Compare commits

..

18 Commits

Author      SHA1        Date                        Message
Tom Eastep  fc5d80dba7  2010-06-08 15:57:45 -07:00  Remove extra logic
Tom Eastep  0b9213bc6d  2010-06-08 15:33:09 -07:00  Move ipset-load code to Chains.pm. Better there than in Compiler.pm
                                                    Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep  3adb8c29c5  2010-06-08 15:18:22 -07:00  Move save_dynamic_chains to Chains.pm where it belongs.
                                                    Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep  245d3d5574  2010-06-08 12:49:58 -07:00  Bump version of Actions.pm
                                                    Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep  1eb80541a5  2010-06-08 12:35:33 -07:00  Version to 4.4.10
Tom Eastep  96e2f38062  2010-06-08 11:37:17 -07:00  Update the UPnP document with the 4.4.10 changes.
                                                    Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep  3aebdbfc63  2010-06-08 11:37:09 -07:00  Update blacklisting doc with 4.4.10 behavior.
                                                    Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep  5413c55718  2010-06-07 14:54:57 -07:00  Another release note tweak
                                                    Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep  201476ce98  2010-06-07 14:44:55 -07:00  Tweak release notes
                                                    Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep  c1bfe7d5b8  2010-06-07 13:55:27 -07:00  More tweaks to saving/restoring dynamic chains
                                                    Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep  486bb73c02  2010-06-07 13:21:59 -07:00  Merge major changes from 4.4.11
                                                    Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep  afbb93ca8a  2010-06-07 13:16:25 -07:00  More changes having to do with dynamic chains
                                                    Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep  b591110fef  2010-06-07 13:15:52 -07:00  Much cleaner implementation of save_dynamic_chains()
                                                    Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep  a77abaf694  2010-06-07 13:13:25 -07:00  Make dynamic chain saving work with IPv6
                                                    Also, use hidden files to save the chain contents.
                                                    Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep  0d101799ec  2010-06-07 13:13:04 -07:00  Purge saved dynamic blacklist if the chain doesn't exist
Tom Eastep  4a2f08edef  2010-06-07 13:12:49 -07:00  Retain UPnP and dynamic blacklist over 'restart'
Tom Eastep  2578b2c7cb  2010-06-06 13:37:56 -07:00  Pretty up heading on the release notes
                                                    Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep  a8e3b2ea7c  2010-06-06 08:25:13 -07:00  Add introduction to config file basics document
                                                    Signed-off-by: Tom Eastep <teastep@shorewall.net>
179 changed files with 1915 additions and 7575 deletions

View File

@@ -1,12 +0,0 @@
#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
- lo - ignore
net all - dhcp,physical=+,routeback,optional

View File

@@ -1,13 +0,0 @@
#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
$FW net ACCEPT
net all DROP

View File

@@ -1,17 +0,0 @@
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
SSH(ACCEPT) net $FW
Ping(ACCEPT) net $FW
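Review bot: both rules in this deleted sample, `SSH(ACCEPT) net $FW` and `Ping(ACCEPT) net $FW`, leave the RATE LIMIT column empty, so SSH from the net zone is accepted at any connection rate; for a sample that new users copy verbatim, filling the RATE LIMIT column (the column header above lists it) would give a safer starting point than unlimited acceptance.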

View File

@@ -1,213 +0,0 @@
###############################################################################
#
# Shorewall Version 4 -- /etc/shorewall/shorewall.conf
#
# For information about the settings in this file, type "man shorewall.conf"
#
# Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
# L O G G I N G
###############################################################################
LOGFILE=
STARTUP_LOG=/var/log/shorewall-init.log
LOG_VERBOSITY=2
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGLIMIT=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=Yes
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
IPTABLES=
IP=
TC=
IPSET=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
IP_FORWARDING=On
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=ko
DISABLE_IPV6=No
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
NULL_ROUTE_RFC1918=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=Yes
IMPLICIT_CONTINUE=No
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=15
EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=No
DONT_LOAD=
AUTO_COMMENT=Yes
MANGLE_ENABLED=Yes
USE_DEFAULT_RT=No
RESTORE_DEFAULT_ROUTE=Yes
AUTOMAKE=No
WIDE_TC_MARKS=Yes
TRACK_PROVIDERS=Yes
ZONE2ZONE=2
ACCOUNTING=Yes
DYNAMIC_BLACKLIST=Yes
OPTIMIZE_ACCOUNTING=No
LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=Yes
FORWARD_CLEAR_MARK=Yes
COMPLETE=Yes
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE
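Review bot: BLACKLIST_LOGLEVEL= is empty in this configuration while BLACKLIST_DISPOSITION=DROP and DYNAMIC_BLACKLIST=Yes, so packets matched by the blacklist are dropped without any log record; the other dispositions in the same file (MACLIST_LOG_LEVEL, TCP_FLAGS_LOG_LEVEL, SMURF_LOG_LEVEL) all log at info, and setting BLACKLIST_LOGLEVEL=info would keep the sample consistent and make blacklist hits visible to whoever reads the logs. LOGLIMIT= is also empty, so whatever logging is enabled here is unthrottled.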

View File

@@ -1,14 +0,0 @@
#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ip

View File

@@ -42,7 +42,9 @@ LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No LOGTAGONLY=No
LOGLIMIT= LOGRATE=
LOGBURST=
LOGALLNEW= LOGALLNEW=
@@ -68,8 +70,6 @@ TC=
IPSET= IPSET=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh
@@ -205,12 +205,6 @@ OPTIMIZE_ACCOUNTING=No
LOAD_HELPERS_ONLY=Yes LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes
COMPLETE=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################
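Review bot: the log rate-limiting variables are empty on both sides (LOGLIMIT= on the left, LOGRATE= and LOGBURST= on the right), so no throttling of firewall log messages is configured in either version of this sample; the hunk also drops PERL=, REQUIRE_INTERFACE=No and COMPLETE=No from the right-hand side, and since the identical three hunks recur in the next two files, all three sample configurations need to stay in sync with the variable names the compiler actually reads in this tree.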

View File

@@ -42,7 +42,9 @@ LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No LOGTAGONLY=No
LOGLIMIT= LOGRATE=
LOGBURST=
LOGALLNEW= LOGALLNEW=
@@ -68,8 +70,6 @@ TC=
IPSET= IPSET=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh
@@ -205,12 +205,6 @@ OPTIMIZE_ACCOUNTING=No
LOAD_HELPERS_ONLY=Yes LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes
COMPLETE=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

View File

@@ -49,7 +49,9 @@ LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No LOGTAGONLY=No
LOGLIMIT= LOGRATE=
LOGBURST=
LOGALLNEW= LOGALLNEW=
@@ -75,8 +77,6 @@ TC=
IPSET= IPSET=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh
@@ -212,12 +212,6 @@ OPTIMIZE_ACCOUNTING=No
LOAD_HELPERS_ONLY=Yes LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes
COMPLETE=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

View File

@@ -1,13 +0,0 @@
#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE INTERFACE BROADCAST OPTIONS
- lo - ignore
net all - dhcp,physical=+,routeback

View File

@@ -1,14 +0,0 @@
#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
fw net ACCEPT
net all DROP
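Review bot: the firewall zone is written as the literal `fw` in `fw net ACCEPT`, whereas the corresponding IPv4 policy file earlier in this compare uses `$FW net ACCEPT`; both resolve to the firewall zone, but using `$FW` throughout keeps the samples consistent and still works if the firewall zone is renamed in the zones file.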

View File

@@ -1,17 +0,0 @@
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
####################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ESTABLISHED
#SECTION RELATED
SECTION NEW
SSH(ACCEPT) net $FW
Ping(ACCEPT) net $FW

View File

@@ -1,168 +0,0 @@
###############################################################################
#
# Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
#
# For information about the settings in this file, type "man shorewall6.conf"
#
# Manpage also online at
# http://www.shorewall.net/manpages6/shorewall6.conf.html
###############################################################################
# S T A R T U P E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
# L O G G I N G
###############################################################################
LOGFILE=
STARTUP_LOG=/var/log/shorewall6-init.log
LOG_VERBOSITY=2
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGLIMIT=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
TCP_FLAGS_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
###############################################################################
# L O C A T I O N O F F I L E S A N D D I R E C T O R I E S
###############################################################################
IP6TABLES=
IP=
TC=
IPSET=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=
MODULESDIR=
CONFIG_PATH=/usr/share/shorewall6:/usr/share/shorewall
RESTOREFILE=
LOCKFILE=
###############################################################################
# D E F A U L T A C T I O N S / M A C R O S
###############################################################################
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"
###############################################################################
# R S H / R C P C O M M A N D S
###############################################################################
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
###############################################################################
# F I R E W A L L O P T I O N S
###############################################################################
IP_FORWARDING=Off
TC_ENABLED=No
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
MODULE_SUFFIX=ko
FASTACCEPT=Yes
IMPLICIT_CONTINUE=No
HIGH_ROUTE_MARKS=No
OPTIMIZE=15
EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=Yes
DELETE_THEN_ADD=Yes
DONT_LOAD=
AUTO_COMMENT=Yes
MANGLE_ENABLED=Yes
AUTOMAKE=No
WIDE_TC_MARKS=Yes
TRACK_PROVIDERS=Yes
ZONE2ZONE=2
ACCOUNTING=Yes
OPTIMIZE_ACCOUNTING=No
DYNAMIC_BLACKLIST=Yes
LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=Yes
FORWARD_CLEAR_MARK=Yes
COMPLETE=Yes
###############################################################################
# P A C K E T D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE

View File

@@ -1,14 +0,0 @@
#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ip

View File

@@ -40,7 +40,9 @@ LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No LOGTAGONLY=No
LOGLIMIT= LOGRATE=
LOGBURST=
LOGALLNEW= LOGALLNEW=
@@ -56,8 +58,6 @@ SMURF_LOG_LEVEL=info
IP6TABLES= IP6TABLES=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh
@@ -153,12 +153,6 @@ OPTIMIZE_ACCOUNTING=No
LOAD_HELPERS_ONLY=Yes LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes
COMPLETE=No
############################################################################## ##############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

View File

@@ -40,7 +40,9 @@ LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No LOGTAGONLY=No
LOGLIMIT= LOGRATE=
LOGBURST=
LOGALLNEW= LOGALLNEW=
@@ -56,8 +58,6 @@ SMURF_LOG_LEVEL=info
IP6TABLES= IP6TABLES=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh
@@ -153,12 +153,6 @@ OPTIMIZE_ACCOUNTING=No
LOAD_HELPERS_ONLY=Yes LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes
COMPLETE=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

View File

@@ -1,6 +1,6 @@
############################################################################### ###############################################################################
# #
# Shorewall version 4.4 - Sample shorewall.conf for one-interface configuration. # Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.
# Copyright (C) 2006 by the Shorewall Team # Copyright (C) 2006 by the Shorewall Team
# #
# This library is free software; you can redistribute it and/or # This library is free software; you can redistribute it and/or
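Review bot: the header on the right-hand side reads `Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration` while the left says `version 4.4`; the right-hand comment is stale for a 4.4-series file, and since the following hunks in this same file reference IP6TABLES=, it appears to be the shorewall6 sample, so the comment should name the correct product as well as the correct version.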
@@ -40,7 +40,9 @@ LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No LOGTAGONLY=No
LOGLIMIT= LOGRATE=
LOGBURST=
LOGALLNEW= LOGALLNEW=
@@ -56,8 +58,6 @@ SMURF_LOG_LEVEL=info
IP6TABLES= IP6TABLES=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh
@@ -153,12 +153,6 @@ OPTIMIZE_ACCOUNTING=No
LOAD_HELPERS_ONLY=Yes LOAD_HELPERS_ONLY=Yes
REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes
COMPLETE=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

View File

@@ -93,11 +93,7 @@ for PRODUCT in $PRODUCTS; do
VARDIR=/var/lib/$PRODUCT VARDIR=/var/lib/$PRODUCT
[ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
if [ -x $VARDIR/firewall ]; then if [ -x $VARDIR/firewall ]; then
( . /usr/share/$PRODUCT/lib.base $VARDIR/firewall -V0 $COMMAND $IFACE
mutex_on
${VARDIR}/firewall -V0 $COMMAND $IFACE || echo_notdone
mutex_off
)
fi fi
done done
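Review bot: on the right-hand side the firewall script is invoked directly, `$VARDIR/firewall -V0 $COMMAND $IFACE`, without the subshell on the left that sources lib.base and brackets the call with `mutex_on` / `mutex_off`, and without the `|| echo_notdone` fallback; without the mutex this interface hook can run concurrently with a shorewall command operating on the same firewall state, and a failing invocation is never reported.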

View File

@@ -84,20 +84,7 @@ shorewall_start () {
VARDIR=/var/lib/$product VARDIR=/var/lib/$product
[ -f /etc/$product/vardir ] && . /etc/$product/vardir [ -f /etc/$product/vardir ] && . /etc/$product/vardir
if [ -x ${VARDIR}/firewall ]; then if [ -x ${VARDIR}/firewall ]; then
# ${VARDIR}/firewall stop || echo_notdone
# Run in a sub-shell to avoid name collisions
#
(
. /usr/share/$product/lib.base
#
# Get mutex so the firewall state is stable
#
mutex_on
if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
${VARDIR}/firewall stop || echo_notdone
fi
mutex_off
)
fi fi
done done
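Review bot: the right-hand side reduces shorewall_start to an unconditional `${VARDIR}/firewall stop || echo_notdone`, while the left only runs stop when `${VARDIR}/firewall status` reports that the firewall is not already running, and does so under mutex_on/mutex_off so the status check and the stop cannot interleave with another shorewall command; dropping the status check means a firewall that is already up is taken to the stopped state at boot, and dropping the mutex reintroduces the race the left-hand comment ("Get mutex so the firewall state is stable") exists to prevent.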
@@ -116,11 +103,7 @@ shorewall_stop () {
VARDIR=/var/lib/$product VARDIR=/var/lib/$product
[ -f /etc/$product/vardir ] && . /etc/$product/vardir [ -f /etc/$product/vardir ] && . /etc/$product/vardir
if [ -x ${VARDIR}/firewall ]; then if [ -x ${VARDIR}/firewall ]; then
( . /usr/share/$product/lib.base ${VARDIR}/firewall clear || echo_notdone
mutex_on
${VARDIR}/firewall clear || echo_notdone
mutex_off
)
fi fi
done done

View File

@@ -55,17 +55,15 @@ fi
# Initialize the firewall # Initialize the firewall
shorewall_start () { shorewall_start () {
local PRODUCT local product
local VARDIR local vardir
echo -n "Initializing \"Shorewall-based firewalls\": " echo -n "Initializing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do for product in $PRODUCTS; do
VARDIR=/var/lib/$PRODUCT vardir=/var/lib/$product
[ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir [ -f /etc/$product/vardir ] && . /etc/$product/vardir
if [ -x ${VARDIR}/firewall ]; then if [ -x ${vardir}/firewall ]; then
if ! /sbin/$PRODUCT status > /dev/null 2>&1; then ${vardir}/firewall stop || exit 1
${VARDIR}/firewall stop || echo_notdone
fi
fi fi
done done
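Review bot: `${vardir}/firewall stop || exit 1` on the right-hand side aborts the whole init script at the first product whose stop fails, so one failing product prevents the remaining entries in $PRODUCTS from being initialized; the left-hand side continues the loop via `echo_notdone` and additionally only stops a firewall whose `/sbin/$PRODUCT status` check says it is not already running. Keeping the status check and reporting the failure rather than exiting would be the safer behaviour at boot.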
@@ -74,15 +72,15 @@ shorewall_start () {
# Clear the firewall # Clear the firewall
shorewall_stop () { shorewall_stop () {
local PRODUCT local product
local VARDIR local vardir
echo -n "Clearing \"Shorewall-based firewalls\": " echo -n "Clearing \"Shorewall-based firewalls\": "
for PRODUCT in $PRODUCTS; do for product in $PRODUCTS; do
VARDIR=/var/lib/$PRODUCT vardir=/var/lib/$PRODUCT
[ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir [ -f /etc/$product/vardir ] && . /etc/$product/vardir
if [ -x ${VARDIR}/firewall ]; then if [ -x ${vardir}/firewall ]; then
${VARDIR}/firewall clear || exit 1 ${vardir}/firewall clear || exit 1
fi fi
done done
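Review bot: `vardir=/var/lib/$PRODUCT` on the right-hand side still references the uppercase `$PRODUCT` after the loop variable was renamed to `$product` (`for product in $PRODUCTS`), so `vardir` expands to `/var/lib/` for every product and the `[ -x ${vardir}/firewall ]` test never matches, meaning shorewall_stop silently clears nothing; it should read `vardir=/var/lib/$product`, as in the shorewall_start hunk above.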

View File

@@ -23,7 +23,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.13.1 VERSION=4.4.10
usage() # $1 = exit status usage() # $1 = exit status
{ {
@@ -285,12 +285,7 @@ fi
if [ -z "$DESTDIR" ]; then if [ -z "$DESTDIR" ]; then
if [ -n "$first_install" ]; then if [ -n "$first_install" ]; then
if [ -n "$DEBIAN" ]; then if [ -n "$DEBIAN" ]; then
if [ -x /sbin/insserv ]; then ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
insserv /etc/init.d/shorewall-init
else
ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
fi
echo "Shorewall Init will start automatically at boot" echo "Shorewall Init will start automatically at boot"
else else
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
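Review bot: VERSION moves from 4.4.13.1 on the left to 4.4.10 on the right, so this compare has a base newer than its head: the right-hand side is the older tree, which is why sample files and changelog entries appear as deletions throughout. In the second hunk, the right-hand side always creates the `/etc/rcS.d/S38shorewall-init` symlink on Debian, whereas the left runs `insserv /etc/init.d/shorewall-init` when `/sbin/insserv` exists and only falls back to the symlink otherwise; a hand-made rcS.d link on an insserv-managed system can be rearranged by the next insserv run, so the left-hand logic is the one to keep.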

View File

@@ -1,6 +1,6 @@
%define name shorewall-init %define name shorewall-init
%define version 4.4.13 %define version 4.4.10
%define release 1 %define release 0base
Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall). Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
Name: %{name} Name: %{name}
@@ -99,48 +99,10 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Wed Sep 22 2010 Tom Eastep tom@shorewall.net * Tue Jun 08 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta6
* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta5
* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta4
* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta3
* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta2
* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta1
* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0base
* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0RC1
* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta4
* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta3
* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta2
* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta1
* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base - Updated to 4.4.10-0base
* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC3
* Fri Jun 04 2010 Tom Eastep tom@shorewall.net * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2 - Updated to 4.4.10-0RC2
* Thu May 27 2010 Tom Eastep tom@shorewall.net * Thu May 27 2010 Tom Eastep tom@shorewall.net
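Review bot: the two sides disagree about the `4.4.10-0base` changelog entry: the left dates it `Sat Jun 05 2010` and has no RC3 entry, while the right dates it `Tue Jun 08 2010` and lists `Updated to 4.4.10-0RC3` on `Mon Jun 07 2010`; the left's Jun 05 date for 0base precedes the Jun 07 RC3 date shown on the right, so the left-hand entry looks wrong and the 0base entry should carry a single date across the spec files.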

View File

@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.13.1 VERSION=4.4.10
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.13.1 VERSION=4.4.10
usage() # $1 = exit status usage() # $1 = exit status
{ {
@@ -354,13 +354,7 @@ if [ -z "$DESTDIR" ]; then
if [ -n "$first_install" ]; then if [ -n "$first_install" ]; then
if [ -n "$DEBIAN" ]; then if [ -n "$DEBIAN" ]; then
run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
if [ -x /sbin/insserv ]; then
insserv /etc/init.d/shorewall-lite
else
ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
fi
echo "Shorewall Lite will start automatically at boot" echo "Shorewall Lite will start automatically at boot"
else else
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
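Review bot: both sides create the rcS.d link with `ln -s` rather than `ln -sf` (the right at `ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite`, the left in its else branch), so a reinstall over an existing link fails at that step with "File exists"; the shorewall-init installer earlier in this compare uses `ln -sf` for the same step. On the right the link is also made unconditionally, without the `insserv` check the left performs.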

View File

@@ -628,12 +628,14 @@ case "$COMMAND" in
shift shift
start_command $@ start_command $@
;; ;;
stop|reset|clear) stop|clear)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
verify_firewall_script verify_firewall_script
[ -n "$nolock" ] || mutex_on run_it $g_firewall $debugging $nolock $COMMAND
run_it $g_firewall $debugging $COMMAND ;;
[ -n "$nolock" ] || mutex_off reset)
verify_firewall_script
run_it $SHOREWALL_SHELL $g_firewall $debugging $nolock $@
;; ;;
restart) restart)
shift shift
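Review bot: the new `reset)` branch on the right-hand side has no `[ $# -ne 1 ] && usage 1` guard, unlike `stop|clear)` just above it, and forwards the remaining arguments with an unquoted `$@`; if reset is meant to accept chain names, quote it as `"$@"` so each name is passed intact and document the arguments in usage(). Locking is also now delegated to the firewall script through `$nolock` instead of being taken here with mutex_on/mutex_off, so the generated firewall script must honour that flag for both `stop|clear` and `reset`.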

View File

@@ -1,6 +1,6 @@
%define name shorewall-lite %define name shorewall-lite
%define version 4.4.13 %define version 4.4.10
%define release 1 %define release 0base
Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@@ -102,48 +102,10 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Wed Sep 22 2010 Tom Eastep tom@shorewall.net * Tue Jun 08 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta6
* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta5
* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta4
* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta3
* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta2
* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta1
* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0base
* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0RC1
* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta4
* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta3
* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta2
* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta1
* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base - Updated to 4.4.10-0base
* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC3
* Fri Jun 04 2010 Tom Eastep tom@shorewall.net * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2 - Updated to 4.4.10-0RC2
* Thu May 27 2010 Tom Eastep tom@shorewall.net * Thu May 27 2010 Tom Eastep tom@shorewall.net

View File

@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.13.1 VERSION=4.4.10
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@@ -23,10 +23,10 @@
# to the name of the remote firewall corresponding to the directory. # to the name of the remote firewall corresponding to the directory.
# #
# To make the 'firewall' script, type "make". # To make the 'firewall' script, type "make".
# #
# Once the script is compiling correctly, you can install it by # Once the script is compiling correctly, you can install it by
# typing "make install". # typing "make install".
# #
################################################################################ ################################################################################
# V A R I A B L E S # V A R I A B L E S
# #
@@ -55,7 +55,7 @@ all: firewall
# #
# Only generate the capabilities file if it doesn't already exist # Only generate the capabilities file if it doesn't already exist
# #
capabilities: capabilities:
ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities" ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
scp root@$(HOST):$(LITEDIR)/capabilities . scp root@$(HOST):$(LITEDIR)/capabilities .
# #
@@ -78,5 +78,5 @@ save:
# #
# Remove generated files # Remove generated files
# #
clean: clean:
rm -f capabilities firewall firewall.conf reload rm -f capabilities firewall firewall.conf reload
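Review bot: the three hunks in this Makefile show identical text on both sides, so the change is whitespace-only; in a Makefile that matters, because the recipe lines under `capabilities:` (the `ssh` and `scp` commands) and under `clean:` (`rm -f capabilities firewall firewall.conf reload`) must be indented with a literal tab, so please confirm with a `make` run that tabs were not converted to spaces.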

View File

@@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_accounting ); our @EXPORT = qw( setup_accounting );
our @EXPORT_OK = qw( ); our @EXPORT_OK = qw( );
our $VERSION = '4.4.13'; our $VERSION = '4.4.7';
# #
# Called by the compiler to [re-]initialize this module's state # Called by the compiler to [re-]initialize this module's state
@@ -52,7 +52,7 @@ sub process_accounting_rule( ) {
our $jumpchainref; our $jumpchainref;
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File'; my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File';
if ( $action eq 'COMMENT' ) { if ( $action eq 'COMMENT' ) {
process_comment; process_comment;
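Review bot: dropping the tenth column (`$ipsec`, `split_line1 1, 10` becomes `split_line1 1, 9`) changes the accounting file format, so an existing accounting file that fills the IPSEC column is no longer read the same way by this version; the release notes and the accounting file documentation should state that the column has been removed.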
@@ -61,16 +61,6 @@ sub process_accounting_rule( ) {
our $disposition = ''; our $disposition = '';
sub reserved_chain_name($) {
$_[0] =~ /^acc(?:ount(?:ing|out)|ipsecin|ipsecout)$/;
}
sub ipsec_chain_name($) {
if ( $_[0] =~ /^accipsec(in|out)$/ ) {
$1;
}
}
sub check_chain( $ ) { sub check_chain( $ ) {
my $chainref = shift; my $chainref = shift;
fatal_error "A non-accounting chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{policy}; fatal_error "A non-accounting chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{policy};
@@ -82,11 +72,10 @@ sub process_accounting_rule( ) {
sub jump_to_chain( $ ) { sub jump_to_chain( $ ) {
my $jumpchain = $_[0]; my $jumpchain = $_[0];
fatal_error "Jumps to the $jumpchain chain are not allowed" if reserved_chain_name( $jumpchain ); $jumpchainref = ensure_accounting_chain( $jumpchain );
$jumpchainref = ensure_accounting_chain( $jumpchain, 0 );
check_chain( $jumpchainref ); check_chain( $jumpchainref );
$disposition = $jumpchain; $disposition = $jumpchain;
$jumpchain; "-j $jumpchain";
} }
my $target = ''; my $target = '';
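Review bot: the `fatal_error "Jumps to the $jumpchain chain are not allowed" if reserved_chain_name( $jumpchain )` guard disappears together with `reserved_chain_name`, so an ACTION naming one of the built-in chains (accounting, accountout) is no longer rejected at compile time; a rule in `accounting` that jumps to `accounting` would only be caught, if at all, when iptables loads the generated ruleset. Either keep the guard or re-check the name inside `ensure_accounting_chain`. The return value changing from `$jumpchain` to `"-j $jumpchain"` is consistent with `$target = '-j RETURN'` in the next hunk.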
@@ -97,19 +86,16 @@ sub process_accounting_rule( ) {
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ); my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
my $rule2 = 0; my $rule2 = 0;
my $jump = 0;
unless ( $action eq 'COUNT' ) { unless ( $action eq 'COUNT' ) {
if ( $action eq 'DONE' ) { if ( $action eq 'DONE' ) {
$target = 'RETURN'; $target = '-j RETURN';
} else { } else {
( $action, my $cmd ) = split /:/, $action; ( $action, my $cmd ) = split /:/, $action;
if ( $cmd ) { if ( $cmd ) {
if ( $cmd eq 'COUNT' ) { if ( $cmd eq 'COUNT' ) {
$rule2 = 1; $rule2=1;
} elsif ( $cmd eq 'JUMP' ) { } elsif ( $cmd ne 'JUMP' ) {
$jump = 1;
} else {
accounting_error; accounting_error;
} }
} }
@@ -151,31 +137,7 @@ sub process_accounting_rule( ) {
$dest = ALLIP if $dest eq 'any' || $dest eq 'all'; $dest = ALLIP if $dest eq 'any' || $dest eq 'all';
} }
my $chainref = $filter_table->{$chain}; my $chainref = ensure_accounting_chain $chain;
my $dir;
if ( ! $chainref ) {
$chainref = ensure_accounting_chain $chain, 0;
$dir = ipsec_chain_name( $chain );
if ( $ipsec ne '-' ) {
if ( $dir ) {
$rule .= do_ipsec( $dir, $ipsec );
$chainref->{ipsec} = $dir;
} else {
fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
}
} else {
warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
$chainref->{ipsec} = $dir;
}
} elsif ( $ipsec ne '-' ) {
$dir = $chainref->{ipsec};
fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
$rule .= do_ipsec( $dir , $ipsec );
}
$restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;
expand_rule expand_rule
$chainref , $chainref ,
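Review bot: replacing the lookup with `my $chainref = ensure_accounting_chain $chain;` also drops the `warning_message "Adding rule to unreferenced accounting chain $chain"`, and the `warning_message "Accounting chain $_->{name} has no references"` loop is removed further down, so a typo in the CHAIN column now silently creates a chain that nothing jumps to and whose rules never count anything. Keep at least one of the two warnings; the new "rules are isolated" fatal error only covers the case where no `accounting` chain exists at all.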
@@ -189,22 +151,6 @@ sub process_accounting_rule( ) {
$disposition , $disposition ,
'' ; '' ;
if ( $rule2 || $jump ) {
if ( $chainref->{ipsec} ) {
if ( $jumpchainref->{ipsec} ) {
fatal_error "IPSEC in/out mismatch on chains $chain and $jumpchainref->{name}";
} else {
fatal_error "$jumpchainref->{name} is not an IPSEC chain" if keys %{$jumpchainref->{references}} > 1;
$jumpchainref->{ipsec} = $chainref->{ipsec};
}
} elsif ( $jumpchainref->{ipsec} ) {
fatal_error "Jump from a non-IPSEC chain to an IPSEC chain not allowed";
} else {
$jumpchainref->{ipsec} = $chainref->{ipsec};
}
}
if ( $rule2 ) { if ( $rule2 ) {
expand_rule expand_rule
$jumpchainref , $jumpchainref ,
@@ -232,6 +178,8 @@ sub setup_accounting() {
$nonEmpty |= process_accounting_rule while read_a_line; $nonEmpty |= process_accounting_rule while read_a_line;
fatal_error "Accounring rules are isolated" if $nonEmpty && ! $filter_table->{accounting};
clear_comment; clear_comment;
if ( have_bridges ) { if ( have_bridges ) {
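Review bot: the new `fatal_error "Accounring rules are isolated"` has a typo in a user-facing message: "Accounring" should read "Accounting". It is also worth confirming that the condition `$nonEmpty && ! $filter_table->{accounting}` is right for bridge configurations, where the `have_bridges` block that follows also jumps to `accountout`.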
@@ -244,28 +192,13 @@ sub setup_accounting() {
if ( $filter_table->{accountout} ) { if ( $filter_table->{accountout} ) {
add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 ); add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
} }
} elsif ( $filter_table->{accounting} ) { } else {
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) { if ( $filter_table->{accounting} ) {
add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 ); for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
}
} }
} }
if ( $filter_table->{accipsecin} ) {
for my $chain ( qw/INPUT FORWARD/ ) {
add_jump( $filter_table->{$chain}, 'accipsecin', 0, '', 0, 0 );
}
}
if ( $filter_table->{accipsecout} ) {
for my $chain ( qw/FORWARD OUTPUT/ ) {
add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
}
}
for ( accounting_chainrefs ) {
warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
}
} }
1; 1;
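Review bot: style point in the restructured block: `} else { if ( $filter_table->{accounting} ) { ... } }` is the original `} elsif ( $filter_table->{accounting} ) {` with one more level of nesting; keeping `elsif` avoids the extra indentation. The removed `accipsecin`/`accipsecout` jumps are consistent with the IPSEC column going away in the Accounting.pm hunks above.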

@@ -28,7 +28,6 @@ require Exporter;
use Shorewall::Config qw(:DEFAULT :internal); use Shorewall::Config qw(:DEFAULT :internal);
use Shorewall::Zones; use Shorewall::Zones;
use Shorewall::Chains qw(:DEFAULT :internal); use Shorewall::Chains qw(:DEFAULT :internal);
use Shorewall::IPAddrs;
use strict; use strict;
@@ -58,7 +57,7 @@ our @EXPORT = qw( merge_levels
$macro_commands $macro_commands
); );
our @EXPORT_OK = qw( initialize ); our @EXPORT_OK = qw( initialize );
our $VERSION = '4.4_13'; our $VERSION = '4.4_10';
# #
# Used Actions. Each action that is actually used has an entry with value 1. # Used Actions. Each action that is actually used has an entry with value 1.
@@ -179,27 +178,9 @@ sub find_macro( $ )
# #
sub split_action ( $ ) { sub split_action ( $ ) {
my $action = $_[0]; my $action = $_[0];
my $target = '';
my $max = 3;
#
# The following rather grim RE, when matched, breaks the action into two parts:
#
# basicaction(param)
# logging part (may be empty)
#
# The param may contain one or more ':' characters
#
if ( $action =~ /^([^(:]+\(.*?\))(:(.*))?$/ ) {
$target = $1;
$action = $2 ? $3 : '';
$max = 2;
}
my @a = split( /:/ , $action, 4 ); my @a = split( /:/ , $action, 4 );
fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max ); fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > 3 );
$target = shift @a unless $target; ( shift @a, join ":", @a );
( $target, join ":", @a );
} }
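Review bot: removing the parenthesis-aware RE and its `$max` reverts to `split( /:/ , $action, 4 )` on the whole string, so a parameterized action whose parameter contains a colon (the removed comment states "The param may contain one or more ':' characters") is now split inside the parentheses: part of the parameter is taken as the logging part, or the line is rejected by `@a > 3`. If `action(param)` syntax is still supported in this version, the split has to skip the parenthesized part.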
# #
@@ -636,7 +617,7 @@ sub process_action( $$$$$$$$$$$ ) {
$source , $source ,
$dest , $dest ,
'', #Original Dest '', #Original Dest
$action , $action ? "-j $action" : '',
$level , $level ,
$action , $action ,
'' ); '' );
@@ -795,8 +776,8 @@ sub dropBcast( $$$ ) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 '; log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
} else { } else {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' ); log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d ff00::/10 -j DROP ';
} }
} }
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP'; add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
@@ -820,7 +801,7 @@ sub dropBcast( $$$ ) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
add_rule $chainref, '-d 224.0.0.0/4 -j DROP'; add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
} else { } else {
add_rule $chainref, join( ' ', '-d', IPv6_MULTICAST, '-j DROP' ); add_rule $chainref, '-d ff00::/10 -j DROP';
} }
} }
@@ -852,8 +833,8 @@ sub allowBcast( $$$ ) {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne ''; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT'; add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
} else { } else {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne ''; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
add_rule $chainref, join ( ' ', '-d', IPv6_MULTICAST, '-j ACCEPT' ); add_rule $chainref, '-d ff00:/10 -j ACCEPT';
} }
} }
} }
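Review bot: `add_rule $chainref, '-d ff00:/10 -j ACCEPT';` in the IPv6 branch of allowBcast is missing a colon: `ff00:/10` is not a valid IPv6 prefix (the log_rule_limit line directly above and the dropBcast hunks use `ff00::/10`), so ip6tables will reject the rule at load time and allowBcast is broken for IPv6. This is also the argument for keeping the `IPv6_MULTICAST` constant from Shorewall::IPAddrs rather than repeating the literal in four places.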

@@ -43,7 +43,7 @@ use Shorewall::Raw;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( compiler ); our @EXPORT = qw( compiler );
our @EXPORT_OK = qw( $export ); our @EXPORT_OK = qw( $export );
our $VERSION = '4.4_12'; our $VERSION = '4.4_10';
our $export; our $export;
@@ -87,22 +87,22 @@ sub generate_script_1( $ ) {
emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#"; emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
} else { } else {
my $date = localtime; my $date = localtime;
emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#"; emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
copy $globals{SHAREDIRPL} . 'prog.header'; copy $globals{SHAREDIRPL} . 'prog.header';
} else { } else {
copy $globals{SHAREDIRPL} . 'prog.header6'; copy $globals{SHAREDIRPL} . 'prog.header6';
} }
copy2 $globals{SHAREDIR} . '/lib.common', 0; copy2 $globals{SHAREDIR} . '/lib.common', 0;
} }
} }
my $lib = find_file 'lib.private'; my $lib = find_file 'lib.private';
copy2( $lib, $debug ) if -f $lib; copy2( $lib, $debug ) if -f $lib;
emit <<'EOF'; emit <<'EOF';
@@ -256,7 +256,7 @@ sub generate_script_2() {
push_indent; push_indent;
if ( $global_variables ) { if ( $global_variables ) {
emit( 'case $COMMAND in' ); emit( 'case $COMMAND in' );
push_indent; push_indent;
@@ -300,7 +300,7 @@ sub generate_script_2() {
pop_indent; pop_indent;
emit "\n}\n"; # End of detect_configuration() emit "\n}\n"; # End of detect_configuration()
} }
# Final stage of script generation. # Final stage of script generation.
@@ -384,7 +384,7 @@ sub generate_script_3($) {
emit "disable_ipv6\n" if $config{DISABLE_IPV6}; emit "disable_ipv6\n" if $config{DISABLE_IPV6};
} else { } else {
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
'' ); '' );
save_dynamic_chains; save_dynamic_chains;
mark_firewall_not_started; mark_firewall_not_started;
@@ -442,37 +442,32 @@ EOF
setup_forwarding( $family , 1 ); setup_forwarding( $family , 1 );
push_indent; push_indent;
my $config_dir = $globals{CONFIGDIR}; emit<<'EOF';
set_state "Started"
emit<<"EOF";
set_state Started $config_dir
run_restored_exit run_restored_exit
else else
if [ \$COMMAND = refresh ]; then if [ $COMMAND = refresh ]; then
chainlist_reload chainlist_reload
EOF EOF
setup_forwarding( $family , 0 ); setup_forwarding( $family , 0 );
emit<<"EOF"; emit<<'EOF';
run_refreshed_exit run_refreshed_exit
do_iptables -N shorewall do_iptables -N shorewall
set_state Started $config_dir set_state "Started"
else else
setup_netfilter setup_netfilter
conditionally_flush_conntrack conditionally_flush_conntrack
EOF EOF
setup_forwarding( $family , 0 ); setup_forwarding( $family , 0 );
emit<<"EOF"; emit<<'EOF';
run_start_exit run_start_exit
do_iptables -N shorewall do_iptables -N shorewall
set_state Started $config_dir set_state "Started"
run_started_exit run_started_exit
fi fi
EOF
emit<<'EOF';
[ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
fi fi

@@ -114,7 +114,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
$product $product
$Product $Product
$toolname
$command $command
$doing $doing
$done $done
@@ -132,7 +131,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
Exporter::export_ok_tags('internal'); Exporter::export_ok_tags('internal');
our $VERSION = '4.4_13'; our $VERSION = '4.4_9';
# #
# describe the current command, it's present progressive, and it's completion. # describe the current command, it's present progressive, and it's completion.
@@ -219,7 +218,6 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
RECENT_MATCH => 'Recent Match', RECENT_MATCH => 'Recent Match',
OWNER_MATCH => 'Owner Match', OWNER_MATCH => 'Owner Match',
IPSET_MATCH => 'Ipset Match', IPSET_MATCH => 'Ipset Match',
OLD_IPSET_MATCH => 'Old Ipset Match',
CONNMARK => 'CONNMARK Target', CONNMARK => 'CONNMARK Target',
XCONNMARK => 'Extended CONNMARK Target', XCONNMARK => 'Extended CONNMARK Target',
CONNMARK_MATCH => 'Connmark Match', CONNMARK_MATCH => 'Connmark Match',
@@ -251,8 +249,6 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
OLD_HL_MATCH => 'Old Hash Limit Match', OLD_HL_MATCH => 'Old Hash Limit Match',
TPROXY_TARGET => 'TPROXY Target', TPROXY_TARGET => 'TPROXY Target',
FLOW_FILTER => 'Flow Classifier', FLOW_FILTER => 'Flow Classifier',
FWMARK_RT_MASK => 'fwmark route mask',
MARK_ANYWHERE => 'Mark in any table',
CAPVERSION => 'Capability Version', CAPVERSION => 'Capability Version',
KERNELVERSION => 'Kernel Version', KERNELVERSION => 'Kernel Version',
); );
@@ -292,7 +288,6 @@ our $sillyname; # Name of temporary filter chains for testing capa
our $sillyname1; our $sillyname1;
our $iptables; # Path to iptables/ip6tables our $iptables; # Path to iptables/ip6tables
our $tc; # Path to tc our $tc; # Path to tc
our $ip; # Path to ip
use constant { MIN_VERBOSITY => -1, use constant { MIN_VERBOSITY => -1,
MAX_VERBOSITY => 2 , MAX_VERBOSITY => 2 ,
@@ -340,15 +335,14 @@ sub initialize( $ ) {
# #
%globals = ( SHAREDIR => '/usr/share/shorewall' , %globals = ( SHAREDIR => '/usr/share/shorewall' ,
SHAREDIRPL => '/usr/share/shorewall/' , SHAREDIRPL => '/usr/share/shorewall/' ,
CONFDIR => '/etc/shorewall', # Run-time configuration directory CONFDIR => '/etc/shorewall',
CONFIGDIR => '', # Compile-time configuration directory (location of $product.conf)
LOGPARMS => '', LOGPARMS => '',
TC_SCRIPT => '', TC_SCRIPT => '',
EXPORT => 0, EXPORT => 0,
STATEMATCH => '-m state --state', STATEMATCH => '-m state --state',
UNTRACKED => 0, UNTRACKED => 0,
VERSION => "4.4.13.1", VERSION => "4.4.10",
CAPVERSION => 40413 , CAPVERSION => 40408 ,
); );
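Review bot: `CAPVERSION` drops from 40413 to 40408 while `VERSION` is "4.4.10", and OLD_IPSET_MATCH, FWMARK_RT_MASK and MARK_ANYWHERE are removed from `%capdesc` in the hunks above. Please confirm how a capabilities file produced by a newer shorecap (the Makefile `capabilities` target at the top of this compare generates it on the remote host) is handled when it contains those keys: they should be ignored with a message rather than treated as an error. Removing `CONFIGDIR` also means the compile-time configuration directory is no longer recorded anywhere in `%globals`.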
# #
@@ -366,7 +360,6 @@ sub initialize( $ ) {
LOGFILE => undef, LOGFILE => undef,
LOGFORMAT => undef, LOGFORMAT => undef,
LOGTAGONLY => undef, LOGTAGONLY => undef,
LOGLIMIT => undef,
LOGRATE => undef, LOGRATE => undef,
LOGBURST => undef, LOGBURST => undef,
LOGALLNEW => undef, LOGALLNEW => undef,
@@ -385,7 +378,6 @@ sub initialize( $ ) {
IP => undef, IP => undef,
TC => undef, TC => undef,
IPSET => undef, IPSET => undef,
PERL => undef,
# #
#PATH is inherited #PATH is inherited
# #
@@ -469,8 +461,6 @@ sub initialize( $ ) {
DYNAMIC_BLACKLIST => undef, DYNAMIC_BLACKLIST => undef,
LOAD_HELPERS_ONLY => undef, LOAD_HELPERS_ONLY => undef,
REQUIRE_INTERFACE => undef, REQUIRE_INTERFACE => undef,
FORWARD_CLEAR_MARK => undef,
COMPLETE => undef,
# #
# Packet Disposition # Packet Disposition
# #
@@ -515,7 +505,6 @@ sub initialize( $ ) {
LOGFILE => undef, LOGFILE => undef,
LOGFORMAT => undef, LOGFORMAT => undef,
LOGTAGONLY => undef, LOGTAGONLY => undef,
LOGLIMIT => undef,
LOGRATE => undef, LOGRATE => undef,
LOGBURST => undef, LOGBURST => undef,
LOGALLNEW => undef, LOGALLNEW => undef,
@@ -531,7 +520,6 @@ sub initialize( $ ) {
IP => undef, IP => undef,
TC => undef, TC => undef,
IPSET => undef, IPSET => undef,
PERL => undef,
# #
#PATH is inherited #PATH is inherited
# #
@@ -594,8 +582,6 @@ sub initialize( $ ) {
DYNAMIC_BLACKLIST => undef, DYNAMIC_BLACKLIST => undef,
LOAD_HELPERS_ONLY => undef, LOAD_HELPERS_ONLY => undef,
REQUIRE_INTERFACE => undef, REQUIRE_INTERFACE => undef,
FORWARD_CLEAR_MARK => undef,
COMPLETE => undef,
# #
# Packet Disposition # Packet Disposition
# #
@@ -645,7 +631,6 @@ sub initialize( $ ) {
RECENT_MATCH => undef, RECENT_MATCH => undef,
OWNER_MATCH => undef, OWNER_MATCH => undef,
IPSET_MATCH => undef, IPSET_MATCH => undef,
OLD_IPSET_MATCH => undef,
CONNMARK => undef, CONNMARK => undef,
XCONNMARK => undef, XCONNMARK => undef,
CONNMARK_MATCH => undef, CONNMARK_MATCH => undef,
@@ -677,8 +662,6 @@ sub initialize( $ ) {
PERSISTENT_SNAT => undef, PERSISTENT_SNAT => undef,
OLD_HL_MATCH => undef, OLD_HL_MATCH => undef,
FLOW_FILTER => undef, FLOW_FILTER => undef,
FWMARK_RT_MASK => undef,
MARK_ANYWHERE => undef,
CAPVERSION => undef, CAPVERSION => undef,
KERNELVERSION => undef, KERNELVERSION => undef,
); );
@@ -1093,7 +1076,7 @@ sub progress_message2 {
@localtime = localtime unless $havelocaltime; @localtime = localtime unless $havelocaltime;
printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log "@_\n"; print $log "@_\n";
} }
} }
@@ -1114,7 +1097,7 @@ sub progress_message3 {
@localtime = localtime unless $havelocaltime; @localtime = localtime unless $havelocaltime;
printf $log '%s %2d %2d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0]; printf $log '%s %2d %02d:%02d:%02d ', $abbr[$localtime[4]], @localtime[3,2,1,0];
print $log "@_\n"; print $log "@_\n";
} }
} }
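Review bot: the `%2d` to `%02d` change for the hour field is applied to the same printf in both progress_message2 and progress_message3; moving the timestamp formatting into one helper would keep the two log formats from drifting apart again.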
@@ -1198,7 +1181,7 @@ sub copy1( $ ) {
print $script $here_documents if $here_documents; print $script $here_documents if $here_documents;
print $script "\n"; print $script "\n";
} }
if ( $debug ) { if ( $debug ) {
print "GS-----> $here_documents" if $here_documents; print "GS-----> $here_documents" if $here_documents;
print "GS----->\n"; print "GS----->\n";
@@ -1298,7 +1281,7 @@ EOF
s/^(\s*)/$indent1$1$indent2/; s/^(\s*)/$indent1$1$indent2/;
s/ /\t/ if $indent2; s/ /\t/ if $indent2;
} }
if ( $script ) { if ( $script ) {
print $script $_; print $script $_;
print $script "\n"; print $script "\n";
@@ -1312,9 +1295,9 @@ EOF
$lastlineblank = 0; $lastlineblank = 0;
} }
} }
close IF; close IF;
unless ( $lastlineblank ) { unless ( $lastlineblank ) {
print $script "\n" if $script; print $script "\n" if $script;
print "GS----->\n" if $trace; print "GS----->\n" if $trace;
@@ -1479,12 +1462,10 @@ sub split_list1( $$ ) {
fatal_error "Invalid $type list ($list)" if $count > 1; fatal_error "Invalid $type list ($list)" if $count > 1;
push @list2 , $_; push @list2 , $_;
} else { } else {
s/\(//;
$element = $_; $element = $_;
} }
} elsif ( ( $count = tr/)/)/ ) > 0 ) { } elsif ( ( $count = tr/)/)/ ) > 0 ) {
fatal_error "Invalid $type list ($list)" unless $element && $count == 1; fatal_error "Invalid $type list ($list)" unless $element && $count == 1;
s/\)//;
push @list2, join ',', $element, $_; push @list2, join ',', $element, $_;
$element = ''; $element = '';
} elsif ( $element ) { } elsif ( $element ) {
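Review bot: with `s/\(//;` and `s/\)//;` removed, the element pushed by `push @list2, join ',', $element, $_;` keeps its opening and closing parentheses, e.g. `(a` and `b)` are joined as `(a,b)` instead of `a,b`. If callers of split_list1 are now expected to strip the parentheses themselves, say so in the sub's comment; otherwise this changes what every caller receives.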
@@ -1783,9 +1764,7 @@ sub embedded_perl( $ ) {
# - Handle INCLUDE <filename> # - Handle INCLUDE <filename>
# #
sub read_a_line(;$) { sub read_a_line() {
my $embedded_enabled = defined $_[0] ? shift : 1;
while ( $currentfile ) { while ( $currentfile ) {
$currentline = ''; $currentline = '';
@@ -1831,59 +1810,53 @@ sub read_a_line(;$) {
# #
# Must check for shell/perl before doing variable expansion # Must check for shell/perl before doing variable expansion
# #
if ( $embedded_enabled ) { if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) { embedded_shell( $1 );
embedded_shell( $1 ); } elsif ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
next; embedded_perl( $1 );
}
if ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
embedded_perl( $1 );
next;
}
}
my $count = 0;
#
# Expand Shell Variables using %ENV
#
# $1 $2 $3 - $4
while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
my $val = $ENV{$3};
unless ( defined $val ) {
fatal_error "Undefined shell variable (\$$3)" unless exists $ENV{$3};
$val = '';
}
$currentline = join( '', $1 , $val , $4 );
fatal_error "Variable Expansion Loop" if ++$count > 100;
}
if ( $currentline =~ /^\s*INCLUDE\s/ ) {
my @line = split ' ', $currentline;
fatal_error "Invalid INCLUDE command" if @line != 2;
fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
my $filename = find_file $line[1];
fatal_error "INCLUDE file $filename not found" unless -f $filename;
fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
if ( -s _ ) {
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
$currentfile = undef;
do_open_file $filename;
} else {
$currentlinenumber = 0;
}
$currentline = '';
} else { } else {
print "IN===> $currentline\n" if $debug; my $count = 0;
return 1; #
# Expand Shell Variables using %ENV
#
# $1 $2 $3 - $4
while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
my $val = $ENV{$3};
unless ( defined $val ) {
fatal_error "Undefined shell variable (\$$3)" unless exists $ENV{$3};
$val = '';
}
$currentline = join( '', $1 , $val , $4 );
fatal_error "Variable Expansion Loop" if ++$count > 100;
}
if ( $currentline =~ /^\s*INCLUDE\s/ ) {
my @line = split ' ', $currentline;
fatal_error "Invalid INCLUDE command" if @line != 2;
fatal_error "INCLUDEs/Scripts nested too deeply" if @includestack >= 4;
my $filename = find_file $line[1];
fatal_error "INCLUDE file $filename not found" unless -f $filename;
fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
if ( -s _ ) {
push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
$currentfile = undef;
do_open_file $filename;
} else {
$currentlinenumber = 0;
}
$currentline = '';
} else {
print "IN===> $currentline\n" if $debug;
return 1;
}
} }
} }
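Review bot: the `$embedded_enabled` switch is gone, so the right-hand read_a_line unconditionally hands `BEGIN SHELL` / `BEGIN PERL` lines to embedded_shell and embedded_perl for every file it reads, including the product .conf file (the process_shorewall_conf hunk further down drops the `read_a_line(0)` argument). That executes script blocks from a file that was previously parsed only as `NAME=value` settings; if that is intended, document it, otherwise keep the flag so configuration-file parsing stays inert. The control flow is otherwise equivalent: the `next` after each embedded_* call becomes the if/elsif/else that skips variable expansion and INCLUDE handling for those lines.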
@@ -1926,11 +1899,9 @@ sub default ( $$ ) {
sub default_yes_no ( $$ ) { sub default_yes_no ( $$ ) {
my ( $var, $val ) = @_; my ( $var, $val ) = @_;
my $curval = $config{$var}; my $curval = "\L$config{$var}";
if ( defined $curval && $curval ne '' ) { if ( defined $curval && $curval ne '' ) {
$curval = lc $curval;
if ( $curval eq 'no' ) { if ( $curval eq 'no' ) {
$config{$var} = ''; $config{$var} = '';
} else { } else {
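Review bot: `my $curval = "\L$config{$var}";` interpolates the value before the `defined` test, so `$curval` is always defined (an unset option becomes the empty string) and the `defined $curval &&` part of the next line is dead; under `use warnings` an undef `$config{$var}` also emits an "uninitialized value" warning here. The original order (test `defined`, then `lc`) avoids both; keep it.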
@@ -1953,7 +1924,7 @@ sub numeric_option( $$$ ) {
my $value = $config{$option}; my $value = $config{$option};
my $val = $default; my $val = $default;
if ( defined $value && $value ne '' ) { if ( defined $value && $value ne '' ) {
$val = numeric_value $value; $val = numeric_value $value;
fatal_error "Invalid value ($value) for '$option'" unless defined $val && $val <= 32; fatal_error "Invalid value ($value) for '$option'" unless defined $val && $val <= 32;
@@ -1966,7 +1937,7 @@ sub numeric_option( $$$ ) {
sub make_mask( $ ) { sub make_mask( $ ) {
0xffffffff >> ( 32 - $_[0] ); 0xffffffff >> ( 32 - $_[0] );
} }
my @suffixes = qw(group range threshold nlgroup cprange qthreshold); my @suffixes = qw(group range threshold nlgroup cprange qthreshold);
@@ -2212,14 +2183,14 @@ sub Persistent_Snat() {
$result = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" ); $result = qt1( "$iptables -t nat -A $sillyname -j SNAT --to-source 1.2.3.4 --persistent" );
qt1( "$iptables -t nat -F $sillyname" ); qt1( "$iptables -t nat -F $sillyname" );
qt1( "$iptables -t nat -X $sillyname" ); qt1( "$iptables -t nat -X $sillyname" );
} }
$result; $result;
} }
sub Mangle_Enabled() { sub Mangle_Enabled() {
if ( qt1( "$iptables -t mangle -L -n" ) ) { if ( qt1( "$iptables -t mangle -L -n" ) ) {
system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname"; system( "$iptables -t mangle -N $sillyname" ) == 0 || fatal_error "Cannot Create Mangle chain $sillyname";
} }
} }
@@ -2329,11 +2300,7 @@ sub Comments() {
} }
sub Hashlimit_Match() { sub Hashlimit_Match() {
if ( qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" ) ) { have_capability 'OLD_HL_MATCH' || qt1( "$iptables -A $sillyname -m hashlimit --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name $sillyname --hashlimit-mode srcip -j ACCEPT" );
! ( $capabilities{OLD_HL_MATCH} = 0 );
} else {
have_capability 'OLD_HL_MATCH';
}
} }
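Review bot: the detection order is reversed: `have_capability 'OLD_HL_MATCH' || qt1( ... --hashlimit-upto ... )` probes OLD_HL_MATCH first and only tries `--hashlimit-upto` if that fails, whereas the removed code tried the current syntax first and recorded `$capabilities{OLD_HL_MATCH} = 0` when it worked. On an iptables that accepts both spellings the new code reports OLD_HL_MATCH and generates the old option; if that is acceptable, note it in the capability description.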
sub Old_Hashlimit_Match() { sub Old_Hashlimit_Match() {
@@ -2380,11 +2347,11 @@ sub Raw_Table() {
qt1( "$iptables -t raw -L -n" ); qt1( "$iptables -t raw -L -n" );
} }
sub Old_IPSet_Match() { sub IPSet_Match() {
my $ipset = $config{IPSET} || 'ipset'; my $ipset = $config{IPSET} || 'ipset';
my $result = 0; my $result = 0;
$ipset = which $ipset unless $ipset =~ '/'; $ipset = which $ipset unless $ipset =~ '//';
if ( $ipset && -x $ipset ) { if ( $ipset && -x $ipset ) {
qt( "$ipset -X $sillyname" ); qt( "$ipset -X $sillyname" );
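Review bot: `$ipset = which $ipset unless $ipset =~ '//';` tests for the two-character string "//" (a string on the right of `=~` is compiled as a pattern), not for a path separator, so an explicitly configured IPSET=/usr/sbin/ipset is still passed to `which` instead of being used as configured. The original `'/'` is the correct test; `index( $ipset, '/' ) >= 0` would make the intent explicit.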
@@ -2392,31 +2359,7 @@ sub Old_IPSet_Match() {
if ( qt( "$ipset -N $sillyname iphash" ) ) { if ( qt( "$ipset -N $sillyname iphash" ) ) {
if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) { if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" ); qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
$result = $capabilities{IPSET_MATCH} = 1; $result = 1;
}
qt( "$ipset -X $sillyname" );
}
}
$result;
}
sub IPSet_Match() {
my $ipset = $config{IPSET} || 'ipset';
my $result = 0;
$ipset = which $ipset unless $ipset =~ '/';
if ( $ipset && -x $ipset ) {
qt( "$ipset -X $sillyname" );
if ( qt( "$ipset -N $sillyname iphash" ) ) {
if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
} else {
$result = have_capability 'OLD_IPSET_MATCH';
} }
qt( "$ipset -X $sillyname" ); qt( "$ipset -X $sillyname" );
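Review bot: after folding Old_IPSet_Match into IPSet_Match, detection only probes the `-m set --set` form; the `--match-set` probe and the `OLD_IPSET_MATCH` fallback are gone, so on an iptables that accepts only `--match-set`, IPSET_MATCH is reported as absent even though the kernel supports ipset. If only the old syntax is supported in this version, the generated rules must use `--set` consistently and the limitation belongs in the documentation.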
@@ -2474,14 +2417,6 @@ sub Flow_Filter() {
$tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0; $tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0;
} }
sub Fwmark_Rt_Mask() {
$ip && system( "$ip rule add help 2>&1 | grep -q /MASK" ) == 0;
}
sub Mark_Anywhere() {
qt1( "$iptables -A $sillyname -j MARK --set-mark 5" );
}
our %detect_capability = our %detect_capability =
( ADDRTYPE => \&Addrtype, ( ADDRTYPE => \&Addrtype,
CLASSIFY_TARGET => \&Classify_Target, CLASSIFY_TARGET => \&Classify_Target,
@@ -2493,7 +2428,6 @@ our %detect_capability =
ENHANCED_REJECT => \&Enhanced_Reject, ENHANCED_REJECT => \&Enhanced_Reject,
EXMARK => \&Exmark, EXMARK => \&Exmark,
FLOW_FILTER => \&Flow_Filter, FLOW_FILTER => \&Flow_Filter,
FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
GOTO_TARGET => \&Goto_Target, GOTO_TARGET => \&Goto_Target,
HASHLIMIT_MATCH => \&Hashlimit_Match, HASHLIMIT_MATCH => \&Hashlimit_Match,
HELPER_MATCH => \&Helper_Match, HELPER_MATCH => \&Helper_Match,
@@ -2501,7 +2435,6 @@ our %detect_capability =
IPP2P_MATCH => \&Ipp2p_Match, IPP2P_MATCH => \&Ipp2p_Match,
IPRANGE_MATCH => \&IPRange_Match, IPRANGE_MATCH => \&IPRange_Match,
IPSET_MATCH => \&IPSet_Match, IPSET_MATCH => \&IPSet_Match,
OLD_IPSET_MATCH => \&Old_IPSet_Match,
KLUDGEFREE => \&Kludgefree, KLUDGEFREE => \&Kludgefree,
LENGTH_MATCH => \&Length_Match, LENGTH_MATCH => \&Length_Match,
LOGMARK_TARGET => \&Logmark_Target, LOGMARK_TARGET => \&Logmark_Target,
@@ -2509,7 +2442,6 @@ our %detect_capability =
MANGLE_ENABLED => \&Mangle_Enabled, MANGLE_ENABLED => \&Mangle_Enabled,
MANGLE_FORWARD => \&Mangle_Forward, MANGLE_FORWARD => \&Mangle_Forward,
MARK => \&Mark, MARK => \&Mark,
MARK_ANYWHERE => \&Mark_Anywhere,
MULTIPORT => \&Multiport, MULTIPORT => \&Multiport,
NAT_ENABLED => \&Nat_Enabled, NAT_ENABLED => \&Nat_Enabled,
NEW_CONNTRACK_MATCH => \&New_Conntrack_Match, NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
@@ -2552,7 +2484,7 @@ sub have_capability( $ ) {
$capabilities{ $capability } = detect_capability( $capability ) unless defined $capabilities{ $capability }; $capabilities{ $capability } = detect_capability( $capability ) unless defined $capabilities{ $capability };
$capabilities{ $capability }; $capabilities{ $capability };
} }
# #
@@ -2573,11 +2505,11 @@ sub determine_capabilities() {
qt1( "$iptables -N $sillyname1" ); qt1( "$iptables -N $sillyname1" );
fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system' fatal_error 'Your kernel/iptables do not include state match support. No version of Shorewall will run on this system'
unless unless
qt1( "$iptables -A $sillyname -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT") || qt1( "$iptables -A $sillyname -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT") ||
qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");; qt1( "$iptables -A $sillyname -m state --state ESTABLISHED,RELATED -j ACCEPT");;
unless ( $config{ LOAD_HELPERS_ONLY } ) { unless ( $config{ LOAD_HELPERS_ONLY } ) {
# #
# Using 'detect_capability()' is a bit less efficient than calling the individual detection # Using 'detect_capability()' is a bit less efficient than calling the individual detection
@@ -2586,7 +2518,7 @@ sub determine_capabilities() {
$capabilities{NAT_ENABLED} = detect_capability( 'NAT_ENABLED' ); $capabilities{NAT_ENABLED} = detect_capability( 'NAT_ENABLED' );
$capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' ); $capabilities{PERSISTENT_SNAT} = detect_capability( 'PERSISTENT_SNAT' );
$capabilities{MANGLE_ENABLED} = detect_capability( 'MANGLE_ENABLED' ); $capabilities{MANGLE_ENABLED} = detect_capability( 'MANGLE_ENABLED' );
if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) { if ( $capabilities{CONNTRACK_MATCH} = detect_capability( 'CONNTRACK_MATCH' ) ) {
$capabilities{NEW_CONNTRACK_MATCH} = detect_capability( 'NEW_CONNTRACK_MATCH' ); $capabilities{NEW_CONNTRACK_MATCH} = detect_capability( 'NEW_CONNTRACK_MATCH' );
$capabilities{OLD_CONNTRACK_MATCH} = detect_capability( 'OLD_CONNTRACK_MATCH' ); $capabilities{OLD_CONNTRACK_MATCH} = detect_capability( 'OLD_CONNTRACK_MATCH' );
@@ -2599,7 +2531,7 @@ sub determine_capabilities() {
$capabilities{KLUDGEFREE} = Kludgefree1; $capabilities{KLUDGEFREE} = Kludgefree1;
} }
$capabilities{XMULTIPORT} = detect_capability( 'XMULTIPORT' ); $capabilities{XMULTIPORT} = detect_capability( 'XMULTIPORT' );
$capabilities{POLICY_MATCH} = detect_capability( 'POLICY_MATCH' ); $capabilities{POLICY_MATCH} = detect_capability( 'POLICY_MATCH' );
if ( $capabilities{PHYSDEV_MATCH} = detect_capability( 'PHYSDEV_MATCH' ) ) { if ( $capabilities{PHYSDEV_MATCH} = detect_capability( 'PHYSDEV_MATCH' ) ) {
@@ -2653,8 +2585,6 @@ sub determine_capabilities() {
$capabilities{LOG_TARGET} = detect_capability( 'LOG_TARGET' ); $capabilities{LOG_TARGET} = detect_capability( 'LOG_TARGET' );
$capabilities{LOGMARK_TARGET} = detect_capability( 'LOGMARK_TARGET' ); $capabilities{LOGMARK_TARGET} = detect_capability( 'LOGMARK_TARGET' );
$capabilities{FLOW_FILTER} = detect_capability( 'FLOW_FILTER' ); $capabilities{FLOW_FILTER} = detect_capability( 'FLOW_FILTER' );
$capabilities{FWMARK_RT_MASK} = detect_capability( 'FWMARK_RT_MASK' );
$capabilities{MARK_ANYWHERE} = detect_capability( 'MARK_ANYWHERE' );
qt1( "$iptables -F $sillyname" ); qt1( "$iptables -F $sillyname" );
@@ -2732,15 +2662,12 @@ sub process_shorewall_conf() {
my $file = find_file "$product.conf"; my $file = find_file "$product.conf";
if ( -f $file ) { if ( -f $file ) {
$globals{CONFIGDIR} = $file;
$globals{CONFIGDIR} =~ s/$product.conf//;
if ( -r _ ) { if ( -r _ ) {
open_file $file; open_file $file;
first_entry "Processing $file..."; first_entry "Processing $file...";
while ( read_a_line(0) ) { while ( read_a_line ) {
if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) { if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
my ($var, $val) = ($1, $2); my ($var, $val) = ($1, $2);
unless ( exists $config{$var} ) { unless ( exists $config{$var} ) {
@@ -2815,18 +2742,12 @@ sub get_capabilities( $ ) {
fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore; fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
$tc = $config{TC} || which 'tc'; $tc = $config{TC};
if ( $tc ) { if ( $tc ) {
fatal_error "TC=$tc does not exist or is not executable" unless -x $tc; fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
} }
$ip = $config{IP} || which 'ip';
if ( $ip ) {
fatal_error "IP=$ip does not exist or is not executable" unless -x $ip;
}
load_kernel_modules; load_kernel_modules;
if ( open_file 'capabilities' ) { if ( open_file 'capabilities' ) {
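Review bot: the right-hand column drops the `|| which 'tc'` fallback and the whole `$ip` detection block, so a bad `IP=` setting in shorewall.conf is no longer caught at compile time; the left-hand column fails early with `IP=$ip does not exist or is not executable`, while the right-hand version only discovers the problem when the generated script runs. If the right-hand form is the intended one, document that `TC` and `IP` must be given as full paths, since neither is looked up with `which` there.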
@@ -2899,60 +2820,7 @@ sub get_configuration( $ ) {
$globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH'; $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
if ( my $rate = $config{LOGLIMIT} ) { if ( $config{LOGRATE} || $config{LOGBURST} ) {
my $limit;
if ( $rate =~ /^[sd]:/ ) {
require_capability 'HASHLIMIT_MATCH', 'Per-ip log rate limiting' , 's';
$limit = "-m hashlimit ";
my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
my $units;
if ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
fatal_error "Invalid rate ($1)" unless $2;
fatal_error "Invalid burst value ($5)" unless $5;
$limit .= "--$match $1 --hashlimit-burst $5 --hashlimit-name lograte --hashlimit-mode ";
$units = $4;
} elsif ( $rate =~ /^[sd]:((\d+)(\/(sec|min|hour|day))?)$/ ) {
fatal_error "Invalid rate ($1)" unless $2;
$limit .= "--$match $1 --hashlimit-name lograte --hashlimit-mode ";
$units = $4;
} else {
fatal_error "Invalid rate ($rate)";
}
$limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
if ( $units && $units ne 'sec' ) {
my $expire = 60000; # 1 minute in milliseconds
if ( $units ne 'min' ) {
$expire *= 60; #At least an hour
$expire *= 24 if $units eq 'day';
}
$limit .= "--hashlimit-htable-expire $expire ";
}
} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
fatal_error "Invalid rate ($1)" unless $2;
fatal_error "Invalid burst value ($5)" unless $5;
$limit = "-m limit --limit $1 --limit-burst $5 ";
} elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ ) {
fatal_error "Invalid rate (${1}${2})" unless $1;
$limit = "-m limit --limit $rate ";
} else {
fatal_error "Invalid rate ($rate)";
}
$globals{LOGLIMIT} = $limit;
warning_message "LOGRATE Ignored when LOGLIMIT is specified" if $config{LOGRATE};
warning_message "LOGBURST Ignored when LOGLIMIT is specified" if $config{LOGBURST};
} elsif ( $config{LOGRATE} || $config{LOGBURST} ) {
if ( defined $config{LOGRATE} ) { if ( defined $config{LOGRATE} ) {
fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/; fatal_error"Invalid LOGRATE ($config{LOGRATE})" unless $config{LOGRATE} =~ /^\d+\/(second|minute)$/;
} }
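Review bot: in the left-hand column's `-m limit` branch, `fatal_error "Invalid rate (${1}${2})" unless $1;` interpolates `$2`, which is undefined when the rate has no `/unit` suffix (the `(\/(sec|min|hour|day))?` group is optional) and produces an uninitialized-value warning; report `$rate` instead. Two further points on the same column: the LOGLIMIT parser accepts `sec|min|hour|day` while the LOGRATE check kept below it only accepts `second|minute` (`/^\d+\/(second|minute)$/`), so the two options spell units differently and the documentation should say so; and `--hashlimit-name lograte` is one fixed table name shared by every log rule, which is fine if a single per-IP rate budget for all logging is the intent, but a comment should state that. `fatal_error"Invalid LOGRATE ...` is missing the space after the function name in both columns.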
@@ -2969,7 +2837,7 @@ sub get_configuration( $ ) {
} }
check_trivalue ( 'IP_FORWARDING', 'on' ); check_trivalue ( 'IP_FORWARDING', 'on' );
my $val; my $val;
if ( have_capability( 'KERNELVERSION' ) < 20631 ) { if ( have_capability( 'KERNELVERSION' ) < 20631 ) {
@@ -2988,7 +2856,7 @@ sub get_configuration( $ ) {
} }
if ( $family == F_IPV6 ) { if ( $family == F_IPV6 ) {
$val = $config{ROUTE_FILTER}; $val = $config{ROUTE_FILTER};
fatal_error "ROUTE_FILTER=$val is not supported in IPv6" if $val && $val ne 'off'; fatal_error "ROUTE_FILTER=$val is not supported in IPv6" if $val && $val ne 'off';
} }
@@ -3071,7 +2939,7 @@ sub get_configuration( $ ) {
default_yes_no 'AUTO_COMMENT' , 'Yes'; default_yes_no 'AUTO_COMMENT' , 'Yes';
default_yes_no 'MULTICAST' , ''; default_yes_no 'MULTICAST' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
default_yes_no 'MANGLE_ENABLED' , have_capability 'MANGLE_ENABLED' ? 'Yes' : ''; default_yes_no 'MANGLE_ENABLED' , 'Yes';
default_yes_no 'NULL_ROUTE_RFC1918' , ''; default_yes_no 'NULL_ROUTE_RFC1918' , '';
default_yes_no 'USE_DEFAULT_RT' , ''; default_yes_no 'USE_DEFAULT_RT' , '';
default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes'; default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes';
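Review bot: `default_yes_no 'MANGLE_ENABLED' , have_capability 'MANGLE_ENABLED' ? 'Yes' : '';` in the left-hand column only parses as intended (`have_capability('MANGLE_ENABLED') ? 'Yes' : ''`) if `have_capability` has a `($)` prototype; write it with explicit parentheses, as this file does elsewhere (`have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto'`), so the ternary does not depend on the prototype. The right-hand column defaults MANGLE_ENABLED to `Yes` unconditionally, so on a kernel without the mangle table the compiled script fails at run time instead of at compile time; tying the default to the detected capability, as the left-hand column does, is the safer behaviour.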
@@ -3082,24 +2950,15 @@ sub get_configuration( $ ) {
default_yes_no 'OPTIMIZE_ACCOUNTING' , ''; default_yes_no 'OPTIMIZE_ACCOUNTING' , '';
default_yes_no 'DYNAMIC_BLACKLIST' , 'Yes'; default_yes_no 'DYNAMIC_BLACKLIST' , 'Yes';
default_yes_no 'REQUIRE_INTERFACE' , ''; default_yes_no 'REQUIRE_INTERFACE' , '';
default_yes_no 'FORWARD_CLEAR_MARK' , have_capability 'MARK' ? 'Yes' : '';
default_yes_no 'COMPLETE' , '';
require_capability 'MARK' , 'FOREWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
numeric_option 'TC_BITS', $config{WIDE_TC_MARKS} ? 14 : 8 , 0; numeric_option 'TC_BITS', $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
numeric_option 'MASK_BITS', $config{WIDE_TC_MARKS} ? 16 : 8, $config{TC_BITS}; numeric_option 'MASK_BITS', $config{WIDE_TC_MARKS} ? 16 : 8, $config{TC_BITS};
numeric_option 'PROVIDER_BITS' , 8, 0; numeric_option 'PROVIDER_BITS' , 8, 0;
numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0; numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
if ( $config{PROVIDER_OFFSET} ) { if ( $config{PROVIDER_OFFSET} ) {
$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS}; $config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 31' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 31; fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 32;
$globals{EXCLUSION_MASK} = 1 << ( $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS} );
} elsif ( $config{MASK_BITS} >= $config{PROVIDER_BITS} ) {
$globals{EXCLUSION_MASK} = 1 << $config{MASK_BITS};
} else {
$globals{EXCLUSION_MASK} = 1 << $config{PROVIDER_BITS};
} }
$globals{TC_MAX} = make_mask( $config{TC_BITS} ); $globals{TC_MAX} = make_mask( $config{TC_BITS} );
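Review bot: the left-hand column's `require_capability 'MARK' , 'FOREWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};` misspells the option name in the user-facing message (`FOREWARD`) and carries a stray comma before the `if` modifier; it should read `require_capability 'MARK', 'FORWARD_CLEAR_MARK=Yes', 's' if $config{FORWARD_CLEAR_MARK};`. On the limit check, the left-hand `> 31` goes together with the new `$globals{EXCLUSION_MASK} = 1 << ( $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS} )`, which needs one bit above the provider field inside a 32-bit mark; if that line is taken, the `31` must come with it, because the right-hand `> 32` would let `1 << 32` through.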
@@ -3107,12 +2966,6 @@ sub get_configuration( $ ) {
$globals{PROVIDER_MIN} = 1 << $config{PROVIDER_OFFSET}; $globals{PROVIDER_MIN} = 1 << $config{PROVIDER_OFFSET};
$globals{PROVIDER_MASK} = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET}; $globals{PROVIDER_MASK} = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET};
if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
} else {
$globals{USER_MASK} = 0;
}
if ( defined ( $val = $config{ZONE2ZONE} ) ) { if ( defined ( $val = $config{ZONE2ZONE} ) ) {
fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/; fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
} else { } else {

View File

@@ -73,7 +73,7 @@ our @EXPORT = qw( ALLIPv4
validate_icmp6 validate_icmp6
); );
our @EXPORT_OK = qw( ); our @EXPORT_OK = qw( );
our $VERSION = '4.4_12'; our $VERSION = '4.4_7';
# #
# Some IPv4/6 useful stuff # Some IPv4/6 useful stuff
@@ -87,19 +87,18 @@ our $validate_address;
our $validate_net; our $validate_net;
our $validate_range; our $validate_range;
our $validate_host; our $validate_host;
our $family;
use constant { ALLIPv4 => '0.0.0.0/0' , use constant { ALLIPv4 => '0.0.0.0/0' ,
ALLIPv6 => '::/0' , ALLIPv6 => '::/0' ,
IPv4_MULTICAST => '224.0.0.0/4' , IPv4_MULTICAST => '224.0.0.0/4' ,
IPv6_MULTICAST => 'ff00::/8' , IPv6_MULTICAST => 'FF00::/10' ,
IPv6_LINKLOCAL => 'fe80::/10' , IPv6_LINKLOCAL => 'FF80::/10' ,
IPv6_SITELOCAL => 'feC0::/10' , IPv6_SITELOCAL => 'FFC0::/10' ,
IPv6_LOOPBACK => '::1' , IPv6_LOOPBACK => '::1' ,
IPv6_LINK_ALLNODES => 'ff01::1' , IPv6_LINK_ALLNODES => 'FF01::1' ,
IPv6_LINK_ALLRTRS => 'ff01::2' , IPv6_LINK_ALLRTRS => 'FF01::2' ,
IPv6_SITE_ALLNODES => 'ff02::1' , IPv6_SITE_ALLNODES => 'FF02::1' ,
IPv6_SITE_ALLRTRS => 'ff02::2' , IPv6_SITE_ALLRTRS => 'FF02::2' ,
ICMP => 1, ICMP => 1,
TCP => 6, TCP => 6,
UDP => 17, UDP => 17,
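Review bot: the right-hand column's IPv6 constants are wrong: `IPv6_LINKLOCAL => 'FF80::/10'` and `IPv6_SITELOCAL => 'FFC0::/10'` are multicast prefixes; the correct values are `fe80::/10` and `fec0::/10`, as the left-hand column has them, and IPv6 multicast is `ff00::/8`, not `FF00::/10`. Rules built from the right-hand values would never match link-local traffic. Separately, in both columns the names do not match the scopes of the addresses: `ff01::1`/`ff01::2` are the interface-local all-nodes/all-routers groups and `ff02::1`/`ff02::2` are the link-local ones (the site-local groups are `ff05::1`/`ff05::2`), so `IPv6_LINK_ALLNODES => 'ff01::1'` and `IPv6_SITE_ALLNODES => 'ff02::1'` (and the `_ALLRTRS` pair) should either be renamed or given the addresses their names imply.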
@@ -124,8 +123,8 @@ sub valid_4address( $ ) {
my @address = split /\./, $address; my @address = split /\./, $address;
return 0 unless @address == 4; return 0 unless @address == 4;
for ( @address ) { for my $a ( @address ) {
return 0 unless /^\d+$/ && $_ < 256; return 0 unless $a =~ /^\d+$/ && $a < 256;
} }
1; 1;
@@ -158,8 +157,8 @@ sub decodeaddr( $ ) {
my $result = shift @address; my $result = shift @address;
for ( @address ) { for my $a ( @address ) {
$result = ( $result << 8 ) | $_; $result = ( $result << 8 ) | $a;
} }
$result; $result;
@@ -293,11 +292,6 @@ sub resolve_proto( $ ) {
$number = numeric_value ( $proto ); $number = numeric_value ( $proto );
defined $number && $number <= 65535 ? $number : undef; defined $number && $number <= 65535 ? $number : undef;
} else { } else {
#
# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
#
$proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6;
defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto; defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
} }
} }
@@ -338,7 +332,7 @@ sub validate_portpair( $$ ) {
my @ports = split /:/, $portpair, 2; my @ports = split /:/, $portpair, 2;
$_ = validate_port( $proto, $_) for ( grep $_, @ports ); $_ = validate_port( $proto, $_) for ( @ports );
if ( @ports == 2 ) { if ( @ports == 2 ) {
fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1]; fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
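Review bot: `for ( grep $_, @ports )` in the left-hand column skips validation not only for the empty element of an open range such as `:1023` but also for a literal `0`, because `grep $_` tests truthiness; use `grep length, @ports` (or `grep { $_ ne '' } @ports`) so port 0 still goes through `validate_port`. The right-hand column validates every element including the empty one, so there an open-ended range such as `1024:` ends up calling `validate_port( $proto, '' )`.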
@@ -445,7 +439,7 @@ sub expand_port_range( $$ ) {
# #
# Validate the ports # Validate the ports
# #
( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) ); ( $first , $last ) = ( validate_port( $proto, $first ) , validate_port( $proto, $last ) );
$last++; #Increment last address for limit testing. $last++; #Increment last address for limit testing.
# #
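Review bot: `validate_port( $proto, $first || 1 )` in the left-hand column silently turns a lower bound of `0` into `1`, not only a missing one; if ranges starting at port 0 are meant to be accepted, test for `length $first` rather than truth, and if they are not, reject them with an explicit `fatal_error` instead of rewriting the range.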
@@ -507,7 +501,7 @@ sub valid_6address( $ ) {
unless ( $address =~ /::$/ ) { unless ( $address =~ /::$/ ) {
return 0 if $address =~ /:$/; return 0 if $address =~ /:$/;
} }
for my $a ( @address ) { for my $a ( @address ) {
return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 ); return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 );
} }
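Review bot: this hunk only changes whitespace, but the context line `return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 );` carries a bug in both columns: the character class `A-f` is the ASCII range from `A` (0x41) to `f` (0x66), which also includes `G`-`Z`, `[`, `\`, `]`, `^`, `_` and the backtick, so `valid_6address` accepts groups such as `GGGG::1`. The class should be `[a-fA-F\d]`.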
@@ -576,7 +570,7 @@ sub normalize_6addr( $ ) {
1 while $addr =~ s/::/:0:/; 1 while $addr =~ s/::/:0:/;
$addr =~ s/^0+:/0:/; $addr =~ s/^0+:/0:/;
$addr; $addr;
} }
} }
@@ -688,7 +682,7 @@ sub validate_host ($$ ) {
# able to re-initialize its dependent modules' state. # able to re-initialize its dependent modules' state.
# #
sub initialize( $ ) { sub initialize( $ ) {
$family = shift; my $family = shift;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
$allip = ALLIPv4; $allip = ALLIPv4;

View File

@@ -36,7 +36,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses ); our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
our @EXPORT_OK = (); our @EXPORT_OK = ();
our $VERSION = '4.4_13'; our $VERSION = '4.4_9';
our @addresses_to_add; our @addresses_to_add;
our %addresses_to_add; our %addresses_to_add;
@@ -49,6 +49,56 @@ sub initialize() {
%addresses_to_add = (); %addresses_to_add = ();
} }
#
# Handle IPSEC Options in a masq record
#
sub do_ipsec_options($)
{
my %validoptions = ( strict => NOTHING,
next => NOTHING,
reqid => NUMERIC,
spi => NUMERIC,
proto => IPSECPROTO,
mode => IPSECMODE,
"tunnel-src" => NETWORK,
"tunnel-dst" => NETWORK,
);
my $list=$_[0];
my $options = '-m policy --pol ipsec --dir out ';
my $fmt;
for my $e ( split_list $list, 'option' ) {
my $val = undef;
my $invert = '';
if ( $e =~ /([\w-]+)!=(.+)/ ) {
$val = $2;
$e = $1;
$invert = '! ';
} elsif ( $e =~ /([\w-]+)=(.+)/ ) {
$val = $2;
$e = $1;
}
$fmt = $validoptions{$e};
fatal_error "Invalid Option ($e)" unless $fmt;
if ( $fmt eq NOTHING ) {
fatal_error "Option \"$e\" does not take a value" if defined $val;
} else {
fatal_error "Missing value for option \"$e\"" unless defined $val;
fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
}
$options .= $invert;
$options .= "--$e ";
$options .= "$val " if defined $val;
}
$options;
}
# #
# Process a single rule from the the masq file # Process a single rule from the the masq file
# #
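Review bot: the two option regexes in the right-hand column's `do_ipsec_options`, `/([\w-]+)!=(.+)/` and `/([\w-]+)=(.+)/`, are unanchored, so an entry such as `x reqid=5` matches with `$e = 'reqid'` and the leading junk is silently discarded instead of reaching the `Invalid Option` check; anchor them as `/^([\w-]+)!=(.+)$/` and `/^([\w-]+)=(.+)$/`. The helper also hard-codes `--pol ipsec --dir out`, whereas the left-hand column passes direction and policy as arguments (`do_ipsec_options 'out', 'ipsec', $ipsec`), so this local copy can serve only the masq file and duplicates logic the three-argument form already covers. Style: `my $list=$_[0];` should be `my $list = shift;` to match the surrounding code.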
@@ -103,11 +153,11 @@ sub process_one_masq( )
fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless have_capability( 'POLICY_MATCH' ); fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables" unless have_capability( 'POLICY_MATCH' );
if ( $ipsec =~ /^yes$/i ) { if ( $ipsec =~ /^yes$/i ) {
$baserule .= do_ipsec_options 'out', 'ipsec', ''; $baserule .= '-m policy --pol ipsec --dir out ';
} elsif ( $ipsec =~ /^no$/i ) { } elsif ( $ipsec =~ /^no$/i ) {
$baserule .= do_ipsec_options 'out', 'none', ''; $baserule .= '-m policy --pol none --dir out ';
} else { } else {
$baserule .= do_ipsec_options 'out', 'ipsec', $ipsec; $baserule .= do_ipsec_options $ipsec;
} }
} elsif ( have_ipsec ) { } elsif ( have_ipsec ) {
$baserule .= '-m policy --pol none --dir out '; $baserule .= '-m policy --pol none --dir out ';
@@ -125,7 +175,7 @@ sub process_one_masq( )
for my $fullinterface (split_list $interfacelist, 'interface' ) { for my $fullinterface (split_list $interfacelist, 'interface' ) {
my $rule = ''; my $rule = '';
my $target = 'MASQUERADE '; my $target = '-j MASQUERADE ';
# #
# Isolate and verify the interface part # Isolate and verify the interface part
# #
@@ -171,7 +221,7 @@ sub process_one_masq( )
fatal_error "The SAME target is no longer supported"; fatal_error "The SAME target is no longer supported";
} elsif ( $addresses eq 'detect' ) { } elsif ( $addresses eq 'detect' ) {
my $variable = get_interface_address $interface; my $variable = get_interface_address $interface;
$target = "SNAT --to-source $variable"; $target = "-j SNAT --to-source $variable";
if ( interface_is_optional $interface ) { if ( interface_is_optional $interface ) {
add_commands( $chainref, add_commands( $chainref,
@@ -181,13 +231,13 @@ sub process_one_masq( )
$detectaddress = 1; $detectaddress = 1;
} }
} elsif ( $addresses eq 'NONAT' ) { } elsif ( $addresses eq 'NONAT' ) {
$target = 'RETURN'; $target = '-j RETURN';
$add_snat_aliases = 0; $add_snat_aliases = 0;
} else { } else {
my $addrlist = ''; my $addrlist = '';
for my $addr ( split_list $addresses , 'address' ) { for my $addr ( split_list $addresses , 'address' ) {
if ( $addr =~ /^.*\..*\..*\./ ) { if ( $addr =~ /^.*\..*\..*\./ ) {
$target = 'SNAT '; $target = '-j SNAT ';
my ($ipaddr, $rest) = split ':', $addr; my ($ipaddr, $rest) = split ':', $addr;
if ( $ipaddr =~ /^(.+)-(.+)$/ ) { if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
validate_range( $1, $2 ); validate_range( $1, $2 );
@@ -398,9 +448,7 @@ sub setup_netmap() {
while ( read_a_line ) { while ( read_a_line ) {
my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file'; my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';
$net3 = ALLIP if $net3 eq '-';
for my $interface ( split_list $interfacelist, 'interface' ) { for my $interface ( split_list $interfacelist, 'interface' ) {
@@ -411,15 +459,15 @@ sub setup_netmap() {
fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface ); fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
unless ( $interfaceref->{root} ) { unless ( $interfaceref->{root} ) {
$rulein = match_source_dev( $interface ); $rulein = match_source_dev $interface;
$ruleout = match_dest_dev( $interface ); $ruleout = match_dest_dev $interface;
$interface = $interfaceref->{name}; $interface = $interfaceref->{name};
} }
if ( $type eq 'DNAT' ) { if ( $type eq 'DNAT' ) {
add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2"; add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein . "-d $net1 -j NETMAP --to $net2";
} elsif ( $type eq 'SNAT' ) { } elsif ( $type eq 'SNAT' ) {
add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 ) . "-s $net1 -j NETMAP --to $net2"; add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
} else { } else {
fatal_error "Invalid type ($type)"; fatal_error "Invalid type ($type)";
} }

View File

@@ -34,7 +34,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains); our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
our @EXPORT_OK = qw( ); our @EXPORT_OK = qw( );
our $VERSION = '4.4_12'; our $VERSION = '4.4_9';
# @policy_chains is a list of references to policy chains in the filter table # @policy_chains is a list of references to policy chains in the filter table
@@ -246,7 +246,7 @@ sub process_a_policy() {
$chainref->{synchain} = $chain $chainref->{synchain} = $chain
} }
$chainref->{default} = $default if $default; $chainref->{default} = $default if $default;
if ( $clientwild ) { if ( $clientwild ) {
if ( $serverwild ) { if ( $serverwild ) {
@@ -286,7 +286,7 @@ sub save_policies() {
} }
} }
} }
} }
sub validate_policy() sub validate_policy()
{ {
@@ -307,7 +307,6 @@ sub validate_policy()
NFQUEUE_DEFAULT => 'NFQUEUE' ); NFQUEUE_DEFAULT => 'NFQUEUE' );
my $zone; my $zone;
my $firewall = firewall_zone;
our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' ); our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ { for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
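Review bot: `my $firewall = firewall_zone;` in the left-hand column is assigned but never used in the visible code, which still calls `firewall_zone` directly a few lines later (`new_policy_chain firewall_zone, $zone, 'NONE', PROVISIONAL`); either use `$firewall` there or drop the variable.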
@@ -333,15 +332,13 @@ sub validate_policy()
push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', PROVISIONAL ); push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', PROVISIONAL );
push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE', PROVISIONAL ) if zone_type( $zone ) == BPORT; push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE', PROVISIONAL ) if zone_type( $zone ) == BPORT;
my $zoneref = find_zone( $zone ); if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} == VSERVER ) ) {
for my $zone1 ( all_zones ) { for my $zone1 ( all_zones ) {
unless( $zone eq $zone1 ) { unless( $zone eq $zone1 ) {
add_or_modify_policy_chain( $zone, $zone1 ); add_or_modify_policy_chain( $zone, $zone1 );
add_or_modify_policy_chain( $zone1, $zone ); add_or_modify_policy_chain( $zone1, $zone );
} }
} }
} }
} }
@@ -418,14 +415,13 @@ sub apply_policy_rules() {
for my $chainref ( @policy_chains ) { for my $chainref ( @policy_chains ) {
my $policy = $chainref->{policy}; my $policy = $chainref->{policy};
my $loglevel = $chainref->{loglevel};
my $provisional = $chainref->{provisional};
my $default = $chainref->{default};
my $name = $chainref->{name};
my $synparms = $chainref->{synparms};
unless ( $policy eq 'NONE' ) { if ( $policy ne 'NONE' ) {
my $loglevel = $chainref->{loglevel};
my $provisional = $chainref->{provisional};
my $default = $chainref->{default};
my $name = $chainref->{name};
my $synparms = $chainref->{synparms};
unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) { unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
if ( $config{OPTIMIZE} & 2 ) { if ( $config{OPTIMIZE} & 2 ) {
# #
@@ -496,14 +492,7 @@ sub setup_syn_flood_chains() {
my $level = $chainref->{loglevel}; my $level = $chainref->{loglevel};
my $synchainref = new_chain 'filter' , syn_flood_chain $chainref; my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
add_rule $synchainref , "${limit}-j RETURN"; add_rule $synchainref , "${limit}-j RETURN";
log_rule_limit( $level , log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
$synchainref ,
$chainref->{name} ,
'DROP',
$globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' ,
'' ,
'add' ,
'' )
if $level ne ''; if $level ne '';
add_rule $synchainref, '-j DROP'; add_rule $synchainref, '-j DROP';
} }

View File

@@ -58,7 +58,7 @@ sub setup_arp_filtering() {
for my $interface ( @$interfaces ) { for my $interface ( @$interfaces ) {
my $value = get_interface_option $interface, 'arp_filter'; my $value = get_interface_option $interface, 'arp_filter';
my $optional = interface_is_optional $interface; my $optional = interface_is_optional $interface;
$interface = get_physical $interface; $interface = get_physical $interface;
my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter"; my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
@@ -74,7 +74,7 @@ sub setup_arp_filtering() {
for my $interface ( @$interfaces1 ) { for my $interface ( @$interfaces1 ) {
my $value = get_interface_option $interface, 'arp_ignore'; my $value = get_interface_option $interface, 'arp_ignore';
my $optional = interface_is_optional $interface; my $optional = interface_is_optional $interface;
$interface = get_physical $interface; $interface = get_physical $interface;
my $file = "/proc/sys/net/ipv4/conf/$interface/arp_ignore"; my $file = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
@@ -118,7 +118,7 @@ sub setup_route_filtering() {
for my $interface ( @$interfaces ) { for my $interface ( @$interfaces ) {
my $value = get_interface_option $interface, 'routefilter'; my $value = get_interface_option $interface, 'routefilter';
my $optional = interface_is_optional $interface; my $optional = interface_is_optional $interface;
$interface = get_physical $interface; $interface = get_physical $interface;
my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter"; my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
@@ -169,7 +169,7 @@ sub setup_martian_logging() {
for my $interface ( @$interfaces ) { for my $interface ( @$interfaces ) {
my $value = get_interface_option $interface, 'logmartians'; my $value = get_interface_option $interface, 'logmartians';
my $optional = interface_is_optional $interface; my $optional = interface_is_optional $interface;
$interface = get_physical $interface; $interface = get_physical $interface;
my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians"; my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";

View File

@@ -35,7 +35,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces ); our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
our @EXPORT_OK = qw( initialize lookup_provider ); our @EXPORT_OK = qw( initialize lookup_provider );
our $VERSION = '4.4_13'; our $VERSION = '4.4_10';
use constant { LOCAL_TABLE => 255, use constant { LOCAL_TABLE => 255,
MAIN_TABLE => 254, MAIN_TABLE => 254,
@@ -158,7 +158,7 @@ sub copy_and_edit_table( $$$$ ) {
my ( $duplicate, $number, $copy, $realm) = @_; my ( $duplicate, $number, $copy, $realm) = @_;
# #
# Hack to work around problem in iproute # Hack to work around problem in iproute
# #
my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : ''; my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
# #
# Map physical names in $copy to logical names # Map physical names in $copy to logical names
@@ -275,7 +275,7 @@ sub add_a_provider( ) {
require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s"; require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
} }
fatal_error "Unknown Interface ($interface)" unless known_interface( $interface, 1 ); fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface; fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;
my $physical = get_physical $interface; my $physical = get_physical $interface;
@@ -295,7 +295,7 @@ sub add_a_provider( ) {
$gateway = ''; $gateway = '';
} }
my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $local ) = my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $local ) =
(0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' , 0 ); (0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' , 0 );
unless ( $options eq '-' ) { unless ( $options eq '-' ) {
@@ -340,7 +340,7 @@ sub add_a_provider( ) {
} elsif ( $option eq 'local' ) { } elsif ( $option eq 'local' ) {
$local = 1; $local = 1;
$track = 0 if $config{TRACK_PROVIDERS}; $track = 0 if $config{TRACK_PROVIDERS};
$default_balance = 0 if$config{USE_DEFAULT_RT}; $default_balance = 0 if$config{USE_DEFAULT_RT};
} else { } else {
fatal_error "Invalid option ($option)"; fatal_error "Invalid option ($option)";
} }
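Review bot: `$default_balance = 0 if$config{USE_DEFAULT_RT};` in both columns is missing the space between `if` and `$config`; Perl parses it, but it should be `if $config{USE_DEFAULT_RT}` for consistency with the neighbouring `$track = 0 if $config{TRACK_PROVIDERS};`.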
@@ -435,12 +435,10 @@ sub add_a_provider( ) {
} }
if ( $mark ne '-' ) { if ( $mark ne '-' ) {
my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : ''; emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD}; emit ( "run_ip rule add fwmark $mark pref $pref table $number",
"echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
"echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_routing"
); );
} }
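Review bot: the left-hand column's `my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';` nests two parenthesis-less calls inside a ternary and only parses as intended if both subs have `($)` prototypes; write `have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex( $globals{PROVIDER_MASK} ) : ''`. Using the same `$mask` in the `undo_routing` entry is right, because `ip rule del` must name the selector exactly as it was added; for the same reason the `rule del` emitted under DELETE_THEN_ADD will not remove a plain `fwmark $mark` rule left behind by a script compiled from the right-hand column, which is worth a line in the upgrade notes.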
@@ -548,7 +546,7 @@ sub start_new_if( $ ) {
emit ( '', qq(if [ -n "\$SW_${current_if}_IS_USABLE" ]; then) ); emit ( '', qq(if [ -n "\$SW_${current_if}_IS_USABLE" ]; then) );
push_indent; push_indent;
} }
# #
# Complete any current 'if' statement in the output script # Complete any current 'if' statement in the output script
# #
@@ -845,100 +843,55 @@ sub lookup_provider( $ ) {
# #
sub handle_optional_interfaces( $ ) { sub handle_optional_interfaces( $ ) {
my ( $interfaces, $wildcards ) = find_interfaces_by_option1 'optional'; my $returnvalue = verify_required_interfaces( shift );
#
# find_interfaces_by_option1() does not return wildcard interfaces. If an interface is defined
# as a wildcard in /etc/shorewall/interfaces, then only specific interfaces matching that
# wildcard are returned.
#
my $interfaces = find_interfaces_by_option1 'optional';
if ( @$interfaces ) { if ( @$interfaces ) {
my $require = $config{REQUIRE_INTERFACE}; for my $interface ( @$interfaces ) {
my $provider = $provider_interfaces{$interface};
verify_required_interfaces( shift ); my $physical = get_physical $interface;
my $base = uc chain_base( $physical );
emit( 'HAVE_INTERFACE=', '' ) if $require; emit( '' );
#
# Clear the '_IS_USABLE' variables
#
emit( join( '_', 'SW', uc chain_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
if ( $wildcards ) { if ( $config{REQUIRE_INTERFACE} ) {
# emit( 'HAVE_INTERFACE=' );
# We must consider all interfaces with an address in $family -- generate a list of such addresses. emit( '' );
# }
emit( '',
'for interface in $(find_all_interfaces1); do',
);
push_indent; if ( $provider ) {
emit ( 'case "$interface" in' ); #
push_indent; # This interface is associated with a non-shared provider -- get the provider table entry
} else { #
emit ''; my $providerref = $providers{$provider};
}
for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) { if ( $providerref->{gatewaycase} eq 'detect' ) {
my $provider = $provider_interfaces{$interface}; emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
my $physical = get_physical $interface; } else {
my $base = uc chain_base( $physical ); emit qq(if interface_is_usable $physical; then);
my $providerref = $providers{$provider}; }
emit( "$physical)" ), push_indent if $wildcards;
if ( $providerref->{gatewaycase} eq 'detect' ) {
emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
} else { } else {
#
# Not a provider interface
#
emit qq(if interface_is_usable $physical; then); emit qq(if interface_is_usable $physical; then);
} }
emit( ' HAVE_INTERFACE=Yes' ) if $require; emit( ' HAVE_INTERFACE=Yes' ) if $config{REQUIRE_INTERFACE};
emit( " SW_${base}_IS_USABLE=Yes" , emit( " SW_${base}_IS_USABLE=Yes" ,
'else' ,
" SW_${base}_IS_USABLE=" ,
'fi' ); 'fi' );
emit( ';;' ), pop_indent if $wildcards;
} }
for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) { if ( $config{REQUIRE_INTERFACE} ) {
my $physical = get_physical $interface; emit( '',
my $base = uc chain_base( $physical );
my $case = $physical;
my $wild = $case =~ s/\+$/*/;
if ( $wildcards ) {
emit( "$case)" );
push_indent;
if ( $wild ) {
emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
push_indent;
emit ( 'if interface_is_usable $interface; then' );
} else {
emit ( "if interface_is_usable $physical; then" );
}
} else {
emit ( "if interface_is_usable $physical; then" );
}
emit ( ' HAVE_INTERFACE=Yes' ) if $require;
emit ( " SW_${base}_IS_USABLE=Yes" ,
'fi' );
if ( $wildcards ) {
pop_indent, emit( 'fi' ) if $wild;
emit( ';;' );
pop_indent;
}
}
if ( $wildcards ) {
emit( '*)' ,
' ;;'
);
pop_indent;
emit( 'esac' );
pop_indent;
emit('done' );
}
if ( $require ) {
emit( '',
'if [ -z "$HAVE_INTERFACE" ]; then' , 'if [ -z "$HAVE_INTERFACE" ]; then' ,
' case "$COMMAND" in', ' case "$COMMAND" in',
' start|restart|restore|refresh)' ' start|restart|restore|refresh)'
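Review bot: the left-hand column's wildcard path only tests interfaces that exist at run time (`for interface in $(find_all_interfaces1); do ... case "$interface" in`), so an absent optional interface never reaches its case label and its `SW_*_IS_USABLE` variable is never assigned inside the loop; that is correct only because of the unconditional clear emitted beforehand (`emit( join( '_', 'SW', uc chain_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;`), so keep that clear if the block is reworked. Style: `emit( "$physical)" ), push_indent if $wildcards;` and `emit( ';;' ), pop_indent if $wildcards;` chain two statements with the comma operator under one modifier; `if ( $wildcards ) { emit( "$physical)" ); push_indent; }` is clearer and matches the explicit blocks used in the non-provider loop below it.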
@@ -949,10 +902,10 @@ sub handle_optional_interfaces( $ ) {
} else { } else {
emit( ' if shorewall6_is_started; then' ); emit( ' if shorewall6_is_started; then' );
} }
emit( ' fatal_error "No network interface available"', emit( ' fatal_error "No network interface available"',
' else', ' else',
' startup_error "No network interface available"', ' startup_error "No network interface available',
' fi', ' fi',
' ;;', ' ;;',
' esac', ' esac',
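Review bot: the right-hand column's `' startup_error "No network interface available',` is missing the closing double quote inside the emitted shell line, so the generated script would contain an unterminated string and fail to parse; the left-hand column's `' startup_error "No network interface available"',` is the correct form.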
@@ -960,10 +913,10 @@ sub handle_optional_interfaces( $ ) {
); );
} }
return 1; $returnvalue = 1;
} }
verify_required_interfaces( shift ); $returnvalue;
} }
# #
@@ -1002,14 +955,14 @@ sub handle_stickiness( $ ) {
} else { } else {
$rule1 = $_; $rule1 = $_;
$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/; $rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
$rule2 = '';
} }
assert ( $rule1 =~ s/^-A // ); $rule1 =~ s/-A tcpre //;
add_rule $chainref, $rule1; add_rule $chainref, $rule1;
if ( $rule2 ) { if ( $rule2 ) {
assert ( $rule2 =~ s/^-A // ); $rule2 =~ s/-A tcpre //;
add_rule $chainref, $rule2; add_rule $chainref, $rule2;
} }
} }
@@ -1029,14 +982,14 @@ sub handle_stickiness( $ ) {
} else { } else {
$rule1 = $_; $rule1 = $_;
$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/; $rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
$rule2 = '';
} }
assert( $rule1 =~ s/-A // ); $rule1 =~ s/-A tcout //;
add_rule $chainref, $rule1; add_rule $chainref, $rule1;
if ( $rule2 ) { if ( $rule2 ) {
$rule2 =~ s/-A //; $rule2 =~ s/-A tcout //;
add_rule $chainref, $rule2; add_rule $chainref, $rule2;
} }
} }
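Review bot: the left-hand column is inconsistent between the two sticky blocks: the `sticky` block above uses `assert ( $rule1 =~ s/^-A // )` and `assert ( $rule2 =~ s/^-A // )`, while this `sticko` block uses an unanchored `assert( $rule1 =~ s/-A // )` and a bare `$rule2 =~ s/-A //;` with no assert. Anchor both substitutions and assert both, so a rule that unexpectedly lacks the leading `-A ` is caught here too and a `-A ` appearing later in the rule text (for example inside a list name) is never the part that gets stripped.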

View File

@@ -34,7 +34,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_notrack ); our @EXPORT = qw( setup_notrack );
our @EXPORT_OK = qw( ); our @EXPORT_OK = qw( );
our $VERSION = '4.4_13'; our $VERSION = '4.3_7';
# #
# Notrack # Notrack
@@ -50,9 +50,9 @@ sub process_notrack_rule( $$$$$$ ) {
( my $zone, $source) = split /:/, $source, 2; ( my $zone, $source) = split /:/, $source, 2;
my $zoneref = find_zone $zone; my $zoneref = find_zone $zone;
my $chainref = ensure_raw_chain( notrack_chain $zone ); my $chainref = ensure_raw_chain( notrack_chain $zone );
my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT; my $restriction = $zone eq firewall_zone ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT; fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
require_capability 'RAW_TABLE', 'Notrack rules', ''; require_capability 'RAW_TABLE', 'Notrack rules', '';
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ); my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
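Review bot: on the right `my $zoneref = find_zone $zone;` is kept but `$zoneref` is not used anywhere in this hunk; the zone test is done by name with `$zone eq firewall_zone`. If the call is there only for its fatal-error side effect on an unknown zone, say so in a comment or drop the assignment; if the lookup is meant to be used, the left's `$zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER` is the form that also covers Vserver zones, and its error text ('... unless the SOURCE zone is $FW or a Vserver zone') is correctly single-quoted so `$FW` stays literal.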
@@ -64,7 +64,7 @@ sub process_notrack_rule( $$$$$$ ) {
$source , $source ,
$dest , $dest ,
'' , '' ,
'NOTRACK' , '-j NOTRACK' ,
'' , '' ,
'NOTRACK' , 'NOTRACK' ,
'' ; '' ;
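Review bot: the target argument passed to expand_rule changes from `'NOTRACK'` to `'-j NOTRACK'` in the same position, i.e. the two columns disagree on whether the caller or expand_rule supplies `-j`. That contract is defined outside this file (one diff on this page is suppressed as too large), so check it against the same call in the tc module further down, where the left passes `$mark ? "$target $mark" : $target` plus a separate `$target` argument and the right passes `"-j $target $mark"`; both call sites must follow one convention or one of them will emit a rule with a doubled or missing `-j`.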

File diff suppressed because it is too large

View File

@@ -40,44 +40,37 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tc ); our @EXPORT = qw( setup_tc );
our @EXPORT_OK = qw( process_tc_rule initialize ); our @EXPORT_OK = qw( process_tc_rule initialize );
our $VERSION = '4.4_13'; our $VERSION = '4.4_9';
our %tcs = ( T => { chain => 'tcpost', our %tcs = ( T => { chain => 'tcpost',
connmark => 0, connmark => 0,
fw => 1, fw => 1
fwi => 0,
} , } ,
CT => { chain => 'tcpost' , CT => { chain => 'tcpost' ,
target => 'CONNMARK --set-mark' , target => 'CONNMARK --set-mark' ,
connmark => 1 , connmark => 1 ,
fw => 1 , fw => 1
fwi => 0,
} , } ,
C => { target => 'CONNMARK --set-mark' , C => { target => 'CONNMARK --set-mark' ,
connmark => 1 , connmark => 1 ,
fw => 1 , fw => 1
fwi => 1 ,
} , } ,
P => { chain => 'tcpre' , P => { chain => 'tcpre' ,
connmark => 0 , connmark => 0 ,
fw => 0 , fw => 0
fwi => 0 ,
} , } ,
CP => { chain => 'tcpre' , CP => { chain => 'tcpre' ,
target => 'CONNMARK --set-mark' , target => 'CONNMARK --set-mark' ,
connmark => 1 , connmark => 1 ,
fw => 0 , fw => 0
fwi => 0 ,
} , } ,
F => { chain => 'tcfor' , F => { chain => 'tcfor' ,
connmark => 0 , connmark => 0 ,
fw => 0 , fw => 0
fwi => 0 ,
} , } ,
CF => { chain => 'tcfor' , CF => { chain => 'tcfor' ,
connmark => 1 , connmark => 1 ,
fw => 0 , fw => 0 ,
fwi => 0 ,
} , } ,
); );
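Review bot: the `fwi` flag added on the left is what the later `fatal_error "Invalid chain designator for dest $fw" unless $tcsref->{fwi}` relies on, and only `C` sets `fwi => 1`; a short comment on the table saying that `fw` means "allowed when SOURCE is $FW" and `fwi` "allowed when DEST is $FW" would save the next reader from reverse-engineering it. On the right, `CF` keeps a trailing comma after `fw => 0 ,` while the other entries do not; harmless in Perl, but make it uniform.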
@@ -165,7 +158,6 @@ our %tcclasses;
our %restrictions = ( tcpre => PREROUTE_RESTRICT , our %restrictions = ( tcpre => PREROUTE_RESTRICT ,
tcpost => POSTROUTE_RESTRICT , tcpost => POSTROUTE_RESTRICT ,
tcfor => NO_RESTRICT , tcfor => NO_RESTRICT ,
tcin => INPUT_RESTRICT ,
tcout => OUTPUT_RESTRICT ); tcout => OUTPUT_RESTRICT );
our $family; our $family;
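Review bot: `tcin => INPUT_RESTRICT` exists only on the left, and `$restrictions{$chain}` is later handed straight to expand_rule; on the side without the entry, any code path that still sets `$chain = 'tcin'` would pass `undef` as the restriction and the rule would be placed with no restriction at all. Grep for `'tcin'` on that side before merging, or make the lookup fail loudly when the key is missing.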
@@ -226,23 +218,12 @@ sub process_tc_rule( ) {
} }
} }
if ( $dest ) {
if ( $dest eq $fw ) {
$chain = 'tcin';
$dest = '';
} else {
$chain = 'tcin' if $dest =~ s/^($fw)://;
}
}
if ( $designator ) { if ( $designator ) {
$tcsref = $tcs{$designator}; $tcsref = $tcs{$designator};
if ( $tcsref ) { if ( $tcsref ) {
if ( $chain eq 'tcout' ) { if ( $chain eq 'tcout' ) {
fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw}; fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
} elsif ( $chain eq 'tcin' ) {
fatal_error "Invalid chain designator for dest $fw" unless $tcsref->{fwi};
} }
$chain = $tcsref->{chain} if $tcsref->{chain}; $chain = $tcsref->{chain} if $tcsref->{chain};
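Review bot: `$chain = 'tcin' if $dest =~ s/^($fw)://;` interpolates the firewall zone name into a regex unquoted, so a zone name containing regex metacharacters would not be matched literally, and the capture group is never used. Write it as `s/^\Q$fw\E://` (the preceding `$dest eq $fw` test already covers the exact-match case). The DEST-is-$FW rewrite also has to run before the designator check so that `fatal_error "Invalid chain designator for dest $fw"` sees `tcin`; a one-line comment on that ordering would keep someone from reordering the blocks.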
@@ -269,8 +250,6 @@ sub process_tc_rule( ) {
$list = ''; $list = '';
my $restriction = 0;
unless ( $classid ) { unless ( $classid ) {
MARK: MARK:
{ {
@@ -280,7 +259,7 @@ sub process_tc_rule( ) {
require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark}; require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
$target = $tccmd->{target}; $target = "$tccmd->{target} ";
my $marktype = $tccmd->{mark}; my $marktype = $tccmd->{mark};
if ( $marktype == NOMARK ) { if ( $marktype == NOMARK ) {
@@ -289,19 +268,15 @@ sub process_tc_rule( ) {
$mark =~ s/^[|&]//; $mark =~ s/^[|&]//;
} }
if ( $target eq 'sticky' ) { if ( $target eq 'sticky ' ) {
if ( $chain eq 'tcout' ) { if ( $chain eq 'tcout' ) {
$target = 'sticko'; $target = 'sticko';
} else { } else {
fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre'; fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
} }
$restriction = DESTIFACE_DISALLOW;
ensure_mangle_chain($target);
$sticky++; $sticky++;
} elsif ( $target eq 'IPMARK' ) { } elsif ( $target eq 'IPMARK ' ) {
my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 ); my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
require_capability 'IPMARK_TARGET', 'IPMARK', 's'; require_capability 'IPMARK_TARGET', 'IPMARK', 's';
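Review bot: the left adds `$restriction = DESTIFACE_DISALLOW` and `ensure_mangle_chain($target)` for sticky/sticko rules, both absent on the right. Without the first, a sticky rule carrying a DEST interface in PREROUTING is not rejected here and depends on whatever expand_rule does with it; without the second, the `sticky`/`sticko` chain must be created somewhere else before handle_stickiness runs. Note also that `$target` is compared with `eq 'sticky'` on the left but `eq 'sticky '` on the right, so this block only works with whichever trailing-space convention its `$target = $tccmd->{target}` assignment uses.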
@@ -338,11 +313,11 @@ sub process_tc_rule( ) {
} }
$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift"; $target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
} elsif ( $target eq 'TPROXY' ) { } elsif ( $target eq 'TPROXY ' ) {
require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's'); require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest; fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
$chain = 'tcpre'; $chain = 'tcpre';
$cmd =~ /TPROXY\((.+?)\)$/; $cmd =~ /TPROXY\((.+?)\)$/;
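Review bot: `$cmd =~ /TPROXY\((.+?)\)$/;` is evaluated for its side effect only; neither column checks that the match succeeded before the following lines (outside this hunk) presumably read `$1`. In Perl a failed match leaves `$1` holding the value from the last successful match anywhere in the program, so a bare `TPROXY` without parentheses would pick up stale data instead of failing. Test the match and `fatal_error` on a miss, as the `if $rest` check above already does for trailing junk.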
@@ -362,15 +337,15 @@ sub process_tc_rule( ) {
} }
$target .= "--on-port $port"; $target .= "--on-port $port";
if ( defined $ip && $ip ne '' ) { if ( defined $ip && $ip ne '' ) {
validate_address $ip, 1; validate_address $ip, 1;
$target .= " --on-ip $ip"; $target .= " --on-ip $ip";
} }
$target .= ' --tproxy-mark'; $target .= ' --tproxy-mark';
} }
if ( $rest ) { if ( $rest ) {
fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK; fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
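Review bot: `$target .= "--on-port $port"` has no leading space, so it relies on `$target` already ending in one. On the right that holds because `$target = "$tccmd->{target} "` appends a space; on the left the assignment is `$target = $tccmd->{target}` without it, and the lines between the two hunks are not shown, so confirm that the TPROXY branch re-sets `$target` with a trailing separator there, otherwise the generated rule reads `TPROXY--on-port N`. Making the separator explicit (`.= " --on-port $port"`, as the `--on-ip` and `--tproxy-mark` lines already do) removes the dependency either way.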
@@ -396,16 +371,14 @@ sub process_tc_rule( ) {
my $val = numeric_value( $cmd ); my $val = numeric_value( $cmd );
fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val; fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
my $limit = $globals{TC_MASK}; my $limit = $globals{TC_MASK};
unless ( have_capability 'FWMARK_RT_MASK' ) { fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes" if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
}
} }
} }
} }
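Review bot: the left skips the `Marks <= $limit ...` check when the FWMARK_RT_MASK capability is present, but the error text still blames only HIGH_ROUTE_MARKS=Yes; a user on a kernel without that capability gets a message that never mentions why the restriction still applies to them. Extend the message (for example "... when HIGH_ROUTE_MARKS=Yes and the kernel lacks FWMARK_RT_MASK") and add a comment explaining why the capability lifts the restriction.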
if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) , if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
$restrictions{$chain} | $restriction, $restrictions{$chain} ,
do_proto( $proto, $ports, $sports) . do_proto( $proto, $ports, $sports) .
do_user( $user ) . do_user( $user ) .
do_test( $testval, $globals{TC_MASK} ) . do_test( $testval, $globals{TC_MASK} ) .
@@ -416,9 +389,9 @@ sub process_tc_rule( ) {
$source , $source ,
$dest , $dest ,
'' , '' ,
$mark ? "$target $mark" : $target, "-j $target $mark" ,
'' ,
'' , '' ,
$target ,
'' ) ) '' ) )
&& $device ) { && $device ) {
# #
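Review bot: the trailing-argument lists to expand_rule differ in length between the columns: the left passes `$mark ? "$target $mark" : $target` followed by `''`, `''`, `$target`, `''`, the right passes `"-j $target $mark"` followed by two `''`. expand_rule's signature is not on this page, so this hunk cannot be reviewed in isolation; at minimum the Notrack call earlier in this compare passes `'NOTRACK'`/`'-j NOTRACK'` in the same position, so the two call sites must agree on who adds `-j` and on the separate target argument. The left's conditional form also avoids the right's `"-j $target $mark"` producing a trailing space when `$mark` is empty.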
@@ -435,11 +408,11 @@ sub rate_to_kbit( $ ) {
my $rate = $_[0]; my $rate = $_[0];
return 0 if $rate eq '-'; return 0 if $rate eq '-';
return $1 if $rate =~ /^((\d+)(\.\d+)?)kbit$/i; return $1 if $rate =~ /^(\d+)kbit$/i;
return $1 * 1000 if $rate =~ /^((\d+)(\.\d+)?)mbit$/i; return $1 * 1000 if $rate =~ /^(\d+)mbit$/i;
return $1 * 8000 if $rate =~ /^((\d+)(\.\d+)?)mbps$/i; return $1 * 8000 if $rate =~ /^(\d+)mbps$/i;
return $1 * 8 if $rate =~ /^((\d+)(\.\d+)?)kbps$/i; return $1 * 8 if $rate =~ /^(\d+)kbps$/i;
return ($1/125) if $rate =~ /^((\d+)(\.\d+)?)(bps)?$/; return int($1/125) if $rate =~ /^(\d+)(bps)?$/;
fatal_error "Invalid Rate ($rate)"; fatal_error "Invalid Rate ($rate)";
} }
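Review bot: rate_to_kbit on the left accepts fractional rates and drops the `int()` on the bps case, so a bare `100` now returns `0.8` and is interpolated as `rate 0.8kbit`; tc parses rate strings with strtod and accepts that, but the `if $in_bandwidth` / `if $inband` guards further down treat any non-zero value as "police", so a small rate that previously rounded to 0 (and disabled ingress policing) now installs a policer. Decide whether that is intended and say so in the tcinterfaces/tcdevices documentation; the mbps/kbps branches also multiply a decimal, so consider rounding to a fixed number of places to keep the generated tc commands stable.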
@@ -458,6 +431,8 @@ sub calculate_quantum( $$ ) {
sub process_flow($) { sub process_flow($) {
my $flow = shift; my $flow = shift;
$flow =~ s/^\(// if $flow =~ s/\)$//;
my @flow = split /,/, $flow; my @flow = split /,/, $flow;
for ( @flow ) { for ( @flow ) {
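Review bot: `$flow =~ s/^\(// if $flow =~ s/\)$//;` strips the closing parenthesis first and only then the opening one, so `(nfct-src` keeps its `(` and `nfct-src)` loses only its `)`, and both go on to `split /,/` as if they were well formed. Treat unbalanced parentheses as an error (`fatal_error "Invalid flow ($flow)"`) rather than silently passing a mangled key list to tc.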
@@ -468,7 +443,7 @@ sub process_flow($) {
} }
sub process_simple_device() { sub process_simple_device() {
my ( $device , $type , $in_bandwidth , $out_part ) = split_line 1, 4, 'tcinterfaces'; my ( $device , $type , $bandwidth ) = split_line 1, 3, 'tcinterfaces';
fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device}; fatal_error "Duplicate INTERFACE ($device)" if $tcdevices{$device};
fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/; fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
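Review bot: split_line now takes up to four tcinterfaces columns, the new one being `$out_part`, and the `$out_part ne '-'` test further down assumes split_line fills an absent column with `-`. This hunk carries no documentation change for that OUT-BANDWIDTH column; document it and its `rate:burst:latency:peak:minburst` sub-fields (and the defaults the code applies) alongside the code, since the shipped configuration template and manpage are what users will read.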
@@ -488,21 +463,7 @@ sub process_simple_device() {
} }
} }
my $in_burst = '10kb'; $bandwidth = rate_to_kbit( $bandwidth );
if ( $in_bandwidth =~ /:/ ) {
my ( $in_band, $burst ) = split /:/, $in_bandwidth, 2;
if ( defined $burst && $burst ne '' ) {
fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
$in_burst = $burst;
}
$in_bandwidth = rate_to_kbit( $in_band );
} else {
$in_bandwidth = rate_to_kbit( $in_bandwidth );
}
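Review bot: the IN-BANDWIDTH burst is validated with `^\d+(k|kb|m|mb|mbit|kbit|b)?$` (integers only) while the out-bandwidth burst later in this file accepts `\d+(?:\.\d+)?` with the same unit list; pick one regex and share it. `fatal_error "Invalid IN-BANDWIDTH"` is also the only error in this block that omits the offending value; include `($in_bandwidth)` like its neighbours. Finally, `split /:/, $in_bandwidth, 2` already caps the split at two fields, so the `$burst =~ /:/` test is what rejects a third field; a comment saying so would make the pair read as intentional.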
emit "if interface_is_up $physical; then"; emit "if interface_is_up $physical; then";
@@ -510,54 +471,14 @@ sub process_simple_device() {
emit ( "${dev}_exists=Yes", emit ( "${dev}_exists=Yes",
"qt \$TC qdisc del dev $physical root", "qt \$TC qdisc del dev $physical root",
"qt \$TC qdisc del dev $physical ingress\n" "qt \$TC qdisc del dev $physical ingress\n"
); );
emit ( "run_tc qdisc add dev $physical handle ffff: ingress", emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
"run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n" "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${bandwidth}kbit burst 10k drop flowid :1\n"
) if $in_bandwidth; ) if $bandwidth;
if ( $out_part ne '-' ) { emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
my ( $out_bandwidth, $burst, $latency, $peak, $minburst ) = split ':', $out_part;
fatal_error "Invalid Out-BANDWIDTH ($out_part)" if ( defined $minburst && $minburst =~ /:/ ) || $out_bandwidth eq '';
$out_bandwidth = rate_to_kbit( $out_bandwidth );
my $command = "run_tc qdisc add dev $physical root handle $number: tbf rate ${out_bandwidth}kbit";
if ( defined $burst && $burst ne '' ) {
fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
$command .= " burst $burst";
} else {
$command .= ' burst 10kb';
}
if ( defined $latency && $latency ne '' ) {
fatal_error "Invalid latency ($latency)" unless $latency =~ /^\d+(?:\.\d+)?(s|sec|secs|ms|msec|msecs|us|usec|usecs)?$/;
$command .= " latency $latency";
} else {
$command .= ' latency 200ms';
}
if ( defined $peak && $peak ne '' ) {
fatal_error "Invalid peak ($peak)" unless $peak =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
$command .= " peakrate $peak";
}
if ( defined $minburst && $minburst ne '' ) {
fatal_error "Invalid minburst ($minburst)" unless $minburst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
$command .= " minburst $minburst";
}
emit $command;
my $id = $number; $number = in_hexp( $devnum | 0x100 );
emit "run_tc qdisc add dev $physical parent $id: handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
} else {
emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
}
for ( my $i = 1; $i <= 3; $i++ ) { for ( my $i = 1; $i <= 3; $i++ ) {
emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10"; emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
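Review bot: the tbf command accepts `peak` without `minburst`, but tc refuses a tbf qdisc that has `peakrate` and no `mtu`/`minburst` ("mtu" is required, if "peakrate" is requested), so an OUT-BANDWIDTH of the form `rate:burst:latency:peak` compiles cleanly and then fails in `run_tc` when the firewall starts. Add a `fatal_error` when `$peak` is given without `$minburst` (or default minburst sensibly) and state the coupling in the documentation. The `my $id = $number; $number = in_hexp( $devnum | 0x100 );` line packs two statements together with no explanation of the `| 0x100` handle scheme; split it and comment that the prio qdisc gets a distinct handle because the tbf now owns `$number:`.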
@@ -567,7 +488,7 @@ sub process_simple_device() {
} }
save_progress_message_short qq(" TC Device $physical defined."); save_progress_message_short qq(" TC Device $physical defined.");
pop_indent; pop_indent;
emit 'else'; emit 'else';
push_indent; push_indent;
@@ -576,9 +497,9 @@ sub process_simple_device() {
emit "${dev}_exists="; emit "${dev}_exists=";
pop_indent; pop_indent;
emit "fi\n"; emit "fi\n";
progress_message " Simple tcdevice \"$currentline\" $done."; progress_message " Simple tcdevice \"$currentline\" $done.";
} }
sub validate_tc_device( ) { sub validate_tc_device( ) {
my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices'; my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';
@@ -1173,14 +1094,14 @@ sub process_tc_priority() {
1 ); 1 );
} else { } else {
my $postref = $mangle_table->{tcpost}; my $postref = $mangle_table->{tcpost};
if ( $address ne '-' ) { if ( $address ne '-' ) {
fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-'; fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
add_rule( $postref , add_rule( $postref ,
join( '', match_source_net( $address) , $rule ) , join( '', match_source_net( $address) , $rule ) ,
1 ); 1 );
} else { } else {
add_rule( $postref , add_rule( $postref ,
join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) , join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
1 ); 1 );
@@ -1192,7 +1113,7 @@ sub process_tc_priority() {
$ipp2p = 1; $ipp2p = 1;
} }
add_rule( $postref , add_rule( $postref ,
join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) , join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
1 ) 1 )
unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP; unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
@@ -1218,8 +1139,8 @@ sub setup_simple_traffic_shaping() {
my $fn1 = open_file 'tcpri'; my $fn1 = open_file 'tcpri';
if ( $fn1 ) { if ( $fn1 ) {
first_entry first_entry
sub { sub {
progress_message2 "$doing $fn1..."; progress_message2 "$doing $fn1...";
warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces; warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces;
}; };
@@ -1307,26 +1228,11 @@ sub setup_traffic_shaping() {
qq(fi) ); qq(fi) );
} }
my $in_burst = '10kb'; my $inband = rate_to_kbit $devref->{in_bandwidth};
my $inband;
if ( $devref->{in_bandwidth} =~ /:/ ) {
my ( $in_band, $burst ) = split /:/, $devref->{in_bandwidth}, 2;
if ( defined $burst && $burst ne '' ) {
fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
$in_burst = $burst;
}
$inband = rate_to_kbit( $in_band );
} else {
$inband = rate_to_kbit $devref->{in_bandwidth};
}
if ( $inband ) { if ( $inband ) {
emit ( "run_tc qdisc add dev $device handle ffff: ingress", emit ( "run_tc qdisc add dev $device handle ffff: ingress",
"run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst $in_burst drop flowid :1" "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
); );
} }
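Review bot: this IN-BANDWIDTH/burst parsing block is a verbatim copy of the one in process_simple_device (same regex, same `Invalid IN-BANDWIDTH` message without the value, same `$in_burst = '10kb'` default). Factor it into one helper that returns `( $rate_kbit, $burst )` so the two code paths cannot drift, and use the same unit regex as the out-bandwidth burst validation.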
@@ -1444,68 +1350,6 @@ sub setup_traffic_shaping() {
} }
} }
#
# Process a record in the secmarks file
#
sub process_secmark_rule() {
my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = split_line1( 2, 9 , 'Secmarks file' );
if ( $secmark eq 'COMMENT' ) {
process_comment;
return;
}
my %chns = ( T => 'tcpost' ,
P => 'tcpre' ,
F => 'tcfor' ,
I => 'tcin' ,
O => 'tcout' , );
my %state = ( N => 'NEW' ,
E => 'ESTABLISHED' ,
ER => 'ESTABLISHED,RELATED' );
my ( $chain , $state, $rest) = split ':', $chainin , 3;
fatal_error "Invalid CHAIN:STATE ($chainin)" if $rest || ! $chain;
my $chain1= $chns{$chain};
fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && $chain1 ne 'tcout';
if ( ( $state ||= '' ) ne '' ) {
my $state1;
fatal_error "Invalid STATE ( $state )" unless $state1 = $state{$state};
$state = "$globals{STATEMATCH} $state1 ";
}
my $target = $secmark eq 'SAVE' ? 'CONNSECMARK --save' :
$secmark eq 'RESTORE' ? 'CONNSECMARK --restore' :
"SECMARK --selctx $secmark";
my $disposition = $target;
$disposition =~ s/ .*//;
expand_rule( ensure_mangle_chain( $chain1 ) ,
$restrictions{$chain1} ,
$state .
do_proto( $proto, $dport, $sport ) .
do_user( $user ) .
do_test( $mark, $globals{TC_MASK} ) ,
$source ,
$dest ,
'' ,
$target ,
'' ,
$disposition,
'' );
progress_message "Secmarks rule \"$currentline\" $done";
}
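Review bot: process_secmark_rule interpolates `$secmark` straight into `SECMARK --selctx $secmark` with no syntax check, and `$disposition` is then derived with `s/ .*//`, which only works because SAVE/RESTORE contain a space after the target name. A context containing whitespace or shell-special characters would produce a rule that only fails when iptables-restore runs; reject anything outside the SELinux context character set at compile time with `fatal_error`. Also `%chns` and `%state` are rebuilt on every call, and `I => 'tcin'` assumes the tcin chain exists, which in setup_tc below only holds when MANGLE_FORWARD is available; hoist the hashes to file scope and require the capability when `I` is used.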
# #
# Process the tcrules file and setup traffic shaping # Process the tcrules file and setup traffic shaping
# #
@@ -1518,7 +1362,6 @@ sub setup_tc() {
if ( have_capability( 'MANGLE_FORWARD' ) ) { if ( have_capability( 'MANGLE_FORWARD' ) ) {
ensure_mangle_chain 'tcfor'; ensure_mangle_chain 'tcfor';
ensure_mangle_chain 'tcpost'; ensure_mangle_chain 'tcpost';
ensure_mangle_chain 'tcin';
} }
my $mark_part = ''; my $mark_part = '';
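Review bot: `ensure_mangle_chain 'tcin'` (and the `add_jump ... INPUT, 'tcin'` in the next hunk) sit inside `if ( have_capability( 'MANGLE_FORWARD' ) )`, but process_tc_rule sets `$chain = 'tcin'` for any rule whose DEST is `$fw` without checking that capability, and `ensure_chain( 'mangle', $chain )` then creates the chain regardless. On a kernel without MANGLE_FORWARD such rules land in a tcin chain that nothing jumps to, i.e. they silently do nothing. Either gate the `tcin` selection in process_tc_rule on the same capability with a fatal_error, or create and jump to tcin independently of MANGLE_FORWARD.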
@@ -1540,12 +1383,9 @@ sub setup_tc() {
add_jump $mangle_table->{OUTPUT} , 'tcout', 0, $mark_part; add_jump $mangle_table->{OUTPUT} , 'tcout', 0, $mark_part;
if ( have_capability( 'MANGLE_FORWARD' ) ) { if ( have_capability( 'MANGLE_FORWARD' ) ) {
my $mask = have_capability 'EXMARK' ? have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '' : ''; add_rule( $mangle_table->{FORWARD}, '-j MARK --set-mark 0' ) if have_capability 'MARK';
add_rule( $mangle_table->{FORWARD}, "-j MARK --set-mark 0${mask}" ) if $config{FORWARD_CLEAR_MARK};
add_jump $mangle_table->{FORWARD} , 'tcfor', 0; add_jump $mangle_table->{FORWARD} , 'tcfor', 0;
add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0; add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
add_jump $mangle_table->{INPUT} , 'tcin' , 0;
} }
} }
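Review bot: the left replaces `add_rule( ... '-j MARK --set-mark 0' ) if have_capability 'MARK'` with a rule guarded only by `$config{FORWARD_CLEAR_MARK}`, so the MARK-target capability check is lost; with FORWARD_CLEAR_MARK=Yes on a kernel lacking the MARK target the generated script fails at load. Keep the capability test, or use require_capability so the user gets a clear message. The nested ternary `have_capability 'EXMARK' ? have_capability 'FWMARK_RT_MASK' ? ... : '' : ''` is hard to read; `have_capability('EXMARK') && have_capability('FWMARK_RT_MASK') ? '/' . in_hex $globals{PROVIDER_MASK} : ''` says the same thing.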
@@ -1594,7 +1434,7 @@ sub setup_tc() {
mark => HIGHMARK , mark => HIGHMARK ,
mask => '' } , mask => '' } ,
{ match => sub ( $ ) { $_[0] =~ '&.*' }, { match => sub ( $ ) { $_[0] =~ '&.*' },
target => 'MARK --and-mark' , target => 'MARK --and-mark ' ,
mark => HIGHMARK , mark => HIGHMARK ,
mask => '' , mask => '' ,
connmark => 0 connmark => 0
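Review bot: dropping the trailing space in `target => 'MARK --and-mark'` matches the left's change to join `$target` and `$mark` with an explicit space at the expand_rule call; make sure every other entry in this table and in `%tcs` (`'CONNMARK --set-mark'`) follows the same rule, because a leftover trailing space would no longer break the generated rule (just a double space) but would break any remaining `$target eq '...'` comparison.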
@@ -1616,20 +1456,9 @@ sub setup_tc() {
} }
} }
if ( $config{MANGLE_ENABLED} ) { add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;
if ( my $fn = open_file 'secmarks' ) {
first_entry "$doing $fn..."; handle_stickiness( $sticky );
process_secmark_rule while read_a_line;
clear_comment;
}
add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;
handle_stickiness( $sticky );
}
} }
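Review bot: the secmarks file is read only inside `if ( $config{MANGLE_ENABLED} )`, so with MANGLE_ENABLED=No a populated secmarks file is ignored without any message; the tcpri handling above warns when `tcpri` has entries but the interfaces file was empty, and the same courtesy applies here (a `warning_message` when the file has entries but mangle is disabled). `handle_stickiness` and the deferred tcpost rules now also run only under that condition, which is correct since they emit mangle rules, but the header comment of setup_tc should say that all of its rule generation is conditional on MANGLE_ENABLED.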
1; 1;

View File

@@ -34,7 +34,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( setup_tunnels ); our @EXPORT = qw( setup_tunnels );
our @EXPORT_OK = ( ); our @EXPORT_OK = ( );
our $VERSION = '4.4_13'; our $VERSION = '4.4_9';
# #
# Here starts the tunnel stuff -- we really should get rid of this crap... # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -61,7 +61,7 @@ sub setup_tunnels() {
} }
} }
my $options = $globals{UNTRACKED} ? "-m state --state NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT"; my $options = $globals{UNTRACKED} ? "$globals{STATEMATCH} NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT"; add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT"; add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
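Review bot: the left hardcodes `-m state --state NEW,UNTRACKED` in the `$globals{UNTRACKED}` branch while the other branch still uses `$globals{STATEMATCH}`, which exists precisely so the state/conntrack match choice is made in one place. If there is a reason the UNTRACKED variant must use the state match (for example a kernel whose conntrack match lacks `--ctstate UNTRACKED`), put that reason in a comment next to it; otherwise use `$globals{STATEMATCH}` here as the right column does.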

View File

@@ -37,7 +37,6 @@ our @EXPORT = qw( NOTHING
IPSECPROTO IPSECPROTO
IPSECMODE IPSECMODE
FIREWALL FIREWALL
VSERVER
IP IP
BPORT BPORT
IPSEC IPSEC
@@ -53,8 +52,6 @@ our @EXPORT = qw( NOTHING
all_zones all_zones
all_parent_zones all_parent_zones
complex_zones complex_zones
vserver_zones
off_firewall_zones
non_firewall_zones non_firewall_zones
single_interface single_interface
chain_base chain_base
@@ -78,13 +75,12 @@ our @EXPORT = qw( NOTHING
compile_updown compile_updown
validate_hosts_file validate_hosts_file
find_hosts_by_option find_hosts_by_option
find_zones_by_option
all_ipsets all_ipsets
have_ipsec have_ipsec
); );
our @EXPORT_OK = qw( initialize ); our @EXPORT_OK = qw( initialize );
our $VERSION = '4.4_13'; our $VERSION = '4.4_10';
# #
# IPSEC Option types # IPSEC Option types
@@ -95,6 +91,7 @@ use constant { NOTHING => 'NOTHING',
IPSECPROTO => 'ah|esp|ipcomp', IPSECPROTO => 'ah|esp|ipcomp',
IPSECMODE => 'tunnel|transport' IPSECMODE => 'tunnel|transport'
}; };
# #
# Zone Table. # Zone Table.
# #
@@ -155,29 +152,21 @@ our %reservedName = ( all => 1,
# broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ] # broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
# number => <ordinal position in the interfaces file> # number => <ordinal position in the interfaces file>
# physical => <physical interface name> # physical => <physical interface name>
# base => <shell variable base representing this interface>
# } # }
# } # }
# #
# The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
# the same order as the interfaces are encountered in the configuration files.
#
our @interfaces; our @interfaces;
our %interfaces; our %interfaces;
our @bport_zones; our @bport_zones;
our %ipsets; our %ipsets;
our %physical; our %physical;
our %basemap;
our %mapbase;
our $family; our $family;
our $have_ipsec; our $have_ipsec;
our $baseseq;
use constant { FIREWALL => 1, use constant { FIREWALL => 1,
IP => 2, IP => 2,
BPORT => 3, BPORT => 3,
IPSEC => 4, IPSEC => 4 };
VSERVER => 5 };
use constant { SIMPLE_IF_OPTION => 1, use constant { SIMPLE_IF_OPTION => 1,
BINARY_IF_OPTION => 2, BINARY_IF_OPTION => 2,
@@ -191,7 +180,6 @@ use constant { SIMPLE_IF_OPTION => 1,
IF_OPTION_ZONEONLY => 8, IF_OPTION_ZONEONLY => 8,
IF_OPTION_HOST => 16, IF_OPTION_HOST => 16,
IF_OPTION_VSERVER => 32,
}; };
our %validinterfaceoptions; our %validinterfaceoptions;
@@ -224,9 +212,6 @@ sub initialize( $ ) {
@bport_zones = (); @bport_zones = ();
%ipsets = (); %ipsets = ();
%physical = (); %physical = ();
%basemap = ();
%mapbase = ();
$baseseq = 0;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
%validinterfaceoptions = (arp_filter => BINARY_IF_OPTION, %validinterfaceoptions = (arp_filter => BINARY_IF_OPTION,
@@ -237,13 +222,13 @@ sub initialize( $ ) {
dhcp => SIMPLE_IF_OPTION, dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST, maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
logmartians => BINARY_IF_OPTION, logmartians => BINARY_IF_OPTION,
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER, nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
norfc1918 => OBSOLETE_IF_OPTION, norfc1918 => OBSOLETE_IF_OPTION,
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST, nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
optional => SIMPLE_IF_OPTION, optional => SIMPLE_IF_OPTION,
proxyarp => BINARY_IF_OPTION, proxyarp => BINARY_IF_OPTION,
required => SIMPLE_IF_OPTION, required => SIMPLE_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER, routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
routefilter => NUMERIC_IF_OPTION , routefilter => NUMERIC_IF_OPTION ,
sourceroute => BINARY_IF_OPTION, sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST, tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
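Review bot: the interface-option table builds bit flags with `+` (`IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER`); that only works because the option-type values and the flag constants (8, 16 and now 32) never overlap, and adding the same flag twice would silently produce a wrong value. `|` makes the intent explicit and is idempotent. The same applies to the IPv6 table in the next hunk.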
@@ -268,12 +253,12 @@ sub initialize( $ ) {
bridge => SIMPLE_IF_OPTION, bridge => SIMPLE_IF_OPTION,
dhcp => SIMPLE_IF_OPTION, dhcp => SIMPLE_IF_OPTION,
maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST, maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER, nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY,
nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST, nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
optional => SIMPLE_IF_OPTION, optional => SIMPLE_IF_OPTION,
proxyndp => BINARY_IF_OPTION, proxyndp => BINARY_IF_OPTION,
required => SIMPLE_IF_OPTION, required => SIMPLE_IF_OPTION,
routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER, routeback => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST,
sourceroute => BINARY_IF_OPTION, sourceroute => BINARY_IF_OPTION,
tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST, tcpflags => SIMPLE_IF_OPTION + IF_OPTION_HOST,
mss => NUMERIC_IF_OPTION, mss => NUMERIC_IF_OPTION,
@@ -299,7 +284,6 @@ sub initialize( $ ) {
sub parse_zone_option_list($$) sub parse_zone_option_list($$)
{ {
my %validoptions = ( mss => NUMERIC, my %validoptions = ( mss => NUMERIC,
blacklist => NOTHING,
strict => NOTHING, strict => NOTHING,
next => NOTHING, next => NOTHING,
reqid => NUMERIC, reqid => NUMERIC,
@@ -309,12 +293,10 @@ sub parse_zone_option_list($$)
"tunnel-src" => NETWORK, "tunnel-src" => NETWORK,
"tunnel-dst" => NETWORK, "tunnel-dst" => NETWORK,
); );
use constant { UNRESTRICTED => 1, NOFW => 2 };
# #
# Hash of options that have their own key in the returned hash. # Hash of options that have their own key in the returned hash.
# #
my %key = ( mss => UNRESTRICTED , blacklist => NOFW ); my %key = ( mss => 'mss' );
my ( $list, $zonetype ) = @_; my ( $list, $zonetype ) = @_;
my %h; my %h;
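Review bot: `use constant { UNRESTRICTED => 1, NOFW => 2 };` is placed inside parse_zone_option_list, but `use constant` is a compile-time, package-scoped declaration, so the constants are visible throughout the package regardless of the braces they sit in; putting them here suggests a lexical scope that does not exist. Move them next to the other `use constant` blocks at file scope and give them a one-line comment (options permitted on every zone type versus options not permitted on firewall/Vserver zones).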
@@ -347,8 +329,7 @@ sub parse_zone_option_list($$)
} }
if ( $key{$e} ) { if ( $key{$e} ) {
fatal_error "Option '$e' not permitted with this zone type " if $key{$e} == NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER); $h{$e} = $val;
$h{$e} = $val || 1;
} else { } else {
fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC; fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
$options .= $invert; $options .= $invert;
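Review bot: `$h{$e} = $val || 1;` turns an explicit `mss=0` into 1 instead of rejecting or preserving it, since `mss` is a NUMERIC option whose value flows through the same assignment as the valueless `blacklist`; use `defined $val ? $val : 1`, or set 1 only for NOTHING-type options. The message `"Option '$e' not permitted with this zone type "` also carries a stray space before the closing quote.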
@@ -395,7 +376,6 @@ sub process_zone( \$ ) {
fatal_error "Invalid Parent List ($2)" unless $p; fatal_error "Invalid Parent List ($2)" unless $p;
fatal_error "Unknown parent zone ($p)" unless $zones{$p}; fatal_error "Unknown parent zone ($p)" unless $zones{$p};
fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL; fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL;
fatal_error 'Subzones of a Vserver zone not allowed' if $zones{$p}{type} == VSERVER;
push @{$zones{$p}{children}}, $zone; push @{$zones{$p}{children}}, $zone;
} }
} }
@@ -422,14 +402,11 @@ sub process_zone( \$ ) {
$firewall_zone = $zone; $firewall_zone = $zone;
$ENV{FW} = $zone; $ENV{FW} = $zone;
$type = FIREWALL; $type = FIREWALL;
} elsif ( $type eq 'vserver' ) {
fatal_error 'Vserver zones may not be nested' if @parents;
$type = VSERVER;
} elsif ( $type eq '-' ) { } elsif ( $type eq '-' ) {
$type = IP; $type = IP;
$$ip = 1; $$ip = 1;
} else { } else {
fatal_error "Invalid zone type ($type)"; fatal_error "Invalid zone type ($type)" ;
} }
if ( $type eq IPSEC ) { if ( $type eq IPSEC ) {
@@ -439,30 +416,20 @@ sub process_zone( \$ ) {
} }
} }
my $zoneref = $zones{$zone} = { type => $type, $zones{$zone} = { type => $type,
parents => \@parents, parents => \@parents,
bridge => '', bridge => '',
options => { in_out => parse_zone_option_list( $options || '', $type ) , options => { in_out => parse_zone_option_list( $options || '', $type ) ,
in => parse_zone_option_list( $in_options || '', $type ) , in => parse_zone_option_list( $in_options || '', $type ) ,
out => parse_zone_option_list( $out_options || '', $type ) , out => parse_zone_option_list( $out_options || '', $type ) ,
complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) , complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
nested => @parents > 0 , nested => @parents > 0 ,
super => 0 , super => 0 ,
} , } ,
interfaces => {} , interfaces => {} ,
children => [] , children => [] ,
hosts => {} hosts => {}
}; };
if ( $zoneref->{options}{in_out}{blacklist} ) {
for ( qw/in out/ ) {
unless ( $zoneref->{options}{$_}{blacklist} ) {
$zoneref->{options}{$_}{blacklist} = 1;
} else {
warning_message( "Redundant 'blacklist' in " . uc( $_ ) . '_OPTIONS' );
}
}
}
return $zone; return $zone;
@@ -528,9 +495,9 @@ sub zone_report()
my @translate; my @translate;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' ); @translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
} else { } else {
@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' ); @translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
} }
for my $zone ( @zones ) for my $zone ( @zones )
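Review bot: `@translate` is indexed by the zone-type constants (FIREWALL=1 through VSERVER=5), and the identical list appears again as `@xlate` in dump_zone_contents below. A single file-scope table keyed by constant (or one shared array built once from `$family`) removes the duplication and means a future zone type cannot be added to the constants without its label being added here as well.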
@@ -557,7 +524,7 @@ sub zone_report()
my $grouplist = join ',', ( @$hosts ); my $grouplist = join ',', ( @$hosts );
my $exclusions = join ',', @{$groupref->{exclusions}}; my $exclusions = join ',', @{$groupref->{exclusions}};
$grouplist = join '!', ( $grouplist, $exclusions) if $exclusions; $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
progress_message_nocompress " $iref->{physical}:$grouplist"; progress_message_nocompress " $iref->{physical}:$grouplist";
} else { } else {
@@ -587,9 +554,9 @@ sub dump_zone_contents()
my @xlate; my @xlate;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' ); @xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4' );
} else { } else {
@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' ); @xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6' );
} }
for my $zone ( @zones ) for my $zone ( @zones )
@@ -666,9 +633,7 @@ sub add_group_to_zone($$$$$)
my $allip = 0; my $allip = 0;
for my $host ( @$networks ) { for my $host ( @$networks ) {
$interfaceref = $interfaces{$interface}; $interfaces{$interface}{nets}++;
$interfaceref->{nets}++;
fatal_error "Invalid Host List" unless defined $host and $host ne ''; fatal_error "Invalid Host List" unless defined $host and $host ne '';
@@ -685,13 +650,6 @@ sub add_group_to_zone($$$$$)
if ( $host eq ALLIP ) { if ( $host eq ALLIP ) {
fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if @newnetworks; fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if @newnetworks;
$interfaces{$interface}{zone} = $zone; $interfaces{$interface}{zone} = $zone;
#
# Make 'find_hosts_by_option()' work correctly for this zone
#
for ( qw/blacklist maclist nosmurfs tcpflags/ ) {
$options->{$_} = $interfaceref->{options}{$_} if $interfaceref->{options}{$_};
}
$allip = 1; $allip = 1;
} }
} }
@@ -755,30 +713,18 @@ sub all_zones() {
@zones; @zones;
} }
sub off_firewall_zones() {
grep ( ! ( $zones{$_}{type} == FIREWALL || $zones{$_}{type} == VSERVER ) , @zones );
}
sub non_firewall_zones() { sub non_firewall_zones() {
grep ( $zones{$_}{type} != FIREWALL , @zones ); grep ( $zones{$_}{type} != FIREWALL , @zones );
} }
sub all_parent_zones() { sub all_parent_zones() {
# grep ( ! @{$zones{$_}{parents}} , @zones );
# Although the firewall zone is technically a parent zone, we let the caller decide
# if it is to be included or not.
#
grep ( ! @{$zones{$_}{parents}} , off_firewall_zones );
} }
sub complex_zones() { sub complex_zones() {
grep( $zones{$_}{options}{complex} , @zones ); grep( $zones{$_}{options}{complex} , @zones );
} }
sub vserver_zones() {
grep ( $zones{$_}{type} == VSERVER, @zones );
}
sub firewall_zone() { sub firewall_zone() {
$firewall_zone; $firewall_zone;
} }
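Review bot: the comment in all_parent_zones says the caller decides whether the firewall zone is included, but the new body `grep ( ! @{$zones{$_}{parents}} , off_firewall_zones )` always excludes firewall and Vserver zones, so the caller can only add them back, never opt out of the exclusion. Reword the comment to say that (and that Vserver zones are excluded too), and delete the commented-out `# grep ( ! @{$zones{$_}{parents}} , @zones );` line, since version control already keeps it.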
@@ -788,55 +734,18 @@ sub firewall_zone() {
# #
sub is_a_bridge( $ ) { sub is_a_bridge( $ ) {
which 'brctl' && qt( "brctl show | tail -n+2 | grep -q '^$_[0]\[\[:space:\]\]'" ); which 'brctl' && qt( "brctl show | tail -n+2 | grep -q '^$_[0]\[\[:space:\]\]'" );
} }
# #
# Transform the passed interface name into a legal shell variable name. # Transform the passed interface name into a legal shell variable name.
# #
sub chain_base($) { sub chain_base($) {
my $chain = $_[0]; my $chain = $_[0];
my $name = $basemap{$chain};
#
# Return existing mapping, if any
#
return $name if $name;
#
# Remember initial value
#
my $key = $chain;
#
# Handle VLANs and wildcards
#
$chain =~ s/\+$//;
$chain =~ tr/./_/;
if ( $chain =~ /^[0-9]/ || $chain =~ /[^\w]/ ) { $chain =~ s/^@/at_/;
# $chain =~ tr/[.\-%@]/_/;
# Must map. Remove all illegal characters $chain =~ s/\+$//;
# $chain;
$chain =~ s/[^\w]//g;
#
# Prefix with if_ if it begins with a digit
#
$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
#
# Create a new unique name
#
1 while $mapbase{$name = join ( '_', $chain, ++$baseseq )};
} else {
#
# We'll store the identity mapping if it is unique
#
$chain = join( '_', $key , ++$baseseq ) while $mapbase{$name = $chain};
}
#
# Store the reverse mapping
#
$mapbase{$name} = $key;
#
# Store the mapping
#
$basemap{$key} = $name;
} }
# #
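Review bot: the right-hand chain_base() maps names with plain substitutions (`s/^@/at_/`, `tr/[.\-%@]/_/`, `s/\+$//`) and never checks uniqueness, so distinct interface names such as `eth0.1` and `eth0-1` collapse to the same base, and a name that starts with a digit is returned unchanged although the comment promises a legal shell variable name (verify_required_interfaces later emits `${base}_IS_UP=` from `uc chain_base $physical`, which is not a valid assignment when the base starts with a digit). The left side prefixes `if_` and keeps %basemap/%mapbase so that a collision gets a `_N` suffix; at minimum keep the digit prefix, and keep the reverse map if generated chain names must stay distinct per interface. Also note that inside `tr///` the square brackets are literal characters, so `[` and `]` are translated to `_` as well, which is harmless but not what the pattern suggests.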
@@ -879,8 +788,6 @@ sub process_interface( $$ ) {
} else { } else {
$zoneref->{bridge} = $interface; $zoneref->{bridge} = $interface;
} }
fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} == VSERVER;
} }
$bridge = $interface; $bridge = $interface;
@@ -888,8 +795,6 @@ sub process_interface( $$ ) {
} else { } else {
fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface}; fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} == BPORT; fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} == BPORT;
fatal_error "Vserver zones may not be associated with interfaces" if $zone && $zoneref->{type} == VSERVER;
$bridge = $interface; $bridge = $interface;
} }
@@ -903,8 +808,6 @@ sub process_interface( $$ ) {
$root = $interface; $root = $interface;
} }
fatal_error "Invalid interface name ($interface)" if $interface =~ /\*/;
my $physical = $interface; my $physical = $interface;
my $broadcasts; my $broadcasts;
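Review bot: the right-hand column drops `fatal_error "Invalid interface name ($interface)" if $interface =~ /\*/;`, and the same check disappears from known_interface() further down. The generated scripts turn a trailing `+` into a shell glob `*` on purpose (see `$physical =~ s/\+$/*/` and `$interfaces =~ s/\+/*/` later in this compare), so a literal `*` in an interface name becomes an unintended glob in the emitted `case` patterns; keep the rejection, which the left side's change log lists as "Disallow '*' in interface names".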
@@ -928,11 +831,7 @@ sub process_interface( $$ ) {
my $hostoptionsref = {}; my $hostoptionsref = {};
if ( $options eq 'ignore' ) { $options{ignore} = 1, $options = '-' if $options eq 'ignore';
fatal_error "Ignored interfaces may not be associated with a zone" if $zone;
$options{ignore} = 1;
$options = '-';
}
if ( $options ne '-' ) { if ( $options ne '-' ) {
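Review bot: collapsing the `ignore` handling into `$options{ignore} = 1, $options = '-' if $options eq 'ignore';` also drops the check that an ignored interface is not associated with a zone. On the right an entry carrying both a zone and `ignore` is accepted silently and the zone membership added later in this sub still takes effect; keep `fatal_error "Ignored interfaces may not be associated with a zone" if $zone;`, or at least emit a warning.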
@@ -945,11 +844,7 @@ sub process_interface( $$ ) {
fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option}; fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};
if ( $zone ) { fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY && ! $zone;
fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} == VSERVER && ! ( $type & IF_OPTION_VSERVER );
} else {
fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
}
my $hostopt = $type & IF_OPTION_HOST; my $hostopt = $type & IF_OPTION_HOST;
@@ -959,16 +854,8 @@ sub process_interface( $$ ) {
if ( $type == SIMPLE_IF_OPTION ) { if ( $type == SIMPLE_IF_OPTION ) {
fatal_error "Option $option does not take a value" if defined $value; fatal_error "Option $option does not take a value" if defined $value;
if ( $option eq 'blacklist' ) { $options{$option} = 1;
if ( $zone ) { $hostoptions{$option} = 1 if $hostopt;
$zoneref->{options}{in}{blacklist} = 1;
} else {
warning_message "The 'blacklist' option is ignored on multi-zone interfaces";
}
} else {
$options{$option} = 1;
$hostoptions{$option} = 1 if $hostopt;
}
} elsif ( $type == BINARY_IF_OPTION ) { } elsif ( $type == BINARY_IF_OPTION ) {
$value = 1 unless defined $value; $value = 1 unless defined $value;
fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' ); fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
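Review bot: `blacklist` is treated as an ordinary SIMPLE_IF_OPTION on the right (`$options{$option} = 1; $hostoptions{$option} = 1 if $hostopt;`), whereas the left records it on the zone as `$zoneref->{options}{in}{blacklist} = 1` and warns that it is ignored on multi-zone interfaces. The two sides therefore disagree on where blacklisting is keyed (zone vs. interface), and the right side gives no warning on a multi-zone interface; the keying has to match whatever the blacklist compiler consumes, and the warning is worth keeping so that users are told when blacklisting is not applied.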
@@ -976,8 +863,8 @@ sub process_interface( $$ ) {
$options{$option} = $value; $options{$option} = $value;
$hostoptions{$option} = $value if $hostopt; $hostoptions{$option} = $value if $hostopt;
} elsif ( $type == ENUM_IF_OPTION ) { } elsif ( $type == ENUM_IF_OPTION ) {
fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
if ( $option eq 'arp_ignore' ) { if ( $option eq 'arp_ignore' ) {
fatal_error q(The 'arp_ignore' option may not be used with a wild-card interface name) if $wildcard;
if ( defined $value ) { if ( defined $value ) {
if ( $value =~ /^[1-3,8]$/ ) { if ( $value =~ /^[1-3,8]$/ ) {
$options{arp_ignore} = $value; $options{arp_ignore} = $value;
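Review bot: the wild-card check moves from the generic ENUM_IF_OPTION branch (left: `fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;`) into the `arp_ignore` case only, so any other ENUM_IF_OPTION option on the right is accepted on a wild-card interface without the error. If arp_ignore is the only enum option today the two are equivalent, but the generic placement is the safer default; suggest keeping it at the top of the branch.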
@@ -1000,6 +887,10 @@ sub process_interface( $$ ) {
} elsif ( $type == IPLIST_IF_OPTION ) { } elsif ( $type == IPLIST_IF_OPTION ) {
fatal_error "The '$option' option requires a value" unless defined $value; fatal_error "The '$option' option requires a value" unless defined $value;
# #
# Remove parentheses from address list if present
#
$value =~ s/\)$// if $value =~ s/^\(//;
#
# Add all IP to the front of a list if the list begins with '!' # Add all IP to the front of a list if the list begins with '!'
# #
$value = join ',' , ALLIP , $value if $value =~ /^!/; $value = join ',' , ALLIP , $value if $value =~ /^!/;
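Review bot: the right side no longer strips surrounding parentheses from an IPLIST_IF_OPTION value (`$value =~ s/\)$// if $value =~ s/^\(//;` is gone), so a value written as `(a,b,c)` reaches the `!` test and the later list split with the parentheses still attached. Either keep the strip or reject parenthesised values explicitly so the error surfaces here rather than in the list parser.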
@@ -1032,7 +923,7 @@ sub process_interface( $$ ) {
fatal_error "The '$option' option requires a value" unless defined $value; fatal_error "The '$option' option requires a value" unless defined $value;
if ( $option eq 'physical' ) { if ( $option eq 'physical' ) {
fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/; fatal_error "Invalid Physical interface name ($value)" unless $value =~ /^[\w.@%-]+\+?$/;
fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port ); fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
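Review bot: the two sides validate the `physical` option differently: the left only requires a non-empty value without `%`, the right requires a match against `^[\w.@%-]+\+?$`. The right-hand allow-list is the better shape for a value that later ends up in chain names and generated shell, but it admits `%`, which the left explicitly rejects; if `%` is reserved (the left uses `%vserver%` as a pseudo-interface name), drop it from the character class: `/^[\w.@-]+\+?$/`.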
@@ -1062,13 +953,14 @@ sub process_interface( $$ ) {
$hostoptions{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export || $options{routeback}; $hostoptions{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export || $options{routeback};
$hostoptionsref = \%hostoptions; $hostoptionsref = \%hostoptions;
} else { } else {
# #
# No options specified -- auto-detect bridge # No options specified -- auto-detect bridge
# #
$hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export; $hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export;
} }
$physical{$physical} = $interfaces{$interface} = { name => $interface , $physical{$physical} = $interfaces{$interface} = { name => $interface ,
bridge => $bridge , bridge => $bridge ,
@@ -1078,19 +970,18 @@ sub process_interface( $$ ) {
broadcasts => $broadcasts , broadcasts => $broadcasts ,
options => \%options , options => \%options ,
zone => '', zone => '',
physical => $physical , physical => $physical
base => chain_base( $physical )
}; };
if ( $zone ) { if ( $zone ) {
$netsref ||= [ allip ]; $netsref ||= [ allip ];
add_group_to_zone( $zone, $zoneref->{type}, $interface, $netsref, $hostoptionsref ); add_group_to_zone( $zone, $zoneref->{type}, $interface, $netsref, $hostoptionsref );
add_group_to_zone( $zone, add_group_to_zone( $zone,
$zoneref->{type}, $zoneref->{type},
$interface, $interface,
$family == F_IPV4 ? [ IPv4_MULTICAST ] : [ IPv6_MULTICAST ] , [ IPv4_MULTICAST ],
{ destonly => 1 } ) if $hostoptionsref->{multicast} && $interfaces{$interface}{zone} ne $zone; { destonly => 1 } ) if $hostoptionsref->{multicast} && $interfaces{$interface}{zone} ne $zone;
} }
progress_message " Interface \"$currentline\" Validated"; progress_message " Interface \"$currentline\" Validated";
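Review bot: the multicast host group on the right is always `[ IPv4_MULTICAST ]`, while the left selects `$family == F_IPV4 ? [ IPv4_MULTICAST ] : [ IPv6_MULTICAST ]`. This module is shared with the IPv6 compiler (the `if ( $family == F_IPV4 )` branches in compile_updown show that), so on the right an IPv6 interface with the multicast option gets an IPv4 network added to its zone; keep the family test. The right also drops `base => chain_base( $physical )` from the interface record, so any caller reading `$interfaceref->{base}` gets undef on this side.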
@@ -1135,27 +1026,6 @@ sub validate_interfaces_file( $ ) {
# Be sure that we have at least one interface # Be sure that we have at least one interface
# #
fatal_error "No network interfaces defined" unless @interfaces; fatal_error "No network interfaces defined" unless @interfaces;
if ( vserver_zones ) {
#
# While the user thinks that vservers are associated with a particular interface, they really are not.
# We create an interface to associated them with.
#
my $interface = '%vserver%';
$interfaces{$interface} = { name => $interface ,
bridge => $interface ,
nets => 0 ,
number => $nextinum ,
root => $interface ,
broadcasts => undef ,
options => {} ,
zone => '',
physical => 'lo',
};
push @interfaces, $interface;
}
} }
# #
@@ -1164,46 +1034,39 @@ sub validate_interfaces_file( $ ) {
sub map_physical( $$ ) { sub map_physical( $$ ) {
my ( $name, $interfaceref ) = @_; my ( $name, $interfaceref ) = @_;
my $physical = $interfaceref->{physical}; my $physical = $interfaceref->{physical};
return $physical if $name eq $interfaceref->{name}; return $physical if $name eq $interfaceref->{name};
$physical =~ s/\+$//; $physical =~ s/\+$//;
$physical . substr( $name, length $interfaceref->{root} ); $physical . substr( $name, length $interfaceref->{root} );
} }
# #
# Returns true if passed interface matches an entry in /etc/shorewall/interfaces # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
# #
# If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in # If the passed name matches a wildcard, an entry for the name is added in %interfaces to speed up validation of other references to that name.
# %interfaces.
# #
sub known_interface($;$) sub known_interface($)
{ {
my ( $interface, $cache ) = @_; my $interface = $_[0];
my $interfaceref = $interfaces{$interface}; my $interfaceref = $interfaces{$interface};
return $interfaceref if $interfaceref; return $interfaceref if $interfaceref;
fatal_error "Invalid interface ($interface)" if $interface =~ /\*/;
for my $i ( @interfaces ) { for my $i ( @interfaces ) {
$interfaceref = $interfaces{$i}; $interfaceref = $interfaces{$i};
my $root = $interfaceref->{root}; my $root = $interfaceref->{root};
if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) { if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
my $physical = map_physical( $interface, $interfaceref ); #
# Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces and we do not set the root;
my $copyref = { options => $interfaceref->{options}, #
bridge => $interfaceref->{bridge} , return $interfaces{$interface} = { options => $interfaceref->{options},
name => $i , bridge => $interfaceref->{bridge} ,
number => $interfaceref->{number} , name => $i ,
physical => $physical , number => $interfaceref->{number} ,
base => chain_base( $physical ) , physical => map_physical( $interface, $interfaceref )
}; };
$interfaces{$interface} = $copyref if $cache;
return $copyref;
} }
} }
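Review bot: known_interface() on the right writes every wildcard match into %interfaces unconditionally (`return $interfaces{$interface} = { ... }`), whereas the left caches only when the caller passes `$cache`. Because find_interfaces_by_option1() below iterates `keys %interfaces`, every name that is merely looked up becomes a candidate there; the cached copies carry `physical` but no `root`, and only find_interfaces_by_option() filters on `root`. The `fatal_error "Invalid interface ($interface)" if $interface =~ /\*/;` line is also dropped here, matching its removal in process_interface().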
@@ -1301,7 +1164,7 @@ sub find_interfaces_by_option( $ ) {
for my $interface ( @interfaces ) { for my $interface ( @interfaces ) {
my $interfaceref = $interfaces{$interface}; my $interfaceref = $interfaces{$interface};
next unless $interfaceref->{root}; next unless $interfaceref->{root};
my $optionsref = $interfaceref->{options}; my $optionsref = $interfaceref->{options};
@@ -1314,33 +1177,25 @@ sub find_interfaces_by_option( $ ) {
} }
# #
# Returns reference to array of interfaces with the passed option. Unlike the preceding function, this one: # Returns reference to array of interfaces with the passed option
#
# - All entries in %interfaces are searched.
# - Returns a two-element list; the second element indicates whether any members of the list have wildcard physical names
# #
sub find_interfaces_by_option1( $ ) { sub find_interfaces_by_option1( $ ) {
my $option = $_[0]; my $option = $_[0];
my @ints = (); my @ints = ();
my $wild = 0;
for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } for my $interface ( keys %interfaces ) {
keys %interfaces ) {
my $interfaceref = $interfaces{$interface}; my $interfaceref = $interfaces{$interface};
next unless defined $interfaceref->{physical}; next unless defined $interfaceref->{physical};
next if $interfaceref->{physical} =~ /\+/;
my $optionsref = $interfaceref->{options}; my $optionsref = $interfaceref->{options};
if ( $optionsref && defined $optionsref->{$option} ) { if ( $optionsref && defined $optionsref->{$option} ) {
$wild ||= ( $interfaceref->{physical} =~ /\+$/ );
push @ints , $interface push @ints , $interface
} }
} }
return unless defined wantarray; \@ints;
wantarray ? ( \@ints, $wild ) : \@ints;
} }
# #
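Review bot: find_interfaces_by_option1() on the right iterates `keys %interfaces` unsorted, so the order of @ints, and of any rules generated from it, depends on Perl hash ordering and can differ from one compile to the next; the left sorts by `{number}` for exactly that reason. Rule order is significant in iptables, so sort here: `sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } keys %interfaces`. The right side also skips wildcard entries (`next if $interfaceref->{physical} =~ /\+/;`) instead of reporting them through the second return value, so a caller cannot tell that an option set on a wildcard interface was ignored.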
@@ -1367,32 +1222,20 @@ sub set_interface_option( $$$ ) {
sub verify_required_interfaces( $ ) { sub verify_required_interfaces( $ ) {
my $generate_case = shift; my $generate_case = shift;
my $returnvalue = 0; my $returnvalue = 0;
my $interfaces = find_interfaces_by_option 'wait'; my $interfaces = find_interfaces_by_option 'wait';
if ( @$interfaces ) { if ( @$interfaces ) {
my $first = 1; emit "local waittime\n";
emit( "local waittime\n" );
emit( 'case "$COMMAND" in' );
push_indent;
emit( 'start|restart|restore)' );
push_indent;
for my $interface (@$interfaces ) { for my $interface (@$interfaces ) {
my $wait = $interfaces{$interface}{options}{wait}; my $wait = $interfaces{$interface}{options}{wait};
emit q() unless $first-- > 0;
if ( $wait ) { if ( $wait ) {
my $physical = get_physical $interface; my $physical = get_physical $interface;
if ( $physical =~ /\+$/ ) { if ( $physical =~ /\+$/ ) {
my $base = uc chain_base $physical; my $base = uc chain_base $physical;
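Review bot: the left wraps the `wait` loop in `case "$COMMAND" in start|restart|restore)` so the emitted sleep/poll only runs for commands that bring the firewall up; the right emits it unconditionally, so every command, including `stop` and `clear`, waits up to `waittime` seconds for each listed interface. Keep the case wrapper (with its `;;`/`esac` and the push_indent/pop_indent pairs), since delaying `stop` on an interface that is intentionally down is not what the option is for.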
@@ -1420,20 +1263,12 @@ sub verify_required_interfaces( $ ) {
emit q( sleep 1); emit q( sleep 1);
emit ' waittime=$(($waittime - 1))'; emit ' waittime=$(($waittime - 1))';
emit q( done); emit q( done);
emit q(fi); emit qq(fi\n);
} }
$returnvalue = 1; $returnvalue = 1;
} }
} }
emit( ";;\n" );
pop_indent;
pop_indent;
emit( "esac\n" );
} }
$interfaces = find_interfaces_by_option 'required'; $interfaces = find_interfaces_by_option 'required';
@@ -1455,16 +1290,16 @@ sub verify_required_interfaces( $ ) {
$physical =~ s/\+$/*/; $physical =~ s/\+$/*/;
emit( "SW_${base}_IS_UP=\n", emit( "${base}_IS_UP=\n",
'for interface in $(find_all_interfaces); do', 'for interface in $(find_all_interfaces); do',
' case $interface in', ' case $interface in',
" $physical)", " $physical)",
" interface_is_usable \$interface && SW_${base}_IS_UP=Yes && break", " interface_is_usable \$interface && ${base}_IS_UP=Yes && break",
' ;;', ' ;;',
' esac', ' esac',
'done', 'done',
'', '',
"if [ -z \"\$SW_${base}_IS_UP\" ]; then", "if [ -z \"\$${base}_IS_UP\" ]; then",
" startup_error \"None of the required interfaces $physical are available\"", " startup_error \"None of the required interfaces $physical are available\"",
"fi\n" "fi\n"
); );
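Review bot: the right drops the `SW_` prefix from the generated `${base}_IS_UP` variables. The base is `uc chain_base $physical`, i.e. derived directly from a user-supplied interface name, so without a fixed prefix the generated name lives in the same namespace as every other variable in the emitted script, and with the right-hand chain_base() an interface name beginning with a digit yields an assignment that is not valid shell. A reserved prefix such as `SW_` keeps generated variables separate and is worth keeping.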
@@ -1474,7 +1309,7 @@ sub verify_required_interfaces( $ ) {
emit qq(fi\n); emit qq(fi\n);
} }
} }
if ( $generate_case ) { if ( $generate_case ) {
emit( ';;' ); emit( ';;' );
pop_indent; pop_indent;
@@ -1506,9 +1341,6 @@ sub compile_updown() {
'state=cleared', 'state=cleared',
'' ); '' );
emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
emit '';
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
emit 'if shorewall_is_started; then'; emit 'if shorewall_is_started; then';
} else { } else {
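Review bot: the right drops `progress_message3 "$g_product $COMMAND triggered by $1"` from the generated updown script, and the following hunks remove the matching "attempting ..." and "... ignored" messages. Those messages are the only record in the log of which interface event caused a firewall start, stop or restart, which is exactly what an operator needs when reconstructing why the rule set changed; keep them (the left side's change log lists "Make log messages uniform", which is the better direction).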
@@ -1547,7 +1379,6 @@ sub compile_updown() {
$interfaces =~ s/\+/*/; $interfaces =~ s/\+/*/;
emit( "$interfaces)", emit( "$interfaces)",
' progress_message3 "$COMMAND on interface $1 ignored"',
' exit 0', ' exit 0',
' ;;' ' ;;'
); );
@@ -1571,24 +1402,21 @@ sub compile_updown() {
emit( ' COMMAND=start' ); emit( ' COMMAND=start' );
} }
emit( ' progress_message3 "$g_product attempting $COMMAND"', emit( ' detect_configuration',
' detect_configuration',
' define_firewall' ); ' define_firewall' );
if ( $wildcard ) { if ( $wildcard ) {
emit( ' elif [ "$state" = started ]; then', emit( ' elif [ "$state" = started ]; then',
' progress_message3 "$g_product attempting restart"',
' COMMAND=restart', ' COMMAND=restart',
' detect_configuration', ' detect_configuration',
' define_firewall' ); ' define_firewall' );
} else { } else {
emit( ' else', emit( ' else',
' COMMAND=stop', ' COMMAND=stop',
' progress_message3 "$g_product attempting stop"',
' detect_configuration', ' detect_configuration',
' stop_firewall' ); ' stop_firewall' );
} }
emit( ' fi', emit( ' fi',
' ;;' ' ;;'
); );
@@ -1608,16 +1436,12 @@ sub compile_updown() {
'', '',
' if [ "$state" = started ]; then', ' if [ "$state" = started ]; then',
' COMMAND=restart', ' COMMAND=restart',
' progress_message3 "$g_product attempting restart"',
' detect_configuration', ' detect_configuration',
' define_firewall', ' define_firewall',
' elif [ "$state" = stopped ]; then', ' elif [ "$state" = stopped ]; then',
' COMMAND=start', ' COMMAND=start',
' progress_message3 "$g_product attempting start"',
' detect_configuration', ' detect_configuration',
' define_firewall', ' define_firewall',
' else',
' progress_message3 "$COMMAND on interface $1 ignored"',
' fi', ' fi',
' ;;', ' ;;',
); );
@@ -1627,18 +1451,14 @@ sub compile_updown() {
' case $state in', ' case $state in',
' started)', ' started)',
' COMMAND=restart', ' COMMAND=restart',
' progress_message3 "$g_product attempting restart"',
' detect_configuration', ' detect_configuration',
' define_firewall', ' define_firewall',
' ;;', ' ;;',
' *)', ' esac',
' progress_message3 "$COMMAND on interface $1 ignored"',
' ;;',
' esac',
); );
pop_indent; pop_indent;
emit( 'esac' ); emit( 'esac' );
pop_indent; pop_indent;
@@ -1646,7 +1466,7 @@ sub compile_updown() {
emit( '}', emit( '}',
'', '',
); );
} }
# #
# Process a record in the hosts file # Process a record in the hosts file
@@ -1688,7 +1508,7 @@ sub process_host( ) {
} elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) { } elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) {
fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}"; fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
} }
} }
my $optionsref = { dynamic => 0 }; my $optionsref = { dynamic => 0 };
@@ -1703,19 +1523,14 @@ sub process_host( ) {
$zoneref->{options}{complex} = 1; $zoneref->{options}{complex} = 1;
$ipsec = 1; $ipsec = 1;
} elsif ( $option eq 'norfc1918' ) { } elsif ( $option eq 'norfc1918' ) {
warning_message "The 'norfc1918' host option is no longer supported" warning_message "The 'norfc1918' option is no longer supported"
} elsif ( $option eq 'blacklist' ) {
$zoneref->{options}{in}{blacklist} = 1;
} elsif ( $validhostoptions{$option}) { } elsif ( $validhostoptions{$option}) {
fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
$options{$option} = 1; $options{$option} = 1;
} else { } else {
fatal_error "Invalid option ($option)"; fatal_error "Invalid option ($option)";
} }
} }
fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER;
$optionsref = \%options; $optionsref = \%options;
} }
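Review bot: the right side drops the explicit `blacklist` host option (`$zoneref->{options}{in}{blacklist} = 1`), so whether `blacklist` is still accepted in the hosts file depends on it being present in %validhostoptions, which is not visible here; if it is not, the option becomes a fatal "Invalid option". The Vserver-only checks removed in the same hunk are consistent with the rest of the compare.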
@@ -1735,7 +1550,6 @@ sub process_host( ) {
$hosts = join( '', ALLIP , $hosts ) if substr($hosts, 0, 2 ) eq ',!'; $hosts = join( '', ALLIP , $hosts ) if substr($hosts, 0, 2 ) eq ',!';
if ( $hosts eq 'dynamic' ) { if ( $hosts eq 'dynamic' ) {
fatal_error "Vserver zones may not be dynamic" if $type == VSERVER;
require_capability( 'IPSET_MATCH', 'Dynamic nets', ''); require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
my $physical = physical_name $interface; my $physical = physical_name $interface;
$hosts = "+${zone}_${physical}"; $hosts = "+${zone}_${physical}";
@@ -1743,10 +1557,6 @@ sub process_host( ) {
$ipsets{"${zone}_${physical}"} = 1; $ipsets{"${zone}_${physical}"} = 1;
} }
#
# We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
#
$interface = '%vserver%' if $type == VSERVER;
add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref); add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);
@@ -1810,21 +1620,6 @@ sub find_hosts_by_option( $ ) {
\@hosts; \@hosts;
} }
#
# Returns a reference to a list of zones with the passed in/out option
#
sub find_zones_by_option( $$ ) {
my ($option, $in_out ) = @_;
my @zns;
for my $zone ( @zones ) {
push @zns, $zone if $zones{$zone}{options}{$in_out}{$option};
}
\@zns;
}
sub all_ipsets() { sub all_ipsets() {
sort keys %ipsets; sort keys %ipsets;
} }


@@ -6,7 +6,7 @@
# #
usage() { usage() {
echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]" echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
echo echo
echo "Options are:" echo "Options are:"
echo echo
echo " -v and -q Standard Shorewall verbosity controls" echo " -v and -q Standard Shorewall verbosity controls"
@@ -85,7 +85,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
t*) t*)
g_timestamp=Yes g_timestamp=Yes
option=${option#t} option=${option#t}
;; ;;
p*) p*)
g_purge=Yes g_purge=Yes
option=${option#p} option=${option#p}
@@ -126,7 +126,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
if [ -n "$option" ]; then if [ -n "$option" ]; then
case $option in case $option in
*/*) */*)
startup_error "-R must specify a simple file name: $option" startup_error "-R must specify a simple file name: $option"
;; ;;
.safe|.try|NONE) .safe|.try|NONE)
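Review bot: this hunk is whitespace-only (both columns carry the same text for usage(), the `t*)`/`p*)` option cases and the `-R` check), and the shorewall6 copy that follows is identical; whitespace churn is easier to review when committed separately from functional changes.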


@@ -6,7 +6,7 @@
# #
usage() { usage() {
echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]" echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
echo echo
echo "Options are:" echo "Options are:"
echo echo
echo " -v and -q Standard Shorewall verbosity controls" echo " -v and -q Standard Shorewall verbosity controls"
@@ -85,7 +85,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
t*) t*)
g_timestamp=Yes g_timestamp=Yes
option=${option#t} option=${option#t}
;; ;;
p*) p*)
g_purge=Yes g_purge=Yes
option=${option#p} option=${option#p}
@@ -126,7 +126,7 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
if [ -n "$option" ]; then if [ -n "$option" ]; then
case $option in case $option in
*/*) */*)
startup_error "-R must specify a simple file name: $option" startup_error "-R must specify a simple file name: $option"
;; ;;
.safe|.try|NONE) .safe|.try|NONE)


@@ -89,17 +89,42 @@ setpolicy() # $1 = name of chain, $2 = policy
} }
# #
# Generate a list of all network interfaces on the system # Set a standard chain to enable established and related connections
# #
find_all_interfaces() { setcontinue() # $1 = name of chain
${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//' {
run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
} }
# #
# Generate a list of all network interfaces on the system that have an ipv4 address # Flush one of the NAT table chains
# #
find_all_interfaces1() { flushnat() # $1 = name of chain
${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//' {
run_iptables -t nat -F $1
}
#
# Flush one of the Mangle table chains
#
flushmangle() # $1 = name of chain
{
run_iptables -t mangle -F $1
}
#
# Flush and delete all user-defined chains in the filter table
#
deleteallchains() {
run_iptables -F
run_iptables -X
}
#
# Generate a list of all network interfaces on the system
#
find_all_interfaces() {
${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'
} }
# #
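Review bot: find_all_interfaces() on the right uses `sed 's/:$//'`, which strips only the trailing colon, whereas the left uses `sed -r 's/(@.*)?:$//'` to also remove the `@peer` suffix that `ip link list` prints for veth-style devices (`veth0@if5:`). With the right-hand version such a name comes out as `veth0@if5` and never matches the `$physical)` pattern in the generated `for interface in $(find_all_interfaces); case $interface in` loop, so a required interface of that kind is reported as unavailable. The right also drops find_all_interfaces1() (interfaces that actually have an IPv4 address); check that nothing in the generated scripts still calls it. The added setcontinue()/flushnat()/flushmangle()/deleteallchains() helpers look fine, though deleteallchains() only touches the filter table (`run_iptables -F`/`-X` with no `-t`), so its comment is accurate but the name over-promises.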
@@ -508,12 +533,11 @@ undo_routing() {
# Restore the default route that was in place before the initial 'shorewall start' # Restore the default route that was in place before the initial 'shorewall start'
# #
restore_default_route() { restore_default_route() {
local result
if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
local default_route local default_route
default_route= default_route=
local route local route
local result
result=1 result=1
while read route ; do while read route ; do
@@ -598,9 +622,9 @@ delete_proxyarp() {
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
[ -f $f ] && echo 0 > $f [ -f $f ] && echo 0 > $f
done < ${VARDIR}/proxyarp done < ${VARDIR}/proxyarp
rm -f ${VARDIR}/proxyarp
fi fi
rm -f ${VARDIR}/proxyarp
} }
# #
@@ -614,7 +638,6 @@ clear_firewall() {
setpolicy OUTPUT ACCEPT setpolicy OUTPUT ACCEPT
run_iptables -F run_iptables -F
qt $IPTABLES -t raw -F
echo 1 > /proc/sys/net/ipv4/ip_forward echo 1 > /proc/sys/net/ipv4/ip_forward
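Review bot: clear_firewall() on the right no longer runs `qt $IPTABLES -t raw -F`, so `clear` opens up the filter table but leaves any raw-table rules in place; the left side's change log has "Clear raw table on 'clear'" for this. Keep the flush so that a cleared firewall carries no leftover raw-table state.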
@@ -674,7 +697,7 @@ startup_error() # $* = Error Message
;; ;;
esac esac
if [ $LOG_VERBOSITY -ge 0 ]; then if [ $LOG_VERBOSITY -gt 1 ]; then
timestamp="$(date +'%_b %d %T') " timestamp="$(date +'%_b %d %T') "
case $COMMAND in case $COMMAND in
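Review bot: startup_error() on the right writes the timestamped message only when `LOG_VERBOSITY -gt 1`, whereas the left does so for `-ge 0`. A startup error is the one event that should always reach the log regardless of verbosity: an operator diagnosing why the firewall failed to come up, and what state it was left in, has nothing else to go on. Keep `-ge 0`.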


@@ -89,17 +89,34 @@ setpolicy() # $1 = name of chain, $2 = policy
} }
# #
# Generate a list of all network interfaces on the system # Set a standard chain to enable established and related connections
# #
find_all_interfaces() { setcontinue() # $1 = name of chain
${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//' {
run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
} }
# #
# Generate a list of all network interfaces on the system that have an ipv6 address # Flush one of the Mangle table chains
# #
find_all_interfaces1() { flushmangle() # $1 = name of chain
${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//' {
run_iptables -t mangle -F $1
}
#
# Flush and delete all user-defined chains in the filter table
#
deleteallchains() {
run_iptables -F
run_iptables -X
}
#
# Generate a list of all network interfaces on the system
#
find_all_interfaces() {
${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed 's/:$//'
} }
# #
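Review bot: same issue as the IPv4 lib.base hunk: `sed 's/:$//'` on the right does not strip the `@peer` suffix from `ip link list` output, and find_all_interfaces1() (interfaces with an IPv6 address) is dropped, while the generated `case $interface in $physical)` matching depends on clean names.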
@@ -496,12 +513,11 @@ undo_routing() {
# Restore the default route that was in place before the initial 'shorewall start' # Restore the default route that was in place before the initial 'shorewall start'
# #
restore_default_route() { restore_default_route() {
local result
if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
local default_route local default_route
default_route= default_route=
local route local route
local result
result=1 result=1
while read route ; do while read route ; do
@@ -584,7 +600,6 @@ clear_firewall() {
setpolicy OUTPUT ACCEPT setpolicy OUTPUT ACCEPT
run_iptables -F run_iptables -F
qt $IP6TABLES -t raw -F
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
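Review bot: as with the IPv4 clear_firewall(), the right side drops `qt $IP6TABLES -t raw -F`, so `clear` leaves raw-table rules intact; keep the flush.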


@@ -1,108 +1,3 @@
Changes in Shorewall 4.4.13.1
1) Make log messages uniform.
2) Fix blacklisting in simple configurations.
Changes in Shorewall 4.4.13
1) Allow zone lists in rules SOURCE and DEST.
2) Fix exclusion in the blacklist file.
3) Correct several old exclusion bugs.
4) Fix exclusion with CONTINUE/NONAT/ACCEPT+
5) Re-implement optional interface handling.
6) Add secmark config file.
7) Split in and out blacklisting.
8) Correct handling of [{src|dst},...] in ipset invocation
9) Correct SAME.
10) TC Enhancements:
<burst> in IN-BANDWIDTH columns.
OUT-BANDWIDTH column in tcinterfaces.
11) Create dynamic zone ipsets on 'start'.
12) Remove new blacklisting implementation.
13) Implement an alternative blacklisting scheme.
14) Use '-m state' for UNTRACKED.
15) Clear raw table on 'clear'
16) Correct port-range check in tcfilters.
17) Disallow '*' in interface names.
Changes in Shorewall 4.4.12
1) Fix IPv6 shorecap program.
2) Eradicate incorrect IPv6 Multicast Network
3) Add ADD/DEL support.
4) Allow :random to work with REDIRECT
5) Add per-ip log rate limiting.
6) Use new hashlimit match syntax if available.
7) Add Universal sample.
8) Add COMPLETE option.
9) Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
10) Support new set match syntax.
11) Blacklisting by DEST IP.
12) Fix duplicate rule generation with 'any'.
13) Fix port range editing problem.
14) Display the .conf file directory in response to the status command.
15) Correct AUTOMAKE
Changes in Shorewall 4.4.11
1) Apply patch from Gabriel.
2) Fix IPSET match detection when a pathname is specified for IPSET.
3) Fix start priority of shorewall-init on Debian
4) Make IPv6 log and connections output readable.
5) Add REQUIRE_INTERFACE to shorewall*.conf
6) Avoid run-time warnings when options are not listed in
shorewall.conf.
7) Implement Vserver zones.
8) Make find_hosts_by_option() work correctly where ALL_IP appears in
hosts file.
9) Add CLEAR_FORWARD_MARK option.
10) Avoid missing closing quote when REQUIRE_INTERFACE=Yes.
11) Add PERL option.
12) Fix nets= in Shorewall6
Changes in Shorewall 4.4.10 Changes in Shorewall 4.4.10
1) Fix regression with scripts. 1) Fix regression with scripts.
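Review bot: this hunk fixes the direction of the whole compare: the left-hand column is the 4.4.13.1 tree and the right-hand column is 4.4.10 (see the VERSION line at the bottom), so every "removal" earlier in this compare (Vserver zones, split in/out blacklisting, the secmarks file, the `*` interface-name check, the raw-table flush on `clear`, find_zones_by_option()) is a feature of the later release being shown against its predecessor, not a deletion proposed for merge. Items 7, 15 and 17 of the 4.4.13 list correspond directly to the process_interface, clear_firewall and interface-name hunks above.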


@@ -6,6 +6,6 @@
# Please see http://shorewall.net/Accounting.html for examples and # Please see http://shorewall.net/Accounting.html for examples and
# additional information about how to use this file. # additional information about how to use this file.
# #
##################################################################################################### #####################################################################################
#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK IPSEC #ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK
# PORT(S) PORT(S) GROUP # PORT(S) PORT(S) GROUP


@@ -7,5 +7,4 @@
# information. # information.
# #
############################################################################### ###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT OPTIONS #ADDRESS/SUBNET PROTOCOL PORT


@@ -7,5 +7,5 @@
# http://www.shorewall.net/manpages/shorewall-masq.html # http://www.shorewall.net/manpages/shorewall-masq.html
# #
############################################################################### ###############################################################################
#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ #INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/
# GROUP # GROUP


@@ -7,4 +7,4 @@
# information. # information.
# #
############################################################################### ###############################################################################
#TYPE NET1 INTERFACE NET2 NET3 #TYPE NET1 INTERFACE NET2


@@ -1,13 +0,0 @@
#
# Shorewall version 4 - Secmarks File
#
# For information about entries in this file, type "man shorewall-secmarks"
#
############################################################################################################
#SECMARK CHAIN: SOURCE DEST PROTO DEST SOURCE USER/ MARK
# STATE PORT(S) PORT(S) GROUP


@@ -31,7 +31,9 @@ LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No LOGTAGONLY=No
LOGLIMIT= LOGRATE=
LOGBURST=
LOGALLNEW= LOGALLNEW=
@@ -57,8 +59,6 @@ TC=
IPSET= IPSET=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh
@@ -194,12 +194,6 @@ OPTIMIZE_ACCOUNTING=No
LOAD_HELPERS_ONLY=No LOAD_HELPERS_ONLY=No
REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes
COMPLETE=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################


@@ -8,3 +8,4 @@
# #
############################################################################### ###############################################################################
#INTERFACE TYPE IN-BANDWIDTH #INTERFACE TYPE IN-BANDWIDTH

View File

@@ -20,7 +20,7 @@ test -n ${INITLOG:=/var/log/shorewall-init.log}
test -x $SRWL || exit 0 test -x $SRWL || exit 0
test -x $WAIT_FOR_IFUP || exit 0 test -x $WAIT_FOR_IFUP || exit 0
test -n "$INITLOG" || { test -n "$INITLOG" || {
echo "INITLOG cannot be empty, please configure $0" ; echo "INITLOG cannot be empty, please configure $0" ;
exit 1; exit 1;
} }
@@ -32,9 +32,9 @@ fi
echo_notdone () { echo_notdone () {
if [ "$INITLOG" = "/dev/null" ] ; then if [ "$INITLOG" = "/dev/null" ] ; then
echo "not done." echo "not done."
else else
echo "not done (check $INITLOG)." echo "not done (check $INITLOG)."
fi fi
@@ -71,7 +71,7 @@ fi
export SHOREWALL_INIT_SCRIPT export SHOREWALL_INIT_SCRIPT
# wait for an unconfigured interface # wait for an unconfigured interface
wait_for_pppd () { wait_for_pppd () {
if [ "$wait_interface" != "" ] if [ "$wait_interface" != "" ]
then then

View File

@@ -45,7 +45,7 @@ status() {
export SHOREWALL_INIT_SCRIPT=1 export SHOREWALL_INIT_SCRIPT=1
case $1 in case $1 in
'start') 'start')
start start
;; ;;

View File

@@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.13.1 VERSION=4.4.10
usage() # $1 = exit status usage() # $1 = exit status
{ {
@@ -133,7 +133,7 @@ case $(uname) in
MAC=Yes MAC=Yes
INSTALLD= INSTALLD=
T= T=
;; ;;
*) *)
[ -z "$OWNER" ] && OWNER=root [ -z "$OWNER" ] && OWNER=root
[ -z "$GROUP" ] && GROUP=root [ -z "$GROUP" ] && GROUP=root
@@ -178,7 +178,7 @@ if [ -n "$DESTDIR" ]; then
install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST} install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
CYGWIN= CYGWIN=
MAC= MAC=
else else
@@ -194,7 +194,7 @@ else
if [ -n "$CYGWIN" ]; then if [ -n "$CYGWIN" ]; then
echo "Installing Cygwin-specific configuration..." echo "Installing Cygwin-specific configuration..."
elif [ -n "$MAC" ]; then elif [ -n "$MAC" ]; then
echo "Installing Mac-specific configuration..." echo "Installing Mac-specific configuration..."
else else
if [ -f /etc/debian_version ]; then if [ -f /etc/debian_version ]; then
echo "Installing Debian-specific configuration..." echo "Installing Debian-specific configuration..."
@@ -270,7 +270,7 @@ if [ -n "$DESTDIR" ]; then
mkdir -p ${DESTDIR}/etc/logrotate.d mkdir -p ${DESTDIR}/etc/logrotate.d
chmod 755 ${DESTDIR}/etc/logrotate.d chmod 755 ${DESTDIR}/etc/logrotate.d
fi fi
# #
# Install the config file # Install the config file
# #
@@ -586,16 +586,6 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcfilters ]; then
echo "TC Filters file installed as ${DESTDIR}/etc/shorewall/tcfilters" echo "TC Filters file installed as ${DESTDIR}/etc/shorewall/tcfilters"
fi fi
#
# Install the secmarks file
#
run_install $OWNERSHIP -m 0644 configfiles/secmarks ${DESTDIR}/usr/share/shorewall/configfiles
if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/secmarks ]; then
run_install $OWNERSHIP -m 0600 configfiles/secmarks ${DESTDIR}/etc/shorewall
echo "Secmarks file installed as ${DESTDIR}/etc/shorewall/secmarks"
fi
# #
# Install the default config path file # Install the default config path file
# #
@@ -755,7 +745,7 @@ fi
# #
# Install the Makefiles # Install the Makefiles
# #
install_file Makefile-lite ${DESTDIR}/usr/share/shorewall/configfiles/Makefile 0644 install-file Makefile-lite ${DESTDIR}/usr/share/shorewall/configfiles/Makefile 0644
if [ -z "$SPARSE" ]; then if [ -z "$SPARSE" ]; then
run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall
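Review bot: the right-hand (4.4.10) side of this hunk calls `install-file Makefile-lite ${DESTDIR}/usr/share/shorewall/configfiles/Makefile 0644` with a hyphen, while every other call site in this installer uses the shell function `install_file` (compare `install_file default.debian /etc/default/shorewall 0644` in the next hunk); with the hyphen the shell looks for an external command named `install-file`, so the lite Makefile is never installed and the installer reports a command-not-found error. It should read `install_file`.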
@@ -877,13 +867,7 @@ fi
if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
if [ -n "$DEBIAN" ]; then if [ -n "$DEBIAN" ]; then
install_file default.debian /etc/default/shorewall 0644 install_file default.debian /etc/default/shorewall 0644
ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
if [ -x /sbin/insserv ]; then
insserv /etc/init.d/shorewall
else
ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
fi
echo "shorewall will start automatically at boot" echo "shorewall will start automatically at boot"
echo "Set startup=1 in /etc/default/shorewall to enable" echo "Set startup=1 in /etc/default/shorewall to enable"
touch /var/log/shorewall-init.log touch /var/log/shorewall-init.log
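Review bot: the right-hand side always creates the `/etc/rcS.d/S40shorewall` symlink, whereas the left side first checks `[ -x /sbin/insserv ]` and registers the service with `insserv /etc/init.d/shorewall`, falling back to the bare symlink only when insserv is absent; on a Debian host that uses insserv for boot ordering, a hand-made rcS.d link is not the supported way to enable the service, so the left side's order of preference should be kept. Separately, neither side uses `ln -sf` or checks for an existing link, so a re-run with `first_install` set fails noisily if the link is already there, and the two echo lines that follow contradict each other ("shorewall will start automatically at boot" followed by "Set startup=1 in /etc/default/shorewall to enable"); only the one that matches the installed `default.debian` should be printed.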

View File

@@ -1,11 +1 @@
1) On systems running Upstart, shorewall-init cannot reliably start the There are no known problems in Shorewall 4.4.10
firewall before interfaces are brought up.
2) The date/time formatting in the STARTUP_LOG is not uniform.
Fixed in 4.4.13.1
3) The blacklisting change in 4.4.13 broke blacklisting in some simple
configurations with the effect that blacklisting was not enabled.
Fixed in 4.4.13.1

View File

@@ -29,7 +29,7 @@
# #
SHOREWALL_LIBVERSION=40407 SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40413 SHOREWALL_CAPVERSION=40408
[ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
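Review bot: SHOREWALL_CAPVERSION differs between the two sides (40413 on the left, 40408 on the right) while SHOREWALL_LIBVERSION stays at 40407; since the capabilities file records this value (`echo CAPVERSION=$SHOREWALL_CAPVERSION` in report_capabilities1 below) and the left side also adds the OLD_IPSET_MATCH, FWMARK_RT_MASK and MARK_ANYWHERE capabilities, any host that compiles against a saved capabilities file must regenerate it when moving between these versions. The release notes in this comparison only call that out for 'Mark in any table'; the note should cover all three new capabilities.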
@@ -185,7 +185,7 @@ valid_address() {
;; ;;
esac esac
done done
IFS=$ifs IFS=$ifs
return 0 return 0
@@ -381,7 +381,7 @@ find_echo() {
result=$(which echo) result=$(which echo)
[ -n "$result" ] && { echo "$result -e"; return; } [ -n "$result" ] && { echo "$result -e"; return; }
echo echo echo echo
} }
# Determine which version of mktemp is present (if any) and set MKTEMP accortingly: # Determine which version of mktemp is present (if any) and set MKTEMP accortingly:

View File

@@ -166,7 +166,7 @@ search_log() # $1 = IP address to search for
else else
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/ $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
fi fi
} }
# #
# Show traffic control information # Show traffic control information
@@ -226,18 +226,6 @@ show_classifiers() {
logwatch() # $1 = timeout -- if negative, prompt each time that logwatch() # $1 = timeout -- if negative, prompt each time that
# an 'interesting' packet count changes # an 'interesting' packet count changes
{ {
if [ -z "$LOGFILE" ]; then
LOGFILE=/var/log/messages
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then
g_logread="tac $LOGFILE"
else
echo "LOGFILE ($LOGFILE) does not exist!" >&2
exit 2
fi
fi
host=$(echo $g_hostname | sed 's/\..*$//') host=$(echo $g_hostname | sed 's/\..*$//')
oldrejects=$($IPTABLES -L -v -n | grep 'LOG') oldrejects=$($IPTABLES -L -v -n | grep 'LOG')
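Review bot: the eleven-line block that defaults LOGFILE and picks `g_logread` (`logread | tac` when `syslog_circular_buffer` reports a circular buffer, `tac $LOGFILE` when the file is readable, otherwise `exit 2`) is duplicated verbatim here in logwatch(), in the `log)` case of show_command() and in dump_command(); it should be one helper so the three sites cannot drift. Two smaller points in the block: `[ -r $LOGFILE ]` should be quoted, and when the circular-buffer branch is taken LOGFILE is still set to `/var/log/messages` and then printed in the `Log ($LOGFILE)` heading of `show log` even though that file is not what is being read.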
@@ -310,7 +298,7 @@ do_save() {
status=1 status=1
fi fi
case ${SAVE_IPSETS:=No} in case ${SAVE_IPSETS:=No} in
[Yy]es) [Yy]es)
case ${IPSET:=ipset} in case ${IPSET:=ipset} in
*/*) */*)
@@ -357,7 +345,7 @@ save_config() {
local result local result
result=1 result=1
iptables_save=${IPTABLES}-save iptables_save=${IPTABLES}-save
[ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2 [ -x $iptables_save ] || echo "$iptables-save does not exist or is not executable" >&2
@@ -497,7 +485,7 @@ show_command() {
fatal_error "Invalid table name ($s)" fatal_error "Invalid table name ($s)"
;; ;;
esac esac
option= option=
shift shift
;; ;;
@@ -553,20 +541,6 @@ show_command() {
;; ;;
log) log)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
if [ -z "$LOGFILE" ]; then
LOGFILE=/var/log/messages
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then
g_logread="tac $LOGFILE"
else
echo "LOGFILE ($LOGFILE) does not exist!" >&2
exit 2
fi
fi
echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
echo echo
show_reset show_reset
@@ -729,7 +703,7 @@ show_command() {
;; ;;
esac esac
fi fi
if [ $# -gt 0 ]; then if [ $# -gt 0 ]; then
if [ $1 = dynamic -a $# -gt 1 ]; then if [ $1 = dynamic -a $# -gt 1 ]; then
@@ -745,7 +719,7 @@ show_command() {
exit 1 exit 1
fi fi
done done
echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
echo echo
show_reset show_reset
@@ -807,19 +781,6 @@ dump_command() {
esac esac
done done
if [ -z "$LOGFILE" ]; then
LOGFILE=/var/log/messages
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then
g_logread="tac $LOGFILE"
else
echo "LOGFILE ($LOGFILE) does not exist!" >&2
exit 2
fi
fi
g_ipt_options="$g_ipt_options $g_ipt_options1" g_ipt_options="$g_ipt_options $g_ipt_options1"
[ $VERBOSITY -lt 2 ] && VERBOSITY=2 [ $VERBOSITY -lt 2 ] && VERBOSITY=2
@@ -829,7 +790,7 @@ dump_command() {
clear_term clear_term
echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
echo echo
show_reset show_reset
host=$(echo $g_hostname | sed 's/\..*$//') host=$(echo $g_hostname | sed 's/\..*$//')
$IPTABLES -L $g_ipt_options $IPTABLES -L $g_ipt_options
@@ -873,7 +834,7 @@ dump_command() {
heading "PFKEY SPD" heading "PFKEY SPD"
setkey -DP setkey -DP
heading "PFKEY SAD" heading "PFKEY SAD"
setkey -D | grep -Ev '^[[:space:]](A:|E:)' # Don't divulge the keys setkey -D | grep -Ev '^[[:space:]](A:|E:)' # Don't divulge the keys
fi fi
heading "/proc" heading "/proc"
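Review bot: the key redaction in `setkey -D | grep -Ev '^[[:space:]](A:|E:)'` is what keeps IPsec authentication and encryption keys out of a dump that is typically posted for support, so it deserves a comment explaining what it strips; as written the pattern matches exactly one leading whitespace character before `A:` or `E:`, so if setkey indents those lines by more than one character the lines pass through unfiltered. `'^[[:space:]]+(A:|E:)'` would not depend on the indentation width.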
@@ -1066,10 +1027,6 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
chain=$1 chain=$1
local finished local finished
finished=$2 finished=$2
local which
which='-s'
local range
range='--src-range'
if ! chain_exists dynamic; then if ! chain_exists dynamic; then
echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2 echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
@@ -1081,31 +1038,19 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
while [ $# -gt 0 ]; do while [ $# -gt 0 ]; do
case $1 in case $1 in
from)
which='-s'
range='--src-range'
shift
continue
;;
to)
which='-d'
range='--dst-range'
shift
continue
;;
*-*) *-*)
qt $IPTABLES -D dynamic -m iprange $range $1 -j reject qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject
qt $IPTABLES -D dynamic -m iprange $range $1 -j DROP qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP
qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop
$IPTABLES -A dynamic -m iprange $range $1 -j $chain || break 1 $IPTABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
;; ;;
*) *)
qt $IPTABLES -D dynamic $which $1 -j reject qt $IPTABLES -D dynamic -s $1 -j reject
qt $IPTABLES -D dynamic $which $1 -j DROP qt $IPTABLES -D dynamic -s $1 -j DROP
qt $IPTABLES -D dynamic $which $1 -j logreject qt $IPTABLES -D dynamic -s $1 -j logreject
qt $IPTABLES -D dynamic $which $1 -j logdrop qt $IPTABLES -D dynamic -s $1 -j logdrop
$IPTABLES -A dynamic $which $1 -j $chain || break 1 $IPTABLES -A dynamic -s $1 -j $chain || break 1
;; ;;
esac esac
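Review bot: in the `*-*)` branch any argument containing a hyphen is treated as an IP range and handed unquoted to `iptables -m iprange $range $1` without any format check, so a mistyped address such as `10.0.0.1-` or a stray option-looking string reaches iptables directly and the only diagnostic is iptables' own parse error; a check that the argument is two addresses joined by a single `-` before the `qt $IPTABLES -D` calls would give a clearer message. Also, `|| break 1` on the final `-A` silently abandons every remaining address on the command line without saying which one failed, so the caller cannot tell how much of the list was actually blacklisted; reporting the failing address and continuing (or exiting non-zero) would be safer for a blacklisting command. The left side's `from`/`to` keywords (selecting `-s`/`--src-range` versus `-d`/`--dst-range`) are fine, but `to` appearing as the last argument is accepted and does nothing.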
@@ -1228,7 +1173,7 @@ add_command() {
if ! qt $IPSET -L $ipset -n; then if ! qt $IPSET -L $ipset -n; then
fatal_error "Zone $zone, interface $interface is does not have a dynamic host list" fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
fi fi
host=${host#*:} host=${host#*:}
if $IPSET -A $ipset $host; then if $IPSET -A $ipset $host; then
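Review bot: the error message `Zone $zone, interface $interface is does not have a dynamic host list` has a stray "is"; the same text is repeated in delete_command() in the hunk below, so both should read "does not have a dynamic host list".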
@@ -1237,7 +1182,7 @@ add_command() {
fatal_error "Unable to add $interface:$host to zone $zone" fatal_error "Unable to add $interface:$host to zone $zone"
fi fi
done done
} }
# #
@@ -1287,7 +1232,7 @@ delete_command() {
if ! qt $IPSET -L $ipset -n; then if ! qt $IPSET -L $ipset -n; then
fatal_error "Zone $zone, interface $interface is does not have a dynamic host list" fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
fi fi
host=${hostent#*:} host=${hostent#*:}
if $IPSET -D $ipset $host; then if $IPSET -D $ipset $host; then
@@ -1296,7 +1241,7 @@ delete_command() {
echo " WARNING: Unable to delete host $hostent to zone $zone" >&2 echo " WARNING: Unable to delete host $hostent to zone $zone" >&2
fi fi
done done
} }
# #
@@ -1395,11 +1340,6 @@ allow_command() {
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
if shorewall_is_started ; then if shorewall_is_started ; then
local which
which='-s'
local range
range='--src-range'
if ! chain_exists dynamic; then if ! chain_exists dynamic; then
echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2 echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
exit 2 exit 2
@@ -1409,21 +1349,11 @@ allow_command() {
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
case $1 in case $1 in
from)
which='-s'
range='--src-range'
continue
;;
to)
which='-d'
range='--dst-range'
continue
;;
*-*) *-*)
if qt $IPTABLES -D dynamic -m iprange $range $1 -j reject ||\ if qt $IPTABLES -D dynamic -m iprange --src-range $1 -j reject ||\
qt $IPTABLES -D dynamic -m iprange $range $1 -j DROP ||\ qt $IPTABLES -D dynamic -m iprange --src-range $1 -j DROP ||\
qt $IPTABLES -D dynamic -m iprange $range $1 -j logdrop ||\ qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logdrop ||\
qt $IPTABLES -D dynamic -m iprange $range $1 -j logreject qt $IPTABLES -D dynamic -m iprange --src-range $1 -j logreject
then then
echo "$1 Allowed" echo "$1 Allowed"
else else
@@ -1431,10 +1361,10 @@ allow_command() {
fi fi
;; ;;
*) *)
if qt $IPTABLES -D dynamic $which $1 -j reject ||\ if qt $IPTABLES -D dynamic -s $1 -j reject ||\
qt $IPTABLES -D dynamic $which $1 -j DROP ||\ qt $IPTABLES -D dynamic -s $1 -j DROP ||\
qt $IPTABLES -D dynamic $which $1 -j logdrop ||\ qt $IPTABLES -D dynamic -s $1 -j logdrop ||\
qt $IPTABLES -D dynamic $which $1 -j logreject qt $IPTABLES -D dynamic -s $1 -j logreject
then then
echo "$1 Allowed" echo "$1 Allowed"
else else
@@ -1463,9 +1393,9 @@ logwatch_command() {
case $option in case $option in
-*) -*)
option=${option#-} option=${option#-}
[ -z "$option" ] && usage 1 [ -z "$option" ] && usage 1
while [ -n "$option" ]; do while [ -n "$option" ]; do
case $option in case $option in
v*) v*)
@@ -1496,7 +1426,7 @@ logwatch_command() {
;; ;;
esac esac
done done
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
if [ $# -eq 1 ]; then if [ $# -eq 1 ]; then
@@ -1519,10 +1449,6 @@ determine_capabilities() {
exit 1 exit 1
fi fi
[ "$IP" = ip -o -z "$IP" ] && IP=$(which ip)
[ -n "$IP" -a -x "$IP" ] || IP=
[ "$TC" = tc -o -z "$TC" ] && TC=$(which tc) [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
[ -n "$TC" -a -x "$TC" ] || TC= [ -n "$TC" -a -x "$TC" ] || TC=
@@ -1542,7 +1468,6 @@ determine_capabilities() {
RECENT_MATCH= RECENT_MATCH=
OWNER_MATCH= OWNER_MATCH=
IPSET_MATCH= IPSET_MATCH=
OLD_IPSET_MATCH=
CONNMARK= CONNMARK=
XCONNMARK= XCONNMARK=
CONNMARK_MATCH= CONNMARK_MATCH=
@@ -1575,8 +1500,6 @@ determine_capabilities() {
LOG_TARGET=Yes LOG_TARGET=Yes
PERSISTENT_SNAT= PERSISTENT_SNAT=
FLOW_FILTER= FLOW_FILTER=
FWMARK_RT_MASK=
MARK_ANYWHERE=
chain=fooX$$ chain=fooX$$
@@ -1686,13 +1609,9 @@ determine_capabilities() {
qt ipset -X $chain # Just in case something went wrong the last time qt ipset -X $chain # Just in case something went wrong the last time
if qt ipset -N $chain iphash ; then if qt ipset -N $chain iphash ; then
if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
IPSET_MATCH=Yes
elif qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
IPSET_MATCH=Yes IPSET_MATCH=Yes
OLD_IPSET_MATCH=Yes
fi fi
qt ipset -X $chain qt ipset -X $chain
fi fi
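Review bot: capability detection calls the bare `ipset` binary (`qt ipset -X $chain`, `qt ipset -N $chain iphash`) while the rest of the CLI honours the configurable path (`case ${IPSET:=ipset}` in do_save(), `$IPSET -A $ipset $host` in add_command(), and the `IPSET=` setting in shorewall.conf); on a host where ipset is not on the default PATH or the admin has pointed IPSET at a specific binary, IPSET_MATCH will be reported as absent even though the configured ipset works. Use `$IPSET` here too. The left side's ordering (try `--match-set` first, fall back to `--set` and record OLD_IPSET_MATCH only on the fallback) is the right way round for preferring the newer syntax.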
@@ -1705,7 +1624,7 @@ determine_capabilities() {
if [ -z "$HASHLIMIT_MATCH" ]; then if [ -z "$HASHLIMIT_MATCH" ]; then
qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
HASHLIMIT_MATCH=$OLD_HL_MATCH HASHLIMIT_MATCH=$OLD_HL_MATCH
fi fi
qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
@@ -1714,7 +1633,6 @@ determine_capabilities() {
qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
qt $IPTABLES -A $chain -j LOG || LOG_TARGET= qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
qt $IPTABLES -F $chain qt $IPTABLES -F $chain
qt $IPTABLES -X $chain qt $IPTABLES -X $chain
@@ -1722,7 +1640,6 @@ determine_capabilities() {
qt $IPTABLES -X $chain1 qt $IPTABLES -X $chain1
[ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
[ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
CAPVERSION=$SHOREWALL_CAPVERSION CAPVERSION=$SHOREWALL_CAPVERSION
KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
@@ -1758,10 +1675,7 @@ report_capabilities() {
report_capability "IP range Match" $IPRANGE_MATCH report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH report_capability "Owner Match" $OWNER_MATCH
if [ -n "$IPSET_MATCH" ]; then report_capability "Ipset Match" $IPSET_MATCH
report_capability "Ipset Match" $IPSET_MATCH
[ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
fi
report_capability "CONNMARK Target" $CONNMARK report_capability "CONNMARK Target" $CONNMARK
[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
report_capability "Connmark Match" $CONNMARK_MATCH report_capability "Connmark Match" $CONNMARK_MATCH
@@ -1793,8 +1707,6 @@ report_capabilities() {
report_capability "Persistent SNAT" $PERSISTENT_SNAT report_capability "Persistent SNAT" $PERSISTENT_SNAT
report_capability "TPROXY Target" $TPROXY_TARGET report_capability "TPROXY Target" $TPROXY_TARGET
report_capability "FLOW Classifier" $FLOW_FILTER report_capability "FLOW Classifier" $FLOW_FILTER
report_capability "fwmark route mask" $FWMARK_RT_MASK
report_capability "Mark in any table" $MARK_ANYWHERE
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1826,7 +1738,6 @@ report_capabilities1() {
report_capability1 RECENT_MATCH report_capability1 RECENT_MATCH
report_capability1 OWNER_MATCH report_capability1 OWNER_MATCH
report_capability1 IPSET_MATCH report_capability1 IPSET_MATCH
report_capability1 OLD_IPSET_MATCH
report_capability1 CONNMARK report_capability1 CONNMARK
report_capability1 XCONNMARK report_capability1 XCONNMARK
report_capability1 CONNMARK_MATCH report_capability1 CONNMARK_MATCH
@@ -1858,9 +1769,7 @@ report_capabilities1() {
report_capability1 PERSISTENT_SNAT report_capability1 PERSISTENT_SNAT
report_capability1 TPROXY_TARGET report_capability1 TPROXY_TARGET
report_capability1 FLOW_FILTER report_capability1 FLOW_FILTER
report_capability1 FWMARK_RT_MASK
report_capability1 MARK_ANYWHERE
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION echo KERNELVERSION=$KERNELVERSION
} }

View File

@@ -45,17 +45,17 @@ get_script_version() { # $1 = script
temp=$(echo $temp) temp=$(echo $temp)
IFS=$ifs IFS=$ifs
digits=0 digits=0
for temp in $temp; do for temp in $temp; do
version=${version}$(printf '%02d' $temp) version=${version}$(printf '%02d' $temp)
digits=$(($digits + 1)) digits=$(($digits + 1))
[ $digits -eq 3 ] && break [ $digits -eq 3 ] && break
done done
fi fi
echo $version echo $version
} }
# #
# Do required exports or create the required option string and run the passed script using # Do required exports or create the required option string and run the passed script using
# $SHOREWALL_SHELL # $SHOREWALL_SHELL
@@ -66,7 +66,7 @@ run_it() {
local version local version
export VARDIR export VARDIR
script=$1 script=$1
shift shift
@@ -82,7 +82,7 @@ run_it() {
export PURGE=$g_purge export PURGE=$g_purge
export TIMESTAMP=$g_timestamp export TIMESTAMP=$g_timestamp
export RECOVERING=$g_recovering export RECOVERING=$g_recovering
if [ "$g_product" != Shorewall ]; then if [ "$g_product" != Shorewall ]; then
# #
# Shorewall Lite # Shorewall Lite
@@ -94,12 +94,7 @@ run_it() {
# #
# 4.4.8 or later -- no additional exports required # 4.4.8 or later -- no additional exports required
# #
if [ x$1 = xtrace -o x$1 = xdebug ]; then options='-'
options="$1 -"
shift;
else
options='-'
fi
[ -n "$g_noroutes" ] && options=${options}n [ -n "$g_noroutes" ] && options=${options}n
[ -n "$g_timestamp" ] && options=${options}t [ -n "$g_timestamp" ] && options=${options}t
@@ -110,7 +105,7 @@ run_it() {
[ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE" [ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
fi fi
$SHOREWALL_SHELL $script $options $@ $SHOREWALL_SHELL $script $options $@
} }
@@ -514,13 +509,9 @@ find_file()
# #
# Set the Shorewall state # Set the Shorewall state
# #
set_state () # $1 = state $2 set_state () # $1 = state
{ {
if [ $# -gt 1 ]; then echo "$1 ($(date))" > ${VARDIR}/state
echo "$1 ($(date)) from $2" > ${VARDIR}/state
else
echo "$1 ($(date))" > ${VARDIR}/state
fi
} }
# #

View File

@@ -1,275 +1,16 @@
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
S H O R E W A L L 4 . 4 . 1 3 . 1 S H O R E W A L L 4 . 4 . 1 0
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE I. RELEASE 4.4 HIGHLIGHTS
II. KNOWN PROBLEMS REMAINING II. MIGRATION ISSUES
III. NEW FEATURES IN THIS RELEASE III. PROBLEMS CORRECTED IN THIS RELEASE
IV. RELEASE 4.4 HIGHLIGHTS IV. KNOWN PROBLEMS REMAINING
V. MIGRATION ISSUES V. NEW FEATURES IN THIS RELEASE
VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E I. R E L E A S E 4 . 4 H I G H L I G H T S
----------------------------------------------------------------------------
4.4.13.1
1) Previously, messages to the STARTUP_LOG had inconsistent date formats.
2) The blacklisting change in 4.4.13 was broken in some simple
configurations with the effect that blacklisting was not enabled.
4.4.13
1) Under rare circumstances where COMMENT is used to attach comments
to rules, OPTIMIZE 8 through 15 could result in invalid
iptables-restore (ip6tables-restore) input.
2) Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
could result in invalid iptables-restore (ip6tables-restore) input.
3) The change in 4.4.12 to detect and use the new ipset match syntax
broke the ability to detect the old ipset match capability. Now,
both versions of the capability can be correctly detected.
4) Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
if the last optional interface tested was not available.
5) Exclusion in the blacklist file was correctly validated but was then
ignored when generating iptables (ip6tables) rules.
6) Previously, non-trivial exclusion (more than one excluded
address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
valid but incorrect iptables input. This has been corrected but
requires that your iptables/kernel support marking rules in any
Netfilter table (CONTINUE in the tcrules file does not require this
support).
This fix implements a new 'Mark in any table' capability; those
who utilize a capabilities file should re-generate the file using
this release.
7) Interface handling has been extensively modified in this release
to correct a number of problems with the earlier
implementation. Among those problems:
- Invalid shell variable names could be generated in the firewall
script. The generated firewall script uses shell variables to
track the availability of optional and required interfaces and
to record detected gateways, detected addresses, etc.
- The same shell variable name could be generated by two different
interface names.
- Entries in the interfaces file with a wildcard physical name
(physical name ends with "+") and with the 'optional' option were
handled strangely.
o If there were references to specific interfaces that matched
the wildcard, those entries were handled as if they had been
defined as optional in the interfaces file.
o If there were no references matching the wildcard, then the
'optional' option was effectively ignored.
The new implementation:
- Insures valid shell variable names.
- Insures that shell variable names are unique.
- Handles interface names appearing in the INTERFACE column of the
providers file as a special case for 'optional'. If the name
matches a wildcard entry in the interfaces file then the
usability of the specific interface is tracked individually.
- Handles the availabilty of other interfaces matching a wildcard
as a group; if there is one useable interface in the group then
the wildcard itself is considered usable.
The following example illustrates this use case:
/etc/shorewall/interfaces
net ppp+ - optional
/etc/shorewall/shorewall.conf
REQUIRE_INTERFACE=Yes
If there is any usable PPP interface then the firewall will be
allowed to start. Previously, the firewall would never be allowed
to start.
8) When a comma-separated list of 'src' and/or 'dst' was specified in
an ipset invocation (e.g., "+fooset[src,src]), all but the first 'src'
or 'dst' was previously ignored when generating the resulting
iptables rule.
9) Beginning with Shorewall 4.4.9, the SAME target in tcrules has
generated invalid iptables (ip6tables) input. That target now
generates correct input.
10) Ipsets associated with 'dynamic' zones were being created during
'restart' but not during 'start'.
11) To work around an issue in Netfilter/iptables, Shorewall now uses
state match rather than conntrack match for UNTRACKED state
matching.
12) If the routestopped files contains NOTRACK rules, 'shorewall* clear'
did not clear the raw table.
13) An error message was incorrectly generated if a port range of the
form :<port> (e.g., :22) appeared.
14) An error is now generated if '*' appears in an interface name.
----------------------------------------------------------------------------
I I. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
1) On systems running Upstart, shorewall-init cannot reliably start the
firewall before interfaces are brought up.
----------------------------------------------------------------------------
I I I. N E W F E A T U R E S I N T H I S R E L E A S E
----------------------------------------------------------------------------
1) Entries in the rules file (both Shorewall and Shorewall6) may now
contain zone lists in the SOURCE and DEST column. A zone list is a
comma-separated list of zone names where each name appears in the
zones file. A zone list may be optionally followed by a plus sign
("+") to indicate that the rule should apply to intra-zone traffic
as well as to inter-zone traffic.
Zone lists behave like 'all' and 'any' with respect to Optimization
1. If the rule matches the applicable policy for a given (source
zone, dest zone), then the rule will be suppessed for that pair of
zones unless overridden by the '!' suffix on the target in the
ACTION column (e.g., ACCEPT!, DROP!:info, etc.).
Additionally, 'any', 'all' and zone lists may be qualified in the
same way as a single zone.
Examples:
fw,dmz:90.90.191.120/29
all:+blacklist
The 'all' and 'any' keywords now support exclusion in the form of a
comma-separated list of excluded zones.
Examples:
all!fw (same as all-).
any+!dmz,loc (All zones except 'dmz' and 'loc' and
include intra-zone rules).
2) An IPSEC column has been added to the accounting file, allowing you
to segregate IPSEC traffic from non-IPSEC traffic. See 'man
shorewall-accounting' (man shorewall6-accounting) for details.
With this change, there are now three trees of accounting chains:
- The one rooted in the 'accounting' chain.
- The one rooted in the 'accipsecin' chain. This tree handles
traffic that has been decrypted on the firewall. Rules in this
tree cannot specify an interface name in the DEST column.
- The one rooted in the 'accipsecout' chain. This tree handles
traffic that will be encrypted on the firewall. Rules in this
tree cannot specify an interface name in the SOURCE column.
In reality, when there are bridges defined in the configuration,
there is a fourth tree rooted in the 'accountout' chain. That chain
handles traffic that originates on the firewall (both IPSEC and
non-IPSEC).
This change also implements a couple of new warnings:
- WARNING: Adding rule to unreferenced accounting chain <name>
The first reference to user-defined accounting chain <name> is
not a JUMP or COUNT from an already-defined chain.
- WARNING: Accounting chain <name> has o references
The named chain contains accounting rules but no JUMP or COUNT
specifies that chain as the target.
3) Shorewall now supports the SECMARK and CONNSECMARK targets for
manipulating the SELinux context of packets.
See the shorewall-secmarks and shorewall6-secmarks manpages for
details.
As part of this change, the tcrules file now accepts $FW in the
DEST column for marking packets in the INPUT chain.
4) Blacklisting has undergone considerable change in Shorewall 4.4.13.
a) Blacklisting is now based on zones rather than on interfaces and
host groups.
b) Near compatibility with earlier releases is maintained.
c) The keywords 'src' and 'dst' are now preferred in the OPTIONS
column in /etc/shoreawll/blacklist, replacing 'from' and 'to'
respectively. The old keywords are still supported.
d) The 'blacklist' keyword may now appear in the OPTIONS,
IN_OPTIONS and OUT_OPTIONS fields in /etc/shorewall/zones.
i) In the IN_OPTIONS column, it indicates that packets received
on the interface are checked against the 'src' entries in
/etc/shorewall/blacklist.
ii) In the OUT_OPTIONS column, it indicates that packets being
sent to the interface are checked against the 'dst' entries.
iii) Placing 'blacklist' in the OPTIONS column is equivalent to
placing in in both the IN_OPTIONS and OUT_OPTIONS columns.
e) The 'blacklist' option in the OPTIONS column of
/etc/shorewall/interfaces or /etc/shorewall/hosts is now
equivalent to placing it in the IN_OPTIONS column of the
associates record in /etc/shorewall/zones. If no zone is given
in the ZONE column of /etc/shorewall/interfaces, the 'blacklist'
option is ignored with a warning (it was previously ignored
silently).
f) The 'blacklist' option in the /etc/shorewall/interfaces and
/etc/shorewall/hosts files is now deprecated but will continue
to be supported for several releases. A warning will be added at
least one release before support is removed.
5) There is now an OUT-BANDWIDTH column in
/etc/shorewall/tcinterfaces.
The format of this column is:
<rate>[:[<burst>][:[<latency>][:[<peak>][:[<minburst>]]]]]
These terms are described in tc-tbf(8). Shorewall supplies default
values as follows:
<burst> = 10kb
<latency> = 200ms
The remaining options are defaulted by tc.
6) The IN-BANDWIDTH column in both /etc/shorewall/tcdevices and
/etc/shorewall/tcinterfaces now accepts an optional burst parameter.
<rate>[:<burst>]
The default <burst> is 10kb. A larger <burst> can help make the
<rate> more accurate; often for fast lines, the enforced rate is
well below the specified <rate>.
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Support for Shorewall-shell has been discontinued. Shorewall-perl 1) Support for Shorewall-shell has been discontinued. Shorewall-perl
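Review bot: typos in the 4.4.13 notes in this hunk: the warning text under item 2, 'Accounting chain <name> has o references', should read 'has no references'; '/etc/shoreawll/blacklist' under 4c should be '/etc/shorewall/blacklist'; 'placing in in both' under 4d(iii) should be 'placing it in both'; and 'associates record' under 4e should be 'associated record'. Item 4e also records a behaviour change that deserves its own callout rather than a parenthetical: a 'blacklist' option on an interface with no zone in the ZONE column is now ignored with a warning where it was previously ignored silently, so administrators who believed interface-level blacklisting was active should look for that warning at compile time after upgrading.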
@@ -315,7 +56,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
11) Support for netfilter's TRACE facility has been added. TRACE allows 11) Support for netfilter's TRACE facility has been added. TRACE allows
you to trace selected packets through Netfilter, including marking you to trace selected packets through Netfilter, including marking
by tcrules. by tcrules.
12) You may now preview the generated ruleset by using the '-r' option 12) You may now preview the generated ruleset by using the '-r' option
to the 'check' command (e.g., "shorewall check -r"). to the 'check' command (e.g., "shorewall check -r").
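Review bot: no visible content change in this hunk: the header counts 7 lines on each side and every line shown is identical in both columns, so the difference is presumably a blank line or trailing whitespace. The same is true of several later 7-line hunks in this diff (-420,7, -447,7, -748,7 and others). If these are whitespace-only edits, saying so in the commit message would save readers from hunting for a wording change in each one.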
@@ -326,14 +67,8 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
15) TPROXY support has been added. 15) TPROXY support has been added.
16) Explicit support for Linux-vserver has been added. It is now
possible to define sub-zones of $FW.
17) A 'Universal' sample configuration is now availale for a
'plug-and-play' firewall.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
V. M I G R A T I O N I S S U E S I I. M I G R A T I O N I S S U E S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) If you are currently using Shorewall-shell: 1) If you are currently using Shorewall-shell:
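Review bot: 'availale' in highlight 17 should be 'available'. Dropping highlights 16 (Linux-vserver sub-zones of $FW) and 17 (the 'Universal' sample configuration) is consistent with the removal of the corresponding 4.4.11 and 4.4.12 feature entries in the -473,264 hunk further down, but the Migration Issues heading is renumbered here from V. to I I., so the remaining section headings in the file should be checked for the same numbering scheme.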
@@ -420,7 +155,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
8) The install.sh scripts in the Shorewall and Shorewall6 packages no 8) The install.sh scripts in the Shorewall and Shorewall6 packages no
longer create a backup copy of the existing configuration. If you longer create a backup copy of the existing configuration. If you
want your configuration backed up prior to upgrading, you will want your configuration backed up prior to upgrading, you will
need to do that yourself. need to do that yourself.
As part of this change, the fallback.sh scripts are no longer As part of this change, the fallback.sh scripts are no longer
released. released.
@@ -447,7 +182,7 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
explicitly call the module's 'initialize' function after the module explicitly call the module's 'initialize' function after the module
has been loaded. has been loaded.
12) Checking for zone membership has been tighened up. Previously, 12) Checking for zone membership has been tighened up. Previously,
a zone could contain <interface>:0.0.0.0/0 along with other hosts; a zone could contain <interface>:0.0.0.0/0 along with other hosts;
now, if the zone has <interface>:0.0.0.0/0 (even with exclusions), now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
then it may have no additional members in /etc/shorewall/hosts. then it may have no additional members in /etc/shorewall/hosts.
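Review bot: 'tighened' in item 12 should be 'tightened'. The identical sentence, with the identical typo, appears as item 8 of the 4.4.2 problems-corrected list in the -1899,7 hunk below; both copies are unchanged context on each side of this diff, so they need a separate edit that fixes them together.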
@@ -473,264 +208,16 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
iface_ADDRESSES SW_iface_ADDRESSES iface_ADDRESSES SW_iface_ADDRESSES
iface_NETWORKS SW_iface_NETWORKS iface_NETWORKS SW_iface_NETWORKS
iface_MAC SW_iface_MAC iface_MAC SW_iface_MAC
provider_IS_USABLE SW_provider_IS_USABLE provider_IS_USABLE SW_provider_IS_USABLE
where 'iface' is a capitalized interface name (e.g., ETH0) and where 'iface' is a capitalized interface name (e.g., ETH0) and
'provider' is the capitalized name of a provider. 'provider' is the capitalized name of a provider.
15) Support for the OPTIONS column in /etc/shorewall/blacklist
(/etc/shorewall6/blacklist) has been removed. Blacklisting by
destination IP address will be included in a later Shorewall
release.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
I N P R I O R R E L E A S E S
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 2
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Previously, the Shorewall6-lite version of shorecap was using
iptables rather than ip6tables, with the result that many capabilities
that are only available in IPv4 were being reported as available.
2) In a number of cases, Shorewall6 generated incorrect rules
involving the IPv6 multicast network. The rules specified
ff00::/10 where they should have specified ff00::/8. Also, rules
instantiated when the firewall was stopped used ff80::/10 rather
than fe80::/10 (IPv6 Link Local network).
3) Previously, using a destination port-range with :random produced a
fatal compilation error in REDIRECT rules.
4) A number of problems associated with Shorewall-init and Upstart
have been corrected.
If you use Shorewall-init, then when upgrading to this version, be
sure to recompile all firewall scripts before you take interfaces
down or reboot.
5) Previously, the Shorewall installer (install.sh) failed to install
/usr/share/shorewall/configfiles/Makefile and rather issued the
following message:
install-file: command not found
This caused the Makefile to be omitted from RPMs as well.
6) When 'any' was used in the SOURCE column, a duplicate rule was
generated in all "fw2*" ("fw-* if ZONE2ZONE="-"). If 'any' was used
in the DEST column, then a duplicate rule appeared in all "*2fw"
(*-fw) chains.
7) A port range that omitted the first port number (e.g., ":80") was
rejected with the following error:
ERROR: Invalid/Unknown tcp port/service (0) : ......
8) AUTOMAKE=Yes has been broken for some time. It is now working
correctly.
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 1 2
----------------------------------------------------------------------------
1) Support has been added for ADD and DEL rules in
/etc/shorewall/rules. ADD allows either the SOURCE or DESTINATION
IP address to be added to an ipset; DEL deletes an address
previously added.
2) Per-ip log rate limiting has been added in the form of the LOGLIMIT
option in shorewall.conf. When LOGLIMIT is specified, LOGRATE and
LOGBURST are ignored.
LOGRATE and LOGBURST are now deprecated.
LOGLIMIT value format is [{s|d}:]<rate>[/<unit>][:<burst>]
If the value starts with 's:' then logging is limited per source
IP. If the value starts with 'd:', then logging is limited per
destination IP. Otherwise, the overall logging rate is limited.
<unit> is one of sec, min, hour, day.
If <burst> is not specified, then a value of 5 is assumed.
3) The sample configurations now include a 'Universal' configuration
that will start on any system and protect that system while
allowing the system to forward traffic.
As part of this change, several additional features were added:
- You may now specify "physical=+" in the interfaces file.
- A 'COMPLETE' option is added to shorewall.conf and
shorewall6.conf. When you set this option to Yes, you are
asserting that the configuration is complete so that your set of
zones encompasses any hosts that can send or receive traffic
to/from/through the firewall. This causes Shorewall to omit the
rules that catch packets in which the source or destination IP
address is outside of any of your zones. Default is No. It is
recommended that this option only be set to Yes if:
o You have defined an interface whose effective physical setting
is '+'
o That interface is assigned to a zone.
o You have no CONTINUE policies or rules.
4) 'icmp' is now accepted as a synonym for 'ipv6-icmp' in IPv6
compilations.
5) Shorewall now detects the presence of a recent ipset iptables
module and uses its new syntax. This avoids a warning on iptables
1.4.9. This change involves a new capabilities file version so if
you use a capabilities file, be sure to regenerate it with 4.4.12
shorewall-lite or shorewall6-lite.
6) Blacklisting can now be done by destination IP address as well as
by source address.
The /etc/shorewall/blacklist and /etc/shorewall6/blacklist files
now have an optional OPTIONS column. Initially, this column can
contain either 'from' (the default) or 'to'; the latter causes the
address(es) in the ADDRESS/SUBNET column to be interpreted as a
DESTINATION address rather than a source address.
Note that static blacklisting is still restricted to traffic
ARRIVING on an interface that has the 'blacklist' option set. So to
block traffic from your local network to an internet host, you must
specify 'blacklist' on your internal interface.
Similarly, dynamic blacklisting has been enhanced to recognize the
'from' and 'to' keywords.
Example:
shorewall drop to 1.2.3.4
This command will silently drop connection requests to1.2.3.4.
The reciprocal of that command would be:
shorewall allow to 1.2.3.4
7) The status command now displays the directory containing the .conf
file (shorewall.conf or shorewall6.conf) when the running
configuration was compiled.
Example:
gateway:/etc/shorewall# shorewall status
Shorewall-4.4.12-RC1 Status at gateway - Thu Aug 12 19:41:51 PDT 2010
Shorewall is running
State:Started (Thu Aug 12 19:41:48 PDT 2010) from /etc/shorewall/
gateway:/etc/shorewall#
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 1
----------------------------------------------------------------------------
1) The IPv6 allowBcast action generated an invalid rule.
2) If IPSET=<pathname> was specified in shorewall.conf, then when an
ipset was used in a configuration file entry, the following
fatal compilation error occurred:
ERROR: ipset names in Shorewall configuration files require Ipset
Match in your kernel and iptables : /etc/shorewall/rules (line nn)
If you applied the workaround given in the "Known Problems", then
you should remove /etc/shorewall/capabilities after installing
this fix.
3) The start priority of shorewall-init on Debian and Debian-based
distributions was previously too low, making it start too late.
4) The log output from IPv6 logs was almost unreadable due to display
of IPv6 addresses in uncompressed format. A similar problem
occurred with 'shorewall6 show connections'. This update makes the
displays much clearer at the expense of opening the slight
possibility of two '::' sequences being incorrectly shown in the
same address.
5) The new REQUIRE_INTERFACE was inadvertently omitted from
shorewall.conf and shorewall6.conf. It has been added.
6) Under some versions of Perl, a Perl run-time diagnostic was produced
when options were omitted from shorewall.conf or shorewall6.conf.
7) If the following options were specified in /etc/shorewall/interfaces
for an interface with '-' in the ZONE column, then these options
would be ignored if there was an entry in the hosts file for the
interface with an explicit or implicit 0.0.0.0/0 (0.0.0.0/0 is
implied when the host list begins with '!').
blacklist
maclist
nosmurfs
tcpflags
Note: for IPv6, the network is ::/0 rather than 0.0.0.0/0.
8) The generated script was missing a closing quote when
REQUIRE_INTERFACE=Yes.
9) Previously, if nets= was specified under Shorewall6, this error
would result:
ERROR: Invalid IPv6 address (224.0.0.0) :
/etc/shorewall6/interfaces (line 16)
----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 1 1
----------------------------------------------------------------------------
1) Beginning with this release, Shorewall supports a 'vserver'
zone type. This zone type is used with Shorewall running on a
Linux-vserver host system and allows you to define zones that
represent a set of Linux-vserver hosts.
See http://www.shorewall.net/Vserver.html for details.
2) A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
and shorewall6.conf.
Traditionally, Shorewall has cleared the packet mark in the first
rule in the mangle FORWARD chain. This behavior is maintained with
the default setting (FORWARD_CLEAR_MARK=Yes). If the new option is
set to No, packet marks set in the PREROUTING chain are retained in
the FORWARD chains.
As part of this change, a new "fwmark route mask" capability has
been added. If your version of iproute2 supports this capability,
fwmark routing rules may specify a mask to be applied to the mark
prior to comparison with the mark value in the rule. The presence
of this capability allows Shorewall to relax the restriction that
small mark values may not be set in the PREROUTING chain when
HIGH_ROUTE_MARKS is in effect. If you take advantage of this
capability, be sure that you logically OR mark values in PREROUTING
makring rules rather then simply setting them unless you are able
to set both the high and low bits in the mark in a single rule.
As always when a new capability has been introduced, be sure to
regenerate your capabilities file(s) after installing this release.
3) A new column (NET3) has been added to the /etc/shorewall/netmap
file. This new column can qualify the INTERFACE column by
specifying a SOURCE network (DNAT rule) or DEST network (SNAT rule)
associated with the interface.
4) To accomodate systems with more than one version of Perl installed,
the shorewall.conf and shorewall6.conf files now support a PERL
option. If the program specified by that option does not exist or
is not executable, Shorewall (and Shorewall6) fall back to
/usr/bin/perl.
----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 1 0
----------------------------------------------------------------------------
1) Startup Errors (those that are detected before the state of the 1) Startup Errors (those that are detected before the state of the
system has been altered), were previously not sent to the system has been altered), were previously not sent to the
STARTUP_LOG. STARTUP_LOG.
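Review bot: typos in the 4.4.12 and 4.4.11 text in this hunk: 'to1.2.3.4' in the dynamic blacklisting example under 4.4.12 new feature 6 should be 'to 1.2.3.4'; 'makring rules rather then' under 4.4.11 new feature 2 should be 'marking rules rather than'; and 'accomodate' under 4.4.11 new feature 4 should be 'accommodate'. One substantive point on the LOGLIMIT entry (4.4.12 new feature 2): it states that LOGRATE and LOGBURST are ignored whenever LOGLIMIT is set, but not whether the compiler warns when both are present in shorewall.conf. An administrator carrying an old LOGRATE setting forward could believe the previous rate limit still applies when it does not, so the note should say whether a warning is issued, and the deprecation sentence should say which release will drop LOGRATE and LOGBURST.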
@@ -748,7 +235,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
3) Under rare circumstances involving a complex configuration, 3) Under rare circumstances involving a complex configuration,
OPTIMIZE=13 and OPTIMIZE=15 could cause invalid iptables-restore OPTIMIZE=13 and OPTIMIZE=15 could cause invalid iptables-restore
input to be generated. input to be generated.
Sample error message: Sample error message:
@@ -776,8 +263,16 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
This configuration now works correctly. This configuration now works correctly.
5) The 'forget' command now correctly removes saved ipsets.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 1 0 I V. K N O W N P R O B L E M S R E M A I N I N G
----------------------------------------------------------------------------
None.
----------------------------------------------------------------------------
V. N E W F E A T U R E S I N T H I S R E L E A S E
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Shorewall 4.4.10 includes a new 'Shorewall Init' package. This new 1) Shorewall 4.4.10 includes a new 'Shorewall Init' package. This new
@@ -816,7 +311,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
b) be sure that your current firewall script(s) (normally in b) be sure that your current firewall script(s) (normally in
/var/lib/<product>/firewall) is(are) compiled with the 4.4.10 /var/lib/<product>/firewall) is(are) compiled with the 4.4.10
compiler. compiler.
Shorewall and Shorewall6 users can execute these commands: Shorewall and Shorewall6 users can execute these commands:
@@ -853,8 +348,8 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
On Debian-based systems, set startup=0 in /etc/default/<product>. On Debian-based systems, set startup=0 in /etc/default/<product>.
On other systems, use your service startup configuration tool On other systems, use your service startup configuration tool
(chkconfig, insserv, ...) to disable startup. (chkconfig, insserv, ...) to disable startup.
The following actions occur when an interface comes up: The following actions occur when an interface comes up:
FIREWALL INTERFACE ACTION FIREWALL INTERFACE ACTION
@@ -915,8 +410,16 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
shorewall-lite: 4.4.10-RC1 shorewall-lite: 4.4.10-RC1
shorewall6-lite: 4.4.10-RC1 shorewall6-lite: 4.4.10-RC1
shorewall-init: 4.4.10-RC1 shorewall-init: 4.4.10-RC1
gateway:~# gateway:~#
3) Beginning with this release, the 'restart' and 'refresh' commands
now retain the contents of the dynamic blacklist as well as the
current UPnP rules. The dynamic blacklist is also preserved over
stop/start.
----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 9 P R O B L E M S C O R R E C T E D I N 4 . 4 . 9
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
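Review bot: item 3 says the dynamic blacklist now survives 'restart', 'refresh' and stop/start, but not how an administrator discards the saved contents. Entries added with 'shorewall drop' (documented in the 4.4.12 section of this diff) therefore become persistent across restarts, so the note should state the command that clears them and whether the 4.4.10 'forget' entry (which this diff says now removes saved ipsets) also covers the saved dynamic blacklist. It should also say whether the saved chain contents are restored unchanged when the firewall configuration has been edited in between, since a stale saved blacklist silently re-applied after a configuration change is easy to miss.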
@@ -990,7 +493,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
/etc/shorewall/masq: /etc/shorewall/masq:
#INTERFACE SOURCE ADDRESS PROTO PORT #INTERFACE SOURCE ADDRESS PROTO PORT
tun0 192.168.1.0/24 tun0 192.168.1.0/24
Use of tunN in the nat and netmap files also produced invalid Use of tunN in the nat and netmap files also produced invalid
iptables-restore input. iptables-restore input.
@@ -1032,7 +535,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I - Inserted a rule into a chain. I - Inserted a rule into a chain.
T - Shell source text appended/inserted into a chain -- T - Shell source text appended/inserted into a chain --
converted into rules at run-time. converted into rules at run-time.
D - Deleted Rule from a chain; note that this causes the D - Deleted Rule from a chain; note that this causes the
following rules to be renumbered. following rules to be renumbered.
X - Deleted a chain X - Deleted a chain
P - Change a built-in chains policy. Chains in the filter table P - Change a built-in chains policy. Chains in the filter table
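Review bot: 'Change a built-in chains policy' in the P entry should read "Change a built-in chain's policy", and 'Deleted Rule from a chain' in the D entry should use lower-case 'rule' to match the other entries in the legend. Both lines are unchanged context on each side of this diff.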
@@ -1047,7 +550,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Netfilter trace records indicate the table and chain being Netfilter trace records indicate the table and chain being
changed. If the change involves a particular rule, then the rule changed. If the change involves a particular rule, then the rule
number is also included. number is also included.
Example (append the first rule to the filter FORWARD chain): Example (append the first rule to the filter FORWARD chain):
@@ -1077,7 +580,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
/etc/shorewall/interfaces: /etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS #ZONE INTERFACE BROADCAST OPTIONS
dummy br0 - routeback dummy br0 - routeback
/etc/shorewall/policy: /etc/shorewall/policy:
#SOURCE DEST POLICY #SOURCE DEST POLICY
dummy all DROP dummy all DROP
@@ -1103,7 +606,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
P R O B L E M S C O R R E C T E D I N 4 . 4 . 9 P R O B L E M S C O R R E C T E D I N 4 . 4 . 9
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) A CONTINUE rule specifying a log level would cause the compiler to 1) A CONTINUE rule specifying a log level would cause the compiler to
generate an incorrect rule sequence. The packet would be logged generate an incorrect rule sequence. The packet would be logged
but the CONTINUE action would not occur. but the CONTINUE action would not occur.
@@ -1135,7 +638,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
1/2 of the values given in the rule. 1/2 of the values given in the rule.
5) Detection of the 'Old hashlimit match' capability was broken in 5) Detection of the 'Old hashlimit match' capability was broken in
/sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of
shorecap. shorecap.
6) On older distributions such as RHEL5 and derivatives, Shorewall 6) On older distributions such as RHEL5 and derivatives, Shorewall
@@ -1143,7 +646,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
/etc/shorewall/tcinterfaces and LOAD_HELPERS_ONLY had been /etc/shorewall/tcinterfaces and LOAD_HELPERS_ONLY had been
specified in /etc/shorewall/shorewall.conf. specified in /etc/shorewall/shorewall.conf.
7) The Debian init scripts are modified to include $remote_fs in the 7) The Debian init scripts are modified to include $remote_fs in the
Required-start and Required-stop specifications. Required-start and Required-stop specifications.
8) Previously, when a supported command failed, the Debian Shorewall 8) Previously, when a supported command failed, the Debian Shorewall
@@ -1207,7 +710,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
VERBOSE VERBOSE
VERBOSE_OFFSET VERBOSE_OFFSET
VERSION VERSION
See Migration Issue 14 above for additional information. See Migration Issue 14 above for additional information.
2) The Shorewall and Shorewall6 installers now accept a '-s' (sparse) 2) The Shorewall and Shorewall6 installers now accept a '-s' (sparse)
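Review bot: 'See Migration Issue 14 above' is a numbered cross-reference, and the Migration Issues list changes length in this diff (item 15, on removal of the /etc/shorewall/blacklist OPTIONS column, is present on only one side in the -473,264 hunk). Confirm that item 14 still resolves to the iface_/provider_ variable-renaming entry that precedes item 15 there, on whichever side this paragraph ends up.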
@@ -1231,7 +734,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Resulting error message Resulting error message
ERROR: The separator for a port range is ':', not '-' (21-22) : ERROR: The separator for a port range is ':', not '-' (21-22) :
/etc/shorewall/rules (line 3) /etc/shorewall/rules (line 3)
5) Support has been added for UDPLITE (proto 136) in that DEST PORT(S) 5) Support has been added for UDPLITE (proto 136) in that DEST PORT(S)
@@ -1242,7 +745,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
'status' command now gives the detailed status as 'Restored from 'status' command now gives the detailed status as 'Restored from
<filename>' rather than 'Started'; <filename> is the saved script <filename>' rather than 'Started'; <filename> is the saved script
used to restore the configuration. used to restore the configuration.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
P R O B L E M S C O R R E C T E D I N 4 . 4 . 7 P R O B L E M S C O R R E C T E D I N 4 . 4 . 7
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
@@ -1251,7 +754,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
installer and are included in the rpm. installer and are included in the rpm.
2) An invalid octal number (e.g., 080) appearing in a port list 2) An invalid octal number (e.g., 080) appearing in a port list
resulted in a perl error message. resulted in a perl error message.
As part of this fix, both hex and octal numbers are now accepted As part of this fix, both hex and octal numbers are now accepted
for protocol and port numbers. for protocol and port numbers.
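Review bot: item 2 says an invalid octal number such as 080 in a port list used to produce a Perl error, and that hex and octal are now accepted for protocol and port numbers, but it does not say what 080 does now: whether it is rejected with a clear compile error or read as decimal 80. A port list silently reinterpreted under a different radix would open or close the wrong port, so the note should state the behaviour for leading-zero values that are not valid octal.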
@@ -1316,7 +819,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
f) If a chain ends with an unconditional branch to a second chain f) If a chain ends with an unconditional branch to a second chain
(other than to 'reject'), then the branch is deleted from the (other than to 'reject'), then the branch is deleted from the
first chain and the rules from the second chain are appended first chain and the rules from the second chain are appended
to it. to it.
The following chains are exempted from optimization 4: The following chains are exempted from optimization 4:
@@ -1373,7 +876,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Modules loaded when LOAD_HELPERS_ONLY=Yes are the protocol Modules loaded when LOAD_HELPERS_ONLY=Yes are the protocol
helpers. These cannot be autoloaded. helpers. These cannot be autoloaded.
In addition, the nf_conntrack_sip module is loaded with In addition, the nf_conntrack_sip module is loaded with
sip_direct_media=0. This setting is slightly less secure than sip_direct_media=0. This setting is slightly less secure than
sip_direct_media=1, but it solves many VOIP problems that users sip_direct_media=1, but it solves many VOIP problems that users
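Review bot: 'slightly less secure than sip_direct_media=1' should say what is relaxed, namely which endpoints the SIP conntrack helper will open media expectations for when sip_direct_media=0, so an administrator can judge the trade-off. Because this hunk states that the helper is loaded with that setting whenever LOAD_HELPERS_ONLY=Yes, the note should also say how a site that does not need the relaxation keeps the kernel default.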
@@ -1406,7 +909,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
the setting of net.ipv4.config.all.rp_filter. the setting of net.ipv4.config.all.rp_filter.
Beginning with kernel 2.6.31, the value is the arithmetic MAX of Beginning with kernel 2.6.31, the value is the arithmetic MAX of
those two values. those two values.
Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if Given that Shorewall sets net.ipv4.config.all.rp_filter to 1 if
there are any interfaces specifying 'routefilter', specifying there are any interfaces specifying 'routefilter', specifying
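Review bot: the sysctl is written 'net.ipv4.config.all.rp_filter' twice in this hunk and again in the following -1438,7 hunk; the kernel key is net.ipv4.conf.all.rp_filter, so a reader who copies the name as written will find it does not exist under /proc/sys. These are unchanged context lines on both sides of the diff, so the correction needs a separate edit covering all three occurrences.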
@@ -1438,7 +941,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Keep - Shorewall does not change the setting of Keep - Shorewall does not change the setting of
net.ipv4.config.all.rp_filter if the kernel version net.ipv4.config.all.rp_filter if the kernel version
is 2.6.31 or later. is 2.6.31 or later.
The default remains Keep. The default remains Keep.
e) The 'routefilter' interface option can have values 0,1 or 2. If e) The 'routefilter' interface option can have values 0,1 or 2. If
@@ -1513,7 +1016,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
2) If any interfaces had the 'bridge' option specified, compilation 2) If any interfaces had the 'bridge' option specified, compilation
failed with the error: failed with the error:
Undefined subroutine &Shorewall::Rules::match_source_interface called Undefined subroutine &Shorewall::Rules::match_source_interface called
at /usr/share/shorewall/Shorewall/Rules.pm line 2319. at /usr/share/shorewall/Shorewall/Rules.pm line 2319.
3) The compiler now flags port number 0 as an error in all 3) The compiler now flags port number 0 as an error in all
@@ -1541,7 +1044,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
9) The 'reload -c' command would ignore the setting of DONT_LOAD in 9) The 'reload -c' command would ignore the setting of DONT_LOAD in
shorewall.conf. The 'reload' command without '-c' worked as shorewall.conf. The 'reload' command without '-c' worked as
expected. expected.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S I N 4 . 4 . 5 N E W F E A T U R E S I N 4 . 4 . 5
@@ -1627,7 +1130,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
/etc/shorewall/zones: /etc/shorewall/zones:
#ZONE TYPE #ZONE TYPE
fw firewall fw firewall
world ipv4 world ipv4
z1:world bport4 z1:world bport4
@@ -1760,7 +1263,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
STARTUP_LOG=/var/log/shorewall-init.log STARTUP_LOG=/var/log/shorewall-init.log
LOG_VERBOSITY=2 LOG_VERBOSITY=2
The effect is much the same as the old defaults, with the exception The effect is much the same as the old defaults, with the exception
that: that:
a) Start, stop, etc. commands issued through /sbin/shorewall a) Start, stop, etc. commands issued through /sbin/shorewall
@@ -1768,7 +1271,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
b) Logging will occur at maximum verbosity. b) Logging will occur at maximum verbosity.
c) Log entries will be date/time stamped. c) Log entries will be date/time stamped.
On non-Debian systems, new installs will now log all Shorewall On non-Debian systems, new installs will now log all Shorewall
commands to /var/log/shorewall-init.log. commands to /var/log/shorewall-init.log.
2) A new TRACK_PROVIDERS option has been added in shorewall.conf. 2) A new TRACK_PROVIDERS option has been added in shorewall.conf.
@@ -1786,9 +1289,9 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
P R O B L E M S C O R R E C T E D I N 4 . 4 . 2 P R O B L E M S C O R R E C T E D I N 4 . 4 . 2
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Detection of Persistent SNAT was broken in the rules compiler. 1) Detection of Persistent SNAT was broken in the rules compiler.
2) Initialization of the compiler's chain table was occurring before 2) Initialization of the compiler's chain table was occurring before
shorewall.conf had been read and before the capabilities had been shorewall.conf had been read and before the capabilities had been
determined. This could lead to incorrect rules and Perl runtime determined. This could lead to incorrect rules and Perl runtime
errors. errors.
@@ -1840,14 +1343,14 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
N E W F E A T U R E S I N 4 . 4 . 2 N E W F E A T U R E S I N 4 . 4 . 2
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
1) Prior to this release, line continuation has taken precedence over 1) Prior to this release, line continuation has taken precedence over
#-style comments. This prevented us from doing the following: #-style comments. This prevented us from doing the following:
ACCEPT net:206.124.146.176,\ #Gateway ACCEPT net:206.124.146.176,\ #Gateway
206.124.146.177,\ #Mail 206.124.146.177,\ #Mail
206.124.146.178\ #Server 206.124.146.178\ #Server
... ...
Now, unless a line ends with '\', any trailing comment is stripped Now, unless a line ends with '\', any trailing comment is stripped
off (including any white-space preceding the '#'). Then if the line off (including any white-space preceding the '#'). Then if the line
ends with '\', it is treated as a continuation line as normal. ends with '\', it is treated as a continuation line as normal.
@@ -1899,7 +1402,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
7) MULTICAST=Yes generates an incorrect rule that limits its 7) MULTICAST=Yes generates an incorrect rule that limits its
effectiveness to a small part of the multicast address space. effectiveness to a small part of the multicast address space.
8) Checking for zone membership has been tighened up. Previously, 8) Checking for zone membership has been tighened up. Previously,
a zone could contain <interface>:0.0.0.0/0 along with other hosts; a zone could contain <interface>:0.0.0.0/0 along with other hosts;
now, if the zone has <interface>:0.0.0.0/0 (even with exclusions), now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
then it may have no additional members in /etc/shorewall/hosts. then it may have no additional members in /etc/shorewall/hosts.
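Review bot: typo in the release-notes context of this hunk, item 8: "tighened" should read "tightened".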
@@ -1923,7 +1426,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
eth0 0.0.0.0/0 206.124.146.177-206.124.146.179:persistent eth0 0.0.0.0/0 206.124.146.177-206.124.146.179:persistent
This feature requires Persistent SNAT support in your kernel and This feature requires Persistent SNAT support in your kernel and
iptables. iptables.
If you use a capabilities file, you will need to create a new one If you use a capabilities file, you will need to create a new one
as a result of this feature. as a result of this feature.
@@ -1936,7 +1439,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
iptables when asked. iptables when asked.
2) A 'clean' target has been added to the Makefiles. It removes backup 2) A 'clean' target has been added to the Makefiles. It removes backup
files (*~ and .*~). files (*~ and .*~).
3) The meaning of 'full' has been redefined when used in the context 3) The meaning of 'full' has been redefined when used in the context
of a traffic shaping sub-class. Previously, 'full' always meant the of a traffic shaping sub-class. Previously, 'full' always meant the
@@ -2072,7 +1575,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
As always, /var/lib/shorewall[6] is the default directory which may As always, /var/lib/shorewall[6] is the default directory which may
be overridden using the /etc/shorewall[6]/vardir file. be overridden using the /etc/shorewall[6]/vardir file.
5) Dynamic zone support is once again available for IPv4. This support 5) Dynamic zone support is once again available for IPv4. This support
is built on top of ipsets so you must have the xtables-addons is built on top of ipsets so you must have the xtables-addons
installed on the firewall system. installed on the firewall system.
@@ -2090,7 +1593,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
- By specifying <interface>:dynamic in the HOST(S) column of an - By specifying <interface>:dynamic in the HOST(S) column of an
entry for the zone in /etc/shorewall/hosts. entry for the zone in /etc/shorewall/hosts.
When there are any dynamic zones present in your configuration, When there are any dynamic zones present in your configuration,
Shorewall (Shorewall-lite) will: Shorewall (Shorewall-lite) will:
a) Execute the following commands during 'shorewall start' or a) Execute the following commands during 'shorewall start' or
@@ -2099,7 +1602,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
ipset -U :all: :all: ipset -U :all: :all:
ipset -U :all: :default: ipset -U :all: :default:
ipset -F ipset -F
ipset -X ipset -X
ipset -R < ${VARDIR}/ipsets.save ipset -R < ${VARDIR}/ipsets.save
where $VARDIR normally contains /var/lib/shorewall where $VARDIR normally contains /var/lib/shorewall
@@ -2192,7 +1695,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
gateway:~ # shorewall restart gateway:~ # shorewall restart
Restarting Shorewall.... Restarting Shorewall....
done. done.
gateway:~ # gateway:~ #
In other words, you can compile the current configuration then In other words, you can compile the current configuration then
install it at a later time. install it at a later time.
@@ -2242,8 +1745,8 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
This previously generated these two rules (long rules folded): This previously generated these two rules (long rules folded):
-A loc2net -p 6 --dport 25 -j LOG --log-level 6 -A loc2net -p 6 --dport 25 -j LOG --log-level 6
--log-prefix "Shorewall:loc2net:reject:" --log-prefix "Shorewall:loc2net:reject:"
-A loc2net -p 6 --dport 25 -j reject -A loc2net -p 6 --dport 25 -j reject
It now generates these rules: It now generates these rules:
@@ -2252,8 +1755,8 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
-A loc2net -p 6 --dport 25 -g log0 -A loc2net -p 6 --dport 25 -g log0
... ...
-A log0 -j LOG --log-level 6 -A log0 -j LOG --log-level 6
--log-prefix "Shorewall:loc2net:REJECT:" --log-prefix "Shorewall:loc2net:REJECT:"
-A log0 -j reject -A log0 -j reject
Notice that now there is only a single rule generated in the Notice that now there is only a single rule generated in the
'loc2net' chain where before there were two. Packets for other than 'loc2net' chain where before there were two. Packets for other than
@@ -2353,7 +1856,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
It is important to realize that, while class IDs are composed of a It is important to realize that, while class IDs are composed of a
<major> and a <minor> value, the set of <minor> values must be <major> and a <minor> value, the set of <minor> values must be
unique. You must keep this in mind when deciding how to map IP unique. You must keep this in mind when deciding how to map IP
addresses to class IDs. addresses to class IDs.
For example, suppose that your internal network is 192.168.1.0/29 For example, suppose that your internal network is 192.168.1.0/29
(host IP addresses 192.168.1.1 - 192.168.1.6). Your first notion (host IP addresses 192.168.1.1 - 192.168.1.6). Your first notion
@@ -2466,7 +1969,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
1:100 - 16mbit 20mbit 2 1:100 - 16mbit 20mbit 2
1:100:101 - 8mbit 20mbit 3 default 1:100:101 - 8mbit 20mbit 3 default
1:100:102 - 8mbit 20mbit 3 1:100:102 - 8mbit 20mbit 3
/etc/shorewall/tcrules /etc/shorewall/tcrules
#MARK SOURCE DEST #MARK SOURCE DEST
@@ -2482,7 +1985,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
Local traffic (that coming from the firewall and from the DMZ Local traffic (that coming from the firewall and from the DMZ
server) is placed in the effectively unrestricted class 1:10. The server) is placed in the effectively unrestricted class 1:10. The
default class is guaranteed half of the download capacity and my default class is guaranteed half of the download capacity and my
work system (172.20.1.107) is guarandeed the other half. work system (172.20.1.107) is guarandeed the other half.
19) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing 19) Support for the "Hierarchical Fair Service Curve" (HFSC) queuing
discipline has been added. HFSC is claimed to be superior to the discipline has been added. HFSC is claimed to be superior to the
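Review bot: typo in the release-notes context of this hunk: "guarandeed" (the work system 172.20.1.107 sentence) should read "guaranteed".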
@@ -2510,7 +2013,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
in the class should experience. The delay is expressed in the class should experience. The delay is expressed
in milliseconds and may be followed by 'ms' (e.g., in milliseconds and may be followed by 'ms' (e.g.,
10ms. Note that there may be no white space between the 10ms. Note that there may be no white space between the
number and 'ms'). number and 'ms').
3. The maximum transmission unit (UMAX) for this class of 3. The maximum transmission unit (UMAX) for this class of
traffic. If not specified, the MTU of the interface is traffic. If not specified, the MTU of the interface is
used. The length is specified in bytes and may be used. The length is specified in bytes and may be
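Review bot: the parenthetical in item 2 of this hunk opens at "(e.g.," and only closes after the whole "Note that there may be no white space between the number and 'ms'" sentence; closing it right after "10ms" and making the note its own sentence reads more naturally.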
@@ -2593,7 +2096,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
25) A new extension script, 'lib.private' has been added. This file is 25) A new extension script, 'lib.private' has been added. This file is
intended to include declarations of shell functions that will be intended to include declarations of shell functions that will be
called by the other run-time extension scripts. called by the other run-time extension scripts.
26) Paul Gear has contributed the following macros: 26) Paul Gear has contributed the following macros:
@@ -2670,7 +2173,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
If flow is not supported, you will see: If flow is not supported, you will see:
Unknown filter "flow", hence option "help" is unparsable Unknown filter "flow", hence option "help" is unparsable
If your kernel supports module autoloading, just type (as root): If your kernel supports module autoloading, just type (as root):
modprobe cls_flow modprobe cls_flow
@@ -2679,7 +2182,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
see: see:
FATAL: Module cls_flow not found. FATAL: Module cls_flow not found.
If your kernel is not modularized or does not support module If your kernel is not modularized or does not support module
autoloading, look at your kernel configuration (either autoloading, look at your kernel configuration (either
/proc/config.gz or the .config file in /proc/config.gz or the .config file in
@@ -2687,7 +2190,7 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
If 'flow' is supported, you will see: If 'flow' is supported, you will see:
NET_CLS_FLOW=m NET_CLS_FLOW=m
or or
@@ -2695,4 +2198,4 @@ V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
For modularized kernels, Shorewall will attempt to load For modularized kernels, Shorewall will attempt to load
/lib/modules/<kernel-version>/net/sched/cls_flow.ko by default. /lib/modules/<kernel-version>/net/sched/cls_flow.ko by default.

View File

@@ -32,7 +32,7 @@
# $1 = Yes: read the params file # $1 = Yes: read the params file
# $2 = Yes: check for STARTUP_ENABLED # $2 = Yes: check for STARTUP_ENABLED
# $3 = Yes: Check for LOGFILE # $3 = Yes: Check for LOGFILE
# #
get_config() { get_config() {
local prog local prog
@@ -47,7 +47,7 @@ get_config() {
fi fi
config=$(find_file shorewall.conf) config=$(find_file shorewall.conf)
if [ -f $config ]; then if [ -f $config ]; then
if [ -r $config ]; then if [ -r $config ]; then
. $config . $config
@@ -61,21 +61,21 @@ get_config() {
fi fi
ensure_config_path ensure_config_path
if [ -z "$g_export" -a "$(id -u)" = 0 ]; then if [ -z "$g_export" -a "$(id -u)" = 0 ]; then
# #
# This block is avoided for compile for export and when the user isn't root # This block is avoided for compile for export and when the user isn't root
# #
if [ "$3" = Yes ]; then if [ "$3" = Yes ]; then
if [ -n "$LOGFILE" ]; then [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac" if [ -n "$(syslog_circular_buffer)" ]; then
elif [ -r $LOGFILE ]; then g_logread="logread | tac"
g_logread="tac $LOGFILE" elif [ -r $LOGFILE ]; then
else g_logread="tac $LOGFILE"
echo "LOGFILE ($LOGFILE) does not exist!" >&2 else
exit 2 echo "LOGFILE ($LOGFILE) does not exist!" >&2
fi exit 2
fi fi
fi fi
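Review bot: the right-hand side of this hunk first defaults LOGFILE to /var/log/messages and then exits 2 when there is neither a syslog circular buffer nor a readable file at that path, so every command that calls get_config with `$3 = Yes` now fails hard on a host whose syslog writes somewhere else, where the left-hand side simply skipped the block when LOGFILE was unset. Suggest either downgrading the message to a warning and leaving g_logread empty, so that only the commands that actually read the log fail, or at least documenting the new hard requirement. While here, `[ -r $LOGFILE ]` should quote the variable: `[ -r "$LOGFILE" ]`.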
@@ -109,7 +109,7 @@ get_config() {
IP=$prog IP=$prog
;; ;;
esac esac
else else
IP='ip' IP='ip'
fi fi
@@ -130,7 +130,7 @@ get_config() {
IPSET=$prog IPSET=$prog
;; ;;
esac esac
else else
IPSET='ipset' IPSET='ipset'
fi fi
@@ -151,7 +151,7 @@ get_config() {
TC=$prog TC=$prog
;; ;;
esac esac
else else
TC='tc' TC='tc'
fi fi
# #
@@ -196,7 +196,7 @@ get_config() {
;; ;;
esac esac
[ -z "$LOGFORMAT" ] && LOGFORMAT='Shorewall:%s.%s' [ -z "$LOGFORMAT" ] && LOGFORMAT='Shorewall:%s.%s'
[ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}" [ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
@@ -222,7 +222,7 @@ get_config() {
else else
STARTUP_LOG= STARTUP_LOG=
LOG_VERBOSITY=-1 LOG_VERBOSITY=-1
fi fi
if [ -n "$SHOREWALL_SHELL" ]; then if [ -n "$SHOREWALL_SHELL" ]; then
if [ ! -x "$SHOREWALL_SHELL" ]; then if [ ! -x "$SHOREWALL_SHELL" ]; then
@@ -313,7 +313,7 @@ startup_error() {
# Run the compiler # Run the compiler
# #
compiler() { compiler() {
if [ $(id -u) -ne 0 ]; then if [ $(id -u) -ne 0 ]; then
if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then
startup_error "Ordinary users may not compile the /etc/shorewall configuration" startup_error "Ordinary users may not compile the /etc/shorewall configuration"
@@ -338,10 +338,10 @@ compiler() {
[ -n "$g_profile" ] && debugflags='-wd:DProf' [ -n "$g_profile" ] && debugflags='-wd:DProf'
# Perl compiler only takes the output file as a argument # Perl compiler only takes the output file as a argument
[ "$1" = debug -o "$1" = trace ] && shift; [ "$1" = debug -o "$1" = trace ] && shift;
[ "$1" = nolock ] && shift; [ "$1" = nolock ] && shift;
shift shift
options="--verbose=$VERBOSITY" options="--verbose=$VERBOSITY"
[ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG" [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
@@ -356,20 +356,11 @@ compiler() {
# #
# Run the appropriate params file # Run the appropriate params file
# #
set -a; set -a;
run_user_exit params run_user_exit params
set +a set +a
if [ -n "$PERL" ]; then perl $debugflags /usr/share/shorewall/compiler.pl $options $@
if [ ! -x "$PERL" ]; then
echo " WARNING: The program specified in the PERL option does not exist or is not executable; falling back to /usr/bin/perl" >&2
PERL=/usr/bin/perl
fi
else
PERL=/usr/bin/perl
fi
$PERL $debugflags /usr/share/shorewall/compiler.pl $options $@
} }
# #
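Review bot: the right-hand side invokes `perl` through a PATH lookup, dropping both the PERL option and the absolute /usr/bin/perl fallback that the left-hand side keeps. compiler() is what runs against /etc/shorewall as root (the `id -u` check at the top of the function), so resolving the interpreter from PATH is a weaker guarantee than a fixed path; keep at least the absolute default, e.g. `${PERL:-/usr/bin/perl} $debugflags /usr/share/shorewall/compiler.pl $options "$@"`, which also quotes the argument list that both sides currently pass unquoted.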
@@ -486,7 +477,7 @@ start_command() {
export RESTOREFILE export RESTOREFILE
if ! make -qf ${CONFDIR}/Makefile; then if make -qf ${CONFDIR}/Makefile; then
g_fast= g_fast=
AUTOMAKE= AUTOMAKE=
fi fi
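Review bot: removing the `!` inverts this check. `make -q` exits 0 when the targets are up to date and non-zero when something needs remaking, so the right-hand `if make -qf ${CONFDIR}/Makefile; then g_fast=; AUTOMAKE=; fi` clears fast mode exactly when nothing has changed and leaves it in place when the configuration files are newer than the compiled script, which is the situation AUTOMAKE exists to catch. The left-hand `if ! make -qf ${CONFDIR}/Makefile; then` is the form that matches that intent; please confirm the inversion is deliberate.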
@@ -546,7 +537,7 @@ compile_command() {
t*) t*)
g_test=Yes g_test=Yes
option=${option#t} option=${option#t}
;; ;;
d*) d*)
g_debug=Yes; g_debug=Yes;
option=${option#d} option=${option#d}
@@ -764,7 +755,7 @@ restart_command() {
fi fi
fi fi
if [ -z "$g_fast" ]; then if [ -z "$g_fast" ]; then
progress_message3 "Compiling..." progress_message3 "Compiling..."
if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
@@ -783,7 +774,7 @@ restart_command() {
rc=$? rc=$?
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
fi fi
return $rc return $rc
} }
@@ -967,7 +958,7 @@ safe_commands() {
else else
${VARDIR}/.$command clear ${VARDIR}/.$command clear
fi fi
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
echo "New configuration has been rejected and the old one restored" echo "New configuration has been rejected and the old one restored"
@@ -998,7 +989,7 @@ try_command() {
echo "Directory $1 does not exist" >&2 && exit 2 echo "Directory $1 does not exist" >&2 && exit 2
fi fi
fi fi
SHOREWALL_DIR=$(resolve_file $1) SHOREWALL_DIR=$(resolve_file $1)
} }
@@ -1041,7 +1032,7 @@ try_command() {
2) 2)
handle_directory $1 handle_directory $1
timeout=$2 timeout=$2
case $timeout in case $timeout in
*[!0-9]*) *[!0-9]*)
echo " ERROR: Invalid timeout ($timeout)" >&2; echo " ERROR: Invalid timeout ($timeout)" >&2;
exit 1 exit 1
@@ -1093,12 +1084,12 @@ try_command() {
if ${VARDIR}/.$command $command && [ -n "$timeout" ]; then if ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
sleep $timeout sleep $timeout
if [ "$command" = "restart" ]; then if [ "$command" = "restart" ]; then
${VARDIR}/.try restore ${VARDIR}/.try restore
else else
${VARDIR}/.$command clear ${VARDIR}/.$command clear
fi fi
fi fi
[ -n "$nolock" ] || mutex_off [ -n "$nolock" ] || mutex_off
@@ -1115,7 +1106,7 @@ rsh_command() {
rcp_command() { rcp_command() {
files="$1" files="$1"
destination=$2 destination=$2
eval $RCP_COMMAND eval $RCP_COMMAND
} }
@@ -1256,12 +1247,12 @@ reload_command() # $* = original arguments less the command.
export_command() # $* = original arguments less the command. export_command() # $* = original arguments less the command.
{ {
local verbose local verbose
verbose=$(make_verbose) verbose=$(make_verbose)
local file local file
file= file=
local finished local finished
finished=0 finished=0
local directory local directory
local target local target
while [ $finished -eq 0 -a $# -gt 0 ]; do while [ $finished -eq 0 -a $# -gt 0 ]; do
@@ -1464,7 +1455,7 @@ while [ $finished -eq 0 ]; do
;; ;;
v*) v*)
option=${option#v} option=${option#v}
case $option in case $option in
-1*) -1*)
g_use_verbosity=-1 g_use_verbosity=-1
option=${option#-1} option=${option#-1}
@@ -1551,7 +1542,7 @@ version_command() {
[ $# -gt 0 ] && usage 1 [ $# -gt 0 ] && usage 1
echo $SHOREWALL_VERSION echo $SHOREWALL_VERSION
if [ -n "$all" ]; then if [ -n "$all" ]; then
for product in shorewall6 shorewall-lite shorewall6-lite shorewall-init; do for product in shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
if [ -f /usr/share/$product/version ]; then if [ -f /usr/share/$product/version ]; then
@@ -1579,7 +1570,7 @@ g_timestamp=
[ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${VARDIR:=/var/lib/shorewall}" ]
if [ ! -f ${VARDIR}/firewall ]; then if [ ! -f ${VARDIR}/firewall ]; then
[ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall [ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall
fi fi
g_firewall=${VARDIR}/firewall g_firewall=${VARDIR}/firewall
@@ -1631,17 +1622,17 @@ case "$COMMAND" in
get_config get_config
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
[ -x $g_firewall ] || fatal_error "Shorewall has never been started" [ -x $g_firewall ] || fatal_error "Shorewall has never been started"
[ -n "$nolock" ] || mutex_on mutex_on
run_it $g_firewall $g_debugging $COMMAND run_it $g_firewall $g_debugging $nolock $COMMAND
[ -n "$nolock" ] || mutex_off mutex_off
;; ;;
reset) reset)
get_config get_config
shift shift
[ -n "$nolock" ] || mutex_on mutex_on
[ -x $g_firewall ] || fatal_error "Shorewall has never been started" [ -x $g_firewall ] || fatal_error "Shorewall has never been started"
run_it $g_firewall $g_debugging reset $@ run_it $g_firewall $g_debugging $nolock reset $@
[ -n "$nolock" ] || mutex_off mutex_off
;; ;;
compile) compile)
get_config Yes get_config Yes
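Review bot: the right-hand side takes mutex_on/mutex_off unconditionally while still passing $nolock down to the firewall script through run_it. If nolock signals that the caller already holds the lock, acquiring it again here is where a hang or lock failure would come from, so the `[ -n "$nolock" ] || mutex_on` guard from the left-hand side should stay. Separately, in the `reset)` branch the lock is taken before `[ -x $g_firewall ] || fatal_error "Shorewall has never been started"`, so that failure path exits with the mutex held unless fatal_error releases it; moving the executable check ahead of mutex_on, as the first branch already does, avoids that.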
@@ -1930,7 +1921,7 @@ case "$COMMAND" in
else else
fatal_error "Shorewall is not started" fatal_error "Shorewall is not started"
fi fi
;; ;;
noiptrace) noiptrace)
get_config get_config
shift shift
@@ -1940,7 +1931,7 @@ case "$COMMAND" in
else else
fatal_error "Shorewall is not started" fatal_error "Shorewall is not started"
fi fi
;; ;;
*) *)
usage 1 usage 1
;; ;;

View File

@@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 4.4.13 %define version 4.4.10
%define release 1 %define release 0base
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@@ -105,51 +105,13 @@ fi
%attr(0644,root,root) %{_mandir}/man5/* %attr(0644,root,root) %{_mandir}/man5/*
%attr(0644,root,root) %{_mandir}/man8/* %attr(0644,root,root) %{_mandir}/man8/*
%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
%changelog %changelog
* Wed Sep 22 2010 Tom Eastep tom@shorewall.net * Tue Jun 08 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta6
* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta5
* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta4
* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta3
* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta2
* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta1
* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0base
* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0RC1
* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta4
* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta3
* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta2
* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta1
* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base - Updated to 4.4.10-0base
* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC3
* Fri Jun 04 2010 Tom Eastep tom@shorewall.net * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2 - Updated to 4.4.10-0RC2
* Thu May 27 2010 Tom Eastep tom@shorewall.net * Thu May 27 2010 Tom Eastep tom@shorewall.net

View File

@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.13.1 VERSION=4.4.10
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@@ -33,7 +33,7 @@
# #
interface_is_up() { interface_is_up() {
[ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ] [ -n "$(/sbin/ip link list dev $1 2> /dev/null | /bin/grep -e '[<,]UP[,>]')" ]
} }
case $# in case $# in
@@ -57,4 +57,4 @@ done
exit 1 exit 1

View File

@@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.13.1 VERSION=4.4.10
usage() # $1 = exit status usage() # $1 = exit status
{ {
@@ -350,13 +350,7 @@ if [ -z "$DESTDIR" ]; then
if [ -n "$first_install" ]; then if [ -n "$first_install" ]; then
if [ -n "$DEBIAN" ]; then if [ -n "$DEBIAN" ]; then
run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite
ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
if [ -x /sbin/insserv ]; then
insserv /etc/init.d/shorewall6-lite
else
ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
fi
echo "Shorewall6 Lite will start automatically at boot" echo "Shorewall6 Lite will start automatically at boot"
else else
if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
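Review bot: the right-hand side replaces the `if [ -x /sbin/insserv ]` branch with a bare `ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite`. Without `-f` that command fails with "File exists" whenever the link is already present, and on a Debian system that is managed by insserv the rcS.d symlink is not the registration path the non-Debian branch just below still tests for. Suggest keeping the insserv-aware form, or at minimum `ln -sf`, so a re-run of the installer does not abort at this line.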

View File

@@ -58,7 +58,7 @@ g_product="Shorewall Lite"
SHOREWALL_VERSION=$(cat /usr/share/shorewall6-lite/version) SHOREWALL_VERSION=$(cat /usr/share/shorewall6-lite/version)
[ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables) [ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich iptables)
VERBOSITY=0 VERBOSITY=0
load_kernel_modules No load_kernel_modules No
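Review bot: `IP6TABLES=$(mywhich iptables)` on the right-hand side resolves the IPv4 binary into the IPv6 variable. Every `$IP6TABLES` invocation in shorewall6-lite would then be operating on the IPv4 tables, which does not fail but silently shows or changes the wrong rule set. This should stay `IP6TABLES=$(mywhich ip6tables)` as on the left-hand side.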

View File

@@ -615,9 +615,7 @@ case "$COMMAND" in
stop|reset|clear) stop|reset|clear)
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
verify_firewall_script verify_firewall_script
[ -n "$nolock" ] || mutex_on run_it $g_firewall $debugging $nolock $COMMAND
run_it $g_firewall $debugging $COMMAND
[ -n "$nolock" ] || mutex_off
;; ;;
restart) restart)
shift shift
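Review bot: with mutex_on/mutex_off removed around run_it and `$nolock` passed through instead, serialisation of stop, reset and clear now depends entirely on the generated firewall script honouring that argument and taking the lock itself. Verify that the script produced by this version's compiler does so; otherwise two concurrent invocations of these commands can interleave their iptables changes.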

View File

@@ -1,6 +1,6 @@
%define name shorewall6-lite %define name shorewall6-lite
%define version 4.4.13 %define version 4.4.10
%define release 1 %define release 0base
Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems. Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@@ -93,48 +93,10 @@ fi
%doc COPYING changelog.txt releasenotes.txt %doc COPYING changelog.txt releasenotes.txt
%changelog %changelog
* Wed Sep 22 2010 Tom Eastep tom@shorewall.net * Tue Jun 08 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta6
* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta5
* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta4
* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta3
* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta2
* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta1
* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0base
* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0RC1
* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta4
* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta3
* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta2
* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta1
* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base - Updated to 4.4.10-0base
* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC3
* Fri Jun 04 2010 Tom Eastep tom@shorewall.net * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2 - Updated to 4.4.10-0RC2
* Thu May 27 2010 Tom Eastep tom@shorewall.net * Thu May 27 2010 Tom Eastep tom@shorewall.net

View File

@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.13.1 VERSION=4.4.10
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@@ -28,11 +28,6 @@ Auth(REJECT)
# #
AllowICMPs - - ipv6-icmp AllowICMPs - - ipv6-icmp
# #
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets # Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log. # and just confuse people when they appear in the log.
# #
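Review bot: dropping `dropBcast` means broadcast packets that reach this action are no longer discarded before the rules that follow, so they will be processed, and per the removed comment logged, by the later entries. If the silent drop now happens somewhere else in this version, a one-line comment here saying so would stop the next reader from re-adding it.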

View File

@@ -20,16 +20,10 @@
# #
Auth(REJECT) Auth(REJECT)
# #
# Drop Multicasts so they don't clutter up the log # ACCEPT critical ICMP types
# (broadcasts must *not* be rejected).
# #
AllowICMPs - - ipv6-icmp AllowICMPs - - ipv6-icmp
# #
# Drop Broadcasts so they don't clutter up the log
# (broadcasts must *not* be rejected).
#
dropBcast
#
# Drop packets that are in the INVALID state -- these are usually ICMP packets # Drop packets that are in the INVALID state -- these are usually ICMP packets
# and just confuse people when they appear in the log (these ICMPs cannot be # and just confuse people when they appear in the log (these ICMPs cannot be
# rejected). # rejected).
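Review bot: the new `# ACCEPT critical ICMP types` comment describes the `AllowICMPs - - ipv6-icmp` line it sits on, which the left-hand "Drop Multicasts" text did not, so that part is an improvement. The removal of `dropBcast` further down raises the same question as in the other action file: broadcast traffic now falls through to the rules that follow instead of being dropped quietly first.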

View File

@@ -7,4 +7,4 @@
# information. # information.
# #
############################################################################### ###############################################################################
#ADDRESS/SUBNET PROTOCOL PORT OPTIONS #ADDRESS/SUBNET PROTOCOL PORT

View File

@@ -22,7 +22,7 @@
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
# #
VERSION=4.4.13.1 VERSION=4.4.10
usage() # $1 = exit status usage() # $1 = exit status
{ {
@@ -311,8 +311,8 @@ delete_file ${DESTDIR}/usr/share/shorewall6/lib.proxyarp
delete_file ${DESTDIR}/usr/share/shorewall6/lib.tc delete_file ${DESTDIR}/usr/share/shorewall6/lib.tc
delete_file ${DESTDIR}/usr/share/shorewall6/lib.tcrules delete_file ${DESTDIR}/usr/share/shorewall6/lib.tcrules
delete_file ${DESTDIR}/usr/share/shorewall6/lib.tunnels delete_file ${DESTDIR}/usr/share/shorewall6/lib.tunnels
delete_file ${DESTDIR}/usr/share/shorewall6/prog.header6 delete_file ${DESTDIR}/usr/share/shorewall6/prog.header
delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer6 delete_file ${DESTDIR}/usr/share/shorewall6/prog.footer
# #
# Install wait4ifup # Install wait4ifup
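Review bot: `delete_file` now targets prog.header and prog.footer under /usr/share/shorewall6 instead of prog.header6 and prog.footer6. If delete_file is a no-op for a name that is not present, an upgrade over an install that shipped the 6-suffixed files will leave those behind; make sure the names here match what the rest of this installer copies into /usr/share/shorewall6, or delete both spellings during the transition.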
@@ -507,16 +507,6 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/notrack ]; then
run_install $OWNERSHIP -m 0600 notrack ${DESTDIR}/etc/shorewall6/notrack run_install $OWNERSHIP -m 0600 notrack ${DESTDIR}/etc/shorewall6/notrack
echo "Notrack file installed as ${DESTDIR}/etc/shorewall6/notrack" echo "Notrack file installed as ${DESTDIR}/etc/shorewall6/notrack"
fi fi
#
# Install the Secmarks file
#
run_install $OWNERSHIP -m 0644 secmarks ${DESTDIR}/usr/share/shorewall6/configfiles/secmarks
if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/secmarks ]; then
run_install $OWNERSHIP -m 0600 secmarks ${DESTDIR}/etc/shorewall6/secmarks
echo "Secmarks file installed as ${DESTDIR}/etc/shorewall6/secmarks"
fi
# #
# Install the default config path file # Install the default config path file
# #
@@ -728,13 +718,7 @@ fi
if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
if [ -n "$DEBIAN" ]; then if [ -n "$DEBIAN" ]; then
run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6 run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6
ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
if [ -x /sbin/insserv ]; then
insserv /etc/init.d/shorewall6
else
ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
fi
echo "shorewall6 will start automatically at boot" echo "shorewall6 will start automatically at boot"
echo "Set startup=1 in /etc/default/shorewall6 to enable" echo "Set startup=1 in /etc/default/shorewall6 to enable"
touch /var/log/shorewall6-init.log touch /var/log/shorewall6-init.log
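Review bot: same point as in the shorewall6-lite installer: the bare `ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6` replaces the `insserv` branch and fails if the symlink already exists, so prefer the insserv-aware form or `ln -sf`. Also, the two echo lines that follow say both that "shorewall6 will start automatically at boot" and that startup=1 must be set in /etc/default/shorewall6 "to enable", which reads as contradictory; one of them should go or be reworded.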

View File

@@ -33,7 +33,7 @@
# #
SHOREWALL_LIBVERSION=40407 SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40413 SHOREWALL_CAPVERSION=40408
[ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${VARDIR:=/var/lib/shorewall6}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
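Review bot: SHOREWALL_CAPVERSION moves down from 40413 to 40408 while SHOREWALL_LIBVERSION stays at 40407. A capabilities file records the version it was generated under, so check how the compiler treats a file whose recorded version is newer than this constant; the release notes above already warn that a fresh capabilities file is needed when capabilities change, and a downgrade is the case such a check is least likely to handle cleanly.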

View File

@@ -134,18 +134,18 @@ syslog_circular_buffer() {
packet_log() # $1 = number of messages packet_log() # $1 = number of messages
{ {
if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
else else
$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ $g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
fi fi
} }
search_log() # $1 = IP address to search for search_log() # $1 = IP address to search for
{ {
if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
else else
$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed -r 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] //; s/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | sed s/" $host $LOGFORMAT"/" "/ $g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | grep "$1" | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
fi fi
} }
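Review bot: the IPv6 address compression on the left-hand side, `s/0000:/:/g; s/:::+/::/g; s/:0+/:/g`, is lossy: `s/:0+/:/g` turns a group that is exactly `0` into nothing, so `2001:db8:0:1::5` is displayed as `2001:db8::1::5`, which contains two `::` and no longer names an address. Strip leading zeros only when a hex digit follows (e.g. `s/:0+\([0-9a-f]\)/:\1/g`) and collapse only a single run of zero groups. Separately, search_log greps for `SRC=.*\..*DST=` on both sides, requiring a literal dot between SRC= and DST=, which a plain IPv6 log line does not contain, while packet_log correctly uses `SRC=.*:.*DST=`; searches by address will therefore return nothing for ordinary ip6tables LOG lines. Minor: the right-hand `s/\[.*\] '//` closes the quote before `//`; the shell concatenates it correctly, but it reads as a typo next to the `s/\[.*\] //'` form two lines up.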
@@ -208,19 +208,6 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
# an 'interesting' packet count changes # an 'interesting' packet count changes
{ {
if [ -z "$LOGFILE" ]; then
LOGFILE=/var/log/messages
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then
g_logread="tac $LOGFILE"
else
echo "LOGFILE ($LOGFILE) does not exist!" >&2
exit 2
fi
fi
host=$(echo $g_hostname | sed 's/\..*$//') host=$(echo $g_hostname | sed 's/\..*$//')
oldrejects=$($IP6TABLES -L -v -n | grep 'LOG') oldrejects=$($IP6TABLES -L -v -n | grep 'LOG')
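Review bot: the LOGFILE/g_logread block on the left-hand side (`if [ -z "$LOGFILE" ]; then` through the closing `fi`) is repeated verbatim here, in `show log` and in dump_command, while the right-hand side relies on get_config to set them; whichever is kept, quote the variable in `[ -r $LOGFILE ]` and `tac $LOGFILE` so a LOGFILE containing spaces cannot split into extra arguments, and keep a single copy of the logic.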
@@ -452,7 +439,7 @@ show_command() {
local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max) local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
echo echo
grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' grep '^ipv6' /proc/net/nf_conntrack
;; ;;
tos|mangle) tos|mangle)
[ $# -gt 1 ] && usage 1 [ $# -gt 1 ] && usage 1
@@ -470,20 +457,6 @@ show_command() {
;; ;;
log) log)
[ $# -gt 2 ] && usage 1 [ $# -gt 2 ] && usage 1
if [ -z "$LOGFILE" ]; then
LOGFILE=/var/log/messages
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then
g_logread="tac $LOGFILE"
else
echo "LOGFILE ($LOGFILE) does not exist!" >&2
exit 2
fi
fi
echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)" echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
echo echo
show_reset show_reset
@@ -694,19 +667,6 @@ dump_command() {
esac esac
done done
if [ -z "$LOGFILE" ]; then
LOGFILE=/var/log/messages
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac"
elif [ -r $LOGFILE ]; then
g_logread="tac $LOGFILE"
else
echo "LOGFILE ($LOGFILE) does not exist!" >&2
exit 2
fi
fi
g_ipt_options="$g_ipt_options $g_ipt_options1" g_ipt_options="$g_ipt_options $g_ipt_options1"
[ $VERBOSITY -lt 2 ] && VERBOSITY=2 [ $VERBOSITY -lt 2 ] && VERBOSITY=2
@@ -787,7 +747,7 @@ dump_command() {
report_capabilities report_capabilities
echo echo
netstat -6tunap netstat -tunap
if [ -n "$TC_ENABLED" ]; then if [ -n "$TC_ENABLED" ]; then
heading "Traffic Control" heading "Traffic Control"
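Review bot: `netstat -tunap` (right-hand side) lists IPv4 and IPv6 sockets in a shorewall6 dump, whereas `netstat -6tunap` (left) restricts the listing to IPv6, which is what this product's dump is about; keep `-6` unless the IPv4 sockets are wanted in the report. Note also that `-p` only resolves the owning program for sockets of the invoking user unless the dump runs as root.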
@@ -958,10 +918,6 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
chain=$1 chain=$1
local finished local finished
finished=$2 finished=$2
local which
which='-s'
local range
range='--src-range'
if ! chain_exists dynamic; then if ! chain_exists dynamic; then
echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2 echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
@@ -973,31 +929,19 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
while [ $# -gt 0 ]; do while [ $# -gt 0 ]; do
case $1 in case $1 in
from)
which='-s'
range='--src-range'
shift
continue
;;
to)
which='-d'
range='--dst-range'
shift
continue
;;
*-*) *-*)
qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject
qt $IP6TABLES -D dynamic -m iprange $range $1 -j DROP qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j DROP
qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject
qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop
$IP6TABLES -A dynamic -m iprange $range $1 -j $chain || break 1 $IP6TABLES -A dynamic -m iprange --src-range $1 -j $chain || break 1
;; ;;
*) *)
qt $IP6TABLES -D dynamic $which $1 -j reject qt $IP6TABLES -D dynamic -s $1 -j reject
qt $IP6TABLES -D dynamic $which $1 -j DROP qt $IP6TABLES -D dynamic -s $1 -j DROP
qt $IP6TABLES -D dynamic $which $1 -j logreject qt $IP6TABLES -D dynamic -s $1 -j logreject
qt $IP6TABLES -D dynamic $which $1 -j logdrop qt $IP6TABLES -D dynamic -s $1 -j logdrop
$IP6TABLES -A dynamic $which $1 -j $chain || break 1 $IP6TABLES -A dynamic -s $1 -j $chain || break 1
;; ;;
esac esac
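Review bot: the four `qt $IP6TABLES -D dynamic ...` calls run before the `-A`, so when the append fails (`|| break 1`) the address has already been removed from `dynamic` and is not re-added, and the loop exits silently with the remaining addresses unprocessed and only ip6tables' own error as diagnostic. Consider appending first and deleting the stale entries afterwards, or at least reporting which address failed. On the right-hand side, where the `from)`/`to)` cases are absent, any non-address word falls through to `*)` and is passed as `-s $1`; validating the argument before calling ip6tables would give a clearer error than the one from `-s from`.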
@@ -1102,11 +1046,6 @@ allow_command() {
[ -n "$g_debugging" ] && set -x [ -n "$g_debugging" ] && set -x
[ $# -eq 1 ] && usage 1 [ $# -eq 1 ] && usage 1
if shorewall6_is_started ; then if shorewall6_is_started ; then
local which
which='-s'
local range
range='--src-range'
if ! chain_exists dynamic; then if ! chain_exists dynamic; then
echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2 echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
exit 2 exit 2
@@ -1116,21 +1055,11 @@ allow_command() {
while [ $# -gt 1 ]; do while [ $# -gt 1 ]; do
shift shift
case $1 in case $1 in
from)
which='-s'
range='--src-range'
continue
;;
to)
which='-d'
range='--dst-range'
continue
;;
*-*) *-*)
if qt $IP6TABLES -D dynamic -m iprange $range $1 -j reject ||\ if qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j reject ||\
qt $IP6TABLES -D dynamic -m iprange $range $1 -j DROP ||\ qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j DROP ||\
qt $IP6TABLES -D dynamic -m iprange $range $1 -j logdrop ||\ qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logdrop ||\
qt $IP6TABLES -D dynamic -m iprange $range $1 -j logreject qt $IP6TABLES -D dynamic -m iprange --src-range $1 -j logreject
then then
echo "$1 Allowed" echo "$1 Allowed"
else else
@@ -1138,10 +1067,10 @@ allow_command() {
fi fi
;; ;;
*) *)
if qt $IP6TABLES -D dynamic $which $1 -j reject ||\ if qt $IP6TABLES -D dynamic -s $1 -j reject ||\
qt $IP6TABLES -D dynamic $which $1 -j DROP ||\ qt $IP6TABLES -D dynamic -s $1 -j DROP ||\
qt $IP6TABLES -D dynamic $which $1 -j logdrop ||\ qt $IP6TABLES -D dynamic -s $1 -j logdrop ||\
qt $IP6TABLES -D dynamic $which $1 -j logreject qt $IP6TABLES -D dynamic -s $1 -j logreject
then then
echo "$1 Allowed" echo "$1 Allowed"
else else
@@ -1231,7 +1160,6 @@ determine_capabilities() {
RECENT_MATCH= RECENT_MATCH=
OWNER_MATCH= OWNER_MATCH=
IPSET_MATCH= IPSET_MATCH=
OLD_IPSET_MATCH=
CONNMARK= CONNMARK=
XCONNMARK= XCONNMARK=
CONNMARK_MATCH= CONNMARK_MATCH=
@@ -1262,8 +1190,6 @@ determine_capabilities() {
IPMARK_TARGET= IPMARK_TARGET=
LOG_TARGET=Yes LOG_TARGET=Yes
FLOW_FILTER= FLOW_FILTER=
FWMARK_RT_MASK=
MARK_ANYWHERE=
chain=fooX$$ chain=fooX$$
@@ -1278,10 +1204,6 @@ determine_capabilities() {
[ -n "$IP" -a -x "$IP" ] || IP= [ -n "$IP" -a -x "$IP" ] || IP=
[ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
[ -n "$TC" -a -x "$TC" ] || TC=
qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
qt $IP6TABLES -F $chain qt $IP6TABLES -F $chain
@@ -1405,15 +1327,13 @@ determine_capabilities() {
qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
qt $IP6TABLES -A $chain -j LOG || LOG_TARGET= qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
qt $IP6TABLES -F $chain qt $IP6TABLES -F $chain
qt $IP6TABLES -X $chain qt $IP6TABLES -X $chain
qt $IP6TABLES -F $chain1 qt $IP6TABLES -F $chain1
qt $IP6TABLES -X $chain1 qt $IP6TABLES -X $chain1
[ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes [ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
[ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
CAPVERSION=$SHOREWALL_CAPVERSION CAPVERSION=$SHOREWALL_CAPVERSION
KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
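Review bot: the right-hand flow-classifier probe `[ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage` cannot succeed: `filter` is not an `ip` object (it belongs to `tc`), so the command prints an "Object ... is unknown" message with no `Usage` line and FLOW_FILTER is never set. The left-hand side probes `$TC filter add flow help` and detects `TC` a few lines earlier (`[ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)`), which is the correct pairing; keep that together with the `FWMARK_RT_MASK` probe via `$IP rule add help`. Unrelated: the probe chains `$chain`/`$chain1` are created with `-A` and only flushed and deleted afterwards; if the script is interrupted mid-probe they remain in the filter table, so a trap that runs the `-F`/`-X` pair would be worthwhile.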
@@ -1448,10 +1368,7 @@ report_capabilities() {
report_capability "IP range Match" $IPRANGE_MATCH report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH report_capability "Owner Match" $OWNER_MATCH
if [ -n "$IPSET_MATCH" ]; then report_capability "Ipset Match" $IPSET_MATCH
report_capability "Ipset Match" $IPSET_MATCH
[ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
fi
report_capability "CONNMARK Target" $CONNMARK report_capability "CONNMARK Target" $CONNMARK
[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
report_capability "Connmark Match" $CONNMARK_MATCH report_capability "Connmark Match" $CONNMARK_MATCH
@@ -1481,8 +1398,6 @@ report_capabilities() {
report_capability "LOG Target" $LOG_TARGET report_capability "LOG Target" $LOG_TARGET
report_capability "TPROXY Target" $TPROXY_TARGET report_capability "TPROXY Target" $TPROXY_TARGET
report_capability "FLOW Classifier" $FLOW_FILTER report_capability "FLOW Classifier" $FLOW_FILTER
report_capability "fwmark route mask" $FWMARK_RT_MASK
report_capability "Mark in any table" $MARK_ANYWHERE
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1513,7 +1428,6 @@ report_capabilities1() {
report_capability1 RECENT_MATCH report_capability1 RECENT_MATCH
report_capability1 OWNER_MATCH report_capability1 OWNER_MATCH
report_capability1 IPSET_MATCH report_capability1 IPSET_MATCH
report_capability1 OLD_IPSET_MATCH
report_capability1 CONNMARK report_capability1 CONNMARK
report_capability1 XCONNMARK report_capability1 XCONNMARK
report_capability1 CONNMARK_MATCH report_capability1 CONNMARK_MATCH
@@ -1543,8 +1457,6 @@ report_capabilities1() {
report_capability1 LOG_TARGET report_capability1 LOG_TARGET
report_capability1 TPROXY_TARGET report_capability1 TPROXY_TARGET
report_capability1 FLOW_FILTER report_capability1 FLOW_FILTER
report_capability1 FWMARK_RT_MASK
report_capability1 MARK_ANYWHERE
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION echo KERNELVERSION=$KERNELVERSION

View File

@@ -92,12 +92,7 @@ run_it() {
# #
# 4.4.8 or later -- no additional exports required # 4.4.8 or later -- no additional exports required
# #
if [ x$1 = xtrace -o x$1 = xdebug ]; then options='-'
options="$1 -"
shift;
else
options='-'
fi
[ -n "$g_noroutes" ] && options=${options}n [ -n "$g_noroutes" ] && options=${options}n
[ -n "$g_timestamp" ] && options=${options}t [ -n "$g_timestamp" ] && options=${options}t
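Review bot: with the right-hand `options='-'` the leading `trace`/`debug` word in `$g_debugging`, which the callers pass as `run_it $g_firewall $g_debugging ...`, is no longer consumed here, so unless the generated script parses it itself it reaches the script as a positional argument ahead of the command. Keep the `if [ x$1 = xtrace -o x$1 = xdebug ]` branch, and write the comparisons as `[ "$1" = trace -o "$1" = debug ]` rather than the `x$1` idiom.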
@@ -452,11 +447,7 @@ find_file()
# #
set_state () # $1 = state set_state () # $1 = state
{ {
if [ $# -gt 1 ]; then echo "$1 ($(date))" > ${VARDIR}/state
echo "$1 ($(date)) from $2" > ${VARDIR}/state
else
echo "$1 ($(date))" > ${VARDIR}/state
fi
} }
# #

View File

@@ -1,8 +0,0 @@
#
# Shorewall6 version 4 - Secmarks File
#
# For information about entries in this file, type "man shorewall-secmarks"
#
############################################################################################################
#SECMARK CHAIN SOURCE DEST PROTO DEST SOURCE MARK
# PORT(S) PORT(S)

View File

@@ -67,15 +67,15 @@ get_config() {
# This block is avoided for compile for export and when the user isn't root # This block is avoided for compile for export and when the user isn't root
# #
if [ "$3" = Yes ]; then if [ "$3" = Yes ]; then
if [ -n "$LOGFILE" ]; then [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
if [ -n "$(syslog_circular_buffer)" ]; then
g_logread="logread | tac" if [ -n "$(syslog_circular_buffer)" ]; then
elif [ -r $LOGFILE ]; then g_logread="logread | tac"
g_logread="tac $LOGFILE" elif [ -r $LOGFILE ]; then
else g_logread="tac $LOGFILE"
echo "LOGFILE ($LOGFILE) does not exist!" >&2 else
exit 2 echo "LOGFILE ($LOGFILE) does not exist!" >&2
fi exit 2
fi fi
fi fi
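Review bot: the left-hand side only computes g_logread `if [ -n "$LOGFILE" ]` and leaves the default to each command; the right-hand side defaults LOGFILE and probes it here for every `get_config Yes` caller, so an unreadable LOGFILE now aborts with `exit 2` even for commands that never read the log. Keep the single location, but defer the failure: set g_logread empty here and let the log-reading commands (logwatch, `show log`, dump) report "LOGFILE ($LOGFILE) does not exist!" when they actually need it.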
@@ -299,16 +299,7 @@ compiler() {
set +a set +a
fi fi
if [ -n "$PERL" ]; then $command perl $debugflags $pc $options $@
if [ ! -x "$PERL" ]; then
echo " WARNING: The program specified in the PERL option does not exist or is not executable; falling back to /usr/bin/perl" >&2
PERL=/usr/bin/perl
fi
else
PERL=/usr/bin/perl
fi
$command $PERL $debugflags $pc $options $@
} }
# #
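Review bot: the right-hand side invokes a bare `perl`, so PATH decides which interpreter runs the compiler, while the left-hand side honours the PERL setting from shorewall6.conf, warns when it is not executable and falls back to /usr/bin/perl. Keep the left-hand validation; PATH is already forced in the conf (`PATH=/sbin:/bin:...`), but an explicit, verified interpreter is preferable for a tool that runs as root. In both variants `$@` should be `"$@"` so arguments containing spaces reach perl intact.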
@@ -419,7 +410,7 @@ start_command() {
export RESTOREFILE export RESTOREFILE
if ! make -qf ${CONFDIR}/Makefile; then if make -qf ${CONFDIR}/Makefile; then
g_fast= g_fast=
AUTOMAKE= AUTOMAKE=
fi fi
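Review bot: the two sides invert the test. `make -q` exits 0 when the targets are up to date and non-zero when something needs rebuilding (2 on error), so the right-hand `if make -qf ${CONFDIR}/Makefile; then g_fast=; AUTOMAKE=` disables the fast start exactly when nothing has changed and permits it when the configuration is stale. The left-hand `if ! make -qf ...` is the correct form, and it also falls back to a full compile when make itself fails (missing Makefile, syntax error), which is the safe default.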
@@ -1544,17 +1535,17 @@ case "$COMMAND" in
[ $# -ne 1 ] && usage 1 [ $# -ne 1 ] && usage 1
get_config get_config
[ -x $g_firewall ] || fatal_error "Shorewall6 has never been started" [ -x $g_firewall ] || fatal_error "Shorewall6 has never been started"
[ -n "$nolock" ] || mutex_on mutex_on
run_it $g_firewall $g_debugging $COMMAND run_it $g_firewall $g_debugging $nolock $COMMAND
[ -n "$nolock" ] || mutex_off mutex_off
;; ;;
reset) reset)
get_config get_config
shift shift
[ -n "$nolock" ] || mutex_on mutex_on
[ -x $g_firewall ] || fatal_error "Shorewall6 has never been started" [ -x $g_firewall ] || fatal_error "Shorewall6 has never been started"
run_it $g_firewall $g_debugging reset $@ run_it $g_firewall $g_debugging $nolock reset $@
[ -n "$nolock" ] || mutex_off mutex_off
;; ;;
compile) compile)
get_config Yes get_config Yes
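Review bot: lock ordering differs between the two branches. The first branch checks `[ -x $g_firewall ] || fatal_error ...` before taking the mutex, but `reset)` calls `mutex_on` first and only then `[ -x $g_firewall ] || fatal_error "Shorewall6 has never been started"`, so on a never-started system fatal_error exits with the lock held unless fatal_error releases it. Move the check ahead of `mutex_on` in `reset)` as in the branch above. The two sides also disagree on who honours `$nolock` (the left skips `mutex_on`/`mutex_off` itself, the right passes `$nolock` to run_it); pick one so the lock is not taken twice or not at all.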

View File

@@ -32,7 +32,9 @@ LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No LOGTAGONLY=No
LOGLIMIT= LOGRATE=
LOGBURST=
LOGALLNEW= LOGALLNEW=
@@ -54,8 +56,6 @@ TC=
IPSET= IPSET=
PERL=/usr/bin/perl
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh SHOREWALL_SHELL=/bin/sh
@@ -151,12 +151,6 @@ DYNAMIC_BLACKLIST=Yes
LOAD_HELPERS_ONLY=No LOAD_HELPERS_ONLY=No
REQUIRE_INTERFACE=No
FORWARD_CLEAR_MARK=Yes
COMPLETE=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################
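Review bot: PERL, REQUIRE_INTERFACE, FORWARD_CLEAR_MARK and COMPLETE exist only on the left-hand side of shorewall6.conf; that is consistent with compiler() reading `$PERL` only on the left, but a configuration file written for one side and read by the other will carry unknown or missing options, so the conf template, the compiler and the documented option list must be changed together.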

View File

@@ -1,6 +1,6 @@
%define name shorewall6 %define name shorewall6
%define version 4.4.13 %define version 4.4.10
%define release 1 %define release 0base
Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems. Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
Name: %{name} Name: %{name}
@@ -98,48 +98,10 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6
%changelog %changelog
* Wed Sep 22 2010 Tom Eastep tom@shorewall.net * Tue Jun 08 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1
* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta6
* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta5
* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta4
* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta3
* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta2
* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta1
* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0base
* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0RC1
* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta4
* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta3
* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta2
* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta1
* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base - Updated to 4.4.10-0base
* Mon Jun 07 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC3
* Fri Jun 04 2010 Tom Eastep tom@shorewall.net * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2 - Updated to 4.4.10-0RC2
* Thu May 27 2010 Tom Eastep tom@shorewall.net * Thu May 27 2010 Tom Eastep tom@shorewall.net
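Review bot: the %changelog entries are not in reverse-chronological order on the left-hand side: `* Sat Jun 05 2010 ... Updated to 4.4.10-0base` sits above `* Mon Jun 07 2010 ... Updated to 4.4.10-0RC3`, while the right-hand side dates 4.4.10-0base `Tue Jun 08 2010`. Pick one date for the 0base entry and keep RC3 below it; rpmbuild accepts either order, but the dates should agree with the `%define release` on the same side (`1` vs `0base`).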

View File

@@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Shorewall Firewall # shown below. Simply run this script to remove Shorewall Firewall
VERSION=4.4.13.1 VERSION=4.4.10
usage() # $1 = exit status usage() # $1 = exit status
{ {
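Review bot: `VERSION=4.4.13.1` on the left-hand side uses a dotted fourth component while the spec on the same side declares `%define version 4.4.13` with `%define release 1`. Since the header states the script may only uninstall the version shown here, the string must match the installed version exactly; use the same convention the installer writes (the right-hand side is at least self-consistent with `VERSION=4.4.10` and `%define version 4.4.10`).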

View File

@@ -119,7 +119,8 @@
(from <filename>/etc/protocols</filename>), a protocol number or (from <filename>/etc/protocols</filename>), a protocol number or
<quote>ipp2p</quote>. For <quote>ipp2p</quote>, your kernel and <quote>ipp2p</quote>. For <quote>ipp2p</quote>, your kernel and
iptables must have ipp2p match support from <ulink iptables must have ipp2p match support from <ulink
url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para> url="http://www.netfilter.org">Netfilter
Patch_o_matic_ng</ulink>.</para>
</listitem> </listitem>
<listitem> <listitem>
@@ -145,7 +146,7 @@
only be non-empty if the CHAIN is OUTPUT. The column may only be non-empty if the CHAIN is OUTPUT. The column may
contain:</para> contain:</para>
<programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;]</programlisting> <programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;][+&lt;program name&gt;]</programlisting>
<para>When this column is non-empty, the rule applies only if the <para>When this column is non-empty, the rule applies only if the
program generating the output is running under the effective program generating the output is running under the effective
@@ -162,6 +163,9 @@
<member>!:kids #program must not be run by a member of the <member>!:kids #program must not be run by a member of the
<quote>kids</quote> group</member> <quote>kids</quote> group</member>
<member>+upnpd #program named upnpd (This feature was removed from
Netfilter in kernel version 2.6.14).</member>
</simplelist> </simplelist>
</listitem> </listitem>
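Review bot: the right-hand side documents a `[+<program name>]` form in the USER/GROUP column and, in the example `+upnpd`, notes in the same sentence that Netfilter removed the feature in kernel 2.6.14; documenting a syntax the kernel cannot honour invites rules that fail at load time. The left-hand side drops it and points the ipp2p reference at xtables-addons, which is where ipp2p now lives, rather than patch-o-matic-ng; keep the left-hand text.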

View File

@@ -18,7 +18,7 @@
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright> <copyright>
<year>2006-2010</year> <year>2006-2007</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@@ -180,11 +180,11 @@
disable startup of Shorewall in your init scripts. For ease of disable startup of Shorewall in your init scripts. For ease of
reference, we call this system the 'administrative system'.</para> reference, we call this system the 'administrative system'.</para>
<para>The administrative system may be a GNU/Linux system, a Windows <para>The administrative system may be a Windows system running <ulink
system running <ulink url="http://www.cygwin.com/">Cygwin</ulink> or url="http://www.cygwin.com/">Cygwin</ulink> or an <ulink
an <ulink url="http://www.apple.com/mac/">Apple MacIntosh</ulink> url="http://www.apple.com/mac/">Apple MacIntosh</ulink> running OS X.
running OS X. Install from a shell prompt <ulink Install from a shell prompt <ulink url="Install.htm">using the
url="Install.htm">using the install.sh script</ulink>.</para> install.sh script</ulink>.</para>
</listitem> </listitem>
<listitem> <listitem>
@@ -241,10 +241,8 @@
<orderedlist> <orderedlist>
<listitem> <listitem>
<para>modify the files in the corresponding export directory <para>modify the files in the corresponding export directory
appropriately (i.e., <emphasis>just as you would if you were appropriately. It's a good idea to include the IP address of the
configuring Shorewall on the firewall system itself</emphasis>). administrative system in the <ulink
It's a good idea to include the IP address of the administrative
system in the <ulink
url="manpages/shorewall-routestopped.html"><filename>routestopped</filename> url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
file</ulink>.</para> file</ulink>.</para>
@@ -285,29 +283,26 @@
<listitem> <listitem>
<programlisting><command>cd &lt;export directory&gt;</command> <programlisting><command>cd &lt;export directory&gt;</command>
<command>/sbin/shorewall load firewall</command></programlisting> <command>/sbin/shorewall load -c firewall</command></programlisting>
<para>The <ulink <para>The <ulink
url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink> url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
command compiles a firewall script from the configuration files in command compiles a firewall script from the configuration files in
the current working directory (using <command>shorewall compile the current working directory (using <command>shorewall compile
-e</command>), copies that file to the remote system via scp and -e</command>), copies that file to the remote system via scp and
starts Shorewall Lite on the remote system via ssh.</para> starts Shorewall Lite on the remote system via ssh. The -c option
causes the capabilities of the remote system to be generated and
copied to a file named <filename>capabilities</filename> in the
export directory. See <link
linkend="Shorecap">below</link>.</para>
<para>Example (firewall's DNS name is 'gateway'):</para> <para>Example (firewall's DNS name is 'gateway'):</para>
<para><command>/sbin/shorewall load gateway</command><note> <para><command>/sbin/shorewall load -c gateway</command><note>
<para>Although scp and ssh are used by default, you can use <para>Although scp and ssh are used by default, you can use
other utilities by setting RSH_COMMAND and RCP_COMMAND in other utilities by setting RSH_COMMAND and RCP_COMMAND in
<filename>/etc/shorewall/shorewall.conf</filename>.</para> <filename>/etc/shorewall/shorewall.conf</filename>.</para>
</note></para> </note></para>
<para>The first time that you issue a <command>load</command>
command, Shorewall will use ssh to run
<filename>/usr/share/shorewall-lite/shorecap</filename> on the
remote firewall to create a capabilities file in the firewall's
administrative direction. See <link
linkend="Shorecap">below</link>.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</listitem> </listitem>
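Review bot: the two sides describe different capability workflows: the right-hand text requires `shorewall load -c firewall` to generate and copy the capabilities file, whereas the left-hand text says the first `load` runs `/usr/share/shorewall-lite/shorecap` over ssh automatically and drops `-c` from the examples. The later paragraph "Or simply use the -c option the next time that you use the reload command" has to agree with whichever is kept; with the left-hand wording it becomes the only place `-c` is mentioned, so it should say what `-c` does. Also "administrative direction" in the left-hand paragraph should read "administrative directory".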
@@ -461,7 +456,7 @@ clean:
</simplelist> </simplelist>
</blockquote> </blockquote>
<para>You will normally never touch <para>You will normally not need to touch
<filename>/etc/shorewall-lite/shorewall-lite.conf</filename> unless you <filename>/etc/shorewall-lite/shorewall-lite.conf</filename> unless you
run Debian or one of its derivatives (see <link run Debian or one of its derivatives (see <link
linkend="Debian">above</link>).</para> linkend="Debian">above</link>).</para>
@@ -564,11 +559,11 @@ clean:
<blockquote> <blockquote>
<para>Before editing:</para> <para>Before editing:</para>
<programlisting>CONFIG_PATH=<emphasis role="bold">/etc/shorewall</emphasis>:/usr/share/shorewall</programlisting> <programlisting>CONFIG_PATH=/etc/shorewall:/usr/share/shorewall</programlisting>
<para>After editing:</para> <para>After editing:</para>
<programlisting>CONFIG_PATH=<emphasis role="bold">/usr/share/shorewall/configfiles</emphasis>:/usr/share/shorewall</programlisting> <programlisting>CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall</programlisting>
</blockquote> </blockquote>
<para>Changing CONFIG_PATH will ensure that subsequent compilations <para>Changing CONFIG_PATH will ensure that subsequent compilations
@@ -601,21 +596,14 @@ clean:
<blockquote> <blockquote>
<programlisting><command>cd &lt;export directory&gt;</command> <programlisting><command>cd &lt;export directory&gt;</command>
<command>/sbin/shorewall load &lt;firewall system&gt;</command> <command>/sbin/shorewall load -c &lt;firewall system&gt;</command>
</programlisting> </programlisting>
<para>Example (firewall's DNS name is 'gateway'):</para> <para>Example (firewall's DNS name is 'gateway'):</para>
<para><command>/sbin/shorewall load gateway</command></para> <para><command>/sbin/shorewall load -c gateway</command></para>
</blockquote> </blockquote>
<para>The first time that you issue a <command>load</command>
command, Shorewall will use ssh to run
<filename>/usr/share/shorewall-lite/shorecap</filename> on the
remote firewall to create a capabilities file in the firewall's
administrative direction. See <link
linkend="Shorecap">below</link>.</para>
<para>The <ulink <para>The <ulink
url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink> url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
command compiles a firewall script from the configuration files in command compiles a firewall script from the configuration files in
@@ -652,8 +640,7 @@ clean:
<command>scp capabilities &lt;admin system&gt;:&lt;this system's config dir&gt;</command></programlisting> <command>scp capabilities &lt;admin system&gt;:&lt;this system's config dir&gt;</command></programlisting>
<para>Or simply use the -c option the next time that you use the <para>Or simply use the -c option the next time that you use the
<command>reload</command> command (e.g., <command>shorewall reload <command>reload</command> command.</para>
-c gateway</command>).</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>

View File

@@ -57,9 +57,11 @@
<row> <row>
<entry></entry> <entry></entry>
<entry><ulink url="Vserver.html">Linux-vserver</ulink></entry> <entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
Machine)</ulink></entry>
<entry></entry> <entry><ulink url="Laptop.html">Shorewall on a
Laptop</ulink></entry>
</row> </row>
<row> <row>
@@ -102,8 +104,8 @@
</row> </row>
<row> <row>
<entry><ulink url="Anatomy.html">Anatomy of <entry><ulink url="Anatomy.html">Anatomy of Shorewall</ulink>
Shorewall</ulink></entry> (<ulink url="Anatomy_ru.html">Russian</ulink>)</entry>
<entry><ulink url="Manpages.html">Man Pages</ulink></entry> <entry><ulink url="Manpages.html">Man Pages</ulink></entry>
@@ -112,8 +114,8 @@
</row> </row>
<row> <row>
<entry><ulink url="traffic_shaping.htm">Bandwidth <entry><ulink url="traffic_shaping.htm">Bandwidth Control</ulink>
Control</ulink></entry> (<ulink url="traffic_shaping_ru.html">Russian</ulink>)</entry>
<entry><ulink url="ManualChains.html">Manual <entry><ulink url="ManualChains.html">Manual
Chains</ulink></entry> Chains</ulink></entry>
@@ -123,8 +125,9 @@
</row> </row>
<row> <row>
<entry><ulink <entry><ulink url="blacklisting_support.htm">Blacklisting</ulink>
url="blacklisting_support.htm">Blacklisting</ulink></entry> (<ulink
url="blacklisting_support_ru.html">Russian</ulink>)</entry>
<entry><ulink <entry><ulink
url="two-interface.htm#SNAT">Masquerading</ulink></entry> url="two-interface.htm#SNAT">Masquerading</ulink></entry>
@@ -184,7 +187,7 @@
<entry><ulink url="netmap.html">Network Mapping</ulink></entry> <entry><ulink url="netmap.html">Network Mapping</ulink></entry>
<entry><ulink url="simple_traffic_shaping.html">Traffic <entry> <ulink url="simple_traffic_shaping.html">Traffic
Shaping/QOS - Simple</ulink></entry> Shaping/QOS - Simple</ulink></entry>
</row> </row>
@@ -196,7 +199,8 @@
NAT)</entry> NAT)</entry>
<entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS - <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
Complex</ulink></entry> Complex</ulink> (<ulink
url="traffic_shaping_ru.html">Russian</ulink>)</entry>
</row> </row>
<row> <row>
@@ -318,8 +322,8 @@
</row> </row>
<row> <row>
<entry><ulink <entry><ulink url="Install.htm">Installation/Upgrade</ulink>
url="Install.htm">Installation/Upgrade</ulink></entry> (<ulink url="Install_fr.html">Français</ulink>)</entry>
<entry><ulink url="ReleaseModel.html">Release <entry><ulink url="ReleaseModel.html">Release
Model</ulink></entry> Model</ulink></entry>
@@ -382,16 +386,6 @@
<entry></entry> <entry></entry>
</row> </row>
<row>
<entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
Machine)</ulink></entry>
<entry><ulink url="Laptop.html">Shorewall on a
Laptop</ulink></entry>
<entry></entry>
</row>
</tbody> </tbody>
</tgroup> </tgroup>
</informaltable> </informaltable>

View File

@@ -687,9 +687,11 @@ eth1:192.168.1.5 eth1 <emphasis role="bold">130.151.100.69</em
<para>That rule (and the second one in the previous bullet) only <para>That rule (and the second one in the previous bullet) only
works of course if you have a static external IP address. If you works of course if you have a static external IP address. If you
have a dynamic IP address then include this in have a dynamic IP address then include this in
<filename>/etc/shorewall/params</filename>.</para> <filename>/etc/shorewall/params</filename> (or your
<filename>&lt;export directory&gt;/init</filename> file if you are
using Shorewall Lite on the firewall system):</para>
<programlisting><command>ETH0_IP=$(find_first_interface_address eth0)</command> </programlisting> <programlisting><command>ETH0_IP=`find_first_interface_address eth0`</command> </programlisting>
<para>and make your DNAT rule:</para> <para>and make your DNAT rule:</para>
@@ -710,14 +712,6 @@ DNAT loc loc:192.168.1.5 tcp www - <emph
will return 0.0.0.0 if the interface has no configured IP address; will return 0.0.0.0 if the interface has no configured IP address;
the latter terminates the calling program.</para> the latter terminates the calling program.</para>
</note> </note>
<note>
<para>If you run Shorewall-lite on your firewall, you must use the
following in the firewall's configuration directory
<filename>params</filename> file:</para>
<programlisting><command>ETH0_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</command></programlisting>
</note>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
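Review bot: the two sides give conflicting Shorewall Lite advice for a dynamic external address. The right-hand text points at the `<export directory>/init` file; the left-hand note instead puts `ETH0_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")` into params on the administrative system, which evaluates the address wherever and whenever params is read rather than on the firewall, and requires password-less root ssh from the administrative system to the firewall for every compile. Keep one of the two, and prefer the form that runs on the firewall itself. Minor: the right-hand example uses backticks where the left uses `$(...)`; either works, but `$(...)` nests and quotes cleanly.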
@@ -1188,18 +1182,6 @@ to debug/develop the newnat interface.</programlisting></para>
<section id="Logging"> <section id="Logging">
<title>Logging</title> <title>Logging</title>
<section id="faq91">
<title>(FAQ 91) I changed the shorewall.conf file in /etc/shorewall/ to
spit out logs to /var/log/shorewall.log and it's not happening after I
restart shorewall. LOGFILE=/var/log/shorewall.log &lt;-- that should be
the correct line, right? </title>
<para><emphasis role="bold">Answer</emphasis>: No, that is not correct.
The LOGFILE setting tells Shorewall where to find the log; it does not
determine where messages are written. See <link linkend="faq6">the next
FAQ</link>.</para>
</section>
<section id="faq6"> <section id="faq6">
<title>(FAQ 6) Where are the log messages written and how do I change <title>(FAQ 6) Where are the log messages written and how do I change
the destination?</title> the destination?</title>
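Review bot: removing FAQ 91 also removes the id `faq91`; check that no other `linkend="faq91"` remains in the document or it will fail validation. The answer itself (LOGFILE tells Shorewall where to read the log, it does not decide where messages are written) is a recurring misconfiguration and is only one sentence, so folding it into FAQ 6 would be better than dropping it.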
@@ -2108,57 +2090,6 @@ shorewall status &gt; /dev/null 2&gt;&amp;1 || shorewall start # Start Shorewall
<filename>/etc/shorewall/params</filename> when processing the <emphasis <filename>/etc/shorewall/params</filename> when processing the <emphasis
role="bold">restore</emphasis> command.</para> role="bold">restore</emphasis> command.</para>
</section> </section>
<section id="faq90">
<title>(FAQ 90) Shorewall starts fine but after several minutes, it
stops. Why is it doing that?</title>
<para><emphasis role="bold">Answer:</emphasis> Shorewall uses the
presence of a chain named <emphasis>shorewall</emphasis> to indicate
whether is started or stopped. That chain is created during execution of
a successful <emphasis role="bold">start</emphasis>, <emphasis
role="bold">restart</emphasis> or <emphasis
role="bold">restore</emphasis> command and is removed during <emphasis
role="bold">stop</emphasis> and <emphasis role="bold">clear</emphasis>.
If <emphasis role="bold">shorewall status</emphasis> indicates that
Shorewall is stopped, then something has deleted that chain. Look at the
output of <emphasis role="bold">shorewall status</emphasis>; if it looks
like this:</para>
<blockquote>
<programlisting>gateway:~# shorewall status
Shorewall-4.4.11 Status at gateway - Wed Jul 21 13:21:41 PDT 2010
Shorewall is <emphasis role="bold">stopped</emphasis>
State:<emphasis role="bold">Started</emphasis> (Tue Jul 20 16:01:49 PDT 2010)
gateway:~#
</programlisting>
</blockquote>
<para>then it means that somehing outside of Shorewall has deleted the
chain. This usually means that you were running another firewall package
before you installed Shorewall and that other package has replaced
Shorewall's Netfilter configuration with its own. You must remove (or at
least disable) the other firewall package and restart Shorewall.</para>
<blockquote>
<programlisting>gateway:~# shorewall status
Shorewall-4.4.11 Status at gateway - Wed Jul 21 13:26:29 PDT 2010
Shorewall is <emphasis role="bold">stopped</emphasis>
State:<emphasis role="bold">Stopped</emphasis> (Wed Jul 21 13:26:26 PDT 2010)
gateway:~# </programlisting>
</blockquote>
<para>then a <emphasis role="bold">shorewall stop</emphasis> command has
been executed (if the State shown in the output is <emphasis
role="bold">Cleared</emphasis>, then a <emphasis role="bold">shorewall
clear</emphasis> command was executed). Most likely, you have installed
and configured the <emphasis>shorewall-init</emphasis> package and a
required interface has gone down.</para>
</section>
</section> </section>
<section id="MultiISP"> <section id="MultiISP">
@@ -2393,13 +2324,9 @@ We have an error talking to the kernel
subzones? I've got a system with Linux-VServers, it's one interface subzones? I've got a system with Linux-VServers, it's one interface
(eth0) with multiple IPs</title> (eth0) with multiple IPs</title>
<para><emphasis role="bold">Answer</emphasis>: Beginning with Shorewall <para><emphasis role="bold">Answer</emphasis>: There is no way to create
4.4.11 Beta 2, you can <ulink url="Vserver.html">create vserver sub-zones of the firewall zone. But you can use shell variables to make
zones</ulink> that are nested within the firewall zone.</para> vservers easier to deal with.</para>
<para>Prior to 4.4.11 Beta 2, there is no way to create sub-zones of the
firewall zone. But you can use shell variables to make vservers easier
to deal with.</para>
<para><filename>/etc/shorewall/params</filename>:</para> <para><filename>/etc/shorewall/params</filename>:</para>
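Review bot: the replacement answer drops the statement that vserver zones nested within the firewall zone exist from Shorewall 4.4.11 Beta 2 (and the Vserver.html link) and reverts to an unconditional "There is no way to create sub-zones of the firewall zone". If this compare is being read with the newer commit as the base, that is expected; if it is a forward change it regresses the documentation. Confirm the direction before treating this as the intended text.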

View File

@@ -22,8 +22,6 @@
<year>2007</year> <year>2007</year>
<year>2010</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@@ -47,41 +45,33 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>Now, <ulink url="Install.htm">install Shorewall</ulink>.</para>
<para>Next, read the QuickStart Guide that is appropriate for your <para>Next, read the QuickStart Guide that is appropriate for your
configuration:</para> configuration:</para>
<para><emphasis role="bold">If you just want to protect a system: (Requires
Shorewall 4.4.12-Beta3 or later)</emphasis></para>
<itemizedlist>
<listitem>
<para><ulink url="Universal.html">Universal</ulink> configuration --
requires no configuration to protect a single system.</para>
</listitem>
</itemizedlist>
<para><emphasis role="bold">If you have only one public IP <para><emphasis role="bold">If you have only one public IP
address:</emphasis></para> address:</emphasis></para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para><ulink url="standalone.htm">Standalone</ulink> Linux System with a <para><ulink url="standalone.htm">Standalone</ulink> Linux System with a
single network interface (if you are running Shorewall 4.4.12 Beta 3 or single network interface (<ulink url="standalone_fr.html">Version
later, use the <ulink url="Universal.html">Universal</ulink> Française</ulink>) <ulink url="standalone_ru.html">(Russian
configuration instead).</para> Version)</ulink> <ulink url="standalone_es.html">Version en
Español</ulink></para>
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="two-interface.htm">Two-interface</ulink> Linux System <para><ulink url="two-interface.htm">Two-interface</ulink> Linux System
acting as a firewall/router for a small local network</para> acting as a firewall/router for a small local network (<ulink
url="two-interface_fr.html">Version Française</ulink>) (<ulink
url="two-interface_ru.html">Russian Version</ulink>)</para>
</listitem> </listitem>
<listitem> <listitem>
<para><ulink url="three-interface.htm">Three-interface</ulink> Linux <para><ulink url="three-interface.htm">Three-interface</ulink> Linux
System acting as a firewall/router for a small local network and a System acting as a firewall/router for a small local network and a DMZ..
DMZ.</para> (<ulink url="three-interface_fr.html">Version Française</ulink>) (<ulink
url="three-interface_ru.html">Russian Version</ulink>)</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
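Review bot: besides swapping the Universal configuration item for the translated-guide links, this hunk also removes the "Now, install Shorewall" paragraph with its Install.htm link, so the right-hand text goes from the prerequisites list straight to "Next, read the QuickStart Guide" without the install step; that ordering loss is unrelated to the Universal/translation change and deserves its own mention in the commit message. Minor: the right-hand three-interface item reads "and a DMZ.." with a doubled period.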
@@ -91,10 +81,11 @@
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>The <ulink url="shorewall_setup_guide.htm">Shorewall Setup <para>The <ulink url="shorewall_setup_guide.htm">Shorewall Setup
Guide</ulink> outlines the steps necessary to set up a firewall where Guide</ulink> (<ulink url="shorewall_setup_guide_fr.htm">Version
there are multiple public IP addresses involved or if you want to learn Française</ulink>) outlines the steps necessary to set up a firewall
more about Shorewall than is explained in the single-address guides where there are multiple public IP addresses involved or if you want to
above.</para> learn more about Shorewall than is explained in the single-address
guides above.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>

View File

@@ -5,7 +5,7 @@
<!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $--> <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
<articleinfo> <articleinfo>
<title>Shorewall 4.4 Manpages</title> <title>Shorewall 4.4/4.5 Manpages</title>
<authorgroup> <authorgroup>
<author> <author>
@@ -129,9 +129,6 @@
<member><ulink url="manpages/shorewall-rules.html">rules</ulink> - <member><ulink url="manpages/shorewall-rules.html">rules</ulink> -
Specify exceptions to policies, including DNAT and REDIRECT.</member> Specify exceptions to policies, including DNAT and REDIRECT.</member>
<member><ulink url="manpages/shorewall-secmarks.html">secmarks</ulink>
- Attach an SELinux context to a packet.</member>
<member><ulink <member><ulink
url="manpages/shorewall-tcclasses.html">tcclasses</ulink> - Define htb url="manpages/shorewall-tcclasses.html">tcclasses</ulink> - Define htb
classes for traffic shaping.</member> classes for traffic shaping.</member>
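Review bot: removing the secmarks entry leaves manpages/shorewall-secmarks.html unreachable from the manpage index; keep the entry unless the manpage itself is removed in the same change. The index line is also the only place on this page that tells a reader Shorewall can attach an SELinux context to a packet.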
@@ -140,11 +137,6 @@
url="manpages/shorewall-tcdevices.html">tcdevices</ulink> - Specify url="manpages/shorewall-tcdevices.html">tcdevices</ulink> - Specify
speed of devices for traffic shaping.</member> speed of devices for traffic shaping.</member>
<member><ulink
url="manpages/shorewall-tcfilters.html">tcfilters</ulink> - Classify
traffic for shaping; often used with an IFB to shape ingress
traffic.</member>
<member><ulink <member><ulink
url="manpages/shorewall-tcinterfaces.html">tcinterfaces</ulink> - url="manpages/shorewall-tcinterfaces.html">tcinterfaces</ulink> -
Specify devices for simplified traffic shaping.</member> Specify devices for simplified traffic shaping.</member>
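Review bot: same concern as the secmarks entry above: tcfilters is dropped from the index while tcclasses, tcdevices and tcinterfaces stay, so manpages/shorewall-tcfilters.html becomes orphaned if it still ships. Verify the manpage was removed in the same change, otherwise keep the entry.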
@@ -192,11 +184,6 @@
<member><ulink url="manpages/shorewall.html">shorewall</ulink> - <member><ulink url="manpages/shorewall.html">shorewall</ulink> -
/sbin/shorewall command syntax and semantics.</member> /sbin/shorewall command syntax and semantics.</member>
<member><ulink
url="manpages/shorewall-init.html">shorewall-init</ulink> - Companion
package that allows for automatic start/stop of other Shorewall
products based on network events.</member>
<member><ulink <member><ulink
url="manpages/shorewall-lite.html">shorewall-lite</ulink> - url="manpages/shorewall-lite.html">shorewall-lite</ulink> -
/sbin/shorewall-lite command syntax and semantics.</member> /sbin/shorewall-lite command syntax and semantics.</member>
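Review bot: the shorewall-init entry is removed from the index here, yet this same compare still carries the full Shorewall-init document (the hunks starting at "@@ -74,13 +74,13 @@", "Closing the Firewall before the Network Interfaces are brought up") and FAQ 90 text that refers to the shorewall-init package. Dropping the only manpage link while the product stays documented is inconsistent; either the entry should stay or the other references should go with it.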

View File

@@ -5,7 +5,7 @@
<!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $--> <!--$Id: template.xml 5908 2007-04-12 23:04:36Z teastep $-->
<articleinfo> <articleinfo>
<title>Shorewall6 4.4 Manpages</title> <title>Shorewall6 4.4/4.5 Manpages</title>
<authorgroup> <authorgroup>
<author> <author>
@@ -114,10 +114,6 @@
<member><ulink url="manpages6/shorewall6-rules.html">rules</ulink> - <member><ulink url="manpages6/shorewall6-rules.html">rules</ulink> -
Specify exceptions to policies, including DNAT and REDIRECT.</member> Specify exceptions to policies, including DNAT and REDIRECT.</member>
<member><ulink
url="manpages6/shorewall6-secmarks.html">secmarks</ulink> - Attached
an SELinux context to a packet.</member>
<member><ulink <member><ulink
url="manpages6/shorewall6-tcclasses.html">tcclasses</ulink> - Define url="manpages6/shorewall6-tcclasses.html">tcclasses</ulink> - Define
htb classes for traffic shaping.</member> htb classes for traffic shaping.</member>
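Review bot: as with the IPv4 index, the shorewall6-secmarks entry is removed; if it is ever restored, its description should read "Attach an SELinux context to a packet" to match the IPv4 page (the removed text says "Attached").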

View File

@@ -1100,40 +1100,6 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
</section> </section>
</section> </section>
<section>
<title>Looking at the routing tables</title>
<para>To look at the various routing tables, you must use the <emphasis
role="bold">ip</emphasis> utility. To see the entire routing
configuration (including rules), the command is <command>shorewall show
routing</command>. To look at an individual provider's table use
<command>ip route ls table <replaceable>provider</replaceable></command>
where <replaceable>provider</replaceable> can be either the provider
name or number.</para>
<para>Example:</para>
<programlisting>lillycat:- #<command>ip route ls</command>
144.77.167.142 dev ppp0 proto kernel scope link src 144.177.121.199
71.190.227.208 dev ppp1 proto kernel scope link src 71.24.88.151
192.168.7.254 dev eth1 scope link src 192.168.7.1
192.168.7.253 dev eth1 scope link src 192.168.7.1
192.168.7.0/24 dev eth1 proto kernel scope link src 192.168.7.1
192.168.5.0/24 via 192.168.4.2 dev eth0
192.168.4.0/24 dev eth0 proto kernel scope link src 192.168.4.223
192.168.1.0/24 via 192.168.4.222 dev eth0
default
nexthop dev ppp1 weight 2
nexthop dev ppp0 weight 1
lillycat: #ip <command>route ls provider 1</command>
144.77.167.142 dev ppp0 proto kernel scope link src 144.177.121.199
192.168.5.0/24 via 192.168.4.2 dev eth0
192.168.4.0/24 dev eth0 proto kernel scope link src 192.168.4.223
192.168.1.0/24 via 192.168.4.222 dev eth0
default dev ppp0 scope link
lillycat: #</programlisting>
</section>
<section id="USE_DEFAULT_RT"> <section id="USE_DEFAULT_RT">
<title>USE_DEFAULT_RT</title> <title>USE_DEFAULT_RT</title>
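Review bot: this hunk deletes the only explanation of how to inspect the provider routing tables (`shorewall show routing` and `ip route ls table <provider>`), which is the primary diagnostic for the multi-ISP setup this document describes; if it is being moved elsewhere the commit message should say where. The removed example also has a defect worth fixing if it comes back: the second command is shown as `ip route ls provider 1`, which is not valid ip(8) syntax; it should be `ip route ls table 1`, as the paragraph above it states.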
@@ -1561,7 +1527,7 @@ connection {
connection { connection {
name=Comcast name=Comcast
checkip=${SW_ETH0_GATEWAY:-71.231.152.1} checkip=${ETH0_GATEWAY:-71.231.152.1}
device=$COM_IF device=$COM_IF
ttl=1 ttl=1
} }
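Review bot: only the variable name changes in this hunk (SW_ETH0_GATEWAY to ETH0_GATEWAY); the hard-coded fallback 71.231.152.1 is kept. The note removed in the next hunk states that the unprefixed ETHn_GATEWAY name is the Shorewall 4.4.7-and-earlier form, so this rename moves the example to the older naming while deleting the text that explains the difference. Confirm that is intended and not an artifact of a reversed compare.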
@@ -1577,14 +1543,9 @@ EOF
/usr/sbin/lsm /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm /usr/sbin/lsm /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
}</programlisting> }</programlisting>
<para>eth0 has a dynamic IP address so I need to use the <para>eth3 has a dynamic IP address so I need to use the
Shorewall-detected gateway address ($SW_ETH1_GATEWAY). I supply a Shorewall-detected gateway address ($ETH3_GATEWAY). I supply a default
default value to be used in the event that detection fails.</para> value to be used in the event that detection fails.</para>
<note>
<para>In Shorewall 4.4.7 and earlier, the variable name is
ETH1_GATEWAY.</para>
</note>
<para><filename>/etc/shorewall/started</filename>:</para> <para><filename>/etc/shorewall/started</filename>:</para>
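Review bot: the prose and the config fragment disagree about which interface is meant: the lsm.conf hunk above uses ETH0_GATEWAY, the left-hand prose says "eth0" but names $SW_ETH1_GATEWAY, and the right-hand prose switches to "eth3" and $ETH3_GATEWAY. Pick one interface and use it in both the `checkip=` line and the explanation, otherwise a reader copying the fragment monitors a different link than the text describes. Dropping the 4.4.7 note also removes the only hint for users on older releases about why their variable name differs.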

View File

@@ -89,8 +89,8 @@
Shorewall system itself.</para> Shorewall system itself.</para>
<para>A more elaborate version of this flow is available <ulink <para>A more elaborate version of this flow is available <ulink
url="http://jengelh.medozas.de/images/nf-packet-flow.png">here</ulink> and url="http://shorewall.net/pub/shorewall/misc/netfilterflow.pdf">here</ulink>
<ulink url="http://www.docum.org/docum.org/kptd/">this one</ulink> and <ulink url="http://www.docum.org/docum.org/kptd/">this one</ulink>
contrasts the Netfilter flow with that of ipchains.</para> contrasts the Netfilter flow with that of ipchains.</para>
<para>In the above diagram are boxes similar to this:</para> <para>In the above diagram are boxes similar to this:</para>

View File

@@ -498,202 +498,6 @@ DNAT 172.20.1.0/24 tun1 192.168.1.0/24
the right as 172.20.1.0/24.</para> the right as 172.20.1.0/24.</para>
</section> </section>
<section>
<title>Roadwarrior with IPv6</title>
<para>While OpenVPN supports tunneling of IPv6 packets, the version of the
code that I run under OS X on my Macbook Pro does not support that option.
Nevertheless, I am able to take IPv6 on the road with me by creating a
6to4 tunnel through the OpenVPN IPv6 tunnel. In this configuration, the
IPv4 address pair (172.20.0.10,172.20.0.11) is used for the OpenVPN tunnel
and (2001:470:e857:2::1,2001:470:e857:2::2) is used for the 6to4
tunnel.</para>
<para>Here are my config files:</para>
<para>Server (conventional routed server config):</para>
<blockquote>
<programlisting>dev tun
local 70.90.191.121
server 172.20.0.0 255.255.255.128
dh dh1024.pem
ca /etc/certs/cacert.pem
crl-verify /etc/certs/crl.pem
cert /etc/certs/gateway.pem
key /etc/certs/gateway_key.pem
port 1194
comp-lzo
user nobody
group nogroup
keepalive 15 45
ping-timer-rem
persist-tun
persist-key
client-config-dir /etc/openvpn/clients
ccd-exclusive
client-to-client
push "route 172.20.1.0 255.255.255.0"
verb 3</programlisting>
<para>In the CCD file for the Macbook Pro:</para>
<programlisting>ifconfig-push <emphasis role="bold">172.20.0.11 172.20.0.10</emphasis></programlisting>
<para>From <filename>/etc/network/interfaces</filename> (very standard
<ulink url="6to4.htm#SixInFour">6to4 tunnel
configuration</ulink>):</para>
<programlisting>auto mac
iface mac inet6 v4tunnel
address <emphasis role="bold">2001:470:e857:2::1</emphasis>
netmask 64
endpoint <emphasis role="bold">172.20.0.11</emphasis>
local <emphasis role="bold">172.20.1.254</emphasis></programlisting>
<para>Note that while the remote endpoint (172.20.0.11) is also the
remote endpoint of the OpenVPN tunnel, the local endpoint (172.20.1.254)
of the 6to4 tunnel is not the local endpoint of the OpenVPN tunnel
(that;s 172.20.0.10). 172.20.1.254 is the IPv4 address of the Shorewall
firewall's LAN interface.</para>
<para>The following excerpts from the Shorewall configuration show the
parts of that configuration that are relevant to these two tunnels (bold
font). <emphasis role="bold">This is not a complete
configuration.</emphasis></para>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE
fw firewall
loc ip #Local Zone
drct:loc ipv4 #Direct internet access
net ipv4 #Internet
<emphasis role="bold">vpn ipv4 </emphasis> #OpenVPN clients</programlisting>
<para><filename>/etc/shorewall/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
loc INT_IF detect dhcp,logmartians=1,routefilter=1,physical=$INT_IF,required,wait=5
net COM_IF detect dhcp,blacklist,optional,routefilter=0,logmartians,proxyarp=0,physical=$COM_IF,nosmurfs
<emphasis role="bold">vpn TUN_IF+ detect physical=tun+,routeback</emphasis>
- sit1 - ignore
<emphasis role="bold">- mac - ignore</emphasis>
- EXT_IF - ignore
- lo - ignore</programlisting>
<para><filename>/etc/shorewall/tunnels</filename>:</para>
<programlisting>#TYPE ZONE GATEWAY GATEWAY
# ZONE
<emphasis role="bold">openvpnserver:udp net</emphasis>
6to4 net
<emphasis role="bold">6to4 vpn</emphasis></programlisting>
<para>Similarly, here are exerpts from the Shorewall6
configuration.</para>
<para><filename>/etc/shorewall6/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv6
<emphasis role="bold">loc ipv6</emphasis>
rest ipv6</programlisting>
<para><filename>/etc/shorewall6/interfaces</filename>:</para>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
net sit1 detect tcpflags,forward=1,nosmurfs,routeback
loc eth4 detect tcpflags,forward=1
<emphasis role="bold">loc mac detect tcpflags,forward=1</emphasis>
rest eth+</programlisting>
<para>Note that in the IPv6 firewall configuration, the remove Macbook
Pro is considered to be part of the local zone (loc).</para>
</blockquote>
<para>Client (conventional routed client config):</para>
<blockquote>
<programlisting>client
dev tun
proto udp
remote gateway.shorewall.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert mac.crt
key mac.key
ns-cert-type server
comp-lzo
verb 3
up /Users/teastep/bin/up
down /Users/teastep/bin/down
</programlisting>
<para><filename>/Users/teastep/bin/up</filename>:</para>
<programlisting>#!/bin/bash
LOCAL_IP=<emphasis role="bold">172.20.0.11</emphasis>
LOCAL_IPV6=<emphasis role="bold">2001:470:e857:2::2</emphasis>
REMOTE_IP=<emphasis role="bold">172.20.1.254</emphasis>
REMOTE_IPV6=<emphasis role="bold">2001:470:e857:2::1</emphasis>
TUNNEL_IF=gif0
if [ $(ifconfig gif0 | wc -l ) -eq 1 ]; then
#
# Tunnel interface is not configured yet
#
/sbin/ifconfig $TUNNEL_IF tunnel $LOCAL_IP $REMOTE_IP
/sbin/ifconfig $TUNNEL_IF inet6 $LOCAL_IPV6 $REMOTE_IPV6 prefixlen 128
else
/sbin/ifconfig $TUNNEL_IF up
fi
/sbin/route -n add -inet6 default $REMOTE_IPV6 &gt; /dev/null 2&gt;&amp;1</programlisting>
<para><filename>/Users/teastep/bin/down</filename>:</para>
<programlisting>#!/bin/bash
TUNNEL_IF=gif0
/sbin/ifconfig $TUNNEL_IF down
/sbin/route -n delete -inet6 default &gt; /dev/null 2&gt;&amp;1
</programlisting>
</blockquote>
</section>
<section> <section>
<title>Bridged Roadwarrior</title> <title>Bridged Roadwarrior</title>
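Review bot: this hunk removes the entire "Roadwarrior with IPv6" section, the document's only worked example of carrying IPv6 over an OpenVPN tunnel via a 6to4 (v4tunnel) interface, including the matching Shorewall and Shorewall6 zone/interface/tunnel excerpts; if it is being withdrawn rather than relocated, say so in the commit message. If it is restored, fix "that;s", "exerpts" and "the remove Macbook Pro" (remote), and add a sentence explaining why the local endpoint of the v4tunnel is the LAN address 172.20.1.254 rather than the OpenVPN endpoint 172.20.0.10, since that is the step most readers get wrong.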

View File

@@ -267,108 +267,6 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<para>Connection marking rules use a mask value of 0xff.</para> <para>Connection marking rules use a mask value of 0xff.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>Shorewall actually allows you to have complete control over the
layout of the 32-bit mark using the following options in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
<variablelist>
<varlistentry>
<term>TC_BITS</term>
<listitem>
<para>The number of bits at the low end of the mark to be used for
traffic shaping marking. May be zero.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PROVIDER_BITS</term>
<listitem>
<para>The number of bits in the mark to be used for provider
numbers. May be zero.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>PROVIDER_OFFSET</term>
<listitem>
<para>The offset from the right (low-order end) of the provider
number field. If non-zero, must be &gt;= TC_BITS (Shorewall
automatically adjusts PROVIDER_OFFSET's value). PROVIDER_OFFSET +
PROVIDER_BITS must be &lt;= 32.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>MASK_BITS</term>
<listitem>
<para>Number of bits on the right of the mark to be masked when
clearing the traffic shaping mark. Must be &gt;= TC_BITS and &lt;=
PROVIDER_OFFSET (if PROVIDER_OFFSET &gt; 0)</para>
</listitem>
</varlistentry>
</variablelist>
<para>The relationship between these options is shown in this
diagram.</para>
<graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
<para></para>
<para>The default values of these options are determined by the settings
of other options as follows:</para>
<table>
<title>Default Values</title>
<tgroup cols="2">
<tbody>
<row>
<entry>WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=No</entry>
<entry>TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=0,
MASK_BITS=8</entry>
</row>
<row>
<entry>WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=Yes</entry>
<entry>TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=8,
MASK_BITS=8</entry>
</row>
<row>
<entry>WIDE_TC_MARKS=Yes, HIGH_ROUTE_MARKS=No</entry>
<entry>TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET=0,
MASK_BITS=16</entry>
</row>
<row>
<entry>WIDE_TC_MARKS=Yes, HIGH_ROUTE_MARKS=Yes</entry>
<entry>TC_BITS=14, PROVIDER_BITS=8, PROVIDER_OFFSET=16,
MASK_BITS=16</entry>
</row>
</tbody>
</tgroup>
</table>
<para>The existence of both TC_BITS and MASK_BITS is owed to the way that
WIDE_TC_MARKS was originally implemented. Note that TC_BITS is 14 rather
than 16 when WIDE_TC_MARKS=Yes.</para>
<para>Beginning with Shorewall 4.4.12, the field between MASK_BITS and
PROVIDER_OFFSET can be used for any purpose you want.</para>
<para>Beginning with Shorewall 4.4.13, The first unused bit on the left is
used by Shorewall as an <firstterm>exclusion mark</firstterm>, allowing
exclusion in CONTINUE, NONAT and ACCEPT+ rules.</para>
</section> </section>
<section id="Shorewall"> <section id="Shorewall">

View File

@@ -74,13 +74,13 @@
<title>Closing the Firewall before the Network Interfaces are brought <title>Closing the Firewall before the Network Interfaces are brought
up</title> up</title>
<para>When Shorewall-init is first installed, it does nothing until you <para> When Shorewall-init is first installed, it does nothing until you
configure it.</para> configure it.</para>
<para>The configuration file is <filename>/etc/default/shorewall-init <para>The configuration file is <filename>/etc/default/shorewall-init
</filename>on Debian-based systems and </filename>on Debian-based systems and
<filename>/etc/sysconfig/shorewall-init</filename> otherwise. There are <filename>/etc/sysconfig/shorewall-init</filename> otherwise. There are
two settings in the file:</para> two settings in the file: </para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
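Review bot: the only change in this hunk is added whitespace inside <para> elements ("<para> When", "file: </para>"); the same is true of the "@@ -115,7 +115,7 @@", "@@ -139,7 +139,7 @@", "@@ -147,7 +147,7 @@", "@@ -259,7 +253,7 @@" and "@@ -278,13 +272,13 @@" hunks of this file. That is editor noise rather than a content change and it buries the one substantive edit in this file (the Upstart warning); revert the whitespace-only lines.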
@@ -115,7 +115,7 @@
<listitem> <listitem>
<para>Be sure that your current firewall script(s) (normally in <para>Be sure that your current firewall script(s) (normally in
<filename>/var/lib/&lt;product&gt;/firewall</filename>) is(are) <filename>/var/lib/&lt;product&gt;/firewall</filename>) is(are)
compiled with the 4.4.10 compiler.</para> compiled with the 4.4.10 compiler. </para>
<para>Shorewall and Shorewall6 users can execute these <para>Shorewall and Shorewall6 users can execute these
commands:</para> commands:</para>
@@ -139,7 +139,7 @@
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>That's all that is required.</para> <para>That's all that is required. </para>
</section> </section>
<section id="NM"> <section id="NM">
@@ -147,7 +147,7 @@
<para>To integrate with NetworkManager and ifup/ifdown, additional steps <para>To integrate with NetworkManager and ifup/ifdown, additional steps
are required. You probably don't want to enable this feature if you run a are required. You probably don't want to enable this feature if you run a
link status monitor like swping or LSM.</para> link status monitor like swping or LSM. </para>
<orderedlist numeration="loweralpha"> <orderedlist numeration="loweralpha">
<listitem> <listitem>
@@ -165,21 +165,15 @@
<listitem> <listitem>
<para>Optional) -- If you have specified at least one <para>Optional) -- If you have specified at least one
<option>required</option> or <option>optional</option> interface, you <option>required</option> or <option>optional</option> interface, you
can then disable automatic firewall startup at boot time. On Debian can then disable automatic firewall startup at boot time. On
systems, set startup=0 in Debian-based systems, set startup=0 in
<filename>/etc/default/<replaceable>product</replaceable></filename>. <filename>/etc/default/<replaceable>product</replaceable></filename>.
On other systems, use your service startup configuration tool On other systems, use your service startup configuration tool
(chkconfig, insserv, ...) to disable startup.</para> (chkconfig, insserv, ...) to disable startup. </para>
<warning>
<para>If your system uses Upstart as it's system initialization
daemon, you should not disable startup. Upstart is standard on
recent Ubuntu and Fedora releases and is optional on Debian.</para>
</warning>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>The following actions occur when an interface comes up:</para> <para>The following actions occur when an interface comes up: </para>
<informaltable> <informaltable>
<tgroup cols="3"> <tgroup cols="3">
@@ -259,7 +253,7 @@
</tgroup> </tgroup>
</informaltable> </informaltable>
<para>For optional interfaces, the <para> For optional interfaces, the
<filename>/var/lib/<replaceable>product</replaceable>/<replaceable>interface</replaceable>.state</filename> <filename>/var/lib/<replaceable>product</replaceable>/<replaceable>interface</replaceable>.state</filename>
files are maintained to reflect the state of the interface so that they files are maintained to reflect the state of the interface so that they
may be used by the standard <firstterm>isusable</firstterm> script. Please may be used by the standard <firstterm>isusable</firstterm> script. Please
@@ -278,13 +272,13 @@
<para>Similarly, if an optional interface goes down and there are no <para>Similarly, if an optional interface goes down and there are no
optional interfaces remaining in the up state, then the firewall is optional interfaces remaining in the up state, then the firewall is
stopped.</para> stopped. </para>
<para>On Debian-based systems, during system shutdown the firewall is <para>On Debian-based systems, during system shutdown the firewall is
opened prior to network shutdown (<command>/etc/init.d/shorewall opened prior to network shutdown (<command>/etc/init.d/shorewall
stop</command> performs a 'clear' operation rather than a 'stop'). This is stop</command> performs a 'clear' operation rather than a 'stop'). This is
required by Debian standards. You can change this default behavior by required by Debian standards. You can change this default behavior by
setting SAFESTOP=1 in <filename>/etc/default/shorewall</filename> setting SAFESTOP=1 in <filename>/etc/default/shorewall</filename>
(<filename>/etc/default/shorewall6</filename>, ...).</para> (<filename>/etc/default/shorewall6</filename>, ...). </para>
</section> </section>
</article> </article>

View File

@@ -320,7 +320,7 @@ ACCEPT $FW net tcp 80,443</programlisting></para>
url="http://wiki.squid-cache.org/Features/Tproxy4">http://wiki.squid-cache.org/Features/Tproxy4</ulink>.</para> url="http://wiki.squid-cache.org/Features/Tproxy4">http://wiki.squid-cache.org/Features/Tproxy4</ulink>.</para>
<para>The following configuration works with Squid running on the firewall <para>The following configuration works with Squid running on the firewall
itself (assume that Squid is listening on port 3128).</para> itself.</para>
<para><filename>/etc/shorewall/interfaces:</filename></para> <para><filename>/etc/shorewall/interfaces:</filename></para>
@@ -332,7 +332,7 @@ ACCEPT $FW net tcp 80,443</programlisting></para>
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY <programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Tproxy 1 1 - lo - local</programlisting> Tproxy 1 1 - lo - local</programlisting>
<para><filename>/etc/shorewall/tcrules</filename> (assume loc interface is <para><filename>/etc/shorewall/tcrules</filename> (assume Z interface is
eth1):</para> eth1):</para>
<programlisting>MARK SOURCE DEST PROTO PORT(S) <programlisting>MARK SOURCE DEST PROTO PORT(S)
@@ -341,7 +341,7 @@ TPROXY(1,3128) eth1 0.0.0.0/0 tcp 80</programlisting>
<para>/etc/shorewall/rules:</para> <para>/etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT loc $FW tcp 3128 ACCEPT Z $FW tcp SP
ACCEPT $FW net tcp 80</programlisting> ACCEPT $FW net tcp 80</programlisting>
</section> </section>
</article> </article>
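Review bot: the right-hand rules now read "ACCEPT Z $FW tcp SP" and the tcrules lead-in says "assume Z interface is eth1", but the sentence that defined the port assumption ("assume that Squid is listening on port 3128") is removed and neither Z nor SP is defined anywhere, while the unchanged tcrules context line still hard-codes TPROXY(1,3128) on eth1. Either keep the concrete loc/3128 example, which matches the TPROXY(1,3128) line, or define the placeholders before using them.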

View File

@@ -1,352 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Universal Configuration</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2010</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Configuring Shorewall</title>
<para>Once you have installed the Shorewall software, you must configure
it. The easiest way to do that is to use one of Shorewall's
<firstterm>Sample Configurations</firstterm>. The Universal Configuration
is one of those samples.</para>
</section>
<section>
<title>What the Universal Configuration does</title>
<para>The Universal Shorewall configuration requires that you simply copy
the configuration to <filename class="directory">/etc/shorewall</filename>
and start Shorewall. This sample configuation:</para>
<itemizedlist>
<listitem>
<para>Allows all outgoing traffic.</para>
</listitem>
<listitem>
<para>Blocks all incoming connections except:</para>
<itemizedlist>
<listitem>
<para>Secure Shell</para>
</listitem>
<listitem>
<para>Ping</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>Allows forwarding of traffic, provided that the system has more
than one interface or is set up to route between networks on a single
interface.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>How to Install it</title>
<para>The location of the sample configuration files is dependent on your
distribution and <ulink url="Install.htm">how you installed
Shorewall</ulink>.</para>
<orderedlist>
<listitem>
<para>If you installed using an <acronym>RPM</acronym>, the samples
will be in the <filename
class="directory">Samples/Universal</filename> subdirectory of the
Shorewall documentation directory. If you don't know where the
Shorewall documentation directory is, you can find the samples using
this command:</para>
<programlisting>~# rpm -ql shorewall-common | fgrep Universal
/usr/share/doc/packages/shorewall/Samples/Universal
/usr/share/doc/packages/shorewall/Samples/Universal/interfaces
/usr/share/doc/packages/shorewall/Samples/Universal/policy
/usr/share/doc/packages/shorewall/Samples/Universal/rules
/usr/share/doc/packages/shorewall/Samples/Universal/zones
~#</programlisting>
</listitem>
<listitem>
<para>If you installed using the tarball, the samples are in the
<filename class="directory">Samples/Universal</filename> directory in
the tarball.</para>
</listitem>
<listitem>
<para>If you installed using a Shorewall 4.x .deb, the samples are in
<filename
class="directory">/usr/share/doc/shorewall-common/examples/Universal</filename>..
You do not need the shorewall-doc package to have access to the
samples.</para>
</listitem>
</orderedlist>
<para>Simple copy the files from the Universal directory to
/etc/shorewall.</para>
</section>
<section>
<title>How to Start the firewall</title>
<para>Before starting Shorewall for the first time, it's a good idea to
stop your existing firewall. On Redhat/CentOS/Fedora, at a root prompt
type:</para>
<blockquote>
<para><command>service iptables stop</command></para>
</blockquote>
<para>If you are running SuSE, use Yast or Yast2 to stop
SuSEFirewall.</para>
<para>Once you have Shorewall running to your satisfaction, you should
totally disable your existing firewall. On /Redhat/CentOS/Fedora:</para>
<blockquote>
<para><command>chkconfig --del iptables</command></para>
</blockquote>
<para>At a root prompt, type:</para>
<blockquote>
<para><command>/sbin/shorewall start</command></para>
</blockquote>
<para>That's it. Shorewall will automatically start again when you
reboot.</para>
</section>
<section>
<title>Now that it is running, ...</title>
<section>
<title>How do I stop the firewall?</title>
<para>At a root prompt, type:</para>
<blockquote>
<para><command>/sbin/shorewall clear</command></para>
</blockquote>
<para>The system is now 'wide open'.</para>
</section>
<section>
<title>How do I prevent it from responding to ping?</title>
<para>Edit <filename>/etc/shorewall/rules</filename> and remove the line
that reads:</para>
<blockquote>
<para>Ping(ACCEPT) net $FW</para>
</blockquote>
<para>and at a root prompt, type:</para>
<blockquote>
<para><command>/sbin/shorewall restart</command></para>
</blockquote>
</section>
<section>
<title>How do I allow other kinds of incoming connections?</title>
<para>Shorewall includes a collection of <firstterm>macros</firstterm>
that can be used to quickly allow or deny services. You can find a list
of the macros included in your version of Shorewall using the command
<command>ls <filename>/usr/share/shorewall/macro.*</filename></command>
or at a shell prompt type:</para>
<blockquote>
<para><command>/sbin/shorewall show macros</command></para>
</blockquote>
<para>If you wish to enable connections from the Internet to your
firewall and you find an appropriate macro in
<filename>/etc/shorewall/macro.*</filename>, the general format of a
rule in <filename>/etc/shorewall/rules</filename> is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
&lt;<emphasis>macro</emphasis>&gt;(ACCEPT) net $FW</programlisting>
<important>
<para>Be sure to add your rules after the line that reads <emphasis
role="bold">SECTION NEW.</emphasis></para>
</important>
<example id="Example1">
<title>You want to run a Web Server and a IMAP Server on your firewall
system:</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
Web(ACCEPT) net $FW
IMAP(ACCEPT)net $FW</programlisting>
</example>
<para>You may also choose to code your rules directly without using the
pre-defined macros. This will be necessary in the event that there is
not a pre-defined macro that meets your requirements. In that case the
general format of a rule in <filename>/etc/shorewall/rules</filename>
is:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net $FW <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>
<example id="Example2">
<title>You want to run a Web Server and a IMAP Server on your firewall
system:</title>
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net $FW tcp 80
ACCEPT net $FW tcp 143</programlisting></para>
</example>
<para>If you don't know what port and protocol a particular application
uses, see <ulink url="ports.htm">here</ulink>.</para>
</section>
<section>
<title>How do I make the firewall log a message when it disallows an
incoming connection?</title>
<para>Shorewall does not maintain a log itself but rather relies on your
<ulink url="shorewall_logging.html">system's logging
configuration</ulink>. The following <ulink
url="manpages/shorewall.html">commands</ulink> rely on knowing where
Netfilter messages are logged:</para>
<itemizedlist>
<listitem>
<para><command>shorewall show log</command> (Displays the last 20
Netfilter log messages)</para>
</listitem>
<listitem>
<para><command>shorewall logwatch</command> (Polls the log at a
settable interval</para>
</listitem>
<listitem>
<para><command>shorewall dump</command> (Produces an extensive
report for inclusion in Shorewall problem reports)</para>
</listitem>
</itemizedlist>
<para>It is important that these commands work properly because when you
encounter connection problems when Shorewall is running, the first thing
that you should do is to look at the Netfilter log; with the help of
<ulink url="FAQ.htm#faq17">Shorewall FAQ 17</ulink>, you can usually
resolve the problem quickly.</para>
<para>The Netfilter log location is distribution-dependent:</para>
<itemizedlist>
<listitem>
<para>Debian and its derivatives log Netfilter messages to
<filename>/var/log/kern.log</filename>.</para>
</listitem>
<listitem>
<para>Recent <trademark>SuSE/OpenSuSE</trademark> releases come
preconfigured with syslog-ng and log netfilter messages to
<filename>/var/log/firewall</filename>.</para>
</listitem>
<listitem>
<para>For other distributions, Netfilter messages are most commonly
logged to <filename>/var/log/messages</filename>.</para>
</listitem>
</itemizedlist>
<para>Modify the LOGFILE setting in
<filename>/etc/shorewall/shorewall.conf</filename> to specify the name
of your log.</para>
<important>
<para>The LOGFILE setting does not control where the Netfilter log is
maintained -- it simply tells the /sbin/<filename>shorewall</filename>
utility where to find the log.</para>
</important>
<para>Now, edit <filename>/etc/shorewall/policy</filename> and modify
the line that reads:</para>
<blockquote>
<para>net all DROP</para>
</blockquote>
<para>to</para>
<blockquote>
<para>net all DROP <emphasis role="bold">info</emphasis></para>
</blockquote>
<para>Then at a root prompt, type:</para>
<blockquote>
<para><command>/sbin/shorewall restart</command></para>
</blockquote>
</section>
<section>
<title>How do I prevent the firewall from forwarding connection
requests?</title>
<para>Edit /etc/shorewall/interfaces, and remove the routeback option
from the interface. e.g., change the line that reads:</para>
<blockquote>
<para>net all - dhcp,physical=+<emphasis
role="bold">,routeback</emphasis>,optional</para>
</blockquote>
<para>to</para>
<blockquote>
<para>net all - dhcp,physical=+,optional</para>
</blockquote>
<para>Then at a root prompt, type:</para>
<blockquote>
<para><command>/sbin/shorewall restart</command></para>
</blockquote>
</section>
</section>
</article>
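Review bot: The forwarding remedy in the section "How do I prevent the firewall from forwarding connection requests?" only covers the single-interface case named in the bullet at the top of the article: dropping routeback from "net all - dhcp,physical=+,routeback,optional" stops traffic from being routed back out the interface it arrived on, but the bullet also says forwarding is allowed when the system has more than one interface, and that case needs a policy change the section never names. Either narrow the bullet or add the policy edit. Copy-paste hazards in the same file: the first example listing reads "IMAP(ACCEPT)net $FW" with no whitespace between the ACTION and SOURCE columns, and the rpm example queries package shorewall-common but lists files under /usr/share/doc/packages/shorewall/, so one of the two package names is wrong. Wording: "configuation" and "Simple copy" should be "configuration" and "Simply copy"; "Universal</filename>.." has a doubled period; "On /Redhat/CentOS/Fedora" has a stray slash; "a IMAP Server" should be "an IMAP Server" (both example titles); "(Polls the log at a settable interval" is missing its closing parenthesis. Finally, "The system is now 'wide open'." after shorewall clear deserves the document's own <important> element rather than a bare paragraph, since a reader who only wants to stop the firewall may not expect every rule to be removed.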

View File

@@ -1,172 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Shorewall and Linux-vserver</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2010</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>Introduction</title>
<para>Formal support for Linux-vserver was added in Shorewall 4.4.11
Beta2. The centerpiece of that support is the
<firstterm>vserver</firstterm> zone type. Vserver zones have the following
characteristics:</para>
<itemizedlist>
<listitem>
<para>They are defined on the Linux-vserver host.</para>
</listitem>
<listitem>
<para>The $FW zone is their implicit parent.</para>
</listitem>
<listitem>
<para>Their contents must be defined using the <ulink
url="manpages/shorewall-hosts.html">shorewall-hosts </ulink>(5) file.
The <emphasis role="bold">ipsec</emphasis> option may not be
specified.</para>
</listitem>
<listitem>
<para>They may not appear in the ZONE column of the <ulink
url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink>
(5) file.</para>
</listitem>
</itemizedlist>
<para>If you use these zones, keep in mind that Linux-vserver implements a
very weak form of network virtualization:</para>
<itemizedlist>
<listitem>
<para>From a networking point of view, vservers live on the host
system. So if you don't use care, Vserver traffic to/from zone z will
be controlled by the fw-&gt;z and z-&gt;fw rules and policies rather
than by vserver-&gt;z and z-&gt;vserver rules and policies.</para>
</listitem>
<listitem>
<para>Outgoing connections from a vserver will not use the Vserver's
address as the SOURCE IP address unless you configure applications
running in the Vserver properly. This is especially true for IPv6
applications. Such connections will appear to come from the $FW zone
rather than the intended Vserver zone.</para>
</listitem>
<listitem>
<para>While you can define the vservers to be associated with the
network interface where their IP addresses are added at vserver
startup time, Shorewall internally associates all vservers with the
loopback interface (<emphasis role="bold">lo</emphasis>). Here's an
example of how that association can show up:</para>
<programlisting>gateway:~# shorewall show zones
Shorewall 4.4.11-Beta2 Zones at gateway - Fri Jul 2 12:26:30 PDT 2010
fw (firewall)
drct (ipv4)
eth4:+drct_eth4
loc (ipv4)
eth4:0.0.0.0/0
net (ipv4)
eth1:0.0.0.0/0
vpn (ipv4)
tun+:0.0.0.0/0
dmz (<emphasis role="bold">vserver</emphasis>)
<emphasis role="bold">lo</emphasis>:70.90.191.124/31
gateway:~#</programlisting>
</listitem>
</itemizedlist>
</section>
<section>
<title>Vserver Zones</title>
<para>Here is a diagram of the network configuration here at Shorewall.net
during the summer of 2010:</para>
<graphic align="center" fileref="images/Network2010a.png" />
<para>I created a zone for the vservers as follows:</para>
<para><filename>/etc/shorewall/zones</filename>:</para>
<programlisting>#ZONE TYPE OPTIONS ...
fw firewall
loc ip #Local Zone
drct:loc ipv4 #Direct internet access
net ipv4 #Internet
vpn ipv4 #OpenVPN clients
<emphasis role="bold">dmz vserver #Vservers</emphasis></programlisting>
<para><filename>/etc/shorewall/hosts</filename>:</para>
<programlisting>#ZONE HOST(S) OPTIONS
drct eth4:dynamic
<emphasis role="bold">dmz eth1:70.90.191.124/31</emphasis></programlisting>
<para>While the IP addresses 70.90.191.124 and 70.90.191.125 are
configured on eth1, the actual interface name is irrelevate so long as the
interface is defined in <ulink
url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> (5).
Shorewall will consider all vserver zones to be associated with the
loopback interface (<emphasis role="bold">lo</emphasis>).</para>
<para>Once a vserver zone is defined, it can be used like any other zone
type.</para>
<para>Here is the corresponding IPv6 configuration.</para>
<para><filename>/etc/shorewall6/zones</filename></para>
<programlisting>#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv6
loc ipv6
vpn ipv6
<emphasis role="bold">dmz vserver</emphasis>
</programlisting>
<para><filename>/etc/shorewall6/hosts</filename>:</para>
<programlisting>#ZONE HOST(S) OPTIONS
dmz sit1:[2001:470:e857:1::/64]</programlisting>
<para>Note that I choose to place the Vservers on sit1 (the IPv6 net
interface) rather than on eth1. Again, it really doesn't matter
much.</para>
</section>
</article>
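Review bot: The Introduction warns that vserver traffic "will be controlled by the fw->z and z->fw rules and policies" "if you don't use care" but never says what that care is; the next bullet (applications in the vserver must be configured so outgoing connections use the vserver's address as SOURCE) is that care, so tie the two bullets together, because a rule set written for the dmz vserver zone silently does nothing for connections that leave with the host's address. Also "irrelevate" should be "irrelevant", and the sentence "Note that I choose to place the Vservers on sit1" should read "chose".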

View File

@@ -20,8 +20,6 @@
<copyright> <copyright>
<year>2002-2006</year> <year>2002-2006</year>
<year>2010</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@@ -36,13 +34,6 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 4.4 and
later. If you are running a version of Shorewall earlier than Shorewall
4.3.5 then please see the documentation for that
release.</emphasis></para>
</caution>
<section id="Intro"> <section id="Intro">
<title>Introduction</title> <title>Introduction</title>
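Review bot: The caution block in this hunk names two different version boundaries, "applies to Shorewall 4.4 and later" and "earlier than Shorewall 4.3.5"; whichever side of this comparison keeps the caution should use a single threshold. The copyright hunk above drops <year>2010</year> from this file while the sibling Vserver article in this diff carries 2010; check that is intended.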
@@ -70,20 +61,6 @@
the blacklists</emphasis>. Blacklists only stop blacklisted hosts from the blacklists</emphasis>. Blacklists only stop blacklisted hosts from
connecting to you — they do not stop you or your users from connecting connecting to you — they do not stop you or your users from connecting
to blacklisted hosts .</para> to blacklisted hosts .</para>
<variablelist>
<varlistentry>
<term>UPDATE</term>
<listitem>
<para>Beginning with Shorewall 4.4.12, you can also blacklist by
destination address. See <ulink
url="manpages/shorewall-blacklist.html">shorewall-blacklist</ulink>
(5) and <ulink url="manpages/shorewall.html">shorewall</ulink> (8)
for details.</para>
</listitem>
</varlistentry>
</variablelist>
</important> </important>
<important> <important>
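Review bot: The UPDATE entry (blacklisting by destination address from 4.4.12) contradicts the unchanged sentence directly above it, "Blacklists only stop blacklisted hosts from connecting to you — they do not stop you or your users from connecting to blacklisted hosts"; whichever side keeps the UPDATE should qualify that sentence (for example "unless you blacklist by destination address"), otherwise a reader who relies on it to reason about outbound traffic to a listed host will be misled.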
@@ -184,28 +161,25 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
Prior to that release, the feature is always enabled.</para> Prior to that release, the feature is always enabled.</para>
<para>Once enabled, dynamic blacklisting doesn't use any configuration <para>Once enabled, dynamic blacklisting doesn't use any configuration
parameters but is rather controlled using /sbin/shorewall[-lite] commands. parameters but is rather controlled using /sbin/shorewall[-lite]
<emphasis role="bold">Note</emphasis> that <emphasis commands:</para>
role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
later</emphasis>.</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> - <para>drop <emphasis>&lt;ip address list&gt;</emphasis> - causes
causes packets from the listed IP addresses to be silently dropped by packets from the listed IP addresses to be silently dropped by the
the firewall.</para>
</listitem>
<listitem>
<para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
causes packets from the listed IP addresses to be rejected by the
firewall.</para> firewall.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> - <para>reject <emphasis>&lt;ip address list&gt;</emphasis> - causes
re-enables receipt of packets from hosts previously blacklisted by a packets from the listed IP addresses to be rejected by the
firewall.</para>
</listitem>
<listitem>
<para>allow <emphasis>&lt;ip address list&gt;</emphasis> - re-enables
receipt of packets from hosts previously blacklisted by a
<emphasis>drop</emphasis> or <emphasis>reject</emphasis> <emphasis>drop</emphasis> or <emphasis>reject</emphasis>
command.</para> command.</para>
</listitem> </listitem>
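Review bot: On the side that accepts [to|from], each description still says "packets from the listed IP addresses", which is wrong when "to" is given: drop to <list> acts on packets destined for those addresses. Reword each entry to "to or from". Same side: "reject [to|from]<emphasis>" is missing the space between the keyword and the address list that the drop and allow entries have.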
@@ -227,19 +201,19 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> - <para>logdrop <emphasis>&lt;ip address list&gt;</emphasis> - causes
causes packets from the listed IP addresses to be dropped and logged packets from the listed IP addresses to be dropped and logged by the
by the firewall. Logging will occur at the level specified by the firewall. Logging will occur at the level specified by the
BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
the 'info' level if no BLACKLIST_LOGLEVEL was given).</para> the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem> </listitem>
<listitem> <listitem>
<para>logreject [to|from}<emphasis>&lt;ip address list&gt;</emphasis> <para>logreject <emphasis>&lt;ip address list&gt;</emphasis> - causes
- causes packets from the listed IP addresses to be rejected and packets from the listed IP addresses to be rejected and logged by the
logged by the firewall. Logging will occur at the level specified by firewall. Logging will occur at the level specified by the
the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para> the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
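Review bot: "logreject [to|from}" uses a closing brace where the other four commands use a bracket; and, as with drop and reject in the previous hunk, "packets from the listed IP addresses" should read "to or from" on the side that accepts the to/from keyword.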

View File

@@ -122,9 +122,8 @@
</listitem> </listitem>
<listitem> <listitem>
<para><filename>/etc/shorewall/tcrules </filename>- The file has a <para><filename>/etc/shorewall/tcrules </filename>- defines marking
rather unfortunate name because it is used to define marking of of packets for later use by traffic control/shaping or policy
packets for later use by both traffic control/shaping and policy
routing.</para> routing.</para>
</listitem> </listitem>
@@ -213,12 +212,6 @@
shaping.</para> shaping.</para>
</listitem> </listitem>
<listitem>
<para><filename>/etc/shorewall/secmarks</filename> - Added in
Shorewall 4.4.13. Attach an SELinux context to selected
packets.</para>
</listitem>
<listitem> <listitem>
<para><filename>/etc/shorewall/vardir</filename> - Determines the <para><filename>/etc/shorewall/vardir</filename> - Determines the
directory where Shorewall maintains its state.</para> directory where Shorewall maintains its state.</para>
@@ -296,30 +289,6 @@ ACCEPT net $FW tcp www #This is an end-of-line comment</progra
</example> </example>
</section> </section>
<section id="Names">
<title>Names</title>
<para>When you define an object in Shorewall (<ulink
url="manpages/shorewall-zones.html">Zone</ulink>, <link
linkend="Logical">Logical Interface</link>, <ulink
url="ipsets.html">ipsets</ulink>, <ulink
url="Actions.html">Actions</ulink>, etc., you give it a name. Shorewall
names start with a letter and consist of letters, digits or underscores
("_"). Except for Zone names, Shorewall does not impose a limit on name
length.</para>
<para>When an ipset is referenced, the name must be preceded by a plus
sign ("+").</para>
<para>The last character of an interface may also be a plus sign to
indicate a wildcard name.</para>
<para>Physical interface names match names shown by 'ip link ls'; if the
name includes an at sign ("@"), do not include that character or any
character that follows. For example, "sit1@NONE" is referred to as simply
'sit1".</para>
</section>
<section id="COMMENT"> <section id="COMMENT">
<title>Attach Comment to Netfilter Rules</title> <title>Attach Comment to Netfilter Rules</title>
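Review bot: "Except for Zone names, Shorewall does not impose a limit on name length" leaves the one limit that does exist unstated; give the zone-name length or point the reader at the shorewall-zones(5) link already in the same paragraph. Also "The last character of an interface may also be a plus sign" should be "interface name", and the closing quote in 'sit1" does not match its opening quote.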
@@ -349,10 +318,6 @@ ACCEPT net $FW tcp www #This is an end-of-line comment</progra
<para><filename>/etc/shorewall/rules</filename></para> <para><filename>/etc/shorewall/rules</filename></para>
</listitem> </listitem>
<listitem>
<para><filename>/etc/shorewall/secmarks</filename></para>
</listitem>
<listitem> <listitem>
<para><filename>/etc/shorewall/tcrules</filename></para> <para><filename>/etc/shorewall/tcrules</filename></para>
</listitem> </listitem>
@@ -430,7 +395,7 @@ gateway:~ #
COMMENT SSH COMMENT SSH
PARAM - - tcp 22 </programlisting> PARAM - - tcp 22 </programlisting>
<filename>/etc/shorewall/rules</filename>:<programlisting>COMMENT Allow SSH from home <filename>/etc/shorewall/rules</filename>:<programlisting>COMMENT Allow SSH from home
SSH(ACCEPT) net:$MYIP $FW SSH/ALLOW net:$MYIP $FW
COMMENT</programlisting>The comment line in macro.SSH will not override the COMMENT</programlisting>The comment line in macro.SSH will not override the
COMMENT line in the rules file and the generated rule will show <emphasis COMMENT line in the rules file and the generated rule will show <emphasis
role="bold">/* Allow SSH from home */</emphasis> when displayed through role="bold">/* Allow SSH from home */</emphasis> when displayed through
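Review bot: The two sides of this hunk disagree on the macro invocation, SSH(ACCEPT) versus SSH/ALLOW, and ALLOW is not an action used anywhere else in this document (the rules examples use ACCEPT, e.g. "ACCEPT net $FW tcp www" in the hunk header context above). If the slash form is wanted it should be SSH/ACCEPT; the macro.SSH body "PARAM - - tcp 22" only yields a usable rule when the action substituted for PARAM is valid.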
@@ -520,9 +485,8 @@ ACCEPT net:\
<listitem> <listitem>
<para>ADDRESS LIST — A list of one or more addresses (host or network) <para>ADDRESS LIST — A list of one or more addresses (host or network)
or address ranges, separated by commas. In an IPv6 configuration, this or address ranges, separated by commas. In an IPv6 configuration, this
list must be includef in square or angled brackets ("[...]" or list must be includes in angled brackets ("&lt;...&gt;"). The list may
"&lt;...&gt;"). The list may have <link have <link linkend="Exclusion">exclusion</link>.</para>
linkend="Exclusion">exclusion</link>.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
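Review bot: Both sides misspell the verb: "includef in square or angled brackets" and "includes in angled brackets" should both read "included in". The two sides also differ on which bracket styles are accepted, and the example in the next hunk (loc:[...] versus loc:<...>) has to agree with whichever list of bracket styles is kept.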
@@ -561,7 +525,7 @@ ACCEPT net:\
<listitem> <listitem>
<para>Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the <emphasis <para>Host 2002:ce7c:92b4:1:a00:27ff:feb1:46a9 in the <emphasis
role="bold">loc</emphasis> zone — <emphasis role="bold">loc</emphasis> zone — <emphasis
role="bold">loc:[2002:ce7c:92b4:1:a00:27ff:feb1:46a9]</emphasis></para> role="bold">loc:&lt;2002:ce7c:92b4:1:a00:27ff:feb1:46a9&gt;</emphasis></para>
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>
@@ -785,7 +749,9 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
</listitem> </listitem>
<listitem> <listitem>
<para>Should not depend on where the code is called from.</para> <para>Should not depend on where the code is called from (the params
file is sourced by both /sbin/shorewall and
/usr/lib/shorewall/firewall).</para>
</listitem> </listitem>
<listitem> <listitem>
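Review bot: The added parenthetical explains why code in params must not depend on its caller, but since the file is sourced, everything in it is executed as shell by both /sbin/shorewall and /usr/lib/shorewall/firewall with whatever privilege those programs run under; the list should also state that params must be writable only by root, because a writable params file is a path to running arbitrary commands with the firewall's privilege. A further list item next to this one would cover it.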
@@ -1351,7 +1317,7 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
<para>Beginning with Shorewall 4.4.4, you can use logical interface names <para>Beginning with Shorewall 4.4.4, you can use logical interface names
which are mapped to the actual interface using the which are mapped to the actual interface using the
<option>physical</option> option in <ulink <option>physical</option> option in <ulink
url="manpages/shorewall-interfaces.html">shorewall-interfaces</ulink> url="manpages/shorewall-interfaces.html">shorewall-interfraces</ulink>
(5).</para> (5).</para>
<para>Here is an example:</para> <para>Here is an example:</para>
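Review bot: One side of this hunk spells the link text "shorewall-interfraces"; the url attribute is correct on both sides, so only the visible text differs. Keep "shorewall-interfaces".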

Some files were not shown because too many files have changed in this diff.