Document addition of startup_error()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Add startup_error() function to the -lite CLIs
2010-11-29 16:01:19 -08:00 · 2010-11-29 15:46:56 -08:00 · 2010-11-28 07:48:03 -08:00 · 2010-11-28 07:42:12 -08:00 · 2010-11-28 07:07:58 -08:00 · 2010-11-28 07:05:18 -08:00
144 changed files with 4091 additions and 1673 deletions
--- a/Samples/Universal/shorewall.conf
+++ b/Samples/Universal/shorewall.conf
@@ -126,18 +126,12 @@ ADMINISABSENTMINDED=Yes

 BLACKLISTNEWONLY=Yes

-DELAYBLACKLISTLOAD=No
-
 MODULE_SUFFIX=ko

 DISABLE_IPV6=No

-BRIDGING=No
-
 DYNAMIC_ZONES=No

-PKTTYPE=Yes
-
 NULL_ROUTE_RFC1918=No

 MACLIST_TABLE=filter
@@ -196,7 +190,7 @@ LOAD_HELPERS_ONLY=Yes

 REQUIRE_INTERFACE=Yes

-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=

 COMPLETE=Yes

--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -137,14 +137,10 @@ ADMINISABSENTMINDED=Yes

 BLACKLISTNEWONLY=Yes

-DELAYBLACKLISTLOAD=No
-
 MODULE_SUFFIX=ko

 DISABLE_IPV6=No

-BRIDGING=No
-
 DYNAMIC_ZONES=No

 PKTTYPE=Yes
@@ -165,8 +161,6 @@ IMPLICIT_CONTINUE=No

 HIGH_ROUTE_MARKS=No

-USE_ACTIONS=Yes
-
 OPTIMIZE=1

 EXPORTPARAMS=No
@@ -207,7 +201,7 @@ LOAD_HELPERS_ONLY=Yes

 REQUIRE_INTERFACE=No

-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=

 COMPLETE=No

--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -137,14 +137,10 @@ ADMINISABSENTMINDED=Yes

 BLACKLISTNEWONLY=Yes

-DELAYBLACKLISTLOAD=No
-
 MODULE_SUFFIX=ko

 DISABLE_IPV6=No

-BRIDGING=No
-
 DYNAMIC_ZONES=No

 PKTTYPE=Yes
@@ -165,8 +161,6 @@ IMPLICIT_CONTINUE=No

 HIGH_ROUTE_MARKS=No

-USE_ACTIONS=Yes
-
 OPTIMIZE=1

 EXPORTPARAMS=No
@@ -207,7 +201,7 @@ LOAD_HELPERS_ONLY=Yes

 REQUIRE_INTERFACE=No

-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=

 COMPLETE=No

--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -144,14 +144,10 @@ ADMINISABSENTMINDED=Yes

 BLACKLISTNEWONLY=Yes

-DELAYBLACKLISTLOAD=No
-
 MODULE_SUFFIX=ko

 DISABLE_IPV6=No

-BRIDGING=No
-
 DYNAMIC_ZONES=No

 PKTTYPE=Yes
@@ -172,8 +168,6 @@ IMPLICIT_CONTINUE=No

 HIGH_ROUTE_MARKS=No

-USE_ACTIONS=Yes
-
 OPTIMIZE=1

 EXPORTPARAMS=No
@@ -214,7 +208,7 @@ LOAD_HELPERS_ONLY=Yes

 REQUIRE_INTERFACE=No

-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=

 COMPLETE=No

--- a/Samples6/Universal/shorewall6.conf
+++ b/Samples6/Universal/shorewall6.conf
@@ -153,7 +153,7 @@ LOAD_HELPERS_ONLY=Yes

 REQUIRE_INTERFACE=Yes

-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=

 COMPLETE=Yes

--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes

 REQUIRE_INTERFACE=No

-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=

 COMPLETE=No

--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes

 REQUIRE_INTERFACE=No

-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=

 COMPLETE=No

--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes

 REQUIRE_INTERFACE=No

-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=

 COMPLETE=No

--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.13.1
+VERSION=4.4.15

 usage() # $1 = exit status
 {
@@ -285,11 +285,8 @@ fi
 if [ -z "$DESTDIR" ]; then
    if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall-init
-	    else
-		ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
-	    fi
+	    
+	    update-rc.d shorewall-init defaults

 	    echo "Shorewall Init will start automatically at boot"
 	else
--- a/Shorewall-init/shorewall-init.spec
+++ b/Shorewall-init/shorewall-init.spec
@@ -1,6 +1,6 @@
 %define name shorewall-init
-%define version 4.4.13
-%define release 1
+%define version 4.4.15
+%define release 0base

 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
@@ -99,10 +99,26 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
+* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0base
+* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0RC1
+* Mon Nov 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0Beta2
+* Sat Oct 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0Beta1
+* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0base
+* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0RC1
+* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta4
+* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta3
+* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta2
+* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.13.1
+VERSION=4.4.15

 usage() # $1 = exit status
 {
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -17,10 +17,9 @@ SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}

-[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
+[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0

 export SHOREWALL_INIT_SCRIPT
-
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
 test -n "$INITLOG" || {
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.13.1
+VERSION=4.4.15

 usage() # $1 = exit status
 {
@@ -355,6 +355,8 @@ if [ -z "$DESTDIR" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite

+	    update-rc.d shorewall-lite defaults
+
 	    if [ -x /sbin/insserv ]; then
 		insserv /etc/init.d/shorewall-lite
 	    else
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -94,9 +94,9 @@ get_config() {
    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages

    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
-	LOGREAD="logread | tac"
+	g_logread="logread | tac"
    elif [ -r $LOGFILE ]; then
-	LOGREAD="tac $LOGFILE"
+	g_logread="tac $LOGFILE"
    else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	exit 2
@@ -113,10 +113,6 @@ get_config() {

    [ -n "$FW" ] || FW=fw

-    [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
-
-    [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
-
    if [ -n "$IPTABLES" ]; then
 	if [ ! -x "$IPTABLES" ]; then
 	    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
@@ -145,6 +141,12 @@ get_config() {

    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))

+    if [ $VERBOSITY -lt -1 ]; then
+	VERBOSITY=-1
+    elif [ $VERBOSITY -gt 2 ]; then
+	VERBOSITY=2
+    fi
+
    g_hostname=$(hostname 2> /dev/null)

    IP=$(mywhich ip 2> /dev/null)
@@ -175,6 +177,15 @@ verify_firewall_script() {
    fi
 }

+#
+# Fatal error
+#
+startup_error() {
+    echo "   ERROR: $@" >&2
+    kill $$
+    exit 1
+}
+
 #
 # Start Command Executor
 #
@@ -463,6 +474,13 @@ g_use_verbosity=
 g_noroutes=
 g_timestamp=
 g_recovering=
+g_logread=
+
+#
+# Make sure that these variables are cleared
+#
+VERBOSE=
+VERBOSITY=

 finished=0

--- a/Shorewall-lite/shorewall-lite.conf
+++ b/Shorewall-lite/shorewall-lite.conf
@@ -21,6 +21,7 @@
 ###############################################################################
 #		              V E R B O S I T Y
 ###############################################################################
+
 VERBOSITY=

 ###############################################################################
@@ -29,8 +30,6 @@ VERBOSITY=

 LOGFILE=

-LOGFORMAT=
-
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.13
-%define release 1
+%define version 4.4.15
+%define release 0base

 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -102,10 +102,26 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
+* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0base
+* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0RC1
+* Mon Nov 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0Beta2
+* Sat Oct 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0Beta1
+* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0base
+* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0RC1
+* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta4
+* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta3
+* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta2
+* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.13.1
+VERSION=4.4.15

 usage() # $1 = exit status
 {
--- a/Shorewall/Contrib/swping
+++ b/Shorewall/Contrib/swping
@@ -224,7 +224,7 @@ while : ; do
 	# One of the interfaces changed state -- restart Shorewall
 	#
 	echo $if1_state > $VARDIR/${IF1}.status
-	echo $if2_state > $VARDIR/${IF2}.status 
+	echo $if2_state > $VARDIR/${IF2}.status
 	eval $COMMAND
 	state_changed=
    fi
--- a/Shorewall/Contrib/swping.init
+++ b/Shorewall/Contrib/swping.init
@@ -32,7 +32,7 @@
 ### BEGIN INIT INFO
 # Provides:	  swping
 # Required-Start: shorewall
-# Should-Start: 
+# Should-Start:
 # Required-Stop:
 # Default-Start:  2 3 5
 # Default-Stop:	  0 1 6
@@ -87,7 +87,7 @@ case "$command" in
 	    echo "swping is running"
 	    exit 0
 	else
-	    echo "swping is stopped" 
+	    echo "swping is stopped"
 	    exit 3
 	fi
 	;;
--- a/Shorewall/Macros/macro.BitTorrent
+++ b/Shorewall/Macros/macro.BitTorrent
@@ -5,7 +5,7 @@
 #
 #	This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier.
 #
-#	If you are running BitTorrent 3.2 or later, you should use the 
+#	If you are running BitTorrent 3.2 or later, you should use the
 #	BitTorrent32 macro.
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
--- a/Shorewall/Macros/macro.ICPV2
+++ b/Shorewall/Macros/macro.ICPV2
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - ICPV2 Macro
+#
+# /usr/share/shorewall/macro.ICPV2
+#
+#	This macro handles Internet Cache Protocol V2 (Squid) traffic
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	3130
--- a/Shorewall/Macros/macro.IPPserver
+++ b/Shorewall/Macros/macro.IPPserver
@@ -15,7 +15,7 @@
 #	Example for a two-interface firewall which acts as a print
 #	server for loc:
 #		IPPserver/ACCEPT loc $FW
-#	
+#
 #	NOTE: If you want both to serve requests for local printers and
 #	listen to requests for remote printers (i.e. your CUPS server is
 #	also a client), you need to apply the rule twice, e.g.
--- a/Shorewall/Macros/macro.JAP
+++ b/Shorewall/Macros/macro.JAP
@@ -13,5 +13,5 @@
 PARAM	-	-	tcp	8080 # HTTP port
 PARAM	-	-	tcp	6544 # HTTP port
 PARAM	-	-	tcp	6543 # InfoService port
-HTTPS/PARAM
-SSH/PARAM
+HTTPS(PARAM)
+SSH(PARAM)
--- a/Shorewall/Macros/macro.Munin
+++ b/Shorewall/Macros/macro.Munin
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Munin Macro
+#
+# /usr/share/shorewall/macro.Munin
+#
+#	This macro handles Munin networked resource monitoring traffic
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	4949
--- a/Shorewall/Macros/macro.Squid
+++ b/Shorewall/Macros/macro.Squid
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Squid Macro
+#
+# /usr/share/shorewall/macro.Squid
+#
+#	This macro handles Squid web proxy traffic
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	3128
--- a/Shorewall/Macros/macro.template
+++ b/Shorewall/Macros/macro.template
@@ -304,9 +304,9 @@
 #					#removed from Netfilter in kernel
 #					#version 2.6.14).
 #
-#	MARK		Specifies a MARK value to match. Must be empty or 
+#	MARK		Specifies a MARK value to match. Must be empty or
 #			'-' if the macro is to be used within an action.
-#			
+#
 #				[!]value[/mask][:C]
 #
 #    			Defines a test on the existing packet or connection
@@ -341,7 +341,7 @@
 #				[!]limit[:mask]
 #
 #			May be used to limit the number of simultaneous
-#			connections from each individual host to limit 
+#			connections from each individual host to limit
 #			connections. Requires connlimit match in your kernel
 #			and iptables. While the limit is only checked on rules
 #			specifying CONNLIMIT, the number of current connections
@@ -398,6 +398,27 @@
 #
 #					Defines the ending date and time.
 #
+#	HEADERS [any:|exactly:]<header list>
+#
+#	where <header list> is a comma-separated list of headers from the following:
+#
+#
+#	      Long Name		Short Name	Number
+#             --------------------------------------
+#	      auth   		ah    		50
+#	      esp		esp		51
+#	      hop-by-hop	hop		0
+#	      route		ipv6-route	41
+#	      frag		ipv6-frag	44
+#	      none		ipv6-nonxt	59	
+#	      protocol	proto		255
+#
+#       If 'any:' is specified, the rule will match if any of the listed
+#     	headers are present. If 'exactly:' is specified, the will match
+#     	packets that exactly include all specified headers. If neither is
+#     	given, 'any:' is assumed.
+#
+#
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4.13';
+our $VERSION = '4.4.14';

 #
 # Called by the compiler to [re-]initialize this module's state
@@ -52,7 +52,7 @@ sub process_accounting_rule( ) {

    our $jumpchainref;

-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File';
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File';

    if ( $action eq 'COMMENT' ) {
 	process_comment;
@@ -95,10 +95,10 @@ sub process_accounting_rule( ) {
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';

-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
    my $rule2 = 0;
    my $jump  = 0;
-    
+
    unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
 	    $target = 'RETURN';
@@ -166,7 +166,7 @@ sub process_accounting_rule( ) {
 		fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
 	    }
 	} else {
-	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );	    
+	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
 	    $chainref->{ipsec} = $dir;
 	}
    } elsif ( $ipsec ne '-' ) {
@@ -224,48 +224,48 @@ sub process_accounting_rule( ) {

 sub setup_accounting() {

-    my $fn = open_file 'accounting';
+    if ( my $fn = open_file 'accounting' ) {

-    first_entry "$doing $fn...";
+	first_entry "$doing $fn...";

-    my $nonEmpty = 0;
+	my $nonEmpty = 0;

-    $nonEmpty |= process_accounting_rule while read_a_line;
+	$nonEmpty |= process_accounting_rule while read_a_line;

-    clear_comment;
+	clear_comment;

-    if ( have_bridges ) {
-	if ( $filter_table->{accounting} ) {
-	    for my $chain ( qw/INPUT FORWARD/ ) {
+	if ( have_bridges ) {
+	    if ( $filter_table->{accounting} ) {
+		for my $chain ( qw/INPUT FORWARD/ ) {
+		    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+		}
+	    }
+
+	    if ( $filter_table->{accountout} ) {
+		add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
+	    }
+	} elsif ( $filter_table->{accounting} ) {
+	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
 		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	    }
 	}

-	if ( $filter_table->{accountout} ) {
-	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
+	if ( $filter_table->{accipsecin} ) {
+	    for my $chain ( qw/INPUT FORWARD/ ) {
+		add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
+	    }
 	}
-    } elsif ( $filter_table->{accounting} ) {
-	for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-	    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+
+	if ( $filter_table->{accipsecout} ) {
+	    for my $chain ( qw/FORWARD OUTPUT/ ) {
+		add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
+	    }
+	}
+
+	for ( accounting_chainrefs ) {
+	    warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
 	}
    }
-
-    if ( $filter_table->{accipsecin} ) {
-	for my $chain ( qw/INPUT FORWARD/ ) {
-	    add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
-	}
-    }
-
-    if ( $filter_table->{accipsecout} ) {
-	for my $chain ( qw/FORWARD OUTPUT/ ) {
-	    add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
-	}
-    }
-
-    for ( accounting_chainrefs ) {
-	warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
-    }
-
 }

 1;
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -195,7 +195,7 @@ sub split_action ( $ ) {
 	$action = $2 ? $3 : '';
 	$max    = 2;
    }
-	
+
    my @a = split( /:/ , $action, 4 );
    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
    $target = shift @a unless $target;
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -143,6 +143,8 @@ our %EXPORT_TAGS = (
 				       do_tos
 				       do_connbytes
 				       do_helper
+				       do_headers
+				       have_ipset_rules
 				       match_source_dev
 				       match_dest_dev
 				       iprange_match
@@ -182,7 +184,7 @@ our %EXPORT_TAGS = (

 Exporter::export_ok_tags('internal');

-our $VERSION = '4.4_13';
+our $VERSION = '4.4_15';

 #
 # Chain Table
@@ -243,6 +245,9 @@ our $section;

 our $comment;

+#
+# Target Types
+#
 use constant { STANDARD => 1,              #defined by Netfilter
 	       NATRULE  => 2,              #Involves NAT
 	       BUILTIN  => 4,              #A built-in action
@@ -256,7 +261,9 @@ use constant { STANDARD => 1,              #defined by Netfilter
 	       CHAIN    => 1024,           #Manual Chain
 	       SET      => 2048.           #SET
 	   };
-
+#
+# Valid Targets -- value is a combination of one or more of the above
+#
 our %targets;
 #
 # expand_rule() restrictions
@@ -267,7 +274,7 @@ use constant { NO_RESTRICT         => 0,   # FORWARD chain rule     - Both -i an
 	       OUTPUT_RESTRICT     => 8,   # OUTPUT chain rule      - -i not allowed
 	       POSTROUTE_RESTRICT  => 16,  # POSTROUTING chain rule - -i converted to -s <address list> using main routing table
 	       ALL_RESTRICT        => 12,  # fw->fw rule            - neither -i nor -o allowed
-	       DESTIFACE_DISALLOW  => 32,  # Don't allow dest interface
+	       DESTIFACE_DISALLOW  => 32,  # Don't allow dest interface. Similar to INPUT_RESTRICT but generates a more relevant error message
 	       };

 our $iprangematch;
@@ -276,8 +283,8 @@ our $idiotcount;
 our $idiotcount1;
 our $warningcount;
 our $hashlimitset;
-
 our $global_variables;
+our $ipset_rules;

 #
 # Determines the commands for which a particular interface-oriented shell variable needs to be set
@@ -285,7 +292,7 @@ our $global_variables;
 use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };

 #
-# These hashes hold the shell code to set shell variables
+# These hashes hold the shell code to set shell variables. The key is the name of the variable; the value is the code to generate the variable's contents
 #
 our %interfaceaddr;         # First interface address
 our %interfaceaddrs;        # All interface addresses
@@ -301,14 +308,16 @@ our %interfacegateways;     # Gateway of default route out of the interface
 our @builtins = qw(PREROUTING INPUT FORWARD OUTPUT POSTROUTING);

 #
-# Mode of the emitter.
+# Mode of the emitter (part of this module that converts rules in the chain table into iptables-restore input)
 #
 use constant { NULL_MODE => 0 ,   # Emitting neither shell commands nor iptables-restore input
 	       CAT_MODE  => 1 ,   # Emitting iptables-restore input
 	       CMD_MODE  => 2 };  # Emitting shell commands.

 our $mode;
-
+#
+# Address Family
+#
 our $family;

 #
@@ -369,7 +378,7 @@ sub initialize( $ ) {
    #
    $chainseq = 0;
    #
-    # Used to suppress duplicate match specifications.
+    # Used to suppress duplicate match specifications for old iptables binaries.
    #
    $iprangematch = 0;
    #
@@ -388,6 +397,7 @@ sub initialize( $ ) {
    $idiotcount1        = 0;
    $warningcount       = 0;
    $hashlimitset       = 0;
+    $ipset_rules        = 0;
    #
    # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
    #
@@ -445,7 +455,7 @@ sub decr_cmd_level( $ ) {
 sub trace( $$$$ ) {
    my ($chainref, $action, $rulenum, $message) = @_;

-    my $heading = $rulenum ? sprintf "NF-(%s)-> %s:%s:%s", $action, $chainref->{table}, $chainref->{name}, $rulenum : sprintf "NF-(%s)-> %s:%s", $action, $chainref->{table}, $chainref->{name};
+    my $heading = $rulenum ? sprintf "NF-(%s)-> %s:%s:%d", $action, $chainref->{table}, $chainref->{name}, $rulenum : sprintf "NF-(%s)-> %s:%s", $action, $chainref->{table}, $chainref->{name};

    my $length = length $heading;

@@ -622,7 +632,7 @@ sub delete_reference( $$ ) {
 #
 # In the first function, the rule number is zero-relative. In the second function,
 # the rule number is one-relative. In the first function, if the rule number is < 0, then
-# the rule is a jump to a blacklist chain (blacklst or blackout). The rule will be 
+# the rule is a jump to a blacklist chain (blacklst or blackout). The rule will be
 # inserted at the front of the chain and the chain's 'blacklist' member incremented.
 #
 sub insert_rule1($$$)
@@ -717,6 +727,8 @@ sub move_rules( $$ ) {
 	my $count     = @{$chain1->{rules}};
 	my $tableref  = $chain_table{$chain1->{table}};
 	my $blacklist = $chain2->{blacklist};
+
+	assert( ! $chain1->{blacklist} );
 	#
 	# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
 	#
@@ -725,7 +737,7 @@ sub move_rules( $$ ) {
 	for ( @{$chain1->{rules}} ) {
 	    adjust_reference_counts( $tableref->{$1}, $name1, $name2 ) if / -[jg] ([^\s]+)/;
 	}
-	
+
 	if ( $debug ) {
 	    my $rule = $blacklist;
 	    trace( $chain2, 'A', ++$rule, $_ ) for @{$chain1->{rules}};
@@ -735,14 +747,18 @@ sub move_rules( $$ ) {

 	$chain2->{referenced} = 1;

-	unless ( $chain2->{blacklist} += $chain1->{blacklist} ) {
-	    #
-	    # In a firewall->x policy chain, multiple DHCP ACCEPT rules can be moved to the head of the chain.
-	    # This hack avoids that.
-	    #
+	#
+	# In a firewall->x policy chain, multiple DHCP ACCEPT rules can be moved to the head of the chain.
+	# This hack avoids that.
+	#
+	if ( $blacklist ) {
+	    my $rule = shift @{$rules};
+	    shift @{$rules} while @{$rules} > 1 && $rules->[0] eq $rules->[1];
+	    unshift @{$rules}, $rule;
+	} else {
 	    shift @{$rules} while @{$rules} > 1 && $rules->[0] eq $rules->[1];
 	}
-	    
+
 	delete_chain $chain1;

