ) {
 			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
@@ -371,10 +371,8 @@ sub process_tc_rule( ) {
 		my $val = numeric_value( $cmd );
 		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
 		my $limit = $globals{TC_MASK};
-		unless ( have_capability 'FWMARK_RT_MASK' ) {
-		    fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
-			if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
-		}
+		fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
+		    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
 	    }
 	}
    }
@@ -445,7 +443,7 @@ sub process_flow($) {
 }

 sub process_simple_device() {
-    my ( $device , $type , $in_bandwidth ) = split_line 1, 3, 'tcinterfaces';
+    my ( $device , $type , $bandwidth ) = split_line 1, 3, 'tcinterfaces';

    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
@@ -465,7 +463,7 @@ sub process_simple_device() {
 	}
    }

-    $in_bandwidth = rate_to_kbit( $in_bandwidth );
+    $bandwidth = rate_to_kbit( $bandwidth );

    emit "if interface_is_up $physical; then";

@@ -473,13 +471,13 @@ sub process_simple_device() {

    emit ( "${dev}_exists=Yes",
 	   "qt \$TC qdisc del dev $physical root",
-	   "qt \$TC qdisc del dev $physical ingress\n"
+	   "qt \$TC qdisc del dev $physical ingress\n"	   
 	 );

    emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
-	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst 10k drop flowid :1\n"
-	 ) if $in_bandwidth;
-
+	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${bandwidth}kbit burst 10k drop flowid :1\n"
+	 ) if $bandwidth;
+	  
    emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";

    for ( my $i = 1; $i <= 3; $i++ ) {
@@ -490,7 +488,7 @@ sub process_simple_device() {
    }

    save_progress_message_short qq("   TC Device $physical defined.");
-
+    
    pop_indent;
    emit 'else';
    push_indent;
@@ -499,9 +497,9 @@ sub process_simple_device() {
    emit "${dev}_exists=";
    pop_indent;
    emit "fi\n";
-
+ 
    progress_message "  Simple tcdevice \"$currentline\" $done.";
-}
+}    

 sub validate_tc_device( ) {
    my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';
@@ -1096,14 +1094,14 @@ sub process_tc_priority() {
 		  1 );
    } else {
 	my $postref = $mangle_table->{tcpost};
-
+	
 	if ( $address ne '-' ) {
 	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
 	    add_rule( $postref ,
 		      join( '', match_source_net( $address) , $rule ) ,
 		      1 );
 	} else {
-	    add_rule( $postref ,
+	    add_rule( $postref , 
 		      join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
 		      1 );

@@ -1115,7 +1113,7 @@ sub process_tc_priority() {
 		    $ipp2p = 1;
 		}

-		add_rule( $postref ,
+		add_rule( $postref , 
 			  join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
 			  1 )
 		    unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
@@ -1141,8 +1139,8 @@ sub setup_simple_traffic_shaping() {
    my $fn1 = open_file 'tcpri';

    if ( $fn1 ) {
-	first_entry
-	    sub {
+	first_entry 
+	    sub { 
 		progress_message2 "$doing $fn1...";
 		warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces;
 	    };
@@ -1385,9 +1383,7 @@ sub setup_tc() {
 	add_jump $mangle_table->{OUTPUT} ,     'tcout', 0, $mark_part;

 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    my $mask = have_capability 'EXMARK' ? have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '' : '';
-
-	    add_rule( $mangle_table->{FORWARD},     "-j MARK --set-mark 0${mask}" ) if $config{FORWARD_CLEAR_MARK};
+	    add_rule( $mangle_table->{FORWARD},     '-j MARK --set-mark 0' ) if have_capability 'MARK';
 	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
 	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
 	}
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -11,7 +11,7 @@
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
-#       This program is distributed in the shope that it will be useful,
+#       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
@@ -37,7 +37,6 @@ our @EXPORT = qw( NOTHING
 		  IPSECPROTO
 		  IPSECMODE
 		  FIREWALL
-		  VSERVER
 		  IP
 		  BPORT
 		  IPSEC
@@ -53,11 +52,8 @@ our @EXPORT = qw( NOTHING
 		  all_zones
 		  all_parent_zones
 		  complex_zones
-		  vserver_zones
-		  off_firewall_zones
 		  non_firewall_zones
 		  single_interface
-		  chain_base
 		  validate_interfaces_file
 		  all_interfaces
 		  all_bridges
@@ -71,11 +67,8 @@ our @EXPORT = qw( NOTHING
 		  source_port_to_bridge
 		  interface_is_optional
 		  find_interfaces_by_option
-		  find_interfaces_by_option1
 		  get_interface_option
 		  set_interface_option
-		  verify_required_interfaces
-		  compile_updown
 		  validate_hosts_file
 		  find_hosts_by_option
 		  all_ipsets
@@ -83,7 +76,7 @@ our @EXPORT = qw( NOTHING
 		 );

 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_9';

 #
 # IPSEC Option types
@@ -169,8 +162,7 @@ our $have_ipsec;
 use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 3,
-	       IPSEC    => 4,
-	       VSERVER  => 5 };
+	       IPSEC    => 4 };

 use constant { SIMPLE_IF_OPTION   => 1,
 	       BINARY_IF_OPTION   => 2,
@@ -184,14 +176,13 @@ use constant { SIMPLE_IF_OPTION   => 1,

 	       IF_OPTION_ZONEONLY => 8,
 	       IF_OPTION_HOST     => 16,
-	       IF_OPTION_VSERVER  => 32,
 	   };

 our %validinterfaceoptions;

-our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
+our %defaultinterfaceoptions = ( routefilter => 1 );

-our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 );

 our %validhostoptions;

@@ -227,13 +218,12 @@ sub initialize( $ ) {
 				  dhcp        => SIMPLE_IF_OPTION,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
-				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
+				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
 				  norfc1918   => OBSOLETE_IF_OPTION,
 				  nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  optional    => SIMPLE_IF_OPTION,
 				  proxyarp    => BINARY_IF_OPTION,
-				  required    => SIMPLE_IF_OPTION,
-				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
 				  routefilter => NUMERIC_IF_OPTION ,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -241,7 +231,6 @@ sub initialize( $ ) {
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION,
 				  physical    => STRING_IF_OPTION + IF_OPTION_HOST,
-				  wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -258,18 +247,16 @@ sub initialize( $ ) {
 				    bridge      => SIMPLE_IF_OPTION,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
-				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
+				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
-				    required    => SIMPLE_IF_OPTION,
-				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION,
 				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
-				    wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -381,7 +368,6 @@ sub process_zone( \$ ) {
 	    fatal_error "Invalid Parent List ($2)" unless $p;
 	    fatal_error "Unknown parent zone ($p)" unless $zones{$p};
 	    fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL;
-	    fatal_error 'Subzones of a Vserver zone not allowed' if $zones{$p}{type} == VSERVER;
 	    push @{$zones{$p}{children}}, $zone;
 	}
    }
@@ -408,14 +394,11 @@ sub process_zone( \$ ) {
 	$firewall_zone = $zone;
 	$ENV{FW} = $zone;
 	$type = FIREWALL;
-    } elsif ( $type eq 'vserver' ) {
-	fatal_error 'Vserver zones may not be nested' if @parents;
-	$type = VSERVER;
    } elsif ( $type eq '-' ) {
 	$type = IP;
 	$$ip = 1;
    } else {
-	fatal_error "Invalid zone type ($type)";
+	fatal_error "Invalid zone type ($type)" ;
    }

    if ( $type eq IPSEC ) {
@@ -504,9 +487,9 @@ sub zone_report()
    my @translate;

    if ( $family == F_IPV4 ) {
-	@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
+	@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
    } else {
-	@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
+	@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
    }

    for my $zone ( @zones )
@@ -533,7 +516,7 @@ sub zone_report()
 			    my $grouplist  = join ',', ( @$hosts );
 			    my $exclusions = join ',', @{$groupref->{exclusions}};
 			    $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;
-
+		
 			    if ( $family == F_IPV4 ) {
 				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
@@ -563,9 +546,9 @@ sub dump_zone_contents()
    my @xlate;

    if ( $family == F_IPV4 ) {
-	@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
+	@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
    } else {
-	@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
+	@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
    }

    for my $zone ( @zones )
@@ -642,9 +625,7 @@ sub add_group_to_zone($$$$$)
    my $allip    = 0;

    for my $host ( @$networks ) {
-	$interfaceref = $interfaces{$interface};
-
-	$interfaceref->{nets}++;
+	$interfaces{$interface}{nets}++;

 	fatal_error "Invalid Host List" unless defined $host and $host ne '';

@@ -661,13 +642,6 @@ sub add_group_to_zone($$$$$)
 		if ( $host eq ALLIP ) {
 		    fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if @newnetworks;
 		    $interfaces{$interface}{zone} = $zone;
-		    #
-		    # Make 'find_hosts_by_option()' work correctly for this zone
-		    #
-		    for ( qw/blacklist maclist nosmurfs tcpflags/ ) {
-			$options->{$_} = 1 if $interfaceref->{options}{$_};
-		    }
-
 		    $allip = 1;
 		}
 	    }
@@ -731,12 +705,8 @@ sub all_zones() {
    @zones;
 }

-sub off_firewall_zones() {
-   grep ( ! ( $zones{$_}{type} == FIREWALL || $zones{$_}{type} == VSERVER )  ,  @zones );
-}
-
 sub non_firewall_zones() {
-   grep ( $zones{$_}{type} != FIREWALL  ,  @zones );
+   grep ( $zones{$_}{type} != FIREWALL ,  @zones );
 }

 sub all_parent_zones() {
@@ -747,10 +717,6 @@ sub complex_zones() {
    grep( $zones{$_}{options}{complex} , @zones );
 }

-sub vserver_zones() {
-    grep ( $zones{$_}{type} == VSERVER, @zones );
-}
-
 sub firewall_zone() {
    $firewall_zone;
 }
@@ -760,19 +726,7 @@ sub firewall_zone() {
 #
 sub is_a_bridge( $ ) {
    which 'brctl' && qt( "brctl show | tail -n+2 | grep -q '^$_[0]\[\[:space:\]\]'" );
-}
-
-#
-# Transform the passed interface name into a legal shell variable name.
-#
-sub chain_base($) {
-    my $chain = $_[0];
-
-    $chain =~ s/^@/at_/;
-    $chain =~ tr/[.\-%@]/_/;
-    $chain =~ s/\+$//;
-    $chain;
-}
+} 

 #
 # Process a record in the interfaces file
@@ -814,8 +768,6 @@ sub process_interface( $$ ) {
 	    } else {
 		$zoneref->{bridge} = $interface;
 	    }
-	    
-	    fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} == VSERVER;
 	}

 	$bridge = $interface;
@@ -823,8 +775,6 @@ sub process_interface( $$ ) {
    } else {
 	fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
 	fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} == BPORT;
-	fatal_error "Vserver zones may not be associated with interfaces" if $zone && $zoneref->{type} == VSERVER;
-
 	$bridge = $interface;
    }

@@ -861,12 +811,6 @@ sub process_interface( $$ ) {

    my $hostoptionsref = {};

-    if ( $options eq 'ignore' ) {
-	fatal_error "Ignored interfaces may not be associated with a zone" if $zone;
-	$options{ignore} = 1;
-	$options = '-';
-    }
-
    if ( $options ne '-' ) {

 	my %hostoptions = ( dynamic => 0 );
@@ -878,11 +822,7 @@ sub process_interface( $$ ) {

 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};

-	    if ( $zone ) {
-		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} == VSERVER && ! ( $type & IF_OPTION_VSERVER );
-	    } else { 
-		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
-	    }
+	    fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone;

 	    my $hostopt = $type & IF_OPTION_HOST;

@@ -975,8 +915,6 @@ sub process_interface( $$ ) {
 	    }
 	}

-	fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};
-
 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = "${zone}_" . chain_base $physical;
 	    $netsref = [ "+$ipset" ];
@@ -991,14 +929,13 @@ sub process_interface( $$ ) {

 	$hostoptions{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export || $options{routeback};

-
 	$hostoptionsref = \%hostoptions;
    } else {
 	#
 	# No options specified -- auto-detect bridge
 	#
 	$hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export;
-    }
+    }	

    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
 						       bridge     => $bridge ,
@@ -1014,12 +951,12 @@ sub process_interface( $$ ) {
    if ( $zone ) {
 	$netsref ||= [ allip ];
 	add_group_to_zone( $zone, $zoneref->{type}, $interface, $netsref, $hostoptionsref );
-	add_group_to_zone( $zone,
-			   $zoneref->{type},
-			   $interface,
-			   $family == F_IPV4 ? [ IPv4_MULTICAST ] : [ IPv6_MULTICAST ] ,
+	add_group_to_zone( $zone, 
+			   $zoneref->{type}, 
+			   $interface, 
+			   [ IPv4_MULTICAST ], 
 			   { destonly => 1 } ) if $hostoptionsref->{multicast} && $interfaces{$interface}{zone} ne $zone;
-    }
+    } 

    progress_message "  Interface \"$currentline\" Validated";

@@ -1064,27 +1001,6 @@ sub validate_interfaces_file( $ ) {
    # Be sure that we have at least one interface
    #
    fatal_error "No network interfaces defined" unless @interfaces;
-
-    if ( vserver_zones ) {
-	#
-	# While the user thinks that vservers are associated with a particular interface, they really are not.
-	# We create an interface to associated them with.
-	#
-	my $interface = '%vserver%';
-
-	$interfaces{$interface} = { name       => $interface ,
-				    bridge     => $interface ,
-				    nets       => 0 ,
-				    number     => $nextinum ,
-				    root       => $interface ,
-				    broadcasts => undef ,
-				    options    => {} ,
-				    zone       => '',
-				    physical   => 'lo',
-				  };
-
-	push @interfaces, $interface;
-    }
 }

 #
@@ -1093,13 +1009,13 @@ sub validate_interfaces_file( $ ) {
 sub map_physical( $$ ) {
    my ( $name, $interfaceref ) = @_;
    my $physical = $interfaceref->{physical};
-
+    
    return $physical if $name eq $interfaceref->{name};

    $physical =~ s/\+$//;

    $physical . substr( $name, length  $interfaceref->{root} );
-}
+}  

 #
 # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
@@ -1120,9 +1036,9 @@ sub known_interface($)
 	    #
 	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces and we do not set the root;
 	    #
-	    return $interfaces{$interface} = { options  => $interfaceref->{options},
-					       bridge   => $interfaceref->{bridge} ,
-					       name     => $i ,
+	    return $interfaces{$interface} = { options  => $interfaceref->{options}, 
+					       bridge   => $interfaceref->{bridge} , 
+					       name     => $i , 
 					       number   => $interfaceref->{number} ,
 					       physical => map_physical( $interface, $interfaceref )
 					     };
@@ -1223,7 +1139,7 @@ sub find_interfaces_by_option( $ ) {

    for my $interface ( @interfaces ) {
 	my $interfaceref = $interfaces{$interface};
-
+	
 	next unless $interfaceref->{root};

 	my $optionsref = $interfaceref->{options};
@@ -1235,28 +1151,6 @@ sub find_interfaces_by_option( $ ) {
    \@ints;
 }

-#
-# Returns reference to array of interfaces with the passed option
-#
-sub find_interfaces_by_option1( $ ) {
-    my $option = $_[0];
-    my @ints = ();
-
-    for my $interface ( keys %interfaces ) {
-	my $interfaceref = $interfaces{$interface};
-
-	next unless defined $interfaceref->{physical};
-	next if $interfaceref->{physical} =~ /\+/;
-
-	my $optionsref = $interfaceref->{options};
-	if ( $optionsref && defined $optionsref->{$option} ) {
-	    push @ints , $interface
-	}
-    }
-
-    \@ints;
-}
-
 #
 # Return the value of an option for an interface
 #
@@ -1275,289 +1169,6 @@ sub set_interface_option( $$$ ) {
    $interfaces{$interface}{options}{$option} = $value;
 }

-#
-# Verify that all required interfaces are available after waiting for any that specify the 'wait' option.
-#
-sub verify_required_interfaces( $ ) {
-
-    my $generate_case = shift;
-
-    my $returnvalue = 0;
-
-    my $interfaces = find_interfaces_by_option 'wait';
-
-    if ( @$interfaces ) {
-	emit( "local waittime\n" );
-
-	emit( 'case "$COMMAND" in' );
-
-	push_indent;
-
-	emit( 'start|restart|restore)' );
-
-	push_indent;
-
-	for my $interface (@$interfaces ) {
-	    my $wait = $interfaces{$interface}{options}{wait};
-
-	    if ( $wait ) {
-		my $physical = get_physical $interface;
-
-		if ( $physical =~ /\+$/ ) {
-		    my $base = uc chain_base $physical;
-
-		    $physical =~ s/\+$/*/;
-
-		    emit( 'for interface in $(find_all_interfaces); do',
-			  '    case $interface in',
-			  "        $physical)",
-			  "            waittime=$wait",
-			  '            while [ $waittime -gt 0 ]; do',
-			  '                interface_is_usable $interface && break',
-			  '                waittime=$(($waittime - 1))',
-			  '            done',
-			  '            ;;',
-			  '    esac',
-			  'done',
-			  '',
-			);
-		} else {
-		    emit qq(if ! interface_is_usable $physical; then);
-		    emit qq(    waittime=$wait);
-		    emit  '';
-		    emit  q(    while [ $waittime -gt 0 ]; do);
-		    emit qq(        interface_is_usable $physical && break);
-		    emit  q(        sleep 1);
-		    emit   '        waittime=$(($waittime - 1))';
-		    emit  q(    done);
-		    emit qq(fi\n);
-		}
-
-		$returnvalue = 1;
-	    }
-	}
-
-	emit( ";;\n" );
-	
-	pop_indent;
-	pop_indent;
-
-	emit( 'esac' );
-
-    }
-
-    $interfaces = find_interfaces_by_option 'required';
-
-    if ( @$interfaces ) {
-
-	if ( $generate_case ) {
-	    emit( 'case "$COMMAND" in' );
-	    push_indent;
-	    emit( 'start|restart|restore|refresh)' );
-	    push_indent;
-	}
-
-	for my $interface (@$interfaces ) {
-	    my $physical = get_physical $interface;
-
-	    if ( $physical =~ /\+$/ ) {
-		my $base = uc chain_base $physical;
-
-		$physical =~ s/\+$/*/;
-
-		emit( "${base}_IS_UP=\n",
-		      'for interface in $(find_all_interfaces); do',
-		      '    case $interface in',
-		      "        $physical)",
-		      "            interface_is_usable \$interface && ${base}_IS_UP=Yes && break",
-		      '            ;;',
-		      '    esac',
-		      'done',
-		      '',
-		      "if [ -z \"\$${base}_IS_UP\" ]; then",
-		      "    startup_error \"None of the required interfaces $physical are available\"",
-		      "fi\n"
-		    );
-	    } else {
-		emit qq(if ! interface_is_usable $physical; then);
-		emit qq(    startup_error "Required interface $physical not available");
-		emit qq(fi\n);
-	    }
-	}
-
-	if ( $generate_case ) {
-	    emit( ';;' );
-	    pop_indent;
-	    pop_indent;
-	    emit( 'esac' );
-	}
-
-	$returnvalue = 1;
-    }
-
-    $returnvalue;
-}
-
-#
-# Emit the updown() function
-#
-sub compile_updown() {
-    emit( '',
-	  '#',
-	  '# Handle the "up" and "down" commands',
-	  '#',
-	  'updown() # $1 = interface',
-	  '{',
-	);
-
-    push_indent;
-
-    emit( 'local state',
-	  'state=cleared',
-	  '' );
-
-    emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
-    emit '';
-
-    if ( $family == F_IPV4 ) {
-	emit 'if shorewall_is_started; then';
-    } else {
-	emit 'if shorewall6_is_started; then';
-    }
-
-    emit( '    state=started',
-	  'elif [ -f ${VARDIR}/state ]; then',
-	  '    case "$(cat ${VARDIR}/state)" in',
-	  '        Stopped*)',
-	  '            state=stopped',
-	  '            ;;',
-	  '        Cleared*)',
-	  '            ;;',
-	  '        *)',
-	  '            state=unknown',
-	  '            ;;',
-	  '    esac',
-	  'else',
-	  '    state=unknown',
-	  'fi',
-	  ''
-	);
-
-    emit( 'case $1 in' );
-
-    push_indent;
-
-    my $ignore   = find_interfaces_by_option 'ignore';
-    my $required = find_interfaces_by_option 'required';
-    my $optional = find_interfaces_by_option 'optional';
-
-    if ( @$ignore ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$ignore;
-
-	$interfaces =~ s/\+/*/;
-
-	emit( "$interfaces)",
-	      '    progress_message3 "$COMMAND on interface $1 ignored"',
-	      '    exit 0',
-	      '    ;;'
-	    );
-    }
-
-    if ( @$required ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$required;
-
-	my $wildcard = ( $interfaces =~ s/\+/*/ );
-
-	emit( "$interfaces)",
-	      '    if [ "$COMMAND" = up ]; then' );
-
-	if ( $wildcard ) {
-	    emit( '        if [ "$state" = started ]; then',
-		  '            COMMAND=restart',
-		  '        else',
-		  '            COMMAND=start',
-		  '        fi' );
-	} else {
-	    emit( '        COMMAND=start' );
-	}
-
-	emit( '        progress_message3 "$g_product attempting $COMMAND"',
-	      '        detect_configuration',
-	      '        define_firewall' );
-
-	if ( $wildcard ) {
-	    emit( '    elif [ "$state" = started ]; then',
-		  '        progress_message3 "$g_product attempting restart"',
-		  '        COMMAND=restart',
-		  '        detect_configuration',
-		  '        define_firewall' );
-	} else {
-	    emit( '    else',
-		  '        COMMAND=stop',
-		  '        progress_message3 "$g_product attempting stop"',
-		  '        detect_configuration',
-		  '        stop_firewall' );
-	}
-
-	emit( '    fi',
-	      '    ;;'
-	    );
-    }
-
-    if ( @$optional ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$optional;
-
-	$interfaces =~ s/\+/*/;
-
-	emit( "$interfaces)",
-	      '    if [ "$COMMAND" = up ]; then',
-	      '        echo 0 > ${VARDIR}/${1}.state',
-	      '    else',
-	      '        echo 1 > ${VARDIR}/${1}.state',
-	      '    fi',
-	      '',
-	      '    if [ "$state" = started ]; then',
-	      '        COMMAND=restart',
-	      '        progress_message3 "$g_product attempting restart"',
-	      '        detect_configuration',
-	      '        define_firewall',
-	      '    elif [ "$state" = stopped ]; then',
-	      '        COMMAND=start',
-	      '        progress_message3 "$g_product attempting start"',
-	      '        detect_configuration',
-	      '        define_firewall',
-	      '    else',
-	      '        progress_message3 "$COMMAND on interface $1 ignored"',
-	      '    fi',
-	      '    ;;',
-	    );
-    }
-
-    emit( "*)",
-	  '    case $state in',
-	  '        started)',
-	  '            COMMAND=restart',
-	  '            progress_message3 "$g_product attempting restart"',
-	  '            detect_configuration',
-	  '            define_firewall',
-	  '            ;;',
-	  '        *)',
-	  '            progress_message3 "$COMMAND on interface $1 ignored"',
-	  '            ;;',
-	  '    esac',
-	);
-
-    pop_indent;
-
-    emit( 'esac' );
-
-    pop_indent;
-
-    emit( '}',
-	  '',
-	);
-}
-
 #
 # Process a record in the hosts file
 #
@@ -1598,7 +1209,7 @@ sub process_host( ) {
 	} elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) {
 	    fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
 	}
-    } 
+    }

    my $optionsref = { dynamic => 0 };

@@ -1615,15 +1226,12 @@ sub process_host( ) {
 	    } elsif ( $option eq 'norfc1918' ) {
 		warning_message "The 'norfc1918' option is no longer supported"
 	    } elsif ( $validhostoptions{$option}) {
-		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
 		$options{$option} = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}

-	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER; 
-
 	$optionsref = \%options;
    }

@@ -1643,7 +1251,6 @@ sub process_host( ) {
    $hosts = join( '', ALLIP , $hosts ) if substr($hosts, 0, 2 ) eq ',!';

    if ( $hosts eq 'dynamic' ) {
-	fatal_error "Vserver zones may not be dynamic" if $type == VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
 	my $physical = physical_name $interface;
 	$hosts = "+${zone}_${physical}";
@@ -1651,10 +1258,6 @@ sub process_host( ) {
 	$ipsets{"${zone}_${physical}"} = 1;

