Update known problems

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Rename DESTIFAC_DISALLOW -> DESTIFACE_DISALLOW
2010-09-21 07:50:13 -07:00 · 2010-09-20 09:40:31 -07:00 · 2010-09-20 08:15:24 -07:00 · 2010-09-20 07:25:33 -07:00 · 2010-09-19 15:19:48 -07:00 · 2010-09-19 15:13:54 -07:00
120 changed files with 2759 additions and 768 deletions
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.13-Beta1
+VERSION=4.4.13

 usage() # $1 = exit status
 {
--- a/Shorewall-init/shorewall-init.spec
+++ b/Shorewall-init/shorewall-init.spec
@@ -1,6 +1,6 @@
 %define name shorewall-init
 %define version 4.4.13
-%define release 0Beta1
+%define release 0base

 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@@ -99,6 +99,20 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
 * Wed Aug 18 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta1
 * Sun Aug 15 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.13-Beta1
+VERSION=4.4.13

 usage() # $1 = exit status
 {
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.13-Beta1
+VERSION=4.4.13

 usage() # $1 = exit status
 {
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall-lite
 %define version 4.4.13
-%define release 0Beta1
+%define release 0base

 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -102,6 +102,20 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
 * Wed Aug 18 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta1
 * Sun Aug 15 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.13-Beta1
+VERSION=4.4.13

 usage() # $1 = exit status
 {
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -86,7 +86,7 @@ sub process_accounting_rule( ) {
 	$jumpchainref = ensure_accounting_chain( $jumpchain, 0 );
 	check_chain( $jumpchainref );
 	$disposition = $jumpchain;
-	"-j $jumpchain";
+	$jumpchain;
    }

    my $target = '';
@@ -101,7 +101,7 @@ sub process_accounting_rule( ) {
    
    unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
-	    $target = '-j RETURN';
+	    $target = 'RETURN';
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 	    if ( $cmd ) {
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -58,7 +58,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_12';
+our $VERSION = '4.4_13';

 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -636,7 +636,7 @@ sub process_action( $$$$$$$$$$$ ) {
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
-		  $action ? "-j $action" : '',
+		  $action ,
 		  $level ,
 		  $action ,
 		  '' );
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -68,6 +68,7 @@ our %EXPORT_TAGS = (
 				       SET
 				       NO_RESTRICT
 				       PREROUTE_RESTRICT
+				       DESTIFACE_DISALLOW
 				       INPUT_RESTRICT
 				       OUTPUT_RESTRICT
 				       POSTROUTE_RESTRICT
@@ -154,6 +155,7 @@ our %EXPORT_TAGS = (
 				       do_ipsec
 				       log_rule
 				       expand_rule
+				       promote_blacklist_rules
 				       addnatjump
 				       set_chain_variables
 				       mark_firewall_not_started
@@ -212,6 +214,7 @@ our $VERSION = '4.4_13';
 #                                                               ]
 #                                               logchains    => { <key1> = <chainref1>, ... }
 #                                               references   => { <ref1> => <refs>, <ref2> => <refs>, ... }
+#                                               blacklist    => <number of blacklist rules at the head of the rules array> ( 0 or 1 )
 #                                             } ,
 #                                <chain2> => ...
 #                              }
@@ -263,7 +266,8 @@ use constant { NO_RESTRICT        => 0,   # FORWARD chain rule     - Both -i and
 	       INPUT_RESTRICT      => 4,   # INPUT chain rule       - -o not allowed
 	       OUTPUT_RESTRICT     => 8,   # OUTPUT chain rule      - -i not allowed
 	       POSTROUTE_RESTRICT  => 16,  # POSTROUTING chain rule - -i converted to -s <address list> using main routing table
-	       ALL_RESTRICT       => 12   # fw->fw rule            - neither -i nor -o allowed
+	       ALL_RESTRICT        => 12,  # fw->fw rule            - neither -i nor -o allowed
+	       DESTIFACE_DISALLOW  => 32,  # Don't allow dest interface
 	       };

 our $iprangematch;
@@ -600,13 +604,26 @@ sub add_reference ( $$ ) {
    $toref->{references}{$fromref->{name}}++;
 }

+#
+# Delete a previously added reference
+#
+sub delete_reference( $$ ) {
+    my ( $fromref, $to ) = @_;
+
+    my $toref = reftype $to ? $to : $chain_table{$fromref->{table}}{$to};
+
+    delete $toref->{references}{$fromref->{name}} unless --$toref->{references}{$fromref->{name}} > 0;
+}
+
 #
 # Insert a rule into a chain. Arguments are:
 #
 #    Chain reference , Rule Number, Rule
 #
 # In the first function, the rule number is zero-relative. In the second function,
-# the rule number is one-relative.
+# the rule number is one-relative. In the first function, if the rule number is < 0, then
+# the rule is a jump to a blacklist chain (blacklst or blackout). The rule will be 
+# inserted at the front of the chain and the chain's 'blacklist' member incremented.
 #
 sub insert_rule1($$$)
 {
@@ -617,6 +634,11 @@ sub insert_rule1($$$)
    $rule .= "-m comment --comment \"$comment\"" if $comment;
    $rule  = join( ' ', '-A', $rule );

+    if ( $number < 0 ) {
+	$chainref->{blacklist}++;
+	$number = 0;
+    }
+
    splice( @{$chainref->{rules}}, $number, 0, $rule );

    trace( $chainref, 'I', ++$number, $rule ) if $debug;
@@ -634,12 +656,13 @@ sub insert_rule($$$) {

 #
 # Do final work to 'delete' a chain. We leave it in the chain table but clear
-# the 'referenced', 'rules' and 'references' members.
+# the 'referenced', 'rules', 'references' and 'blacklist' members.
 #
 sub delete_chain( $ ) {
    my $chainref = shift;

    $chainref->{referenced} = 0;
+    $chainref->{blacklist}  = 0;
    $chainref->{rules}      = [];
    $chainref->{references} = {};
    trace( $chainref, 'X', undef, '' ) if $debug;
@@ -682,8 +705,8 @@ sub increment_reference_count( $$ ) {
 #
 # The rules generated by interface options are added to the interfaces's input chain and
 # forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to
-# a zone-oriented chain, hence this function.
-#
+# the head of a rules chain (behind any blacklist rule already there).
+
 sub move_rules( $$ ) {
    my ($chain1, $chain2 ) = @_;

@@ -693,6 +716,7 @@ sub move_rules( $$ ) {
 	my $rules     = $chain2->{rules};
 	my $count     = @{$chain1->{rules}};
 	my $tableref  = $chain_table{$chain1->{table}};
+	my $blacklist = $chain2->{blacklist};
 	#
 	# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
 	#
@@ -703,18 +727,22 @@ sub move_rules( $$ ) {
 	}
 	
 	if ( $debug ) {
-	    my $rule = @{$chain1->{rules}};
+	    my $rule = $blacklist;
 	    trace( $chain2, 'A', ++$rule, $_ ) for @{$chain1->{rules}};
 	}

-	unshift @{$rules}, @{$chain1->{rules}};
+	splice @$rules, $blacklist, 0, @{$chain1->{rules}};
+
+	$chain2->{referenced} = 1;
+
+	unless ( $chain2->{blacklist} += $chain1->{blacklist} ) {
 	    #
 	    # In a firewall->x policy chain, multiple DHCP ACCEPT rules can be moved to the head of the chain.
 	    # This hack avoids that.
 	    #
 	    shift @{$rules} while @{$rules} > 1 && $rules->[0] eq $rules->[1];
+	}
 	    
-	$chain2->{referenced} = 1;
 	delete_chain $chain1;

 	$count;
@@ -731,8 +759,10 @@ sub copy_rules( $$ ) {
    my $name1      = $chain1->{name};
    my $name       = $name1;
    my $name2      = $chain2->{name};
-    my @rules     = @{$chain1->{rules}};
-    my $rules     = $chain2->{rules};
+    my $blacklist1 = $chain1->{blacklist};
+    my $blacklist2 = $chain2->{blacklist};
+    my @rules1     = @{$chain1->{rules}};
+    my $rules2     = $chain2->{rules};
    my $count      = @{$chain1->{rules}};
    my $tableref   = $chain_table{$chain1->{table}};
    #
@@ -740,20 +770,49 @@ sub copy_rules( $$ ) {
    #
    $name1 =~ s/\+/\\+/;

-    my $last = pop @$rules; # Delete the jump to chain1
+    my $last = pop @$rules2; # Delete the jump to chain1

-    if ( $debug ) {
-	my $rule = @$rules;
-	trace( $chain2, 'A', ++$rule, $_ ) for @rules;
+    if ( $blacklist2 && $blacklist1 ) {
+	#
+	# Chains2 already has a blacklist jump -- delete the one at the head of chain1's rule list
+	#
+	my $rule = shift @rules1;
+	
+	$rule =~ / -j ([^\s])/;
+
+	my $chainb = $1;
+
+	assert( $chainb =~ /^black/ );
+
+	delete_reference $chain1, $chainb;
+
+	assert( ! --$chain1->{blacklist} );
+	$blacklist1 = 0;
    }
    #
    # Chain2 is now a referent of all of Chain1's targets
    #
-    for ( @rules ) {
+    for ( @rules1 ) {
 	increment_reference_count( $tableref->{$1}, $name2 ) if / -[jg] ([^\s]+)/;
    }

-    push @$rules, @rules;
+    if ( $blacklist1 ) {
+	assert( $blacklist1 == 1 );
+
+	trace( $chain2, 'A', 1 , $rules1[0]) if $debug;
+
+ 	unshift @$rules2, shift @rules1;
+	
+	$chain1->{blacklist} = 0;
+	$chain2->{blacklist} = 1;
+    }
+
+    if ( $debug ) {
+	my $rule = @$rules2;
+	trace( $chain2, 'A', ++$rule, $_ ) for @rules1;
+    }
+    
+    push @$rules2, @rules1;

    progress_message "  $count rules from $chain1->{name} appended to $chain2->{name}";

@@ -992,7 +1051,8 @@ sub new_chain($$)
 		     loglevel   => '',
 		     log        => 1,
 		     cmdlevel   => 0,
-		     references => {} };
+		     references => {},
+		     blacklist  => 0 };

    trace( $chainref, 'N', undef, '' ) if $debug;

@@ -1077,7 +1137,7 @@ sub delete_jumps ( $$ ) {
    # deleting elements from the array over which we are iterating.
    #
    for ( my $rule = 0; $rule <= $#{$rules}; $rule++ ) {
-	if (  $rules->[$rule] =~ / -[gj] ${to}\s*$/ ) {
+	if (  $rules->[$rule] =~ / -[gj] ${to}(\s+-m comment .*)?\s*$/ ) {
 	    trace( $fromref, 'D', $rule + 1, $rules->[$rule] ) if $debug;
 	    splice(  @$rules, $rule, 1 );
 	    last unless --$refs > 0;
@@ -2494,7 +2554,7 @@ sub get_set_flags( $$ ) {
 	$setname  = $1;
 	my $count = $2;
 	$options .= ",$option" while --$count > 0;
-    } elsif ( $setname =~ /^(.*)\[(src|dst)(,(src|dst))*\]$/ ) {
+    } elsif ( $setname =~ /^(.*)\[((src|dst)(,(src|dst))*)\]$/ ) {
 	$setname = $1;
 	$options = $2;
    }
@@ -2523,7 +2583,7 @@ sub match_source_net( $;$ ) {
    } elsif ( $net =~ /^!?~/ ) {
 	fatal_error "MAC address cannot be used in this context" if $restriction >= OUTPUT_RESTRICT;
 	mac_match $net;
-    } elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*(\[.*\])?/ ) {
+    } elsif ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?/ ) {
 	require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
 	join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
    } elsif ( $net =~ s/^!// ) {
@@ -2547,7 +2607,7 @@ sub match_dest_net( $ ) {
 	$net =~ s/!// if my $invert = $1 ? '! ' : '';
 	validate_range $addr1, $addr2;
 	iprange_match . "${invert}--dst-range $net ";
-    } elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*(\[.*\])?$/ ) {
+    } elsif ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?$/ ) {
 	require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '');
 	join( '', '-m set ', $1 ? '! ' : '',  get_set_flags( $net, 'dst' ) );
    } elsif ( $net =~ /^!/ ) {
@@ -3161,7 +3221,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	$source,       # SOURCE
 	$dest,         # DEST
 	$origdest,     # ORIGINAL DEST
-	$target,       # Target ('-j' part of the rule)
+	$target,       # Target ('-j' part of the rule - may be empty)
 	$loglevel ,    # Log level (and tag)
 	$disposition,  # Primtive part of the target (RETURN, ACCEPT, ...)
 	$exceptionrule,# Caller's matches used in exclusion case
@@ -3170,6 +3230,8 @@ sub expand_rule( $$$$$$$$$$;$ )

    my ($iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl );
    my $chain = $chainref->{name};
+    my $table = $chainref->{table};
+    my $jump  = $target ? '-j ' . $target : '';

    our @ends = ();
    #
@@ -3213,17 +3275,6 @@ sub expand_rule( $$$$$$$$$$;$ )
    } elsif ( $disposition eq 'LOG' ) {
 	fatal_error "LOG requires a level";
    }
-    #
-    # Mark Target as referenced, if it's a chain
-    #
-    if ( $target =~ /-[jg]\s+([^\s]+)/ ) {
-	my $targetref = $chain_table{$chainref->{table}}{$1};
-	if ( $targetref ) {
-	    $targetref->{referenced} = 1;
-	    add_reference $chainref, $targetref;
-	}
-    }
-
    #
    # Isolate Source Interface, if any
    #
@@ -3269,7 +3320,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    #
 	    fatal_error "Bridge ports may not appear in the SOURCE column of this file" if port_to_bridge( $iiface );

-	    if ( $chainref->{table} eq 'nat' ) {
+	    if ( $table eq 'nat' ) {
 		warning_message qq(Using an interface as the masq SOURCE requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount++;
 	    } else {
 		warning_message qq(Using an interface as the SOURCE in a T: rule requires the interface to be up and configured when $Product starts/restarts) unless $idiotcount1++;
@@ -3357,13 +3408,14 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    #
 	    # Dest interface -- must use routing table
 	    #
+	    fatal_error "A DEST interface is not permitted in the PREROUTING chain" if $restriction & DESTIFACE_DISALLOW;
 	    fatal_error "Bridge port ($diface) not allowed" if port_to_bridge( $diface );
 	    push_command( $chainref , 'for dest in ' . get_interface_nets( $diface) . '; do', 'done' );
 	    $rule .= '-d $dest ';
 	} else {
-
 	    fatal_error "Bridge Port ($diface) not allowed in OUTPUT or POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT ) ) && port_to_bridge( $diface );
 	    fatal_error "Destination Interface ($diface) not allowed when the destination zone is the firewall zone" if $restriction & INPUT_RESTRICT;
+	    fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain" if $restriction & DESTIFACE_DISALLOW;

 	    if ( $iiface ) {
 		my $bridge = port_to_bridge( $diface );
@@ -3493,34 +3545,58 @@ sub expand_rule( $$$$$$$$$$;$ )
    fatal_error "SOURCE interface may not be specified with a source IP address in the POSTROUTING chain"   if $restriction == POSTROUTE_RESTRICT && $iiface && ( $inets ne ALLIP || $iexcl || $trivialiexcl);
    fatal_error "DEST interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT &&  $diface && ( $dnets ne ALLIP || $dexcl || $trivialdexcl);

+    my ( $fromref, $done );
+
    if ( $iexcl || $dexcl || $oexcl ) {
 	#
-	# We have non-trivial exclusion -- need to create an exclusion chain
+	# We have non-trivial exclusion
 	#
-	fatal_error "Exclusion is not possible in ACCEPT+/CONTINUE/NONAT rules" if $disposition eq 'RETURN';
+	if ( $disposition eq 'RETURN' || $disposition eq 'CONTINUE' ) {
+	    #
+	    # We can't use an exclusion chain -- we mark those packets to be excluded and then condition the rules generated in the block below on the mark value
+	    #
+	    require_capability 'MARK_ANYWHERE' , 'Exclusion in ACCEPT+/CONTINUE/NONAT rules', 's' unless $table eq 'mangle';
+	    require_capability 'KLUDGEFREE' ,    'Exclusion in ACCEPT+/CONTINUE/NONAT rules', 's' if $rule =~ / -m mark /;
+	    #
+	    # Clear the exclusion bit
+	    #
+	    add_rule $chainref , '-j MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
+	    #
+	    # Mark packet if it matches any of the exclusions
+	    #
+	    my $exclude = '-j MARK --or-mark ' . in_hex( $globals{EXCLUSION_MASK} );

+	    add_rule $chainref, ( match_source_net $_ , $restriction ) . $exclude for ( mysplit $iexcl );
+	    add_rule $chainref, ( match_dest_net $_ )                  . $exclude for ( mysplit $dexcl );
+	    add_rule $chainref, ( match_orig_dest $_ )                 . $exclude for ( mysplit $oexcl );
+	    #
+	    # Augment the rule to include 'not excluded'
+	    #
+	    $rule .= '-m mark --mark 0/' . in_hex( $globals{EXCLUSION_MASK} ) . ' ';
+	} else {
 	    #
 	    # Create the Exclusion Chain
 	    #
 	    my $echain = newexclusionchain;

-	my $echainref = new_chain $chainref->{table}, $echain;
-
+	    my $echainref = new_chain $table, $echain;
 	    #
 	    # Use the current rule and send all possible matches to the exclusion chain
 	    #
 	    for my $onet ( mysplit $onets ) {
-	    $onet = match_orig_dest $onet;
-	    for my $inet ( mysplit $inets ) {
-		for my $dnet ( mysplit $dnets ) {
-		    #
-		    # We evaluate the source net match in the inner loop to accomodate systems without $capabilities{KLUDGEFREE}
-		    #
-		    add_jump( $chainref, $echainref, 0, join( '', $rule, match_source_net( $inet, $restriction ), match_dest_net( $dnet ), $onet ), 1 );
-		}
-	    }
-	}

+		$onet = match_orig_dest $onet;
+
+		for my $inet ( mysplit $inets ) {
+
+		    my $source_match = match_source_net( $inet, $restriction ) if have_capability( 'KLUDGEFREE' );
+
+		    for my $dnet ( mysplit $dnets ) {
+			$source_match = match_source_net( $inet, $restriction ) unless have_capability( 'KLUDGEFREE' );
+			add_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet ), $onet ), 1 );
+		    }
+		}
+	    }
 	    #
 	    # Generate RETURNs for each exclusion
 	    #
@@ -3530,14 +3606,27 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    #
 	    # Log rule
 	    #
-	log_rule_limit $loglevel , $echainref , $chain, $disposition , '',  $logtag , 'add' , '' if $loglevel;
+	    log_rule_limit( $loglevel , 
+			    $echainref , 
+			    $chain, 
+			    $disposition eq 'reject' ? 'REJECT' : $disposition ,
+			    '' ,  
+			    $logtag , 
+			    'add' ,
+			    '' ) 
+		if $loglevel;
 	    #
 	    # Generate Final Rule
 	    #
-	add_rule( $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG';
-    } else {
+	    add_rule $fromref = $echainref, $exceptionrule . $jump , 1 unless $disposition eq 'LOG';
+
+	    $done = 1;
+	}
+    }
+
+    unless ( $done ) {
 	#
-	# No exclusions
+	# No non-trivial exclusions or we're using marks to handle them
 	#
 	for my $onet ( mysplit $onets ) {
 	    $onet = match_orig_dest $onet;
@@ -3553,13 +3642,13 @@ sub expand_rule( $$$$$$$$$$;$ )

 		    if ( $loglevel ne '' ) {
 			if ( $disposition ne 'LOG' ) {
-			    unless ( $logname || $target =~ /-j RETURN\b/ ) {
+			    unless ( $logname || $target =~ /^RETURN\b/ ) {
 				#
 				# Find/Create a chain that both logs and applies the target action
 				# and jump to the log chain if all of the rule's conditions are met
 				#
 				add_jump( $chainref,
-					  logchain( $chainref, $loglevel, $logtag, $exceptionrule , $disposition, $target ),
+					  logchain( $chainref, $loglevel, $logtag, $exceptionrule , $disposition, $jump ),
 					  $builtin_target{$disposition},
 					  $matches,
 					  1 );
@@ -3568,13 +3657,13 @@ sub expand_rule( $$$$$$$$$$;$ )
 					       $loglevel ,
 					       $chainref ,
 					       $logname || $chain,
-					       $disposition ,
+					       $disposition eq 'reject' ? 'REJECT' : $disposition ,
 					       '',
 					       $logtag,
 					       'add',
 					       $matches );

-				add_rule( $chainref, $matches . $target, 1 );
+				add_rule( $fromref = $chainref, $matches . $jump, 1 );
 			    }
 			} else {
 			    #
@@ -3584,7 +3673,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 					   $loglevel ,
 					   $chainref ,
 					   $chain,
-					   $disposition ,
+					   $disposition eq 'reject' ? 'REJECT' : $disposition ,
 					   '' ,
 					   $logtag ,
 					   'add' ,
@@ -3595,12 +3684,22 @@ sub expand_rule( $$$$$$$$$$;$ )
 			#
 			# No logging -- add the target rule with matches to the rule chain
 			#
-			add_rule( $chainref, $matches . $target , 1 );
+			add_rule( $fromref = $chainref, $matches . $jump , 1 );
 		    }
 		}
 	    }
 	}
    }
+    #
+    # Mark Target as referenced, if it's a chain
+    #
+    if ( $fromref && $target ) {
+	my $targetref = $chain_table{$table}{$target};
+	if ( $targetref ) {
+	    $targetref->{referenced} = 1;
+	    add_reference $fromref, $targetref;
+	}
+    }

    while ( @ends ) {
 	decr_cmd_level $chainref;
@@ -3610,6 +3709,59 @@ sub expand_rule( $$$$$$$$$$;$ )
    $diface;
 }