 	$count;
@@ -777,7 +793,7 @@ sub copy_rules( $$ ) {
 	# Chains2 already has a blacklist jump -- delete the one at the head of chain1's rule list
 	#
 	my $rule = shift @rules1;
-	
+
 	$rule =~ / -j ([^\s])/;

 	my $chainb = $1;
@@ -802,7 +818,7 @@ sub copy_rules( $$ ) {
 	trace( $chain2, 'A', 1 , $rules1[0]) if $debug;

 	unshift @$rules2, shift @rules1;
-	
+
 	$chain1->{blacklist} = 0;
 	$chain2->{blacklist} = 1;
    }
@@ -811,7 +827,7 @@ sub copy_rules( $$ ) {
 	my $rule = @$rules2;
 	trace( $chain2, 'A', ++$rule, $_ ) for @rules1;
    }
-    
+
    push @$rules2, @rules1;

    progress_message "  $count rules from $chain1->{name} appended to $chain2->{name}";
@@ -1066,10 +1082,10 @@ sub find_chain($$) {
    my ($table, $chain) = @_;

    assert( $table && $chain && $chain_table{$table} );
-    
+
    $chain_table{$table}{$chain};
 }
-    
+
 #
 # Create a chain if it doesn't exist already
 #
@@ -1745,163 +1761,198 @@ sub check_optimization( $ ) {
 #
 # Perform Optimization
 #
-sub optimize_ruleset() {
-    for my $table ( qw/raw mangle nat filter/ ) {
+sub optimize_level4( $$ ) {
+    my ( $table, $tableref ) = @_;
+    my $progress = 1;
+    my $passes   = 0;
+    #
+    # Make repeated passes through each table looking for short chains (those with less than 2 entries)
+    #
+    # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
+    # When an empty chain is found, delete the references to it.
+    # When a chain with a single entry is found, replace it's references by its contents
+    #
+    # The search continues until no short chains remain
+    # Chains with 'dont_optimize = 1' are exempted from optimization
+    #
+    while ( $progress ) {
+	$progress = 0;
+	$passes++;

-	next if $family == F_IPV6 && $table eq 'nat';
+	my @chains  = grep $_->{referenced}, values %$tableref;
+	my $chains  = @chains; 
+	
+	progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";

-	my $progress = 1;
-	my $passes   = 0;
-
-	if ( $config{OPTIMIZE} & 4 ) {
+	for my $chainref ( @chains ) {
 	    #
-	    # Make repeated passes through each table looking for short chains (those with less than 2 entries)
+	    # If the chain isn't branched to, then delete it
 	    #
-	    # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
-	    # When an empty chain is found, delete the references to it.
-	    # When a chain with a single entry is found, replace it's references by its contents
-	    #
-	    # The search continues until no short chains remain
-	    # Chains with 'dont_optimize = 1' are exempted from optimization
-	    #
-	    while ( $progress ) {
-		$progress = 0;
-		$passes++;
-
-		for my $chainref ( grep $_->{referenced}, values %{$chain_table{$table}} ) {
-		    #
-		    # If the chain isn't branched to, then delete it
-		    #
-		    unless ( $chainref->{dont_delete} || keys %{$chainref->{references}} ) {
-			delete_chain $chainref;
-			next;
-		    }
-
-		    unless ( $chainref->{dont_optimize} ) {
-			my $numrules = @{$chainref->{rules}};
-
-			if ( $numrules == 0 ) {
-			    #
-			    # No rules in this chain
-			    #
-			    if ( $chainref->{builtin} ) {
-				#
-				# Built-in -- mark it 'dont_optimize' so we ignore it in follow-on passes
-				#
-				$chainref->{dont_optimize} = 1;
-			    } else {
-				#
-				# Not a built-in -- we can delete it and it's references
-				#
-				delete_references $chainref;
-				$progress = 1;
-			    }
-			} elsif ( $numrules == 1 ) {
-			    my $firstrule = $chainref->{rules}[0];
-			    #
-			    # Chain has a single rule
-			    #
-			    if ( $firstrule =~ /^-A -[jg] (.*)$/ ) {
-				#
-				# Easy case -- the rule is a simple jump
-				#
-				if ( $chainref->{builtin} ) {
-				    #
-				    # A built-in chain. If the target is a user chain without 'dont_move',
-				    # we can copy its rules to the built-in
-				    #
-				    if ( conditionally_copy_rules $chainref, $1 ) {
-					#
-					# Target was a user chain -- rules moved
-					#
-					$progress = 1;
-				    } else {
-					#
-					# Target was a built-in. Ignore this chain in follow-on passes
-					#
-					$chainref->{dont_optimize} = 1;
-				    }
-				} else {
-				    #
-				    # Replace all references to this chain with references to the target
-				    #
-				    replace_references $chainref, $1;
-				    $progress = 1;
-				}
-			    } elsif ( $firstrule =~ /-A(.+) -[jg] (.*)$/ ) {
-				#
-				# Not so easy -- the rule contains matches
-				#
-				if ( $chainref->{builtin} || ! have_capability 'KLUDGEFREE' ) {
-				    #
-				    # This case requires a new rule merging algorithm. Ignore this chain for
-				    # now.
-				    #
-				    $chainref->{dont_optimize} = 1;
-				} else {
-				    #
-				    # Replace references to this chain with the target and add the matches
-				    #
-				    replace_references1 $chainref, $2, $1;
-				    $progress = 1;
-				}
-			    }
-			}
-		    }
-		}
+	    unless ( $chainref->{dont_delete} || keys %{$chainref->{references}} ) {
+		delete_chain $chainref;
+		next;
 	    }

-	    #
-	    # In this loop, we look for chains that end in an unconditional jump. If the target of the jump
-	    # is subject to deletion (dont_delete = false), the jump is replaced by target's rules.
-	    #
-	    $progress = 1;
+	    unless ( $chainref->{dont_optimize} ) {
+		my $numrules = @{$chainref->{rules}};

-	    while ( $progress ) {
-		$progress = 0;
-		$passes++;
-
-		for my $chainref ( grep $_->{referenced}, values %{$chain_table{$table}} ) {
-		    my $lastrule = $chainref->{rules}[-1];
-
-		    if ( defined $lastrule && $lastrule  =~ /^-A -[jg] (.*)$/ ) {
+		if ( $numrules == 0 ) {
+		    #
+		    # No rules in this chain
+		    #
+		    if ( $chainref->{builtin} ) {
 			#
-			# Last rule is a simple branch
-			my $targetref = $chain_table{$table}{$1};
-
-			if ( $targetref && ! ( $targetref->{builtin} || $targetref->{dont_move} ) ) {
-			    copy_rules( $targetref, $chainref );
+			# Built-in -- mark it 'dont_optimize' so we ignore it in follow-on passes
+			#
+			$chainref->{dont_optimize} = 1;
+		    } else {
+			#
+			# Not a built-in -- we can delete it and it's references
+			#
+			delete_references $chainref;
+			$progress = 1;
+		    }
+		} elsif ( $numrules == 1 ) {
+		    my $firstrule = $chainref->{rules}[0];
+		    #
+		    # Chain has a single rule
+		    #
+		    if ( $firstrule =~ /^-A -[jg] (.*)$/ ) {
+			#
+			# Easy case -- the rule is a simple jump
+			#
+			if ( $chainref->{builtin} ) {
+			    #
+			    # A built-in chain. If the target is a user chain without 'dont_move',
+			    # we can copy its rules to the built-in
+			    #
+			    if ( conditionally_copy_rules $chainref, $1 ) {
+				#
+				# Target was a user chain -- rules moved
+				#
+				$progress = 1;
+			    } else {
+				#
+				# Target was a built-in. Ignore this chain in follow-on passes
+				#
+				$chainref->{dont_optimize} = 1;
+			    }
+			} else {
+			    #
+			    # Replace all references to this chain with references to the target
+			    #
+			    replace_references $chainref, $1;
+			    $progress = 1;
+			}
+		    } elsif ( $firstrule =~ /-A(.+) -[jg] (.*)$/ ) {
+			#
+			# Not so easy -- the rule contains matches
+			#
+			if ( $chainref->{builtin} || ! have_capability 'KLUDGEFREE' ) {
+			    #
+			    # This case requires a new rule merging algorithm. Ignore this chain for
+			    # now.
+			    #
+			    $chainref->{dont_optimize} = 1;
+			} else {
+			    #
+			    # Replace references to this chain with the target and add the matches
+			    #
+			    replace_references1 $chainref, $2, $1;
 			    $progress = 1;
 			}
 		    }
 		}
 	    }
 	}
+    }

-	if ( $config{OPTIMIZE} & 8 ) {
-	    #
-	    # Now delete duplicate chains
-	    #
-	    $passes++;
+    #
+    # In this loop, we look for chains that end in an unconditional jump. If the target of the jump
+    # is subject to deletion (dont_delete = false), the jump is replaced by target's rules.
+    #
+    $progress = 1;

-	    for my $chainref ( grep $_->{referenced} && ! $_->{builtin}, values %{$chain_table{$table}} ) {
-		my $rules = $chainref->{rules};
-		next if not @$rules;
-	      CHAIN:
-		for my $chainref1 ( grep $_->{referenced}, values %{$chain_table{$table}} ) {
-		    next if $chainref eq $chainref1;
-		    my $rules1 = $chainref1->{rules};
-		    next if @$rules != @$rules1;
-		    next if $chainref1->{dont_delete};
+    while ( $progress ) {
+	$progress = 0;
+	$passes++;

-		    for ( my $i = 0; $i <= $#$rules; $i++ ) {
-			next CHAIN unless $rules->[$i] eq $rules1->[$i];
-		    }
+	my @chains  = grep $_->{referenced}, values %$tableref;
+	my $chains  = @chains; 
+	
+	progress_message "\n Table $table pass $passes, $chains referenced chains, level 4b...";

-		    replace_references1 $chainref1, $chainref->{name}, '';
+	for my $chainref ( @chains ) {
+	    my $lastrule = $chainref->{rules}[-1];
+
+	    if ( defined $lastrule && $lastrule  =~ /^-A -[jg] (.*)$/ ) {
+		#
+		# Last rule is a simple branch
+		my $targetref = $tableref->{$1};
+
+		if ( $targetref && ! ( $targetref->{builtin} || $targetref->{dont_move} ) ) {
+		    copy_rules( $targetref, $chainref );
+		    $progress = 1;
 		}
 	    }
 	}
+    }
+
+    $passes;
+}
+
+#
+# Delete duplicate chains replacing their references
+#
+sub optimize_level8( $$$ ) {
+    my ( $table, $tableref , $passes ) = @_;
+    my $progress = 1;
+    my @chains   = ( grep $_->{referenced} && ! $_->{builtin}, values %{$tableref} );
+    my @chains1  = @chains;
+    my $chains   = @chains;
+
+    $passes++;
+    
+    progress_message "\n Table $table pass $passes, $chains referenced user chains, level 8...";
+	    
+    for my $chainref ( @chains ) {
+	my $rules    = $chainref->{rules};
+	my $numrules = @$rules;
+	#
+	# Shift the current $chainref off of @chains1
+	#
+	shift @chains1;
+	#
+	# Skip empty chains
+	#
+	next if not $numrules;	
+      CHAIN:
+	for my $chainref1 ( @chains1 ) {
+	    my $rules1 = $chainref1->{rules};
+	    next if @$rules1 != $numrules;
+	    next if $chainref1->{dont_delete};
+
+	    for ( my $i = 0; $i < $numrules; $i++ ) {
+		next CHAIN unless $rules->[$i] eq $rules1->[$i];
+	    }
+
+	    replace_references1 $chainref1, $chainref->{name}, '';
+	}
+    }
+
+    $passes;
+}
+
+sub optimize_ruleset() {
+    for my $table ( qw/raw mangle nat filter/ ) {
+
+	next if $family == F_IPV6 && $table eq 'nat';
+
+	my $tableref = $chain_table{$table};
+	my $passes   = 0;
+
+	$passes =  optimize_level4( $table, $tableref )           if $config{OPTIMIZE} & 4;
+	$passes =  optimize_level8( $table, $tableref , $passes ) if $config{OPTIMIZE} & 8;

 	progress_message "  Table $table Optimized -- Passes = $passes";
 	progress_message '';
@@ -2472,7 +2523,7 @@ sub do_connbytes( $ ) {
 }

 #
-# Create a "-m helper" match for the passed argument
+# Create a soft "-m helper" match for the passed argument
 #
 sub do_helper( $ ) {
    my $helper = shift;
@@ -2492,6 +2543,60 @@ sub do_length( $ ) {
    $length ne '-' ? "-m length --length $length " : '';
 }

+#
+# Create a "-m -ipv6header" match for the passed argument
+#
+my %headers = ( hop          => 1,
+		dst          => 1,
+		route        => 1,
+		frag         => 1,
+		auth         => 1,
+		esp          => 1,  
+		none         => 1,
+		'hop-by-hop' => 1,
+		'ipv6-opts'  => 1,
+		'ipv6-route' => 1,
+		'ipv6-frag'  => 1,
+		ah           => 1,
+		'ipv6-nonxt' => 1,
+		'protocol'   => 1,
+		0            => 1,
+		43           => 1,
+		44           => 1,
+		50           => 1,
+		51           => 1,
+		59           => 1,
+		60           => 1,
+		255          => 1 );
+
+sub do_headers( $ ) {
+    my $headers = shift;
+
+    return '' if $headers eq '-';
+
+    require_capability 'HEADER_MATCH', 'A non-empty HEADER column', 's';
+
+    my $invert = $headers =~ s/^!// ? '! ' : "";
+
+    my $soft   = '--soft ';
+
+    if ( $headers =~ s/^exactly:// ) {
+	$soft = '';
+    } else {
+	$headers =~ s/^any://;
+    }
+
+    for ( split_list $headers, "Header" ) {
+	if ( $_ eq 'proto' ) {
+	    $_ = 'protocol';
+	} else {
+	    fatal_error "Unknown IPv6 Header ($_)" unless $headers{$_};
+	}
+    }
+
+    "-m ipv6header ${invert}--header ${headers} ${soft}";
+}
+
 #
 # Match Source Interface
 #
@@ -2548,6 +2653,8 @@ sub get_set_flags( $$ ) {
    my ( $setname, $option ) = @_;
    my $options = $option;

+    $ipset_rules++;
+
    $setname =~ s/^!//; # Caller has already taken care of leading !

    if ( $setname =~ /^(.*)\[([1-6])\]$/ ) {
@@ -2564,8 +2671,15 @@ sub get_set_flags( $$ ) {
    fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^[a-zA-Z]\w*/;

    have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
+
 }

+sub have_ipset_rules() {
+    $ipset_rules;
+}
+
+sub mysplit( $ );
+
 #
 # Match a Source.
 #
@@ -2586,6 +2700,18 @@ sub match_source_net( $;$ ) {
    } elsif ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?/ ) {
 	require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '' );
 	join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
+    } elsif ( $net =~ /^\+\[(.+)\]$/ ) {
+	my $result = '';
+	my @sets = mysplit $1;
+
+	require_capability 'KLUDGEFREE', 'Multiple ipset matches', '' if @sets > 1;
+
+	for $net ( @sets ) {
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
+	}
+
+	$result;
    } elsif ( $net =~ s/^!// ) {
 	validate_net $net, 1;
 	"! -s $net ";
@@ -2610,6 +2736,18 @@ sub match_dest_net( $ ) {
    } elsif ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?$/ ) {
 	require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' , '');
 	join( '', '-m set ', $1 ? '! ' : '',  get_set_flags( $net, 'dst' ) );
+    } elsif ( $net =~ /^\+\[(.+)\]$/ ) {
+	my $result = '';
+	my @sets = mysplit $1;
+
+	require_capability 'KLUDGEFREE', 'Multiple ipset matches', '' if @sets > 1;
+
+	for $net ( @sets ) {
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
+	}
+
+	$result;
    } elsif ( $net =~ /^!/ ) {
 	$net =~ s/!//;
 	validate_net $net, 1;
@@ -2749,11 +2887,11 @@ sub do_ipsec($$) {
    fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );

    my @options = split_list $ipsec, 'IPSEC options';
-	
+
    if ( @options == 1 ) {
 	if ( lc( $options[0] ) =~ /^(yes|ipsec)$/ ) {
 	    return do_ipsec_options $dir, 'ipsec', '';
-	} 
+	}

 	if ( lc( $options[0] ) =~ /^(no|none)$/ ) {
 	    return do_ipsec_options $dir, 'none', '';
@@ -2857,7 +2995,7 @@ sub addnatjump( $$$ ) {

 #
 # Split a comma-separated source or destination host list but keep [...] together. Used for spliting address lists
-# where an element of the list might be +ipset[binding].
+# where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...]
 #
 sub mysplit( $ ) {
    my @input = split_list $_[0], 'host';
@@ -2870,12 +3008,12 @@ sub mysplit( $ ) {
 	my $element = shift @input;

 	if ( $element =~ /\[/ ) {
-	    while ( substr( $element, -1, 1 ) ne ']' ) {
-		last unless @input;
+	    while ( $element =~ tr/[/[/ > $element =~ tr/]/]/ ) {
+		fatal_error "Missing ']' ($element)" unless @input;
 		$element .= ( ',' . shift @input );
 	    }

-	    fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
+	    fatal_error "Mismatched [...] ($element)" unless $element =~ tr/[/[/ == $element =~ tr/]/]/;
 	}

 	push @result, $element;
@@ -3180,7 +3318,6 @@ sub have_global_variables() {
 #
 # Generate setting of run-time global shell variables
 #
-
 sub set_global_variables( $ ) {

    my $setall = shift;
@@ -3206,6 +3343,84 @@ sub set_global_variables( $ ) {
    }
 }

+#
+# Issue an invalid list error message
+#
+sub invalid_network_list ( $$ ) {
+    my ( $srcdst, $list ) = @_;
+    fatal_error "Invalid $srcdst network list ($list)";
+}
+
+#
+# Split a network element into the net part and exclusion part (if any)
+#
+sub split_network( $$$ ) {
+    my ( $input, $srcdst, $list ) = @_;
+
+    my @input = split '!', $input;
+    my @result;
+
+    if ( $input =~ /\[/ ) {
+	while ( @input ) {
+	    my $element = shift @input;
+
+	    if ( $element =~ /\[/ ) {
+		my $openbrackets;
+
+		while ( ( $openbrackets = ( $element =~ tr/[/[/ ) ) > $element =~ tr/]/]/ ) {
+		    fatal_error "Missing ']' ($element)" unless @input;
+		    $element .= ( '!' . shift @input );
+		}
+
+		fatal_error "Mismatched [...] ($element)" unless $openbrackets == $element =~ tr/]/]/;
+	    }
+
+	    push @result, $element;
+	}
+    } else {
+	@result = @input;
+    }
+
+    invalid_network_list( $srcdst, $list ) if @result > 2;
+	
+    @result;
+}
+
+#
+# Handle SOURCE or DEST network list, including exclusion
+#
+sub handle_network_list( $$ ) {
+    my ( $list, $srcdst ) = @_;
+
+    my $nets = '';
+    my $excl = '';
+	
+    my @nets = mysplit $list;
+
+    for ( @nets ) {
+	if ( /!/ ) {
+	    if ( /^!(.*)$/ ) {
+		invalid_network_list( $srcdst, $list) if ( $nets || $excl );
+		$excl = $1;
+	    } else {
+		my ( $temp1, $temp2 ) = split_network $_, $srcdst, $list;
+		$nets = $nets ? join(',', $nets, $temp1 ) : $temp1;
+		if ( $temp2 ) {
+		    invalid_network_list( $srcdst, $list) if $excl;
+		    $excl = $temp2;
+		}
+	    }
+	} elsif ( $excl ) {
+	    $excl .= ",$_";
+	} else {
+	    $nets = $nets ? join(',', $nets, $_ ) : $_;
+	}	    
+    }
+
+    ( $nets, $excl );
+
+}
+
 ################################################################################################################
 #
 # This function provides a uniform way to generate Netfilter[6] rules (something the original Shorewall
@@ -3491,23 +3706,15 @@ sub expand_rule( $$$$$$$$$$;$ )
    # Determine if there is Source Exclusion
    #
    if ( $inets ) {
-	fatal_error "Invalid SOURCE" if $inets =~ /^([^!]+)?,!([^!]+)$/ || $inets =~ /.*!.*!/;
+	( $inets, $iexcl ) = handle_network_list( $inets, 'SOURCE' );

-	if ( $inets =~ /^([^!]+)?!([^!]+)$/ ) {
-	    $inets = $1;
-	    $iexcl = $2;
-	} else {
-	    $iexcl = '';
-	}
-
-	unless ( $inets || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
+	unless ( $inets || $iexcl =~ /^\+\[/ || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
 	    my @iexcl = mysplit $iexcl;
 	    if ( @iexcl == 1 ) {
 		$rule .= match_source_net "!$iexcl" , $restriction;
 		$iexcl = '';
 		$trivialiexcl = 1;
 	    }
-
 	}
    } else {
 	$iexcl = '';
@@ -3517,16 +3724,9 @@ sub expand_rule( $$$$$$$$$$;$ )
    # Determine if there is Destination Exclusion
    #
    if ( $dnets ) {
-	fatal_error "Invalid DEST" if  $dnets =~ /^([^!]+)?,!([^!]+)$/ || $dnets =~ /.*!.*!/;
+	( $dnets, $dexcl ) = handle_network_list( $dnets, 'DEST' );

-	if ( $dnets =~ /^([^!]+)?!([^!]+)$/ ) {
-	    $dnets = $1;
-	    $dexcl = $2;
-	} else {
-	    $dexcl = '';
-	}
-
-	unless ( $dnets ) {
+	unless ( $dnets || $dexcl =~ /^\+\[/ ) {
 	    my @dexcl = mysplit $dexcl;
 	    if ( @dexcl == 1 ) {
 		$rule .= match_dest_net "!$dexcl";
@@ -3606,14 +3806,14 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    #
 	    # Log rule
 	    #
-	    log_rule_limit( $loglevel , 
-			    $echainref , 
-			    $chain, 
+	    log_rule_limit( $loglevel ,
+			    $echainref ,
+			    $chain,
 			    $disposition eq 'reject' ? 'REJECT' : $disposition ,
-			    '' ,  
-			    $logtag , 
+			    '' ,
+			    $logtag ,
 			    'add' ,
-			    '' ) 
+			    '' )
 		if $loglevel;
 	    #
 	    # Generate Final Rule
@@ -3726,14 +3926,14 @@ sub promote_blacklist_rules() {
 	# Copy 'blacklst''s references since they will change in the following loop
 	#
 	my @references = map $filter_table->{$_}, keys %{$chainbref->{references}};
-	
+
 	for my $chain1ref ( @references ) {
 	    assert( $chain1ref->{blacklist} == 1 );

 	    my $copied = 0;
 	    my $rule   = $chain1ref->{rules}[0];
 	    my $chain1 = $chain1ref->{name};
-	    
+
 	    for my $chain2ref ( map $filter_table->{$_}, keys %{$chain1ref->{references}} ) {
 		unless ( $chain2ref->{builtin} ) {
 		    #
@@ -3908,7 +4108,7 @@ sub load_ipsets() {

    my @ipsets = all_ipsets;