    }
-    #
-    # We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
-    #
-    $interface = '%vserver%' if $type == VSERVER;

    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);

--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -5,8 +5,8 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
-    echo
+    echo "Usage: $0 [ options ] [ start|stop|clear|reset|refresh|restart|status|version ]"
+    echo 
    echo "Options are:"
    echo
    echo "   -v and -q        Standard Shorewall verbosity controls"
@@ -85,7 +85,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 		    t*)
 			g_timestamp=Yes
 			option=${option#t}
-			;;
+			;;			
 		    p*)
 			g_purge=Yes
 			option=${option#p}
@@ -126,7 +126,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do

 			if [ -n "$option" ]; then
 			    case $option in
-				*/*)
+				*/*)		    
 	    			    startup_error "-R must specify a simple file name: $option"
 				    ;;
 				.safe|.try|NONE)
@@ -218,7 +218,6 @@ case "$COMMAND" in
 	else
 	    error_message "$g_product is not running"
 	    progress_message3 "Starting $g_product...."
-	    COMMAND=start
 	fi

 	detect_configuration
@@ -256,9 +255,7 @@ case "$COMMAND" in
 	progress_message3 "Clearing $g_product...."
 	clear_firewall
 	status=0
-	if [ -n "$SUBSYSLOCK" ]; then
-	    rm -f $SUBSYSLOCK
-	fi
+	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	progress_message3 "done."
 	;;
    status)
@@ -276,7 +273,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|lClear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -286,13 +283,6 @@ case "$COMMAND" in
 	echo "State:$state"
 	echo
 	;;
-    up|down)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	updown $@
-	status=0;
-	;;
    version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION
--- a/Shorewall/Perl/prog.footer6
+++ b/Shorewall/Perl/prog.footer6
@@ -5,8 +5,8 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
-    echo
+    echo "Usage: $0 [ options ] [ start|stop|clear|reset|refresh|restart|status|version ]"
+    echo 
    echo "Options are:"
    echo
    echo "   -v and -q        Standard Shorewall verbosity controls"
@@ -85,7 +85,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 		    t*)
 			g_timestamp=Yes
 			option=${option#t}
-			;;
+			;;			
 		    p*)
 			g_purge=Yes
 			option=${option#p}
@@ -126,7 +126,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do

 			if [ -n "$option" ]; then
 			    case $option in
-				*/*)
+				*/*)		    
 	    			    startup_error "-R must specify a simple file name: $option"
 				    ;;
 				.safe|.try|NONE)
@@ -184,7 +184,7 @@ else
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
 	    ;;
- 	reset)
+	reset)
 	    if ! shorewall6_is_started ; then
 		error_message "$g_product is not running"
 		status=2
@@ -219,7 +219,6 @@ else
 	    else
 		error_message "$g_product is not running"
 		progress_message3 "Starting $g_product...."
-		COMMAND=start
 	    fi

 	    detect_configuration
@@ -257,9 +256,7 @@ else
 	    progress_message3 "Clearing $g_product...."
 	    clear_firewall
 	    status=0
-	    if [ -n "$SUBSYSLOCK" ]; then
-		rm -f $SUBSYSLOCK
-	    fi
+	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
 	    ;;
 	status)
@@ -287,13 +284,6 @@ else
 	    echo "State:$state"
 	    echo
 	    ;;
-	up|down)
-	    [ $# -eq 1 ] && exit 0
-	    shift
-	    [ $# -ne 1 ] && usage 2
-	    updown $1
-	    status=0
-	    ;;
 	version)
 	    [ $# -ne 1 ] && usage 2
 	    echo $SHOREWALL_VERSION
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -120,13 +120,6 @@ deleteallchains() {
    run_iptables -X
 }

-#
-# Generate a list of all network interfaces on the system
-#
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'
-}
-
 #
 # Find the value 'dev' in the passed arguments then echo the next value
 #
@@ -663,7 +656,7 @@ fatal_error()
 {
    echo "   ERROR: $@" >&2

-    if [ $LOG_VERBOSITY -ge 0 ]; then
+    if [ $LOG_VERBOSITY -gt 1 ]; then
        timestamp="$(date +'%_b %d %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi
@@ -679,12 +672,6 @@ fatal_error()
 startup_error() # $* = Error Message
 {
    echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
    case $COMMAND in
        start)
 	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
@@ -697,7 +684,7 @@ startup_error() # $* = Error Message
 	    ;;
    esac

-    if [ $LOG_VERBOSITY -ge 0 ]; then
+    if [ $LOG_VERBOSITY -gt 1 ]; then
        timestamp="$(date +'%_b %d %T') "

 	case $COMMAND in
@@ -774,6 +761,34 @@ run_tc() {
    fi
 }

+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
 #
 # Get a list of all configured broadcast addresses on the system
 #
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -112,13 +112,6 @@ deleteallchains() {
    run_iptables -X
 }

-#
-# Generate a list of all network interfaces on the system
-#
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'
-}
-
 #
 # Find the value 'dev' in the passed arguments then echo the next value
 #
@@ -185,7 +178,7 @@ find_default_interface() {
 # Determine if Interface is up
 #
 interface_is_up() {
-    [ -n "$($IP -6 link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
+    [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }

 #
@@ -633,12 +626,6 @@ fatal_error()
 startup_error() # $* = Error Message
 {
    echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
    case $COMMAND in
        start)
 	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
@@ -728,6 +715,34 @@ run_tc() {
    fi
 }

+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
 #
 # Run the .iptables_restore_input as a set of discrete iptables commands
 #
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,61 +1,3 @@
-Changes in Shorewall 4.4.11.1
-
-1)  Fix IPv6 shorecap program.
-
-2)  Eradicate incorrect IPv6 Multicast Network
-
-3)  Allow :random to work with REDIRECT
-
-4)  Don't slow down 'stop' with 'wait'.
-
-5)  Resolve mutex/nolock issues.
-
-Changes in Shorewall 4.4.11
-
-1)  Apply patch from Gabriel.
-
-2)  Fix IPSET match detection when a pathname is specified for IPSET.
-
-3)  Fix start priority of shorewall-init on Debian
-
-4)  Make IPv6 log and connections output readable.
-
-5) Add REQUIRE_INTERFACE to shorewall*.conf
-
-6)  Avoid run-time warnings when options are not listed in
-    shorewall.conf.
-
-7)  Implement Vserver zones.
-
-8)  Make find_hosts_by_option() work correctly where ALL_IP appears in
-    hosts file.
-
-9)  Add CLEAR_FORWARD_MARK option.
-
-10) Avoid missing closing quote when REQUIRE_INTERFACE=Yes.
-
-11) Add PERL option.
-
-12) Fix nets= in Shorewall6
-
-Changes in Shorewall 4.4.10
-
-1)  Fix regression with scripts.
-
-2)  Log startup errors.
-
-3)  Implement Shorewall-init.
-
-4)  Add SAFESTOP option to /etc/default/shorewall*
-
-5)  Restore -a functionality to the version command.
-
-6)  Correct Optimization issue
-
-7)  Rename PREFIX to DESTDIR in install scripts
-
-8)  Correct handling of optional/required interfaces with wildcard names.
-
 Changes in Shorewall 4.4.9

 1)  Auto-detection of bridges.
--- a/Shorewall/configfiles/netmap
+++ b/Shorewall/configfiles/netmap
@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#TYPE	NET1			INTERFACE	NET2		NET3
+#TYPE	NET1			INTERFACE	NET2
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -59,8 +59,6 @@ TC=

 IPSET=

-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 SHOREWALL_SHELL=/bin/sh
@@ -196,10 +194,6 @@ OPTIMIZE_ACCOUNTING=No

 LOAD_HELPERS_ONLY=No

-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall/default.debian
+++ b/Shorewall/default.debian
@@ -26,11 +26,4 @@ OPTIONS=""
 #
 INITLOG=/dev/null

-#
-# Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -20,7 +20,7 @@ test -n ${INITLOG:=/var/log/shorewall-init.log}
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
 test -n "$INITLOG" || {
-	echo "INITLOG cannot be empty, please configure $0" ;
+	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }

@@ -32,9 +32,9 @@ fi

 echo_notdone () {

-  if [ "$INITLOG" = "/dev/null" ] ; then
+  if [ "$INITLOG" = "/dev/null" ] ; then 
 	  echo "not done."
-  else
+  else 
 	  echo "not done (check $INITLOG)."
  fi

@@ -71,7 +71,7 @@ fi

 export SHOREWALL_INIT_SCRIPT

-# wait for an unconfigured interface
+# wait for an unconfigured interface 
 wait_for_pppd () {
 	if [ "$wait_interface" != "" ]
 	then
@@ -93,11 +93,7 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
  echo -n "Stopping \"Shorewall firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
-      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
+  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

@@ -124,7 +120,7 @@ case "$1" in
     ;;
  refresh)
     shorewall_refresh
-     ;;
+  	  ;;
  force-reload|restart)
     shorewall_restart
     ;;
--- a/Shorewall/init.slackware.firewall.sh
+++ b/Shorewall/init.slackware.firewall.sh
@@ -45,7 +45,7 @@ status() {

 export SHOREWALL_INIT_SCRIPT=1

-case $1 in
+case $1 in 
 	'start')
 	start
 	;;
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@@ -1,50 +1 @@
-1)  In all versions of Shorewall6 lite, the 'shorecap' program is
-    using the 'iptables' program rather than the 'ip6tables' program.
-    This causes many capabilities that are not available in IPv6 to
-    be incorrectly reported as available.
-
-    This results in errors such as:
-
-    	 ip6tables-restore v1.4.2: Couldn't load match `addrtype':
-	   /lib/xtables/libip6t_addrtype.so: cannot open shared
-	   object file: No such file or directory
-
-    To work around this problem, on the administrative system:
-
-    a)  Remove the incorrect capabilties file.
-    b)  In shorewall6.conf, set the IP6TABLES option to the
-        path name of ip6tables on the firewall (example:
-	IP6TABLES=/sbin/ip6tables).
-    c)  'shorewall6 load <firewall>'.
-
-    Corrected in Shorewall 4.4.11.1
-
-2)  In a number of cases, Shorewall6 generates incorrect rules
-    involving the IPv6 multicast network. The rules specify
-    ff00::/10 where they should specify ff00::/8.  Also, rules
-    instantiated when the IPv6 firewall is stopped use ff80::/10 rather
-    than fe80::/10 (IPv6 link local network).
-
-    Corrected in Shorewall 4.4.11.1
-
-3)  Using a destination port-range with :random produces a fatal
-    compilation error in REDIRECT rules unless the firewall zone is
-    explicitly specified (e.g., $FW::2000-2010:random).
-
-    Corrected in Shorewall 4.4.11.1
-
-4)  /sbin/shorewall and /sbin/shorewall6 sometimes fail to honor the
-    'nolock' option. In other cases, this option is incorrectly passed
-    on to the compiled script, causing the script to issue a usage
-    synopsis and to terminate.
- 
-    Corrected in Shorewall 4.4.11.1
-
-5)  On systems that use the Upstart init system (such as Ubuntu and
-    Fedora), Shorewall-init is not reliable at starting the firewall
-    during boot when normal firewall startup is disabled and UPDOWN=1
-    is specified in /etc/default/shorewall-init.
-
-    Suggested workaround is to not disable normal startup (e.g., do not
-    set startup=0 on Debian-based systems and do not 'checkconfig
-    --del...' on Fedora).
+There are no known problems in Shorewall 4.4.9
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -29,7 +29,7 @@
 #

 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40411
+SHOREWALL_CAPVERSION=40408

 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -185,7 +185,7 @@ valid_address() {
 		;;
 	esac
    done
-
+    
    IFS=$ifs

    return 0
@@ -381,7 +381,7 @@ find_echo() {
    result=$(which echo)
    [ -n "$result" ] && { echo "$result -e"; return; }

-    echo echo
+    echo echo 
 }

 # Determine which version of mktemp is present (if any) and set MKTEMP accortingly:
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -166,7 +166,7 @@ search_log() # $1 = IP address to search for
    else
 	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
    fi
-}
+}    

 #
 # Show traffic control information
@@ -298,7 +298,7 @@ do_save() {
 	status=1
    fi

-    case ${SAVE_IPSETS:=No} in
+    case ${SAVE_IPSETS:=No} in 
 	[Yy]es)
 	    case ${IPSET:=ipset} in
 		*/*)
@@ -345,7 +345,7 @@ save_config() {

    local result
    result=1
-
+    
    iptables_save=${IPTABLES}-save

    [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2
@@ -362,7 +362,17 @@ save_config() {
 		    ;;
 		*)
 		    validate_restorefile RESTOREFILE
-		    do_save && rm -f ${VARDIR}/save
+
+		    if chain_exists dynamic; then
+			if $IPTABLES -L dynamic -n > ${VARDIR}/save; then
+			    echo "   Dynamic Rules Saved"
+			    do_save
+			else
+		            echo "Error Saving the Dynamic Rules" >&2
+			fi
+		    else
+			do_save && rm -f ${VARDIR}/save
+		    fi
 		    ;;
 	    esac
 	fi
@@ -485,7 +495,7 @@ show_command() {
 				    fatal_error "Invalid table name ($s)"
 				    ;;
 			    esac
-
+			    
 			    option=
 			    shift
 			    ;;
@@ -703,7 +713,7 @@ show_command() {
 			;;
 		esac
 	    fi
-
+	    

 	    if [ $# -gt 0 ]; then
 		if [ $1 = dynamic -a $# -gt 1 ]; then
@@ -719,7 +729,7 @@ show_command() {
 			exit 1
 		    fi
 		done
-
+		
 		echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
 		echo
 		show_reset
@@ -790,7 +800,7 @@ dump_command() {
    clear_term
    echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
    echo
-
+    
    show_reset
    host=$(echo $g_hostname | sed 's/\..*$//')
    $IPTABLES -L $g_ipt_options
@@ -834,7 +844,7 @@ dump_command() {
 	heading "PFKEY SPD"
 	setkey -DP
 	heading "PFKEY SAD"
-	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys
+	setkey -D | grep -Ev '^[[:space:]](A:|E:)'  # Don't divulge the keys 
    fi

    heading "/proc"
@@ -1173,7 +1183,7 @@ add_command() {
 	if ! qt $IPSET -L $ipset -n; then
 	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
 	fi
-
+	
 	host=${host#*:}

 	if $IPSET -A $ipset $host; then
@@ -1182,7 +1192,7 @@ add_command() {
 	    fatal_error "Unable to add $interface:$host to zone $zone"
 	fi
    done
-
+	
 }

 #
@@ -1232,7 +1242,7 @@ delete_command() {
 	if ! qt $IPSET -L $ipset -n; then
 	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
 	fi
-
+	
 	host=${hostent#*:}

 	if $IPSET -D $ipset $host; then
@@ -1241,7 +1251,7 @@ delete_command() {
 	    echo "   WARNING: Unable to delete host $hostent to zone $zone" >&2
 	fi
    done
-
+	
 }

 #
@@ -1393,9 +1403,9 @@ logwatch_command() {
 	case $option in
 	    -*)
 		option=${option#-}
-
+		
 		[ -z "$option" ] && usage 1
-
+		
 		while [ -n "$option" ]; do
 		    case $option in
 			v*)
@@ -1426,7 +1436,7 @@ logwatch_command() {
 		;;
 	esac
    done
-
+    
    [ -n "$g_debugging" ] && set -x

    if [ $# -eq 1 ]; then
@@ -1449,10 +1459,6 @@ determine_capabilities() {
 	exit 1
    fi

-    [ "$IP" = ip -o -z "$IP" ] && IP=$(which ip)
-
-    [ -n "$IP" -a -x "$IP" ] || IP=
-
    [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)

    [ -n "$TC" -a -x "$TC" ] || TC=
@@ -1504,7 +1510,6 @@ determine_capabilities() {
    LOG_TARGET=Yes
    PERSISTENT_SNAT=
    FLOW_FILTER=
-    FWMARK_RT_MASK=

    chain=fooX$$

@@ -1629,7 +1634,7 @@ determine_capabilities() {
    if [ -z "$HASHLIMIT_MATCH" ]; then
 	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
 	HASHLIMIT_MATCH=$OLD_HL_MATCH
-    fi
+    fi	
    qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
    qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
    qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -1645,7 +1650,6 @@ determine_capabilities() {
    qt $IPTABLES -X $chain1

    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
-    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes

    CAPVERSION=$SHOREWALL_CAPVERSION
    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
@@ -1713,7 +1717,6 @@ report_capabilities() {
 	report_capability "Persistent SNAT" $PERSISTENT_SNAT
 	report_capability "TPROXY Target" $TPROXY_TARGET
 	report_capability "FLOW Classifier" $FLOW_FILTER
-	report_capability "fwmark route mask" $FWMARK_RT_MASK
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1776,8 +1779,7 @@ report_capabilities1() {
    report_capability1 PERSISTENT_SNAT
    report_capability1 TPROXY_TARGET
    report_capability1 FLOW_FILTER
-    report_capability1 FWMARK_RT_MASK
-
+    
    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
 }
--- a/Shorewall/lib.common
+++ b/Shorewall/lib.common
@@ -45,17 +45,17 @@ get_script_version() { # $1 = script
 	temp=$(echo $temp)
 	IFS=$ifs
 	digits=0
-
+	
 	for temp in $temp; do
 	    version=${version}$(printf '%02d' $temp)
 	    digits=$(($digits + 1))
 	    [ $digits -eq 3 ] && break
 	done
    fi
-
+    
    echo $version
 }
-
+ 
 #
 # Do required exports or create the required option string and run the passed script using
 # $SHOREWALL_SHELL
@@ -66,7 +66,7 @@ run_it() {
    local version

    export VARDIR
-
+	
    script=$1
    shift

@@ -82,7 +82,7 @@ run_it() {
 	export PURGE=$g_purge
 	export TIMESTAMP=$g_timestamp
 	export RECOVERING=$g_recovering
-
+ 
 	if [ "$g_product" != Shorewall ]; then
 	    #
 	    # Shorewall Lite
@@ -94,12 +94,7 @@ run_it() {
 	#
 	# 4.4.8 or later -- no additional exports required
 	#
-	if [ x$1 = xtrace -o x$1 = xdebug ]; then
-	    options="$1 -"
-	    shift;
-	else
-	    options='-'
-	fi
+	options='-'

 	[ -n "$g_noroutes" ]   && options=${options}n
 	[ -n "$g_timestamp" ]  && options=${options}t
@@ -110,7 +105,7 @@ run_it() {

 	[ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
    fi
-
+	
    $SHOREWALL_SHELL $script $options $@
 }

--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-                    S H O R E W A L L  4 . 4 . 1 1 . 1
+                       S H O R E W A L L  4 . 4 . 9
 ----------------------------------------------------------------------------

 I.    RELEASE 4.4 HIGHLIGHTS
@@ -7,7 +7,7 @@ II.   MIGRATION ISSUES
 III.  PROBLEMS CORRECTED IN THIS RELEASE
 IV.   KNOWN PROBLEMS REMAINING
 V.    NEW FEATURES IN THIS RELEASE
-VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
+VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES 

 ----------------------------------------------------------------------------
             I.  R E L E A S E  4 . 4  H I G H L I G H T S
@@ -56,7 +56,7 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES

 11) Support for netfilter's TRACE facility has been added. TRACE allows
    you to trace selected packets through Netfilter, including marking
-    by tcrules.
+    by tcrules. 

 12) You may now preview the generated ruleset by using the '-r' option
    to the 'check' command (e.g., "shorewall check -r").
@@ -155,7 +155,7 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 8)  The install.sh scripts in the Shorewall and Shorewall6 packages no
    longer create a backup copy of the existing configuration. If you
    want your configuration backed up prior to upgrading, you will
-    need to do that yourself.
+    need to do that yourself. 

    As part of this change, the fallback.sh scripts are no longer
    released.
@@ -182,7 +182,7 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
    explicitly call the module's 'initialize' function after the module
    has been loaded.

-12) Checking for zone membership has been tighened up. Previously,
+12) Checking for zone membership has been tighened up. Previously, 
    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
    then it may have no additional members in /etc/shorewall/hosts.
@@ -208,342 +208,16 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 	  iface_ADDRESSES                      SW_iface_ADDRESSES
 	  iface_NETWORKS                       SW_iface_NETWORKS
 	  iface_MAC                            SW_iface_MAC
-
+	  
 	  provider_IS_USABLE                   SW_provider_IS_USABLE

    where 'iface' is a capitalized interface name (e.g., ETH0) and
    'provider' is the capitalized name of a provider.
-
+	  
 ----------------------------------------------------------------------------
 I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------