+#
+# Where a zone sharing a multi-zone interface has an 'in' blacklist rule, move the rule to the beginning of
+# the associated interface chain
+#
+sub promote_blacklist_rules() {
+    my $chainbref = $filter_table->{blacklst};
+
+    return 1 unless $chainbref;
+
+    my $promoted = 1;
+
+    while ( $promoted ) {
+	$promoted = 0;
+	#
+	# Copy 'blacklst''s references since they will change in the following loop
+	#
+	my @references = map $filter_table->{$_}, keys %{$chainbref->{references}};
+	
+	for my $chain1ref ( @references ) {
+	    assert( $chain1ref->{blacklist} == 1 );
+
+	    my $copied = 0;
+	    my $rule   = $chain1ref->{rules}[0];
+	    my $chain1 = $chain1ref->{name};
+	    
+	    for my $chain2ref ( map $filter_table->{$_}, keys %{$chain1ref->{references}} ) {
+		unless ( $chain2ref->{builtin} ) {
+		    #
+		    # This is not INPUT or FORWARD -- we wouldn't want to move the
+		    # rule to the head of one of those chains
+		    $copied++;
+		    #
+		    # Copy the blacklist rule to the head of the parent chain unless it
+		    # already has a blacklist rule.
+		    #
+		    unless ( $chain2ref->{blacklist} ) {
+			unshift @{$chain2ref->{rules}}, $rule;
+			add_reference $chain2ref, $chainbref;
+			$chain2ref->{blacklist} = 1;
+		    }
+		}
+	    }
+
+	    if ( $copied ) {
+		shift @{$chain1ref->{rules}};
+		$chain1ref->{blacklist} = 0;
+		delete_reference $chain1ref, $chainbref;
+		$promoted = 1;
+	    }
+	}
+    }
+}
+
 #
 # The following code generates the input to iptables-restore from the contents of the
 # @rules arrays in the chain table entries.
@@ -3775,8 +3927,15 @@ sub load_ipsets() {
 	       '        $IPSET -F' ,
 	       '        $IPSET -X' ,
 	       '        $IPSET -R < ${VARDIR}/ipsets.save' ,
-	       '    fi' ,
-	       'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
+	       '    fi' );
+
+	if ( @ipsets ) {
+	    emit ( '' );
+	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+	    emit ( '' );
+	}
+
+	emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
 	       '    if [ -f $(my_pathname)-ipsets ]; then' ,
 	       '        if chain_exists shorewall; then' ,
 	       '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
@@ -4007,6 +4166,7 @@ sub create_chainlist_reload($) {

    unless ( @chains ) {
 	@chains = qw( blacklst ) if $filter_table->{blacklst};
+	push @chains, 'blackout' if $filter_table->{blackout};
 	push @chains, 'mangle:' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
 	$chains = join( ',', @chains ) if @chains;
    }
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -114,6 +114,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script

 				       $product
 				       $Product
+				       $toolname
 				       $command
 				       $doing
 				       $done
@@ -131,7 +132,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script

 Exporter::export_ok_tags('internal');

-our $VERSION = '4.4_11';
+our $VERSION = '4.4_13';

 #
 # describe the current command, it's present progressive, and it's completion.
@@ -251,6 +252,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 TPROXY_TARGET   => 'TPROXY Target',
 		 FLOW_FILTER     => 'Flow Classifier',
 		 FWMARK_RT_MASK  => 'fwmark route mask',
+		 MARK_ANYWHERE   => 'Mark in any table',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -345,8 +347,8 @@ sub initialize( $ ) {
 		    EXPORT => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED => 0,
-		    VERSION => "4.4.13-Beta1",
-		    CAPVERSION => 40411 ,
+		    VERSION => "4.4.13",
+		    CAPVERSION => 40413 ,
 		  );

    #
@@ -676,6 +678,7 @@ sub initialize( $ ) {
 	       OLD_HL_MATCH => undef,
 	       FLOW_FILTER => undef,
 	       FWMARK_RT_MASK => undef,
+	       MARK_ANYWHERE => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -1476,10 +1479,12 @@ sub split_list1( $$ ) {
 		fatal_error "Invalid $type list ($list)" if $count > 1;
 		push @list2 , $_;
 	    } else {
+		s/\(//;
 		$element = $_;
 	    }
 	} elsif ( ( $count =  tr/)/)/ ) > 0 ) {
 	    fatal_error "Invalid $type list ($list)" unless $element && $count == 1;
+	    s/\)//;
 	    push @list2, join ',', $element, $_;
 	    $element = '';
 	} elsif ( $element ) {
@@ -2411,7 +2416,7 @@ sub IPSet_Match() {
 		qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
 		$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
 	    } else {
-		have_capability 'OLD_IPSET_MATCH';
+		$result = have_capability 'OLD_IPSET_MATCH';
 	    }

 	    qt( "$ipset -X $sillyname" );
@@ -2473,6 +2478,10 @@ sub Fwmark_Rt_Mask() {
    $ip && system( "$ip rule add help 2>&1 | grep -q /MASK" ) == 0;
 }

+sub Mark_Anywhere() {
+    qt1( "$iptables -A $sillyname -j MARK --set-mark 5" );
+}
+
 our %detect_capability =
    ( ADDRTYPE => \&Addrtype,
      CLASSIFY_TARGET => \&Classify_Target,
@@ -2500,6 +2509,7 @@ our %detect_capability =
      MANGLE_ENABLED => \&Mangle_Enabled,
      MANGLE_FORWARD => \&Mangle_Forward,
      MARK => \&Mark,
+      MARK_ANYWHERE => \&Mark_Anywhere,
      MULTIPORT => \&Multiport,
      NAT_ENABLED => \&Nat_Enabled,
      NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
@@ -2643,6 +2653,8 @@ sub determine_capabilities() {
 	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
 	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
 	$capabilities{FLOW_FILTER}     = detect_capability( 'FLOW_FILTER' );
+	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
+	$capabilities{MARK_ANYWHERE}   = detect_capability( 'MARK_ANYWHERE' );


 	qt1( "$iptables -F $sillyname" );
@@ -3082,7 +3094,12 @@ sub get_configuration( $ ) {

    if ( $config{PROVIDER_OFFSET} ) {
 	$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
-	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 32;
+	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 31' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 31;
+	$globals{EXCLUSION_MASK} = 1 << ( $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS} );
+    } elsif ( $config{MASK_BITS} >= $config{PROVIDER_BITS} ) {
+	$globals{EXCLUSION_MASK} = 1 << $config{MASK_BITS};
+    } else {
+	$globals{EXCLUSION_MASK} = 1 << $config{PROVIDER_BITS};
    }

    $globals{TC_MAX}                 = make_mask( $config{TC_BITS} );
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -445,7 +445,7 @@ sub expand_port_range( $$ ) {
 	#
 	# Validate the ports
 	#
-	( $first , $last ) = ( validate_port( $proto, $first ) , validate_port( $proto, $last ) );
+	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );

 	$last++; #Increment last address for limit testing.
 	#
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -125,7 +125,7 @@ sub process_one_masq( )

    for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-	my $target = '-j MASQUERADE ';
+	my $target = 'MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -171,7 +171,7 @@ sub process_one_masq( )
 		    fatal_error "The SAME target is no longer supported";
 		} elsif ( $addresses eq 'detect' ) {
 		    my $variable = get_interface_address $interface;
-		    $target = "-j SNAT --to-source $variable";
+		    $target = "SNAT --to-source $variable";

 		    if ( interface_is_optional $interface ) {
 			add_commands( $chainref,
@@ -181,13 +181,13 @@ sub process_one_masq( )
 			$detectaddress = 1;
 		    }
 		} elsif ( $addresses eq 'NONAT' ) {
-		    $target = '-j RETURN';
+		    $target = 'RETURN';
 		    $add_snat_aliases = 0;
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
 			if ( $addr =~ /^.*\..*\..*\./ ) {
-			    $target = '-j SNAT ';
+			    $target = 'SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
 			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				validate_range( $1, $2 );
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_13';

 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -275,7 +275,7 @@ sub add_a_provider( ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
    }

-    fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
+    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface, 1 );
    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;

    my $physical    = get_physical $interface;
@@ -845,54 +845,99 @@ sub lookup_provider( $ ) {
 #
 sub handle_optional_interfaces( $ ) {

-    my $returnvalue = verify_required_interfaces( shift );
-    #
-    # find_interfaces_by_option1() does not return wildcard interfaces. If an interface is defined
-    # as a wildcard in /etc/shorewall/interfaces, then only specific interfaces matching that
-    # wildcard are returned.
-    #
-    my $interfaces = find_interfaces_by_option1 'optional';
+    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';

    if ( @$interfaces ) {
-	for my $interface ( @$interfaces ) {
+	my $require     = $config{REQUIRE_INTERFACE};
+	
+	verify_required_interfaces( shift );
+
+	emit( 'HAVE_INTERFACE=', '' ) if $require;
+	#
+	# Clear the '_IS_USABLE' variables
+	#
+	emit( join( '_', 'SW', uc chain_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
+
+	if ( $wildcards ) {
+	    #
+	    # We must consider all interfaces with an address in $family -- generate a list of such addresses. 
+	    #
+	    emit( '', 
+		  'for interface in $(find_all_interfaces1); do',
+		);
+
+	    push_indent;
+	    emit ( 'case "$interface" in' );
+	    push_indent;
+	} else {
+	    emit '';
+	}
+
+	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
 	    my $provider    = $provider_interfaces{$interface};
 	    my $physical    = get_physical $interface;
 	    my $base        = uc chain_base( $physical );
-
-	    emit( '' );
-
-	    if ( $config{REQUIRE_INTERFACE} ) {
-		emit( 'HAVE_INTERFACE=' );
-		emit( '' );
-	    }
-
-	    if ( $provider ) {
-		#
-		# This interface is associated with a non-shared provider -- get the provider table entry
-		#
 	    my $providerref = $providers{$provider};

+	    emit( "$physical)" ), push_indent if $wildcards;
+
 	    if ( $providerref->{gatewaycase} eq 'detect' ) {
 		emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 	    } else {
 		emit qq(if interface_is_usable $physical; then);
 	    }
-	    } else {
-		#
-		# Not a provider interface
-		#
-		emit qq(if interface_is_usable $physical; then);
-	    }

-	    emit( '    HAVE_INTERFACE=Yes' ) if $config{REQUIRE_INTERFACE};
+	    emit( '    HAVE_INTERFACE=Yes' ) if $require;

 	    emit( "    SW_${base}_IS_USABLE=Yes" ,
-		  'else' ,
-		  "    SW_${base}_IS_USABLE=" ,
 		  'fi' );
+
+	    emit( ';;' ), pop_indent if $wildcards;
 	}

-	if ( $config{REQUIRE_INTERFACE} ) {
+	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
+	    my $physical    = get_physical $interface;
+	    my $base        = uc chain_base( $physical );
+	    my $case        = $physical;
+	    my $wild        = $case =~ s/\+$/*/;
+
+	    if ( $wildcards ) {
+		emit( "$case)" );
+		push_indent;
+		
+		if ( $wild ) {
+		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
+		    push_indent; 
+		    emit ( 'if interface_is_usable $interface; then' );
+		} else {
+		    emit ( "if interface_is_usable $physical; then" );
+		}
+	    } else {
+		emit ( "if interface_is_usable $physical; then" );
+	    }
+
+	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
+	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
+		   'fi' );
+
+	    if ( $wildcards ) {
+		pop_indent, emit( 'fi' ) if $wild;
+		emit( ';;' );
+		pop_indent;
+	    }
+	}
+
+	if ( $wildcards ) {
+	    emit( '*)' ,
+		  '    ;;'
+		);
+	    pop_indent;
+	    emit( 'esac' );
+	    pop_indent;
+	    emit('done' );
+	}
+
+	if ( $require ) {
 	    emit( '',
 		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
 		  '    case "$COMMAND" in',
@@ -915,10 +960,10 @@ sub handle_optional_interfaces( $ ) {
 		);
 	}

-	$returnvalue = 1;
+	return 1;
    }

-    $returnvalue;
+    verify_required_interfaces( shift );
 }

 #
@@ -957,14 +1002,14 @@ sub handle_stickiness( $ ) {
 		    } else {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
+			$rule2 = '';
 		    }

-		    $rule1 =~ s/-A tcpre //;
-
+		    assert ( $rule1 =~ s/^-A // );
 		    add_rule $chainref, $rule1;

 		    if ( $rule2 ) {
-			$rule2 =~ s/-A tcpre //;
+			assert ( $rule2 =~ s/^-A // );
 			add_rule $chainref, $rule2;
 		    }
 		}
@@ -984,14 +1029,14 @@ sub handle_stickiness( $ ) {
 		    } else {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
+			$rule2 = '';
 		    }

-		    $rule1 =~ s/-A tcout //;
-
+		    assert( $rule1 =~ s/-A // );
 		    add_rule $chainref, $rule1;

 		    if ( $rule2 ) {
-			$rule2 =~ s/-A tcout //;
+			$rule2 =~ s/-A //;
 			add_rule $chainref, $rule2;
 		    }
 		}
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_13';

 #
 # Notrack
@@ -64,7 +64,7 @@ sub process_notrack_rule( $$$$$$ ) {
 	$source ,
 	$dest ,
 	'' ,
-	'-j NOTRACK' ,
+	'NOTRACK' ,
 	'' ,
 	'NOTRACK' ,
 	'' ;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -48,14 +48,10 @@ our @EXPORT = qw( process_tos
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
 our $VERSION = '4.4_13';

-#
-# Set to one if we find a SECTION
-#
 our $macro_nest_level;
 our $current_param;
 our @param_stack;
 our $family;
-
 #
 # When splitting a line in the rules file, don't pad out the columns with '-' if the first column contains one of these
 #
@@ -148,9 +144,9 @@ sub process_tos() {
 		$src ,
 		$dst ,
 		'' ,
-		"-j TOS --set-tos $tos" ,
-		'' ,
+		"TOS --set-tos $tos" ,
 		'' ,
+		'TOS' ,
 		'';
 	}

@@ -217,16 +213,19 @@ sub add_rule_pair( $$$$ ) {

 sub setup_blacklist() {

-    my $hosts = find_hosts_by_option 'blacklist';
+    my $zones  = find_zones_by_option 'blacklist', 'in';
+    my $zones1 = find_zones_by_option 'blacklist', 'out';
    my $chainref;
+    my $chainref1;
    my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
    my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
    #
-    # We go ahead and generate the blacklist chain and jump to it, even if it turns out to be empty. That is necessary
+    # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
    # for 'refresh' to work properly.
    #
-    if ( @$hosts ) {
-	$chainref = dont_delete new_standard_chain 'blacklst';
+    if ( @$zones || @$zones1 ) {
+	$chainref  = dont_delete new_standard_chain 'blacklst' if @$zones;
+	$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;

 	if ( defined $level && $level ne '' ) {
 	    my $logchainref = new_standard_chain 'blacklog';
@@ -250,8 +249,8 @@ sub setup_blacklist() {
 	    while ( read_a_line ) {

 		if ( $first_entry ) {
-		    unless  ( @$hosts ) {
-			warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' interfaces);
+		    unless  ( @$zones || @$zones1 ) {
+			warning_message qq(The entries in $fn have been ignored because there are no 'blacklist' zones);
 			close_file;
 			last BLACKLIST;
 		    }
@@ -261,53 +260,62 @@ sub setup_blacklist() {

 		my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';

-		my $direction = 'from';
+		$options = 'src' if $options eq '-';

-		$options = 'from' if $options eq '-';
+		my ( $to, $from ) = ( 0, 0 );

 		for ( split /,/, $options ) {
-		    fatal_error "Invalid OPTION ($_)" unless /^(from|to)$/;
-		    $direction = $_;
-		}
-
+		    if ( $_ =~ /^(?:from|src)$/ ) {
+			if ( $from++ ) {
+			    warning_message "Duplicate 'src' ignored";
+			} else {
+			    if ( @$zones ) {
 				expand_rule(
 					    $chainref ,
 					    NO_RESTRICT ,
 					    do_proto( $protocol , $ports, '' ) ,
-			    $direction eq 'from' ? $networks : '',
-			    $direction eq 'to'   ? $networks : '',
+					    $networks,
 					    '',
-			    "-j $target" ,
 					    '' ,
-			    $disposition ,
+					    $target ,
+					    '' ,
+					    $target ,
 					    '' );
+			    } else {
+				warning_message '"src" entry ignored because there are no "blacklist in" zones';
+			    }
+			}
+		    } elsif ( $_ =~ /^(?:dst|to)$/ ) {
+			if ( $to++ ) {
+			    warning_message "Duplicate 'dst' ignored";
+			} else {
+			    if ( @$zones1 ) {
+				expand_rule(
+					    $chainref1 ,
+					    NO_RESTRICT ,
+					    do_proto( $protocol , $ports, '' ) ,
+					    '',
+					    $networks,
+					    '' ,
+					    $target ,
+					    '' ,
+					    $target ,
+					    '' );
+			    } else {
+				warning_message '"dst" entry ignored because there are no "blacklist out" zones';
+			    }
+			}
+		    } else {
+			fatal_error "Invalid blacklist option($_)";
+		    }
+		}

 		progress_message "  \"$currentline\" added to blacklist";
 	    }

-	    warning_message q(There are interfaces or hosts with the 'blacklist' option but the 'blacklist' file is empty) if $first_entry && @$hosts;
-	} elsif ( @$hosts ) {
-	    warning_message q(There are interfaces or hosts with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size);
-	}
-
-	my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
-
-	for my $hostref ( @$hosts ) {
-	    my $interface  = $hostref->[0];
-	    my $ipsec      = $hostref->[1];
-	    my $policy     = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
-	    my $network    = $hostref->[2];
-	    my $source     = match_source_net $network;
-	    my $target     = source_exclusion( $hostref->[3], $chainref );
-
-	    for my $chain ( first_chains $interface ) {
-		add_jump $filter_table->{$chain} , $chainref, 0, "${source}${state}${policy}";
-	    }
-
-	    set_interface_option $interface, 'use_input_chain', 1;
-	    set_interface_option $interface, 'use_forward_chain', 1;
-
-	    progress_message "  Blacklisting enabled on ${interface}:${network}";
+	    warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty) if $first_entry && @$zones;
+	} elsif ( @$zones || @$zones1 ) {
+	    warning_message q(There are interfaces or zones with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size);
 	}
    }
 }
@@ -441,7 +449,7 @@ sub add_common_rules() {
    my $list;
    my $chain;

-    my $state     = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
+    my $state     = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "-m state --state NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
    my $level     = $config{BLACKLIST_LOGLEVEL};
    my $rejectref = dont_move new_standard_chain 'reject';

@@ -519,7 +527,7 @@ sub add_common_rules() {
 	    add_jump( $chainref, $smurfdest, 1, '-s ' . IPv6_MULTICAST . ' ' );
 	}

-	my $state = $globals{UNTRACKED} ? 'NEW,INVALID,UNTRACKED' : 'NEW,INVALID';
+	my $state = $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : "$globals{STATEMATCH} NEW,INVALID ";

 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
@@ -528,7 +536,7 @@ sub add_common_rules() {
 	    my $target     = source_exclusion( $hostref->[3], $chainref );

 	    for $chain ( first_chains $interface ) {
-		add_jump $filter_table->{$chain} , $target, 0, join( '', "$globals{STATEMATCH} $state ", match_source_net( $hostref->[2] ),  $policy );
+		add_jump $filter_table->{$chain} , $target, 0, join( '', $state, match_source_net( $hostref->[2] ),  $policy );
 	    }

 	    set_interface_option $interface, 'use_input_chain', 1;
@@ -673,12 +681,12 @@ sub add_common_rules() {

 	    for $interface ( @$list ) {
 		my $chainref = $filter_table->{input_chain $interface};
-		my $base     = uc chain_base $interface;
+		my $base     = uc chain_base get_physical $interface;
 		my $variable = get_interface_gateway $interface;

 		if ( interface_is_optional $interface ) {
 		    add_commands( $chainref,
-				  qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
+				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
 				  '    echo "-A ' . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT" >&3) ,
 				  qq(fi) );
 		} else {
@@ -808,20 +816,20 @@ sub setup_mac_lists( $ ) {
 	    my $policy     = have_ipsec ? "-m policy --pol $ipsec --dir in " : '';
 	    my $source     = match_source_net $hostref->[2];