-    if ( @ipsets || $config{SAVE_IPSETS} ) {
+    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit ( '',
 	       'local hack',
 	       '',
@@ -3946,7 +4146,7 @@ sub load_ipsets() {
 	       '        fi' ,
 	       '    fi' ,
 	     );
-	
+
 	if ( @ipsets ) {
 	    emit '';

--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -445,7 +445,7 @@ EOF
    my $config_dir = $globals{CONFIGDIR};

    emit<<"EOF";
-    set_state Started $config_dir 
+    set_state Started $config_dir
    run_restored_exit
 else
    if [ \$COMMAND = refresh ]; then
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -122,6 +122,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $debug
 				       %config
 				       %globals
+				       %params

 		                       F_IPV4
 		                       F_IPV6
@@ -132,7 +133,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script

 Exporter::export_ok_tags('internal');

-our $VERSION = '4.4_13';
+our $VERSION = '4.4_15';

 #
 # describe the current command, it's present progressive, and it's completion.
@@ -253,6 +254,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 FLOW_FILTER     => 'Flow Classifier',
 		 FWMARK_RT_MASK  => 'fwmark route mask',
 		 MARK_ANYWHERE   => 'Mark in any table',
+		 HEADER_MATCH    => 'Header Match',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -268,6 +270,10 @@ our @includestack;
 # Allow nested opens
 #
 our @openstack;
+#
+# From the params file
+#
+our %params;

 our $currentline;             # Current config file line image
 our $currentfile;             # File handle reference
@@ -347,8 +353,8 @@ sub initialize( $ ) {
 		    EXPORT => 0,
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED => 0,
-		    VERSION => "4.4.13.1",
-		    CAPVERSION => 40413 ,
+		    VERSION => "4.4.15",
+		    CAPVERSION => 40415 ,
 		  );

    #
@@ -679,6 +685,7 @@ sub initialize( $ ) {
 	       FLOW_FILTER => undef,
 	       FWMARK_RT_MASK => undef,
 	       MARK_ANYWHERE => undef,
+	       HEADER_MATCH => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -704,6 +711,8 @@ sub initialize( $ ) {
    $shorewall_dir = '';      #Shorewall Directory

    $debug = 0;
+
+    %params = ();
 }

 INIT {
@@ -1475,11 +1484,12 @@ sub split_list1( $$ ) {

 	if ( ( $count = tr/(/(/ ) > 0 ) {
 	    fatal_error "Invalid $type list ($list)" if $element || $count > 1;
+	    s/\(//;
 	    if ( ( $count = tr/)/)/ ) > 0 ) {
 		fatal_error "Invalid $type list ($list)" if $count > 1;
+		s/\)//;
 		push @list2 , $_;
 	    } else {
-		s/\(//;
 		$element = $_;
 	    }
 	} elsif ( ( $count =  tr/)/)/ ) > 0 ) {
@@ -1576,7 +1586,12 @@ sub open_file( $ ) {

    assert( ! defined $currentfile );

-    -f $fname && -s _ ? do_open_file $fname : '';
+    if ( -f $fname && -s _ ) {
+	$first_entry = 0;
+	do_open_file $fname;;
+    } else {
+	'';
+    }
 }

 #
@@ -1779,7 +1794,7 @@ sub embedded_perl( $ ) {
 #   - Remove trailing comments.
 #   - Handle Line Continuation
 #   - Handle embedded SHELL and PERL scripts
-#   - Expand shell variables from $ENV.
+#   - Expand shell variables from %params and %ENV.
 #   - Handle INCLUDE <filename>
 #

@@ -1841,18 +1856,26 @@ sub read_a_line(;$) {
 		    embedded_perl( $1 );
 		    next;
 		}
-	    } 
+	    }

 	    my $count = 0;
 	    #
-	    # Expand Shell Variables using %ENV
+	    # Expand Shell Variables using %params and %ENV
 	    #
 	    #                            $1      $2      $3           -     $4
 	    while ( $currentline =~ m( ^(.*?) \$({)? ([a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
-		my $val = $ENV{$3};
+
+		unless ( exists $params{$3} ) {
+		    #
+		    # Given the way that getparams works, this should never help but better safe than sorry
+		    #
+		    $params{$3} = $ENV{$3} if exists $ENV{$3};
+		}
+
+		my $val = $params{$3};

 		unless ( defined $val ) {
-		    fatal_error "Undefined shell variable (\$$3)" unless exists $ENV{$3};
+		    fatal_error "Undefined shell variable (\$$3)" unless exists $params{$3} || exists $ENV{$3};
 		    $val = '';
 		}

@@ -2053,7 +2076,7 @@ sub default_log_level( $$ ) {
 #
 sub check_trivalue( $$ ) {
    my ( $var, $default) = @_;
-    my $val = "\L$config{$var}";
+    my $val = lc( $config{$var} || '' );

    if ( defined $val ) {
 	if ( $val eq 'yes' || $val eq 'on' ) {
@@ -2482,6 +2505,10 @@ sub Mark_Anywhere() {
    qt1( "$iptables -A $sillyname -j MARK --set-mark 5" );
 }

+sub Header_Match() {
+    qt1( "$iptables -A $sillyname -m ipv6header --header 255 -j ACCEPT" );
+}
+
 our %detect_capability =
    ( ADDRTYPE => \&Addrtype,
      CLASSIFY_TARGET => \&Classify_Target,
@@ -2496,6 +2523,7 @@ our %detect_capability =
      FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
      GOTO_TARGET => \&Goto_Target,
      HASHLIMIT_MATCH => \&Hashlimit_Match,
+      HEADER_MATCH => \&Header_Match,
      HELPER_MATCH => \&Helper_Match,
      IPMARK_TARGET => \&IPMark_Target,
      IPP2P_MATCH => \&Ipp2p_Match,
@@ -2863,6 +2891,30 @@ sub unsupported_yes_no_warning( $ ) {
    warning_message "$option=Yes is not supported by Shorewall $globals{VERSION}" if $config{$option};
 }

+#
+# Process the params file
+#
+sub get_params() {
+    if ( my $fn = find_file 'params' ) {
+
+	progress_message2 "Processing $fn ...";
+
+	my $command = "$globals{SHAREDIRPL}/getparams $fn " . join( ':', @config_path );
+
+	my @params = `$command`;
+
+	fatal_error "Processing of $fn failed" if $?;
+
+	for ( @params ) {
+	    if ( /^(.*?)=(.*)$/ ) {
+		$params{$1} = $2 unless $1 eq '_';
+	    } else {
+		assert(0);
+	    }
+	} 
+    }
+}
+
 #
 # - Read the shorewall.conf file
 # - Read the capabilities file, if any
@@ -2880,6 +2932,8 @@ sub get_configuration( $ ) {

    ensure_config_path;

+    get_params;
+
    process_shorewall_conf;

    ensure_config_path;
@@ -2928,12 +2982,12 @@ sub get_configuration( $ ) {

 	    if ( $units && $units ne 'sec' ) {
 		my $expire = 60000; # 1 minute in milliseconds
-		
+
 		if ( $units ne 'min' ) {
 		    $expire *= 60; #At least an hour
 		    $expire *= 24 if $units eq 'day';
 		}
-		
+
 		$limit .= "--hashlimit-htable-expire $expire ";
 	    }
 	} elsif ( $rate =~ /^((\d+)(\/(sec|min|hour|day))):(\d+)$/ ) {
@@ -3173,6 +3227,8 @@ sub get_configuration( $ ) {
 	$globals{TC_SCRIPT} = $file;
    } elsif ( $val eq 'internal' ) {
 	$config{TC_ENABLED} = 'Internal';
+     } elsif ( $val eq 'shared' ) {
+	$config{TC_ENABLED} = 'Shared';
    } elsif ( $val eq 'simple' ) {
 	$config{TC_ENABLED} = 'Simple';
    } else {
@@ -3272,13 +3328,17 @@ sub propagateconfig() {
 # Add a shell script file to the output script -- Return true if the
 # file exists and is not in /usr/share/shorewall/ and is non-empty.
 #
-sub append_file( $;$ ) {
-    my $user_exit = find_file $_[0];
+sub append_file( $;$$ ) {
+    my ( $file, $nomsg, $unindented ) = @_;
+    my $user_exit = find_file $file;
    my $result = 0;
+    my $save_indent = $indent;
+    
+    $indent = '' if $unindented;

-    unless ( $user_exit =~ /^($globals{SHAREDIR})/ ) {
+    unless ( $user_exit =~ m(^/usr/share/shorewall6?/) ) {
 	if ( -f $user_exit ) {
-	    if ( $_[1] ) {
+	    if ( $nomsg ) {
 		#
 		# Suppress progress message
 		#
@@ -3294,6 +3354,8 @@ sub append_file( $;$ ) {
 	}
    }

+    $indent = $save_indent;
+
    $result;
 }

@@ -3415,8 +3477,29 @@ sub generate_aux_config() {

    conditionally_add_option1 'TC_ENABLED';

-    finalize_aux_config;
+    my $fn = find_file 'scfilter';

+    if ( -f $fn ) {
+	emit( '',
+	      'show_connections_filter() {' );
+	push_indent;
+	append_file( $fn,1 ) or emit 'cat -';
+	pop_indent;
+	emit '}';
+    }
+
+    $fn = find_file 'dumpfilter';
+
+    if ( -f $fn ) {
+	emit( '',
+	      'dump_filter() {' );
+	push_indent;
+	append_file( $fn,1 ) or emit 'cat -';
+	pop_indent;
+	emit '}';
+    }
+
+    finalize_aux_config;
 }

 END {
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -73,7 +73,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_12';
+our $VERSION = '4.4_14';

 #
 # Some IPv4/6 useful stuff
@@ -184,7 +184,16 @@ sub validate_4net( $$ ) {
    $net = '' unless defined $net;

    fatal_error "Missing address" if $net eq '';
-    fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
+
+    if ( $net =~ /\+(\[?)/ ) {
+	if ( $1 ) {
+	    fatal_error "An ipset list ($net) is not allowed in this context";
+	} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
+	    fatal_error "An ipset name ($net) is not allowed in this context";
+	} else {
+	    fatal_error "Invalid ipset name ($net)";
+	}
+    }

    if ( defined $vlsm ) {
        fatal_error "Invalid VLSM ($vlsm)"            unless $vlsm =~ /^\d+$/ && $vlsm <= 32;
@@ -297,7 +306,7 @@ sub resolve_proto( $ ) {
 	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
 	#
 	$proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6;
-	
+
 	defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
    }
 }
@@ -540,7 +549,15 @@ sub validate_6net( $$ ) {
    my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
    my $allow_name = $_[1];

-    fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
+    if ( $net =~ /\+(\[?)/ ) {
+	if ( $1 ) {
+	    fatal_error "An ipset list ($net) is not allowed in this context";
+	} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
+	    fatal_error "An ipset name ($net) is not allowed in this context";
+	} else {
+	    fatal_error "Invalid ipset name ($net)";
+	}
+    }

    if ( defined $vlsm ) {
        fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';

 our @addresses_to_add;
 our %addresses_to_add;
@@ -262,14 +262,14 @@ sub process_one_masq( )
 #
 sub setup_masq()
 {
-    my $fn = open_file 'masq';
+    if ( my $fn = open_file 'masq' ) {

-    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );

-    process_one_masq while read_a_line;
-
-    clear_comment;
+	process_one_masq while read_a_line;

+	clear_comment;
+    }
 }

 #
@@ -359,32 +359,32 @@ sub do_one_nat( $$$$$ )
 #
 sub setup_nat() {

-    my $fn = open_file 'nat';
+    if ( my $fn = open_file 'nat' ) {

-    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );

-    while ( read_a_line ) {
+	while ( read_a_line ) {

-	my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
+	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';

-	if ( $external eq 'COMMENT' ) {
-	    process_comment;
-	} else {
-	    ( $interfacelist, my $digit ) = split /:/, $interfacelist;
+	    if ( $external eq 'COMMENT' ) {
+		process_comment;
+	    } else {
+		( $interfacelist, my $digit ) = split /:/, $interfacelist;

-	    $digit = defined $digit ? ":$digit" : '';
+		$digit = defined $digit ? ":$digit" : '';

-	    for my $interface ( split_list $interfacelist , 'interface' ) {
-		fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne '';
-		do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
+		for my $interface ( split_list $interfacelist , 'interface' ) {
+		    fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne '';
+		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
+		}
+
+		progress_message "   NAT entry \"$currentline\" $done";
 	    }
-
-	    progress_message "   NAT entry \"$currentline\" $done";
 	}

+	clear_comment;
    }
-
-    clear_comment;
 }

 #
@@ -392,40 +392,43 @@ sub setup_nat() {
 #
 sub setup_netmap() {

-    my $fn = open_file 'netmap';
+    if ( my $fn = open_file 'netmap' ) {

-    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );

-    while ( read_a_line ) {
+	while ( read_a_line ) {

-	my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
+	    my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';

-	$net3 = ALLIP if $net3 eq '-';
+	    $net3 = ALLIP if $net3 eq '-';

-	for my $interface ( split_list $interfacelist, 'interface' ) {
+	    for my $interface ( split_list $interfacelist, 'interface' ) {

-	    my $rulein = '';
-	    my $ruleout = '';
-	    my $iface = $interface;
+		my $rulein = '';
+		my $ruleout = '';
+		my $iface = $interface;

-	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
+		fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

-	    unless ( $interfaceref->{root} ) {
-		$rulein  = match_source_dev( $interface );
-		$ruleout = match_dest_dev( $interface );
-		$interface = $interfaceref->{name};
+		unless ( $interfaceref->{root} ) {
+		    $rulein  = match_source_dev( $interface );
+		    $ruleout = match_dest_dev( $interface );
+		    $interface = $interfaceref->{name};
+		}
+
+		if ( $type eq 'DNAT' ) {
+		    add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
+		} elsif ( $type eq 'SNAT' ) {
+		    add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
+		} else {
+		    fatal_error "Invalid type ($type)";
+		}
+
+		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	    }
-
-	    if ( $type eq 'DNAT' ) {
-		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
-	    } elsif ( $type eq 'SNAT' ) {
-		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
-	    } else {
-		fatal_error "Invalid type ($type)";
-	    }
-
-	    progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	}
+
+	clear_comment;
    }

 }
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_12';
+our $VERSION = '4.4_15';

 # @policy_chains is a list of references to policy chains in the filter table

@@ -341,15 +341,16 @@ sub validate_policy()
 		    add_or_modify_policy_chain( $zone, $zone1 );
 		    add_or_modify_policy_chain( $zone1, $zone );
 		}
-	    }		
+	    }
 	}
    }

-    my $fn = open_file 'policy';
-
-    first_entry "$doing $fn...";
-
-    process_a_policy while read_a_line;
+    if ( my $fn = open_file 'policy' ) {
+	first_entry "$doing $fn...";
+	process_a_policy while read_a_line;
+    } else {
+	fatal_error q(The 'policy' file does not exist or has zero size);
+    }

    for $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
@@ -490,19 +491,22 @@ sub complete_standard_chain ( $$$$ ) {
 # Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
 #
 sub setup_syn_flood_chains() {
+    my @zones = ( non_firewall_zones );
    for my $chainref ( @policy_chains ) {
 	my $limit = $chainref->{synparams};
 	if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
 	    my $level = $chainref->{loglevel};
-	    my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
+	    my $synchainref = @zones > 1 ? 
+		    new_chain 'filter' , syn_flood_chain $chainref :
+		    new_chain( 'filter' , '@' . $chainref->{name} );
 	    add_rule $synchainref , "${limit}-j RETURN";
-	    log_rule_limit( $level , 
-			    $synchainref , 
-			    $chainref->{name} , 
-			    'DROP', 
-			    $globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' , 
-			    '' , 
-			    'add' , 
+	    log_rule_limit( $level ,
+			    $synchainref ,
+			    $chainref->{name} ,
+			    'DROP',
+			    $globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' ,
+			    '' ,
+			    'add' ,
 			    '' )
 		if $level ne '';
 	    add_rule $synchainref, '-j DROP';
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -20,8 +20,8 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   This module deals with the /etc/shorewall/providers and
-#   /etc/shorewall/route_rules files.
+#   This module deals with the /etc/shorewall/providers,
+#   /etc/shorewall/route_rules and /etc/shorewall/routes files.
 #
 package Shorewall::Providers;
 require Exporter;
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_15';

 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -631,7 +631,7 @@ sub add_an_rtrule( ) {
 	my $base = uc chain_base( $providers{$provider}{physical} );
 	finish_current_if if $base ne $current_if;
 	start_new_if( $base ) unless $current_if;
-  } else {
+    } else {
 	finish_current_if;
    }

@@ -641,15 +641,70 @@ sub add_an_rtrule( ) {
    progress_message "   Routing rule \"$currentline\" $done";
 }

-#
-# This probably doesn't belong here but looking forward to the day when we get Shorewall out of the routing business,
-# it makes sense to keep all of the routing code together
-#
+sub add_a_route( ) {
+    my ( $provider, $dest, $gateway, $device ) = split_line 2, 4, 'routes file';
+
+    our $current_if;
+
+    unless ( $providers{$provider} ) {
+	my $found = 0;
+
+	if ( "\L$provider" =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/ ) {
+	    my $provider_number = numeric_value $provider;
+
+	    for ( keys %providers ) {
+		if ( $providers{$_}{number} == $provider_number ) {
+		    $provider = $_;
+		    fatal_error "You may not add routes to the $provider table" if $provider_number == LOCAL_TABLE || $provider_number == UNSPEC_TABLE;
+		    $found = 1;
+		    last;
+		}
+	    }
+	}
+
+	fatal_error "Unknown provider ($provider)" unless $found;
+    }
+
+    validate_net ( $dest, 1 );
+
+    validate_address ( $gateway, 1 ) if $gateway ne '-';
+
+    my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
+
+    my $physical = $device eq '-' ? $providers{$provider}{physical} : physical_name( $device );
+    
+    if ( $providers{$provider}{optional} ) {
+	my $base = uc chain_base( $physical );
+	finish_current_if if $base ne $current_if;
+	start_new_if ( $base ) unless $current_if;
+    } else {
+	finish_current_if;
+    }
+
+    if ( $gateway ne '-' ) {
+	if ( $device ne '-' ) {
+	    emit qq(run_ip route add $dest via $gateway dev $physical table $number);
+	    emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE;
+	} else {
+	    emit qq(run_ip route add $dest via $gateway table $number);
+	    emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE; 
+	}
+    } else {
+	fatal_error "You must specify a device for this route" unless $physical;
+	emit qq(run_ip route add $dest dev $physical table $number);
+	emit qq(echo "\$IP -$family route del $dest dev $physical table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE;
+    }
+
+    progress_message "   Route \"$currentline\" $done";
+}
+
 sub setup_null_routing() {
    save_progress_message "Null Routing the RFC 1918 subnets";
    for ( rfc1918_networks ) {
-	emit( qq(run_ip route replace unreachable $_) );
-	emit( qq(echo "qt \$IP -$family route del unreachable $_" >> \${VARDIR}/undo_routing) );
+	emit( qq(if ! \$IP -4 route ls | grep -q '^$_.* dev '; then),
+	      qq(    run_ip route replace unreachable $_),
+	      qq(    echo "qt \$IP -4 route del unreachable $_" >> \${VARDIR}/undo_routing),
+	      qq(fi\n) );
    }
 }

@@ -757,20 +812,35 @@ sub setup_providers() {

    $lastmark = 0;

-    my $fn = open_file 'providers';
+    if ( my $fn = open_file 'providers' ) {

-    first_entry sub() {
-	progress_message2 "$doing $fn...";
-	emit "\nif [ -z \"\$g_noroutes\" ]; then";
-	push_indent;
-	start_providers; };
-
-    add_a_provider, $providers++ while read_a_line;
+	first_entry sub() {
+	    progress_message2 "$doing $fn...";
+	    emit "\nif [ -z \"\$g_noroutes\" ]; then";
+	    push_indent;
+	    start_providers; };
+ 
+	add_a_provider, $providers++ while read_a_line;
+    }

    if ( $providers ) {
 	finish_providers;

-	my $fn = open_file 'route_rules';
+	my $fn = open_file 'routes';
+
+	if ( $fn ) {
+	    our $current_if = '';
+
+	    first_entry "$doing $fn...";
+
+	    emit '';
+
+	    add_a_route while read_a_line;
+
+	    finish_current_if;
+	}
+
+	$fn = open_file 'route_rules';

 	if ( $fn ) {
 	    our $current_if = '';
@@ -849,7 +919,7 @@ sub handle_optional_interfaces( $ ) {

    if ( @$interfaces ) {
 	my $require     = $config{REQUIRE_INTERFACE};
-	
+
 	verify_required_interfaces( shift );

 	emit( 'HAVE_INTERFACE=', '' ) if $require;
@@ -860,9 +930,9 @@ sub handle_optional_interfaces( $ ) {

 	if ( $wildcards ) {
 	    #
-	    # We must consider all interfaces with an address in $family -- generate a list of such addresses. 
+	    # We must consider all interfaces with an address in $family -- generate a list of such addresses.
 	    #
-	    emit( '', 
+	    emit( '',
 		  'for interface in $(find_all_interfaces1); do',
 		);

@@ -904,10 +974,10 @@ sub handle_optional_interfaces( $ ) {
 	    if ( $wildcards ) {
 		emit( "$case)" );
 		push_indent;
-		
+
 		if ( $wild ) {
 		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
-		    push_indent; 
+		    push_indent;
 		    emit ( 'if interface_is_usable $interface; then' );
 		} else {
 		    emit ( "if interface_is_usable $physical; then" );
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';

 #
 # Notrack
@@ -76,24 +76,25 @@ sub process_notrack_rule( $$$$$$ ) {

 sub setup_notrack() {

-    my $fn = open_file 'notrack';
+    if ( my $fn = open_file 'notrack' ) {

-    first_entry "$doing $fn...";
+	first_entry "$doing $fn...";

-    my $nonEmpty = 0;
+	my $nonEmpty = 0;

-    while ( read_a_line ) {
+	while ( read_a_line ) {

-	my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';
+	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';

-	if ( $source eq 'COMMENT' ) {
-	    process_comment;
-	} else {
-	    process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
+	    if ( $source eq 'COMMENT' ) {
+		process_comment;
+	    } else {
+		process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
+	    }
 	}
-    }