-4.4.11.1
-
-1)  Previously, the Shoreall6-lite version of shorecap was using
-    iptables rather than ip6tables, with the result that many capabilities
-    that are only available in IPv4 were being reported as available.
-
-2)  In a number of cases, Shorewall6 generated incorrect rules
-    involving the IPv6 multicast network. The rules specify
-    ff00::/10 where they should specify ff00::/8. Also, rules
-    instantiated when the IPv6 firewall is stopped used ff80::/10 rather
-    than fe80::/10 (Ipv6 Link Local network).
-
-3)  Previously, using a destination port-range with :random produced a
-    fatal compilation error in REDIRECT rules.
-
-4)  /sbin/shorewall and /sbin/shorewall6 sometimes failed to honor the
-    'nolock' option. In other cases, this option was incorrectly passed
-    on to the compiled script, causing the script to issue a usage
-    synopsis and to terminate.
- 
-4.4.11
-
-1)  The IPv6 allowBcast action generated an invalid rule.
-
-2)  If IPSET=<pathname> was specified in shorewall.conf, then when an
-    ipset was used in a configuration file entry, the following
-    fatal compilation error occurred:
-
-    ERROR: ipset names in Shorewall configuration files require Ipset
-    Match in your kernel and iptables : /etc/shorewall/rules (line nn)
-
-    If you applied the workaround given in the "Known Problems", then
-    you should remove /etc/shorewall/capabilities after installing
-    this fix.
-
-3)  The start priority of shorewall-init on Debian and Debian-based
-    distributions was previously too low, making it start too late.
-
-4)  The log output from IPv6 logs was almost unreadable due to display
-    of IPv6 addresses in uncompressed format. A similar problem
-    occurred with 'shorewall6 show connections'. This update makes the
-    displays much clearer at the expense of opening the slight
-    possibility of two '::' sequences being incorrectly shown in the
-    same address.
-
-5)  The new REQUIRE_INTERFACE was inadvertently omitted from
-    shorewall.conf and shorewall6.conf. It has been added.
-
-6)  Under some versions of Perl, a Perl run-time diagnostic was produced
-    when options were omitted from shorewall.conf or shorewall6.conf. 
-
-7) If the following options were specified in /etc/shorewall/interfaces
-   for an interface with '-' in the ZONE column, then these options
-   would be ignored if there was an entry in the hosts file for the
-   interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
-   implied when the host list begins with '!').
-
-   	blacklist
-	maclist
-	nosmurfs
-	tcpflags
-
-   Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
-
-8) The generated script was missing a closing quote when
-   REQUIRE_INTERFACE=Yes.
-
-9) Previously, if nets= was specified under Shorewall6, this error
-   would result:
-
-   	 ERROR: Invalid IPv6 address (224.0.0.0) : 
-                /etc/shorewall6/interfaces (line 16)
-
----------------------------------------------------------------------------
-           I V.  K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------
-
-1)  On systems that use the Upstart init system (such as Ubuntu and
-    Fedora), Shorewall-init is not reliable at starting the firewall
-    during boot when normal firewall startup is disabled and UPDOWN=1
-    is specified in /etc/default/shorewall-init.
-
-    Suggested workaround is to not disable normal startup (e.g., do not
-    set startup=0 on Debian-based systems and do not 'checkconfig
-    --del...' on Fedora).
-
----------------------------------------------------------------------------
-         V.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
----------------------------------------------------------------------------
-
-1)  Beginning with this release, Shorewall supports a 'vserver'
-    zone type. This zone type is used with Shorewall running on a
-    Linux-vserver host system and allows you to define zones that
-    represent a set of Linux-vserver hosts.
-
-    See http://www.shorewall.net/Vserver.html for details.
-
-2)  A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
-    and shorewall6.conf. 
-
-    Traditionally, Shorewall has cleared the packet mark in the first
-    rule in the mangle FORWARD chain. This behavior is maintained with
-    the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is
-    set to No, packet marks set in the PREROUTING chain are retained in
-    the FORWARD chains.
-
-    As part of this change, a new "fwmark route mask" capability has
-    been added. If your version of iproute2 supports this capability,
-    fwmark routing rules may specify a mask to be applied to the mark
-    prior to comparison with the mark value in the rule. The presence
-    of this capability allows Shorewall to relax the restriction that
-    small mark values may not be set in the PREROUTING chain when
-    HIGH_ROUTE_MARKS is in effect. If you take advantage of this
-    capability, be sure that you logically OR mark values in PREROUTING
-    makring rules rather then simply setting them unless you are able
-    to set both the high and low bits in the mark in a single rule.
-
-    As always when a new capability has been introduced, be sure to
-    regenerate your capabilities file(s) after installing this release.
-
-3)  A new column (NET3) has been added to the /etc/shorewall/netmap
-    file. This new column can qualify the INTERFACE column by
-    specifying a SOURCE network (DNAT rule) or DEST network (SNAT rule)
-    associated with the interface.
-
-4)  To accomodate systems with more than one version of Perl installed,
-    the shorewall.conf and shorewall6.conf files now support a PERL
-    option. If the program specified by that option does not exist or
-    is not executable, Shorewall (and Shorewall6) fall back to
-    /usr/bin/perl.
-
----------------------------------------------------------------------------
-V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
-      I N   P R I O R  R E L E A S E S
----------------------------------------------------------------------------
-         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 0
----------------------------------------------------------------------------
-1)  Startup Errors (those that are detected before the state of the
-    system has been altered), were previously not sent to the
-    STARTUP_LOG.
-
-2)  A regression of sorts occurred in Shorewall 4.4.9. Previously, a
-    Perl extension script could end with a call to add_rule(). Such a
-    script fails under Shorewall 4.4.9 unless the 'trace' option is
-    specified on the run line.
-
-    While this issue has been corrected, users are advised to always
-    end their Perl extension scripts with the following line to insure
-    that the script returns a 'true' value:
-
-    	 1;
-
-3)  Under rare circumstances involving a complex configuration,
-    OPTIMIZE=13 and OPTIMIZE=15 could cause invalid iptables-restore
-    input to be generated.
-
-    Sample error message:
-
-        iptables-restore v1.4.8: Couldn't load target
-        `sys2sys':/usr/local/libexec/xtables/libipt_sys2sys.so:
-	cannot open shared object file: No such file or directory
-
-4)  Previously, if the 'optional' option was given to an interface with
-    a wildcard physical name, specific instances of the interface were
-    never considered usable.
-
-    Example:
-
-    /etc/shorewall/interfaces:
-
-    #ZONE	INTERFACE	BROADCAST	OPTIONS
-    net		ppp+		-		optional
-
-    /etc/shorewall/providers:
-
-    #PROVIDER	NUMBER	MARK	DUPLICATE	INTERFACE	...
-    XYZTEL	1	-	main		ppp0
-
-    The XYZTEL provider was never usable.
-
-    This configuration now works correctly.
-
----------------------------------------------------------------------------
-               N E W   F E A T U R E S   I N   4 . 4 . 1 0
----------------------------------------------------------------------------
-
-1)  Shorewall 4.4.10 includes a new 'Shorewall Init' package. This new
-    package provides two related features:
-
-    a)  It allows the firewall to be closed prior to bringing up
-        network devices. This insures that unwanted connections are not
-        allowed between the time that the network comes up and when the
-        firewall is started.
-
-    b)  It integrates with NetworkManager and distribution ifup/ifdown
-        systems to allow for 'event-driven' startup and shutdown.
-
-    The two facilities can be enabled separately.
-
-    When Shorewall-init is first installed, it does nothing until you
-    configure it.
-
-    The configuration file is /etc/default/shorewall-init on
-    Debian-based systems and /etc/sysconfig/shorewall-init otherwise.
-
-    There are two settings in the file:
-
-    	  PRODUCTS    - lists the Shorewall packages that you want to
-    	                integrate with Shorewall-init. Example:
-
-			    PRODUCTS="shorewall shorewall6"
-
-          IFUPDOWN      When set to 1, enables integration with
-                        NetworkManager and the ifup/ifdown scripts.
-
-    To close your firewall before networking starts:
-
-    a)  in the Shorewall-init configuration file, set PRODUCTS to the
-        firewall products installed on your system.
-
-    b)  be sure that your current firewall script(s) (normally in
-        /var/lib/<product>/firewall) is(are) compiled with the 4.4.10
-        compiler.
-
-	Shorewall and Shorewall6 users can execute these commands:
-
-	    shorewall compile
-            shorewall6 compile
-
-        Shorewall-lite and Shorewall6-lite users can execute these
-        commands on the administrative system.
-
-	    shorewall export <firewall-name-or-ip-address>
-	    shorewall6 export <firewall-name-or-ip-address>
-
-    That's all that is required.
-
-    To integrate with NetworkManager and ifup/ifdown, additional steps
-    are required. You probably don't want to enable this feature if you
-    run a link status monitor like swping or LSM.
-
-    a)  In the Shorewall-init configuration file, set IFUPDOWN=1.
-
-    b)  In your Shorewall interfaces file(s), set the 'required' option
-        on any interfaces that must be up in order for the firewall to
-        start. At least one interface must have the 'required' or
-        'optional' option if you perform the next optional step. If
-	'required' is specified on an interface with a wildcard name
-        (the physical name ends with '+'), then at least one interface
-        that matches the name must be in a usable state for the
-        firewall to start successfully.
-
-    c)  (Optional) -- If you have specified at least one 'required'
-        or 'optional interface, you can then disable automatic firewall
-        startup at boot time.
-
-	On Debian-based systems, set startup=0 in /etc/default/<product>.
-
-	On other systems, use your service startup configuration tool
-	(chkconfig, insserv, ...) to disable startup.
-
-    The following actions occur when an interface comes up:
-
-    	FIREWALL      INTERFACE     ACTION
-	STATE
-	----------------------------------
-	Any           Required      start
-        stopped       Optional      start
-        started	         -          restart
-
-    The following actions occur when an interface goes down:
-
-    In the INTERFACE column, '-' indicates neither required nor
-    optional
-
-    	FIREWALL      INTERFACE     ACTION
-	STATE
-	----------------------------------
-	Any           Required      stop
-        stopped       Optional      start
-	started	         -          restart
-
-    For optional interfaces, the /var/lib/<product>/<interface>.state
-    files are maintained to reflect the state of the interface.
-
-    Please note that the action is carried out using the current
-    compiled script; the configuration is not recompiled.
-
-    A new option has been added to shorewall.conf and
-    shorewall6.conf. The REQUIRE_INTERFACE option determines the
-    outcome when an attempt to start/restart/restore/refresh the
-    firewall is made and none of the optional interfaces are available.
-    With REQUIRE_INTERFACE=No (the default), the operation is
-    performed. If REQUIRE_INTERFACE=Yes, then the operation fails and
-    the firewall is placed in the stopped state. This option is
-    suitable for a laptop with both ethernet and wireless
-    interfaces. If either come up, the firewall starts. If neither
-    comes up, the firewall remains in the stopped state. Similarly, if
-    an optional interface goes down and there are no optional
-    interfaces remaining in the up state, then the firewall is stopped.
-
-    Shorewall-init may be installed on Debian-based systems, SuSE-based
-    systems and RedHat-based systems.
-
-    On Debian-based systems, during system shutdown the firewall is
-    opened prior to network shutdown (/etc/init.d/shorewall stop
-    performs a 'clear' operation rather than a 'stop'). This is
-    required by Debian standards. You can change this default behavior
-    by setting SAFESTOP=1 in /etc/default/shorewall
-    (/etc/default/shorewall6, ...).
-
-2)  All of the CLIs now support the -a option of the 'version' command.
-
-    Example:
-
-	gateway:~# shorewall6 version -a
-	4.4.10-RC1
-	shorewall: 4.4.10-RC1
-	shorewall-lite: 4.4.10-RC1
-	shorewall6-lite: 4.4.10-RC1
-	shorewall-init: 4.4.10-RC1
-	gateway:~#
-
----------------------------------------------------------------------------
-         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 9
----------------------------------------------------------------------------
 1)  Logical interface names in the EXTERNAL column of
    /etc/shorewall/proxyarp were previously not mapped to their
    corresponding physical interface names. This could cause 'start' or
@@ -614,16 +288,19 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    /etc/shorewall/masq:

    #INTERFACE	SOURCE		ADDRESS		PROTO	PORT
-    tun0	192.168.1.0/24
+    tun0	192.168.1.0/24	

    Use of tunN in the nat and netmap files also produced invalid
    iptables-restore input.

-2)  '/sbin/shorewall version -a' now shows the versions of all installed
-    Shorewall packages.
+----------------------------------------------------------------------------
+           I V.  K N O W N   P R O B L E M S   R E M A I N I N G
+----------------------------------------------------------------------------
+
+None.

 ----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 9
+         V.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------

 1)  The compiler now auto-detects bridges for the purpose of setting
@@ -656,7 +333,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 	I - Inserted a rule into a chain.
 	T - Shell source text appended/inserted into a chain --
            converted into rules at run-time.
-	D - Deleted Rule from a chain; note that this causes the
+	D - Deleted Rule from a chain; note that this causes the 
 	    following rules to be renumbered.
 	X - Deleted a chain
 	P - Change a built-in chains policy. Chains in the filter table
@@ -671,7 +348,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S

    Netfilter trace records indicate the table and chain being
    changed. If the change involves a particular rule, then the rule
-    number is also included.
+    number is also included. 

    Example (append the first rule to the filter FORWARD chain):

@@ -701,7 +378,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    /etc/shorewall/interfaces:
    #ZONE	INTERFACE	BROADCAST	OPTIONS
    dummy	br0		-		routeback
-
+    
    /etc/shorewall/policy:
    #SOURCE	DEST		POLICY
    dummy	all		DROP
@@ -724,10 +401,13 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    administrative system. Simply install using the tarball installer.

 ----------------------------------------------------------------------------
-         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 9
+V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
+      I N   P R I O R  R E L E A S E S
+----------------------------------------------------------------------------
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 8
 ----------------------------------------------------------------------------

-1)  A CONTINUE rule specifying a log level would cause the compiler to
+1)  A CONTINUE rule specifying a log level would cause the compiler to 
    generate an incorrect rule sequence. The packet would be logged
    but the CONTINUE action would not occur.

@@ -759,7 +439,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    1/2 of the values given in the rule.

 5)  Detection of the 'Old hashlimit match' capability was broken in
-    /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of
+    /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of 
    shorecap.

 6)  On older distributions such as RHEL5 and derivatives, Shorewall
@@ -767,7 +447,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    /etc/shorewall/tcinterfaces and LOAD_HELPERS_ONLY had been
    specified in /etc/shorewall/shorewall.conf.

-7)  The Debian init scripts are modified to include $remote_fs in the
+7)  The Debian init scripts are modified to include $remote_fs in the 
    Required-start and Required-stop specifications.

 8)  Previously, when a supported command failed, the Debian Shorewall
@@ -831,7 +511,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 	VERBOSE
 	VERBOSE_OFFSET
 	VERSION
-
+	
    See Migration Issue 14 above for additional information.

 2)  The Shorewall and Shorewall6 installers now accept a '-s' (sparse)
@@ -855,7 +535,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S

    Resulting error message

-       ERROR: The separator for a port range is ':', not '-' (21-22) :
+       ERROR: The separator for a port range is ':', not '-' (21-22) : 
              /etc/shorewall/rules (line 3)

 5)  Support has been added for UDPLITE (proto 136) in that DEST PORT(S)
@@ -866,7 +546,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    'status' command now gives the detailed status as 'Restored from
    <filename>' rather than 'Started'; <filename> is the saved script
    used to restore the configuration.
-
+ 
 ----------------------------------------------------------------------------
         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7
 ----------------------------------------------------------------------------
@@ -875,7 +555,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    installer and are included in the rpm.

 2)  An invalid octal number (e.g., 080) appearing in a port list
-    resulted in a perl error message.
+    resulted in a perl error message. 

    As part of this fix, both hex and octal numbers are now accepted
    for protocol and port numbers.
@@ -940,7 +620,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
      f) If a chain ends with an unconditional branch to a second chain
         (other than to 'reject'), then the branch is deleted from the
         first chain and the rules from the second chain are appended
-         to it.
+         to it. 

      The following chains are exempted from optimization 4:

@@ -997,7 +677,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S

    Modules loaded when LOAD_HELPERS_ONLY=Yes are the protocol
    helpers. These cannot be autoloaded.
-
+    
    In addition, the nf_conntrack_sip module is loaded with
    sip_direct_media=0. This setting is slightly less secure than
    sip_direct_media=1, but it solves many VOIP problems that users
@@ -1030,7 +710,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    the setting of net.ipv4.config.all.rp_filter.

    Beginning with kernel 2.6.31, the value is the arithmetic MAX of
-    those two values.
+    those two values. 

    Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
    there are any interfaces specifying 'routefilter', specifying
@@ -1062,7 +742,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 	Keep	 - Shorewall does not change the setting of
 	           net.ipv4.config.all.rp_filter if the kernel version
 		   is 2.6.31 or later.
-
+        
 	The default remains Keep.

    e)  The 'routefilter' interface option can have values 0,1 or 2. If
@@ -1137,7 +817,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 2)  If any interfaces had the 'bridge' option specified, compilation
    failed with the error:

-    Undefined subroutine &Shorewall::Rules::match_source_interface called
+    Undefined subroutine &Shorewall::Rules::match_source_interface called 
    at /usr/share/shorewall/Shorewall/Rules.pm line 2319.

 3)  The compiler now flags port number 0 as an error in all
@@ -1165,7 +845,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S

 9)  The 'reload -c' command would ignore the setting of DONT_LOAD in
    shorewall.conf. The 'reload' command without '-c' worked as
-    expected.
+    expected. 

 ----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 4 . 5
@@ -1251,7 +931,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S

    /etc/shorewall/zones:

-       #ZONE		TYPE
+       #ZONE		TYPE	
       fw		firewall
       world		ipv4
       z1:world		bport4
@@ -1384,7 +1064,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    	STARTUP_LOG=/var/log/shorewall-init.log
 	LOG_VERBOSITY=2

-    The effect is much the same as the old defaults, with the exception
+    The effect is much the same as the old defaults, with the exception 
    that:

 	a) Start, stop, etc. commands issued through /sbin/shorewall
@@ -1392,7 +1072,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 	b) Logging will occur at maximum verbosity.
 	c) Log entries will be date/time stamped.

-    On non-Debian systems, new installs will now log all Shorewall
+    On non-Debian systems, new installs will now log all Shorewall 
    commands to /var/log/shorewall-init.log.

 2)  A new TRACK_PROVIDERS option has been added in shorewall.conf.
@@ -1410,9 +1090,9 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2
 ----------------------------------------------------------------------------

-1)  Detection of Persistent SNAT was broken in the rules compiler.
+1)  Detection of Persistent SNAT was broken in the rules compiler. 

-2)  Initialization of the compiler's chain table was occurring before
+2)  Initialization of the compiler's chain table was occurring before 
    shorewall.conf had been read and before the capabilities had been
    determined. This could lead to incorrect rules and Perl runtime
    errors.
@@ -1464,14 +1144,14 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
                N E W   F E A T U R E S   I N   4 . 4 . 2
 ----------------------------------------------------------------------------

-1)  Prior to this release, line continuation has taken precedence over
+1)  Prior to this release, line continuation has taken precedence over 
    #-style comments. This prevented us from doing the following:

    	    ACCEPT    net:206.124.146.176,\   #Gateway
 	    	          206.124.146.177,\   #Mail
 			  206.124.146.178\    #Server
 			  		      ...
-
+    
    Now, unless a line ends with '\', any trailing comment is stripped
    off (including any white-space preceding the '#'). Then if the line
    ends with '\', it is treated as a continuation line as normal.
@@ -1523,7 +1203,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 7)  MULTICAST=Yes generates an incorrect rule that limits its
    effectiveness to a small part of the multicast address space.

-8)  Checking for zone membership has been tighened up. Previously,
+8)  Checking for zone membership has been tighened up. Previously, 
    a zone could contain <interface>:0.0.0.0/0 along with other hosts;
    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
    then it may have no additional members in /etc/shorewall/hosts.
@@ -1547,7 +1227,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    eth0	0.0.0.0/0  206.124.146.177-206.124.146.179:persistent

    This feature requires Persistent SNAT support in your kernel and
-    iptables.
+    iptables. 

    If you use a capabilities file, you will need to create a new one
    as a result of this feature.
@@ -1560,7 +1240,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    iptables when asked.

 2)  A 'clean' target has been added to the Makefiles. It removes backup
-    files (*~ and .*~).
+    files (*~ and .*~). 

 3)  The meaning of 'full' has been redefined when used in the context
    of a traffic shaping sub-class. Previously, 'full' always meant the
@@ -1696,7 +1376,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    As always, /var/lib/shorewall[6] is the default directory which may
    be overridden using the /etc/shorewall[6]/vardir file.

-5)  Dynamic zone support is once again available for IPv4. This support
+5)  Dynamic zone support is once again available for IPv4. This support 
    is built on top of ipsets so you must have the xtables-addons
    installed on the firewall system.

@@ -1714,7 +1394,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    - By specifying <interface>:dynamic in the HOST(S) column of an
      entry for the zone in /etc/shorewall/hosts.

-    When there are any dynamic zones present in your configuration,
+    When there are any dynamic zones present in your configuration, 
    Shorewall (Shorewall-lite) will:

    a) Execute the following commands during 'shorewall start' or
@@ -1723,7 +1403,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
           ipset -U :all: :all:
 	   ipset -U :all: :default:
 	   ipset -F
-	   ipset -X
+	   ipset -X   
 	   ipset -R < ${VARDIR}/ipsets.save

       where $VARDIR normally contains /var/lib/shorewall
@@ -1816,7 +1496,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    	 gateway:~ # shorewall restart
    	 Restarting Shorewall....
    	 done.
-    	 gateway:~ #
+    	 gateway:~ # 

    In other words, you can compile the current configuration then
    install it at a later time.
@@ -1866,8 +1546,8 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    This previously generated these two rules (long rules folded):

 	 -A loc2net -p 6 --dport 25 -j LOG --log-level 6
-	    --log-prefix "Shorewall:loc2net:reject:"
-	 -A loc2net -p 6 --dport 25 -j reject
+	    --log-prefix "Shorewall:loc2net:reject:" 
+	 -A loc2net -p 6 --dport 25 -j reject 

    It now generates these rules:

@@ -1876,8 +1556,8 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 	 -A loc2net -p 6 --dport 25 -g log0
 	 ...
 	 -A log0 -j LOG --log-level 6
-	    --log-prefix "Shorewall:loc2net:REJECT:"
-	 -A log0 -j reject
+	    --log-prefix "Shorewall:loc2net:REJECT:" 
+	 -A log0 -j reject 

    Notice that now there is only a single rule generated in the
    'loc2net' chain where before there were two. Packets for other than
@@ -1977,7 +1657,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    It is important to realize that, while class IDs are composed of a
    <major> and a <minor> value, the set of <minor> values must be
    unique. You must keep this in mind when deciding how to map IP
-    addresses to class IDs.
+    addresses to class IDs. 

    For example, suppose that your internal network is 192.168.1.0/29
    (host IP addresses 192.168.1.1 - 192.168.1.6). Your first notion
@@ -2090,7 +1770,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    1:100	-	16mbit		20mbit		2
    1:100:101	-	 8mbit		20mbit		3	default
    1:100:102	-	 8mbit		20mbit		3
-
+     
    /etc/shorewall/tcrules

    #MARK	SOURCE		DEST
@@ -2106,7 +1786,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    Local traffic (that coming from the firewall and from the DMZ
    server) is placed in the effectively unrestricted class 1:10. The
    default class is guaranteed half of the download capacity and my
-    work system (172.20.1.107) is guarandeed the other half.
+    work system (172.20.1.107) is guarandeed the other half.	

 19) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing
    discipline has been added. HFSC is claimed to be superior to the
@@ -2134,7 +1814,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 	         in the class should experience. The delay is expressed
 	         in milliseconds and may be followed by 'ms' (e.g.,
 	      	 10ms. Note that there may be no white space between the
-	      	 number and 'ms').
+	      	 number and 'ms'). 
              3. The maximum transmission unit (UMAX) for this class of
 	         traffic. If not specified, the MTU of the interface is
 		 used. The length is specified in bytes and may be
@@ -2217,7 +1897,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S

 25) A new extension script, 'lib.private' has been added. This file is
    intended to include declarations of shell functions that will be
-    called by the other run-time extension scripts.
+    called by the other run-time extension scripts. 

 26) Paul Gear has contributed the following macros:

@@ -2294,7 +1974,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    If flow is not supported, you will see:

       Unknown filter "flow", hence option "help" is unparsable
-
+    
    If your kernel supports module autoloading, just type (as root):

       modprobe cls_flow
@@ -2303,7 +1983,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    see:

       FATAL: Module cls_flow not found.
-
+    
    If your kernel is not modularized or does not support module
     autoloading, look at your kernel configuration (either
    /proc/config.gz or the .config file in
@@ -2311,7 +1991,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S

    If 'flow' is supported, you will see:

-       NET_CLS_FLOW=m
+       NET_CLS_FLOW=m 

    or

@@ -2319,4 +1999,4 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S

    For modularized kernels, Shorewall will attempt to load
    /lib/modules/<kernel-version>/net/sched/cls_flow.ko by default.
-
+       
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -32,7 +32,7 @@
 #     $1 = Yes: read the params file
 #     $2 = Yes: check for STARTUP_ENABLED
 #     $3 = Yes: Check for LOGFILE
-#
+#     
 get_config() {
    local prog

@@ -47,7 +47,7 @@ get_config() {
    fi

    config=$(find_file shorewall.conf)
-
+    
    if [ -f $config ]; then
 	if [ -r $config ]; then
 	    . $config
@@ -61,7 +61,7 @@ get_config() {
    fi

    ensure_config_path
-
+    
    if [ -z "$g_export" -a "$(id -u)" = 0 ]; then
 	#
 	# This block is avoided for compile for export and when the user isn't root
@@ -109,7 +109,7 @@ get_config() {
 		    IP=$prog
 		    ;;
 	    esac
-	else
+	else 
 	    IP='ip'
 	fi

@@ -130,7 +130,7 @@ get_config() {
 		    IPSET=$prog
 		    ;;
 	    esac
-	else
+	else 
 	    IPSET='ipset'
 	fi

@@ -151,7 +151,7 @@ get_config() {
 		    TC=$prog
 		    ;;
 	    esac
-	else
+	else 
 	    TC='tc'
 	fi
 	#
@@ -196,7 +196,7 @@ get_config() {
 		;;
 	esac

-	[ -z "$LOGFORMAT" ] && LOGFORMAT='Shorewall:%s.%s'
+	[ -z "$LOGFORMAT" ] && LOGFORMAT='Shorewall:%s.%s' 

 	[ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"

@@ -222,7 +222,7 @@ get_config() {
    else
 	STARTUP_LOG=
 	LOG_VERBOSITY=-1
-    fi
+    fi   

    if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -x "$SHOREWALL_SHELL" ]; then
@@ -313,7 +313,7 @@ startup_error() {
 # Run the compiler
 #
 compiler() {
-
+   
    if [ $(id -u) -ne 0 ]; then
 	if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then
 	    startup_error "Ordinary users may not compile the /etc/shorewall configuration"
@@ -338,10 +338,10 @@ compiler() {
    [ -n "$g_profile" ] && debugflags='-wd:DProf'

    # Perl compiler only takes the output file as a argument
-
+	    
    [ "$1" = debug -o "$1" = trace ]  && shift;
    [ "$1" = nolock ] && shift;
-    shift
+    shift 

    options="--verbose=$VERBOSITY"
    [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
@@ -356,20 +356,11 @@ compiler() {
    #
    # Run the appropriate params file
    #
-    set -a;
+    set -a; 
    run_user_exit params
    set +a

-    if [ -n "$PERL" ]; then
-	if [ ! -x "$PERL" ]; then
-	    echo "   WARNING: The program specified in the PERL option does not exist or is not executable; falling back to /usr/bin/perl" >&2
-	    PERL=/usr/bin/perl
-	fi
-    else
-	PERL=/usr/bin/perl
-    fi
-
-    $PERL $debugflags /usr/share/shorewall/compiler.pl $options $@
+    perl $debugflags /usr/share/shorewall/compiler.pl $options $@
 }