-	    my $state = $globals{UNTRACKED} ? 'NEW,UNTRACKED' : 'NEW';
+	    my $state = $globals{UNTRACKED} ? '-m state --state NEW,UNTRACKED' : "$globals{STATEMATCH} NEW";

 	    if ( $table eq 'filter' ) {
 		my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );

 		for my $chain ( first_chains $interface ) {
-		    add_jump $filter_table->{$chain} , $chainref, 0, "${source}$globals{STATEMATCH} ${state} ${policy}";
+		    add_jump $filter_table->{$chain} , $chainref, 0, "${source}${state} ${policy}";
 		}

 		set_interface_option $interface, 'use_input_chain', 1;
 		set_interface_option $interface, 'use_forward_chain', 1;
 	    } else {
 		my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} );
-		add_jump $mangle_table->{PREROUTING}, $chainref, 0, match_source_dev( $interface ) . "${source}$globals{STATEMATCH} ${state} ${policy}";
+		add_jump $mangle_table->{PREROUTING}, $chainref, 0, match_source_dev( $interface ) . "${source}${state} ${policy}";
 	    }
 	}
    } else {
@@ -890,6 +898,8 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {

    my $format = 1;

+    my $generated = 0;
+
    macro_comment $macro;

    my $macrofile = $macros{$macro};
@@ -961,7 +971,7 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 	    $mdest = '';
 	}

-	process_rule1(
+	$generated |= process_rule1(
 				    $mtarget,
 				    $msource,
 				    $mdest,
@@ -986,6 +996,8 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {

    clear_comment unless $nocomment;

+    return $generated;
+
 }
 #
 # Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
@@ -1023,7 +1035,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    $current_param = $param;
 	}

-	process_macro( $basictarget,
+	my $generated = process_macro( $basictarget,
 				       $target ,
 				       $current_param,
 				       $source,
@@ -1043,7 +1055,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {

 	$current_param = pop @param_stack if $param ne '';

-	return;
+	return $generated;

    } elsif ( $actiontype & NFQ ) {
 	require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
@@ -1173,7 +1185,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	#
 	if ( $destref->{type} == BPORT ) {
 	    unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
-		return 1 if $wildcard;
+		return 0 if $wildcard;
 		fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
 	    }
 	}
@@ -1186,7 +1198,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	$policy   = $chainref->{policy};

 	if ( $policy eq 'NONE' ) {
-	    return 1 if $wildcard;
+	    return 0 if $wildcard;
 	    fatal_error "Rules may not override a NONE policy";
 	}
 	#
@@ -1195,9 +1207,9 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	if ( $optimize > 0 ) {
 	    my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
 	    if ( $loglevel ne '' ) {
-		return 1 if $target eq "${policy}:$loglevel}";
+		return 0 if $target eq "${policy}:$loglevel}";
 	    } else {
-		return 1 if $basictarget eq $policy;
+		return 0 if $basictarget eq $policy;
 	    }
 	}
 	#
@@ -1295,7 +1307,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {

 	if ( $actiontype  & REDIRECT ) {
 	    fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server;
-	    $target  = '-j REDIRECT ';
+	    $target  = 'REDIRECT ';
 	    $target .= "--to-port $serverport " if $serverport;
 	    if ( $origdest eq '' || $origdest eq '-' ) {
 		$origdest = ALLIP;
@@ -1319,7 +1331,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    }

 	    if ( $action eq 'DNAT' ) {
-		$target = '-j DNAT ';
+		$target = 'DNAT ';
 		if ( $server ) {
 		    $serverport = ":$serverport" if $serverport;
 		    for my $serv ( split /,/, $server ) {
@@ -1425,7 +1437,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 			     '', # Source
 			     '', # Dest
 			     '', # Original dest
-			     '-j ACCEPT',
+			     'ACCEPT',
 			     $loglevel,
 			     $log_action,
 			     '',
@@ -1443,7 +1455,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		     $source ,
 		     $dest ,
 		     $origdest ,
-		     "-j $tgt",
+		     $tgt,
 		     $loglevel ,
 		     $log_action ,
 		     '' ,
@@ -1489,11 +1501,13 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		     $source ,
 		     $dest ,
 		     $origdest ,
-		     $action ? "-j $action " : '' ,
+		     $action ,
 		     $loglevel ,
 		     $log_action ,
 		     '' );
    }
+
+    return 1;
 }

 #
@@ -1524,8 +1538,8 @@ sub process_section ($) {
 #
 # Build a source or destination zone list
 #
-sub build_zone_list( $$$\$ ) {
-    my ($fw, $input, $which, $intrazoneref ) = @_;
+sub build_zone_list( $$$\$\$ ) {
+    my ($fw, $input, $which, $intrazoneref, $wildref ) = @_;
    my $any = ( $input =~ s/^any/all/ );
    my $exclude;
    my $rest;
@@ -1539,6 +1553,8 @@ sub build_zone_list( $$$\$ ) {
 	$exclude = $2;
 	$rest    = $3;

+	$$wildref = 1;
+
 	if ( defined $exclude ) {
 	    $exclude =~ s/!//;
 	    fatal_error "Invalid exclusion list (!$exclude)" if $exclude =~ /^,|!|,,|,$/;
@@ -1568,6 +1584,7 @@ sub build_zone_list( $$$\$ ) {
    } elsif ( $input =~ /^([^:]+,[^:]+)(:.*)?$/ ) {
 	$input    = $1;
 	$rest     = $2;
+	$$wildref = 1;

 	$$intrazoneref = ( $input =~ s/\+$// );

@@ -1607,28 +1624,26 @@ sub process_rule ( ) {
    my $thisline  = $currentline; #We must save $currentline because it is overwritten by macro expansion
    my $action    = isolate_basic_target $target;
    my $fw        = firewall_zone;
-    my @source;
-    my @dest;
+    my @source    = build_zone_list ( $fw, $source, 'SOURCE', $intrazone, $wild );
+    my @dest      = build_zone_list ( $fw, $dest,   'DEST'  , $intrazone, $wild );
+    my $generated = 0;

    fatal_error "Invalid or missing ACTION ($target)" unless defined $action;

-    @source = build_zone_list ( $fw, $source, 'SOURCE', $intrazone );
-    @dest   = build_zone_list ( $fw, $dest,   'DEST'  , $intrazone );
-
-    $wild = ( @source > 1 ) || ( @dest > 1 );
-
    for $source ( @source ) {
 	for $dest ( @dest ) {
 	    my $sourcezone = (split( /:/, $source, 2 ) )[0];
 	    my $destzone   = (split( /:/, $dest,   2 ) )[0];
 	    $destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone;
 	    if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
-		process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wild;
+		$generated |= process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wild;
 	    }
 	}
    }

-    progress_message "   Rule \"$thisline\" $done";
+    warning_message  qq(Entry generated no $toolname rules) unless $generated;
+
+    progress_message qq(   Rule "$thisline" $done);
 }

 #
@@ -1836,6 +1851,7 @@ sub generate_matrix() {
    my $preroutingref = ensure_chain 'nat', 'dnat';
    my $fw = firewall_zone;
    my $notrackref = $raw_table->{notrack_chain $fw};
+    my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? "-m state --state NEW,INVALID,UNTRACKED " : "$globals{STATEMATCH} NEW,INVALID " : '';
    my @zones = off_firewall_zones;
    my @vservers = vserver_zones;
    my $interface_jumps_added = 0;
@@ -1856,6 +1872,26 @@ sub generate_matrix() {
 	#
 	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );

+	if ( $zoneref->{options}{in}{blacklist} ) {
+	    my $blackref = $filter_table->{blacklst};
+	    add_jump $frwd_ref , $blackref, 0, $state, 0, -1;
+	    add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
+	}
+
+	if ( $zoneref->{options}{out}{blacklist} ) {
+	    my $blackref = $filter_table->{blackout};
+	    add_jump ensure_filter_chain( rules_chain( firewall_zone, $zone ), 1 ) , $blackref , 0, $state, 0, -1;
+
+	    for my $zone1 ( @zones, @vservers ) {
+		my $ruleschain    = rules_chain( $zone1, $zone );
+		my $ruleschainref = $filter_table->{$ruleschain};
+
+		if ( $zone ne $zone1 || ( $ruleschainref && $ruleschainref->{referenced} ) ) {
+		    add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
+		} 
+	    }
+	}
+
 	if ( have_ipsec ) {
 	    #
 	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
@@ -2042,6 +2078,7 @@ sub generate_matrix() {
 			my $interfacechainref = $filter_table->{input_chain $interface};
 			my $interfacematch = '';
 			my $use_input;
+			my $blacklist = $zoneref->{options}{in}{blacklist};

 			if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 			    $inputchainref = $interfacechainref;
@@ -2250,6 +2287,8 @@ sub generate_matrix() {

    add_interface_jumps @interfaces unless $interface_jumps_added;

+    promote_blacklist_rules;
+
    my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
 		     nat=>     [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
 		     filter=>  [ qw/INPUT FORWARD OUTPUT/ ] );
@@ -2350,22 +2389,38 @@ EOF
    $output->{policy} = 'ACCEPT' if $config{ADMINISABSENTMINDED};

    if ( $family == F_IPV4 ) {
-	emit( '    deletechain() {',
-	      '        qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1' );
-    } else {
-	emit( '    deletechain() {',
-	      '         qt $IP6TABLES -L $1 -n && qt $IP6TABLES -F $1 && qt $IP6TABLES -X $1' );
-    }
-
 	emit <<'EOF';
+    deletechain() {
+        qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
    }

    case $COMMAND in
        stop|clear|restore)
+            if chain_exists dynamic; then
+                ${IPTABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
+            fi
            ;;
        *)
            set +x
+EOF
+    } else {
+	emit <<'EOF';
+    deletechain() {
+        qt $IPTABLES -L $1 -n && qt $IPTABLES -F $1 && qt $IPTABLES -X $1
+    }

+    case $COMMAND in
+        stop|clear|restore)
+            if chain_exists dynamic; then
+                ${IP6TABLES}-save -t filter | grep '^-A dynamic' > ${VARDIR}/.dynamic
+            fi
+            ;;
+        *)
+            set +x
+EOF
+    }
+
+    emit <<'EOF';
            case $COMMAND in
 	        start)
 	            logger -p kern.err "ERROR:$g_product start failed"
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -40,37 +40,44 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_11';
+our $VERSION = '4.4_13';

 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
-		    fw       => 1
+		    fw       => 1,
+		    fwi      => 0,
 		  } ,
 	    CT => { chain  => 'tcpost' ,
 		    target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 1
+		    fw       => 1 ,
+		    fwi      => 0,
 		    } ,
 	    C  => { target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 1
+		    fw       => 1 ,
+		    fwi      => 1 ,
 		    } ,
 	    P  => { chain    => 'tcpre' ,
 		    connmark => 0 ,
-		    fw       => 0
+		    fw       => 0 ,
+		    fwi      => 0 ,
 		    } ,
 	    CP => { chain    => 'tcpre' ,
 		    target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 0
+		    fw       => 0 ,
+		    fwi      => 0 ,
 		    } ,
 	    F =>  { chain    => 'tcfor' ,
 		    connmark => 0 ,
-		    fw       => 0
+		    fw       => 0 ,
+		    fwi      => 0 ,
 		    } ,
 	    CF => { chain    => 'tcfor' ,
 		    connmark => 1 ,
 		    fw       => 0 ,
+		    fwi      => 0 ,
 		    } ,
 	    );

@@ -158,6 +165,7 @@ our %tcclasses;
 our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 		      tcpost     => POSTROUTE_RESTRICT ,
 		      tcfor      => NO_RESTRICT ,
+		      tcin       => INPUT_RESTRICT ,
 		      tcout      => OUTPUT_RESTRICT );

 our $family;
@@ -218,12 +226,23 @@ sub process_tc_rule( ) {
 	}
    }

+    if ( $dest ) {
+	if ( $dest eq $fw ) {
+	    $chain = 'tcin';
+	    $dest  = '';
+	} else {
+	    $chain = 'tcin' if $dest =~ s/^($fw)://;
+	}
+    }
+
    if ( $designator ) {
 	$tcsref = $tcs{$designator};

 	if ( $tcsref ) {
 	    if ( $chain eq 'tcout' ) {
 		fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
+	    } elsif ( $chain eq 'tcin' ) {
+		fatal_error "Invalid chain designator for dest $fw" unless $tcsref->{fwi};
 	    }

 	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
@@ -250,6 +269,8 @@ sub process_tc_rule( ) {

    $list = '';

+    my $restriction = 0;
+
    unless ( $classid ) {
      MARK:
 	{
@@ -259,7 +280,7 @@ sub process_tc_rule( ) {

 		    require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};

-		    $target      = "$tccmd->{target} ";
+		    $target      = $tccmd->{target};
 		    my $marktype = $tccmd->{mark};

 		    if ( $marktype == NOMARK ) {
@@ -275,6 +296,10 @@ sub process_tc_rule( ) {
 			    fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
 			}

+			$restriction = DESTIFACE_DISALLOW;
+			
+			ensure_mangle_chain($target);
+
 			$sticky++;
 		    } elsif ( $target eq 'IPMARK' ) {
 			my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
@@ -380,7 +405,7 @@ sub process_tc_rule( ) {
    }

    if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
-				     $restrictions{$chain} ,
+				     $restrictions{$chain} | $restriction,
 				     do_proto( $proto, $ports, $sports) .
 				     do_user( $user ) .
 				     do_test( $testval, $globals{TC_MASK} ) .
@@ -391,9 +416,9 @@ sub process_tc_rule( ) {
 				     $source ,
 				     $dest ,
 				     '' ,
-				     "-j $target $mark" ,
-				     '' ,
+				     $mark ? "$target $mark" : $target,
 				     '' ,
+				     $target ,
 				     '' ) )
 	  && $device ) {
 	#
@@ -410,11 +435,11 @@ sub rate_to_kbit( $ ) {
    my $rate = $_[0];

    return 0           if $rate eq '-';
-    return $1          if $rate =~ /^(\d+)kbit$/i;
-    return $1 * 1000   if $rate =~ /^(\d+)mbit$/i;
-    return $1 * 8000   if $rate =~ /^(\d+)mbps$/i;
-    return $1 * 8      if $rate =~ /^(\d+)kbps$/i;
-    return int($1/125) if $rate =~ /^(\d+)(bps)?$/;
+    return $1          if $rate =~ /^((\d+)(\.\d+)?)kbit$/i;
+    return $1 * 1000   if $rate =~ /^((\d+)(\.\d+)?)mbit$/i;
+    return $1 * 8000   if $rate =~ /^((\d+)(\.\d+)?)mbps$/i;
+    return $1 * 8      if $rate =~ /^((\d+)(\.\d+)?)kbps$/i;
+    return ($1/125)    if $rate =~ /^((\d+)(\.\d+)?)(bps)?$/;
    fatal_error "Invalid Rate ($rate)";
 }

@@ -433,8 +458,6 @@ sub calculate_quantum( $$ ) {
 sub process_flow($) {
    my $flow = shift;

-    $flow =~ s/^\(// if $flow =~ s/\)$//;
-
    my @flow = split /,/, $flow;

    for ( @flow ) {
@@ -445,7 +468,7 @@ sub process_flow($) {
 }

 sub process_simple_device() {
-    my ( $device , $type , $in_bandwidth ) = split_line 1, 3, 'tcinterfaces';
+    my ( $device , $type , $in_bandwidth , $out_part ) = split_line 1, 4, 'tcinterfaces';

    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
@@ -465,7 +488,21 @@ sub process_simple_device() {
 	}
    }

+    my $in_burst = '10kb';
+
+    if ( $in_bandwidth =~ /:/ ) {
+	my ( $in_band, $burst ) = split /:/, $in_bandwidth, 2;
+
+	if ( defined $burst && $burst ne '' ) {
+	    fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
+	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
+	    $in_burst = $burst;
+	}
+
+	$in_bandwidth = rate_to_kbit( $in_band );
+    } else {
 	$in_bandwidth = rate_to_kbit( $in_bandwidth );
+    }

    emit "if interface_is_up $physical; then";

@@ -477,10 +514,50 @@ sub process_simple_device() {
 	 );

    emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
-	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst 10k drop flowid :1\n"
+	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n"
 	 ) if $in_bandwidth;

+    if ( $out_part ne '-' ) {
+	my ( $out_bandwidth, $burst, $latency, $peak, $minburst ) = split ':', $out_part;
+
+	fatal_error "Invalid Out-BANDWIDTH ($out_part)" if ( defined $minburst && $minburst =~ /:/ ) || $out_bandwidth eq '';
+
+	$out_bandwidth = rate_to_kbit( $out_bandwidth );
+
+	my $command = "run_tc qdisc add dev $physical root handle $number: tbf rate ${out_bandwidth}kbit";
+
+	if ( defined $burst && $burst ne '' ) {
+	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
+	    $command .= " burst $burst";
+	} else {
+	    $command .= ' burst 10kb';
+	}
+
+	if ( defined $latency && $latency ne '' ) {
+	    fatal_error "Invalid latency ($latency)" unless $latency =~ /^\d+(?:\.\d+)?(s|sec|secs|ms|msec|msecs|us|usec|usecs)?$/;
+	    $command .= " latency $latency";
+	} else {
+	    $command .= ' latency 200ms';
+	}
+
+	if ( defined $peak && $peak ne '' ) {
+	    fatal_error "Invalid peak ($peak)" unless $peak =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
+	    $command .= " peakrate $peak";
+	}
+
+	if ( defined $minburst && $minburst ne '' ) {
+	    fatal_error "Invalid minburst ($minburst)" unless $minburst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
+	    $command .= " minburst $minburst";
+	}
+
+	emit $command;
+
+	my $id = $number; $number = in_hexp( $devnum | 0x100 );
+
+	emit "run_tc qdisc add dev $physical parent $id: handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
+    } else {
 	emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
+    }

    for ( my $i = 1; $i <= 3; $i++ ) {
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
@@ -1230,11 +1307,26 @@ sub setup_traffic_shaping() {
 		  qq(fi) );
 	}

-	my $inband = rate_to_kbit $devref->{in_bandwidth};
+	my $in_burst = '10kb';
+	my $inband;
+
+	if ( $devref->{in_bandwidth} =~ /:/ ) {
+	    my ( $in_band, $burst ) = split /:/, $devref->{in_bandwidth}, 2;
+
+	    if ( defined $burst && $burst ne '' ) {
+		fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
+		fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
+		$in_burst = $burst;
+	    }
+
+	    $inband = rate_to_kbit( $in_band );
+	} else {
+	    $inband = rate_to_kbit $devref->{in_bandwidth};
+	}

 	if ( $inband ) {
 	    emit ( "run_tc qdisc add dev $device handle ffff: ingress",
-		   "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
+		   "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst $in_burst drop flowid :1"
 		   );
 	}

@@ -1352,6 +1444,68 @@ sub setup_traffic_shaping() {
    }
 }

+#
+# Process a record in the secmarks file
+#
+sub process_secmark_rule() {
+    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = split_line1( 2, 9 , 'Secmarks file' );
+
+    if ( $secmark eq 'COMMENT' ) {
+	process_comment;
+	return;
+    }
+
+    my %chns = ( T => 'tcpost'  ,
+		 P => 'tcpre'   ,
+		 F => 'tcfor'   ,
+		 I => 'tcin'    ,
+		 O => 'tcout'   , );
+
+    my %state = ( N =>  'NEW' ,
+		  E =>  'ESTABLISHED' , 
+		  ER => 'ESTABLISHED,RELATED' );
+
+    my ( $chain , $state, $rest) = split ':', $chainin , 3;
+
+    fatal_error "Invalid CHAIN:STATE ($chainin)" if $rest || ! $chain;
+
+    my $chain1= $chns{$chain};
+    
+    fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
+    fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && $chain1 ne 'tcout';
+
+    if ( ( $state ||= '' ) ne '' ) {
+	my $state1;
+	fatal_error "Invalid STATE ( $state )" unless $state1 = $state{$state};
+	$state = "$globals{STATEMATCH} $state1 ";
+    }
+
+    my $target = $secmark eq 'SAVE'    ? 'CONNSECMARK --save' :
+	         $secmark eq 'RESTORE' ? 'CONNSECMARK --restore' :
+		 "SECMARK --selctx $secmark";
+
+    my $disposition = $target;
+
+    $disposition =~ s/ .*//;
+
+    expand_rule( ensure_mangle_chain( $chain1 ) , 
+		 $restrictions{$chain1} ,
+		 $state .
+		 do_proto( $proto, $dport, $sport ) .
+		 do_user( $user ) .
+		 do_test( $mark, $globals{TC_MASK} ) ,
+		 $source , 
+		 $dest , 
+		 '' , 
+		 $target , 
+		 '' , 
+		 $disposition,
+		 '' );
+
+    progress_message "Secmarks rule \"$currentline\" $done";
+		 
+}
+
 #
 # Process the tcrules file and setup traffic shaping
 #
@@ -1364,6 +1518,7 @@ sub setup_tc() {
 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
 	    ensure_mangle_chain 'tcfor';
 	    ensure_mangle_chain 'tcpost';
+	    ensure_mangle_chain 'tcin';
 	}

 	my $mark_part = '';
@@ -1390,6 +1545,7 @@ sub setup_tc() {
 	    add_rule( $mangle_table->{FORWARD},     "-j MARK --set-mark 0${mask}" ) if $config{FORWARD_CLEAR_MARK};
 	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
 	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
+	    add_jump $mangle_table->{INPUT} ,       'tcin' ,  0;
 	}
    }