-    clear_comment;
+	clear_comment;
+    }
 }

 1;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_15';

 our $macro_nest_level;
 our $current_param;
@@ -322,119 +322,120 @@ sub setup_blacklist() {

 sub process_routestopped() {

-    my ( @allhosts, %source, %dest , %notrack, @rule );
+    if ( my $fn = open_file 'routestopped' ) {
+	my ( @allhosts, %source, %dest , %notrack, @rule );

-    my $fn = open_file 'routestopped';
+	my $seq = 0;

-    my $seq = 0;
+	first_entry "$doing $fn...";

-    first_entry "$doing $fn...";
+	while ( read_a_line ) {

-    while ( read_a_line ) {
+	    my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';

-	my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
+	    my $interfaceref;

-	my $interfaceref;
+	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
+	    $hosts = ALLIP unless $hosts && $hosts ne '-';

-	fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
-	$hosts = ALLIP unless $hosts && $hosts ne '-';
+	    my $routeback = 0;

-	my $routeback = 0;
+	    my @hosts;

-	my @hosts;
+	    $seq++;

-	$seq++;
-
-	my $rule = do_proto( $proto, $ports, $sports, 0 );
-
-	for my $host ( split /,/, $hosts ) {
-	    fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
-	    validate_host $host, 1;
-	    push @hosts, "$interface|$host|$seq";
-	    push @rule, $rule;
-	}
-
-	unless ( $options eq '-' ) {
-	    for my $option (split /,/, $options ) {
-		if ( $option eq 'routeback' ) {
-		    if ( $routeback ) {
-			warning_message "Duplicate 'routeback' option ignored";
-		    } else {
-			$routeback = 1;
-		    }
-		} elsif ( $option eq 'source' ) {
-		    for my $host ( split /,/, $hosts ) {
-			$source{"$interface|$host|$seq"} = 1;
-		    }
-		} elsif ( $option eq 'dest' ) {
-		    for my $host ( split /,/, $hosts ) {
-			$dest{"$interface|$host|$seq"} = 1;
-		    }
-		} elsif ( $option eq 'notrack' ) {
-		    for my $host ( split /,/, $hosts ) {
-			$notrack{"$interface|$host|$seq"} = 1;
-		    }
-		} else {
-		    warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical';
-		    warning_message "The 'critical' option is no longer supported (or needed)";
-		}
-	    }
-	}
-
-	if ( $routeback || $interfaceref->{options}{routeback} ) {
-	    my $chainref = $filter_table->{FORWARD};
+	    my $rule = do_proto( $proto, $ports, $sports, 0 );

 	    for my $host ( split /,/, $hosts ) {
-		add_rule( $chainref ,
-			  match_source_dev( $interface ) .
-			  match_dest_dev( $interface ) .
-			  match_source_net( $host ) .
-			  match_dest_net( $host ) );
-		clearrule;
+		fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
+		validate_host $host, 1;
+		push @hosts, "$interface|$host|$seq";
+		push @rule, $rule;
 	    }
-	}

-	push @allhosts, @hosts;
-    }

-    for my $host ( @allhosts ) {
-	my ( $interface, $h, $seq ) = split /\|/, $host;
-	my $source  = match_source_net $h;
-	my $dest    = match_dest_net $h;
-	my $sourcei = match_source_dev $interface;
-	my $desti   = match_dest_dev $interface;
-	my $rule    = shift @rule;
+	    unless ( $options eq '-' ) {
+		for my $option (split /,/, $options ) {
+		    if ( $option eq 'routeback' ) {
+			if ( $routeback ) {
+			    warning_message "Duplicate 'routeback' option ignored";
+			} else {
+			    $routeback = 1;
+			}
+		    } elsif ( $option eq 'source' ) {
+			for my $host ( split /,/, $hosts ) {
+			    $source{"$interface|$host|$seq"} = 1;
+			}
+		    } elsif ( $option eq 'dest' ) {
+			for my $host ( split /,/, $hosts ) {
+			    $dest{"$interface|$host|$seq"} = 1;
+			}
+		    } elsif ( $option eq 'notrack' ) {
+			for my $host ( split /,/, $hosts ) {
+			    $notrack{"$interface|$host|$seq"} = 1;
+			}
+		    } else {
+			warning_message "Unknown routestopped option ( $option ) ignored" unless $option eq 'critical';
+			warning_message "The 'critical' option is no longer supported (or needed)";
+		    }
+		}
+	    }

-	add_rule $filter_table->{INPUT},  "$sourcei $source $rule -j ACCEPT", 1;
-	add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT", 1 unless $config{ADMINISABSENTMINDED};
+	    if ( $routeback || $interfaceref->{options}{routeback} ) {
+		my $chainref = $filter_table->{FORWARD};

-	my $matched = 0;
-
-	if ( $source{$host} ) {
-	    add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT", 1;
-	    $matched = 1;
-	}
-
-	if ( $dest{$host} ) {
-	    add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT", 1;
-	    $matched = 1;
-	}
-
-	if ( $notrack{$host} ) {
-	    add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK", 1;
-	    add_rule $raw_table->{OUTPUT},     "$desti $dest $rule -j NOTRACK", 1;
-	}
-
-	unless ( $matched ) {
-	    for my $host1 ( @allhosts ) {
-		unless ( $host eq $host1 ) {
-		    my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
-		    my $dest1 = match_dest_net $h1;
-		    my $desti1 = match_dest_dev $interface1;
-		    add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT", 1;
+		for my $host ( split /,/, $hosts ) {
+		    add_rule( $chainref ,
+			      match_source_dev( $interface ) .
+			      match_dest_dev( $interface ) .
+			      match_source_net( $host ) .
+			      match_dest_net( $host ) );
 		    clearrule;
 		}
 	    }
+
+	    push @allhosts, @hosts;
+	}
+
+	for my $host ( @allhosts ) {
+	    my ( $interface, $h, $seq ) = split /\|/, $host;
+	    my $source  = match_source_net $h;
+	    my $dest    = match_dest_net $h;
+	    my $sourcei = match_source_dev $interface;
+	    my $desti   = match_dest_dev $interface;
+	    my $rule    = shift @rule;
+
+	    add_rule $filter_table->{INPUT},  "$sourcei $source $rule -j ACCEPT", 1;
+	    add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT", 1 unless $config{ADMINISABSENTMINDED};
+
+	    my $matched = 0;
+
+	    if ( $source{$host} ) {
+		add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT", 1;
+		$matched = 1;
+	    }
+
+	    if ( $dest{$host} ) {
+		add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT", 1;
+		$matched = 1;
+	    }
+
+	    if ( $notrack{$host} ) {
+		add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK", 1;
+		add_rule $raw_table->{OUTPUT},     "$desti $dest $rule -j NOTRACK", 1;
+	    }
+
+	    unless ( $matched ) {
+		for my $host1 ( @allhosts ) {
+		    unless ( $host eq $host1 ) {
+			my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
+			my $dest1 = match_dest_net $h1;
+			my $desti1 = match_dest_dev $interface1;
+			add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT", 1;
+			clearrule;
+		    }
+		}
+	    }
 	}
    }
 }
@@ -759,54 +760,55 @@ sub setup_mac_lists( $ ) {
 	    }
 	}

-	my $fn = open_file 'maclist';
+	if ( my $fn = open_file 'maclist' ) {

-	first_entry "$doing $fn...";
+	    first_entry "$doing $fn...";

-	while ( read_a_line ) {
+	    while ( read_a_line ) {

-	    my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 3, 4, 'maclist file';
+		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 3, 4, 'maclist file';

-	    if ( $original_disposition eq 'COMMENT' ) {
-		process_comment;
-	    } else {
-		my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 );
-
-		fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition;
-
-		my $targetref = $maclist_targets{$disposition};
-
-		fatal_error "Invalid DISPOSITION ($original_disposition)"              if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
-		fatal_error "Unknown Interface ($interface)"                           unless known_interface( $interface );
-		fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface};
-
-		my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
-
-		$mac       = '' unless $mac && ( $mac ne '-' );
-		$addresses = '' unless defined $addresses && ( $addresses ne '-' );
-
-		fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses;
-
-		$mac = mac_match $mac if $mac;
-
-		if ( $addresses ) {
-		    for my $address ( split ',', $addresses ) {
-			my $source = match_source_net $address;
-			log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
-			    if defined $level && $level ne '';
-			add_jump $chainref , $targetref->{target}, 0, "${mac}${source}";
-		    }
+		if ( $original_disposition eq 'COMMENT' ) {
+		    process_comment;
 		} else {
-		    log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
-			if defined $level && $level ne '';
-		    add_jump $chainref , $targetref->{target}, 0, "$mac";
+		    my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 );
+
+		    fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition;
+
+		    my $targetref = $maclist_targets{$disposition};
+
+		    fatal_error "Invalid DISPOSITION ($original_disposition)"              if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
+		    fatal_error "Unknown Interface ($interface)"                           unless known_interface( $interface );
+		    fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface};
+
+		    my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
+
+		    $mac       = '' unless $mac && ( $mac ne '-' );
+		    $addresses = '' unless defined $addresses && ( $addresses ne '-' );
+
+		    fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses;
+
+		    $mac = mac_match $mac if $mac;
+
+		    if ( $addresses ) {
+			for my $address ( split ',', $addresses ) {
+			    my $source = match_source_net $address;
+			    log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
+				if defined $level && $level ne '';
+			    add_jump $chainref , $targetref->{target}, 0, "${mac}${source}";
+			}
+		    } else {
+			log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
+			    if defined $level && $level ne '';
+			add_jump $chainref , $targetref->{target}, 0, "$mac";
+		    }
+
+		    progress_message "      Maclist entry \"$currentline\" $done";
 		}
-
-		progress_message "      Maclist entry \"$currentline\" $done";
 	    }
-	}

-	clear_comment;
+	    clear_comment;
+	}
 	#
 	# Generate jumps from the input and forward chains
 	#
@@ -886,13 +888,13 @@ sub setup_mac_lists( $ ) {
    }
 }

-sub process_rule1 ( $$$$$$$$$$$$$ );
+sub process_rule1 ( $$$$$$$$$$$$$$ );

 #
 # Expand a macro rule from the rules file
 #
-sub process_macro ( $$$$$$$$$$$$$$$ ) {
-    my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $wildcard ) = @_;
+sub process_macro ( $$$$$$$$$$$$$$$$ ) {
+    my ($macro, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $wildcard ) = @_;

    my $nocomment = no_comment;

@@ -910,13 +912,13 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {

    while ( read_a_line ) {

-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime);
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders );

 	if ( $format == 1 ) {
 	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
-	    ( $morigdest, $mmark, $mconnlimit, $mtime ) = qw/- - - -/;
+	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders ) = qw/- - - - -/;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime ) = split_line1 1, 12, 'macro file', $macro_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders ) = split_line1 1, 13, 'macro file', $macro_commands;
 	}

 	if ( $mtarget eq 'COMMENT' ) {
@@ -984,6 +986,7 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 				    merge_macro_column( $mmark,      $mark ) ,
 				    merge_macro_column( $mconnlimit, $connlimit) ,
 				    merge_macro_column( $mtime,      $time ),
+				    merge_macro_column( $mheaders,   $headers ),
 				    $wildcard
 				   );

@@ -1003,8 +1006,8 @@ sub process_macro ( $$$$$$$$$$$$$$$ ) {
 # Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
 # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
 #
-sub process_rule1 ( $$$$$$$$$$$$$ ) {
-    my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wildcard ) = @_;
+sub process_rule1 ( $$$$$$$$$$$$$$ ) {
+    my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $wildcard ) = @_;
    my ( $action, $loglevel) = split_action $target;
    my ( $basictarget, $param ) = get_target_param $action;
    my $rule = '';
@@ -1032,7 +1035,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {

 	if ( $param ne '' ) {
 	    push @param_stack, $current_param;
-	    $current_param = $param;
+	    $current_param = $param unless $param eq 'PARAM';
 	}

 	my $generated = process_macro( $basictarget,
@@ -1049,6 +1052,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 				       $mark,
 				       $connlimit,
 				       $time,
+				       $headers,
 				       $wildcard );

 	$macro_nest_level--;
@@ -1064,7 +1068,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	$action = "NFQUEUE --queue-num $paramval";
    } elsif ( $actiontype & SET ) {
 	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
-	fatal_error "$action rules require a set name parameter" unless $param;  
+	fatal_error "$action rules require a set name parameter" unless $param;
    } else {
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
    }
@@ -1134,7 +1138,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	$dest = $2;
    } elsif ( $dest =~ /.*\..*\./ ) {
 	#
-	# Appears to be an address
+	# Appears to be an IPv4 address (no NAT in IPv6)
 	#
 	$destzone = '-';
    } else {
@@ -1242,7 +1246,9 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		      do_user( $user ) ,
 		      do_test( $mark , $globals{TC_MASK} ) ,
 		      do_connlimit( $connlimit ),
-		      do_time( $time ) );
+		      do_time( $time ) ,
+		      do_headers( $headers )
+		    );
    }

    unless ( $section eq 'NEW' ) {
@@ -1256,7 +1262,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
    #
    if ( $actiontype & NATRULE ) {
 	my ( $server, $serverport );
-	my $randomize = $dest =~ s/:random$// ? '--random ' : '';
+	my $randomize = $dest =~ s/:random$// ? ' --random' : '';

 	require_capability( 'NAT_ENABLED' , "$basictarget rules", '' );
 	#
@@ -1307,8 +1313,8 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {

 	if ( $actiontype  & REDIRECT ) {
 	    fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server;
-	    $target  = 'REDIRECT ';
-	    $target .= "--to-port $serverport " if $serverport;
+	    $target  = 'REDIRECT';
+	    $target .= " --to-port $serverport" if $serverport;
 	    if ( $origdest eq '' || $origdest eq '-' ) {
 		$origdest = ALLIP;
 	    } elsif ( $origdest eq 'detect' ) {
@@ -1331,14 +1337,14 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    }

 	    if ( $action eq 'DNAT' ) {
-		$target = 'DNAT ';
+		$target = 'DNAT';
 		if ( $server ) {
 		    $serverport = ":$serverport" if $serverport;
 		    for my $serv ( split /,/, $server ) {
-			$target .= "--to-destination ${serv}${serverport} ";
+			$target .= " --to-destination ${serv}${serverport}";
 		    }
 		} else {
-		    $target .= "--to-destination :$serverport ";
+		    $target .= " --to-destination :$serverport";
 		}
 	    }

@@ -1531,7 +1537,7 @@ sub process_section ($) {
 	@sections{'ESTABLISHED','RELATED'} = ( 1, 1 );
 	finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
    }
-    
+
    $section = $sect;
 }

@@ -1604,7 +1610,7 @@ sub build_zone_list( $$$\$\$ ) {
 # Process a Record in the rules file
 #
 sub process_rule ( ) {
-    my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time ) = split_line1 1, 12, 'rules file', \%rules_commands;
+    my ( $target, $source, $dest, $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers ) = split_line1 1, 13, 'rules file', \%rules_commands;

    process_comment,            return 1 if $target eq 'COMMENT';
    process_section( $source ), return 1 if $target eq 'SECTION';
@@ -1636,7 +1642,7 @@ sub process_rule ( ) {
 	    my $destzone   = (split( /:/, $dest,   2 ) )[0];
 	    $destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone;
 	    if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
-		$generated |= process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $wild;
+		$generated |= process_rule1 $target, $source, $dest , $proto, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $wild;
 	    }
 	}
    }
@@ -1653,11 +1659,15 @@ sub process_rules() {

    my $fn = open_file 'rules';

-    first_entry "$doing $fn...";
+    if ( $fn ) {

-    process_rule while read_a_line;
+	first_entry "$doing $fn...";
+
+	process_rule while read_a_line;
+
+	clear_comment;
+    }

-    clear_comment;
    $section = 'DONE';
 }

@@ -1698,13 +1708,13 @@ sub generate_dest_rules( $$$$ ) {

    if ( $type2 == VSERVER ) {
 	for my $hostref ( @{$z2ref->{hosts}{ip}{'%vserver%'}} ) {
-	    my $exclusion   = dest_exclusion( $hostref->{exclusions}, $chain); 
+	    my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain);

 	    for my $net ( @{$hostref->{hosts}} ) {
-		add_jump( $chainref, 
+		add_jump( $chainref,
 			  $exclusion ,
 			  0,
-			  join('', $match, match_dest_net( $net ) ) ) 
+			  join('', $match, match_dest_net( $net ) ) )
 	    }
 	}
    } else {
@@ -1718,7 +1728,7 @@ sub generate_dest_rules( $$$$ ) {
 sub generate_source_rules( $$$$ ) {
    my ( $outchainref, $z1, $z2, $match ) = @_;
    my $chain = rules_target ( $z1, $z2 );
-	    
+
    if ( $chain ) {
 	#
 	# Not a CONTINUE policy with no rules
@@ -1726,20 +1736,20 @@ sub generate_source_rules( $$$$ ) {
 	for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
 	    my $ipsec_match = match_ipsec_in $z1 , $hostref;
 	    my $exclusion   = source_exclusion( $hostref->{exclusions}, $chain);
-		
+
 	    for my $net ( @{$hostref->{hosts}} ) {
 		generate_dest_rules( $outchainref,
 				     $exclusion,
-				     $z2,  
+				     $z2,
 				     join('', match_source_net( $net ), $match , $ipsec_match )
 				   );
-	    }	
+	    }
 	}
-    } 
+    }
 }

 #
-# Loopback traffic -- this is where we assemble the intra-firewall traffic routing
+# Loopback traffic -- this is where we assemble the intra-firewall chains
 #
 sub handle_loopback_traffic() {
    my @zones   = ( vserver_zones, firewall_zone );
@@ -1780,11 +1790,11 @@ sub handle_loopback_traffic() {
 	    for my $typeref ( values %{$source_hosts_ref} ) {
 		for my $hostref ( @{$typeref->{'%vserver%'}} ) {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);
-		
+
 		    for my $net ( @{$hostref->{hosts}} ) {
 			add_jump( $natout, $exclusion, 0, match_source_net( $net ), 0, $rulenum++ );
 		    }
-		}	
+		}
 	    }
 	}
    }
@@ -1860,15 +1870,33 @@ sub generate_matrix() {
    our %forward_jump_added = ();

    progress_message2 'Generating Rule Matrix...';
+    progress_message  '  Handling blacklisting and complex zones...';
    #
-    # Special processing for complex and blacklisting configurations
+    # Special processing for complex and/or blacklisting configurations
    #
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-
+	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
+	#
+	# Handle blacklisting first
+	#
 	if ( $zoneref->{options}{in}{blacklist} ) {
 	    my $blackref = $filter_table->{blacklst};
 	    add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
+
+	    if ( $simple ) {
+		#
+		# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
+		#
+		for my $zone1 ( @zones ) {
+		    my $ruleschain    = rules_chain( $zone, $zone1 );
+		    my $ruleschainref = $filter_table->{$ruleschain};
+
+		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+			add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
+		    }
+		}
+	    }
 	}

 	if ( $zoneref->{options}{out}{blacklist} ) {
@@ -1879,14 +1907,14 @@ sub generate_matrix() {
 		my $ruleschain    = rules_chain( $zone1, $zone );
 		my $ruleschainref = $filter_table->{$ruleschain};

-		if ( $zone ne $zone1 || ( $ruleschainref && $ruleschainref->{referenced} ) ) {
+		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
 		    add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
-		} 
+		}
 	    }
 	}

-	next if @zones <= 2 && ! $zoneref->{options}{complex};
-	
+	next if $simple;
+
 	#
 	# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
 	#
@@ -1939,6 +1967,8 @@ sub generate_matrix() {
    #
    # Main source-zone matrix-generation loop
    #
+    progress_message '  Entering main matrix-generation loop...';
+
    for my $zone ( @zones ) {
 	my $zoneref          = find_zone( $zone );
 	my $source_hosts_ref = $zoneref->{hosts};
@@ -2008,7 +2038,7 @@ sub generate_matrix() {
 		    my $ipsec_in_match  = match_ipsec_in  $zone , $hostref;
 		    my $ipsec_out_match = match_ipsec_out $zone , $hostref;
 		    my $exclusions = $hostref->{exclusions};
-		    
+
 		    for my $net ( @{$hostref->{hosts}} ) {
 			my $dest   = match_dest_net $net;

@@ -2287,6 +2317,8 @@ sub generate_matrix() {
 	add_jump $frwd_ref , $last_chain, 1 if $frwd_ref && $last_chain;
    }

+    progress_message '  Finishing matrix...';
+
    add_interface_jumps @interfaces unless $interface_jumps_added;

    promote_blacklist_rules;
@@ -2586,7 +2618,7 @@ EOF

    my @ipsets = all_ipsets;

-    if ( @ipsets || $config{SAVE_IPSETS} ) {
+    if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 	emit <<'EOF';

    case $IPSET in
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_15';

 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -195,7 +195,7 @@ sub initialize( $ ) {
 }

 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = split_line1 2, 13, 'tcrules file';

    our @tccmd;

@@ -254,7 +254,7 @@ sub process_tc_rule( ) {
 	} else {
 	    fatal_error "Invalid MARK ($originalmark)"   unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ and $designator =~ /^([0-9]+|0x[0-9a-f]+)$/;

-	    if ( $config{TC_ENABLED} eq 'Internal' ) {
+	    if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
 		fatal_error "Unknown Class ($originalmark)}" unless ( $device = $classids{$originalmark} );
 	    }

@@ -297,7 +297,7 @@ sub process_tc_rule( ) {
 			}

 			$restriction = DESTIFACE_DISALLOW;
-			
+
 			ensure_mangle_chain($target);

 			$sticky++;
@@ -412,7 +412,8 @@ sub process_tc_rule( ) {
 				     do_length( $length ) .
 				     do_tos( $tos ) .
 				     do_connbytes( $connbytes ) .
-				     do_helper( $helper ),
+				     do_helper( $helper ) .
+				     do_headers( $headers ) ,
 				     $source ,
 				     $dest ,
 				     '' ,
@@ -424,7 +425,7 @@ sub process_tc_rule( ) {
 	#
 	# expand_rule() returns destination device if any
 	#
-	fatal_error "Class Id $originalmark is not associated with device $result" if $device ne $result;
+	fatal_error "Class Id $originalmark is not associated with device $result" if $device ne $result &&( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' );
    }

    progress_message "  TC Rule \"$currentline\" $done";
@@ -939,13 +940,16 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
 #
 # Process a record from the tcfilters file
 #
-sub process_tc_filter( ) {
+sub process_tc_filter() {
+
    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 2, 8, 'tcfilters file';

    my ($device, $class, $rest ) = split /:/, $devclass, 3;

    fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || ! ($device && $class );