 #
@@ -546,7 +537,7 @@ compile_command() {
 			t*)
 			    g_test=Yes
 			    option=${option#t}
-			    ;;
+			    ;;			    
 			d*)
 			    g_debug=Yes;
 			    option=${option#d}
@@ -764,7 +755,7 @@ restart_command() {
 	fi
    fi

-    if [ -z "$g_fast" ]; then
+    if [ -z "$g_fast" ]; then  
 	progress_message3 "Compiling..."

 	if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
@@ -783,7 +774,7 @@ restart_command() {
 	rc=$?
 	[ -n "$nolock" ] || mutex_off
    fi
-
+    
    return $rc
 }

@@ -967,7 +958,7 @@ safe_commands() {
 	    else
 		${VARDIR}/.$command clear
 	    fi
-
+	    
 	    [ -n "$nolock" ] || mutex_off

 	    echo "New configuration has been rejected and the old one restored"
@@ -998,7 +989,7 @@ try_command() {
 		echo "Directory $1 does not exist" >&2 && exit 2
 	    fi
 	fi
-
+	
 	SHOREWALL_DIR=$(resolve_file $1)
    }

@@ -1041,7 +1032,7 @@ try_command() {
 	2)
 	    handle_directory $1
 	    timeout=$2
-	    case $timeout in
+	    case $timeout in 
 		*[!0-9]*)
                    echo "   ERROR: Invalid timeout ($timeout)" >&2;
 		    exit 1
@@ -1093,12 +1084,12 @@ try_command() {

    if ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
 	sleep $timeout
-
+	    
 	if [ "$command" = "restart" ]; then
 	    ${VARDIR}/.try restore
 	else
 	    ${VARDIR}/.$command clear
-	fi
+	fi	    
    fi

    [ -n "$nolock" ] || mutex_off
@@ -1115,7 +1106,7 @@ rsh_command() {
 rcp_command() {
    files="$1"
    destination=$2
-
+    
    eval $RCP_COMMAND
 }

@@ -1256,12 +1247,12 @@ reload_command() # $* = original arguments less the command.
 export_command() # $* = original arguments less the command.
 {
    local verbose
-    verbose=$(make_verbose)
+    verbose=$(make_verbose) 
    local file
-    file=
+    file= 
    local finished
-    finished=0
-    local directory
+    finished=0 
+    local directory 
    local target

    while [ $finished -eq 0 -a $# -gt 0 ]; do
@@ -1335,7 +1326,7 @@ usage() # $1 = exit status
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
    echo "   check [ -e ] [ -r ] [ <directory> ]"
-    echo "   clear"
+    echo "   clear [ -f ]"
    echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   drop <address> ..."
@@ -1378,7 +1369,7 @@ usage() # $1 = exit status
    echo "   show vardir"
    echo "   show zones"
    echo "   start [ -f ] [ -n ] [ -p ] [ <directory> ]"
-    echo "   stop"
+    echo "   stop [ -f ]"
    echo "   status"
    echo "   try <directory> [ <timeout> ]"
    echo "   version [ -a ]"
@@ -1464,7 +1455,7 @@ while [ $finished -eq 0 ]; do
 			;;
 		    v*)
 			option=${option#v}
-			case $option in
+			case $option in 
 			    -1*)
 				g_use_verbosity=-1
 				option=${option#-1}
@@ -1517,7 +1508,6 @@ version_command() {
    finished=0
    local all
    all=
-    local product

    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1552,13 +1542,6 @@ version_command() {

    echo $SHOREWALL_VERSION

-    if [ -n "$all" ]; then
-	for product in shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
 }

 if [ $# -eq 0 ]; then
@@ -1579,7 +1562,7 @@ g_timestamp=
 [ -n "${VARDIR:=/var/lib/shorewall}" ]

 if [ ! -f ${VARDIR}/firewall ]; then
-    [ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall
+    [ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall 
 fi

 g_firewall=${VARDIR}/firewall
@@ -1631,17 +1614,17 @@ case "$COMMAND" in
 	get_config
 	[ $# -ne 1 ] && usage 1
 	[ -x $g_firewall ] || fatal_error "Shorewall has never been started"
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $g_debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
+	mutex_on
+	run_it $g_firewall $g_debugging $nolock $COMMAND
+	mutex_off
 	;;
    reset)
 	get_config
 	shift
-	[ -n "$nolock" ] || mutex_on
+	mutex_on
 	[ -x $g_firewall ] || fatal_error "Shorewall has never been started"
-	run_it $g_firewall $g_debugging reset $@
-	[ -n "$nolock" ] || mutex_off
+	run_it $g_firewall $g_debugging $nolock reset $@
+	mutex_off
 	;;
    compile)
 	get_config Yes
@@ -1695,7 +1678,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -1838,7 +1821,6 @@ case "$COMMAND" in
 	if [ -x $g_restorepath ]; then
 	    rm -f $g_restorepath
 	    rm -f ${g_restorepath}-iptables
-	    rm -f ${g_restorepath}-ipsets
 	    echo "    $g_restorepath removed"
 	elif [ -f $g_restorepath ]; then
 	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
@@ -1930,7 +1912,7 @@ case "$COMMAND" in
 	else
 	    fatal_error "Shorewall is not started"
 	fi
-	;;
+	;;	
     noiptrace)
 	get_config
 	shift
@@ -1940,7 +1922,7 @@ case "$COMMAND" in
 	else
 	    fatal_error "Shorewall is not started"
 	fi
-	;;
+	;;	
    *)
 	usage 1
 	;;
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.11
-%define release 1
+%define version 4.4.9
+%define release 0base

 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute perl
-Provides: shoreline_firewall = %{version}-%{release}
 Obsoletes: shorewall-common shorewall-perl shorewall-shell

 %description
@@ -29,7 +28,7 @@ a multi-function gateway/ router/server or on a standalone GNU/Linux system.
 %build

 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -76,6 +75,7 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall/configfiles
 %attr(0700,root,root) %dir /var/lib/shorewall
 %attr(0644,root,root) %config(noreplace) /etc/shorewall/*
+%attr(0600,root,root) /etc/shorewall/Makefile

 %attr(0644,root,root) /etc/logrotate.d/shorewall

@@ -103,39 +103,11 @@ fi
 %attr(0644,root,root) /usr/share/shorewall/configfiles/*

 %attr(0644,root,root) %{_mandir}/man5/*
-%attr(0644,root,root) %{_mandir}/man8/*
+%attr(0644,root,root) %{_mandir}/man8/shorewall.8.gz

-%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
+%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 

 %changelog
-* Wed Jul 14 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta1
 * Mon May 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0base
 * Sun May 02 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.11.1
+VERSION=4.4.9

 usage() # $1 = exit status
 {
@@ -79,7 +79,7 @@ if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall-lite ]; then
 fi

 if [ -L /usr/share/shorewall/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall/init)
+    FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
 else
    FIREWALL=/etc/init.d/shorewall
 fi
--- a/Shorewall/wait4ifup
+++ b/Shorewall/wait4ifup
@@ -33,7 +33,7 @@
 #

 interface_is_up() {
-    [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ]
+    [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ] 
 }

 case $# in
@@ -57,4 +57,4 @@ done

 exit 1

-
+    
--- a/Shorewall6-lite/default.debian
+++ b/Shorewall6-lite/default.debian
@@ -26,11 +26,4 @@ OPTIONS=""
 #
 INITLOG=/dev/null

-#
-# Set this to 1 to cause '/etc/init.d/shorewall6-lite stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -88,11 +88,7 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
  echo -n "Stopping \"Shorewall6 Lite firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
-      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
+  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.11.1
+VERSION=4.4.9

 usage() # $1 = exit status
 {
@@ -82,16 +82,15 @@ delete_file() # $1 = file to delete

 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    run_install $OWNERSHIP -m $3 $1 ${2}
 }

-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
+# RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -104,6 +103,10 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall6-lite"
 fi

+if [ -z "$RUNLEVELS" ] ; then
+	RUNLEVELS=""
+fi
+
 while [ $# -gt 0 ] ; do
    case "$1" in
 	-h|help|?)
@@ -126,12 +129,11 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 # Determine where to install the firewall script
 #
-INSTALLD='-D'
-T='-T'
+DEBIAN=

 case $(uname) in
    CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -139,10 +141,6 @@ case $(uname) in
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-     Darwin)
-	INSTALLD=
-	T=
-	;;	   
    *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -151,14 +149,14 @@ esac

 OWNERSHIP="-o $OWNER -g $GROUP"

-if [ -n "$DESTDIR" ]; then
+if [ -n "$PREFIX" ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
    fi
    
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
+    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
    DEBIAN=yes
 elif [ -f /etc/slackware-version ] ; then
@@ -180,183 +178,169 @@ echo "Installing Shorewall6 Lite Version $VERSION"
 #
 # Check for /etc/shorewall6-lite
 #
-if [ -z "$DESTDIR" -a -d /etc/shorewall6-lite ]; then
+if [ -z "$PREFIX" -a -d /etc/shorewall6-lite ]; then
    [ -f /etc/shorewall6-lite/shorewall.conf ] && \
 	mv -f /etc/shorewall6-lite/shorewall.conf /etc/shorewall6-lite/shorewall6-lite.conf
 else
-    rm -rf ${DESTDIR}/etc/shorewall6-lite
-    rm -rf ${DESTDIR}/usr/share/shorewall6-lite
-    rm -rf ${DESTDIR}/var/lib/shorewall6-lite
+    rm -rf ${PREFIX}/etc/shorewall6-lite
+    rm -rf ${PREFIX}/usr/share/shorewall6-lite
+    rm -rf ${PREFIX}/var/lib/shorewall6-lite
 fi

 #
 # Check for /sbin/shorewall6-lite
 #
-if [ -f ${DESTDIR}/sbin/shorewall6-lite ]; then
+if [ -f ${PREFIX}/sbin/shorewall6-lite ]; then
    first_install=""
 else
    first_install="Yes"
 fi

-delete_file ${DESTDIR}/usr/share/shorewall6-lite/xmodules
+delete_file ${PREFIX}/usr/share/shorewall6-lite/xmodules

-install_file shorewall6-lite ${DESTDIR}/sbin/shorewall6-lite 0544
+install_file shorewall6-lite ${PREFIX}/sbin/shorewall6-lite 0544 ${PREFIX}/var/lib/shorewall6-lite-${VERSION}.bkout

-echo "Shorewall6 Lite control program installed in ${DESTDIR}/sbin/shorewall6-lite"
+echo "Shorewall6 Lite control program installed in ${PREFIX}/sbin/shorewall6-lite"

 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall6-lite 0544
+    install_file init.debian.sh /etc/init.d/shorewall6-lite 0544 ${PREFIX}/usr/share/shorewall6-lite-${VERSION}.bkout
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-lite-${VERSION}.bkout

 else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-lite-${VERSION}.bkout
 fi

-echo  "Shorewall6 Lite script installed in ${DESTDIR}${DEST}/$INIT"
+echo  "Shorewall6 Lite script installed in ${PREFIX}${DEST}/$INIT"

 #
 # Create /etc/shorewall6-lite, /usr/share/shorewall6-lite and /var/lib/shorewall6-lite if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall6-lite
-mkdir -p ${DESTDIR}/usr/share/shorewall6-lite
-mkdir -p ${DESTDIR}/var/lib/shorewall6-lite
+mkdir -p ${PREFIX}/etc/shorewall6-lite
+mkdir -p ${PREFIX}/usr/share/shorewall6-lite
+mkdir -p ${PREFIX}/var/lib/shorewall6-lite

-chmod 755 ${DESTDIR}/etc/shorewall6-lite
-chmod 755 ${DESTDIR}/usr/share/shorewall6-lite
+chmod 755 ${PREFIX}/etc/shorewall6-lite
+chmod 755 ${PREFIX}/usr/share/shorewall6-lite

-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
 fi

 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/shorewall6-lite/shorewall6-lite.conf ]; then
-   install_file shorewall6-lite.conf ${DESTDIR}/etc/shorewall6-lite/shorewall6-lite.conf 0744
-   echo "Config file installed as ${DESTDIR}/etc/shorewall6-lite/shorewall6-lite.conf"
+if [ ! -f ${PREFIX}/etc/shorewall6-lite/shorewall6-lite.conf ]; then
+   run_install $OWNERSHIP -m 0744 shorewall6-lite.conf ${PREFIX}/etc/shorewall6-lite/shorewall6-lite.conf
+   echo "Config file installed as ${PREFIX}/etc/shorewall6-lite/shorewall6-lite.conf"
 fi

 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall6-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall6-lite/shorewall.conf
 fi

 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall6-lite
-echo "Makefile installed as ${DESTDIR}/etc/shorewall6-lite/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall6-lite/Makefile
+echo "Makefile installed as ${PREFIX}/etc/shorewall6-lite/Makefile"

 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall6-lite/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall6-lite/configpath"
+install_file configpath ${PREFIX}/usr/share/shorewall6-lite/configpath 0644
+echo "Default config path file installed as ${PREFIX}/usr/share/shorewall6-lite/configpath"

 #
 # Install the libraries
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall6-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6-lite/$f"
+	install_file $f ${PREFIX}/usr/share/shorewall6-lite/$f 0644
+	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall6-lite/$f"
    fi
 done

-ln -sf lib.base ${DESTDIR}/usr/share/shorewall6-lite/functions
+ln -sf lib.base ${PREFIX}/usr/share/shorewall6-lite/functions

-echo "Common functions linked through ${DESTDIR}/usr/share/shorewall6-lite/functions"
+echo "Common functions linked through ${PREFIX}/usr/share/shorewall6-lite/functions"

 #
 # Install Shorecap
 #

-install_file shorecap ${DESTDIR}/usr/share/shorewall6-lite/shorecap 0755
+install_file shorecap ${PREFIX}/usr/share/shorewall6-lite/shorecap 0755

 echo
-echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall6-lite/shorecap"
+echo "Capability file builder installed in ${PREFIX}/usr/share/shorewall6-lite/shorecap"

 #
 # Install wait4ifup
 #

-if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup 0755
+install_file wait4ifup ${PREFIX}/usr/share/shorewall6-lite/wait4ifup 0755

-    echo
-    echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup"
-fi
+echo
+echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall6-lite/wait4ifup"

-if [ -f modules ]; then
-    #
-    # Install the Modules file
-    #
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall6-lite
-    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall6-lite/modules"
-fi
+#
+# Install the Modules file
+#
+run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall6-lite/modules
+echo "Modules file installed as ${PREFIX}/usr/share/shorewall6-lite/modules"

-if [ -d manpages ]; then
-    #
-    # Install the Man Pages
-    #
+#
+# Install the Man Pages
+#

-    cd manpages
+cd manpages

-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
+for f in *.5; do
+    gzip -c $f > $f.gz
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man5/$f.gz"
+done

-    for f in *.5; do
-	gzip -c $f > $f.gz
-	run_install $INSTALLD -m 644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
-    done
+for f in *.8; do
+    gzip -c $f > $f.gz
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man8/$f.gz"
+done

-    for f in *.8; do
-	gzip -c $f > $f.gz
-	run_install $INSTALLD -m 644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
-    done
-    
-    cd ..
+cd ..

-    echo "Man Pages Installed"
-fi
+echo "Man Pages Installed"

-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall6-lite
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall6-lite"
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6-lite
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6-lite"
 fi

 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall6-lite/version
-chmod 644 ${DESTDIR}/usr/share/shorewall6-lite/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall6-lite/version
+chmod 644 ${PREFIX}/usr/share/shorewall6-lite/version
 #
 # Remove and create the symbolic link to the init script
 #

-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
    rm -f /usr/share/shorewall6-lite/init
    ln -s ${DEST}/${INIT} /usr/share/shorewall6-lite/init
 fi

-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
    touch /var/log/shorewall6-lite-init.log

    if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite
-
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall6-lite
-	    else
-		ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
-	    fi
-
+	    ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
 	    echo "Shorewall6 Lite will start automatically at boot"
 	else
 	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -58,7 +58,7 @@ g_product="Shorewall Lite"

 SHOREWALL_VERSION=$(cat /usr/share/shorewall6-lite/version)

-[ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables)
+[ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich iptables)

 VERBOSITY=0
 load_kernel_modules No
--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -349,7 +349,7 @@ usage() # $1 = exit status
    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
    echo "where <command> is one of:"
    echo "   allow <address> ..."
-    echo "   clear"
+    echo "   clear [ -f ]"
    echo "   drop <address> ..."
    echo "   dump [ -x ]"
    echo "   forget [ <file name> ]"
@@ -366,62 +366,13 @@ usage() # $1 = exit status
    echo "   save [ <file name> ]"
    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]capabilities|classifiers|config|connections|filters|ip|log [<regex>]|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
    echo "   start [ -f ] [ <directory> ]"
-    echo "   stop"
+    echo "   stop [ -f ]"
    echo "   status"
    echo "   version [ -a ]"
    echo
    exit $1
 }

-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-    local product
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-    
-    if [ -n "$all" ]; then
-	for product in shorewall shorewall6 shorewall-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
 #
 # Execution begins here
 #
@@ -615,9 +566,7 @@ case "$COMMAND" in
    stop|reset|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $debugging $COMMAND
-	[ -n "$nolock" ] || mutex_on
+	run_it $g_firewall $debugging $nolock $COMMAND
 	;;
    restart)
 	shift
@@ -643,7 +592,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -664,8 +613,7 @@ case "$COMMAND" in
 	hits_command $@
 	;;
    version)
-	shift
-	version_command $@
+	echo $SHOREWALL_VERSION Lite
 	;;
    logwatch)
 	logwatch_command $@
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.11
-%define release 1
+%define version 4.4.9
+%define release 0base

 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute
-Provides: shoreline_firewall = %{version}-%{release}

 %description

@@ -32,7 +31,7 @@ administrators to centralize the configuration of Shorewall6-based firewalls.
 %build

 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -93,34 +92,6 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
-* Wed Jul 14 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta1
 * Mon May 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0base
 * Sun May 02 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.11.1
+VERSION=4.4.9

 usage() # $1 = exit status
 {
@@ -67,7 +67,7 @@ if qt ip6tables -L shorewall -n && [ ! -f /sbin/shorewall6 ]; then
 fi

 if [ -L /usr/share/shorewall6-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall6-lite/init)
+    FIREWALL=$(ls -l /usr/share/shorewall6-lite/init | sed 's/^.*> //')
 else
    FIREWALL=/etc/init.d/shorewall6-lite
 fi
--- a/Shorewall6/action.Drop
+++ b/Shorewall6/action.Drop
@@ -28,11 +28,6 @@ Auth(REJECT)
 #
 AllowICMPs	-	-	ipv6-icmp
 #
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
--- a/Shorewall6/action.Reject
+++ b/Shorewall6/action.Reject
@@ -20,16 +20,10 @@
 #
 Auth(REJECT)
 #
-# Drop Multicasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
+# ACCEPT critical ICMP types
 #
 AllowICMPs	-	-	ipv6-icmp
 #
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
--- a/Shorewall6/default.debian
+++ b/Shorewall6/default.debian
@@ -21,16 +21,4 @@ startup=0

 OPTIONS=""

-#
-# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
-#
-INITLOG=/dev/null
-
-#
-# Set this to 1 to cause '/etc/init.d/shorewall6 stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF
--- a/Shorewall6/init.debian.sh
+++ b/Shorewall6/init.debian.sh
@@ -93,11 +93,7 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
  echo -n "Stopping \"Shorewall6 firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
-      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
+  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.11.1
+VERSION=4.4.9

 usage() # $1 = exit status
 {
@@ -85,13 +85,12 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $OWNERSHIP -m $3 $1 ${2}
 }

-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
+# RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -104,6 +103,10 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall6"
 fi

+if [ -z "$RUNLEVELS" ] ; then
+	RUNLEVELS=""
+fi
+
 DEBIAN=
 CYGWIN=
 MAC=
@@ -113,7 +116,7 @@ INSTALLD='-D'

 case $(uname) in
    CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -124,15 +127,15 @@ case $(uname) in
 	SPARSE=Yes
 	;;
    Darwin)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
-	    SPARSE=Yes
 	fi

 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
 	MAC=Yes
+	SPARSE=Yes
 	INSTALLD=
 	;;	
    *)
@@ -169,7 +172,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 # Determine where to install the firewall script
 #

-if [ -n "$DESTDIR" ]; then
+if [ -n "$PREFIX" ]; then
    if [ -z "$CYGWIN" ]; then
 	if [ `id -u` != 0 ] ; then
 	    echo "Not setting file owner/group permissions, not running as root."
@@ -177,8 +180,8 @@ if [ -n "$DESTDIR" ]; then
 	fi    
    fi
 	
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
+    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
   
    CYGWIN=
    MAC=
@@ -218,18 +221,18 @@ echo "Installing Shorewall6 Version $VERSION"
 #
 # Check for /sbin/shorewall6
 #
-if [ -f ${DESTDIR}/sbin/shorewall6 ]; then
+if [ -f ${PREFIX}/sbin/shorewall6 ]; then
    first_install=""
 else
    first_install="Yes"
 fi

 if [ -z "$CYGWIN" ]; then
-   install_file shorewall6 ${DESTDIR}/sbin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout
-   echo "shorewall6 control program installed in ${DESTDIR}/sbin/shorewall6"
+   install_file shorewall6 ${PREFIX}/sbin/shorewall6 0755 ${PREFIX}/var/lib/shorewall6-${VERSION}.bkout
+   echo "shorewall6 control program installed in ${PREFIX}/sbin/shorewall6"
 else
-   install_file shorewall6 ${DESTDIR}/bin/shorewall6 0755 ${DESTDIR}/var/lib/shorewall6-${VERSION}.bkout
-   echo "shorewall6 control program installed in ${DESTDIR}/bin/shorewall6"
+   install_file shorewall6 ${PREFIX}/bin/shorewall6 0755 ${PREFIX}/var/lib/shorewall6-${VERSION}.bkout
+   echo "shorewall6 control program installed in ${PREFIX}/bin/shorewall6"
 fi


@@ -237,451 +240,451 @@ fi
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh /etc/init.d/shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+    install_file init.debian.sh /etc/init.d/shorewall6 0544 ${PREFIX}/usr/share/shorewall6-${VERSION}.bkout
 elif [ -n "$SLACKWARE" ]; then
-    install_file init.slackware.shorewall6.sh ${DESTDIR}${DEST}/rc.shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+    install_file init.slackware.shorewall6.sh ${PREFIX}${DEST}/rc.shorewall6 0544 ${PREFIX}/usr/share/shorewall6-${VERSION}.bkout
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-${VERSION}.bkout
 elif [ -n "$INIT" ]; then
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-${VERSION}.bkout
 fi

-[ -n "$INIT" ] && echo  "Shorewall6 script installed in ${DESTDIR}${DEST}/$INIT"
+[ -n "$INIT" ] && echo  "Shorewall6 script installed in ${PREFIX}${DEST}/$INIT"

 #
 # Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall6
-mkdir -p ${DESTDIR}/usr/share/shorewall6
-mkdir -p ${DESTDIR}/usr/share/shorewall6/configfiles
-mkdir -p ${DESTDIR}/var/lib/shorewall6
+mkdir -p ${PREFIX}/etc/shorewall6
+mkdir -p ${PREFIX}/usr/share/shorewall6
+mkdir -p ${PREFIX}/usr/share/shorewall6/configfiles
+mkdir -p ${PREFIX}/var/lib/shorewall6

-chmod 755 ${DESTDIR}/etc/shorewall6
-chmod 755 ${DESTDIR}/usr/share/shorewall6
-chmod 755 ${DESTDIR}/usr/share/shorewall6/configfiles
+chmod 755 ${PREFIX}/etc/shorewall6
+chmod 755 ${PREFIX}/usr/share/shorewall6
+chmod 755 ${PREFIX}/usr/share/shorewall6/configfiles

-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
 fi

 #
 # Install the config file
 #
-run_install $OWNERSHIP -m 0644 shorewall6.conf ${DESTDIR}/usr/share/shorewall6/configfiles/shorewall6.conf
+run_install $OWNERSHIP -m 0644 shorewall6.conf ${PREFIX}/usr/share/shorewall6/configfiles/shorewall6.conf

-perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6|;' ${DESTDIR}/usr/share/shorewall6/configfiles/shorewall6.conf
-perl -p -w -i -e 's|^STARTUP_LOG=.*|STARTUP_LOG=/var/log/shorewall6-lite-init.log|;' ${DESTDIR}/usr/share/shorewall6/configfiles/shorewall6.conf
+perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall6/configfiles:/usr/share/shorewall6|;' ${PREFIX}/usr/share/shorewall6/configfiles/shorewall6.conf
+perl -p -w -i -e 's|^STARTUP_LOG=.*|STARTUP_LOG=/var/log/shorewall6-lite-init.log|;' ${PREFIX}/usr/share/shorewall6/configfiles/shorewall6.conf

-if [ ! -f ${DESTDIR}/etc/shorewall6/shorewall6.conf ]; then
-   run_install $OWNERSHIP -m 0644 shorewall6.conf ${DESTDIR}/etc/shorewall6/shorewall6.conf
+if [ ! -f ${PREFIX}/etc/shorewall6/shorewall6.conf ]; then
+   run_install $OWNERSHIP -m 0644 shorewall6.conf ${PREFIX}/etc/shorewall6/shorewall6.conf

   if [ -n "$DEBIAN" ] && mywhich perl; then
       #
       # Make a Debian-like shorewall6.conf
       #
-       perl -p -w -i -e 's|^STARTUP_ENABLED=.*|STARTUP_ENABLED=Yes|;' ${DESTDIR}/etc/shorewall6/shorewall6.conf
+       perl -p -w -i -e 's|^STARTUP_ENABLED=.*|STARTUP_ENABLED=Yes|;' ${PREFIX}/etc/shorewall6/shorewall6.conf
   fi

-   echo "Config file installed as ${DESTDIR}/etc/shorewall6/shorewall6.conf"
+   echo "Config file installed as ${PREFIX}/etc/shorewall6/shorewall6.conf"
 fi


 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall6/shorewall6.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall6/shorewall6.conf
 fi
 #
 # Install the zones file
 #
-run_install $OWNERSHIP -m 0644 zones ${DESTDIR}/usr/share/shorewall6/configfiles/zones
+run_install $OWNERSHIP -m 0644 zones ${PREFIX}/usr/share/shorewall6/configfiles/zones

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/zones ]; then
-    run_install $OWNERSHIP -m 0744 zones ${DESTDIR}/etc/shorewall6/zones
-    echo "Zones file installed as ${DESTDIR}/etc/shorewall6/zones"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/zones ]; then
+    run_install $OWNERSHIP -m 0744 zones ${PREFIX}/etc/shorewall6/zones
+    echo "Zones file installed as ${PREFIX}/etc/shorewall6/zones"
 fi

-delete_file ${DESTDIR}/usr/share/shorewall6/compiler
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.accounting
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.actions
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.dynamiczones
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.maclist
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.nat
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.providers
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.proxyarp
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.tc
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.tcrules
-delete_file ${DESTDIR}/usr/share/shorewall6/lib.tunnels
-delete_file ${DESTDIR}/usr/share/shorewall6/prog.header
-delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer
+delete_file ${PREFIX}/usr/share/shorewall6/compiler
+delete_file ${PREFIX}/usr/share/shorewall6/lib.accounting
+delete_file ${PREFIX}/usr/share/shorewall6/lib.actions
+delete_file ${PREFIX}/usr/share/shorewall6/lib.dynamiczones
+delete_file ${PREFIX}/usr/share/shorewall6/lib.maclist
+delete_file ${PREFIX}/usr/share/shorewall6/lib.nat
+delete_file ${PREFIX}/usr/share/shorewall6/lib.providers
+delete_file ${PREFIX}/usr/share/shorewall6/lib.proxyarp
+delete_file ${PREFIX}/usr/share/shorewall6/lib.tc
+delete_file ${PREFIX}/usr/share/shorewall6/lib.tcrules
+delete_file ${PREFIX}/usr/share/shorewall6/lib.tunnels
+delete_file ${PREFIX}/usr/share/shorewall6/prog.header
+delete_file ${PREFIX}/usr/share/shorewall6/prog.footer

 #
 # Install wait4ifup
 #

-install_file wait4ifup ${DESTDIR}/usr/share/shorewall6/wait4ifup 0755
+install_file wait4ifup ${PREFIX}/usr/share/shorewall6/wait4ifup 0755

 echo
-echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6/wait4ifup"
+echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall6/wait4ifup"

 #
 # Install the policy file
 #
-run_install $OWNERSHIP -m 0644 policy ${DESTDIR}/usr/share/shorewall6/configfiles/policy
+run_install $OWNERSHIP -m 0644 policy ${PREFIX}/usr/share/shorewall6/configfiles/policy

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/policy ]; then
-    run_install $OWNERSHIP -m 0600 policy ${DESTDIR}/etc/shorewall6/policy
-    echo "Policy file installed as ${DESTDIR}/etc/shorewall6/policy"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/policy ]; then
+    run_install $OWNERSHIP -m 0600 policy ${PREFIX}/etc/shorewall6/policy
+    echo "Policy file installed as ${PREFIX}/etc/shorewall6/policy"
 fi
 #
 # Install the interfaces file
 #
-run_install $OWNERSHIP -m 0644 interfaces ${DESTDIR}/usr/share/shorewall6/configfiles/interfaces
+run_install $OWNERSHIP -m 0644 interfaces ${PREFIX}/usr/share/shorewall6/configfiles/interfaces

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/interfaces ]; then
-    run_install $OWNERSHIP -m 0600 interfaces ${DESTDIR}/etc/shorewall6/interfaces
-    echo "Interfaces file installed as ${DESTDIR}/etc/shorewall6/interfaces"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/interfaces ]; then
+    run_install $OWNERSHIP -m 0600 interfaces ${PREFIX}/etc/shorewall6/interfaces
+    echo "Interfaces file installed as ${PREFIX}/etc/shorewall6/interfaces"
 fi

 #
 # Install the hosts file
 #
-run_install $OWNERSHIP -m 0644 hosts ${DESTDIR}/usr/share/shorewall6/configfiles/hosts
+run_install $OWNERSHIP -m 0644 hosts ${PREFIX}/usr/share/shorewall6/configfiles/hosts

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/hosts ]; then
-    run_install $OWNERSHIP -m 0600 hosts ${DESTDIR}/etc/shorewall6/hosts
-    echo "Hosts file installed as ${DESTDIR}/etc/shorewall6/hosts"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/hosts ]; then
+    run_install $OWNERSHIP -m 0600 hosts ${PREFIX}/etc/shorewall6/hosts
+    echo "Hosts file installed as ${PREFIX}/etc/shorewall6/hosts"
 fi
 #
 # Install the rules file
 #
-run_install $OWNERSHIP -m 0644 rules ${DESTDIR}/usr/share/shorewall6/configfiles/rules
+run_install $OWNERSHIP -m 0644 rules ${PREFIX}/usr/share/shorewall6/configfiles/rules

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/rules ]; then
-    run_install $OWNERSHIP -m 0600 rules ${DESTDIR}/etc/shorewall6/rules
-    echo "Rules file installed as ${DESTDIR}/etc/shorewall6/rules"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/rules ]; then
+    run_install $OWNERSHIP -m 0600 rules ${PREFIX}/etc/shorewall6/rules
+    echo "Rules file installed as ${PREFIX}/etc/shorewall6/rules"
 fi
 #
 # Install the Parameters file
 #
-run_install $OWNERSHIP -m 0644 params ${DESTDIR}/usr/share/shorewall6/configfiles/params
+run_install $OWNERSHIP -m 0644 params ${PREFIX}/usr/share/shorewall6/configfiles/params

-if [ -f ${DESTDIR}/etc/shorewall6/params ]; then
-    chmod 0644 ${DESTDIR}/etc/shorewall6/params
+if [ -f ${PREFIX}/etc/shorewall6/params ]; then
+    chmod 0644 ${PREFIX}/etc/shorewall6/params
 else
-    run_install $OWNERSHIP -m 0644 params ${DESTDIR}/etc/shorewall6/params
-    echo "Parameter file installed as ${DESTDIR}/etc/shorewall6/params"
+    run_install $OWNERSHIP -m 0644 params ${PREFIX}/etc/shorewall6/params
+    echo "Parameter file installed as ${PREFIX}/etc/shorewall6/params"
 fi
 #
 # Install the Stopped Routing file
 #
-run_install $OWNERSHIP -m 0644 routestopped ${DESTDIR}/usr/share/shorewall6/configfiles/routestopped
+run_install $OWNERSHIP -m 0644 routestopped ${PREFIX}/usr/share/shorewall6/configfiles/routestopped

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/routestopped ]; then
-    run_install $OWNERSHIP -m 0600 routestopped ${DESTDIR}/etc/shorewall6/routestopped
-    echo "Stopped Routing file installed as ${DESTDIR}/etc/shorewall6/routestopped"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/routestopped ]; then
+    run_install $OWNERSHIP -m 0600 routestopped ${PREFIX}/etc/shorewall6/routestopped
+    echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall6/routestopped"
 fi
 #
 # Install the Mac List file
 #
-run_install $OWNERSHIP -m 0644 maclist ${DESTDIR}/usr/share/shorewall6/configfiles/maclist
+run_install $OWNERSHIP -m 0644 maclist ${PREFIX}/usr/share/shorewall6/configfiles/maclist

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/maclist ]; then
-    run_install $OWNERSHIP -m 0600 maclist ${DESTDIR}/etc/shorewall6/maclist
-    echo "MAC list file installed as ${DESTDIR}/etc/shorewall6/maclist"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/maclist ]; then
+    run_install $OWNERSHIP -m 0600 maclist ${PREFIX}/etc/shorewall6/maclist
+    echo "MAC list file installed as ${PREFIX}/etc/shorewall6/maclist"
 fi
 #
 # Install the Modules file
 #
-run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall6/modules
-echo "Modules file installed as ${DESTDIR}/usr/share/shorewall6/modules"
+run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall6/modules
+echo "Modules file installed as ${PREFIX}/usr/share/shorewall6/modules"

 #
 # Install the Module Helpers file
 #
-run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/shorewall6/helpers
-echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall6/helpers"
+run_install $OWNERSHIP -m 0600 helpers ${PREFIX}/usr/share/shorewall6/helpers
+echo "Helper modules file installed as ${PREFIX}/usr/share/shorewall6/helpers"

 #
 # Install the TC Rules file
 #
-run_install $OWNERSHIP -m 0644 tcrules ${DESTDIR}/usr/share/shorewall6/configfiles/tcrules
+run_install $OWNERSHIP -m 0644 tcrules ${PREFIX}/usr/share/shorewall6/configfiles/tcrules

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcrules ]; then
-    run_install $OWNERSHIP -m 0600 tcrules ${DESTDIR}/etc/shorewall6/tcrules
-    echo "TC Rules file installed as ${DESTDIR}/etc/shorewall6/tcrules"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcrules ]; then
+    run_install $OWNERSHIP -m 0600 tcrules ${PREFIX}/etc/shorewall6/tcrules
+    echo "TC Rules file installed as ${PREFIX}/etc/shorewall6/tcrules"
 fi

 #
 # Install the TC Interfaces file
 #
-run_install $OWNERSHIP -m 0644 tcinterfaces ${DESTDIR}/usr/share/shorewall6/configfiles/tcinterfaces
+run_install $OWNERSHIP -m 0644 tcinterfaces ${PREFIX}/usr/share/shorewall6/configfiles/tcinterfaces

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcinterfaces ]; then
-    run_install $OWNERSHIP -m 0600 tcinterfaces ${DESTDIR}/etc/shorewall6/tcinterfaces
-    echo "TC Interfaces file installed as ${DESTDIR}/etc/shorewall6/tcinterfaces"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcinterfaces ]; then
+    run_install $OWNERSHIP -m 0600 tcinterfaces ${PREFIX}/etc/shorewall6/tcinterfaces
+    echo "TC Interfaces file installed as ${PREFIX}/etc/shorewall6/tcinterfaces"
 fi

 #
 # Install the TC Priority file
 #
-run_install $OWNERSHIP -m 0644 tcpri ${DESTDIR}/usr/share/shorewall6/configfiles/tcpri
+run_install $OWNERSHIP -m 0644 tcpri ${PREFIX}/usr/share/shorewall6/configfiles/tcpri

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcpri ]; then
-    run_install $OWNERSHIP -m 0600 tcpri ${DESTDIR}/etc/shorewall6/tcpri
-    echo "TC Priority file installed as ${DESTDIR}/etc/shorewall6/tcpri"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcpri ]; then
+    run_install $OWNERSHIP -m 0600 tcpri ${PREFIX}/etc/shorewall6/tcpri
+    echo "TC Priority file installed as ${PREFIX}/etc/shorewall6/tcpri"
 fi

 #
 # Install the TOS file
 #
-run_install $OWNERSHIP -m 0644 tos ${DESTDIR}/usr/share/shorewall6/configfiles/tos
+run_install $OWNERSHIP -m 0644 tos ${PREFIX}/usr/share/shorewall6/configfiles/tos

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tos ]; then
-    run_install $OWNERSHIP -m 0600 tos ${DESTDIR}/etc/shorewall6/tos
-    echo "TOS file installed as ${DESTDIR}/etc/shorewall6/tos"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tos ]; then
+    run_install $OWNERSHIP -m 0600 tos ${PREFIX}/etc/shorewall6/tos
+    echo "TOS file installed as ${PREFIX}/etc/shorewall6/tos"
 fi
 #
 # Install the Tunnels file
 #
-run_install $OWNERSHIP -m 0644 tunnels ${DESTDIR}/usr/share/shorewall6/configfiles/tunnels
+run_install $OWNERSHIP -m 0644 tunnels ${PREFIX}/usr/share/shorewall6/configfiles/tunnels

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tunnels ]; then
-    run_install $OWNERSHIP -m 0600 tunnels ${DESTDIR}/etc/shorewall6/tunnels
-    echo "Tunnels file installed as ${DESTDIR}/etc/shorewall6/tunnels"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tunnels ]; then
+    run_install $OWNERSHIP -m 0600 tunnels ${PREFIX}/etc/shorewall6/tunnels
+    echo "Tunnels file installed as ${PREFIX}/etc/shorewall6/tunnels"
 fi
 #
 # Install the blacklist file
 #
-run_install $OWNERSHIP -m 0644 blacklist ${DESTDIR}/usr/share/shorewall6/configfiles/blacklist
+run_install $OWNERSHIP -m 0644 blacklist ${PREFIX}/usr/share/shorewall6/configfiles/blacklist

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/blacklist ]; then
-    run_install $OWNERSHIP -m 0600 blacklist ${DESTDIR}/etc/shorewall6/blacklist
-    echo "Blacklist file installed as ${DESTDIR}/etc/shorewall6/blacklist"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/blacklist ]; then
+    run_install $OWNERSHIP -m 0600 blacklist ${PREFIX}/etc/shorewall6/blacklist
+    echo "Blacklist file installed as ${PREFIX}/etc/shorewall6/blacklist"
 fi
 #
 # Install the Providers file
 #
-run_install $OWNERSHIP -m 0644 providers ${DESTDIR}/usr/share/shorewall6/configfiles/providers
+run_install $OWNERSHIP -m 0644 providers ${PREFIX}/usr/share/shorewall6/configfiles/providers

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/providers ]; then
-    run_install $OWNERSHIP -m 0600 providers ${DESTDIR}/etc/shorewall6/providers
-    echo "Providers file installed as ${DESTDIR}/etc/shorewall6/providers"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/providers ]; then
+    run_install $OWNERSHIP -m 0600 providers ${PREFIX}/etc/shorewall6/providers
+    echo "Providers file installed as ${PREFIX}/etc/shorewall6/providers"
 fi

 #
 # Install the Route Rules file
 #
-run_install $OWNERSHIP -m 0644 route_rules ${DESTDIR}/usr/share/shorewall6/configfiles/route_rules
+run_install $OWNERSHIP -m 0644 route_rules ${PREFIX}/usr/share/shorewall6/configfiles/route_rules

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/route_rules ]; then
-    run_install $OWNERSHIP -m 0600 route_rules ${DESTDIR}/etc/shorewall6/route_rules
-    echo "Routing rules file installed as ${DESTDIR}/etc/shorewall6/route_rules"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/route_rules ]; then
+    run_install $OWNERSHIP -m 0600 route_rules ${PREFIX}/etc/shorewall6/route_rules
+    echo "Routing rules file installed as ${PREFIX}/etc/shorewall6/route_rules"
 fi

 #
 # Install the tcclasses file
 #
-run_install $OWNERSHIP -m 0644 tcclasses ${DESTDIR}/usr/share/shorewall6/configfiles/tcclasses
+run_install $OWNERSHIP -m 0644 tcclasses ${PREFIX}/usr/share/shorewall6/configfiles/tcclasses

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcclasses ]; then
-    run_install $OWNERSHIP -m 0600 tcclasses ${DESTDIR}/etc/shorewall6/tcclasses
-    echo "TC Classes file installed as ${DESTDIR}/etc/shorewall6/tcclasses"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcclasses ]; then
+    run_install $OWNERSHIP -m 0600 tcclasses ${PREFIX}/etc/shorewall6/tcclasses
+    echo "TC Classes file installed as ${PREFIX}/etc/shorewall6/tcclasses"
 fi

 #
 # Install the tcdevices file
 #
-run_install $OWNERSHIP -m 0644 tcdevices ${DESTDIR}/usr/share/shorewall6/configfiles/tcdevices
+run_install $OWNERSHIP -m 0644 tcdevices ${PREFIX}/usr/share/shorewall6/configfiles/tcdevices

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcdevices ]; then
-    run_install $OWNERSHIP -m 0600 tcdevices ${DESTDIR}/etc/shorewall6/tcdevices
-    echo "TC Devices file installed as ${DESTDIR}/etc/shorewall6/tcdevices"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcdevices ]; then
+    run_install $OWNERSHIP -m 0600 tcdevices ${PREFIX}/etc/shorewall6/tcdevices
+    echo "TC Devices file installed as ${PREFIX}/etc/shorewall6/tcdevices"
 fi

 #
 # Install the Notrack file
 #
-run_install $OWNERSHIP -m 0644 notrack ${DESTDIR}/usr/share/shorewall6/configfiles/notrack
+run_install $OWNERSHIP -m 0644 notrack ${PREFIX}/usr/share/shorewall6/configfiles/notrack

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/notrack ]; then
-    run_install $OWNERSHIP -m 0600 notrack ${DESTDIR}/etc/shorewall6/notrack
-    echo "Notrack file installed as ${DESTDIR}/etc/shorewall6/notrack"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/notrack ]; then
+    run_install $OWNERSHIP -m 0600 notrack ${PREFIX}/etc/shorewall6/notrack
+    echo "Notrack file installed as ${PREFIX}/etc/shorewall6/notrack"
 fi
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall6/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall6/configpath"
+install_file configpath ${PREFIX}/usr/share/shorewall6/configpath 0644
+echo "Default config path file installed as ${PREFIX}/usr/share/shorewall6/configpath"
 #
 # Install the init file
 #
-run_install $OWNERSHIP -m 0644 init ${DESTDIR}/usr/share/shorewall6/configfiles/init
+run_install $OWNERSHIP -m 0644 init ${PREFIX}/usr/share/shorewall6/configfiles/init

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/init ]; then
-    run_install $OWNERSHIP -m 0600 init ${DESTDIR}/etc/shorewall6/init
-    echo "Init file installed as ${DESTDIR}/etc/shorewall6/init"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/init ]; then
+    run_install $OWNERSHIP -m 0600 init ${PREFIX}/etc/shorewall6/init
+    echo "Init file installed as ${PREFIX}/etc/shorewall6/init"
 fi
 #
 # Install the start file
 #
-run_install $OWNERSHIP -m 0644 start ${DESTDIR}/usr/share/shorewall6/configfiles/start
+run_install $OWNERSHIP -m 0644 start ${PREFIX}/usr/share/shorewall6/configfiles/start

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/start ]; then
-    run_install $OWNERSHIP -m 0600 start ${DESTDIR}/etc/shorewall6/start
-    echo "Start file installed as ${DESTDIR}/etc/shorewall6/start"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/start ]; then
+    run_install $OWNERSHIP -m 0600 start ${PREFIX}/etc/shorewall6/start
+    echo "Start file installed as ${PREFIX}/etc/shorewall6/start"
 fi
 #
 # Install the stop file
 #
-run_install $OWNERSHIP -m 0644 stop ${DESTDIR}/usr/share/shorewall6/configfiles/stop
+run_install $OWNERSHIP -m 0644 stop ${PREFIX}/usr/share/shorewall6/configfiles/stop

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/stop ]; then
-    run_install $OWNERSHIP -m 0600 stop ${DESTDIR}/etc/shorewall6/stop
-    echo "Stop file installed as ${DESTDIR}/etc/shorewall6/stop"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/stop ]; then
+    run_install $OWNERSHIP -m 0600 stop ${PREFIX}/etc/shorewall6/stop
+    echo "Stop file installed as ${PREFIX}/etc/shorewall6/stop"
 fi
 #
 # Install the stopped file
 #
-run_install $OWNERSHIP -m 0644 stopped ${DESTDIR}/usr/share/shorewall6/configfiles/stopped
+run_install $OWNERSHIP -m 0644 stopped ${PREFIX}/usr/share/shorewall6/configfiles/stopped

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/stopped ]; then
-    run_install $OWNERSHIP -m 0600 stopped ${DESTDIR}/etc/shorewall6/stopped
-    echo "Stopped file installed as ${DESTDIR}/etc/shorewall6/stopped"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/stopped ]; then
+    run_install $OWNERSHIP -m 0600 stopped ${PREFIX}/etc/shorewall6/stopped
+    echo "Stopped file installed as ${PREFIX}/etc/shorewall6/stopped"
 fi
 #
 # Install the Accounting file
 #
-run_install $OWNERSHIP -m 0644 accounting ${DESTDIR}/usr/share/shorewall6/configfiles/accounting
+run_install $OWNERSHIP -m 0644 accounting ${PREFIX}/usr/share/shorewall6/configfiles/accounting

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/accounting ]; then
-    run_install $OWNERSHIP -m 0600 accounting ${DESTDIR}/etc/shorewall6/accounting
-    echo "Accounting file installed as ${DESTDIR}/etc/shorewall6/accounting"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/accounting ]; then
+    run_install $OWNERSHIP -m 0600 accounting ${PREFIX}/etc/shorewall6/accounting
+    echo "Accounting file installed as ${PREFIX}/etc/shorewall6/accounting"
 fi
 #
 # Install the Started file
 #
-run_install $OWNERSHIP -m 0644 started ${DESTDIR}/usr/share/shorewall6/configfiles/started
+run_install $OWNERSHIP -m 0644 started ${PREFIX}/usr/share/shorewall6/configfiles/started

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/started ]; then
-    run_install $OWNERSHIP -m 0600 started ${DESTDIR}/etc/shorewall6/started
-    echo "Started file installed as ${DESTDIR}/etc/shorewall6/started"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/started ]; then
+    run_install $OWNERSHIP -m 0600 started ${PREFIX}/etc/shorewall6/started
+    echo "Started file installed as ${PREFIX}/etc/shorewall6/started"
 fi
 #
 # Install the Restored file
 #
-run_install $OWNERSHIP -m 0644 restored ${DESTDIR}/usr/share/shorewall6/configfiles/restored
+run_install $OWNERSHIP -m 0644 restored ${PREFIX}/usr/share/shorewall6/configfiles/restored

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/restored ]; then
-    run_install $OWNERSHIP -m 0600 restored ${DESTDIR}/etc/shorewall6/restored
-    echo "Restored file installed as ${DESTDIR}/etc/shorewall6/restored"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/restored ]; then
+    run_install $OWNERSHIP -m 0600 restored ${PREFIX}/etc/shorewall6/restored
+    echo "Restored file installed as ${PREFIX}/etc/shorewall6/restored"
 fi
 #
 # Install the Clear file
 #
-run_install $OWNERSHIP -m 0644 clear ${DESTDIR}/usr/share/shorewall6/configfiles/clear
+run_install $OWNERSHIP -m 0644 clear ${PREFIX}/usr/share/shorewall6/configfiles/clear

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/clear ]; then
-    run_install $OWNERSHIP -m 0600 clear ${DESTDIR}/etc/shorewall6/clear
-    echo "Clear file installed as ${DESTDIR}/etc/shorewall6/clear"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/clear ]; then
+    run_install $OWNERSHIP -m 0600 clear ${PREFIX}/etc/shorewall6/clear
+    echo "Clear file installed as ${PREFIX}/etc/shorewall6/clear"
 fi
 #
 # Install the Isusable file
 #
-run_install $OWNERSHIP -m 0644 isusable ${DESTDIR}/usr/share/shorewall6/configfiles/isusable
+run_install $OWNERSHIP -m 0644 isusable ${PREFIX}/usr/share/shorewall6/configfiles/isusable