@@ -1460,9 +1616,20 @@ sub setup_tc() {
 	}
    }

+    if ( $config{MANGLE_ENABLED} ) {
+	if ( my $fn = open_file 'secmarks' ) {
+
+	    first_entry "$doing $fn...";
+
+	    process_secmark_rule while read_a_line;
+	
+	    clear_comment;
+	}
+
 	add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;

 	handle_stickiness( $sticky );
    }
+}

 1;
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_13';

 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -61,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}

-	my $options = $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
+	my $options = $globals{UNTRACKED} ? "-m state --state NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";

 	add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 	add_tunnel_rule $outchainref, "-p 50 $dest   -j ACCEPT";
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -78,12 +78,13 @@ our @EXPORT = qw( NOTHING
 		  compile_updown
 		  validate_hosts_file
 		  find_hosts_by_option
+		  find_zones_by_option
 		  all_ipsets
 		  have_ipsec
 		 );

 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_12';
+our $VERSION = '4.4_13';

 #
 # IPSEC Option types
@@ -94,7 +95,6 @@ use constant { NOTHING    => 'NOTHING',
 	       IPSECPROTO => 'ah|esp|ipcomp',
 	       IPSECMODE  => 'tunnel|transport'
 	       };
-
 #
 # Zone Table.
 #
@@ -155,16 +155,23 @@ our %reservedName = ( all => 1,
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
+#                                     base        => <shell variable base representing this interface>
 #                                   }
 #                 }
 #
+#    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
+#    the same order as the interfaces are encountered in the configuration files. 
+#
 our @interfaces;
 our %interfaces;
 our @bport_zones;
 our %ipsets;
 our %physical;
+our %basemap;
+our %mapbase;
 our $family;
 our $have_ipsec;
+our $baseseq;

 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -217,6 +224,9 @@ sub initialize( $ ) {
    @bport_zones = ();
    %ipsets = ();
    %physical = ();
+    %basemap = ();
+    %mapbase = ();
+    $baseseq = 0;

    if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -289,6 +299,7 @@ sub initialize( $ ) {
 sub parse_zone_option_list($$)
 {
    my %validoptions = ( mss          => NUMERIC,
+			 blacklist    => NOTHING,
 			 strict       => NOTHING,
 			 next         => NOTHING,
 			 reqid        => NUMERIC,
@@ -298,10 +309,12 @@ sub parse_zone_option_list($$)
 			 "tunnel-src" => NETWORK,
 			 "tunnel-dst" => NETWORK,
 		       );
+
+    use constant { UNRESTRICTED => 1, NOFW => 2 };
    #
    # Hash of options that have their own key in the returned hash.
    #
-    my %key = ( mss => 'mss' );
+    my %key = ( mss => UNRESTRICTED , blacklist => NOFW );

    my ( $list, $zonetype ) = @_;
    my %h;
@@ -334,7 +347,8 @@ sub parse_zone_option_list($$)
 	    }

 	    if ( $key{$e} ) {
-		$h{$e} = $val;
+		fatal_error "Option '$e' not permitted with this zone type " if $key{$e} == NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
+		$h{$e} = $val || 1;
 	    } else {
 		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
 		$options .= $invert;
@@ -425,7 +439,7 @@ sub process_zone( \$ ) {
 	}
    }

-    $zones{$zone} = { type       => $type,
+    my $zoneref = $zones{$zone} = { type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
 				    options    => { in_out  => parse_zone_option_list( $options || '', $type ) ,
@@ -440,6 +454,16 @@ sub process_zone( \$ ) {
 				    hosts      => {}
 				  };

+    if ( $zoneref->{options}{in_out}{blacklist} ) {
+	for ( qw/in out/ ) {
+	    unless ( $zoneref->{options}{$_}{blacklist} ) {
+		$zoneref->{options}{$_}{blacklist} = 1;
+	    } else {
+		warning_message( "Redundant 'blacklist' in " . uc( $_ ) . '_OPTIONS' );
+	    }
+	}
+    }
+
    return $zone;

 }
@@ -665,7 +689,7 @@ sub add_group_to_zone($$$$$)
 		    # Make 'find_hosts_by_option()' work correctly for this zone
 		    #
 		    for ( qw/blacklist maclist nosmurfs tcpflags/ ) {
-			$options->{$_} = 1 if $interfaceref->{options}{$_};
+			$options->{$_} = $interfaceref->{options}{$_} if $interfaceref->{options}{$_};
 		    }

 		    $allip = 1;
@@ -771,11 +795,48 @@ sub is_a_bridge( $ ) {
 #
 sub chain_base($) {
    my $chain = $_[0];
-
-    $chain =~ s/^@/at_/;
-    $chain =~ tr/[.\-%@]/_/;
+    my $name  = $basemap{$chain};
+    #
+    # Return existing mapping, if any
+    #
+    return $name if $name;
+    #
+    # Remember initial value 
+    #
+    my $key = $chain;
+    #
+    # Handle VLANs and wildcards
+    #
    $chain =~ s/\+$//;
-    $chain;
+    $chain =~ tr/./_/;
+
+    if ( $chain =~ /^[0-9]/ || $chain =~ /[^\w]/ ) {
+	#
+	# Must map. Remove all illegal characters
+	#
+	$chain =~ s/[^\w]//g;
+	#
+	# Prefix with if_ if it begins with a digit
+	#
+	$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
+	#
+	# Create a new unique name
+	#
+	1 while $mapbase{$name = join ( '_', $chain, ++$baseseq )};
+    } else {
+	#
+	# We'll store the identity mapping if it is unique
+	#
+	$chain = join( '_', $key , ++$baseseq ) while $mapbase{$name = $chain};
+    }
+    #
+    # Store the reverse mapping
+    #
+    $mapbase{$name} = $key;
+    #
+    # Store the mapping
+    #
+    $basemap{$key} = $name;
 }

 #
@@ -842,6 +903,8 @@ sub process_interface( $$ ) {
 	$root = $interface;
    }

+    fatal_error "Invalid interface name ($interface)" if $interface =~ /\*/;
+
    my $physical = $interface;
    my $broadcasts;

@@ -896,8 +959,16 @@ sub process_interface( $$ ) {

 	    if ( $type == SIMPLE_IF_OPTION ) {
 		fatal_error "Option $option does not take a value" if defined $value;
+		if ( $option eq 'blacklist' ) {
+		    if ( $zone ) {
+			$zoneref->{options}{in}{blacklist} = 1;
+		    } else {
+			warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
+		    }
+		} else {
 		    $options{$option} = 1;
 		    $hostoptions{$option} = 1 if $hostopt;
+		}
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
 		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
@@ -905,8 +976,8 @@ sub process_interface( $$ ) {
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
-		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
 		if ( $option eq 'arp_ignore' ) {
+		    fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $wildcard;
 		    if ( defined $value ) {
 			if ( $value =~ /^[1-3,8]$/ ) {
 			    $options{arp_ignore} = $value;
@@ -929,10 +1000,6 @@ sub process_interface( $$ ) {
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		#
-		# Remove parentheses from address list if present
-		#
-		$value =~ s/\)$// if $value =~ s/^\(//;
-		#
 		# Add all IP to the front of a list if the list begins with '!'
 		#
 		$value = join ',' , ALLIP , $value if $value =~ /^!/;
@@ -965,7 +1032,7 @@ sub process_interface( $$ ) {
 		fatal_error "The '$option' option requires a value" unless defined $value;

 		if ( $option eq 'physical' ) {
-		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value =~ /^[\w.@%-]*\+?$/;
+		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;

 		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );

@@ -995,7 +1062,6 @@ sub process_interface( $$ ) {

 	$hostoptions{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export || $options{routeback};

-
 	$hostoptionsref = \%hostoptions;
    } else {
 	#
@@ -1012,7 +1078,8 @@ sub process_interface( $$ ) {
 						       broadcasts => $broadcasts ,
 						       options    => \%options ,
 						       zone       => '',
-						       physical   => $physical
+						       physical   => $physical ,
+						       base       => chain_base( $physical )
 						     };

    if ( $zone ) {
@@ -1108,28 +1175,35 @@ sub map_physical( $$ ) {
 #
 # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
 #
-# If the passed name matches a wildcard, an entry for the name is added in %interfaces to speed up validation of other references to that name.
+# If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in 
+# %interfaces.
 #
-sub known_interface($)
+sub known_interface($;$)
 {
-    my $interface = $_[0];
+    my ( $interface, $cache ) = @_;
    my $interfaceref = $interfaces{$interface};

    return $interfaceref if $interfaceref;

+    fatal_error "Invalid interface ($interface)" if $interface =~ /\*/;
+
    for my $i ( @interfaces ) {
 	$interfaceref = $interfaces{$i};
 	my $root = $interfaceref->{root};
 	if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
-	    #
-	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces and we do not set the root;
-	    #
-	    return $interfaces{$interface} = { options  => $interfaceref->{options},
+	    my $physical = map_physical( $interface, $interfaceref );
+	    
+	    my $copyref = { options  => $interfaceref->{options},
 			    bridge   => $interfaceref->{bridge} ,
 			    name     => $i ,
 			    number   => $interfaceref->{number} ,
-					       physical => map_physical( $interface, $interfaceref )
+			    physical => $physical ,
+			    base     => chain_base( $physical ) ,
 			  };
+
+	    $interfaces{$interface} = $copyref if $cache;
+
+	    return $copyref;
 	}
    }

@@ -1240,25 +1314,33 @@ sub find_interfaces_by_option( $ ) {
 }

 #
-# Returns reference to array of interfaces with the passed option
+# Returns reference to array of interfaces with the passed option. Unlike the preceding function, this one:
+#
+# - All entries in %interfaces are searched.
+# - Returns a two-element list; the second element indicates whether any members of the list have wildcard physical names
 #
 sub find_interfaces_by_option1( $ ) {
    my $option = $_[0];
    my @ints = ();
+    my $wild = 0;

-    for my $interface ( keys %interfaces ) {
+    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} }
+			keys %interfaces ) {
 	my $interfaceref = $interfaces{$interface};

 	next unless defined $interfaceref->{physical};
-	next if $interfaceref->{physical} =~ /\+/;

 	my $optionsref = $interfaceref->{options};
+
 	if ( $optionsref && defined $optionsref->{$option} ) {
+	    $wild ||= ( $interfaceref->{physical} =~ /\+$/ );
 	    push @ints , $interface
 	}
    }

-    \@ints;
+    return unless defined wantarray;
+
+    wantarray ? ( \@ints, $wild ) : \@ints;
 }

 #
@@ -1373,16 +1455,16 @@ sub verify_required_interfaces( $ ) {

 		$physical =~ s/\+$/*/;

-		emit( "${base}_IS_UP=\n",
+		emit( "SW_${base}_IS_UP=\n",
 		      'for interface in $(find_all_interfaces); do',
 		      '    case $interface in',
 		      "        $physical)",
-		      "            interface_is_usable \$interface && ${base}_IS_UP=Yes && break",
+		      "            interface_is_usable \$interface && SW_${base}_IS_UP=Yes && break",
 		      '            ;;',
 		      '    esac',
 		      'done',
 		      '',
-		      "if [ -z \"\$${base}_IS_UP\" ]; then",
+		      "if [ -z \"\$SW_${base}_IS_UP\" ]; then",
 		      "    startup_error \"None of the required interfaces $physical are available\"",
 		      "fi\n"
 		    );
@@ -1621,7 +1703,9 @@ sub process_host( ) {
 		$zoneref->{options}{complex} = 1;
 		$ipsec = 1;
 	    } elsif ( $option eq 'norfc1918' ) {
-		warning_message "The 'norfc1918' option is no longer supported"
+		warning_message "The 'norfc1918' host option is no longer supported"
+	    } elsif ( $option eq 'blacklist' ) {
+		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $validhostoptions{$option}) {
 		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
 		$options{$option} = 1;
@@ -1726,6 +1810,21 @@ sub find_hosts_by_option( $ ) {
    \@hosts;
 }

+#
+# Returns a reference to a list of zones with the passed in/out option
+#
+
+sub find_zones_by_option( $$ ) {
+    my ($option, $in_out ) = @_;
+    my @zns;
+
+    for my $zone ( @zones ) {
+	push @zns, $zone if $zones{$zone}{options}{$in_out}{$option};
+    }
+
+    \@zns;
+}
+
 sub all_ipsets() {
    sort keys %ipsets;
 }
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -88,43 +88,18 @@ setpolicy() # $1 = name of chain, $2 = policy
    run_iptables -P $1 $2
 }

-#
-# Set a standard chain to enable established and related connections
-#
-setcontinue() # $1 = name of chain
-{
-    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-}
-
-#
-# Flush one of the NAT table chains
-#
-flushnat() # $1 = name of chain
-{
-    run_iptables -t nat -F $1
-}
-
-#
-# Flush one of the Mangle table chains
-#
-flushmangle() # $1 = name of chain
-{
-    run_iptables -t mangle -F $1
-}
-
-#
-# Flush and delete all user-defined chains in the filter table
-#
-deleteallchains() {
-    run_iptables -F
-    run_iptables -X
-}
-
 #
 # Generate a list of all network interfaces on the system
 #
 find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'
+    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Generate a list of all network interfaces on the system that have an ipv4 address
+#
+find_all_interfaces1() {
+    ${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
 }

 #
@@ -533,11 +508,12 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
+    local result
+    
    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
-	local result
 	result=1

 	while read route ; do
@@ -622,9 +598,9 @@ delete_proxyarp() {
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
-    fi

 	rm -f ${VARDIR}/proxyarp
+    fi
 }

 #
@@ -638,6 +614,7 @@ clear_firewall() {
    setpolicy OUTPUT ACCEPT

    run_iptables -F
+    qt $IPTABLES -t raw -F

    echo 1 > /proc/sys/net/ipv4/ip_forward

--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -88,35 +88,18 @@ setpolicy() # $1 = name of chain, $2 = policy
    run_iptables -P $1 $2
 }

-#
-# Set a standard chain to enable established and related connections
-#
-setcontinue() # $1 = name of chain
-{
-    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
-}
-
-#
-# Flush one of the Mangle table chains
-#
-flushmangle() # $1 = name of chain
-{
-    run_iptables -t mangle -F $1
-}
-
-#
-# Flush and delete all user-defined chains in the filter table
-#
-deleteallchains() {
-    run_iptables -F
-    run_iptables -X
-}
-
 #
 # Generate a list of all network interfaces on the system
 #
 find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'
+    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Generate a list of all network interfaces on the system that have an ipv6 address
+#
+find_all_interfaces1() {
+    ${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
 }

 #
@@ -513,11 +496,12 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
+    local result
+    
    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
-	local result
 	result=1

 	while read route ; do
@@ -600,6 +584,7 @@ clear_firewall() {
    setpolicy OUTPUT ACCEPT

    run_iptables -F
+    qt $IP6TABLES -t raw -F

    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -2,6 +2,41 @@ Changes in Shorewall 4.4.13

 1)  Allow zone lists in rules SOURCE and DEST.

+2)  Fix exclusion in the blacklist file.
+
+3)  Correct several old exclusion bugs.
+
+4)  Fix exclusion with CONTINUE/NONAT/ACCEPT+
+
+5)  Re-implement optional interface handling.
+
+6)  Add secmark config file.
+
+7)  Split in and out blacklisting.
+
+8)  Correct handling of [{src|dst},...] in ipset invocation
+
+9)  Correct SAME.
+
+10) TC Enhancements:
+
+    <burst> in IN-BANDWIDTH columns.
+    OUT-BANDWIDTH column in tcinterfaces.
+
+11) Create dynamic zone ipsets on 'start'.
+
+12) Remove new blacklisting implementation.
+
+13) Implement an alternative blacklisting scheme.
+
+14) Use '-m state' for UNTRACKED.
+
+15) Clear raw table on 'clear'
+
+16) Correct port-range check in tcfilters.
+
+17) Disallow '*' in interface names.
+
 Changes in Shorewall 4.4.12

 1)  Fix IPv6 shorecap program.
--- a/Shorewall/configfiles/secmarks
+++ b/Shorewall/configfiles/secmarks
@@ -0,0 +1,13 @@
+#
+# Shorewall version 4 - Secmarks File
+#
+# For information about entries in this file, type "man shorewall-secmarks"
+#
+############################################################################################################
+#SECMARK			CHAIN:	SOURCE		DEST		PROTO	DEST	SOURCE	USER/	MARK
+#				STATE						PORT(S)	PORT(S) GROUP
+
+
+
+
+								
--- a/Shorewall/configfiles/tcinterfaces
+++ b/Shorewall/configfiles/tcinterfaces
@@ -8,4 +8,3 @@
 #
 ###############################################################################
 #INTERFACE	TYPE		IN-BANDWIDTH
-
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.13-Beta1
+VERSION=4.4.13

 usage() # $1 = exit status
 {
@@ -586,6 +586,16 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcfilters ]; then
    echo "TC Filters file installed as ${DESTDIR}/etc/shorewall/tcfilters"
 fi

+#
+# Install the secmarks file
+#
+run_install $OWNERSHIP -m 0644 configfiles/secmarks ${DESTDIR}/usr/share/shorewall/configfiles
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/secmarks ]; then
+    run_install $OWNERSHIP -m 0600 configfiles/secmarks ${DESTDIR}/etc/shorewall
+    echo "Secmarks file installed as ${DESTDIR}/etc/shorewall/secmarks"
+fi
+
 #
 # Install the default config path file
 #
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@@ -1 +1,2 @@
-There are no known problems in Shorewall 4.4.13-Beta1
+1)  On systems running Upstart, shorewall-init cannot reliably start the
+    firewall before interfaces are brought up.
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -29,7 +29,7 @@
 #

 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40412
+SHOREWALL_CAPVERSION=40413

 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -1576,6 +1576,7 @@ determine_capabilities() {
    PERSISTENT_SNAT=
    FLOW_FILTER=
    FWMARK_RT_MASK=
+    MARK_ANYWHERE=

    chain=fooX$$

@@ -1713,6 +1714,7 @@ determine_capabilities() {
    qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
    qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
    qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
+    qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes

    qt $IPTABLES -F $chain
    qt $IPTABLES -X $chain
@@ -1792,6 +1794,7 @@ report_capabilities() {
 	report_capability "TPROXY Target" $TPROXY_TARGET
 	report_capability "FLOW Classifier" $FLOW_FILTER
 	report_capability "fwmark route mask" $FWMARK_RT_MASK
+	report_capability "Mark in any table" $MARK_ANYWHERE
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1856,6 +1859,7 @@ report_capabilities1() {
    report_capability1 TPROXY_TARGET
    report_capability1 FLOW_FILTER
    report_capability1 FWMARK_RT_MASK
+    report_capability1 MARK_ANYWHERE

    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -13,12 +13,116 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------

-None.
+1)  Under rare circumstances where COMMENT is used to attach comments
+    to rules, OPTIMIZE 8 through 15 could result in invalid
+    iptables-restore (ip6tables-restore) input.
+
+2)  Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
+    could result in invalid iptables-restore (ip6tables-restore) input.
+
+3)  The change in 4.4.12 to detect and use the new ipset match syntax
+    broke the ability to detect the old ipset match capability. Now,
+    both versions of the capability can be correctly detected.
+
+4)  Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
+    if the last optional interface tested was not available.
+
+5)  Exclusion in the blacklist file was correctly validated but was then
+    ignored when generating iptables (ip6tables) rules.
+
+6)  Previously, non-trivial exclusion (more than one excluded
+    address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
+    valid but incorrect iptables input. This has been corrected but
+    requires that your iptables/kernel support marking rules in any
+    Netfilter table (CONTINUE in the tcrules file does not require this
+    support).
+
+    This fix implements a new 'Mark in any table' capability; those
+    who utilize a capabilities file should re-generate the file using
+    this release.
+
+7)  Interface handling has been extensively modified in this release
+    to correct a number of problems with the earlier
+    implementation. Among those problems:
+
+    - Invalid shell variable names could be generated in the firewall
+      script. The generated firewall script uses shell variables to
+      track the availability of optional and required interfaces and
+      to record detected gateways, detected addresses, etc.
+
+    - The same shell variable name could be generated by two different
+      interface names.
+
+    - Entries in the interfaces file with a wildcard physical name
+      (physical name ends with "+") and with the 'optional' option were
+      handled strangely.
+
+      o If there were references to specific interfaces that matched
+        the wildcard, those entries were handled as if they had been
+        defined as optional in the interfaces file.
+
+      o If there were no references matching the wildcard, then the
+        'optional' option was effectively ignored. 
+
+    The new implementation:
+
+    - Insures valid shell variable names.
+    
+    - Insures that shell variable names are unique.
+
+    - Handles interface names appearing in the INTERFACE column of the
+      providers file as a special case for 'optional'. If the name
+      matches a wildcard entry in the interfaces file then the
+      usability of the specific interface is tracked individually. 
+
+    - Handles the availabilty of other interfaces matching a wildcard
+      as a group; if there is one useable interface in the group then
+      the wildcard itself is considered usable.
+
+      The following example illustrates this use case:
+
+      /etc/shorewall/interfaces
+
+	net	ppp+	-	optional
+
+      /etc/shorewall/shorewall.conf
+
+	REQUIRE_INTERFACE=Yes
+
+      If there is any usable PPP interface then the firewall will be
+      allowed to start. Previously, the firewall would never be allowed
+      to start.
+
+8)  When a comma-separated list of 'src' and/or 'dst' was specified in
+    an ipset invocation (e.g., "+fooset[src,src]), all but the first 'src'
+    or 'dst' was previously ignored when generating the resulting
+    iptables rule.
+
+9)  Beginning with Shorewall 4.4.9, the SAME target in tcrules has
+    generated invalid iptables (ip6tables) input. That target now
+    generates correct input.
+
+10) Ipsets associated with 'dynamic' zones were being created during
+    'restart' but not during 'start'.
+
+11) To work around an issue in Netfilter/iptables, Shorewall now uses
+    state match rather than conntrack match for UNTRACKED state
+    matching.
+
+12) If the routestopped files contains NOTRACK rules, 'shorewall* clear' 
+    did not clear the raw table.
+
+13) An error message was incorrectly generated if a port range of the
+    form :<port> (e.g., :22) appeared.
+
+14) An error is now generated if '*' appears in an interface name.
+
 ----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------

-None.
+1)  On systems running Upstart, shorewall-init cannot reliably start the
+    firewall before interfaces are brought up.