+    my ( $ip, $ip32, $prio , $lo ) = $family == F_IPV4 ? ('ip', 'ip', 10, 2 ) : ('ipv6', 'ip6', 11 , 4 );
+
    ( $device , my $devref ) = dev_by_number( $device );

    my $devnum = $devref->{number};
@@ -963,16 +967,16 @@ sub process_tc_filter( ) {
    fatal_error "Unknown CLASS ($devclass)"                  unless $tcref && $tcref->{occurs};
    fatal_error "Filters may not specify an occurring CLASS" if $tcref->{occurs} > 1;

-    my $rule = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32";
+    my $rule = "filter add dev $devref->{physical} protocol $ip parent $devnum:0 prio $prio u32";

    if ( $source ne '-' ) {
 	my ( $net , $mask ) = decompose_net( $source );
-	$rule .= "\\\n   match ip src $net/$mask";
+	$rule .= "\\\n   match $ip32 src $net/$mask";
    }

    if ( $dest ne '-' ) {
 	my ( $net , $mask ) = decompose_net( $dest );
-	$rule .= "\\\n   match ip dst $net/$mask";
+	$rule .= "\\\n   match $ip dst $net/$mask";
    }

    if ( $tos ne '-' ) {
@@ -990,14 +994,14 @@ sub process_tc_filter( ) {
 	    fatal_error "Invalid TOS ($tos)";
 	}

-	$rule .= "\\\n  match ip tos $tosval $mask";
+	$rule .= "\\\n  match $ip32 tos $tosval $mask";
    }

    if ( $length ne '-' ) {
 	my $len = numeric_value( $length ) || 0;
 	my $mask = $validlengths{$len};
 	fatal_error "Invalid LENGTH ($length)" unless $mask;
-	$rule .="\\\n   match u16 0x0000 $mask at 2";
+	$rule .="\\\n   match u16 0x0000 $mask at $lo";
    }

    my $protonumber = 0;
@@ -1005,7 +1009,7 @@ sub process_tc_filter( ) {
    unless ( $proto eq '-' ) {
 	$protonumber = resolve_proto $proto;
 	fatal_error "Unknown PROTO ($proto)" unless defined $protonumber;
-	$rule .= "\\\n   match ip protocol $protonumber 0xff" if $protonumber;
+	$rule .= "\\\n   match $ip32 protocol $protonumber 0xff" if $protonumber;
    }

    if ( $portlist eq '-' && $sportlist eq '-' ) {
@@ -1034,17 +1038,22 @@ sub process_tc_filter( ) {
 	    $lasttnum = $tnum;
 	    $lastrule = $rule;

-	    emit( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor 1" );
+	    emit( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol $ip prio $prio handle $tnum: u32 divisor 1" );
 	}
 	#
 	# And link to it using the current contents of $rule
 	#
-	emit( "\nrun_tc $rule\\" ,
-	      "   link $tnum:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat" );
+	if ( $family == F_IPV4 ) {
+	    emit( "\nrun_tc $rule\\" ,
+		  "   link $tnum:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat" );
+	} else {
+	    emit( "\nrun_tc $rule\\" ,
+		  "   link $tnum:0 offset plus 40 eat" );
+	}    
 	#
 	# The rule to match the port(s) will be inserted into the new table
 	#
-	$rule     = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
+	$rule     = "filter add dev $devref->{physical} protocol $ip parent $devnum:0 prio $prio u32 ht $tnum:0";

 	if ( $portlist eq '-' ) {
 	    fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT"
@@ -1076,6 +1085,7 @@ sub process_tc_filter( ) {

 	    for my $portrange ( split_list $portlist, 'port list' ) {
 		if ( $protonumber == ICMP ) {
+		    fatal_error "ICMP not allowed with IPv6" unless $family == F_IPV4;
 		    fatal_error "SOURCE PORT(S) are not allowed with ICMP" if $sportlist ne '-';

 		    my ( $icmptype , $icmpcode ) = split '//', validate_icmp( $portrange );
@@ -1085,6 +1095,17 @@ sub process_tc_filter( ) {
 		    emit( "\nrun_tc ${rule}\\" ,
 			  "$rule1\\" ,
 			  "   flowid $devref->{number}:$class" );
+		} elsif ( $protonumber == IPv6_ICMP ) {
+		    fatal_error "IPv6 ICMP not allowed with IPv4" unless $family == F_IPV4;
+		    fatal_error "SOURCE PORT(S) are not allowed with IPv6 ICMP" if $sportlist ne '-';
+
+		    my ( $icmptype , $icmpcode ) = split '//', validate_icmp6( $portrange );
+
+		    my $rule1 = "   match icmp6 type $icmptype 0xff";
+		    $rule1   .= "\\\n   match icmp6 code $icmpcode 0xff" if defined $icmpcode;
+		    emit( "\nrun_tc ${rule}\\" ,
+			  "$rule1\\" ,
+			  "   flowid $devref->{number}:$class" );
 		} else {
 		    my @portlist = expand_port_range $protonumber , $portrange;

@@ -1137,16 +1158,59 @@ sub process_tc_filter( ) {

    emit '';

-    progress_message "  TC Filter \"$currentline\" $done";
+    if ( $family == F_IPV4 ) {

-    $currentline =~ s/\s+/ /g;
+	progress_message "  IPv4 TC Filter \"$currentline\" $done";

-    save_progress_message_short qq('   TC Filter \"$currentline\" defined.');
+	$currentline =~ s/\s+/ /g;
+
+	save_progress_message_short qq('   IPv4 TC Filter \"$currentline\" defined.');
+    } else {
+	progress_message "  IPv6 TC Filter \"$currentline\" $done";
+
+	$currentline =~ s/\s+/ /g;
+
+	save_progress_message_short qq('   IPv6 TC Filter \"$currentline\" defined.');
+    }

    emit '';

 }

+sub process_tcfilters() {
+
+    my $fn = open_file 'tcfilters';
+
+    if ( $fn ) {
+	my @family = ( $family );
+	
+	first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message q("Adding TC Filters"); } );
+	
+	while ( read_a_line ) {
+	    if ( $currentline =~ /^\s*IPV4\s*$/ ) {
+		Shorewall::IPAddrs::initialize( $family = F_IPV4 ) unless $family == F_IPV4;
+	    } elsif ( $currentline =~ /^\s*IPV6\s*$/ ) {
+		Shorewall::IPAddrs::initialize( $family = F_IPV6 ) unless $family == F_IPV6;
+	    } elsif ( $currentline =~ /^\s*ALL\s*$/ ) {
+		$family = 0;
+	    } elsif ( $family ) {
+		process_tc_filter;
+	    } else {
+		push @family, $family;
+
+		for ( F_IPV4, F_IPV6 ) {
+		    Shorewall::IPAddrs::initialize( $family = $_ );
+		    process_tc_filter;
+		}
+
+		Shorewall::IPAddrs::initialize( $family = pop @family );
+	    }
+	}
+
+	Shorewall::IPAddrs::initialize( $family = pop @family );
+    }
+}
+
 sub process_tc_priority() {
    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri';

@@ -1271,80 +1335,83 @@ sub setup_traffic_shaping() {

 	my $dev = chain_base( $device );

-	emit "if interface_is_up $device; then";
+	unless ( $config{TC_ENABLED} eq 'Shared' ) {

-	push_indent;
+	    emit "if interface_is_up $device; then";

-	emit ( "${dev}_exists=Yes",
-	       "qt \$TC qdisc del dev $device root",
-	       "qt \$TC qdisc del dev $device ingress",
-	       "${dev}_mtu=\$(get_device_mtu $device)",
-	       "${dev}_mtu1=\$(get_device_mtu1 $device)"
-	     );
+	    push_indent;

-	if ( $devref->{qdisc} eq 'htb' ) {
-	    emit ( "run_tc qdisc add dev $device root handle $devnum: htb default $defmark r2q $r2q" ,
-		   "run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $devref->{out_bandwidth} \$${dev}_mtu1" );
-	} else {
-	    emit ( "run_tc qdisc add dev $device root handle $devnum: hfsc default $defmark" ,
-		   "run_tc class add dev $device parent $devnum: classid $devnum:1 hfsc sc rate $devref->{out_bandwidth} ul rate $devref->{out_bandwidth}" );
-	}
+	    emit ( "${dev}_exists=Yes",
+		   "qt \$TC qdisc del dev $device root",
+		   "qt \$TC qdisc del dev $device ingress",
+		   "${dev}_mtu=\$(get_device_mtu $device)",
+		   "${dev}_mtu1=\$(get_device_mtu1 $device)"
+		 );

-	if ( $devref->{occurs} ) {
-	    #
-	    # The following command may succeed yet generate an error message and non-zero exit status :-(. We thus run it silently
-	    # and check the result. Note that since this is the first filter added after the root qdisc was added, the 'ls | grep' test
-	    # is fairly robust
-	    #
-	    my $command = "\$TC filter add dev $device parent $devnum:0 prio 65535 protocol all fw";
-
-	    emit( qq(if ! qt $command ; then) ,
-		  qq(    if ! \$TC filter list dev $device | grep -q 65535; then) ,
-		  qq(        error_message "ERROR: Command '$command' failed"),
-		  qq(        stop_firewall),
-		  qq(        exit 1),
-		  qq(    fi),
-		  qq(fi) );
-	}
-
-	my $in_burst = '10kb';
-	my $inband;
-
-	if ( $devref->{in_bandwidth} =~ /:/ ) {
-	    my ( $in_band, $burst ) = split /:/, $devref->{in_bandwidth}, 2;
-
-	    if ( defined $burst && $burst ne '' ) {
-		fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
-		fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
-		$in_burst = $burst;
+	    if ( $devref->{qdisc} eq 'htb' ) {
+		emit ( "run_tc qdisc add dev $device root handle $devnum: htb default $defmark r2q $r2q" ,
+		       "run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $devref->{out_bandwidth} \$${dev}_mtu1" );
+	    } else {
+		emit ( "run_tc qdisc add dev $device root handle $devnum: hfsc default $defmark" ,
+		       "run_tc class add dev $device parent $devnum: classid $devnum:1 hfsc sc rate $devref->{out_bandwidth} ul rate $devref->{out_bandwidth}" );
 	    }

-	    $inband = rate_to_kbit( $in_band );
-	} else {
-	    $inband = rate_to_kbit $devref->{in_bandwidth};
+	    if ( $devref->{occurs} ) {
+		#
+		# The following command may succeed yet generate an error message and non-zero exit status :-(. We thus run it silently
+		# and check the result. Note that since this is the first filter added after the root qdisc was added, the 'ls | grep' test
+		# is fairly robust
+		#
+		my $command = "\$TC filter add dev $device parent $devnum:0 prio 65535 protocol all fw";
+
+		emit( qq(if ! qt $command ; then) ,
+		      qq(    if ! \$TC filter list dev $device | grep -q 65535; then) ,
+		      qq(        error_message "ERROR: Command '$command' failed"),
+		      qq(        stop_firewall),
+		      qq(        exit 1),
+		      qq(    fi),
+		      qq(fi) );
+	    }
+
+	    my $in_burst = '10kb';
+	    my $inband;
+
+	    if ( $devref->{in_bandwidth} =~ /:/ ) {
+		my ( $in_band, $burst ) = split /:/, $devref->{in_bandwidth}, 2;
+
+		if ( defined $burst && $burst ne '' ) {
+		    fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
+		    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
+		    $in_burst = $burst;
+		}
+
+		$inband = rate_to_kbit( $in_band );
+	    } else {
+		$inband = rate_to_kbit $devref->{in_bandwidth};
+	    }
+
+	    if ( $inband ) {
+		emit ( "run_tc qdisc add dev $device handle ffff: ingress",
+		       "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst $in_burst drop flowid :1"
+		     );
+	    }
+
+	    for my $rdev ( @{$devref->{redirected}} ) {
+		emit ( "run_tc qdisc add dev $rdev handle ffff: ingress" );
+		emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
+	    }
+
+	    save_progress_message_short qq("   TC Device $device defined.");
+
+	    pop_indent;
+	    emit 'else';
+	    push_indent;
+
+	    emit qq(error_message "WARNING: Device $device is not in the UP state -- traffic-shaping configuration skipped");
+	    emit "${dev}_exists=";
+	    pop_indent;
+	    emit "fi\n";
 	}
-
-	if ( $inband ) {
-	    emit ( "run_tc qdisc add dev $device handle ffff: ingress",
-		   "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst $in_burst drop flowid :1"
-		   );
-	}
-
-	for my $rdev ( @{$devref->{redirected}} ) {
-	    emit ( "run_tc qdisc add dev $rdev handle ffff: ingress" );
-	    emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
-	}
-
-	save_progress_message_short qq("   TC Device $device defined.");
-
-	pop_indent;
-	emit 'else';
-	push_indent;
-
-	emit qq(error_message "WARNING: Device $device is not in the UP state -- traffic-shaping configuration skipped");
-	emit "${dev}_exists=";
-	pop_indent;
-	emit "fi\n";
    }

    my $lastdevice = '';
@@ -1365,67 +1432,71 @@ sub setup_traffic_shaping() {
 	my $tcref    = $tcclasses{$device}{$decimalclassnum};
 	my $mark     = $tcref->{mark};
 	my $devicenumber  = in_hexp $devref->{number};
-	my $classid  = join( ':', in_hexp $devicenumber, $classnum);
+	my $classid  = join( ':', $devicenumber, $classnum);
 	my $rate     = "$tcref->{rate}kbit";
 	my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );

 	$classids{$classid}=$device;
 	$device = physical_name $device;

-	my $dev      = chain_base $device;
-	my $priority = $tcref->{priority} << 8;
-	my $parent   = in_hexp $tcref->{parent};
+	unless ( $config{TC_ENABLED} eq 'Shared' ) {
+	    my $dev      = chain_base $device;
+	    my $priority = $tcref->{priority} << 8;
+	    my $parent   = in_hexp $tcref->{parent};

-	if ( $lastdevice ne $device ) {
-	    if ( $lastdevice ) {
-		pop_indent;
-		emit "fi\n";
+	    if ( $lastdevice ne $device ) {
+		if ( $lastdevice ) {
+		    pop_indent;
+		    emit "fi\n";
+		}
+
+		emit qq(if [ -n "\$${dev}_exists" ]; then);
+		push_indent;
+		$lastdevice = $device;
 	    }

-	    emit qq(if [ -n "\$${dev}_exists" ]; then);
-	    push_indent;
-	    $lastdevice = $device;
-	}
+	    emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );

-	emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
-
-	if ( $devref->{qdisc} eq 'htb' ) {
-	    emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
-	} else {
-	    my $dmax = $tcref->{dmax};
-
-	    if ( $dmax ) {
-		my $umax = $tcref->{umax} ? "$tcref->{umax}b" : "\${${dev}_mtu}b";
-		emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
+	    if ( $devref->{qdisc} eq 'htb' ) {
+		emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
 	    } else {
-		emit ( "run_tc class add dev $device parent $devref->{number}:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
+		my $dmax = $tcref->{dmax};
+
+		if ( $dmax ) {
+		    my $umax = $tcref->{umax} ? "$tcref->{umax}b" : "\${${dev}_mtu}b";
+		    emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
+		} else {
+		    emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
+		}
 	    }
+
+	    if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
+		$sfqinhex = in_hexp( ++$sfq);
+		emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
+	    }
+	    #
+	    # add filters
+	    #
+	    unless ( $devref->{classify} ) {
+		emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
+	    }
+
+	    emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
+	    #
+	    # options
+	    #
+	    emit "run_tc filter add dev $device parent $devref->{number}:0 protocol ip prio " . ( $priority | 10 ) ." u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
+
+	    for my $tospair ( @{$tcref->{tos}} ) {
+		my ( $tos, $mask ) = split q(/), $tospair;
+		emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid";
+	    }
+
+	    save_progress_message_short qq("   TC Class $classid defined.");
+	    emit '';
+
 	}

-	if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
-	    $sfqinhex = in_hexp( ++$sfq);
-	    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
-	}
-	#
-	# add filters
-	#
-	unless ( $devref->{classify} ) {
-	    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
-	}
-
-	emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
-	#
-	# options
-	#
-	emit "run_tc filter add dev $device parent $devref->{number}:0 protocol ip prio " . ( $priority | 10 ) ." u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
-
-	for my $tospair ( @{$tcref->{tos}} ) {
-	    my ( $tos, $mask ) = split q(/), $tospair;
-	    emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid";
-	}
-
-	save_progress_message_short qq("   TC Class $classid defined.");
-	emit '';
    }

    if ( $lastdevice ) {
@@ -1433,15 +1504,7 @@ sub setup_traffic_shaping() {
 	emit "fi\n";
    }

-    if ( $family == F_IPV4 ) {
-	$fn = open_file 'tcfilters';
-
-	if ( $fn ) {
-	    first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message q("Adding TC Filters"); } );
-
-	    process_tc_filter while read_a_line;
-	}
-    }
+    process_tcfilters;
 }

 #
@@ -1462,7 +1525,7 @@ sub process_secmark_rule() {
 		 O => 'tcout'   , );

    my %state = ( N =>  'NEW' ,
-		  E =>  'ESTABLISHED' , 
+		  E =>  'ESTABLISHED' ,
 		  ER => 'ESTABLISHED,RELATED' );

    my ( $chain , $state, $rest) = split ':', $chainin , 3;
@@ -1470,7 +1533,7 @@ sub process_secmark_rule() {
    fatal_error "Invalid CHAIN:STATE ($chainin)" if $rest || ! $chain;

    my $chain1= $chns{$chain};
-    
+
    fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
    fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && $chain1 ne 'tcout';

@@ -1488,22 +1551,22 @@ sub process_secmark_rule() {

    $disposition =~ s/ .*//;

-    expand_rule( ensure_mangle_chain( $chain1 ) , 
+    expand_rule( ensure_mangle_chain( $chain1 ) ,
 		 $restrictions{$chain1} ,
 		 $state .
 		 do_proto( $proto, $dport, $sport ) .
 		 do_user( $user ) .
 		 do_test( $mark, $globals{TC_MASK} ) ,
-		 $source , 
-		 $dest , 
-		 '' , 
-		 $target , 
-		 '' , 
+		 $source ,
+		 $dest ,
+		 '' ,
+		 $target ,
+		 '' ,
 		 $disposition,
 		 '' );

    progress_message "Secmarks rule \"$currentline\" $done";
-		 
+
 }

 #
@@ -1552,7 +1615,7 @@ sub setup_tc() {
    if ( $globals{TC_SCRIPT} ) {
 	save_progress_message q('Setting up Traffic Control...');
 	append_file $globals{TC_SCRIPT};
-    } elsif ( $config{TC_ENABLED} eq 'Internal' ) {
+    } elsif ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
 	setup_traffic_shaping;
    } elsif ( $config{TC_ENABLED} eq 'Simple' ) {
 	setup_simple_traffic_shaping;
@@ -1622,7 +1685,7 @@ sub setup_tc() {
 	    first_entry "$doing $fn...";

 	    process_secmark_rule while read_a_line;
-	
+
 	    clear_comment;
 	}

--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';

 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -277,22 +277,23 @@ sub setup_tunnels() {
    #
    # Setup_Tunnels() Starts Here
    #
-    my $fn = open_file 'tunnels';
+    if ( my $fn = open_file 'tunnels' ) {

-    first_entry "$doing $fn...";
+	first_entry "$doing $fn...";

-    while ( read_a_line ) {
+	while ( read_a_line ) {

-	my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';

-	if ( $kind eq 'COMMENT' ) {
-	    process_comment;
-	} else {
-	    setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
+	    if ( $kind eq 'COMMENT' ) {
+		process_comment;
+	    } else {
+		setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
+	    }
 	}
-    }

-    clear_comment;
+	clear_comment;
+    }
 }

 1;
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -84,7 +84,7 @@ our @EXPORT = qw( NOTHING
 		 );

 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_15';

 #
 # IPSEC Option types
@@ -160,7 +160,7 @@ our %reservedName = ( all => 1,
 #                 }
 #
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
-#    the same order as the interfaces are encountered in the configuration files. 
+#    the same order as the interfaces are encountered in the configuration files.
 #
 our @interfaces;
 our %interfaces;
@@ -296,7 +296,7 @@ sub initialize( $ ) {
 # => mss   = <MSS setting>
 # => ipsec = <-m policy arguments to match options>
 #
-sub parse_zone_option_list($$)
+sub parse_zone_option_list($$\$)
 {
    my %validoptions = ( mss          => NUMERIC,
 			 blacklist    => NOTHING,
@@ -310,13 +310,13 @@ sub parse_zone_option_list($$)
 			 "tunnel-dst" => NETWORK,
 		       );

-    use constant { UNRESTRICTED => 1, NOFW => 2 };
+    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8 };
    #
    # Hash of options that have their own key in the returned hash.
    #
-    my %key = ( mss => UNRESTRICTED , blacklist => NOFW );
+    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW );

-    my ( $list, $zonetype ) = @_;
+    my ( $list, $zonetype, $complexref ) = @_;
    my %h;
    my $options = '';
    my $fmt;
@@ -346,14 +346,18 @@ sub parse_zone_option_list($$)
 		fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
 	    }

-	    if ( $key{$e} ) {
-		fatal_error "Option '$e' not permitted with this zone type " if $key{$e} == NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
+	    my $key = $key{$e};
+
+	    if ( $key ) {
+		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
+		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
 		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
 		$options .= $invert;
 		$options .= "--$e ";
 		$options .= "$val "if defined $val;
+		$$complexref = 1;
 	    }
 	}
    }
@@ -420,7 +424,7 @@ sub process_zone( \$ ) {
 	fatal_error 'Firewall zone may not be nested' if @parents;
 	fatal_error "Only one firewall zone may be defined ($zone)" if $firewall_zone;
 	$firewall_zone = $zone;
-	$ENV{FW} = $zone;
+	$params{FW} = $zone;
 	$type = FIREWALL;
    } elsif ( $type eq 'vserver' ) {
 	fatal_error 'Vserver zones may not be nested' if @parents;
@@ -439,13 +443,15 @@ sub process_zone( \$ ) {
 	}
    }

+    my $complex = 0;
+
    my $zoneref = $zones{$zone} = { type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
-				    options    => { in_out  => parse_zone_option_list( $options || '', $type ) ,
-						    in      => parse_zone_option_list( $in_options || '', $type ) ,
-						    out     => parse_zone_option_list( $out_options || '', $type ) ,
-						    complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
+				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex ) ,
+						    in      => parse_zone_option_list( $in_options , $type , $complex ) ,
+						    out     => parse_zone_option_list( $out_options , $type , $complex ) ,
+						    complex => ( $type == IPSEC || $complex ) ,
 						    nested  => @parents > 0 ,
 						    super   => 0 ,
 						  } ,
@@ -475,11 +481,12 @@ sub determine_zones()
    my @z;
    my $ip = 0;