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/isusable ]; then
-    run_install $OWNERSHIP -m 0600 isusable ${DESTDIR}/etc/shorewall6/isusable
-    echo "Isusable file installed as ${DESTDIR}/etc/shorewall/isusable"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/isusable ]; then
+    run_install $OWNERSHIP -m 0600 isusable ${PREFIX}/etc/shorewall6/isusable
+    echo "Isusable file installed as ${PREFIX}/etc/shorewall/isusable"
 fi
 #
 # Install the Refresh file
 #
-run_install $OWNERSHIP -m 0644 refresh ${DESTDIR}/usr/share/shorewall6/configfiles/refresh
+run_install $OWNERSHIP -m 0644 refresh ${PREFIX}/usr/share/shorewall6/configfiles/refresh

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/refresh ]; then
-    run_install $OWNERSHIP -m 0600 refresh ${DESTDIR}/etc/shorewall6/refresh
-    echo "Refresh file installed as ${DESTDIR}/etc/shorewall6/refresh"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/refresh ]; then
+    run_install $OWNERSHIP -m 0600 refresh ${PREFIX}/etc/shorewall6/refresh
+    echo "Refresh file installed as ${PREFIX}/etc/shorewall6/refresh"
 fi
 #
 # Install the Refreshed file
 #
-run_install $OWNERSHIP -m 0644 refreshed ${DESTDIR}/usr/share/shorewall6/configfiles/refreshed
+run_install $OWNERSHIP -m 0644 refreshed ${PREFIX}/usr/share/shorewall6/configfiles/refreshed

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/refreshed ]; then
-    run_install $OWNERSHIP -m 0600 refreshed ${DESTDIR}/etc/shorewall6/refreshed
-    echo "Refreshed file installed as ${DESTDIR}/etc/shorewall6/refreshed"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/refreshed ]; then
+    run_install $OWNERSHIP -m 0600 refreshed ${PREFIX}/etc/shorewall6/refreshed
+    echo "Refreshed file installed as ${PREFIX}/etc/shorewall6/refreshed"
 fi
 #
 # Install the Tcclear file
 #
-run_install $OWNERSHIP -m 0644 tcclear ${DESTDIR}/usr/share/shorewall6/configfiles/tcclear
+run_install $OWNERSHIP -m 0644 tcclear ${PREFIX}/usr/share/shorewall6/configfiles/tcclear

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcclear ]; then
-    run_install $OWNERSHIP -m 0600 tcclear ${DESTDIR}/etc/shorewall6/tcclear
-    echo "Tcclear file installed as ${DESTDIR}/etc/shorewall6/tcclear"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcclear ]; then
+    run_install $OWNERSHIP -m 0600 tcclear ${PREFIX}/etc/shorewall6/tcclear
+    echo "Tcclear file installed as ${PREFIX}/etc/shorewall6/tcclear"
 fi
 #
 # Install the Standard Actions file
 #
-install_file actions.std ${DESTDIR}/usr/share/shorewall6/actions.std 0644
-echo "Standard actions file installed as ${DESTDIR}/usr/shared/shorewall6/actions.std"
+install_file actions.std ${PREFIX}/usr/share/shorewall6/actions.std 0644
+echo "Standard actions file installed as ${PREFIX}/usr/shared/shorewall6/actions.std"

 #
 # Install the Actions file
 #
-run_install $OWNERSHIP -m 0644 actions ${DESTDIR}/usr/share/shorewall6/configfiles/actions
+run_install $OWNERSHIP -m 0644 actions ${PREFIX}/usr/share/shorewall6/configfiles/actions

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/actions ]; then
-    run_install $OWNERSHIP -m 0644 actions ${DESTDIR}/etc/shorewall6/actions
-    echo "Actions file installed as ${DESTDIR}/etc/shorewall6/actions"
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/actions ]; then
+    run_install $OWNERSHIP -m 0644 actions ${PREFIX}/etc/shorewall6/actions
+    echo "Actions file installed as ${PREFIX}/etc/shorewall6/actions"
 fi

 #
 # Install the  Makefiles
 #
-run_install $OWNERSHIP -m 0644 Makefile-lite ${DESTDIR}/usr/share/shorewall6/configfiles/Makefile
+run_install $OWNERSHIP -m 0644 Makefile-lite ${PREFIX}/usr/share/shorewall6/configfiles/Makefile

 if [ -z "$SPARSE" ]; then
-    run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall6/Makefile
-    echo "Makefile installed as ${DESTDIR}/etc/shorewall6/Makefile"
+    run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall6/Makefile
+    echo "Makefile installed as ${PREFIX}/etc/shorewall6/Makefile"
 fi
 #
 # Install the Action files
 #
 for f in action.* ; do
-    install_file $f ${DESTDIR}/usr/share/shorewall6/$f 0644
-    echo "Action ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6/$f"
+    install_file $f ${PREFIX}/usr/share/shorewall6/$f 0644
+    echo "Action ${f#*.} file installed as ${PREFIX}/usr/share/shorewall6/$f"
 done

 # Install the Macro files
 #
 for f in macro.* ; do
-    install_file $f ${DESTDIR}/usr/share/shorewall6/$f 0644
-    echo "Macro ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6/$f"
+    install_file $f ${PREFIX}/usr/share/shorewall6/$f 0644
+    echo "Macro ${f#*.} file installed as ${PREFIX}/usr/share/shorewall6/$f"
 done
 #
 # Install the libraries
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall6/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6/$f"
+	install_file $f ${PREFIX}/usr/share/shorewall6/$f 0644
+	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall6/$f"
    fi
 done
 #
 # Symbolically link 'functions' to lib.base
 #
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall6/functions
+ln -sf lib.base ${PREFIX}/usr/share/shorewall6/functions
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall6/version
-chmod 644 ${DESTDIR}/usr/share/shorewall6/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall6/version
+chmod 644 ${PREFIX}/usr/share/shorewall6/version
 #
 # Remove and create the symbolic link to the init script
 #

-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
    rm -f /usr/share/shorewall6/init
    ln -s ${DEST}/${INIT} /usr/share/shorewall6/init
 fi
@@ -692,39 +695,33 @@ fi

 cd manpages

-[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
+[ -n "$INSTALLD" ] || mkdir -p ${PREFIX}${MANDIR}/man5/ ${PREFIX}${MANDIR}/man8/

 for f in *.5; do
    gzip -c $f > $f.gz
-    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
-    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
+    run_install $INSTALLD  -m 0644 $f.gz ${PREFIX}${MANDIR}/man5/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}${MANDIR}/man5/$f.gz"
 done

 for f in *.8; do
    gzip -c $f > $f.gz
-    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
-    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
+    run_install $INSTALLD  -m 0644 $f.gz ${PREFIX}${MANDIR}/man8/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}${MANDIR}/man8/$f.gz"
 done

 cd ..

 echo "Man Pages Installed"

-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall6
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall6"
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6"
 fi

-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
+if [ -z "$PREFIX" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
    if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6
-
-	if [ -x /sbin/insserv ]; then
-	    insserv /etc/init.d/shorewall6
-	else
-	    ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
-	fi
-
+	ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
 	echo "shorewall6 will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall6 to enable"
 	touch /var/log/shorewall6-init.log
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -33,7 +33,7 @@
 #

 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40411
+SHOREWALL_CAPVERSION=40408

 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -134,18 +134,18 @@ syslog_circular_buffer() {
 packet_log() # $1 = number of messages
 {
    if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
    else
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
    fi
 }

 search_log() # $1 = IP address to search for
 {
    if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
    else
-	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
    fi
 }    

@@ -439,7 +439,7 @@ show_command() {
 	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
 	    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
 	    echo
-	    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g'
+	    grep '^ipv6' /proc/net/nf_conntrack
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
@@ -747,7 +747,7 @@ dump_command() {
    report_capabilities

    echo
-    netstat -6tunap
+    netstat -tunap

    if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -1190,7 +1190,6 @@ determine_capabilities() {
    IPMARK_TARGET=
    LOG_TARGET=Yes
    FLOW_FILTER=
-    FWMARK_RT_MASK=

    chain=fooX$$

@@ -1205,10 +1204,6 @@ determine_capabilities() {

    [ -n "$IP" -a -x "$IP" ] || IP=

-    [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
-
-    [ -n "$TC" -a -x "$TC" ] || TC=
-
    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=

    qt $IP6TABLES -F $chain
@@ -1338,8 +1333,7 @@ determine_capabilities() {
    qt $IP6TABLES -F $chain1
    qt $IP6TABLES -X $chain1

-    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
-    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
+    [ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes

    CAPVERSION=$SHOREWALL_CAPVERSION
    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
@@ -1404,7 +1398,6 @@ report_capabilities() {
 	report_capability "LOG Target" $LOG_TARGET
 	report_capability "TPROXY Target" $TPROXY_TARGET
 	report_capability "FLOW Classifier" $FLOW_FILTER
-	report_capability "fwmark route mask" $FWMARK_RT_MASK
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1464,7 +1457,6 @@ report_capabilities1() {
    report_capability1 LOG_TARGET
    report_capability1 TPROXY_TARGET
    report_capability1 FLOW_FILTER
-    report_capability1 FWMARK_RT_MASK
    
    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION    
--- a/Shorewall6/lib.common
+++ b/Shorewall6/lib.common
@@ -92,12 +92,7 @@ run_it() {
 	#
 	# 4.4.8 or later -- no additional exports required
 	#
-	if [ x$1 = xtrace -o x$1 = xdebug ]; then
-	    options="$1 -"
-	    shift;
-	else
-	    options='-'
-	fi
+	options='-'

 	[ -n "$g_noroutes" ]   && options=${options}n
 	[ -n "$g_timestamp" ]  && options=${options}t
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@@ -299,16 +299,7 @@ compiler() {
 	set +a
    fi

-    if [ -n "$PERL" ]; then
-	if [ ! -x "$PERL" ]; then
-	    echo "   WARNING: The program specified in the PERL option does not exist or is not executable; falling back to /usr/bin/perl" >&2
-	    PERL=/usr/bin/perl
-	fi
-    else
-	PERL=/usr/bin/perl
-    fi
-
-    $command $PERL $debugflags $pc $options $@
+    $command perl $debugflags $pc $options $@
 }    

 #
@@ -1270,7 +1261,7 @@ usage() # $1 = exit status
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
    echo "   check [ -e ] [ -r ] [ <directory> ]"
-    echo "   clear"
+    echo "   clear [ -f ]"
    echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   drop <address> ..."
@@ -1293,7 +1284,7 @@ usage() # $1 = exit status
    echo "   save [ <file name> ]"
    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log [<regex>]|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
    echo "   start [ -f ] [ -n ] [ <directory> ]"
-    echo "   stop"
+    echo "   stop [ -f ]"
    echo "   status"
    echo "   try <directory> [ <timeout> ]"
    echo "   version [ -a ]"
@@ -1467,11 +1458,9 @@ version_command() {
    echo $SHOREWALL_VERSION

    if [ -n "$all" ]; then
-	for product in shorewall shorewall-lite shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
+	if [ -f /usr/share/shorewall/version ]; then
+	    echo "Shorewall $(cat /usr/share/shorewall/version)"
+	fi
    fi
 }

@@ -1544,17 +1533,17 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 1
 	get_config
 	[ -x $g_firewall ] || fatal_error "Shorewall6 has never been started"
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $g_debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
+	mutex_on
+	run_it $g_firewall $g_debugging $nolock $COMMAND
+	mutex_off
 	;;
    reset)
 	get_config
 	shift
-	[ -n "$nolock" ] || mutex_on
+	mutex_on
 	[ -x $g_firewall ] || fatal_error "Shorewall6 has never been started"
-	run_it $g_firewall $g_debugging reset $@
-	[ -n "$nolock" ] || mutex_off
+	run_it $g_firewall $g_debugging $nolock reset $@
+	mutex_off
 	;;
    compile)
 	get_config Yes
@@ -1608,7 +1597,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
--- a/Shorewall6/shorewall6.conf
+++ b/Shorewall6/shorewall6.conf
@@ -56,8 +56,6 @@ TC=

 IPSET=

-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 SHOREWALL_SHELL=/bin/sh
@@ -153,8 +151,6 @@ DYNAMIC_BLACKLIST=Yes

 LOAD_HELPERS_ONLY=No

-FORWARD_CLEAR_MARK=yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.11
-%define release 1
+%define version 4.4.9
+%define release 0base

 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute shorewall >= 4.3.5
-Provides: shoreline_firewall = %{version}-%{release}

 %description

@@ -29,7 +28,7 @@ a multi-function gateway/ router/server or on a standalone GNU/Linux system.
 %build

 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -98,34 +97,6 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6

 %changelog
-* Wed Jul 14 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta1
 * Mon May 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0base
 * Sun May 02 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.11.1
+VERSION=4.4.9

 usage() # $1 = exit status
 {
@@ -79,7 +79,7 @@ if qt ip6tables -L shorewall6 -n && [ ! -f /sbin/shorewall6-lite ]; then
 fi

 if [ -L /usr/share/shorewall6/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall6/init)
+    FIREWALL=$(ls -l /usr/share/shorewall6/init | sed 's/^.*> //')
 else
    FIREWALL=/etc/init.d/shorewall6
 fi
--- a/docs/Build.xml
+++ b/docs/Build.xml
@@ -72,10 +72,6 @@
        <listitem>
          <para>Shorewall6-lite</para>
        </listitem>
-
-        <listitem>
-          <para>Shorewall-init</para>
-        </listitem>
      </itemizedlist>

      <para>There are also several other directories which are described in
@@ -84,18 +80,20 @@
      <section>
        <title>trunk/docs</title>

-        <para>The stable release XML documents. Depending on the point in the
-        release cycle, these documents may also apply to the current
-        development version.</para>
+        <para>The development release XML documents. Depending on the point in
+        the release cycle, these documents may also apply to the current
+        stable version. In that case, there is no docs directory in that
+        release's directory in <emphasis
+        role="bold">branches</emphasis>.</para>
      </section>

      <section>
        <title>trunk/manpages, trunk/manpages6, trunk/manpages-lite and
        trunk/manpages6-lite</title>

-        <para>The stable release XML manpages. Depending on the point in the
-        release cycle, these documents may also apply to the current
-        development version.</para>
+        <para>The development release XML manpages. Depending on the point in
+        the release cycle, these documents may also apply to the current
+        stable version.</para>
      </section>
    </section>

@@ -158,8 +156,7 @@
    <section>
      <title>build44</title>

-      <para>This is the script that builds Shorewall 4.4 packages from
-      Git.</para>
+      <para>This is the script that builds Shorewall packages from Git.</para>

      <para>The script copies content from Git using the <command>git
      archive</command> command. It then uses that content to build the
@@ -168,7 +165,7 @@

      <variablelist>
        <varlistentry>
-          <term>rpmbuild</term>
+          <term>rpmbuild (I use rpm version 4.4.2.3-20.3)</term>

          <listitem>
            <para>Required to build the RPM packages.</para>
@@ -176,7 +173,7 @@
        </varlistentry>

        <varlistentry>
-          <term>xsltproc (libxslt)</term>
+          <term>xsltproc (libxslt -- I use version 1.1.24-19.1)</term>

          <listitem>
            <para>Required to convert the XML documents to other
@@ -185,7 +182,8 @@
        </varlistentry>

        <varlistentry>
-          <term>Docbook XSL Stylesheets</term>
+          <term>Docbook XSL Stylesheets (I use docbook-xsl-stylesheets version
+          1.74.0-1.35)</term>

          <listitem>
            <para>Required to convert the XML documents to other
@@ -194,7 +192,7 @@
        </varlistentry>

        <varlistentry>
-          <term>Perl</term>
+          <term>Perl (I use Perl 5.10.0-62.17.1)</term>

          <listitem>
            <para>Required to massage some of the config files.</para>
@@ -202,21 +200,25 @@
        </varlistentry>

        <varlistentry>
-          <term>xmlto</term>
+          <term>xmlto (I use version 0.0.18-182.27)</term>

          <listitem>
-            <para>Required to convert the XML manpages to manpages. Be sure
-            that you have a recent version; I use 0.0.23.</para>
+            <para>Required to convert the XML manpages to manpages. Note that
+            not all versions of xmlto will work (those released by Debian and
+            Ubuntu, for example, do <emphasis>not</emphasis> work). If you
+            find that xmlto fails, install
+            tools<filename>/build/xmlto</filename> in <filename
+            class="directory">/usr/local/bin</filename>.</para>
          </listitem>
        </varlistentry>
      </variablelist>

-      <para>You should ensure that you have the latest scripts. The scripts
+      <para>You should ensure that you have the latest script. The scripts
      change periodically as we move through the release cycles.</para>

-      <para>The build44 script may need to be modified to fit your particular
-      environment. There are a number of variables that are set near the top
-      of the file:</para>
+      <para>The scripts may need to be modified to fit your particular
+      environment. There are a number of variables that are set near the front
+      of the script:</para>

      <variablelist>
        <varlistentry>
@@ -258,7 +260,7 @@
          <term>GIT</term>

          <listitem>
-            <para>Shorewall GIT repository.</para>
+            <para>Shorewall GIT repository</para>
          </listitem>
        </varlistentry>
      </variablelist>
@@ -282,8 +284,8 @@
          <term>opt<emphasis>i</emphasis>ons</term>

          <listitem>
-            <para>are one or more of the following. If no options are given
-            then all options are assumed</para>
+            <para>are one of the following. If no options are given then all
+            options are assumed</para>

            <variablelist>
              <varlistentry>
@@ -310,14 +312,6 @@
                </listitem>
              </varlistentry>

-              <varlistentry>
-                <term>i</term>
-
-                <listitem>
-                  <para>Build the shorewall-init package.</para>
-                </listitem>
-              </varlistentry>
-
              <varlistentry>
                <term>l</term>

@@ -390,7 +384,7 @@
      against 4.2.7:</para>

      <blockquote>
-        <para><command>build44 -trc 4.3.7.1 4.3.7</command></para>
+        <para><command>build44 -trSc 4.3.7.1 4.3.7</command></para>
      </blockquote>
    </section>

@@ -435,14 +429,6 @@
                </listitem>
              </varlistentry>

-              <varlistentry>
-                <term>i</term>
-
-                <listitem>
-                  <para>Upload the shorewall-init package.</para>
-                </listitem>
-              </varlistentry>
-
              <varlistentry>
                <term>6</term>

@@ -483,55 +469,5 @@
        <para><command>upload44 -c 4.3.7.3</command></para>
      </blockquote>
    </section>
-
-    <section>
-      <title>install.sh files</title>
-
-      <para>Each product includes an install script
-      (<filename>install.sh</filename>) that may be used to install the
-      product on a machine or into a directory.</para>
-
-      <para>By default, the scripts install the corresponding product into
-      "/'; you can direct them to install into an empty existing directory by
-      setting an environmental variable:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>DESTDIR (release 4.4.10 and later)</para>
-        </listitem>
-
-        <listitem>
-          <para>PREFIX (all releases)</para>
-        </listitem>
-      </itemizedlist>
-
-      <para>There are a number of other environmental variables that you can
-      set to cause the directory to be populated for a particular target
-      environment:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>DEBIAN - Debian-based systems (Debian, Ubuntu, etc.)</para>
-        </listitem>
-
-        <listitem>
-          <para>SUSE - SEL and OpenSuSE</para>
-        </listitem>
-
-        <listitem>
-          <para>REDHAT - RHEL, CentOS, Foobar, etc.</para>
-        </listitem>
-
-        <listitem>
-          <para>MAC - Apple MacIntosh (Shorewall and Shorewall6 packages
-          only)</para>
-        </listitem>
-
-        <listitem>
-          <para>CYGWIN - Cygwin under Windows (Shorewall and Shorewall6
-          packages only)</para>
-        </listitem>
-      </itemizedlist>
-    </section>
  </section>
 </article>
--- a/docs/CompiledPrograms.xml
+++ b/docs/CompiledPrograms.xml
@@ -184,7 +184,8 @@
        url="http://www.cygwin.com/">Cygwin</ulink> or an <ulink
        url="http://www.apple.com/mac/">Apple MacIntosh</ulink> running OS X.
        Install from a shell prompt <ulink url="Install.htm">using the
-        install.sh script</ulink>.</para>
+        install.sh script</ulink> (Mac supported was added in Shorewall
+        4.4.9).</para>
      </listitem>

      <listitem>
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -5,7 +5,7 @@
  <!--/$Id$-->

  <articleinfo>
-    <title>Shorewall 4.4 Documentation</title>
+    <title>Shorewall 4.4/4.5 Documentation</title>

    <authorgroup>
      <author>
@@ -57,9 +57,11 @@
          <row>
            <entry></entry>

-            <entry><ulink url="Vserver.html">Linux-vserver</ulink></entry>
+            <entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
+            Machine)</ulink></entry>

-            <entry></entry>
+            <entry><ulink url="Shorewall-perl.html">Shorewall
+            Perl</ulink></entry>
          </row>

          <row>
@@ -68,8 +70,8 @@
            <entry><ulink url="ConnectionRate.html">Limiting Connection
            Rates</ulink></entry>

-            <entry><ulink url="Shorewall-perl.html">Shorewall
-            Perl</ulink></entry>
+            <entry><ulink url="shorewall_setup_guide.htm">Shorewall Setup
+            Guide</ulink></entry>
          </row>

          <row>
@@ -77,8 +79,7 @@

            <entry><ulink url="shorewall_logging.html">Logging</ulink></entry>

-            <entry><ulink url="shorewall_setup_guide.htm">Shorewall Setup
-            Guide</ulink></entry>
+            <entry><ulink url="samba.htm">SMB</ulink></entry>
          </row>

          <row>
@@ -86,7 +87,9 @@

            <entry><ulink url="Macros.html">Macros</ulink></entry>

-            <entry><ulink url="samba.htm">SMB</ulink></entry>
+            <entry><ulink url="two-interface.htm#SNAT">SNAT</ulink>
+            (<firstterm>Source Network Address
+            Translation</firstterm>)</entry>
          </row>

          <row>
@@ -96,9 +99,8 @@
            <entry><ulink url="MAC_Validation.html">MAC
            Verification</ulink></entry>

-            <entry><ulink url="two-interface.htm#SNAT">SNAT</ulink>
-            (<firstterm>Source Network Address
-            Translation</firstterm>)</entry>
+            <entry><ulink url="SplitDNS.html">Split DNS the Easy
+            Way</ulink></entry>
          </row>

          <row>
@@ -107,8 +109,8 @@

            <entry><ulink url="Manpages.html">Man Pages</ulink></entry>

-            <entry><ulink url="SplitDNS.html">Split DNS the Easy
-            Way</ulink></entry>
+            <entry><ulink url="Shorewall_Squid_Usage.html">Squid with
+            Shorewall</ulink></entry>
          </row>

          <row>
@@ -118,8 +120,9 @@
            <entry><ulink url="ManualChains.html">Manual
            Chains</ulink></entry>

-            <entry><ulink url="Shorewall_Squid_Usage.html">Squid with
-            Shorewall</ulink></entry>
+            <entry><ulink
+            url="starting_and_stopping_shorewall.htm">Starting/stopping the
+            Firewall</ulink></entry>
          </row>

          <row>
@@ -130,9 +133,8 @@
            <entry><ulink
            url="two-interface.htm#SNAT">Masquerading</ulink></entry>

-            <entry><ulink
-            url="starting_and_stopping_shorewall.htm">Starting/stopping the
-            Firewall</ulink></entry>
+            <entry><ulink url="NAT.htm">Static (one-to-one)
+            NAT</ulink></entry>
          </row>

          <row>
@@ -143,8 +145,7 @@
            from a Single Firewall</ulink> (<ulink
            url="MultiISP_ru.html">Russian</ulink>)</entry>

-            <entry><ulink url="NAT.htm">Static (one-to-one)
-            NAT</ulink></entry>
+            <entry><ulink url="support.htm">Support</ulink></entry>
          </row>

          <row>
@@ -154,7 +155,8 @@
            <entry><ulink url="Multiple_Zones.html">Multiple Zones Through One
            Interface</ulink></entry>

-            <entry><ulink url="support.htm">Support</ulink></entry>
+            <entry><ulink url="configuration_file_basics.htm">Tips and
+            Hints</ulink></entry>
          </row>