 ----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
@@ -63,10 +167,10 @@ None.
    - The one rooted in the 'accounting' chain.
    - The one rooted in the 'accipsecin' chain. This tree handles
      traffic that has been decrypted on the firewall. Rules in this
-    - tree cannot specify an interface name in the DEST column.
+      tree cannot specify an interface name in the DEST column.
    - The one rooted in the 'accipsecout' chain. This tree handles
      traffic that will be encrypted on the firewall. Rules in this
-    - tree cannot specify an interface name in the SOURCE column.
+      tree cannot specify an interface name in the SOURCE column.

    In reality, when there are bridges defined in the configuration,
    there is a fourth tree rooted in the 'accountout' chain. That chain
@@ -85,6 +189,76 @@ None.
      The named chain contains accounting rules but no JUMP or COUNT
      specifies that chain as the target.

+3)  Shorewall now supports the SECMARK and CONNSECMARK targets for
+    manipulating the SELinux context of packets.
+
+    See the shorewall-secmarks and shorewall6-secmarks manpages for
+    details.
+
+    As part of this change, the tcrules file now accepts $FW in the
+    DEST column for marking packets in the INPUT chain.
+
+4)  Blacklisting has undergone considerable change in Shorewall 4.4.13.
+
+    a) Blacklisting is now based on zones rather than on interfaces and
+       host groups.
+
+    b) Near compatibility with earlier releases is maintained.
+
+    c) The keywords 'src' and 'dst' are now preferred in the OPTIONS
+       column in /etc/shoreawll/blacklist, replacing 'from' and 'to'
+       respectively. The old keywords are still supported.
+
+    d) The 'blacklist' keyword may now appear in the OPTIONS,
+       IN_OPTIONS and OUT_OPTIONS fields in /etc/shorewall/zones.
+
+       i)  In the IN_OPTIONS column, it indicates that packets received
+           on the interface are checked against the 'src' entries in
+           /etc/shorewall/blacklist.
+
+       ii) In the OUT_OPTIONS column, it indicates that packets being
+           sent to the interface are checked against the 'dst' entries.
+
+       iii) Placing 'blacklist' in the OPTIONS column is equivalent to
+           placing in in both the IN_OPTIONS and OUT_OPTIONS columns.
+
+    e) The 'blacklist' option in the OPTIONS column of
+       /etc/shorewall/interfaces or /etc/shorewall/hosts is now
+       equivalent to placing it in the IN_OPTIONS column of the
+       associates record in /etc/shorewall/zones. If no zone is given
+       in the ZONE column of /etc/shorewall/interfaces, the 'blacklist'
+       option is ignored with a warning (it was previously ignored
+       silently).
+
+    f) The 'blacklist' option in the /etc/shorewall/interfaces and
+       /etc/shorewall/hosts files is now deprecated but will continue
+       to be supported for several releases. A warning will be added at
+       least one release before support is removed.
+
+5)  There is now an OUT-BANDWIDTH column in
+    /etc/shorewall/tcinterfaces.
+
+    The format of this column is:
+
+    	<rate>[:[<burst>][:[<latency>][:[<peak>][:[<minburst>]]]]]
+
+    These terms are described in tc-tbf(8). Shorewall supplies default
+    values as follows:
+
+    	   <burst>   = 10kb
+	   <latency> = 200ms
+
+    The remaining options are defaulted by tc.
+
+6)  The IN-BANDWIDTH column in both /etc/shorewall/tcdevices and
+    /etc/shorewall/tcinterfaces now accepts an optional burst parameter.
+
+        <rate>[:<burst>]
+
+    The default <burst> is 10kb. A larger <burst> can help make the
+    <rate> more accurate; often for fast lines, the enforced rate is
+    well below the specified <rate>.
+
 ----------------------------------------------------------------------------
             I V.  R E L E A S E  4 . 4  H I G H L I G H T S
 ----------------------------------------------------------------------------
@@ -296,11 +470,16 @@ None.
    where 'iface' is a capitalized interface name (e.g., ETH0) and
    'provider' is the capitalized name of a provider.

+15) Support for the OPTIONS column in /etc/shorewall/blacklist
+    (/etc/shorewall6/blacklist) has been removed. Blacklisting by
+    destination IP address will be included in a later Shorewall
+    release.
+
 ----------------------------------------------------------------------------
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
      I N   P R I O R  R E L E A S E S
 ----------------------------------------------------------------------------
-         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 1
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 2
 ----------------------------------------------------------------------------

 1)  Previously, the Shorewall6-lite version of shorecap was using
@@ -345,62 +524,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    correctly.

 ----------------------------------------------------------------------------
-         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 1
----------------------------------------------------------------------------
-
-1)  The IPv6 allowBcast action generated an invalid rule.
-
-2)  If IPSET=<pathname> was specified in shorewall.conf, then when an
-    ipset was used in a configuration file entry, the following
-    fatal compilation error occurred:
-
-    ERROR: ipset names in Shorewall configuration files require Ipset
-    Match in your kernel and iptables : /etc/shorewall/rules (line nn)
-
-    If you applied the workaround given in the "Known Problems", then
-    you should remove /etc/shorewall/capabilities after installing
-    this fix.
-
-3)  The start priority of shorewall-init on Debian and Debian-based
-    distributions was previously too low, making it start too late.
-
-4)  The log output from IPv6 logs was almost unreadable due to display
-    of IPv6 addresses in uncompressed format. A similar problem
-    occurred with 'shorewall6 show connections'. This update makes the
-    displays much clearer at the expense of opening the slight
-    possibility of two '::' sequences being incorrectly shown in the
-    same address.
-
-5)  The new REQUIRE_INTERFACE was inadvertently omitted from
-    shorewall.conf and shorewall6.conf. It has been added.
-
-6)  Under some versions of Perl, a Perl run-time diagnostic was produced
-    when options were omitted from shorewall.conf or shorewall6.conf. 
-
-7) If the following options were specified in /etc/shorewall/interfaces
-   for an interface with '-' in the ZONE column, then these options
-   would be ignored if there was an entry in the hosts file for the
-   interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
-   implied when the host list begins with '!').
-
-   	blacklist
-	maclist
-	nosmurfs
-	tcpflags
-
-   Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
-
-8) The generated script was missing a closing quote when
-   REQUIRE_INTERFACE=Yes.
-
-9) Previously, if nets= was specified under Shorewall6, this error
-   would result:
-
-   	 ERROR: Invalid IPv6 address (224.0.0.0) : 
-                /etc/shorewall6/interfaces (line 16)
-
----------------------------------------------------------------------------
-               N E W   F E A T U R E S   I N   4 . 4 . 1 1
+               N E W   F E A T U R E S   I N   4 . 4 . 1 2
 ----------------------------------------------------------------------------

 1)  Support has been added for ADD and DEL rules in
@@ -495,6 +619,106 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S

 	gateway:/etc/shorewall# 

+----------------------------------------------------------------------------
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 1
+----------------------------------------------------------------------------
+
+1)  The IPv6 allowBcast action generated an invalid rule.
+
+2)  If IPSET=<pathname> was specified in shorewall.conf, then when an
+    ipset was used in a configuration file entry, the following
+    fatal compilation error occurred:
+
+    ERROR: ipset names in Shorewall configuration files require Ipset
+    Match in your kernel and iptables : /etc/shorewall/rules (line nn)
+
+    If you applied the workaround given in the "Known Problems", then
+    you should remove /etc/shorewall/capabilities after installing
+    this fix.
+
+3)  The start priority of shorewall-init on Debian and Debian-based
+    distributions was previously too low, making it start too late.
+
+4)  The log output from IPv6 logs was almost unreadable due to display
+    of IPv6 addresses in uncompressed format. A similar problem
+    occurred with 'shorewall6 show connections'. This update makes the
+    displays much clearer at the expense of opening the slight
+    possibility of two '::' sequences being incorrectly shown in the
+    same address.
+
+5)  The new REQUIRE_INTERFACE was inadvertently omitted from
+    shorewall.conf and shorewall6.conf. It has been added.
+
+6)  Under some versions of Perl, a Perl run-time diagnostic was produced
+    when options were omitted from shorewall.conf or shorewall6.conf. 
+
+7) If the following options were specified in /etc/shorewall/interfaces
+   for an interface with '-' in the ZONE column, then these options
+   would be ignored if there was an entry in the hosts file for the
+   interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
+   implied when the host list begins with '!').
+
+   	blacklist
+	maclist
+	nosmurfs
+	tcpflags
+
+   Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
+
+8) The generated script was missing a closing quote when
+   REQUIRE_INTERFACE=Yes.
+
+9) Previously, if nets= was specified under Shorewall6, this error
+   would result:
+
+   	 ERROR: Invalid IPv6 address (224.0.0.0) : 
+                /etc/shorewall6/interfaces (line 16)
+
+----------------------------------------------------------------------------
+               N E W   F E A T U R E S   I N   4 . 4 . 1 1
+----------------------------------------------------------------------------
+
+1)  Beginning with this release, Shorewall supports a 'vserver'
+    zone type. This zone type is used with Shorewall running on a
+    Linux-vserver host system and allows you to define zones that
+    represent a set of Linux-vserver hosts.
+
+    See http://www.shorewall.net/Vserver.html for details.
+
+2)  A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
+    and shorewall6.conf. 
+
+    Traditionally, Shorewall has cleared the packet mark in the first
+    rule in the mangle FORWARD chain. This behavior is maintained with
+    the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is
+    set to No, packet marks set in the PREROUTING chain are retained in
+    the FORWARD chains.
+
+    As part of this change, a new "fwmark route mask" capability has
+    been added. If your version of iproute2 supports this capability,
+    fwmark routing rules may specify a mask to be applied to the mark
+    prior to comparison with the mark value in the rule. The presence
+    of this capability allows Shorewall to relax the restriction that
+    small mark values may not be set in the PREROUTING chain when
+    HIGH_ROUTE_MARKS is in effect. If you take advantage of this
+    capability, be sure that you logically OR mark values in PREROUTING
+    makring rules rather then simply setting them unless you are able
+    to set both the high and low bits in the mark in a single rule.
+
+    As always when a new capability has been introduced, be sure to
+    regenerate your capabilities file(s) after installing this release.
+
+3)  A new column (NET3) has been added to the /etc/shorewall/netmap
+    file. This new column can qualify the INTERFACE column by
+    specifying a SOURCE network (DNAT rule) or DEST network (SNAT rule)
+    associated with the interface.
+
+4)  To accomodate systems with more than one version of Perl installed,
+    the shorewall.conf and shorewall6.conf files now support a PERL
+    option. If the program specified by that option does not exist or
+    is not executable, Shorewall (and Shorewall6) fall back to
+    /usr/bin/perl.
+
 ----------------------------------------------------------------------------
         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 0
 ----------------------------------------------------------------------------
@@ -543,51 +767,6 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S

    This configuration now works correctly.

----------------------------------------------------------------------------
-               N E W   F E A T U R E S   I N   4 . 4 . 1 1
----------------------------------------------------------------------------
-
-1)  Beginning with this release, Shorewall supports a 'vserver'
-    zone type. This zone type is used with Shorewall running on a
-    Linux-vserver host system and allows you to define zones that
-    represent a set of Linux-vserver hosts.
-
-    See http://www.shorewall.net/Vserver.html for details.
-
-2)  A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
-    and shorewall6.conf. 
-
-    Traditionally, Shorewall has cleared the packet mark in the first
-    rule in the mangle FORWARD chain. This behavior is maintained with
-    the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is
-    set to No, packet marks set in the PREROUTING chain are retained in
-    the FORWARD chains.
-
-    As part of this change, a new "fwmark route mask" capability has
-    been added. If your version of iproute2 supports this capability,
-    fwmark routing rules may specify a mask to be applied to the mark
-    prior to comparison with the mark value in the rule. The presence
-    of this capability allows Shorewall to relax the restriction that
-    small mark values may not be set in the PREROUTING chain when
-    HIGH_ROUTE_MARKS is in effect. If you take advantage of this
-    capability, be sure that you logically OR mark values in PREROUTING
-    makring rules rather then simply setting them unless you are able
-    to set both the high and low bits in the mark in a single rule.
-
-    As always when a new capability has been introduced, be sure to
-    regenerate your capabilities file(s) after installing this release.
-
-3)  A new column (NET3) has been added to the /etc/shorewall/netmap
-    file. This new column can qualify the INTERFACE column by
-    specifying a SOURCE network (DNAT rule) or DEST network (SNAT rule)
-    associated with the interface.
-
-4)  To accomodate systems with more than one version of Perl installed,
-    the shorewall.conf and shorewall6.conf files now support a PERL
-    option. If the program specified by that option does not exist or
-    is not executable, Shorewall (and Shorewall6) fall back to
-    /usr/bin/perl.
-
 ----------------------------------------------------------------------------
               N E W   F E A T U R E S   I N   4 . 4 . 1 0
 ----------------------------------------------------------------------------
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,6 +1,6 @@
 %define name shorewall
 %define version 4.4.13
-%define release 0Beta1
+%define release 0base

 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -108,6 +108,20 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples

 %changelog
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
 * Wed Aug 18 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta1
 * Sun Aug 15 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.13-Beta1
+VERSION=4.4.13

 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.13-Beta1
+VERSION=4.4.13

 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall6-lite
 %define version 4.4.13
-%define release 0Beta1
+%define release 0base

 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -93,6 +93,20 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
 * Wed Aug 18 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta1
 * Sun Aug 15 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.13-Beta1
+VERSION=4.4.13

 usage() # $1 = exit status
 {
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.13-Beta1
+VERSION=4.4.13

 usage() # $1 = exit status
 {
@@ -311,8 +311,8 @@ delete_file ${DESTDIR}/usr/share/shorewall6/lib.proxyarp
 delete_file ${DESTDIR}/usr/share/shorewall6/lib.tc
 delete_file ${DESTDIR}/usr/share/shorewall6/lib.tcrules
 delete_file ${DESTDIR}/usr/share/shorewall6/lib.tunnels
-delete_file ${DESTDIR}/usr/share/shorewall6/prog.header
-delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer
+delete_file ${DESTDIR}/usr/share/shorewall6/prog.header6
+delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer6

 #
 # Install wait4ifup
@@ -507,6 +507,16 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/notrack ]; then
    run_install $OWNERSHIP -m 0600 notrack ${DESTDIR}/etc/shorewall6/notrack
    echo "Notrack file installed as ${DESTDIR}/etc/shorewall6/notrack"
 fi
+
+#
+# Install the Secmarks file
+#
+run_install $OWNERSHIP -m 0644 secmarks ${DESTDIR}/usr/share/shorewall6/configfiles/secmarks
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/secmarks ]; then
+    run_install $OWNERSHIP -m 0600 secmarks ${DESTDIR}/etc/shorewall6/secmarks
+    echo "Secmarks file installed as ${DESTDIR}/etc/shorewall6/secmarks"
+fi
 #
 # Install the default config path file
 #
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -33,7 +33,7 @@
 #

 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40412
+SHOREWALL_CAPVERSION=40413

 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -1263,6 +1263,7 @@ determine_capabilities() {
    LOG_TARGET=Yes
    FLOW_FILTER=
    FWMARK_RT_MASK=
+    MARK_ANYWHERE=

    chain=fooX$$

@@ -1404,6 +1405,7 @@ determine_capabilities() {
    qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
    qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
    qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
+    qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes

    qt $IP6TABLES -F $chain
    qt $IP6TABLES -X $chain
@@ -1480,6 +1482,7 @@ report_capabilities() {
 	report_capability "TPROXY Target" $TPROXY_TARGET
 	report_capability "FLOW Classifier" $FLOW_FILTER
 	report_capability "fwmark route mask" $FWMARK_RT_MASK
+	report_capability "Mark in any table" $MARK_ANYWHERE
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1541,6 +1544,7 @@ report_capabilities1() {
    report_capability1 TPROXY_TARGET
    report_capability1 FLOW_FILTER
    report_capability1 FWMARK_RT_MASK
+    report_capability1 MARK_ANYWHERE
    
    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION    
--- a/Shorewall6/secmarks
+++ b/Shorewall6/secmarks
@@ -0,0 +1,8 @@
+#
+# Shorewall6 version 4 - Secmarks File
+#
+# For information about entries in this file, type "man shorewall-secmarks"
+#
+############################################################################################################
+#SECMARK			CHAIN	SOURCE		DEST		PROTO	DEST	SOURCE		MARK
+#										PORT(S)	PORT(S)
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@@ -1,6 +1,6 @@
 %define name shorewall6
 %define version 4.4.13
-%define release 0Beta1
+%define release 0base

 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -98,6 +98,20 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6

 %changelog
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
 * Wed Aug 18 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta1
 * Sun Aug 15 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.13-Beta1
+VERSION=4.4.13

 usage() # $1 = exit status
 {
--- a/docs/CompiledPrograms.xml
+++ b/docs/CompiledPrograms.xml
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2006-2007</year>
+      <year>2006-2010</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -1188,6 +1188,18 @@ to debug/develop the newnat interface.</programlisting></para>
  <section id="Logging">
    <title>Logging</title>

+    <section id="faq91">
+      <title>(FAQ 91) I changed the shorewall.conf file in /etc/shorewall/ to
+      spit out logs to /var/log/shorewall.log and it's not happening after I
+      restart shorewall. LOGFILE=/var/log/shorewall.log &lt;-- that should be
+      the correct line, right? </title>
+
+      <para><emphasis role="bold">Answer</emphasis>: No, that is not correct.
+      The LOGFILE setting tells Shorewall where to find the log; it does not
+      determine where messages are written. See <link linkend="faq6">the next
+      FAQ</link>.</para>
+    </section>
+
    <section id="faq6">
      <title>(FAQ 6) Where are the log messages written and how do I change
      the destination?</title>
--- a/docs/Manpages.xml
+++ b/docs/Manpages.xml
@@ -129,6 +129,9 @@
        <member><ulink url="manpages/shorewall-rules.html">rules</ulink> -
        Specify exceptions to policies, including DNAT and REDIRECT.</member>

+        <member><ulink url="manpages/shorewall-secmarks.html">secmarks</ulink>
+        - Attach an SELinux context to a packet.</member>
+
        <member><ulink
        url="manpages/shorewall-tcclasses.html">tcclasses</ulink> - Define htb
        classes for traffic shaping.</member>
--- a/docs/Manpages6.xml
+++ b/docs/Manpages6.xml
@@ -114,6 +114,10 @@
        <member><ulink url="manpages6/shorewall6-rules.html">rules</ulink> -
        Specify exceptions to policies, including DNAT and REDIRECT.</member>

+        <member><ulink
+        url="manpages6/shorewall6-secmarks.html">secmarks</ulink> - Attached
+        an SELinux context to a packet.</member>
+
        <member><ulink
        url="manpages6/shorewall6-tcclasses.html">tcclasses</ulink> - Define
        htb classes for traffic shaping.</member>
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -1561,7 +1561,7 @@ connection {

 connection {
    name=Comcast
-    checkip=${ETH0_GATEWAY:-71.231.152.1}
+    checkip=${SW_ETH0_GATEWAY:-71.231.152.1}
    device=$COM_IF
    ttl=1
 }
@@ -1577,9 +1577,14 @@ EOF
   /usr/sbin/lsm /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
 }</programlisting>

-        <para>eth3 has a dynamic IP address so I need to use the
-        Shorewall-detected gateway address ($ETH3_GATEWAY). I supply a default
-        value to be used in the event that detection fails.</para>
+        <para>eth0 has a dynamic IP address so I need to use the
+        Shorewall-detected gateway address ($SW_ETH1_GATEWAY). I supply a
+        default value to be used in the event that detection fails.</para>
+
+        <note>
+          <para>In Shorewall 4.4.7 and earlier, the variable name is
+          ETH1_GATEWAY.</para>
+        </note>

        <para><filename>/etc/shorewall/started</filename>:</para>

--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -331,7 +331,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
          <row>
            <entry>WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=No</entry>

-            <entry>TC_BITS=8, PROVIDER_BITS=0, PROVIDER_OFFSET=0,
+            <entry>TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=0,
            MASK_BITS=8</entry>
          </row>

@@ -365,6 +365,10 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=

    <para>Beginning with Shorewall 4.4.12, the field between MASK_BITS and
    PROVIDER_OFFSET can be used for any purpose you want.</para>
+
+    <para>Beginning with Shorewall 4.4.13, The first unused bit on the left is
+    used by Shorewall as an <firstterm>exclusion mark</firstterm>, allowing
+    exclusion in CONTINUE, NONAT and ACCEPT+ rules.</para>
  </section>