-    my $fn = open_file 'zones';
-
-    first_entry "$doing $fn...";
-
-    push @z, process_zone( $ip ) while read_a_line;
+    if ( my $fn = open_file 'zones' ) {
+	first_entry "$doing $fn...";
+	push @z, process_zone( $ip ) while read_a_line;
+    } else {
+	fatal_error q(The 'zones' file does not exist or has zero size);
+    }

    fatal_error "No firewall zone defined" unless $firewall_zone;
    fatal_error "No IP zones defined" unless $ip;
@@ -801,7 +808,7 @@ sub chain_base($) {
    #
    return $name if $name;
    #
-    # Remember initial value 
+    # Remember initial value
    #
    my $key = $chain;
    #
@@ -810,7 +817,7 @@ sub chain_base($) {
    $chain =~ s/\+$//;
    $chain =~ tr/./_/;

-    if ( $chain =~ /^[0-9]/ || $chain =~ /[^\w]/ ) {
+    if ( $chain eq '' || $chain =~ /^[0-9]/ || $chain =~ /[^\w]/ ) {
 	#
 	# Must map. Remove all illegal characters
 	#
@@ -879,7 +886,7 @@ sub process_interface( $$ ) {
 	    } else {
 		$zoneref->{bridge} = $interface;
 	    }
-	    
+
 	    fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} == VSERVER;
 	}

@@ -947,7 +954,7 @@ sub process_interface( $$ ) {

 	    if ( $zone ) {
 		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} == VSERVER && ! ( $type & IF_OPTION_VSERVER );
-	    } else { 
+	    } else {
 		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
 	    }

@@ -1102,16 +1109,16 @@ sub process_interface( $$ ) {
 #
 sub validate_interfaces_file( $ ) {
    my $export = shift;
-
-    my $fn = open_file 'interfaces';
-
+    
    my @ifaces;
-
    my $nextinum = 1;

-    first_entry "$doing $fn...";
-
-    push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
+    if ( my $fn = open_file 'interfaces' ) {
+	first_entry "$doing $fn...";
+	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
+    } else {
+	fatal_error q(The 'interfaces' file does not exist or has zero size);
+    }

    #
    # We now assemble the @interfaces array such that bridge ports immediately precede their associated bridge
@@ -1175,7 +1182,7 @@ sub map_physical( $$ ) {
 #
 # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
 #
-# If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in 
+# If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in
 # %interfaces.
 #
 sub known_interface($;$)
@@ -1192,7 +1199,7 @@ sub known_interface($;$)
 	my $root = $interfaceref->{root};
 	if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
 	    my $physical = map_physical( $interface, $interfaceref );
-	    
+
 	    my $copyref = { options  => $interfaceref->{options},
 			    bridge   => $interfaceref->{bridge} ,
 			    name     => $i ,
@@ -1389,7 +1396,7 @@ sub verify_required_interfaces( $ ) {
 	    my $wait = $interfaces{$interface}{options}{wait};

 	    emit q() unless $first-- > 0;
-	    
+
 	    if ( $wait ) {
 		my $physical = get_physical $interface;

@@ -1428,7 +1435,7 @@ sub verify_required_interfaces( $ ) {
 	}

 	emit( ";;\n" );
-	
+
 	pop_indent;
 	pop_indent;

@@ -1667,7 +1674,13 @@ sub process_host( ) {
 	if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
 	    $interface = $1;
 	    $hosts = $2;
-	    $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
+
+	    if ( $hosts =~ /^\+/ ) {
+		$zoneref->{options}{complex} = 1;
+		fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
+		fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
+	    }
+
 	    fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
@@ -1688,7 +1701,7 @@ sub process_host( ) {
 	} elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) {
 	    fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
 	}
-    } 
+    }

    my $optionsref = { dynamic => 0 };

@@ -1714,7 +1727,7 @@ sub process_host( ) {
 	    }
 	}

-	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER; 
+	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER;

 	$optionsref = \%options;
    }
@@ -1762,11 +1775,10 @@ sub validate_hosts_file()
 {
    my $ipsec = 0;

-    my $fn = open_file 'hosts';
-
-    first_entry "$doing $fn...";
-
-    $ipsec |= process_host while read_a_line;
+    if ( my $fn = open_file 'hosts' ) {
+	first_entry "$doing $fn...";
+	$ipsec |= process_host while read_a_line;
+    }

    $have_ipsec = $ipsec || haveipseczones;

--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -0,0 +1,35 @@
+#!/bin/sh
+#
+#     The Shoreline Firewall Packet Filtering Firewall Param File Helper - V4.4
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+. /usr/share/shorewall/lib.base
+. /usr/share/shorewall/lib.cli
+
+CONFIG_PATH="$2"
+
+set -a
+
+. $1 >/dev/null # Avoid spurious output
+
+set +a
+
+env
--- a/Shorewall/Perl/prog.footer6
+++ b/Shorewall/Perl/prog.footer6
@@ -17,6 +17,19 @@ usage() {
    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
 }
+
+checkkernelversion() {
+    local kernel
+
+    kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+
+    if [ $kernel -lt 20624 ]; then
+	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+	return 1
+    else
+	return 0
+    fi
+}
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
@@ -155,40 +168,41 @@ done

 COMMAND="$1"

-kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-if [ $kernel -lt 20624 ]; then
-    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-    status=2
-else
-    case "$COMMAND" in
-	start)
-	    [ $# -ne 1 ] && usage 2
-	    if shorewall6_is_started; then
-		error_message "$g_product is already Running"
-		status=0
-	    else
-		progress_message3 "Starting $g_product...."
+
+case "$COMMAND" in
+    start)
+	[ $# -ne 1 ] && usage 2
+	if shorewall6_is_started; then
+	    error_message "$g_product is already Running"
+	    status=0
+	else
+	    progress_message3 "Starting $g_product...."
+	    if checkkernelversion; then
 		detect_configuration
 		define_firewall
 		status=$?
 		[ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
 		progress_message3 "done."
 	    fi
-	    ;;
-	stop)
-	    [ $# -ne 1 ] && usage 2
+	fi
+	;;
+    stop)
+	[ $# -ne 1 ] && usage 2
+	if checkkernelversion; then
 	    progress_message3 "Stopping $g_product...."
 	    detect_configuration
 	    stop_firewall
 	    status=0
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
-	    ;;
- 	reset)
-	    if ! shorewall6_is_started ; then
-		error_message "$g_product is not running"
-		status=2
-	    elif [ $# -eq 1 ]; then
+	fi
+	;;
+    reset)
+	if ! shorewall6_is_started ; then
+	    error_message "$g_product is not running"
+	    status=2
+	elif checkkernelversion; then
+	    if [ $# -eq 1 ]; then
 		$IP6TABLES -Z
 		$IP6TABLES -t mangle -Z
 		date > ${VARDIR}/restarted
@@ -211,17 +225,19 @@ else
 		    fi
 		done
 	    fi
-	    ;;
-	restart)
-	    [ $# -ne 1 ] && usage 2
-	    if shorewall6_is_started; then
-		progress_message3 "Restarting $g_product...."
-	    else
-		error_message "$g_product is not running"
-		progress_message3 "Starting $g_product...."
-		COMMAND=start
-	    fi
+	fi
+	;;
+    restart)
+	[ $# -ne 1 ] && usage 2
+	if shorewall6_is_started; then
+	    progress_message3 "Restarting $g_product...."
+	else
+	    error_message "$g_product is not running"
+	    progress_message3 "Starting $g_product...."
+	    COMMAND=start
+	fi

+	if checkkernelversion; then
 	    detect_configuration
 	    define_firewall
 	    status=$?
@@ -229,84 +245,90 @@ else
 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
            fi
 	    progress_message3 "done."
-	    ;;
-	refresh)
-	    [ $# -ne 1 ] && usage 2
-	    if shorewall6_is_started; then
-		progress_message3 "Refreshing $g_product...."
+	fi
+	;;
+    refresh)
+	[ $# -ne 1 ] && usage 2
+	if shorewall6_is_started; then
+	    progress_message3 "Refreshing $g_product...."
+	    if checkkernelversion; then
 		detect_configuration
 		define_firewall
 		status=$?
 		progress_message3 "done."
-	    else
-		echo "$g_product is not running" >&2
-		status=2
 	    fi
-	    ;;
-	restore)
-	    [ $# -ne 1 ] && usage 2
+	else
+	    echo "$g_product is not running" >&2
+	    status=2
+	fi
+	;;
+    restore)
+	[ $# -ne 1 ] && usage 2
+	if checkkernelversion; then
 	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
            fi
-	    ;;
-	clear)
-	    [ $# -ne 1 ] && usage 2
-	    progress_message3 "Clearing $g_product...."
+	fi
+	;;
+    clear)
+	[ $# -ne 1 ] && usage 2
+	progress_message3 "Clearing $g_product...."
+	if checkkernelversion; then
 	    clear_firewall
 	    status=0
 	    if [ -n "$SUBSYSLOCK" ]; then
 		rm -f $SUBSYSLOCK
 	    fi
 	    progress_message3 "done."
-	    ;;
-	status)
-	    [ $# -ne 1 ] && usage 2
-	    echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
-	    echo
-	    if shorewall6_is_started; then
-		echo "$g_product is running"
-		status=0
-	    else
-		echo "$g_product is stopped"
-		status=4
-	    fi
+	fi
+	;;
+    status)
+	[ $# -ne 1 ] && usage 2
+	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
+	echo
+	if shorewall6_is_started; then
+	    echo "$g_product is running"
+	    status=0
+	else
+	    echo "$g_product is stopped"
+	    status=4
+	fi

-	    if [ -f ${VARDIR}/state ]; then
-		state="$(cat ${VARDIR}/state)"
-		case $state in
-		    Stopped*|Clear*)
-			status=3
-			;;
-		esac
-	    else
-		state=Unknown
-	    fi
-	    echo "State:$state"
-	    echo
-	    ;;
-	up|down)
-	    [ $# -eq 1 ] && exit 0
-	    shift
-	    [ $# -ne 1 ] && usage 2
-	    updown $1
-	    status=0
-	    ;;
-	version)
-	    [ $# -ne 1 ] && usage 2
-	    echo $SHOREWALL_VERSION
-	    status=0
-	    ;;
-	help)
-	    [ $# -ne 1 ] && usage 2
-	    usage 0
-	    ;;
-	*)
-	    usage 2
-	    ;;
-    esac
-fi
+	if [ -f ${VARDIR}/state ]; then
+	    state="$(cat ${VARDIR}/state)"
+	    case $state in
+		Stopped*|Clear*)
+		    status=3
+		    ;;
+	    esac
+	else
+	    state=Unknown
+	fi
+	echo "State:$state"
+	echo
+	;;
+    up|down)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	updown $1
+	status=0
+	;;
+    version)
+	[ $# -ne 1 ] && usage 2
+	echo $SHOREWALL_VERSION
+	status=0
+	;;
+    help)
+	[ $# -ne 1 ] && usage 2
+	usage 0
+	;;
+    *)
+	usage 2
+	;;
+esac

 exit $status
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -509,7 +509,7 @@ undo_routing() {
 #
 restore_default_route() {
    local result
-    
+
    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -497,7 +497,7 @@ undo_routing() {
 #
 restore_default_route() {
    local result
-    
+
    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,8 +1,69 @@
-Changes in Shorewall 4.4.13.1
+Changes in Shorewall 4.4.15

-1)  Make log messages uniform.
+1)  Add macros from Tuomo Soini.

-2)  Fix blacklisting in simple configurations.
+2)  Corrected macro.JAP.
+
+3)  Added fatal_error() functions to the -lite CLIs.
+
+RC 1
+
+1)  Another Perl 5.12 warning.
+
+2)  Avoid anomalous behavior regarding syn flood chains.
+
+3)  Add HEADERS column for IPv6
+
+Beta 2
+
+1)  Tweaks to IPv6 tcfilters
+
+2)  Add support for explicit provider routes
+
+3)  Fix shared TC tcfilters handling.
+
+Beta 1
+
+1)  Handle exported VERBOSE.
+
+2)  Modernize handling of the params file.
+
+3)  Fix NULL_ROUTE_RFC1918
+
+4)  Fix problem of appending incorrect files.
+
+5)  Implement shared TC.
+
+Changes in Shorewall 4.4.14
+
+1)  Support ipset lists.
+
+2)  Use conntrack in 'shorewall connections'
+
+3)  Clean up Shorewall6 error messages when running on a kernel <
+    2.6.24
+
+4)  Clean up ipset related error reporting out of validate_net().
+
+5)  Dramatically reduce the amount of CPU time spent in optimization.
+
+6)  Add 'scfilter' script.
+
+7)  Fix -lite init scripts.
+
+8)  Clamp VERBOSITY to valid range.
+
+9)  Delete obsolete options from shorewall.conf.
+
+10) Change value of FORWARD_CLEAR_MARK in *.conf.
+
+11) Use update-rc.d to install init symlinks.
+
+12) Fix split_list().
+
+13) Fix 10+ TC Interfaces.
+
+14) Insure that VERBOSITY=0 when interrogating compiled script's version

 Changes in Shorewall 4.4.13

--- a/Shorewall/configfiles/accounting
+++ b/Shorewall/configfiles/accounting
@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-#####################################################################################################
+#################################################################################################################
 #ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC
 #							PORT(S)		PORT(S)	GROUP
--- a/Shorewall/configfiles/findgw
+++ b/Shorewall/configfiles/findgw
@@ -3,11 +3,11 @@
 #
 # /etc/shorewall/findgw
 #
-#    The code in this file is executed when Shorewall is trying to detect the 
+#    The code in this file is executed when Shorewall is trying to detect the
 #    gateway through an interface in /etc/shorewall/providers that has GATEWAY
 #    specified as 'detect'.
 #
-#    The function should echo the IP address of the gateway if it knows what 
+#    The function should echo the IP address of the gateway if it knows what
 #    it is; the name of the interface is in $1.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
--- a/Shorewall/configfiles/restored
+++ b/Shorewall/configfiles/restored
@@ -4,7 +4,7 @@
 # /etc/shorewall/restored
 #
 #	Add commands below that you want to be executed after shorewall has
-#	completed a 'restore' command. 
+#	completed a 'restore' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/configfiles/routes
+++ b/Shorewall/configfiles/routes
@@ -0,0 +1,9 @@
+#
+# Shorewall version 4 - routes File
+#
+# For information about entries in this file, type "man shorewall-routes"
+#
+# For additional information, see http://www.shorewall.net/MultiISP.html
+##############################################################################
+#PROVIDER		DEST			GATEWAY		DEVICE
+
--- a/Shorewall/configfiles/scfilter
+++ b/Shorewall/configfiles/scfilter
@@ -0,0 +1,15 @@
+#! /bin/sh
+#
+# Shorewall version 4 - Show Connections Filter
+#
+# /etc/shorewall/scfilter
+#
+#	Replace the 'cat' command below to filter the output of
+#       'show connections. Unlike other extension scripts, this file
+#       must be executable before Shorewall will use it.
+#
+# See http://shorewall.net/shorewall_extension_scripts.htm for additional
+# information.
+#
+###############################################################################
+cat -
--- a/Shorewall/configfiles/secmarks
+++ b/Shorewall/configfiles/secmarks
@@ -10,4 +10,4 @@



-								
+
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -126,14 +126,10 @@ ADMINISABSENTMINDED=Yes

 BLACKLISTNEWONLY=Yes

-DELAYBLACKLISTLOAD=No
-
 MODULE_SUFFIX=ko

 DISABLE_IPV6=No

-BRIDGING=No
-
 DYNAMIC_ZONES=No

 PKTTYPE=Yes
@@ -154,8 +150,6 @@ IMPLICIT_CONTINUE=No

 HIGH_ROUTE_MARKS=No

-USE_ACTIONS=Yes
-
 OPTIMIZE=0

 EXPORTPARAMS=Yes
@@ -196,7 +190,7 @@ LOAD_HELPERS_ONLY=No

 REQUIRE_INTERFACE=No

-FORWARD_CLEAR_MARK=Yes
+FORWARD_CLEAR_MARK=

 COMPLETE=No

--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.13.1
+VERSION=4.4.15

 usage() # $1 = exit status
 {
@@ -301,7 +301,7 @@ fi
 run_install $OWNERSHIP -m 0644 configfiles/zones ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/zones ]; then
-    run_install $OWNERSHIP -m 0744 configfiles/zones ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0644 configfiles/zones ${DESTDIR}/etc/shorewall
    echo "Zones file installed as ${DESTDIR}/etc/shorewall/zones"
 fi

@@ -737,6 +737,15 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcclear ]; then
    echo "Tcclear file installed as ${DESTDIR}/etc/shorewall/tcclear"
 fi
 #
+# Install the Scfilter file
+#
+run_install $OWNERSHIP -m 644 configfiles/scfilter ${DESTDIR}/usr/share/shorewall/configfiles
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/scfilter ]; then
+    run_install $OWNERSHIP -m 0600 configfiles/scfilter ${DESTDIR}/etc/shorewall
+    echo "Scfilter file installed as ${DESTDIR}/etc/shorewall/scfilter"
+fi
+#
 # Install the Standard Actions file
 #
 install_file actions.std ${DESTDIR}/usr/share/shorewall/actions.std 0644
@@ -807,6 +816,13 @@ install_file compiler.pl ${DESTDIR}/usr/share/shorewall/compiler.pl 0755
 echo
 echo "Compiler installed in ${DESTDIR}/usr/share/shorewall/compiler.pl"
 #
+# Install the params file helper
+#
+install_file getparams ${DESTDIR}/usr/share/shorewall/getparams 0755
+
+echo
+echo "Params file helper installed in ${DESTDIR}/usr/share/shorewall/getparams"
+#
 # Install the libraries
 #
 for f in Shorewall/*.pm ; do
@@ -878,11 +894,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
    if [ -n "$DEBIAN" ]; then
 	install_file default.debian /etc/default/shorewall 0644

-	if [ -x /sbin/insserv ]; then
-	    insserv /etc/init.d/shorewall
-	else
-	    ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
-	fi
+	update-rc.d shorewall defaults

 	echo "shorewall will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall to enable"
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@@ -1,11 +1 @@
-1)  On systems running Upstart, shorewall-init cannot reliably start the
-    firewall before interfaces are brought up.
-
-2)  The date/time formatting in the STARTUP_LOG is not uniform.
-
-    Fixed in 4.4.13.1
-
-3)  The blacklisting change in 4.4.13 broke blacklisting in some simple
-    configurations with the effect that blacklisting was not enabled.
-
-    Fixed in 4.4.13.1
+There are no known problems in Shorewall 4.4.15
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -29,7 +29,7 @@
 #

 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40413
+SHOREWALL_CAPVERSION=40415

 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -433,6 +433,36 @@ list_zone() {
    done
 }

+#
+# Show Filter - For Shorewall-lite, if there was an scfilter file at compile-time,
+#               then the compiler generated another version of this function and
+#               embedded it in the firewall.conf file. That version supersedes this
+#               one.
+#
+show_connections_filter() {
+    local filter
+    local command
+    local first
+
+    command=${SHOREWALL_SHELL}
+
+    filter=$(find_file scfilter)
+
+    if [ -f $filter ]; then
+	first=$(head -n1 $filter)
+
+	case $first in
+	    \#!*)
+		command=${first#\#!}
+		;;
+	esac
+
+	$command $filter
+    else
+	cat -
+    fi
+}
+
 #
 # Show Command Executor
 #
@@ -520,15 +550,33 @@ show_command() {

    g_ipt_options="$g_ipt_options $g_ipt_options1"

+
    [ -n "$g_debugging" ] && set -x
    case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-	    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
+
+	    if [ -d /proc/sys/net/netfilter/ ]; then
+		local count
+		local max
+		count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+		max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+		echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
+	    else
+		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
+	    fi
+
 	    echo
-	    [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
+
+	    if qt mywhich conntrack ; then
+		conntrack -f ipv4 -L | show_connections_filter
+	    else
+		if [ -f /proc/net/ip_conntrack ]; then
+		    cat /proc/net/ip_conntrack | show_connections_filter
+		else
+		    grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
+		fi
+	    fi
 	    ;;
 	nat)
 	    [ $# -gt 1 ] && usage 1
@@ -556,7 +604,7 @@ show_command() {

 	    if [ -z "$LOGFILE" ]; then
 		LOGFILE=/var/log/messages
-		
+
 		if [ -n "$(syslog_circular_buffer)" ]; then
 		    g_logread="logread | tac"
 		elif [ -r $LOGFILE ]; then
@@ -763,10 +811,40 @@ show_command() {
    esac
 }

+#
+# Dump Filter - For Shorewall-lite, if there was a dumpfilter file at compile-time,
+#               then the compiler generated another version of this function and
+#               embedded it in the firewall.conf file. That version supersedes this
+#               one.
+#
+dump_filter() {
+    local filter
+    local command
+    local first
+
+    command=${SHOREWALL_SHELL}
+
+    filter=$(find_file dumpfilter)
+
+    if [ -f $filter ]; then
+	first=$(head -n1 $filter)
+
+	case $first in
+	    \#!*)
+		command=${first#\#!}
+		;;
+	esac
+
+	$command $filter
+    else
+	cat -
+    fi
+}
+
 #
 # Dump Command Executor
 #
-dump_command() {
+do_dump_command() {
    local finished
    finished=0

@@ -912,6 +990,10 @@ dump_command() {
 	fi
 }

+dump_command() {
+    do_dump_command | dump_filter
+}
+
 #
 # Restore Comand Executor
 #
@@ -1577,6 +1659,7 @@ determine_capabilities() {
    FLOW_FILTER=
    FWMARK_RT_MASK=
    MARK_ANYWHERE=
+    HEADER_MATCH=

    chain=fooX$$

@@ -1795,6 +1878,7 @@ report_capabilities() {
 	report_capability "FLOW Classifier" $FLOW_FILTER
 	report_capability "fwmark route mask" $FWMARK_RT_MASK
 	report_capability "Mark in any table" $MARK_ANYWHERE
+	report_capability "Header Match" $HEADER_MATCH
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1860,6 +1944,7 @@ report_capabilities1() {
    report_capability1 FLOW_FILTER
    report_capability1 FWMARK_RT_MASK
    report_capability1 MARK_ANYWHERE
+    report_capability1 HEADER_MATCH

    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
--- a/Shorewall/lib.common
+++ b/Shorewall/lib.common
@@ -34,6 +34,10 @@ get_script_version() { # $1 = script
    local version
    local ifs
    local digits
+    local verbosity
+
+    verbosity="$VERBOSITY"
+    VERBOSITY=0

    temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )

@@ -54,6 +58,8 @@ get_script_version() { # $1 = script
    fi

    echo $version
+
+    VERBOSITY="$verbosity"
 }

 #
@@ -514,7 +520,7 @@ find_file()
 #
 # Set the Shorewall state
 #
-set_state () # $1 = state $2 
+set_state () # $1 = state $2
 {
    if [ $# -gt 1 ]; then
 	echo "$1 ($(date)) from $2" > ${VARDIR}/state
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-                      S H O R E W A L L  4 . 4 . 1 3 . 1
+                      S H O R E W A L L  4 . 4 . 1 5
 ----------------------------------------------------------------------------

 I.    PROBLEMS CORRECTED IN THIS RELEASE
@@ -13,260 +13,150 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------

-4.4.13.1
+1)  Previously, if 

-1)  Previously, messages to the STARTUP_LOG had inconsistent date formats.
+    a) syn flood protection was enabled in a policy that
+       specified 'all' for the SOURCE or DEST, and
+    b) there was only one pair of zones matching that policy, and
+    c) PROPAGATE_POLICIES=Yes in shorewall.conf, and
+    d) logging was specified on the policy

-2)  The blacklisting change in 4.4.13 was broken in some simple
-    configurations with the effect that blacklisting was not enabled.
+    then the chain implementing the chain had "all" in its name while
+    the logging rule did not.