          <row>
@@ -164,8 +166,8 @@
            <entry><ulink url="MyNetwork.html">My Shorewall
            Configuration</ulink></entry>

-            <entry><ulink url="configuration_file_basics.htm">Tips and
-            Hints</ulink></entry>
+            <entry><ulink url="Accounting.html">Traffic
+            Accounting</ulink></entry>
          </row>

          <row>
@@ -175,8 +177,8 @@
            <entry><ulink url="NetfilterOverview.html">Netfilter
            Overview</ulink></entry>

-            <entry><ulink url="Accounting.html">Traffic
-            Accounting</ulink></entry>
+            <entry><ulink url="simple_traffic_shaping.html">Traffic
+            Shaping/QOS - Simple</ulink></entry>
          </row>

          <row>
@@ -185,8 +187,9 @@

            <entry><ulink url="netmap.html">Network Mapping</ulink></entry>

-            <entry><ulink url="simple_traffic_shaping.html">Traffic
-            Shaping/QOS - Simple</ulink></entry>
+            <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
+            Complex</ulink> (<ulink
+            url="traffic_shaping_ru.html">Russian</ulink>)</entry>
          </row>

          <row>
@@ -196,9 +199,8 @@
            <entry><ulink url="NAT.htm">One-to-one NAT</ulink> (Static
            NAT)</entry>

-            <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
-            Complex</ulink> (<ulink
-            url="traffic_shaping_ru.html">Russian</ulink>)</entry>
+            <entry><ulink url="Shorewall_Squid_Usage.html">Transparent
+            Proxy</ulink></entry>
          </row>

          <row>
@@ -207,8 +209,7 @@
            <entry><ulink url="Multiple_Zones.html"><ulink
            url="OPENVPN.html">OpenVPN</ulink></ulink></entry>

-            <entry><ulink url="Shorewall_Squid_Usage.html">Transparent
-            Proxy</ulink></entry>
+            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
          </row>

          <row>
@@ -218,7 +219,8 @@

            <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>

-            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
+            <entry><ulink url="upgrade_issues.htm">Upgrade
+            Issues</ulink></entry>
          </row>

          <row>
@@ -227,7 +229,8 @@
            <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
            Shorewall</ulink></entry>

-            <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
+            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
+            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
          </row>

          <row>
@@ -237,8 +240,7 @@
            <entry><ulink url="PacketMarking.html">Packet
            Marking</ulink></entry>

-            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
-            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
          </row>

          <row>
@@ -249,7 +251,7 @@
            <entry><ulink url="PacketHandling.html">Packet Processing in a
            Shorewall-based Firewall</ulink></entry>

-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
          </row>

          <row>
@@ -258,7 +260,8 @@

            <entry><ulink url="ping.html">'Ping' Management</ulink></entry>

-            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
+            <entry><ulink url="whitelisting_under_shorewall.htm">White List
+            Creation</ulink></entry>
          </row>

          <row>
@@ -267,8 +270,8 @@
            <entry><ulink url="two-interface.htm#DNAT">Port
            Forwarding</ulink></entry>

-            <entry><ulink url="whitelisting_under_shorewall.htm">White List
-            Creation</ulink></entry>
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            DomU</ulink></entry>
          </row>

          <row>
@@ -277,8 +280,8 @@

            <entry><ulink url="ports.htm">Port Information</ulink></entry>

-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            DomU</ulink></entry>
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            Xen Dom0</ulink></entry>
          </row>

          <row>
@@ -288,8 +291,7 @@
            <entry><ulink url="PortKnocking.html">Port Knocking and Other Uses
            of the 'Recent Match'</ulink></entry>

-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
-            Xen Dom0</ulink></entry>
+            <entry></entry>
          </row>

          <row>
@@ -369,8 +371,8 @@
            <entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
            Filtering</ulink></entry>

-            <entry><ulink url="Shorewall-init.html">Shorewall
-            Init</ulink></entry>
+            <entry><ulink url="Laptop.html">Shorewall on a
+            Laptop</ulink></entry>

            <entry></entry>
          </row>
@@ -384,16 +386,6 @@

            <entry></entry>
          </row>
-
-          <row>
-            <entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
-            Machine)</ulink></entry>
-
-            <entry><ulink url="Laptop.html">Shorewall on a
-            Laptop</ulink></entry>
-
-            <entry></entry>
-          </row>
        </tbody>
      </tgroup>
    </informaltable>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -20,7 +20,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2001-2010</year>
+      <year>2001-2009</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -506,6 +506,11 @@ net        eth0          detect               <emphasis role="bold">routeback</e
        <para>And in <filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE          SOURCE      ADDRESS          PROTO        PORT
 eth0:66.249.93.111  0.0.0.0/0   206.124.146.176  tcp          993</programlisting></para>

+        <para>And finally, in
+        <filename>/etc/shorewall/shorewall.conf</filename> you need:</para>
+
+        <programlisting>IP_FORWARDING=On</programlisting>
+
        <para>Like the hack in FAQ 2, this one results in all forwarded
        connections looking to the server (66.249.93.11) as if they originated
        on your firewall (206.124.146.176).</para>
@@ -2061,18 +2066,6 @@ shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall
          <para>Be sure to secure the script for execute access.</para>
        </listitem>
      </itemizedlist>
-
-      <variablelist>
-        <varlistentry>
-          <term>Update:</term>
-
-          <listitem>
-            <para>Beginning with Shorewall 4.4.10, there is a new <ulink
-            url="Manpages/shorewall-init.html">Shorewall Init Package</ulink>
-            that is designed to handle this case.</para>
-          </listitem>
-        </varlistentry>
-      </variablelist>
    </section>

    <section id="faq87">
@@ -2324,13 +2317,9 @@ We have an error talking to the kernel
      subzones? I've got a system with Linux-VServers, it's one interface
      (eth0) with multiple IPs</title>

-      <para><emphasis role="bold">Answer</emphasis>: Beginning with Shorewall
-      4.4.11 Beta 2, you can <ulink url="Vserver.html">create vserver
-      zones</ulink> that are nested within the firewall zone. </para>
-
-      <para>Prior to 4.4.11 Beta 2, there is no way to create sub-zones of the
-      firewall zone. But you can use shell variables to make vservers easier
-      to deal with.</para>
+      <para><emphasis role="bold">Answer</emphasis>: There is no way to create
+      sub-zones of the firewall zone. But you can use shell variables to make
+      vservers easier to deal with.</para>

      <para><filename>/etc/shorewall/params</filename>:</para>

@@ -2714,8 +2703,6 @@ Shorewall has detected the following iptables/netfilter capabilities:
   LOG Target: Available
   Persistent SNAT: Available
 gateway:~# </programlisting>
-
-      <para></para>
    </section>

    <section id="faq19">
@@ -2745,74 +2732,5 @@ loc                $FW                     ACCEPT           </programlisting>
      <emphasis>inline</emphasis> more with Shorewall, but no HOWTO exists at
      this time.</para>
    </section>
-
-    <section id="faq89">
-      <title>(FAQ 89) How do I connect to the web server in my aDSL modem from
-      my local LAN?</title>
-
-      <para>Answer: Here's what I did:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>My local network is 172.20.1.0/24, so I set the IP address in
-          the modem to 172.20.1.2.</para>
-        </listitem>
-
-        <listitem>
-          <para>The IP address of my firewall's interface to the LAN is
-          172.20.1.254. The logical name of the DSL interface is EXT_IF and my
-          LAN interface is INT_IF.</para>
-
-          <para>I added the following two configuration entries:</para>
-
-          <para><filename>/etc/shorewall/masq:</filename></para>
-
-          <programlisting>#INTERFACE			SOURCE			ADDRESS
-
-COMMENT DSL Modem
-
-EXT_IF:172.20.1.2	     	0.0.0.0/0		172.20.1.254
-</programlisting>
-
-          <para><filename>/etc/shorewall/proxyarp</filename>:</para>
-
-          <programlisting>#ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE	PERSISTENT
-172.20.1.2	EXT_IF		INT_IF		no		yes
-</programlisting>
-        </listitem>
-      </itemizedlist>
-
-      <para>If you can't change the IP address of your modem and its current
-      address isn't in your local network, then you need to change this
-      slightly; assuming that the modem IP address is 192.168.1.1:</para>
-
-      <itemizedlist>
-        <listitem>
-          <para>Do not include an entry in
-          <filename>/etc/shorewall/proxyarp</filename>.</para>
-        </listitem>
-
-        <listitem>
-          <para>Add an IP address in 192.168.1.0/24 to your external interface
-          using your configuration's network management tools. For
-          Debian-based systems, that means adding this to the interface's
-          stanza in <filename>/etc/network/interfaces</filename>:</para>
-
-          <programlisting>    post-up /sbin/ip addr add 192.168.1.254/24 dev <replaceable>external-interface</replaceable></programlisting>
-        </listitem>
-
-        <listitem>
-          <para>Your entry in <filename>/etc/shorewall/masq</filename> would
-          then be:</para>
-
-          <programlisting>#INTERFACE			SOURCE			ADDRESS
-
-COMMENT DSL Modem
-
-EXT_IF:192.168.1.1	     	0.0.0.0/0		192.168.1.254
-</programlisting>
-        </listitem>
-      </itemizedlist>
-    </section>
  </section>
 </article>
--- a/docs/LennyToSqueeze.xml
+++ b/docs/LennyToSqueeze.xml
@@ -165,9 +165,9 @@
        not feasible to install Perl on your firewall, then you should
        consider installing Shorewall on another system in your network (may
        be a <trademark>Windows</trademark> system running
-        <trademark>Cygwin</trademark> or an <trademark>Apple</trademark>
-        <trademark>MacIntosh</trademark> running OS X) and installing
-        Shorewall-lite on your firewall.</para>
+        <trademark>Cygwin</trademark> or, beginnins with Shorewall 4.4.9, an
+        <trademark>Apple</trademark> <trademark>MacIntosh</trademark> running
+        OS X) and installing Shorewall-lite on your firewall.</para>
      </footnote>. While the two compilers are highly compatible, there are
    some differences. Those differences are detailed in the following
    sections.</para>
--- a/docs/Manpages.xml
+++ b/docs/Manpages.xml
@@ -137,11 +137,6 @@
        url="manpages/shorewall-tcdevices.html">tcdevices</ulink> - Specify
        speed of devices for traffic shaping.</member>

-        <member><ulink
-        url="manpages/shorewall-tcfilters.html">tcfilters</ulink> - Classify
-        traffic for shaping; often used with an IFB to shape ingress
-        traffic.</member>
-
        <member><ulink
        url="manpages/shorewall-tcinterfaces.html">tcinterfaces</ulink> -
        Specify devices for simplified traffic shaping.</member>
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -1214,13 +1214,6 @@ net      eth1         detect          <emphasis role="bold">optional</emphasis><
          they offer you a place to start.</para>
        </important>

-        <important>
-          <para>If you have installed Shorewall-init, you should disable its
-          ifup/ifdown/NetworkManager integration (set IFUPDOWN=0 in the <ulink
-          url="Manpages/shorewall-init.html">Shorewall-init configuration
-          file</ulink>).</para>
-        </important>
-
        <para>The script should be copied to a directory on root's PATH such
        as <filename>/usr/local/sbin/</filename>.</para>

@@ -1383,13 +1376,6 @@ fi</programlisting></para>
        more sophisticated monitoring than the simple swping script described
        in the preceding section.</para>

-        <important>
-          <para>If you have installed Shorewall-init, you should disable its
-          ifup/ifdown/NetworkManager integration (set IFUPDOWN=0 in the <ulink
-          url="Manpages/shorewall-init.html">Shorewall-init configuration
-          file</ulink>) before installing LSM.</para>
-        </important>
-
        <para>Like many Open Source products, LSM is poorly documented. It's
        main configuration file is normally kept in
        <filename>/etc/lsm/lsm.conf</filename>, but the file's name is passed
--- a/docs/OPENVPN.xml
+++ b/docs/OPENVPN.xml
@@ -498,202 +498,6 @@ DNAT	172.20.1.0/24		tun1		192.168.1.0/24
    the right as 172.20.1.0/24.</para>
  </section>

-  <section>
-    <title>Roadwarrior with IPv6</title>
-
-    <para>While OpenVPN supports tunneling of IPv6 packets, the version of the
-    code that I run under OS X on my Macbook Pro does not support that option.
-    Nevertheless, I am able to take IPv6 on the road with me by creating a
-    6to4 tunnel through the OpenVPN IPv6 tunnel. In this configuration, the
-    IPv4 address pair (172.20.0.10,172.20.0.11) is used for the OpenVPN tunnel
-    and (2001:470:e857:2::1,2001:470:e857:2::2) is used for the 6to4
-    tunnel.</para>
-
-    <para>Here are my config files:</para>
-
-    <para>Server (conventional routed server config):</para>
-
-    <blockquote>
-      <programlisting>dev tun
-
-local 70.90.191.121
-
-server 172.20.0.0 255.255.255.128
-
-dh dh1024.pem
-
-ca /etc/certs/cacert.pem
-
-crl-verify /etc/certs/crl.pem
-
-cert /etc/certs/gateway.pem
-key /etc/certs/gateway_key.pem
-
-port 1194
-
-comp-lzo
-
-user nobody
-group nogroup
-
-keepalive 15 45
-ping-timer-rem
-persist-tun
-persist-key
-
-client-config-dir /etc/openvpn/clients
-ccd-exclusive
-client-to-client
-
-push "route 172.20.1.0 255.255.255.0"
-
-verb 3</programlisting>
-
-      <para>In the CCD file for the Macbook Pro:</para>
-
-      <programlisting>ifconfig-push <emphasis role="bold">172.20.0.11 172.20.0.10</emphasis></programlisting>
-
-      <para>From <filename>/etc/network/interfaces</filename> (very standard
-      <ulink url="6to4.htm#SixInFour">6to4 tunnel
-      configuration</ulink>):</para>
-
-      <programlisting>auto mac
-iface mac inet6 v4tunnel
-      address <emphasis role="bold">2001:470:e857:2::1</emphasis>
-      netmask 64
-      endpoint <emphasis role="bold">172.20.0.11</emphasis>
-      local <emphasis role="bold">172.20.1.254</emphasis></programlisting>
-
-      <para>Note that while the remote endpoint (172.20.0.11) is also the
-      remote endpoint of the OpenVPN tunnel, the local endpoint (172.20.1.254)
-      of the 6to4 tunnel is not the local endpoint of the OpenVPN tunnel
-      (that;s 172.20.0.10). 172.20.1.254 is the IPv4 address of the Shorewall
-      firewall's LAN interface.</para>
-
-      <para>The following excerpts from the Shorewall configuration show the
-      parts of that configuration that are relevant to these two tunnels (bold
-      font). <emphasis role="bold">This is not a complete
-      configuration.</emphasis></para>
-
-      <para><filename>/etc/shorewall/zones</filename>:</para>
-
-      <programlisting>#ZONE           TYPE
-fw              firewall
-loc             ip              #Local Zone
-drct:loc        ipv4            #Direct internet access
-net             ipv4            #Internet
-<emphasis role="bold">vpn             ipv4 </emphasis>           #OpenVPN clients</programlisting>
-
-      <para><filename>/etc/shorewall/interfaces</filename>:</para>
-
-      <programlisting>#ZONE  INTERFACE  BROADCAST OPTIONS
-loc    INT_IF     detect    dhcp,logmartians=1,routefilter=1,physical=$INT_IF,required,wait=5
-net    COM_IF     detect    dhcp,blacklist,optional,routefilter=0,logmartians,proxyarp=0,physical=$COM_IF,nosmurfs
-<emphasis role="bold">vpn    TUN_IF+    detect    physical=tun+,routeback</emphasis>
-      sit1       -         ignore
-<emphasis role="bold">-      mac        -         ignore</emphasis>
-      EXT_IF     -         ignore
-      lo         -         ignore</programlisting>
-
-      <para><filename>/etc/shorewall/tunnels</filename>:</para>
-
-      <programlisting>#TYPE                   ZONE    GATEWAY         GATEWAY
-#                                               ZONE
-<emphasis role="bold">openvpnserver:udp       net</emphasis>
-6to4                    net
-<emphasis role="bold">6to4                    vpn</emphasis></programlisting>
-
-      <para>Similarly, here are exerpts from the Shorewall6
-      configuration.</para>
-
-      <para><filename>/etc/shorewall6/zones</filename>:</para>
-
-      <programlisting>#ZONE     TYPE     OPTIONS        IN            OUT
-#                                 OPTIONS       OPTIONS
-fw        firewall
-net       ipv6
-<emphasis role="bold">loc       ipv6</emphasis>
-rest      ipv6</programlisting>
-
-      <para><filename>/etc/shorewall6/interfaces</filename>:</para>
-
-      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
-net     sit1            detect          tcpflags,forward=1,nosmurfs,routeback
-loc     eth4            detect          tcpflags,forward=1
-<emphasis role="bold">loc     mac             detect          tcpflags,forward=1</emphasis>
-rest    eth+</programlisting>
-
-      <para>Note that in the IPv6 firewall configuration, the remove Macbook
-      Pro is considered to be part of the local zone (loc).</para>
-    </blockquote>
-
-    <para>Client (conventional routed client config):</para>
-
-    <blockquote>
-      <programlisting>client
-
-dev tun
-
-proto udp
-
-remote gateway.shorewall.net 1194
-
-resolv-retry infinite
-
-nobind
-
-persist-key
-persist-tun
-
-mute-replay-warnings
-
-ca ca.crt
-cert mac.crt
-key mac.key
-
-ns-cert-type server
-
-comp-lzo
-
-verb 3
-
-up /Users/teastep/bin/up
-down /Users/teastep/bin/down
-</programlisting>
-
-      <para><filename>/Users/teastep/bin/up</filename>:</para>
-
-      <programlisting>#!/bin/bash
-LOCAL_IP=<emphasis role="bold">172.20.0.11</emphasis>
-LOCAL_IPV6=<emphasis role="bold">2001:470:e857:2::2</emphasis>
-REMOTE_IP=<emphasis role="bold">172.20.1.254</emphasis>
-REMOTE_IPV6=<emphasis role="bold">2001:470:e857:2::1</emphasis>
-TUNNEL_IF=gif0
-
-if [ $(ifconfig gif0 | wc -l ) -eq 1 ]; then
-    #
-    # Tunnel interface is not configured yet
-    #
-    /sbin/ifconfig $TUNNEL_IF tunnel $LOCAL_IP $REMOTE_IP
-    /sbin/ifconfig $TUNNEL_IF inet6 $LOCAL_IPV6 $REMOTE_IPV6 prefixlen 128
-else
-    /sbin/ifconfig $TUNNEL_IF up
-fi
-
-/sbin/route -n add -inet6 default $REMOTE_IPV6 &gt; /dev/null 2&gt;&amp;1</programlisting>
-
-      <para><filename>/Users/teastep/bin/down</filename>:</para>
-
-      <programlisting>#!/bin/bash
-
-TUNNEL_IF=gif0
-
-/sbin/ifconfig $TUNNEL_IF down
-/sbin/route -n delete -inet6 default &gt; /dev/null 2&gt;&amp;1
-</programlisting>
-    </blockquote>
-  </section>
-
  <section>
    <title>Bridged Roadwarrior</title>

--- a/docs/OpenVZ.xml
+++ b/docs/OpenVZ.xml
@@ -151,7 +151,7 @@ vz       ipv4</programlisting>
      <programlisting>###############################################################################
 #ZONE    INTERFACE          BROADCAST      OPTIONS
 net      eth0               -              proxyarp=1
-vz       venet0             -              <emphasis role="bold">routeback,rp_filter=0</emphasis></programlisting>
+vz       venet0             -              routeback,rp_filter=0</programlisting>
    </section>