  <section id="Shorewall">
--- a/docs/Vserver.xml
+++ b/docs/Vserver.xml
@@ -134,7 +134,7 @@ vpn             ipv4            #OpenVPN clients
    <para><filename>/etc/shorewall/hosts</filename>:</para>

    <programlisting>#ZONE   HOST(S)                                 OPTIONS
-drct    eth3:dynamic
+drct    eth4:dynamic
 <emphasis role="bold">dmz     eth1:70.90.191.124/31</emphasis></programlisting>

    <para>While the IP addresses 70.90.191.124 and 70.90.191.125 are
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -36,6 +36,13 @@
    </legalnotice>
  </articleinfo>

+  <caution>
+    <para><emphasis role="bold">This article applies to Shorewall 4.4 and
+    later. If you are running a version of Shorewall earlier than Shorewall
+    4.3.5 then please see the documentation for that
+    release.</emphasis></para>
+  </caution>
+
  <section id="Intro">
    <title>Introduction</title>

--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -213,6 +213,12 @@
          shaping.</para>
        </listitem>

+        <listitem>
+          <para><filename>/etc/shorewall/secmarks</filename> - Added in
+          Shorewall 4.4.13. Attach an SELinux context to selected
+          packets.</para>
+        </listitem>
+
        <listitem>
          <para><filename>/etc/shorewall/vardir</filename> - Determines the
          directory where Shorewall maintains its state.</para>
@@ -343,6 +349,10 @@ ACCEPT  net     $FW      tcp     www     #This is an end-of-line comment</progra
        <para><filename>/etc/shorewall/rules</filename></para>
      </listitem>

+      <listitem>
+        <para><filename>/etc/shorewall/secmarks</filename></para>
+      </listitem>
+
      <listitem>
        <para><filename>/etc/shorewall/tcrules</filename></para>
      </listitem>
--- a/docs/images/MarkGeometry.dia
+++ b/docs/images/MarkGeometry.dia
--- a/docs/images/MarkGeometry.png
+++ b/docs/images/MarkGeometry.png
--- a/docs/images/Network2010a.dia
+++ b/docs/images/Network2010a.dia
--- a/docs/images/Network2010a.png
+++ b/docs/images/Network2010a.png
--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -41,7 +41,7 @@
  <caution>
    <para><emphasis role="bold">This article applies to Shorewall 4.4 and
    later. If you are running a version of Shorewall earlier than Shorewall
-    4.3.5 then please see the documentation appropriate for your
+    4.4.0 then please see the documentation appropriate for your
    version.</emphasis></para>
  </caution>

@@ -71,13 +71,6 @@
        contents of an ipset</ulink>. Again, you can then add or delete
        addresses to the ipset without restarting Shorewall.</para>
      </listitem>
-
-      <listitem>
-        <para>Triggers. Using an iptree ipset with a timeout together with the
-        ADD and DEL commands in <ulink
-        url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) allows
-        you to implement triggers.</para>
-      </listitem>
    </orderedlist>

    <para>See the ipsets site (URL above) for additional information about
--- a/docs/shorewall_features.xml
+++ b/docs/shorewall_features.xml
@@ -16,7 +16,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2001-2009</year>
+      <year>2001-2010</year>

      <holder>Thomas M Eastep</holder>
    </copyright>
@@ -246,6 +246,37 @@
        <para><ulink url="IPv6Support.html"><emphasis
        role="bold">IPv6</emphasis> Support</ulink></para>
      </listitem>
+
+      <listitem>
+        <para>Works with a wide range of <emphasis
+        role="bold">Virtualization</emphasis> Solutions:</para>
+
+        <itemizedlist>
+          <listitem>
+            <para><ulink url="KVM.html"><emphasis
+            role="bold">KVM</emphasis></ulink></para>
+          </listitem>
+
+          <listitem>
+            <para><ulink url="XenMyWay-Routed.html"><emphasis
+            role="bold">Xen</emphasis></ulink></para>
+          </listitem>
+
+          <listitem>
+            <para><ulink url="Vserver.html"><emphasis
+            role="bold">Linux-Vserver</emphasis></ulink></para>
+          </listitem>
+
+          <listitem>
+            <para><ulink url="OpenVZ.html"><emphasis
+            role="bold">OpenVZ</emphasis></ulink></para>
+          </listitem>
+
+          <listitem>
+            <para>VirtualBox</para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
    </itemizedlist>
  </section>
 </article>
--- a/docs/simple_traffic_shaping.xml
+++ b/docs/simple_traffic_shaping.xml
@@ -62,7 +62,7 @@

    <para>Assuming that your external interface is eth0:</para>

-    <programlisting>#INTERFACE             TYPE          IN-BANDWIDTH
+    <programlisting>#INTERFACE             TYPE          IN-BANDWIDTH        OUT-BANDWIDTH
 eth0                   External</programlisting>

    <note>
@@ -214,13 +214,13 @@ eth0                   External</programlisting>
    is NO space between the number and the unit (it is 100kbit not 100 kbit).
    <emphasis role="bold">mbit</emphasis>, <emphasis
    role="bold">mbps</emphasis> or a raw number (which means bytes) can be
-    used, but note that only integer numbers are supported (0.5 is not valid).
-    To pick an appropriate setting, we recommend that you start by setting
-    IN-BANDWIDTH significantly below your measured download bandwidth (20% or
-    so). While downloading, measure the ping response time from the firewall
-    to the upstream router as you gradually increase the setting. The optimal
-    setting is at the point beyond which the ping time increases sharply as
-    you increase the setting.</para>
+    used, but note that before Shorewall 4.4.13 only integer numbers were
+    supported (0.5 was not valid). To pick an appropriate setting, we
+    recommend that you start by setting IN-BANDWIDTH significantly below your
+    measured download bandwidth (20% or so). While downloading, measure the
+    ping response time from the firewall to the upstream router as you
+    gradually increase the setting. The optimal setting is at the point beyond
+    which the ping time increases sharply as you increase the setting.</para>

    <para>Simple Traffic Shaping is only appropriate on interfaces where
    output queuing occurs. As a consequence, you usually only use it on
@@ -231,6 +231,19 @@ eth0                   External</programlisting>

    <programlisting>#INTERFACE             TYPE          IN-BANDWIDTH
 tun0                   Internal</programlisting>
+
+    <para>For fast lines, the actual download rate may be significantly less
+    than the specified IN-BANDWIDTH. Beginning with Shoreall 4.4.13, you can
+    specify an optional burst </para>
+
+    <para>Also beginning with Shorewall 4.4.13, an OUT-BANDWIDTH column is
+    available in <ulink
+    url="manpages/shorewall-tcpri.html">shorewall-tcpri</ulink>(5). Limiting
+    to outgoing bandwidth can have a positive effect on latency for
+    applications like VOIP. We recommend that you begin with a setting that is
+    at least 20% less than your measured upload rate and then gradually
+    increase it until latency becomes unacceptable. Then reduce it back to the
+    point where latency is acceptable.</para>
  </section>

  <section>
--- a/manpages/shorewall-accounting.xml
+++ b/manpages/shorewall-accounting.xml
@@ -35,7 +35,8 @@
        <term><emphasis role="bold">ACTION</emphasis> - {<emphasis
        role="bold">COUNT</emphasis>|<emphasis
        role="bold">DONE</emphasis>|<emphasis>chain</emphasis>[:<emphasis
-        role="bold">COUNT</emphasis>]}</term>
+        role="bold">{COUNT</emphasis>:JUMP}]|COUNT
+        <emphasis>comment</emphasis>}</term>

        <listitem>
          <para>What to do when a matching packet is found.</para>
@@ -76,6 +77,15 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis>chain</emphasis>:JUMP</term>
+
+              <listitem>
+                <para>Like the previous option without the <emphasis
+                role="bold">:COUNT</emphasis> part.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>COMMENT</term>

@@ -476,7 +486,8 @@
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
    shorewall-proxyarp(5), shorewall-route_rules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-actions.xml
+++ b/manpages/shorewall-actions.xml
@@ -54,7 +54,7 @@
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
    shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-blacklist.xml
+++ b/manpages/shorewall-blacklist.xml
@@ -74,40 +74,56 @@
      </varlistentry>

      <varlistentry>
-        <term>OPTIONS (Optional - Added in 4.4.12) - {-|to|from|}</term>
+        <term>OPTIONS (Optional - Added in 4.4.12) -
+        {-|{dst|src}[,...]}</term>

        <listitem>
-          <para>If specified, indicates whether traffic <emphasis
-          role="bold">to</emphasis> or <emphasis role="bold">from</emphasis>
-          the ADDRESS/SUBNET should be blacklisted. The default is <emphasis
-          role="bold">from</emphasis>. If the ADDRESS/SUBNET column is empty,
-          then this column has no effect on the generated rule.</para>
+          <para>If specified, indicates whether traffic
+          <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
+          role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
+          ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
+          blacklisted. The default is <emphasis role="bold">src</emphasis>. If
+          the ADDRESS/SUBNET column is empty, then this column has no effect
+          on the generated rule.</para>

          <note>
-            <para>Blacklisting is still restricted to traffic
-            <emphasis>arriving</emphasis> on an interface that has the
-            'blacklist' option set. So to block traffic from your local
-            network to an internet host, you must specify
+            <para>In Shorewall 4.4.12, the keywords from and to were used in
+            place of src and dst respectively. Blacklisting was still
+            restricted to traffic <emphasis>arriving</emphasis> on an
+            interface that has the 'blacklist' option set. So to block traffic
+            from your local network to an internet host, you had to specify
            <option>blacklist</option> on your internal interface in <ulink
            url="shorewall-interfaces.html">shorewall-interfaces</ulink>
            (5).</para>
          </note>
+
+          <note>
+            <para>Beginning with Shorewall 4.4.13, entries are applied based
+            on the <emphasis role="bold">blacklist</emphasis> setting in
+            <ulink
+            url="shorewall-zones.html">shorewall-zones</ulink>(5):</para>
+
+            <orderedlist>
+              <listitem>
+                <para>'blacklist' in the OPTIONS or IN_OPTIONS column. Traffic
+                from this zone is passed against the entries in this file that
+                have the <emphasis role="bold">src</emphasis> option
+                (specified or defaulted).</para>
+              </listitem>
+
+              <listitem>
+                <para>'blacklist' in the OPTIONS or OUT_OPTIONS column.
+                Trafficto this zone is passed against the entries in this file
+                that have the <emphasis role="bold">dst</emphasis>
+                option.</para>
+              </listitem>
+            </orderedlist>
+          </note>
        </listitem>
      </varlistentry>
    </variablelist>

-    <para>When a packet arrives on an interface that has the <emphasis
-    role="bold">blacklist</emphasis> option specified in <ulink
-    url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5), its
-    source IP address and MAC address is checked against this file and
-    disposed of according to the <emphasis
-    role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
-    role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
-    url="shorewall.conf.html">shorewall.conf</ulink>(5). If <emphasis
-    role="bold">PROTOCOL</emphasis> or <emphasis
-    role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
-    are supplied, only packets matching the protocol (and one of the ports if
-    <emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para>
+    <para></para>
  </refsect1>

  <refsect1>
@@ -157,7 +173,8 @@
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
    shorewall-proxyarp(5), shorewall-route_rules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-ecn.xml
+++ b/manpages/shorewall-ecn.xml
@@ -68,7 +68,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-exclusion.xml
+++ b/manpages/shorewall-exclusion.xml
@@ -155,7 +155,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-hosts.xml
+++ b/manpages/shorewall-hosts.xml
@@ -139,8 +139,15 @@
              <term><emphasis role="bold">blacklist</emphasis></term>

              <listitem>
-                <para>This option only makes sense for ports on a
-                bridge.</para>
+                <para>This option only makes sense for ports on a bridge. As
+                of Shoreawall 4.4.13, ithe option is no longer supported and
+                is ignored with a warning:</para>
+
+                <blockquote>
+                  <para><emphasis role="bold">WARNING: The "blacklist" host
+                  option is no longer supported and will be
+                  ignored.</emphasis></para>
+                </blockquote>

                <para>Check packets arriving on this port against the <ulink
                url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
@@ -261,7 +268,8 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-init.xml
+++ b/manpages/shorewall-init.xml
@@ -167,7 +167,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-interfaces.xml
+++ b/manpages/shorewall-interfaces.xml
@@ -228,8 +228,31 @@ loc     eth2            -</programlisting>
              <listitem>
                <para>Check packets arriving on this interface against the
                <ulink
-                url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
+                url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
                file.</para>
+
+                <para>Beginning with Shorewall 4.4.13:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>If a <replaceable>zone</replaceable> is given in the
+                    ZONES column, then the behavior is as if <emphasis
+                    role="bold">blacklist</emphasis> had been specified in the
+                    IN_OPTIONS column of <ulink
+                    url="shorewall-zones.html">shorewall-zones</ulink>(5).</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Otherwise, the option is ignored with a
+                    warning:</para>
+
+                    <blockquote>
+                      <para><emphasis role="bold">WARNING: The 'blacklist'
+                      option is ignored on mult-zone
+                      interfaces</emphasis></para>
+                    </blockquote>
+                  </listitem>
+                </itemizedlist>
              </listitem>
            </varlistentry>

@@ -422,17 +445,6 @@ loc     eth2            -</programlisting>

                <para>May not be specified with <emphasis
                role="bold">required</emphasis>.</para>
-
-                <caution>
-                  <para>Use <option>optional</option> at your own risk. If you
-                  [re]start Shorewall when an 'optional' interface is not
-                  available and then do a <command>shorewall save</command>,
-                  subsequent <command>shorewall restore</command> and
-                  <command>shorewall -f start</command> operations will
-                  instantiate a ruleset that does not support that interface,
-                  even if it is available at the time of the
-                  restore/start.</para>
-                </caution>
              </listitem>
            </varlistentry>

@@ -697,7 +709,8 @@ net     ppp0      -</programlisting>
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
    shorewall-proxyarp(5), shorewall-route_rules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-maclist.xml
+++ b/manpages/shorewall-maclist.xml
@@ -106,7 +106,7 @@
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
    shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-masq.xml
+++ b/manpages/shorewall-masq.xml
@@ -484,12 +484,7 @@
          DSL or cable modem and eth1 connects to your local network with
          subnet 192.168.0.0/24.</para>

-          <para>Your entry in the file can be either:</para>
-
-          <programlisting>        #INTERFACE   SOURCE
-        eth0         eth1</programlisting>
-
-          <para>or</para>
+          <para>Your entry in the file will be:</para>

          <programlisting>        #INTERFACE   SOURCE
        eth0    192.168.0.0/24</programlisting>
@@ -541,14 +536,15 @@
        <firstterm>interface</firstterm> name in the SOURCE column):</term>

        <listitem>
-          <para>You want all outgoing SMTP traffic entering the firewall on
-          eth1 to be sent from eth0 with source IP address 206.124.146.177.
-          You want all other outgoing traffic from eth1 to be sent from eth0
-          with source IP address 206.124.146.176.</para>
+          <para>You want all outgoing SMTP traffic entering the firewall from
+          172.20.1.0/29 to be sent from eth0 with source IP address
+          206.124.146.177. You want all other outgoing traffic from
+          172.20.1.0/29 to be sent from eth0 with source IP address
+          206.124.146.176.</para>

          <programlisting>        #INTERFACE   SOURCE           ADDRESS         PROTO   PORT(S)
-        eth0         eth1    206.124.146.177 tcp     smtp
-        eth0         eth1    206.124.146.176</programlisting>
+        eth0         172.20.1.0/29    206.124.146.177 tcp     smtp
+        eth0         172.20.1.0/29    206.124.146.176</programlisting>

          <warning>
            <para>The order of the above two rules is significant!</para>
@@ -573,7 +569,8 @@
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-modules.xml
+++ b/manpages/shorewall-modules.xml
@@ -18,14 +18,25 @@
    <cmdsynopsis>
      <command>/usr/share/shorewall/modules</command>
    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>/usr/share/shorewall/helpers</command>
+    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

-    <para>This file specifies which kernel modules Shorewall will load before
-    trying to determine your iptables/kernel's capabilities. Each record in
-    the file has the following format:</para>
+    <para>These files specify which kernel modules Shorewall will load before
+    trying to determine your iptables/kernel's capabilities.</para>
+
+    <para>The <filename>modules</filename> file is used when
+    LOAD_HELPERS_ONLY=No in <ulink
+    url="shorewall.conf.html">shorewall.conf</ulink>(8); the
+    <filename>helpers</filename> file is used when
+    LOAD_HELPERS_ONLY=Yes</para>
+
+    <para>Each record in the files has the following format:</para>

    <cmdsynopsis>
      <command>loadmodule</command>
@@ -45,7 +56,8 @@

    <para>The /usr/share/shorewall/modules file contains a large number of
    modules. Users are encouraged to copy the file to /etc/shorewall/modules
-    and modify the copy to load only the modules required.<note>
+    and modify the copy to load only the modules required or to use
+    LOAD_HELPERS_ONLY=Yes.<note>
        <para>If you build monolithic kernels and have not installed
        module-init-tools, then create an empty /etc/shorewall/modules file;
        that will prevent Shorewall from trying to load modules at all.</para>
@@ -63,7 +75,11 @@

    <para>/usr/share/shorewall/modules</para>

+    <para>/usr/share/shorewall/helpers</para>
+
    <para>/etc/shorewall/modules</para>
+
+    <para>/etc/shorewall/helpers</para>
  </refsect1>