-4.4.13
- 
-1)  Under rare circumstances where COMMENT is used to attach comments
-    to rules, OPTIMIZE 8 through 15 could result in invalid
-    iptables-restore (ip6tables-restore) input.
+    Example

-2)  Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
-    could result in invalid iptables-restore (ip6tables-restore) input.
+	On a simple standalone configuration, /etc/shorewall/policy
+	has:

-3)  The change in 4.4.12 to detect and use the new ipset match syntax
-    broke the ability to detect the old ipset match capability. Now,
-    both versions of the capability can be correctly detected.
+	     #SOURCE	DEST	POLICY	LOGGING
+    	     net	all	DROP	info

-4)  Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
-    if the last optional interface tested was not available.
+	then the chain implementing syn flood protection would be named
+	@net2all while the logging rule would indicate net2fw.

-5)  Exclusion in the blacklist file was correctly validated but was then
-    ignored when generating iptables (ip6tables) rules.
+    Now, the chain will be named @net2fw.

-6)  Previously, non-trivial exclusion (more than one excluded
-    address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
-    valid but incorrect iptables input. This has been corrected but
-    requires that your iptables/kernel support marking rules in any
-    Netfilter table (CONTINUE in the tcrules file does not require this
-    support).
+2)  If the current environment exported the VERBOSE variable with a
+    non-zero value, then startup would fail.

-    This fix implements a new 'Mark in any table' capability; those
-    who utilize a capabilities file should re-generate the file using
-    this release.
+3)  If a route existed for an entire RFC1918 subnet (10.0.0.0/8,
+    172.20.0.0/12 or 192.168.0.0/16), then setting
+    NULL_ROUTE_RFC1918=Yes would cause the route to be replaced with an
+    'unreachable' one.

-7)  Interface handling has been extensively modified in this release
-    to correct a number of problems with the earlier
-    implementation. Among those problems:
+4)  Shorewall6 failed to start correctly if all the following were true:

-    - Invalid shell variable names could be generated in the firewall
-      script. The generated firewall script uses shell variables to
-      track the availability of optional and required interfaces and
-      to record detected gateways, detected addresses, etc.
+    - Shorewall was installed using the tarball. It may have
+      subsequently been installed using a distribution-specific package
+      or the rpm from shorewall.net without first unstalling the
+      tarball components.

-    - The same shell variable name could be generated by two different
-      interface names.
+    - Shorewall6 was installed using a distribution-specific package or
+      the rpm from shorewall.net.

-    - Entries in the interfaces file with a wildcard physical name
-      (physical name ends with "+") and with the 'optional' option were
-      handled strangely.
+    - The file /etc/shorewall6/init was not created.

-      o If there were references to specific interfaces that matched
-        the wildcard, those entries were handled as if they had been
-        defined as optional in the interfaces file.
+5)  If an interface with physical='+' is given the 'optional' or
+    'required' option, then invalid shell variables names were
+    generated by the compiler.

-      o If there were no references matching the wildcard, then the
-        'optional' option was effectively ignored. 
+6)  The contributed macro macro.JAP generated a fatal error when used.
+    The root cause was a defect in parameter processing in nested
+    macros (if 'PARAM' was passed to an nested macro invocation, it was
+    not expanded to the current parameter value).

-    The new implementation:
+7)  Previously, if find_first_interface_address() failed when running
+    shorewall-lite or shoreawll6-lite, the following unhelpful message
+    was issued:

-    - Insures valid shell variable names.
-    
-    - Insures that shell variable names are unique.
-
-    - Handles interface names appearing in the INTERFACE column of the
-      providers file as a special case for 'optional'. If the name
-      matches a wildcard entry in the interfaces file then the
-      usability of the specific interface is tracked individually. 
-
-    - Handles the availabilty of other interfaces matching a wildcard
-      as a group; if there is one useable interface in the group then
-      the wildcard itself is considered usable.
-
-      The following example illustrates this use case:
-
-      /etc/shorewall/interfaces
-
-	net	ppp+	-	optional
-
-      /etc/shorewall/shorewall.conf
-
-	REQUIRE_INTERFACE=Yes
-
-      If there is any usable PPP interface then the firewall will be
-      allowed to start. Previously, the firewall would never be allowed
-      to start.
-
-8)  When a comma-separated list of 'src' and/or 'dst' was specified in
-    an ipset invocation (e.g., "+fooset[src,src]), all but the first 'src'
-    or 'dst' was previously ignored when generating the resulting
-    iptables rule.
-
-9)  Beginning with Shorewall 4.4.9, the SAME target in tcrules has
-    generated invalid iptables (ip6tables) input. That target now
-    generates correct input.
-
-10) Ipsets associated with 'dynamic' zones were being created during
-    'restart' but not during 'start'.
-
-11) To work around an issue in Netfilter/iptables, Shorewall now uses
-    state match rather than conntrack match for UNTRACKED state
-    matching.
-
-12) If the routestopped files contains NOTRACK rules, 'shorewall* clear' 
-    did not clear the raw table.
-
-13) An error message was incorrectly generated if a port range of the
-    form :<port> (e.g., :22) appeared.
-
-14) An error is now generated if '*' appears in an interface name.
+    	/usr/share/shorewall-lite/lib.common: line 449: startup_error: command
+                                              not found

 ----------------------------------------------------------------------------
           I I.  K N O W N   P R O B L E M S   R E M A I N I N G
 ----------------------------------------------------------------------------

-1)  On systems running Upstart, shorewall-init cannot reliably start the
-    firewall before interfaces are brought up.
+1)  On systems running Upstart, shorewall-init cannot reliably secure
+    the firewall before interfaces are brought up.

 ----------------------------------------------------------------------------
      I I I.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------

-1)  Entries in the rules file (both Shorewall and Shorewall6) may now
-    contain zone lists in the SOURCE and DEST column. A zone list is a
-    comma-separated list of zone names where each name appears in the
-    zones file. A zone list may be optionally followed by a plus sign
-    ("+") to indicate that the rule should apply to intra-zone traffic
-    as well as to inter-zone traffic.
+1)   Munin and Squid macros have been contributed by Tuomo Soini.

-    Zone lists behave like 'all' and 'any' with respect to Optimization
-    1. If the rule matches the applicable policy for a given (source
-    zone, dest zone), then the rule will be suppessed for that pair of
-    zones unless overridden by the '!' suffix on the target in the
-    ACTION column (e.g., ACCEPT!, DROP!:info, etc.).
+2)   The Shorewall6 accounting, tcrules and rules files now include a
+     HEADERS column which allows matching based on the IPv6 extension and
+     protocol headers included in a packet.

-    Additionally, 'any', 'all' and zone lists may be qualified in the
-    same way as a single zone.
+     The contents of the column are:

-    Examples:
+     	 [any:|exactly:]<header list>

-	fw,dmz:90.90.191.120/29
-	all:+blacklist
+     where <header list> is a comma-separated list of headers from the
+     following:

-    The 'all' and 'any' keywords now support exclusion in the form of a
-    comma-separated list of excluded zones.
+	Long Name	Short Name	Number
+        --------------------------------------
+	auth   		ah    		51
+	esp		esp		50
+d	hop-by-hop	hop		0
+	route		ipv6-route	41
+	frag		ipv6-frag	44
+	none		ipv6-nonxt	59	
+	protocol	proto		255

-    Examples: 
+     If 'any:' is specified, the rule will match if any of the listed
+     headers are present. If 'exactly:' is specified, the will match
+     packets that exactly include all specified headers. If neither is
+     given, 'any:' is assumed.

-    	     all!fw         (same as all-).
-	     any+!dmz,loc   (All zones except 'dmz' and 'loc' and
-	     		     include intra-zone rules).
+     This change adds a new capability (Header Match) so if you use a
+     capabilities file, you will need to regenerate using this release.

-2)  An IPSEC column has been added to the accounting file, allowing you
-    to segregate IPSEC traffic from non-IPSEC traffic. See 'man
-    shorewall-accounting' (man shorewall6-accounting) for details.
+3)  It is now possible to add explicit routes to individual provider
+    routing tables using the /etc/shorewall/routes (/etc/shorewall6/routes)
+    file.

-    With this change, there are now three trees of accounting chains:
+    See the shorewall-routes (5) and/or the shorewall6-routes (5)  manpage.

-    - The one rooted in the 'accounting' chain.
-    - The one rooted in the 'accipsecin' chain. This tree handles
-      traffic that has been decrypted on the firewall. Rules in this
-      tree cannot specify an interface name in the DEST column.
-    - The one rooted in the 'accipsecout' chain. This tree handles
-      traffic that will be encrypted on the firewall. Rules in this
-      tree cannot specify an interface name in the SOURCE column.
+4)  Previously, /usr/share/shorewall/compiler.pl expected the contents
+    of the params file to be passed in the environment. Now, the
+    compiler invokes a small shell program
+    (/usr/share/shorewall/getparams) to process the file and to pass
+    the (variable,value) pairs back to the compiler.

-    In reality, when there are bridges defined in the configuration,
-    there is a fourth tree rooted in the 'accountout' chain. That chain
-    handles traffic that originates on the firewall (both IPSEC and
-    non-IPSEC).
+    Shell variable expansion uses the value from the params file if the
+    parameter was set in that file. Otherwise the current environment
+    is used. If the variable does not appear in either place, an error
+    message is generated.

-    This change also implements a couple of new warnings:
+5)  Shared IPv4/IPv6 traffic shaping configuraiton is now
+    available. The device and class configuration can be included in
+    either the Shorewall or the Shorewall6 configuration. To place it
+    in the Shorewall configuration:

-    - WARNING: Adding rule to unreferenced accounting chain <name>
+    a) Set TC_ENABLED=Internal in shorewall.conf
+    b) Set TC_ENABLED=Shared in shorewall6.conf
+    c) Create symbolic link /etc/shorewall6/tcdevices pointing to
+       /etc/shorewall/tcdevices.
+    d) Create symbolic link /etc/shorewall6/tcclasses pointing to
+       /etc/shorewall/tcclasses.
+    e) Entries for both IPv4 and IPv6 can be included in
+       /etc/shorewall/tcfilters. This file has been extended to allow
+       both IPv4 and IPv6 entries to be included in a single file.
+    f) Packet marking rules are included in both configurations'
+       tcrules file as needed. CLASSIFY rules in
+       /etc/shorewall6/tcrules are validated against the Shorewall TC
+       configuration.
+  
+    In this setup, the tcdevices and tcclasses will only be updated
+    when Shorewall is restarted. The IPv6 marking rules are updated
+    when Shorewall6 is restarted.

-      The first reference to user-defined accounting chain <name> is
-      not a JUMP or COUNT from an already-defined chain.
-
-    - WARNING: Accounting chain <name> has o references
-
-      The named chain contains accounting rules but no JUMP or COUNT
-      specifies that chain as the target.
-
-3)  Shorewall now supports the SECMARK and CONNSECMARK targets for
-    manipulating the SELinux context of packets.
-
-    See the shorewall-secmarks and shorewall6-secmarks manpages for
-    details.
-
-    As part of this change, the tcrules file now accepts $FW in the
-    DEST column for marking packets in the INPUT chain.
-
-4)  Blacklisting has undergone considerable change in Shorewall 4.4.13.
-
-    a) Blacklisting is now based on zones rather than on interfaces and
-       host groups.
-
-    b) Near compatibility with earlier releases is maintained.
-
-    c) The keywords 'src' and 'dst' are now preferred in the OPTIONS
-       column in /etc/shoreawll/blacklist, replacing 'from' and 'to'
-       respectively. The old keywords are still supported.
-
-    d) The 'blacklist' keyword may now appear in the OPTIONS,
-       IN_OPTIONS and OUT_OPTIONS fields in /etc/shorewall/zones.
-
-       i)  In the IN_OPTIONS column, it indicates that packets received
-           on the interface are checked against the 'src' entries in
-           /etc/shorewall/blacklist.
-
-       ii) In the OUT_OPTIONS column, it indicates that packets being
-           sent to the interface are checked against the 'dst' entries.
-
-       iii) Placing 'blacklist' in the OPTIONS column is equivalent to
-           placing in in both the IN_OPTIONS and OUT_OPTIONS columns.
-
-    e) The 'blacklist' option in the OPTIONS column of
-       /etc/shorewall/interfaces or /etc/shorewall/hosts is now
-       equivalent to placing it in the IN_OPTIONS column of the
-       associates record in /etc/shorewall/zones. If no zone is given
-       in the ZONE column of /etc/shorewall/interfaces, the 'blacklist'
-       option is ignored with a warning (it was previously ignored
-       silently).
-
-    f) The 'blacklist' option in the /etc/shorewall/interfaces and
-       /etc/shorewall/hosts files is now deprecated but will continue
-       to be supported for several releases. A warning will be added at
-       least one release before support is removed.
-
-5)  There is now an OUT-BANDWIDTH column in
-    /etc/shorewall/tcinterfaces.
-
-    The format of this column is:
-
-    	<rate>[:[<burst>][:[<latency>][:[<peak>][:[<minburst>]]]]]
-
-    These terms are described in tc-tbf(8). Shorewall supplies default
-    values as follows:
-
-    	   <burst>   = 10kb
-	   <latency> = 200ms
-
-    The remaining options are defaulted by tc.
-
-6)  The IN-BANDWIDTH column in both /etc/shorewall/tcdevices and
-    /etc/shorewall/tcinterfaces now accepts an optional burst parameter.
-
-        <rate>[:<burst>]
-
-    The default <burst> is 10kb. A larger <burst> can help make the
-    <rate> more accurate; often for fast lines, the enforced rate is
-    well below the specified <rate>.
+    The above configuration may be reversed to allow Shorewall6 to
+    control the TC configuration.