    <section>
--- a/docs/Shorewall-init.xml
+++ b/docs/Shorewall-init.xml
@@ -1,284 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<article>
-  <!--$Id$-->
-
-  <articleinfo>
-    <title>Shorewall Init</title>
-
-    <authorgroup>
-      <author>
-        <firstname>Tom</firstname>
-
-        <surname>Eastep</surname>
-      </author>
-    </authorgroup>
-
-    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
-
-    <copyright>
-      <year>2010</year>
-
-      <holder>Thomas M. Eastep</holder>
-    </copyright>
-
-    <legalnotice>
-      <para>Permission is granted to copy, distribute and/or modify this
-      document under the terms of the GNU Free Documentation License, Version
-      1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
-      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
-      License</ulink></quote>.</para>
-    </legalnotice>
-  </articleinfo>
-
-  <section>
-    <title>Introduction</title>
-
-    <para>The Shorewall init scripts released from shorewall.net and by most
-    distributions start Shorewall after networking. This allows Shorewall to
-    detect the network configuration and taylor itself accordingly. It is
-    possible to start Shorewall prior to networking but doing so limits the
-    set of Shorewall features that can be used.</para>
-
-    <para>When Shorewall starts after networking, there is the possibility of
-    unwanted connections being accepted between the time that an interface
-    comes up and the time that Shorewall has finished starting up. Also,
-    Shorewall has had no means of reacting when interfaces are brought up and
-    down.</para>
-
-    <para>Beginning with Shorewall 4.4.10, a new package, <firstterm>Shorewall
-    Init</firstterm>, is available. Shorewall Init serves two purposes:</para>
-
-    <orderedlist>
-      <listitem>
-        <para>It can 'close' the firewall before the network interfaces are
-        brought up during boot.</para>
-      </listitem>
-
-      <listitem>
-        <para>It can change the firewall state as the result of interfaces
-        being brought up or taken down.</para>
-      </listitem>
-    </orderedlist>
-
-    <para>These two features can be controlled independently. Shorewall Init
-    can be used together with any combination of the other Shorewall packages.
-    Shorewall-init works on RedHat-based, SuSE-based and Debian-based
-    distributions.</para>
-  </section>
-
-  <section id="Close">
-    <title>Closing the Firewall before the Network Interfaces are brought
-    up</title>
-
-    <para> When Shorewall-init is first installed, it does nothing until you
-    configure it.</para>
-
-    <para>The configuration file is <filename>/etc/default/shorewall-init
-    </filename>on Debian-based systems and
-    <filename>/etc/sysconfig/shorewall-init</filename> otherwise. There are
-    two settings in the file: </para>
-
-    <variablelist>
-      <varlistentry>
-        <term>PRODUCTS</term>
-
-        <listitem>
-          <para>Lists the Shorewall packages that you want to integrate with
-          Shorewall-init.</para>
-
-          <para>Example: PRODUCTS="shorewall shorewall6"</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>IFUPDOWN</term>
-
-        <listitem>
-          <para>When set to 1, enables integration with NetworkManager and the
-          ifup/ifdown scripts.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-
-    <para>To close your firewall before networking starts:</para>
-
-    <orderedlist numeration="loweralpha">
-      <listitem>
-        <para>In the Shorewall-init configuration file, set PRODUCTS to the
-        firewall products installed on your system.</para>
-      </listitem>
-
-      <listitem>
-        <para>Be sure that your current firewall script(s) (normally in
-        <filename>/var/lib/&lt;product&gt;/firewall</filename>) is(are)
-        compiled with the 4.4.10 compiler. </para>
-
-        <para>Shorewall and Shorewall6 users can execute these
-        commands:</para>
-
-        <simplelist>
-          <member>shorewall compile</member>
-
-          <member><command>shorewall6 compile</command></member>
-        </simplelist>
-
-        <para>Shorewall-lite and Shorewall6-lite users can execute these
-        commands on the administrative system:</para>
-
-        <simplelist>
-          <member><command>shorewall export
-          <replaceable>firewall-name-or-ip-address</replaceable></command></member>
-
-          <member><command>shorewall6 export
-          <replaceable>firewall-name-or-ip-address</replaceable></command></member>
-        </simplelist>
-      </listitem>
-    </orderedlist>
-
-    <para>That's all that is required. </para>
-  </section>
-
-  <section id="NM">
-    <title>Integration with NetworkManager and ifup/ifdown Scripts</title>
-
-    <para>To integrate with NetworkManager and ifup/ifdown, additional steps
-    are required. You probably don't want to enable this feature if you run a
-    link status monitor like swping or LSM. </para>
-
-    <orderedlist numeration="loweralpha">
-      <listitem>
-        <para>In the Shorewall-init configuration file, set IFUPDOWN=1.</para>
-      </listitem>
-
-      <listitem>
-        <para>In your Shorewall interfaces file(s), set the
-        <option>required</option> option on any interfaces that must be up in
-        order for the firewall to start. At least one interface must have the
-        <option>required</option> or <option>optional</option> option if you
-        perform the next optional step.</para>
-      </listitem>
-
-      <listitem>
-        <para>Optional) -- If you have specified at least one
-        <option>required</option> or <option>optional</option> interface, you
-        can then disable automatic firewall startup at boot time. On
-        Debian-based systems, set startup=0 in
-        <filename>/etc/default/<replaceable>product</replaceable></filename>.
-        On other systems, use your service startup configuration tool
-        (chkconfig, insserv, ...) to disable startup. </para>
-      </listitem>
-    </orderedlist>
-
-    <para>The following actions occur when an interface comes up: </para>
-
-    <informaltable>
-      <tgroup cols="3">
-        <tbody>
-          <row>
-            <entry><emphasis role="bold">FIREWALL STATE</emphasis></entry>
-
-            <entry><emphasis role="bold">INTERFACE</emphasis></entry>
-
-            <entry><emphasis role="bold">ACTION</emphasis></entry>
-          </row>
-
-          <row>
-            <entry>Any</entry>
-
-            <entry>Required</entry>
-
-            <entry>start</entry>
-          </row>
-
-          <row>
-            <entry>stopped</entry>
-
-            <entry>Optional</entry>
-
-            <entry>start</entry>
-          </row>
-
-          <row>
-            <entry>started</entry>
-
-            <entry>Any</entry>
-
-            <entry>restart</entry>
-          </row>
-        </tbody>
-      </tgroup>
-    </informaltable>
-
-    <para>The following actions occur when an interface goes down:</para>
-
-    <informaltable>
-      <tgroup cols="3">
-        <tbody>
-          <row>
-            <entry><emphasis role="bold">FIREWALL STATE</emphasis></entry>
-
-            <entry><emphasis role="bold">INTERFACE</emphasis></entry>
-
-            <entry><emphasis role="bold">ACTION</emphasis></entry>
-          </row>
-
-          <row>
-            <entry>Any</entry>
-
-            <entry>Required</entry>
-
-            <entry>stop</entry>
-          </row>
-
-          <row>
-            <entry>stopped</entry>
-
-            <entry>Optional</entry>
-
-            <entry>start</entry>
-          </row>
-
-          <row>
-            <entry>started</entry>
-
-            <entry>Any</entry>
-
-            <entry>restart</entry>
-          </row>
-        </tbody>
-      </tgroup>
-    </informaltable>
-
-    <para> For optional interfaces, the
-    <filename>/var/lib/<replaceable>product</replaceable>/<replaceable>interface</replaceable>.state</filename>
-    files are maintained to reflect the state of the interface so that they
-    may be used by the standard <firstterm>isusable</firstterm> script. Please
-    note that the action is carried out using the current compiled script; the
-    configuration is not recompiled.</para>
-
-    <para>A new option has been added to <filename>shorewall.conf</filename>
-    and <filename>shorewall6.conf</filename>. The REQUIRE_INTERFACE option
-    determines the outcome when an attempt to start/restart/restore/refresh
-    the firewall is made and none of the optional interfaces are available.
-    With REQUIRE_INTERFACE=No (the default), the operation is performed. If
-    REQUIRE_INTERFACE=Yes, then the operation fails and the firewall is placed
-    in the stopped state. This option is suitable for a laptop with both
-    ethernet and wireless interfaces. If either come up, the firewall starts.
-    If neither comes up, the firewall remains in the stopped state.</para>
-
-    <para>Similarly, if an optional interface goes down and there are no
-    optional interfaces remaining in the up state, then the firewall is
-    stopped. </para>
-
-    <para>On Debian-based systems, during system shutdown the firewall is
-    opened prior to network shutdown (<command>/etc/init.d/shorewall
-    stop</command> performs a 'clear' operation rather than a 'stop'). This is
-    required by Debian standards. You can change this default behavior by
-    setting SAFESTOP=1 in <filename>/etc/default/shorewall</filename>
-    (<filename>/etc/default/shorewall6</filename>, ...). </para>
-  </section>
-</article>
--- a/docs/Shorewall-perl.xml
+++ b/docs/Shorewall-perl.xml
@@ -584,9 +584,9 @@ DNAT-              net                192.168.1.3      tcp          21</programl
      Shorewall-perl on an administrative system and employ Shorewall-lite on
      your embedded systems. Shorewall-perl will run on Windows under <ulink
      url="http://www.cygwin.com/">Cygwin</ulink> and on an <ulink
-      url="http://www.apple.com/mac/">Apple MacIntosh</ulink> running OS X.
-      Install from a shell prompt <ulink url="Install.htm">using the
-      install.sh script</ulink>.</para>
+      url="http://www.apple.com/mac/">Apple MacIntosh</ulink> running OS X
+      (Mac support was added in Shorewall 4.4.9). Install from a shell prompt
+      <ulink url="Install.htm">using the install.sh script</ulink>.</para>
    </section>
  </section>

--- a/docs/Shorewall_Squid_Usage.xml
+++ b/docs/Shorewall_Squid_Usage.xml
@@ -320,7 +320,7 @@ ACCEPT    $FW      net    tcp      80,443</programlisting></para>
    url="http://wiki.squid-cache.org/Features/Tproxy4">http://wiki.squid-cache.org/Features/Tproxy4</ulink>.</para>

    <para>The following configuration works with Squid running on the firewall
-    itself (assume that Squid is listening on port 3128).</para>
+    itself.</para>

    <para><filename>/etc/shorewall/interfaces:</filename></para>

@@ -332,7 +332,7 @@ ACCEPT    $FW      net    tcp      80,443</programlisting></para>
    <programlisting>#NAME   NUMBER   MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS               COPY
 Tproxy    1        1        -           lo        -            local</programlisting>

-    <para><filename>/etc/shorewall/tcrules</filename> (assume loc interface is
+    <para><filename>/etc/shorewall/tcrules</filename> (assume Z interface is
    eth1):</para>

    <programlisting>MARK            SOURCE      DEST        PROTO      PORT(S)
@@ -341,7 +341,7 @@ TPROXY(1,3128)  eth1        0.0.0.0/0   tcp        80</programlisting>
    <para>/etc/shorewall/rules:</para>

    <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
-ACCEPT    loc      $FW    tcp     3128
+ACCEPT    Z        $FW    tcp     SP
 ACCEPT    $FW      net    tcp     80</programlisting>
  </section>
 </article>
--- a/docs/UPnP.xml
+++ b/docs/UPnP.xml
@@ -109,11 +109,6 @@ forwardUPnP        net     loc</programlisting>
      this route during <command>start</command> and deletes it during
      <command>stop</command>.</para>
    </note>
-
-    <caution>
-      <para>Shorewall versions prior to 4.4.10 do not retain the dynamic rules
-      added by linux-idg over a <command>shorewall restart</command>.</para>
-    </caution>
  </section>

  <section>
--- a/docs/Vserver.xml
+++ b/docs/Vserver.xml
@@ -1,172 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<article>
-  <!--$Id$-->
-
-  <articleinfo>
-    <title>Shorewall and Linux-vserver</title>
-
-    <authorgroup>
-      <author>
-        <firstname>Tom</firstname>
-
-        <surname>Eastep</surname>
-      </author>
-    </authorgroup>
-
-    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
-
-    <copyright>
-      <year>2010</year>
-
-      <holder>Thomas M. Eastep</holder>
-    </copyright>
-
-    <legalnotice>
-      <para>Permission is granted to copy, distribute and/or modify this
-      document under the terms of the GNU Free Documentation License, Version
-      1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
-      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
-      License</ulink></quote>.</para>
-    </legalnotice>
-  </articleinfo>
-
-  <section>
-    <title>Introduction</title>
-
-    <para>Formal support for Linux-vserver was added in Shorewall 4.4.11
-    Beta2. The centerpiece of that support is the
-    <firstterm>vserver</firstterm> zone type. Vserver zones have the following
-    characteristics:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>They are defined on the Linux-vserver host.</para>
-      </listitem>
-
-      <listitem>
-        <para>The $FW zone is their implicit parent.</para>
-      </listitem>
-
-      <listitem>
-        <para>Their contents must be defined using the <ulink
-        url="manpages/shorewall-hosts.html">shorewall-hosts </ulink>(5) file.
-        The <emphasis role="bold">ipsec</emphasis> option may not be
-        specified.</para>
-      </listitem>
-
-      <listitem>
-        <para>They may not appear in the ZONE column of the <ulink
-        url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
-        (5) file.</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>If you use these zones, keep in mind that Linux-vserver implements a
-    very weak form of network virtualization:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>From a networking point of view, vservers live on the host
-        system. So if you don't use care, Vserver traffic to/from zone z will
-        be controlled by the fw-&gt;z and z-&gt;fw rules and policies rather
-        than by vserver-&gt;z and z-&gt;vserver rules and policies.</para>
-      </listitem>
-
-      <listitem>
-        <para>Outgoing connections from a vserver will not use the Vserver's
-        address as the SOURCE IP address unless you configure applications
-        running in the Vserver properly. This is especially true for IPv6
-        applications. Such connections will appear to come from the $FW zone
-        rather than the intended Vserver zone.</para>
-      </listitem>
-
-      <listitem>
-        <para>While you can define the vservers to be associated with the
-        network interface where their IP addresses are added at vserver
-        startup time, Shorewall internally associates all vservers with the
-        loopback interface (<emphasis role="bold">lo</emphasis>). Here's an
-        example of how that association can show up:</para>
-
-        <programlisting>gateway:~# shorewall show zones
-Shorewall 4.4.11-Beta2 Zones at gateway - Fri Jul  2 12:26:30 PDT 2010
-
-fw (firewall)
-drct (ipv4)
-   eth4:+drct_eth4
-loc (ipv4)
-   eth4:0.0.0.0/0
-net (ipv4)
-   eth1:0.0.0.0/0
-vpn (ipv4)
-   tun+:0.0.0.0/0
-dmz (<emphasis role="bold">vserver</emphasis>)
-   <emphasis role="bold">lo</emphasis>:70.90.191.124/31
-
-gateway:~#</programlisting>
-      </listitem>
-    </itemizedlist>
-  </section>
-
-  <section>
-    <title>Vserver Zones</title>
-
-    <para>Here is a diagram of the network configuration here at Shorewall.net
-    during the summer of 2010:</para>
-
-    <graphic align="center" fileref="images/Network2010a.png" />
-
-    <para>I created a zone for the vservers as follows:</para>
-
-    <para><filename>/etc/shorewall/zones</filename>:</para>
-
-    <programlisting>#ZONE           TYPE            OPTIONS            ...
-fw              firewall
-loc             ip              #Local Zone
-drct:loc        ipv4            #Direct internet access
-net             ipv4            #Internet
-vpn             ipv4            #OpenVPN clients
-<emphasis role="bold">dmz             vserver         #Vservers</emphasis></programlisting>
-
-    <para><filename>/etc/shorewall/hosts</filename>:</para>
-
-    <programlisting>#ZONE   HOST(S)                                 OPTIONS
-drct    eth3:dynamic
-<emphasis role="bold">dmz     eth1:70.90.191.124/31</emphasis></programlisting>
-
-    <para>While the IP addresses 70.90.191.124 and 70.90.191.125 are
-    configured on eth1, the actual interface name is irrelevate so long as the
-    interface is defined in <ulink
-    url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5).
-    Shorewall will consider all vserver zones to be associated with the
-    loopback interface (<emphasis role="bold">lo</emphasis>).</para>
-
-    <para>Once a vserver zone is defined, it can be used like any other zone
-    type.</para>
-
-    <para>Here is the corresponding IPv6 configuration.</para>
-
-    <para><filename>/etc/shorewall6/zones</filename></para>
-
-    <programlisting>#ZONE	TYPE	OPTIONS			IN			OUT
-#					OPTIONS			OPTIONS
-fw	firewall
-net	ipv6
-loc	ipv6
-vpn	ipv6
-<emphasis role="bold">dmz	vserver</emphasis>
-</programlisting>
-
-    <para><filename>/etc/shorewall6/hosts</filename>:</para>
-
-    <programlisting>#ZONE   HOST(S)                                 OPTIONS
-dmz	sit1:[2001:470:e857:1::/64]</programlisting>
-
-    <para>Note that I choose to place the Vservers on sit1 (the IPv6 net
-    interface) rather than on eth1. Again, it really doesn't matter
-    much.</para>
-  </section>
-</article>
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -188,11 +188,6 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
        <para>save - save the dynamic blacklisting configuration so that it
        will be automatically restored the next time that the firewall is
        restarted.</para>
-
-        <para><emphasis role="bold">Update:</emphasis> Beginning with
-        Shorewall 4.4.10, the dynamic blacklist is automatically retained over
-        <command>stop/start</command> sequences and over
-        <command>restart</command>.</para>
      </listitem>

      <listitem>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -48,17 +48,6 @@
    before you use them with Shorewall.</para>
  </caution>

-  <section>
-    <title id="Intro">Introduction</title>
-
-    <para>This article offers hints about how to accomplish common tasks with
-    Shorewall. The <ulink url="Introduction.html">Introduction to
-    Shorewall</ulink> is required reading for being able to use this article
-    effectively. For information about setting up your first Shorewall-based
-    firewall, see the <ulink url="GettingStarted.html">Quickstart
-    Guides</ulink>.</para>
-  </section>
-
  <section id="Files">
    <title>Files</title>

@@ -122,9 +111,8 @@
        </listitem>

        <listitem>
-          <para><filename>/etc/shorewall/tcrules </filename>- The file has a
-          rather unfortunate name because it is used to define marking of
-          packets for later use by both traffic control/shaping and policy
+          <para><filename>/etc/shorewall/tcrules </filename>- defines marking
+          of packets for later use by traffic control/shaping or policy
          routing.</para>
        </listitem>

@@ -622,8 +610,8 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
    <title>Using Shell Variables</title>

    <para>You may use the <filename>/etc/shorewall/params</filename> file to
-    set shell variables that you can then use in the other configuration
-    files.</para>
+    set shell variables that you can then use in some of the other
+    configuration files.</para>

    <para>It is suggested that variable names begin with an upper case letter
    to distinguish them from variables used internally within the Shorewall
--- a/docs/images/Network2010a.dia
+++ b/docs/images/Network2010a.dia
--- a/docs/images/Network2010a.png
+++ b/docs/images/Network2010a.png
--- a/docs/shorewall_features.xml
+++ b/docs/shorewall_features.xml
@@ -88,7 +88,8 @@
            <para>Shorewall installed on a single administrative system. May
            be a <trademark>Windows</trademark> PC running
            <trademark>Cygwin</trademark> or an <trademark>Apple
-            MacIntosh</trademark> running OS X.</para>
+            MacIntosh</trademark> running OS X (Mac support was added in
+            Shorewall 4.4.9).</para>
          </listitem>

          <listitem>
--- a/docs/shorewall_setup_guide.xml
+++ b/docs/shorewall_setup_guide.xml
@@ -363,7 +363,7 @@ all              all                 REJECT     info</programlisting>
    class="devicefile">ppp0</filename> or <filename
    class="devicefile">ippp0</filename> then you will want to set CLAMPMSS=yes
    in <filename><ulink
-    url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink></filename>.</para>
+    url="manpages/shorewall.conf.htmlig">/etc/shorewall/shorewall.conf</ulink></filename>.</para>

    <para>Your <emphasis>Local Interface</emphasis> will be an Ethernet
    adapter (<filename class="devicefile">eth0</filename>,
--- a/docs/standalone.xml
+++ b/docs/standalone.xml
@@ -41,6 +41,12 @@
    release.</emphasis></para>
  </caution>

+  <caution>
+    <para><emphasis role="bold">Do not attempt to install Shorewall on a
+    remote system. You are virtually assured to lock yourself out of that
+    system.</emphasis></para>
+  </caution>
+
  <section id="Introduction">
    <title>Introduction</title>

@@ -577,23 +583,6 @@ SSH(ACCEPT) net       $FW           </programlisting>
    other connections as desired.</para>
  </section>

-  <section>
-    <title>Disabling your existing Firewall</title>
-
-    <para>Before starting Shorewall for the first time, it's a good idea to
-    stop your existing firewall. On Redhat/CentOS/Fedora:</para>
-
-    <programlisting><command>service iptables stop</command></programlisting>
-
-    <para>If you are running SuSE, use Yast or Yast2 to stop
-    SuSEFirewall.</para>
-
-    <para>Once you have Shorewall running to your satisfaction, you should
-    totally disable your existing firewall. On /Redhat/CentOS/Fedora:</para>
-
-    <programlisting><command>chkconfig --del iptables</command></programlisting>
-  </section>
-
  <section id="Starting">
    <title>Starting and Stopping Your Firewall</title>

@@ -610,7 +599,7 @@ SSH(ACCEPT) net       $FW           </programlisting>
    <important>
      <para>Users of the .deb package must edit
      <filename>/etc/default/shorewall</filename> and set
-      <varname>startup=1.</varname></para>
+      <varname>STARTUP=1.</varname></para>
    </important>

    <important>
@@ -648,13 +637,6 @@ SSH(ACCEPT) net       $FW           </programlisting>
      url="starting_and_stopping_shorewall.htm"><quote><command>shorewall
      try</command></quote></ulink> command.</para>
    </warning>
-
-    <para>The firewall will start after your network interface has been
-    brought up. This leaves a small window between the time that the network
-    interface is working and when the firewall is controlling connections
-    through that interface. If this is a concern, you can close that window by
-    installing the <ulink url="Shorewall-init.html">Shorewall Init
-    Package</ulink>.</para>
  </section>

  <section id="Problems">
--- a/docs/starting_and_stopping_shorewall.xml
+++ b/docs/starting_and_stopping_shorewall.xml
@@ -190,15 +190,6 @@
    <filename>/sbin/shorewall</filename> (or
    <filename>/sbin/shorewall-lite</filename>) and your init scripts unless
    you got your Shorewall package from shorewall.net.</para>
-
-    <para><emphasis role="bold">Update:</emphasis><blockquote>
-        <para>In Shorewall 4.4.0 and later, the tarballs from shorewall.net
-        follow the Debian convention when installed on a Debian or Ubuntu
-        system. Beginning with Shorewall 4.4.10, you can revert to the prior
-        behavior by setting SAFESTOP=1 in
-        <filename>/etc/default/shorewall</filename>,
-        <filename>/etc/default/shorewall6</filename>, etc.</para>
-      </blockquote></para>
  </section>

  <section id="Trace">
--- a/docs/support.xml
+++ b/docs/support.xml
@@ -428,9 +428,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
    below).</para>

    <para>For <emphasis role="bold">quick questions</emphasis>, there is also
-    a #shorewall channel at irc.freenode.net. <emphasis role="bold">You must
-    have a registered Nic on freenode in order to post on the
-    channel.</emphasis></para>
+    a #shorewall channel at irc.freenode.net.</para>
  </section>

  <section id="Users">
--- a/docs/three-interface.xml
+++ b/docs/three-interface.xml
@@ -41,6 +41,12 @@
    release.</emphasis></para>
  </caution>

+  <caution>
+    <para><emphasis role="bold">Do not attempt to install Shorewall on a
+    remote system. You are virtually assured to lock yourself out of that
+    system.</emphasis></para>
+  </caution>
+
  <section id="Intro">
    <title>Introduction</title>

@@ -1092,23 +1098,6 @@ ACCEPT    net       $FW                 tcp        80       </programlisting><it
    </itemizedlist>
  </section>

-  <section>
-    <title>Disabling your existing Firewall</title>
-
-    <para>Before starting Shorewall for the first time, it's a good idea to
-    stop your existing firewall. On Redhat/CentOS/Fedora:</para>
-
-    <programlisting><command>service iptables stop</command></programlisting>
-
-    <para>If you are running SuSE, use Yast or Yast2 to stop
-    SuSEFirewall.</para>
-
-    <para>Once you have Shorewall running to your satisfaction, you should
-    totally disable your existing firewall. On /Redhat/CentOS/Fedora:</para>
-
-    <programlisting><command>chkconfig --del iptables</command></programlisting>
-  </section>
-
  <section id="Starting">
    <title>Starting and Stopping Your Firewall</title>

@@ -1162,13 +1151,6 @@ ACCEPT    net       $FW                 tcp        80       </programlisting><it
        url="starting_and_stopping_shorewall.htm"><command>shorewall
        try</command> command</ulink>.</para>
      </warning></para>
-
-    <para>The firewall will start after your network interfaces have been
-    brought up. This leaves a small window between the time that the network
-    interface are working and when the firewall is controlling connections
-    through those interfaces. If this is a concern, you can close that window
-    by installing the <ulink url="Shorewall-init.html">Shorewall Init
-    Package</ulink>.</para>
  </section>

  <section id="Trouble">
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -148,7 +148,7 @@
    linkend="tcclasses">below</link>.</para>

    <para>You can shape incoming traffic through use of an
-    <firstterm>Intermediate Functional Block</firstterm> (IFB) device. <link
+    <firstterm>Intermediate Frame Block</firstterm> (IFB) device. <link
    linkend="IFB">See below</link>. <emphasis role="bold">But beware: using an
    IFB can result in queues building up both at your ISPs router and at your
    own.</emphasis></para>
@@ -428,7 +428,7 @@
        <listitem>
          <para>REDIRECTED INTERFACES — Entries are appropriate in this column
          only if the device in the INTERFACE column names a <link
-          linkend="IFB">Intermediate Functional Block (IFB)</link>. It lists the
+          linkend="IFB">Intermediate Frame Block (IFB)</link>. It lists the
          physical interfaces that will have their input shaped using classes
          defined on the IFB. Neither the IFB nor any of the interfaces listed
          in this column may have an IN-BANDWIDTH specified. You may specify
@@ -1783,7 +1783,7 @@ eth1            4       94mbit          full            4           default #for
  </section>

  <section id="IFB">
-    <title>Intermediate Functional Block (IFB) Devices</title>
+    <title>Intermediate Frame Block (IFB) Devices</title>

    <para>The principles behind an IFB is fairly simple:</para>

--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@@ -38,6 +38,12 @@
    release.</emphasis></para>
  </caution>

+  <caution>
+    <para><emphasis role="bold">Do not attempt to install Shorewall on a
+    remote system. You are virtually assured to lock yourself out of that
+    system.</emphasis></para>
+  </caution>
+
  <section id="Intro">
    <title>Introduction</title>

@@ -1012,23 +1018,6 @@ ACCEPT     loc       $FW     tcp       80          #Allow Weblet to work</progra
    </itemizedlist>
  </section>

-  <section>
-    <title>Disabling your existing Firewall</title>
-
-    <para>Before starting Shorewall for the first time, it's a good idea to
-    stop your existing firewall. On Redhat/CentOS/Fedora:</para>
-
-    <programlisting><command>service iptables stop</command></programlisting>
-
-    <para>If you are running SuSE, use Yast or Yast2 to stop
-    SuSEFirewall.</para>
-
-    <para>Once you have Shorewall running to your satisfaction, you should
-    totally disable your existing firewall. On /Redhat/CentOS/Fedora:</para>
-
-    <programlisting><command>chkconfig --del iptables</command></programlisting>
-  </section>
-
  <section id="Starting">
    <title>Starting and Stopping Your Firewall</title>

@@ -1079,13 +1068,6 @@ ACCEPT     loc       $FW     tcp       80          #Allow Weblet to work</progra
        configuration and test it using the <quote><command>shorewall
        try</command></quote> command.</para>
      </warning></para>
-
-    <para>The firewall will start after your network interfaces have been
-    brought up. This leaves a small window between the time that the network
-    interfaces are working and when the firewall is controlling connections
-    through those interfaces. If this is a concern, you can close that window
-    by installing the <ulink url="Shorewall-init.html">Shorewall Init
-    Package</ulink>.</para>
  </section>

  <section id="Trouble">
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	6b1d24f626	Add IP_FORWARDING=On to FAQ 1g	2010-05-07 08:48:26 -07:00
Tom Eastep	1de2e68bb7	Clarify that Mac support requires Shorewall 4.4.9)	2010-05-06 12:47:13 -07:00
Tom Eastep	c7af716920	Modify first attempts to allow installaton on a Mac Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-05-06 11:23:14 -07:00
Tom Eastep	2ab9cc3c58	Document OS X as an Administrative system Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-05-06 09:01:26 -07:00
Tom Eastep	a3b998d934	Allow OS X to be an Administrative System Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-05-06 08:17:17 -07:00
				`@@ -1 +0,0 @@`
				`This is the Shorewall-init stable 4.4 branch of Git.`