  <refsect1>
@@ -75,7 +91,8 @@
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-nat.xml
+++ b/manpages/shorewall-nat.xml
@@ -142,7 +142,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
    shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-nesting.xml
+++ b/manpages/shorewall-nesting.xml
@@ -208,7 +208,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-netmap.xml
+++ b/manpages/shorewall-netmap.xml
@@ -118,7 +118,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
    shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-notrack.xml
+++ b/manpages/shorewall-notrack.xml
@@ -151,7 +151,7 @@
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
    shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-params.xml
+++ b/manpages/shorewall-params.xml
@@ -132,7 +132,7 @@ net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-policy(5), shorewall-providers(5),
    shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-policy.xml
+++ b/manpages/shorewall-policy.xml
@@ -317,7 +317,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-providers.xml
+++ b/manpages/shorewall-providers.xml
@@ -344,7 +344,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-proxyarp.xml
+++ b/manpages/shorewall-proxyarp.xml
@@ -136,7 +136,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-route_rules.xml
+++ b/manpages/shorewall-route_rules.xml
@@ -169,7 +169,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-routestopped(5),
-    shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-routestopped.xml
+++ b/manpages/shorewall-routestopped.xml
@@ -204,7 +204,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@@ -1374,7 +1374,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall.conf(5), shorewall-tcclasses(5),
+    shorewall-routestopped(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-secmarks.xml
+++ b/manpages/shorewall-secmarks.xml
@@ -0,0 +1,387 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-secmarks</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>secmarks</refname>
+
+    <refpurpose>Shorewall file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/secmarks</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>The secmarks file is used to associate an SELinux context with
+    packets. It was added in Shorewall version 4.4.13.</para>
+
+    <para>The columns in the file are as follows.</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">SECMARK -
+        {SAVE|RESTORE|<replaceable>context</replaceable>|COMMENT
+        <replaceable>comment</replaceable>}</emphasis></term>
+
+        <listitem>
+          <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">SAVE</emphasis></term>
+
+              <listitem>
+                <para>If an SELinux context is associated with the packet, the
+                context is saved in the connection. Normally, the remaining
+                columns should be left blank.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">RESTORE</emphasis></term>
+
+              <listitem>
+                <para>If an SELinux context is not currently associated with
+                the packet, then the saved context (if any) is associated with
+                the packet. Normally, the remaining columns should be left
+                blank.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable role="bold">context</replaceable></term>
+
+              <listitem>
+                <para>An SELinux context.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>COMMENT</term>
+
+              <listitem>
+                <para>The remainder of the line is treated as a comment which
+                is attached to subsequent rules until another COMMENT line is
+                found or until the end of the file is reached. To stop adding
+                comments to rules, use a line with only the word
+                COMMENT.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">CHAIN:STATE -
+        {P|I|F|O|T}[:{N|E|ER}]</emphasis></term>
+
+        <listitem>
+          <para>This column determines the CHAIN where the SElinux context is
+          to be applied:</para>
+
+          <simplelist>
+            <member>P - PREROUTING</member>
+
+            <member>I - INPUT</member>
+
+            <member>F - FORWARD</member>
+
+            <member>O - OUTPUT</member>
+
+            <member>T - POSTROUTING</member>
+          </simplelist>
+
+          <para>It may be optionally followed by a colon and an indication of
+          the connection state(s) at which the context is to be
+          applied:</para>
+
+          <simplelist>
+            <member>:N - NEW connection</member>
+
+            <member>:E - ESTABLISHED connection</member>
+
+            <member>:ER - ESTABLISHED or RELATED connection</member>
+          </simplelist>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE</emphasis> - {<emphasis
+        role="bold">-</emphasis><emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
+
+        <listitem>
+          <para>May be:</para>
+
+          <orderedlist>
+            <listitem>
+              <para>An interface name - matches traffic entering the firewall
+              on the specified interface. May not be used in classify rules or
+              in rules using the T in the CHAIN column.</para>
+            </listitem>
+
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses or
+              MAC addresses.</para>
+            </listitem>
+
+            <listitem>
+              <para>An interface name followed by a colon (":") followed by a
+              comma-separated list of host or network IP addresses or MAC
+              addresses.</para>
+            </listitem>
+          </orderedlist>
+
+          <para>MAC addresses must be prefixed with "~" and use "-" as a
+          separator.</para>
+
+          <para>Example: ~00-A0-C9-15-39-78</para>
+
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+
+          <para>Addresses may be specified using an ipset name preceded by
+          '+'.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
+        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>
+
+        <listitem>
+          <para>May be:</para>
+
+          <orderedlist>
+            <listitem>
+              <para>An interface name. May not be used in the PREROUTING or
+              INPUT chains. The interface name may be optionally followed by a
+              colon (":") and an IP address list.</para>
+            </listitem>
+
+            <listitem>
+              <para>A comma-separated list of host or network IP addresses.
+              The list may include ip address ranges if your kernel and
+              iptables include iprange support.</para>
+            </listitem>
+          </orderedlist>
+
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+
+          <para>Addresses may be specified using an ipset name preceded by
+          '+'.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTO</emphasis> - {<emphasis
+        role="bold">-</emphasis>|<emphasis
+        role="bold">tcp:syn</emphasis>|<emphasis
+        role="bold">ipp2p</emphasis>|<emphasis
+        role="bold">ipp2p:udp</emphasis>|<emphasis
+        role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
+        role="bold">all}</emphasis></term>
+
+        <listitem>
+          <para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
+          ipp2p match support in your kernel and iptables.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PORT(S)</emphasis> (Optional) - [<emphasis
+        role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
+
+        <listitem>
+          <para>Destination Ports. A comma-separated list of Port names (from
+          services(5)), <emphasis>port number</emphasis>s or <emphasis>port
+          range</emphasis>s; if the protocol is <emphasis
+          role="bold">icmp</emphasis>, this column is interpreted as the
+          destination icmp-type(s). ICMP types may be specified as a numeric
+          type, a numberic type and code separated by a slash (e.g., 3/4), or
+          a typename. See <ulink
+          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
+
+          <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
+          this column is interpreted as an ipp2p option without the leading
+          "--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
+          If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
+          assumed.</para>
+
+          <para>This column is ignored if PROTOCOL = all but must be entered
+          if any of the following field is supplied. In that case, it is
+          suggested that this field contain "-"</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
+        [<emphasis
+        role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
+        role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>
+
+        <listitem>
+          <para>Source port(s). If omitted, any source port is acceptable.
+          Specified as a comma-separated list of port names, port numbers or
+          port ranges.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
+        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
+
+        <listitem>
+          <para>This column may only be non-empty if the SOURCE is the
+          firewall itself.</para>
+
+          <para>When this column is non-empty, the rule applies only if the
+          program generating the output is running under the effective
+          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
+          specified (or is NOT running under that id if "!" is given).</para>
+
+          <para>Examples:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>joe</term>
+
+              <listitem>
+                <para>program must be run by joe</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>:kids</term>
+
+              <listitem>
+                <para>program must be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>!:kids</term>
+
+              <listitem>
+                <para>program must not be run by a member of the 'kids'
+                group</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">MARK</emphasis> - [<emphasis
+        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
+        role="bold">:C</emphasis>]</term>
+
+        <listitem>
+          <para>Defines a test on the existing packet or connection mark. The
+          rule will match only if the test returns true.</para>
+
+          <para>If you don't want to define a test but need to specify
+          anything in the following columns, place a "-" in this field.</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>!</term>
+
+              <listitem>
+                <para>Inverts the test (not equal)</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>value</emphasis></term>
+
+              <listitem>
+                <para>Value of the packet or connection mark.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis>mask</emphasis></term>
+
+              <listitem>
+                <para>A mask to be applied to the mark before testing.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">:C</emphasis></term>
+
+              <listitem>
+                <para>Designates a connection mark. If omitted, the packet
+                mark's value is tested.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>EXAMPLE</title>
+
+    <para>Mark the first incoming packet of a connection on the loopback
+    interface and destined for address 127.0.0.1 and tcp port 3306 with
+    context system_u:object_r:mysqld_t:s0 and save that context in the
+    conntrack table. On subsequent input packets in the connection, set the
+    context from the conntrack table.</para>
+
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>#ZONE      INTERFACE      BROADCAST       OPTIONS
+-          lo             -               ignore</programlisting>
+
+    <para><filename>/etc/shorewall/secmarks</filename>:</para>
+
+    <programlisting>#SECMARK                              CHAIN:     SOURCE  DEST       PROTO   DEST       SOURCE      USER/     MARK
+#                                     STATE                                 PORT(S)    PORT(S)     GROUP
+system_u:object_r:mysqld_packet_t:s0  I:N        lo      127.0.0.1  tcp     3306
+SAVE                                  I:N        lo      127.0.0.1  tcp     3306
+RESTORE                               I:ER</programlisting>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/secmarks</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="http://james-morris.livejournal.com/11010.html">http://james-morris.livejournal.com/11010.html</ulink></para>
+
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/manpages/shorewall-tcclasses.xml
+++ b/manpages/shorewall-tcclasses.xml
@@ -504,7 +504,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-tcdevices.xml
+++ b/manpages/shorewall-tcdevices.xml
@@ -223,7 +223,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-tcfilters.xml
+++ b/manpages/shorewall-tcfilters.xml
@@ -208,7 +208,7 @@
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
    shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-tcinterfaces.xml
+++ b/manpages/shorewall-tcinterfaces.xml
@@ -80,6 +80,22 @@
              <para>Bytes per second.</para>
            </listitem>
          </varlistentry>
+
+          <varlistentry>
+            <term>k or kb</term>
+
+            <listitem>
+              <para>Kilo bytes.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>m or mb</term>
+
+            <listitem>
+              <para>Megabytes.</para>
+            </listitem>
+          </varlistentry>
        </variablelist>
      </listitem>

@@ -123,7 +139,8 @@
      </varlistentry>

      <varlistentry>
-        <term>IN-BANDWIDTH - [<replaceable>rate</replaceable>]</term>
+        <term>IN-BANDWIDTH -
+        [<replaceable>rate</replaceable>[:<replaceable>burst</replaceable>]]</term>

        <listitem>
          <para>Optional. If specified, enables ingress policing on the
@@ -140,6 +157,34 @@
          firewall to the upstream router as you gradually increase the
          setting.The optimal setting is at the point beyond which the ping
          time increases sharply as you increase the setting.</para>
+
+          <para>The <replaceable>burst</replaceable> option was added in
+          Shorewall 4.4.13. If not supplied, 10kb is assumed. A larger
+          <replaceable>burst</replaceable> size can help make the
+          <replaceable>rate</replaceable> estimate more accurate on fast
+          lines. The default <replaceable>burst</replaceable> often make the
+          enforced rate mush less that the specified
+          <replaceable>rate</replaceable>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>OUT-BANDWIDTH -
+        [<replaceable>rate</replaceable>[:[<replaceable>burst</replaceable>][:[<replaceable>latency</replaceable>][:[<replaceable>peek</replaceable>][:[<replaceable>minburst</replaceable>]]]]]]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.13. The terms are defined in
+          tc-tbf(8).</para>
+
+          <para>Shorewall provides defaults as follows:</para>
+
+          <simplelist>
+            <member><replaceable>burst</replaceable> - 10kb</member>
+
+            <member><replaceable>latency</replaceable> - 200ms</member>
+          </simplelist>
+
+          <para>The remaining options are defaulted by tc(8).</para>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -154,13 +199,16 @@
  <refsect1>
    <title>See ALSO</title>

+    <para><ulink
+    url="http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-tcpri(5), shorewall-tcrules(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-secmarks(5), shorewall-tcpri(5), shorewall-tcrules(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-tcpri.xml
+++ b/manpages/shorewall-tcpri.xml
@@ -153,7 +153,7 @@
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@@ -58,7 +58,8 @@
        role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
        role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
        role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
-        role="bold">CP</emphasis>|<emphasis role="bold">CT</emphasis>}]</term>
+        role="bold">CP</emphasis>|<emphasis
+        role="bold">CT</emphasis>|I:CI}]</term>

        <listitem>
          <para>May assume one of the following values.</para>
@@ -83,12 +84,14 @@
              or <emphasis role="bold">:T</emphasis> where<emphasis
              role="bold"> :P</emphasis> indicates that marking should occur
              in the PREROUTING chain, <emphasis role="bold">:F</emphasis>
-              indicates that marking should occur in the FORWARD chain and
-              <emphasis role="bold">:T</emphasis> indicates that marking
-              should occur in the POSTROUTING chain. If neither <emphasis
-              role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
-              nor <emphasis role="bold">:T</emphasis> follow the mark value
-              then the chain is determined as follows:</para>
+              indicates that marking should occur in the FORWARD chain, :I
+              indicates that marking should occur in the INPUT chain (added in
+              Shorewall 4.4.13), and <emphasis role="bold">:T</emphasis>
+              indicates that marking should occur in the POSTROUTING chain. If
+              neither <emphasis role="bold">:P</emphasis>, <emphasis
+              role="bold">:F</emphasis> nor <emphasis
+              role="bold">:T</emphasis> follow the mark value then the chain
+              is determined as follows:</para>

              <para>- If the SOURCE is <emphasis
              role="bold">$FW</emphasis>[<emphasis
@@ -444,7 +447,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>

      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> - {<emphasis
-        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|[<emphasis>interface</emphasis>:]<emphasis>address-or-range</emphasis>[<emphasis
+        role="bold">-</emphasis>|{<emphasis>interface</emphasis>|$FW}|[<emphasis>{interface</emphasis>|$FW}:]<emphasis>address-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>address-or-range</emphasis>]...}[<emphasis>exclusion</emphasis>]</term>

        <listitem>
@@ -465,6 +468,12 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              The list may include ip address ranges if your kernel and
              iptables include iprange support.</para>
            </listitem>
+
+            <listitem>
+              <para>Beginning with Shorewall 4.4.13, $FW may be specified by
+              itself or qualified by an address list. This causes marking to
+              occur in the INPUT chain.</para>
+            </listitem>
          </orderedlist>

          <para>You may exclude certain hosts from the set already defined
@@ -801,7 +810,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
    shorewall-proxyarp(5), shorewall-route_rules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-template.xml
+++ b/manpages/shorewall-template.xml
@@ -56,7 +56,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-tos.xml
+++ b/manpages/shorewall-tos.xml
@@ -164,7 +164,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-tunnels.xml
+++ b/manpages/shorewall-tunnels.xml
@@ -279,7 +279,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-vardir.xml
+++ b/manpages/shorewall-vardir.xml
@@ -58,7 +58,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-zones.xml
+++ b/manpages/shorewall-zones.xml
@@ -200,6 +200,30 @@ c:a,b     ipv4</programlisting>
          <option>ipsec</option> zones.</para>

          <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">blacklist</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.13. May not be specified for
+                <emphasis role="bold">firewall</emphasis> or <emphasis
+                role="bold">vserver</emphasis> zones.</para>
+
+                <para>When specified in the IN_OPTIONS column, causes all
+                traffic from this zone to be passed against the <emphasis
+                role="bold">src</emphasis> entries in s<ulink
+                url="shorewall-blacklist.html">horewall-blacklist</ulink>(5).</para>
+
+                <para>When specified in the OUT_OPTIONS column, causes all
+                traffic to this zone to be passed against the <emphasis
+                role="bold">dst</emphasis> entries in s<ulink
+                url="shorewall-blacklist.html">horewall-blacklist</ulink>(5).</para>
+
+                <para>Specifying this option in the OPTIONS column is
+                equivalent to entering it in both of the IN_OPTIONS and
+                OUT_OPTIONS column.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
@@ -319,7 +343,8 @@ c:a,b     ipv4</programlisting>
    shorewall-nesting(8), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5)</para>
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall.xml
+++ b/manpages/shorewall.xml
@@ -1484,7 +1484,7 @@
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages6/shorewall6-accounting.xml
+++ b/manpages6/shorewall6-accounting.xml
@@ -35,7 +35,7 @@
        <term><emphasis role="bold">ACTION</emphasis> - {<emphasis
        role="bold">COUNT</emphasis>|<emphasis
        role="bold">DONE</emphasis>|<emphasis>chain</emphasis>[:<emphasis
-        role="bold">COUNT</emphasis>]|COMMENT}</term>
+        role="bold">{COUNT|JUMP}</emphasis>]|COMMENT}</term>

        <listitem>
          <para>What to do when a matching packet is found.</para>
@@ -76,6 +76,15 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis>chain</emphasis>:JUMP</term>
+
+              <listitem>
+                <para>Like the previous option without the <emphasis
+                role="bold">:COUNT</emphasis> part.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>COMMENT</term>

@@ -473,8 +482,8 @@
    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
-    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
-    shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6/shorewall6-actions.xml
+++ b/manpages6/shorewall6-actions.xml
@@ -53,7 +53,7 @@
    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
    shorewall6-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages6/shorewall6-blacklist.xml
+++ b/manpages6/shorewall6-blacklist.xml
@@ -75,25 +75,51 @@
      </varlistentry>

      <varlistentry>
-        <term>OPTIONS (Optional - Added in Shorewall 4.4.12) -
-        {-|to|from|}</term>
+        <term>OPTIONS (Optional - Added in 4.4.12) -
+        {-|{dst|src}[,...]}</term>

        <listitem>
-          <para>If specified, indicates whether traffic <option>to</option> or
-          <option>from</option> the ADDRESS/SUBNET should be blacklisted. The
-          default is <emphasis role="bold">from</emphasis>. If the
-          ADDRESS/SUBNET column is empty, then this column has no effect on
-          the generated rule.</para>
+          <para>If specified, indicates whether traffic
+          <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
+          role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
+          ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
+          blacklisted. The default is <emphasis role="bold">src</emphasis>. If
+          the ADDRESS/SUBNET column is empty, then this column has no effect
+          on the generated rule.</para>

          <note>
-            <para>Blacklisting is still restricted to traffic
-            <emphasis>arriving</emphasis> on an interface that has the
-            'blacklist' option set. So to block traffic from your local
-            network to an internet host, you must specify
+            <para>In Shorewall 4.4.12, the keywords from and to were used in
+            place of src and dst respectively. Blacklisting was still
+            restricted to traffic <emphasis>arriving</emphasis> on an
+            interface that has the 'blacklist' option set. So to block traffic
+            from your local network to an internet host, you had to specify
            <option>blacklist</option> on your internal interface in <ulink
            url="shorewall6-interfaces.html">shorewall6-interfaces</ulink>
            (5).</para>
          </note>
+
+          <note>
+            <para>Beginning with Shorewall 4.4.13, entries are applied based
+            on the <emphasis role="bold">blacklist</emphasis> setting in
+            <ulink
+            url="shorewall-zones.html">shorewall6-zones</ulink>(5):</para>
+
+            <orderedlist>
+              <listitem>
+                <para>'blacklist' in the OPTIONS or IN_OPTIONS column. Traffic
+                from this zone is passed against the entries in this file that
+                have the <emphasis role="bold">src</emphasis> option
+                (specified or defaulted).</para>
+              </listitem>
+
+              <listitem>
+                <para>'blacklist' in the OPTIONS or OUT_OPTIONS column.
+                Trafficto this zone is passed against the entries in this file
+                that have the <emphasis role="bold">dst</emphasis>
+                option.</para>
+              </listitem>
+            </orderedlist>
+          </note>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -158,8 +184,8 @@
    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
-    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
-    shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6/shorewall6-exclusion.xml
+++ b/manpages6/shorewall6-exclusion.xml
@@ -105,7 +105,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
    shorewall6-providers(5), shorewall6-route_rules(5),
-    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
    shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/manpages6/shorewall6-hosts.xml
+++ b/manpages6/shorewall6-hosts.xml
@@ -83,7 +83,8 @@
            <listitem>
              <para>An IP address range of the form
              <emphasis>low.address</emphasis>-<emphasis>high.address</emphasis>.
-              Your kernel and ip6tables must have iprange match support.</para>
+              Your kernel and ip6tables must have iprange match
+              support.</para>
            </listitem>

            <listitem>
@@ -126,8 +127,15 @@
              <term><emphasis role="bold">blacklist</emphasis></term>

              <listitem>
-                <para>This option only makes sense for ports on a
-                bridge.</para>
+                <para>This option only makes sense for ports on a bridge. As
+                of Shorewall 4.4.13, its is ignored with a warning
+                message:</para>
+
+                <blockquote>
+                  <para><emphasis role="bold">WARNING: The "blacklist" host
+                  option is no longer supported and will be
+                  ignored.</emphasis></para>
+                </blockquote>

                <para>Check packets arriving on this port against the <ulink
                url="shorewall-blacklist.html">shorewall6-blacklist</ulink>(5)
@@ -178,8 +186,8 @@
    shorewall6-blacklist(5), shorewall6-interfaces(5), shorewall6-maclist(5),
    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
-    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
-    shorewall6-tunnels(5), shorewall-zones(5)</para>
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6/shorewall6-interfaces.xml
+++ b/manpages6/shorewall6-interfaces.xml
@@ -122,6 +122,29 @@ loc     eth2            -</programlisting>
                <ulink
                url="shorewall6-blacklist.html">shorewall6-blacklist</ulink>(5)
                file.</para>
+
+                <para>Beginning with Shorewall 4.4.13:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>If a <replaceable>zone</replaceable> is given in the
+                    ZONES column, then the behavior is as if <emphasis
+                    role="bold">blacklist</emphasis> had been specified in the
+                    IN_OPTIONS column of <ulink
+                    url="shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Otherwise, the option is ignored with a
+                    warning:</para>
+
+                    <blockquote>
+                      <para><emphasis role="bold">WARNING: The 'blacklist'
+                      option is ignored on mult-zone
+                      interfaces</emphasis></para>
+                    </blockquote>
+                  </listitem>
+                </itemizedlist>
              </listitem>
            </varlistentry>

@@ -359,8 +382,8 @@ dmz     eth2      -</programlisting>
    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-maclist(5),
    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
-    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
-    shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
+    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
+    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6/shorewall6-maclist.xml
+++ b/manpages6/shorewall6-maclist.xml
@@ -105,7 +105,7 @@
    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
    shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
    shorewall6-tunnels(5), shorewall6-zones(5)</para>
  </refsect1>
--- a/manpages6/shorewall6-modules.xml
+++ b/manpages6/shorewall6-modules.xml
@@ -18,14 +18,23 @@
    <cmdsynopsis>
      <command>/usr/share/shorewall6/modules</command>
    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>/usr/share/shorewall6/helpers</command>
+    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

-    <para>This file specifies which kernel modules shorewall6 will load before
-    trying to determine your ip6tables/kernel's capabilities. Each record in
-    the file has the following format:</para>
+    <para>These files specify which kernel modules shorewall6 will load before
+    trying to determine your ip6tables/kernel's capabilities. The
+    <filename>modules</filename> file is used when LOAD_HELPERS_ONLY=No in
+    <ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(8); the
+    <filename>helpers</filename> file is used when
+    LOAD_HELPERS_ONLY=Yes.</para>
+
+    <para>Each record in the files has the following format:</para>

    <cmdsynopsis>
      <command>loadmodule</command>
@@ -45,7 +54,8 @@

    <para>The /usr/share/shorewall6/modules file contains a large number of
    modules. Users are encouraged to copy the file to /etc/shorewall6/modules
-    and modify the copy to load only the modules required.<note>
+    and modify the copy to load only the modules required or use
+    LOAD_HELPERS_ONLY=Yes.<note>
        <para>If you build monolithic kernels and have not installed
        module-init-tools, then create an empty /etc/shorewall6/modules file;
        that will prevent shorewall6 from trying to load modules at
@@ -64,7 +74,11 @@

    <para>/usr/share/shorewall6/modules</para>

+    <para>/usr/share/shorewall6/helpers</para>
+
    <para>/etc/shorewall6/modules</para>
+
+    <para>/etc/shorewall6/helpers</para>
  </refsect1>

  <refsect1>
@@ -75,7 +89,8 @@
    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
    shorewall6-providers(5), shorewall6-route_rules(5),
    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6/shorewall6-nesting.xml
+++ b/manpages6/shorewall6-nesting.xml
@@ -111,7 +111,7 @@
    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
    shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
    shorewall6-providers(5), shorewall6-route_rules(5),
-    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
  </refsect1>
--- a/manpages6/shorewall6-notrack.xml
+++ b/manpages6/shorewall6-notrack.xml
@@ -134,7 +134,7 @@
    shorewall6-ipsec(5), shorewall6-params(5), shorewall6-policy(5),
    shorewall6-providers(5), shorewall6-proxyarp(5),
    shorewall6-route_rules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
+    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
    shorewall6-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	a258de3c9d	Update known problems Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-21 07:50:13 -07:00
Tom Eastep	a796623dde	Rename DESTIFAC_DISALLOW -> DESTIFACE_DISALLOW Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-20 09:40:31 -07:00
Tom Eastep	f6f840bebf	Misc cleanup for 4.4.13 1. Replace statement with equivalent function call in promote_blacklist_rules() 2. Bump version of Tunnels.pm 3. Fix typo in comment in Zones.pm Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-20 08:15:24 -07:00
Tom Eastep	59905e8744	Set version to 4.4.13	2010-09-20 07:25:33 -07:00
Tom Eastep	7d2f6379e0	Document fix for '*' in interface names. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-19 15:19:48 -07:00
Tom Eastep	8bdd9828fd	Don't allow '*' in interface names	2010-09-19 15:13:54 -07:00
Tom Eastep	c7fc4ce1f5	Correct order of release note entries	2010-09-19 12:54:54 -07:00
Tom Eastep	35a686eaa1	Add delete_reference() function. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-19 08:28:29 -07:00
Tom Eastep	9ba82bec1f	Add warning about redundant 'blacklist' option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-19 08:28:05 -07:00
Tom Eastep	e06ca34298	Add redundancy warning re 'blacklst'	2010-09-19 08:03:01 -07:00
Tom Eastep	b3d6ae78ba	Add redundancy warning re 'blacklst'	2010-09-19 07:57:36 -07:00
Tom Eastep	940ccf2c34	Document for tcfilter port ranges Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-18 15:11:41 -07:00
Tom Eastep	c0382b8cb9	Adjust reference count in move rules. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-18 15:11:17 -07:00
Tom Eastep	ce9b5ee944	Make blacklist rule promotion much more effecient. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-18 13:35:24 -07:00
Tom Eastep	74abd4ad54	In copy_rules(), handle the unlikely case where both chains have blacklist jumps. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-18 12:26:07 -07:00
Tom Eastep	f7db24f756	Merge branch '4.4.13' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-18 09:29:50 -07:00
Tom Eastep	f25b9e1967	Allow :<port> in tcfilters Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-18 09:26:29 -07:00
Tom Eastep	0e9c704069	Don't scan the filter table for jumps to 'blacklst' if the 'blacklst' chain does not exist Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-18 08:42:21 -07:00
Tom Eastep	c3299d5f89	Enable blacklist rule promotion Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-18 08:38:22 -07:00
Tom Eastep	6f0893cd7a	Correct Chains::promote_blacklist_rules() - Interate through chains that jump to 'blacklst' until no rule is promoted This is required to promote jumps past exclusion chains - Correct reference counting; the first cut was horribly wrong Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-18 08:38:14 -07:00
Tom Eastep	c040344bc1	Promote 'in' blacklist rules to the head of the interface chain - Added Chains::promote_blacklist_rules() - Called the function from Rules::generate_matrix() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-18 08:38:02 -07:00
Tom Eastep	2fa16f6d08	Enable blacklist rule promotion Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-18 08:36:59 -07:00
Tom Eastep	578fc6c521	Correct Chains::promote_blacklist_rules() - Interate through chains that jump to 'blacklst' until no rule is promoted This is required to promote jumps past exclusion chains - Correct reference counting; the first cut was horribly wrong Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-18 08:36:35 -07:00
Tom Eastep	fd6ff1849a	Promote 'in' blacklist rules to the head of the interface chain - Added Chains::promote_blacklist_rules() - Called the function from Rules::generate_matrix() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-18 07:37:42 -07:00
Tom Eastep	801c1cb6b3	Update release docs	2010-09-17 17:44:05 -07:00
Tom Eastep	fd568ece47	Clear raw table on 'clear'	2010-09-17 17:43:57 -07:00
Tom Eastep	1588c700c5	Fix blacklisting vs vservers	2010-09-17 17:43:40 -07:00
Tom Eastep	6106dd3ada	Zero out {frozen} in a deleted chain entry	2010-09-17 17:43:04 -07:00
Tom Eastep	9946fbd3b5	Update release docs	2010-09-17 17:37:07 -07:00
Tom Eastep	580c561a51	Clear raw table on 'clear'	2010-09-17 17:12:34 -07:00
Tom Eastep	a42576aef8	Fix blacklisting vs vservers	2010-09-17 16:38:34 -07:00
Tom Eastep	79bb47582a	Zero out {frozen} in a deleted chain entry	2010-09-17 16:00:36 -07:00
Tom Eastep	596d207dfc	Simplify a test Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-17 15:43:56 -07:00
Tom Eastep	8cdbe5f88d	Fix an optimization bug with the new blacklisting code	2010-09-17 15:43:47 -07:00
Tom Eastep	402b3b929e	Restore trace output in move_rules() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-17 15:43:03 -07:00
Tom Eastep	c5bb3ecfac	Simplify a test Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-17 15:42:05 -07:00
Tom Eastep	c9e876fcf5	Fix an optimization bug with the new blacklisting code	2010-09-17 15:10:02 -07:00
Tom Eastep	85430e459c	Restore trace output in move_rules() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-17 14:35:25 -07:00
Tom Eastep	ad660d7fe5	Simplify move_rules()	2010-09-17 13:53:10 -07:00
Tom Eastep	3d0f8e962e	Simplify move_rules()	2010-09-17 13:49:32 -07:00
Tom Eastep	7a6943fa54	Disallow mss and blacklist on firewall and vserver zones	2010-09-17 12:54:58 -07:00
Tom Eastep	b76ee408a5	Emit clearer error messages	2010-09-17 12:54:54 -07:00
Tom Eastep	2e3635ff50	Be sure that {frozen} is defined	2010-09-17 12:54:44 -07:00
Tom Eastep	28aa7b8267	Re-add OPTIONS column to blacklist templates	2010-09-17 12:54:38 -07:00
Tom Eastep	ab78aac3a4	Disallow mss and blacklist on firewall and vserver zones	2010-09-17 12:46:38 -07:00
Tom Eastep	330afe1701	Emit clearer error messages	2010-09-17 12:35:34 -07:00
Tom Eastep	239b4a2356	Be sure that {frozen} is defined	2010-09-17 12:08:48 -07:00
Tom Eastep	65de1e4e6e	Re-add OPTIONS column to blacklist templates	2010-09-17 11:56:47 -07:00
Tom Eastep	7175f8a63e	Revert versions on Rules and Zones modules	2010-09-17 11:08:45 -07:00
Tom Eastep	d898c87617	Eliminate a parameter to add_jump()	2010-09-17 11:08:12 -07:00
Tom Eastep	07930fc535	Revert versions on Rules and Zones modules	2010-09-17 11:06:32 -07:00
Tom Eastep	5357f4c347	Eliminate a parameter to add_jump()	2010-09-17 11:05:35 -07:00
Tom Eastep	c7373ada46	Add advice about SAVE/RESTORE	2010-09-17 09:22:48 -07:00
Tom Eastep	af24baaecd	Update version to RC1 (one more time)	2010-09-17 09:14:56 -07:00
Tom Eastep	e61230a3db	Update version to Beta 6 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-17 08:23:24 -07:00
Tom Eastep	8e2c8e5a8f	Document use of state match for NOTRACK Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-17 08:21:16 -07:00
Tom Eastep	882970a598	Use state match for UNTRACKED	2010-09-17 07:58:21 -07:00
Tom Eastep	2ce3c8aa88	Ensure that blacklist rules are before the other interface-oriented rules	2010-09-16 18:19:16 -07:00
Tom Eastep	27c445381e	Treat 'blacklist' uniformly in hosts and zones	2010-09-16 15:48:12 -07:00
Tom Eastep	67b9ae0d2c	Update release documents	2010-09-16 15:47:05 -07:00
Tom Eastep	1c870b532a	Preserve dynamic blacklist during stop/clear/restore	2010-09-16 12:17:04 -07:00
Tom Eastep	44665775b2	Documentation corrections to the blacklist files	2010-09-16 09:46:46 -07:00
Tom Eastep	a8c9fc1859	Implement new Blacklisting Scheme	2010-09-16 09:40:28 -07:00
Tom Eastep	3c1cff0794	First steps toward zone-based blacklisting	2010-09-16 06:55:48 -07:00
Tom Eastep	1d650b41cd	Remove blacklisting by destination IP address support Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-15 15:24:58 -07:00
Tom Eastep	bea4ce4ca6	Add tc-tbf link to tcinterfaces manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-15 14:07:42 -07:00
Tom Eastep	3ad3f0d9e0	Allow floating point numbers in tcinterfaces fields other than <rate> Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-15 14:07:21 -07:00
Tom Eastep	ba89ec39b5	Add :<burst> to /etc/shorewall/tcdevices	2010-09-15 11:56:14 -07:00
Tom Eastep	69a2fa1907	Replace to/from with dst/src	2010-09-15 11:25:46 -07:00
Tom Eastep	8147671eb2	Document JUMP	2010-09-15 09:49:37 -07:00
Tom Eastep	f925b335ef	Ignore the 'blacklist' host option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-15 08:10:57 -07:00
Tom Eastep	373fc87165	More blacklisting wrapup - Deprecate 'blacklist' in the hosts file - Base blacklisting on interfaces alone Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-15 07:38:20 -07:00
Tom Eastep	4d0e8d129b	Add dup blacklist message	2010-09-14 18:04:27 -07:00
Tom Eastep	10a9ae496a	More manpage updates for 4.4.13	2010-09-14 16:47:45 -07:00
Tom Eastep	94cdc73ec2	Restore setpolicy() to prog.header* Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-14 13:50:22 -07:00
Tom Eastep	c4a40d8c7b	Set version to RC1 (again)	2010-09-14 13:09:50 -07:00
Tom Eastep	2ff06f5f0a	Update simple TC doc	2010-09-14 07:59:01 -07:00
Tom Eastep	c6960f1ac2	Edit release notes	2010-09-14 07:36:29 -07:00
Tom Eastep	1f2691b052	Another fix for blacklisting; correct composition of $hosts1	2010-09-14 06:47:29 -07:00
Tom Eastep	0f913fca2f	Don't create blackout unnecessarily	2010-09-13 18:15:50 -07:00
Tom Eastep	82bccf16b5	Avoid internal error when there are no 'to' entries	2010-09-13 17:55:20 -07:00
Tom Eastep	bb38ed16b0	Document ipset creation fix	2010-09-13 15:54:44 -07:00
Tom Eastep	b1e9bff382	Create new ipsets on 'start'	2010-09-13 15:46:04 -07:00
Tom Eastep	a6194fabd2	Delete blank line	2010-09-13 14:15:47 -07:00
Tom Eastep	33adbe7a27	Update documentation for net TC features	2010-09-13 13:51:25 -07:00
Tom Eastep	3f93ebdda8	Update blacklist manpages	2010-09-13 13:23:32 -07:00
Tom Eastep	1729da87f1	Allow both 'to' and 'from' in blacklist	2010-09-13 12:51:10 -07:00
Tom Eastep	9b4c3e22dd	Allow floating point numbers in TC rates	2010-09-13 12:50:50 -07:00
Tom Eastep	cb1f7adea3	Add :<burst> to IN-BANDWIDTH	2010-09-13 11:23:37 -07:00
Tom Eastep	283eda2fa5	Cosmetic change to OUT-BANDWIDTH code	2010-09-12 16:33:19 -07:00
Tom Eastep	bd9041306c	Add undocumented OUT-BANDWIDTH column to tcinterfaces	2010-09-12 16:25:45 -07:00
Tom Eastep	a3b7b9c11b	Delete unused functions from prog.header* Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-12 10:07:26 -07:00
Tom Eastep	52592b4cfb	Remove prog.*6 during installation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-12 10:07:07 -07:00
Tom Eastep	47ad42659c	Mention ipsets in the secmarks manpage	2010-09-12 08:12:41 -07:00
Tom Eastep	9f786b7c59	Delete mention of triggers in ipset doc Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-12 08:01:54 -07:00
Tom Eastep	b937290740	Add version cautions to blacklisting doc Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-12 07:58:13 -07:00
Tom Eastep	931c5a8d0a	Add an assertion	2010-09-11 16:24:27 -07:00
Tom Eastep	50fc972d2a	Fix another SAME defect :-(	2010-09-11 16:15:09 -07:00
Tom Eastep	512cd7b08e	Bump version to 4.4.13 RC 1	2010-09-11 15:46:14 -07:00
Tom Eastep	aad7b70e18	Rename constant	2010-09-11 15:31:43 -07:00
Tom Eastep	c6c6503d83	Clean up a remaining issue with SAME	2010-09-11 15:24:01 -07:00
Tom Eastep	f004916055	Disallow a DEST interface in mangle OUTPUT rules	2010-09-11 14:10:05 -07:00
Tom Eastep	3ea7808b38	Disallow a DEST interface in mangle PREROUTING rules	2010-09-11 14:02:09 -07:00
Tom Eastep	37a5a01185	Correct INPUT marking documentation	2010-09-11 12:47:32 -07:00
Tom Eastep	e93a7fe9df	Avoid recent problems by not padding $target in process_tc_rule()	2010-09-11 11:03:28 -07:00
Tom Eastep	d9ced1051a	One more fix for SAME	2010-09-11 10:35:45 -07:00
Tom Eastep	367fc041b8	Correct handling of SAME -- Take 2 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-11 09:36:19 -07:00
Tom Eastep	83ae6d6eba	Document fix for 'SAME' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-11 09:04:42 -07:00
Tom Eastep	dbc9f6ac8f	Correct handling of SAME Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-11 08:56:22 -07:00
Tom Eastep	05b6947aac	Document fix for ipset invocation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-11 08:55:35 -07:00
Tom Eastep	8dd42c9e19	Correct handling of dst/src list in ipset invocation	2010-09-11 07:41:01 -07:00
Tom Eastep	99f8f84024	Fix name of F chain in secmarks	2010-09-10 16:45:22 -07:00
Tom Eastep	69817007bf	Some more fixes for blacklisting	2010-09-09 14:53:12 -07:00
Tom Eastep	50300a60b7	A number of corrections to split blacklisting. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-09 11:20:49 -07:00
Tom Eastep	64544f4ab5	Correct comparison in 'blacklist' handling	2010-09-09 10:22:48 -07:00
Tom Eastep	cd4b5d80ed	Reduce patch footprint by two lines	2010-09-09 09:00:28 -07:00
Tom Eastep	df1e17eaa8	Re-enable 'blacklist' on bridge ports	2010-09-09 07:09:08 -07:00
Tom Eastep	7e8979157c	Update Features Page re: Virtualization Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-08 15:47:23 -07:00
Tom Eastep	2cb5aaeb07	Correct interface reference	2010-09-08 13:12:19 -07:00
Tom Eastep	a4606bee80	Pretty up Network Diagram -- exchange caption location	2010-09-08 12:57:35 -07:00
Tom Eastep	bbe5dae9b0	Pretty up Network Diagram some more	2010-09-08 12:44:40 -07:00
Tom Eastep	0907a7b6c2	Pretty up Network Diagram	2010-09-08 12:38:14 -07:00
Tom Eastep	7f72d66b90	A couple of documentation updates	2010-09-08 11:55:16 -07:00
Tom Eastep	b091169ed9	Remove deprecated syntax from examples	2010-09-08 06:04:57 -07:00
Tom Eastep	828d190436	Change example	2010-09-07 19:14:43 -07:00
Tom Eastep	8853de0c2e	Fix links to secmark manpages	2010-09-07 15:03:05 -07:00
Tom Eastep	46bbb26b6b	Tweak secmarks example to use ESTABLISHED,RELATED	2010-09-07 13:59:33 -07:00
Tom Eastep	ee83b7f022	Add link to James Morris blog re SECMARK	2010-09-07 13:52:43 -07:00
Tom Eastep	ab87d8800a	List secmarks as SEE ALSO	2010-09-07 12:27:39 -07:00
Tom Eastep	7dbd994f51	Update installers for secmarks	2010-09-07 07:56:11 -07:00
Tom Eastep	8d63e04926	Yet more docunentation updates	2010-09-06 20:37:34 -07:00
Tom Eastep	50b4bd8dfe	More Blacklist and Secmark documentation updates Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-06 17:26:49 -07:00
Tom Eastep	f3255cd83a	Rework blacklisting Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-06 15:29:20 -07:00
Tom Eastep	c6f58ba924	Enhance SELinux support: - Add state match - Add user/group match - Add examples to the man pages	2010-09-06 09:06:40 -07:00
Tom Eastep	33dc8de8fb	Allow dash's in ipset names	2010-09-05 11:41:35 -07:00
Tom Eastep	23e94e136c	Allow COMMENT, SAVE and RESTORE to work correctly in secmarks Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-05 08:17:58 -07:00
Tom Eastep	629290259d	Allow secmarks without TC_ENABLED Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-05 07:49:03 -07:00
Tom Eastep	b139ff7e90	Update docs and implementation of SECMARK	2010-09-04 16:08:29 -07:00
Tom Eastep	28ff3548ff	Bump version to 4.4.13-Beta4	2010-09-04 15:30:02 -07:00
Tom Eastep	15d8d6d8b7	Add SECMARK and CONNSECMARK support	2010-09-04 15:12:08 -07:00
Tom Eastep	6caff51c98	Modify a comment are delete a silly identity assignment Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-01 11:24:19 -07:00
Tom Eastep	62fcf1ae8b	Adjust version of Raw.pm	2010-08-31 16:52:48 -07:00
Tom Eastep	dfebe5a35e	Correct error message	2010-08-31 16:33:15 -07:00
Tom Eastep	f93413b2a7	Update Multi-ISP doc for variable name change in 4.4.8. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-08-31 15:33:22 -07:00
Tom Eastep	8f94137007	Fix last change	2010-08-30 16:47:45 -07:00
Tom Eastep	1da6d51d1a	Reduce the Beta3 patch footprint by making the second arg to known_interface() optional	2010-08-30 16:43:30 -07:00
Tom Eastep	add76ed14e	Bump version to 4.4.13 Beta 3 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-08-30 12:33:10 -07:00
Tom Eastep	7f0f4516d7	Rework handle_optional_interfaces() somewhat Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-08-30 12:29:39 -07:00
Tom Eastep	8077c9e1c3	Add FAQ 91	2010-08-30 11:07:37 -07:00
Tom Eastep	c18d206726	Use a function to generate the list of interfaces with an L3 address	2010-08-29 20:13:56 -07:00
Tom Eastep	57c54af6ed	Re-implement optional interface handling Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-08-29 12:32:44 -07:00
Tom Eastep	d94f2cc86d	Insure that the mapping to base names is deterministic Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-08-29 07:28:06 -07:00
Tom Eastep	be0231578f	Insure uniqueness of chain_base mapping	2010-08-28 20:47:39 -07:00
Tom Eastep	95a09b996f	Fix test for KLUDGEFREE	2010-08-28 20:47:15 -07:00
Tom Eastep	1531ad3bcd	Re-implement interface->shell-variable mapping	2010-08-28 15:15:41 -07:00
Tom Eastep	3a36a9de4b	Fix shell-variable creation	2010-08-28 14:48:47 -07:00
Tom Eastep	d8846b92d8	Fix optional 'upnpclient' interfaces - take 2	2010-08-28 14:46:29 -07:00
Tom Eastep	a440e7023e	Fix optional 'upnpclient' interfaces	2010-08-28 14:18:48 -07:00
Tom Eastep	f45879c4f4	split_list1 removes () -- take 2	2010-08-28 13:40:44 -07:00
Tom Eastep	2a54e8cd24	split_list1 removes ()	2010-08-28 13:37:19 -07:00
Tom Eastep	c2558af9c8	Document and correct implementation of EXCLUSION_MASK 1. Require KLUDGEFREE if existing rule uses mark match 2. Pretty up the code 3. Use MASK_BITS rather than TC_BITS when calculating the offset of EXCLUSION_MASK Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-08-28 08:29:47 -07:00
Tom Eastep	c98cf8aea6	Re-implement exclusion in CONTINUE/NONAT/ACCEPT+ rules Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-08-27 10:09:42 -07:00
Tom Eastep	57bcfee559	Add 'Mark in any table' capability	2010-08-27 08:35:33 -07:00
Tom Eastep	a1cd2ba0f3	Bring 'multiple space before comment' fix forward to master Probably unneeded but better be safe Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-08-27 06:59:52 -07:00
Tom Eastep	12f48e1b97	Don't pass '-j' in target arg to expand_rule() - use the target to locate chain for reference tracking Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-08-26 10:37:07 -07:00
Tom Eastep	15fbbdaac7	Fix exclusion in blacklist Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-08-26 10:33:57 -07:00
Tom Eastep	bd8bcabdf0	Use the 'disposition' argument to expand_rule() to specify the target chain Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-08-26 08:40:24 -07:00
Tom Eastep	dc74b88445	Fix typo in release notes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-08-26 07:16:28 -07:00
Tom Eastep	75e12148ac	Bump version to Beta 2	2010-08-25 09:58:07 -07:00
Tom Eastep	4a865e0a6d	Pretty up some come	2010-08-24 13:08:21 -07:00
Tom Eastep	91c5a2f80b	Fix old ipset detection bug	2010-08-24 13:08:06 -07:00
Tom Eastep	5c49aa843c	Generate warning when a rules file entry generates no iptables-restore input Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-08-24 08:38:49 -07:00
Tom Eastep	383e792807	Restore wildcard properties to zone lists	2010-08-24 06:52:53 -07:00
Tom Eastep	5a92c3262f	Fix REQUIRE_INTERFACE=Yes	2010-08-23 17:19:41 -07:00
Tom Eastep	d74af30368	Fix zone-exclusion bug	2010-08-23 16:31:46 -07:00
Tom Eastep	8f94240e8f	Fix a couple of optimization bugs	2010-08-23 16:00:40 -07:00
Tom Eastep	160ad231df	Fix an old optimization bug	2010-08-23 15:14:09 -07:00
Tom Eastep	ec09b92c4c	Correct Release Notes	2010-08-23 12:38:58 -07:00