 ----------------------------------------------------------------------------
             I V.  R E L E A S E  4 . 4  H I G H L I G H T S
@@ -487,6 +377,394 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
 ----------------------------------------------------------------------------
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
      I N   P R I O R  R E L E A S E S
+----------------------------------------------------------------------------
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 4
+----------------------------------------------------------------------------
+
+1)  Previously, messages to the STARTUP_LOG had inconsistent date formats.
+
+2)  The blacklisting change in 4.4.13 was broken in some simple
+    configurations with the effect that blacklisting was not enabled.
+
+3)  Previously, Shorewall6 produced an untidy sequence of error
+    messages when an attempt was made to start it on a system running a
+    kernel older than 2.6.24:
+
+       [root@localhost shorewall6]# shorewall6 start
+       Compiling...
+       Processing /etc/shorewall6/shorewall6.conf...
+       Loading Modules...
+       Compiling /etc/shorewall6/zones...
+       ...
+       Shorewall configuration compiled to /var/lib/shorewall6/.start
+          ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
+       /usr/share/shorewall6/lib.common: line 73:
+             [: -lt: unary operator expected
+          ERROR: Shorewall6 requires Linux kernel 2.6.24 or later
+       [root@localhost shorewall6]#
+
+    This has been corrected so that a single ERROR message is
+    generated.
+
+4)  Previously, an ipset name appearing in the /etc/shorewall/hosts
+    file could be qualified with a list of 'src' and/or 'dst' enclosed
+    in quotes. This was virtually guaranteed not to work since the set
+    must match when used to verify both a packet source and a
+    packet destination. Now, the following error is raised:
+
+    	   ERROR: ipset name qualification is disallowed in this file
+
+    As part of this change, the ipset name is now verified to begin
+    with a letter and be composed of letters, digits, underscores ("_")
+    and hyphens ("-").
+
+5)  The Shorewall-lite and Shorewall6-lite Debian init scripts contained a
+    syntax error.
+
+6)  If the -v or -q options were used in /sbin/shorewall-lite or
+    /sbin/shorewall6-lite commands that involve the compiled firewall
+    script and the resulting effective VERBOSITY was > 2 or < -1, then
+    the command would fail.
+
+7)  The log reading commands (show log, logwatch, and dump) returned no
+    log records when run on one of the -lite products.
+
+8)  To avoid future confusion, the following obsolete options have been
+    deleted from the sample shorewall.conf files:
+
+    	    BRIDGING
+    	    DELAYBLACKLISTLOAD
+	    PKTTYPE
+
+    They will still be recognized by the rules compiler.
+
+9)  All sample .conf files have been changed to specify
+
+    	FORWARD_CLEAR_MARK=
+
+    rather than
+
+    	FORWARD_CLEAR_MARK=Yes
+
+    That way, systems without MARK support will still be able to
+    install the sample configurations and FORWARD_CLEAR_MARK will
+    default to Yes on systems with MARK support.
+
+10) The install scripts in the tarballs now correctly create init
+    symlinks on recent Ubuntu releases.
+
+11) Previously, this entry in the OPTIONS column of
+    /etc/shorewall/interfaces incorrectly generated a syntax error.
+
+    	nets=(1.2.3.0/24)
+
+    The error was:
+
+    	ERROR: Invalid VLSM (24))
+
+12) Previously, if 10 or more interfaces were configured in Complex
+    Traffic Shaping (/etc/shorewall/tcdevices), the following
+    compilation diagnostic was generated:
+
+        Argument "a" isn't numeric in sprintf at
+	/usr/share/shorewall/Shorewall/Config.pm line 893.
+ 
+    and an invalid TC configuration was generated.
+
+13) If the current environment exported the VERBOSITY variable with a
+    non-zero value, startup would fail.
+
+----------------------------------------------------------------------------
+               N E W   F E A T U R E S   I N   4 . 4 . 1 4
+----------------------------------------------------------------------------
+
+1)  Multiple source or destination ipset matches can be generated by
+    enclosing the ipset list in +[...].
+
+    Example (/etc/shorewall/rules):
+
+        ACCEPT $FW net:+[dest-ip-map,dest-port-map]
+
+2)  Shorewall now uses the 'conntrack' utility for 'show connections'
+    if that utility is installed. Going forward, the Netfilter team
+    will be enhancing this interface rather than the /proc interface.
+
+3)  The CPU time required for optimization has been reduced by 2/3.
+
+4)  An 'scfilter' extension script has been added. This extension
+    script differs from other such scripts in that it is invoked by the
+    command line tools (/sbin/shorewall, /sbin/shorewall6,
+    /sbin/shorewall-lite and /sbin/shorewall6-lite).
+
+    The script acts as a filter for the output of the 'show
+    connections' command. Each connection is piped through the filter
+    which can modify and/or drop information as desired.
+
+    Example:
+
+	#!/bin/sh
+ 	sed 's/secmark=0 //'
+
+    That script will remove 'secmark=0 ' from each line.
+
+    The default script is:
+
+    	#!/bin/sh
+	cat -
+
+    which passes the output through unmodified.
+
+    If you are using Shorewall-lite and/or Shorewall6-lite, the
+    scfilter file is kept on the administrative system. The compiler
+    encapsulates the script into a shell function that is copied
+    into the generated auxillary configuration file
+    (firewall.conf). That function is then invoked by the 'show
+    connections' command.
+
+----------------------------------------------------------------------------
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 3
+----------------------------------------------------------------------------
+
+1)  Under rare circumstances where COMMENT is used to attach comments
+    to rules, OPTIMIZE 8 through 15 could result in invalid
+    iptables-restore (ip6tables-restore) input.
+
+2)  Under rare circumstances involving exclusion, OPTIMIZE 8 through 15
+    could result in invalid iptables-restore (ip6tables-restore) input.
+
+3)  The change in 4.4.12 to detect and use the new ipset match syntax
+    broke the ability to detect the old ipset match capability. Now,
+    both versions of the capability can be correctly detected.
+
+4)  Previously, if REQUIRE_INTERFACE=Yes then start/restart would fail
+    if the last optional interface tested was not available.
+
+5)  Exclusion in the blacklist file was correctly validated but was then
+    ignored when generating iptables (ip6tables) rules.
+
+6)  Previously, non-trivial exclusion (more than one excluded
+    address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
+    valid but incorrect iptables input. This has been corrected but
+    requires that your iptables/kernel support marking rules in any
+    Netfilter table (CONTINUE in the tcrules file does not require this
+    support).
+
+    This fix implements a new 'Mark in any table' capability; those
+    who utilize a capabilities file should re-generate the file using
+    this release.
+
+7)  Interface handling has been extensively modified in this release
+    to correct a number of problems with the earlier
+    implementation. Among those problems:
+
+    - Invalid shell variable names could be generated in the firewall
+      script. The generated firewall script uses shell variables to
+      track the availability of optional and required interfaces and
+      to record detected gateways, detected addresses, etc.
+
+    - The same shell variable name could be generated by two different
+      interface names.
+
+    - Entries in the interfaces file with a wildcard physical name
+      (physical name ends with "+") and with the 'optional' option were
+      handled strangely.
+
+      o If there were references to specific interfaces that matched
+        the wildcard, those entries were handled as if they had been
+        defined as optional in the interfaces file.
+
+      o If there were no references matching the wildcard, then the
+        'optional' option was effectively ignored.
+
+    The new implementation:
+
+    - Insures valid shell variable names.
+
+    - Insures that shell variable names are unique.
+
+    - Handles interface names appearing in the INTERFACE column of the
+      providers file as a special case for 'optional'. If the name
+      matches a wildcard entry in the interfaces file then the
+      usability of the specific interface is tracked individually.
+
+    - Handles the availabilty of other interfaces matching a wildcard
+      as a group; if there is one useable interface in the group then
+      the wildcard itself is considered usable.
+
+      The following example illustrates this use case:
+
+      /etc/shorewall/interfaces
+
+	net	ppp+	-	optional
+
+      /etc/shorewall/shorewall.conf
+
+	REQUIRE_INTERFACE=Yes
+
+      If there is any usable PPP interface then the firewall will be
+      allowed to start. Previously, the firewall would never be allowed
+      to start.
+
+8)  When a comma-separated list of 'src' and/or 'dst' was specified in
+    an ipset invocation (e.g., "+fooset[src,src]), all but the first 'src'
+    or 'dst' was previously ignored when generating the resulting
+    iptables rule.
+
+9)  Beginning with Shorewall 4.4.9, the SAME target in tcrules has
+    generated invalid iptables (ip6tables) input. That target now
+    generates correct input.
+
+10) Ipsets associated with 'dynamic' zones were being created during
+    'restart' but not during 'start'.
+
+11) To work around an issue in Netfilter/iptables, Shorewall now uses
+    state match rather than conntrack match for UNTRACKED state
+    matching.
+
+12) If the routestopped files contains NOTRACK rules, 'shorewall* clear'
+    did not clear the raw table.
+
+13) An error message was incorrectly generated if a port range of the
+    form :<port> (e.g., :22) appeared.
+
+14) An error message is now generated when '*' appears in an interface
+    name.
+
+----------------------------------------------------------------------------
+               N E W   F E A T U R E S   I N   4 . 4 . 1 3
+----------------------------------------------------------------------------
+
+1)  Entries in the rules file (both Shorewall and Shorewall6) may now
+    contain zone lists in the SOURCE and DEST column. A zone list is a
+    comma-separated list of zone names where each name appears in the
+    zones file. A zone list may be optionally followed by a plus sign
+    ("+") to indicate that the rule should apply to intra-zone traffic
+    as well as to inter-zone traffic.
+
+    Zone lists behave like 'all' and 'any' with respect to Optimization
+    1. If the rule matches the applicable policy for a given (source
+    zone, dest zone), then the rule will be suppessed for that pair of
+    zones unless overridden by the '!' suffix on the target in the
+    ACTION column (e.g., ACCEPT!, DROP!:info, etc.).
+
+    Additionally, 'any', 'all' and zone lists may be qualified in the
+    same way as a single zone.
+
+    Examples:
+
+	fw,dmz:90.90.191.120/29
+	all:+blacklist
+
+    The 'all' and 'any' keywords now support exclusion in the form of a
+    comma-separated list of excluded zones.
+
+    Examples:
+
+    	     all!fw         (same as all-).
+	     any+!dmz,loc   (All zones except 'dmz' and 'loc' and
+	     		     include intra-zone rules).
+
+2)  An IPSEC column has been added to the accounting file, allowing you
+    to segregate IPSEC traffic from non-IPSEC traffic. See 'man
+    shorewall-accounting' (man shorewall6-accounting) for details.
+
+    With this change, there are now three trees of accounting chains:
+
+    - The one rooted in the 'accounting' chain.
+    - The one rooted in the 'accipsecin' chain. This tree handles
+      traffic that has been decrypted on the firewall. Rules in this
+      tree cannot specify an interface name in the DEST column.
+    - The one rooted in the 'accipsecout' chain. This tree handles
+      traffic that will be encrypted on the firewall. Rules in this
+      tree cannot specify an interface name in the SOURCE column.
+
+    In reality, when there are bridges defined in the configuration,
+    there is a fourth tree rooted in the 'accountout' chain. That chain
+    handles traffic that originates on the firewall (both IPSEC and
+    non-IPSEC).
+
+    This change also implements a couple of new warnings:
+
+    - WARNING: Adding rule to unreferenced accounting chain <name>
+
+      The first reference to user-defined accounting chain <name> is
+      not a JUMP or COUNT from an already-defined chain.
+
+    - WARNING: Accounting chain <name> has o references
+
+      The named chain contains accounting rules but no JUMP or COUNT
+      specifies that chain as the target.
+
+3)  Shorewall now supports the SECMARK and CONNSECMARK targets for
+    manipulating the SELinux context of packets.
+
+    See the shorewall-secmarks and shorewall6-secmarks manpages for
+    details.
+
+    As part of this change, the tcrules file now accepts $FW in the
+    DEST column for marking packets in the INPUT chain.
+
+4)  Blacklisting has undergone considerable change in Shorewall 4.4.13.
+
+    a) Blacklisting is now based on zones rather than on interfaces and
+       host groups.
+
+    b) Near compatibility with earlier releases is maintained.
+
+    c) The keywords 'src' and 'dst' are now preferred in the OPTIONS
+       column in /etc/shoreawll/blacklist, replacing 'from' and 'to'
+       respectively. The old keywords are still supported.
+
+    d) The 'blacklist' keyword may now appear in the OPTIONS,
+       IN_OPTIONS and OUT_OPTIONS fields in /etc/shorewall/zones.
+
+       i)  In the IN_OPTIONS column, it indicates that packets received
+           on the interface are checked against the 'src' entries in
+           /etc/shorewall/blacklist.
+
+       ii) In the OUT_OPTIONS column, it indicates that packets being
+           sent to the interface are checked against the 'dst' entries.
+
+       iii) Placing 'blacklist' in the OPTIONS column is equivalent to
+           placing in in both the IN_OPTIONS and OUT_OPTIONS columns.
+
+    e) The 'blacklist' option in the OPTIONS column of
+       /etc/shorewall/interfaces or /etc/shorewall/hosts is now
+       equivalent to placing it in the IN_OPTIONS column of the
+       associates record in /etc/shorewall/zones. If no zone is given
+       in the ZONE column of /etc/shorewall/interfaces, the 'blacklist'
+       option is ignored with a warning (it was previously ignored
+       silently).
+
+    f) The 'blacklist' option in the /etc/shorewall/interfaces and
+       /etc/shorewall/hosts files is now deprecated but will continue
+       to be supported for several releases. A warning will be added at
+       least one release before support is removed.
+
+5)  There is now an OUT-BANDWIDTH column in
+    /etc/shorewall/tcinterfaces.
+
+    The format of this column is:
+
+    	<rate>[:[<burst>][:[<latency>][:[<peak>][:[<minburst>]]]]]
+
+    These terms are described in tc-tbf(8). Shorewall supplies default
+    values as follows:
+
+    	   <burst>   = 10kb
+	   <latency> = 200ms
+
+    The remaining options are defaulted by tc.
+
+6)  The IN-BANDWIDTH column in both /etc/shorewall/tcdevices and
+    /etc/shorewall/tcinterfaces now accepts an optional burst parameter.
+
+        <rate>[:<burst>]
+
+    The default <burst> is 10kb. A larger <burst> can help make the
+    <rate> more accurate; often for fast lines, the enforced rate is
+    well below the specified <rate>.
+
 ----------------------------------------------------------------------------
         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 2
 ----------------------------------------------------------------------------
@@ -505,7 +783,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    fatal compilation error in REDIRECT rules.

 4)  A number of problems associated with Shorewall-init and Upstart
-    have been corrected. 
+    have been corrected.

    If you use Shorewall-init, then when upgrading to this version, be
    sure to recompile all firewall scripts before you take interfaces
@@ -515,7 +793,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    /usr/share/shorewall/configfiles/Makefile and rather issued the
    following message:

-    	      install-file: command not found 
+    	      install-file: command not found

    This caused the Makefile to be omitted from RPMs as well.

@@ -543,7 +821,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S

 2)  Per-ip log rate limiting has been added in the form of the LOGLIMIT
    option in shorewall.conf. When LOGLIMIT is specified, LOGRATE and
-    LOGBURST are ignored. 
+    LOGBURST are ignored.

    LOGRATE and LOGBURST are now deprecated.

@@ -626,7 +904,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 	Shorewall is running
 	State:Started (Thu Aug 12 19:41:48 PDT 2010) from /etc/shorewall/

-	gateway:/etc/shorewall# 
+	gateway:/etc/shorewall#

 ----------------------------------------------------------------------------
         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 1 1
@@ -659,7 +937,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    shorewall.conf and shorewall6.conf. It has been added.

 6)  Under some versions of Perl, a Perl run-time diagnostic was produced
-    when options were omitted from shorewall.conf or shorewall6.conf. 
+    when options were omitted from shorewall.conf or shorewall6.conf.

 7) If the following options were specified in /etc/shorewall/interfaces
   for an interface with '-' in the ZONE column, then these options
@@ -680,7 +958,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
 9) Previously, if nets= was specified under Shorewall6, this error
   would result:

-   	 ERROR: Invalid IPv6 address (224.0.0.0) : 
+   	 ERROR: Invalid IPv6 address (224.0.0.0) :
                /etc/shorewall6/interfaces (line 16)

 ----------------------------------------------------------------------------
@@ -695,7 +973,7 @@ V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
    See http://www.shorewall.net/Vserver.html for details.

 2)  A new FORWARD_CLEAR_MARK option has been added to shorewall.conf
-    and shorewall6.conf. 
+    and shorewall6.conf.

    Traditionally, Shorewall has cleared the packet mark in the first
    rule in the mangle FORWARD chain. This behavior is maintained with
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -353,12 +353,6 @@ compiler() {
    [ -n "$g_preview" ] && options="$options --preview"
    [ "$g_debugging" = trace ] && options="$options --debug"
    [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
-    #
-    # Run the appropriate params file
-    #
-    set -a;
-    run_user_exit params
-    set +a

    if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -1388,6 +1382,55 @@ usage() # $1 = exit status
    exit $1
 }

+version_command() {
+    local finished
+    finished=0
+    local all
+    all=
+    local product
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			a*)
+			    all=Yes
+			    option=${option#a}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    [ $# -gt 0 ] && usage 1
+
+    echo $SHOREWALL_VERSION
+
+    if [ -n "$all" ]; then
+	for product in shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
+	    if [ -f /usr/share/$product/version ]; then
+		echo "$product: $(cat /usr/share/$product/version)"
+	    fi
+	done
+    fi
+}
+
 #
 # Execution begins here
 #
@@ -1417,6 +1460,12 @@ g_debug=
 g_export=
 g_refreshchains=

+#
+# Make sure that these variables are cleared
+#
+VERBOSE=
+VERBOSITY=
+
 finished=0

 while [ $finished -eq 0 ]; do
@@ -1512,55 +1561,6 @@ while [ $finished -eq 0 ]; do
    esac
 done

-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-    local product
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-
-    if [ -n "$all" ]; then
-	for product in shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
 if [ $# -eq 0 ]; then
    usage 1
 fi
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.13
-%define release 1
+%define version 4.4.15
+%define release 0base

 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -97,6 +97,7 @@ fi
 %attr(0755,root,root) /usr/share/shorewall/wait4ifup

 %attr(755,root,root) /usr/share/shorewall/compiler.pl
+%attr(755,root,root) /usr/share/shorewall/getparams
 %attr(0644,root,root) /usr/share/shorewall/prog.*
 %attr(0644,root,root) /usr/share/shorewall/Shorewall/*.pm

@@ -108,10 +109,28 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples

 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
+* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0base
+* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0RC1
+* Mon Nov 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0Beta2
+* Sun Nov 14 2010 Tom Eastep tom@shorewall.net
+- Added getparams to installed files
+* Sat Oct 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0Beta1
+* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0base
+* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0RC1
+* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta4
+* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta3
+* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta2
+* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.13.1
+VERSION=4.4.15

 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -17,7 +17,7 @@ SRWL=/sbin/shorewall6-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}

-[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
+[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0

 export SHOREWALL_INIT_SCRIPT

--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.13.1
+VERSION=4.4.15

 usage() # $1 = exit status
 {
@@ -351,11 +351,7 @@ if [ -z "$DESTDIR" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite

-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall6-lite
-	    else
-		ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
-	    fi
+	    update-rc.d shorewall6-lite defaults

 	    echo "Shorewall6 Lite will start automatically at boot"
 	else
--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -94,9 +94,9 @@ get_config() {
    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages

    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
-	LOGREAD="logread | tac"
+	g_logread="logread | tac"
    elif [ -r $LOGFILE ]; then
-	LOGREAD="tac $LOGFILE"
+	g_logread="tac $LOGFILE"
    else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	exit 2
@@ -113,10 +113,6 @@ get_config() {

    [ -n "$FW" ] || FW=fw

-    [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
-
-    [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
-
    if [ -n "$IP6TABLES" ]; then
 	if [ ! -x "$IP6TABLES" ]; then
 	    echo "   ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2
@@ -145,6 +141,12 @@ get_config() {

    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))

+    if [ $VERBOSITY -lt -1 ]; then
+	VERBOSITY=-1
+    elif [ $VERBOSITY -gt 2 ]; then
+	VERBOSITY=2
+    fi
+
    g_hostname=$(hostname 2> /dev/null)

    IP=$(mywhich ip 2> /dev/null)
@@ -174,6 +176,15 @@ verify_firewall_script() {
    fi
 }

+#
+# Fatal error
+#
+startup_error() {
+    echo "   ERROR: $@" >&2
+    kill $$
+    exit 1
+}
+
 #
 # Start Command Executor
 #
@@ -447,6 +458,13 @@ g_noroutes=
 g_timestamp=
 g_recovering=
 g_purge=
+g_logread=
+
+#
+# Make sure that these variables are cleared
+#
+VERBOSE=
+VERBOSITY=

 finished=0

--- a/Shorewall6-lite/shorewall6-lite.conf
+++ b/Shorewall6-lite/shorewall6-lite.conf
@@ -21,6 +21,7 @@
 ###############################################################################
 #		              V E R B O S I T Y
 ###############################################################################
+
 VERBOSITY=

 ###############################################################################
@@ -29,8 +30,6 @@ VERBOSITY=

 LOGFILE=

-LOGFORMAT=
-
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.13
-%define release 1
+%define version 4.4.15
+%define release 0base

 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -93,10 +93,26 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
+* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0base
+* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0RC1
+* Mon Nov 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0Beta2
+* Sat Oct 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0Beta1
+* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0base
+* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0RC1
+* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta4
+* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta3
+* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta2
+* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.13.1
+VERSION=4.4.15

 usage() # $1 = exit status
 {
--- a/Shorewall6/accounting
+++ b/Shorewall6/accounting
@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-#####################################################################################
-#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK
+###############################################################################################################
+#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC	HEADERS
 #							PORT(S)		PORT(S)	GROUP
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.13.1
+VERSION=4.4.15

 usage() # $1 = exit status
 {
@@ -249,7 +249,7 @@ fi
 [ -n "$INIT" ] && echo  "Shorewall6 script installed in ${DESTDIR}${DEST}/$INIT"

 #
-# Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
+# Create /etc/shorewall, /usr/share/shorewall and /var/lib/shorewall6 if needed
 #
 mkdir -p ${DESTDIR}/etc/shorewall6
 mkdir -p ${DESTDIR}/usr/share/shorewall6
@@ -296,7 +296,7 @@ fi
 run_install $OWNERSHIP -m 0644 zones ${DESTDIR}/usr/share/shorewall6/configfiles/zones

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/zones ]; then
-    run_install $OWNERSHIP -m 0744 zones ${DESTDIR}/etc/shorewall6/zones
+    run_install $OWNERSHIP -m 0644 zones ${DESTDIR}/etc/shorewall6/zones
    echo "Zones file installed as ${DESTDIR}/etc/shorewall6/zones"
 fi

@@ -631,6 +631,15 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tcclear ]; then
    echo "Tcclear file installed as ${DESTDIR}/etc/shorewall6/tcclear"
 fi
 #
+# Install the Scfilter file
+#
+run_install $OWNERSHIP -m 0644 tcclear ${DESTDIR}/usr/share/shorewall6/configfiles/scfilter
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/scfilter ]; then
+    run_install $OWNERSHIP -m 0600 scfilter ${DESTDIR}/etc/shorewall6/scfilter
+    echo "Scfilter file installed as ${DESTDIR}/etc/shorewall6/scfilter"
+fi
+#
 # Install the Standard Actions file
 #
 install_file actions.std ${DESTDIR}/usr/share/shorewall6/actions.std 0644
@@ -729,11 +738,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
    if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6

-	if [ -x /sbin/insserv ]; then
-	    insserv /etc/init.d/shorewall6
-	else
-	    ln -s ../init.d/shorewall6 /etc/rcS.d/S40shorewall6
-	fi
+	update-rc.d shorewall6 defaults

 	echo "shorewall6 will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall6 to enable"
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -33,7 +33,7 @@
 #

 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40413
+SHOREWALL_CAPVERSION=40415

 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -357,6 +357,36 @@ show_routing() {
    fi
 }

+#
+# Show Filter - For Shorewall6-lite, if there was an scfilter file at compile-time,
+#               then the compiler generated another version of this function and
+#               embedded it in the firewall.conf file. That version supersedes this
+#               one.
+#
+show_connections_filter() {
+    local filter
+    local command
+    local first
+
+    command=${SHOREWALL_SHELL}
+
+    filter=$(find_file scfilter)
+
+    if [ -f $filter ]; then
+	first=$(head -n1 $filter)
+
+	case $first in
+	    \#!*)
+		command=${first#\#!}
+		;;
+	esac
+
+	$command $filter
+    else
+	cat -
+    fi
+}
+
 #
 # Show Command Executor
 #
@@ -448,11 +478,17 @@ show_command() {
    case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-	    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
-	    echo
-	    grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g'
+	    if mywhich conntrack ; then
+		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
+		echo
+		conntrack -f ipv6 -L | show_connections_filter
+	    else
+		local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+		local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+		echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
+		echo
+		grep '^ipv6' /proc/net/nf_conntrack | sed -r 's/0000:/:/g; s/:::+/::/g; s/:0+/:/g' | show_connections_filter
+	    fi
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
@@ -650,10 +686,40 @@ show_command() {
    esac
 }

+#
+# Dump Filter - For Shorewall-lite, if there was a dumpfilter file at compile-time,
+#               then the compiler generated another version of this function and
+#               embedded it in the firewall.conf file. That version supersedes this
+#               one.
+#
+dump_filter() {
+    local filter
+    local command
+    local first
+
+    command=${SHOREWALL_SHELL}
+
+    filter=$(find_file dumpfilter)
+
+    if [ -f $filter ]; then
+	first=$(head -n1 $filter)
+
+	case $first in
+	    \#!*)
+		command=${first#\#!}
+		;;
+	esac
+
+	$command $filter
+    else
+	cat -
+    fi
+}
+
 #
 # Dump Command Executor
 #
-dump_command() {
+do_dump_command() {
    local finished
    finished=0

@@ -797,6 +863,10 @@ dump_command() {
 	fi
 }

+dump_command() {
+    do_dump_command | dump_filter
+}
+
 #
 # Restore Comand Executor
 #
@@ -1264,6 +1334,7 @@ determine_capabilities() {
    FLOW_FILTER=
    FWMARK_RT_MASK=
    MARK_ANYWHERE=
+    HEADER_MATCH=

    chain=fooX$$

@@ -1406,6 +1477,7 @@ determine_capabilities() {
    qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
    qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
    qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
+    qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes

    qt $IP6TABLES -F $chain
    qt $IP6TABLES -X $chain
@@ -1483,6 +1555,7 @@ report_capabilities() {
 	report_capability "FLOW Classifier" $FLOW_FILTER
 	report_capability "fwmark route mask" $FWMARK_RT_MASK
 	report_capability "Mark in any table" $MARK_ANYWHERE
+	report_capability "Header Match" $HEADER_MATCH
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1545,6 +1618,7 @@ report_capabilities1() {
    report_capability1 FLOW_FILTER
    report_capability1 FWMARK_RT_MASK
    report_capability1 MARK_ANYWHERE
+    report_capability1 HEADER_MATCH
    
    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION    
--- a/Shorewall6/lib.common
+++ b/Shorewall6/lib.common
@@ -32,10 +32,14 @@ get_script_version() { # $1 = script
    local version
    local ifs
    local digits
+    local verbosity
+
+    verbosity="$VERBOSITY"
+    VERBOSITY=0

    temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )

-    if [ $? -ne 0 ]; then
+    if [ -z "$temp" ]; then
 	version=0
    else
 	ifs=$IFS
@@ -52,6 +56,8 @@ get_script_version() { # $1 = script
    fi
    
    echo $version
+
+    VERBOSITY="$verbosity"
 }
  
 #
--- a/Shorewall6/routes
+++ b/Shorewall6/routes
@@ -0,0 +1,9 @@
+#
+# Shorewall6 version 4 - routes File
+#
+# For information about entries in this file, type "man shorewall6-routes"
+#
+# For additional information, see http://www.shorewall.net/MultiISP.html
+##############################################################################
+#PROVIDER		DEST			GATEWAY		DEVICE
+
--- a/Shorewall6/rules
+++ b/Shorewall6/rules
@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages6/shorewall6-rules.html
 #
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+#######################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME            HEADERS
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ESTABLISHED
 #SECTION RELATED
--- a/Shorewall6/scfilter
+++ b/Shorewall6/scfilter
@@ -0,0 +1,15 @@
+#! /bin/sh
+#
+# Shorewall version 4 - Show Connections Filter
+#
+# /etc/shorewall/scfilter
+#
+#	Replace the 'cat' command below to filter the output of
+#       'show connections. Unlike other extension scripts, this file
+#       must be executable before Shorewall will use it.
+#
+# See http://shorewall.net/shorewall_extension_scripts.htm for additional
+# information.
+#
+###############################################################################
+cat -
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@@ -290,14 +290,6 @@ compiler() {
    [ "$g_debugging" = trace ] && options="$options --debug"
    [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
    [ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed"
-    #
-    # Run the appropriate params file
-    #
-    if [ -z "$haveparams" ]; then
-	set -a; 
-	run_user_exit params
-	set +a
-    fi

    if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -1303,6 +1295,54 @@ usage() # $1 = exit status
    exit $1
 }

+version_command() {
+    local finished
+    finished=0
+    local all
+    all=
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			a*)
+			    all=Yes
+			    option=${option#a}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    [ $# -gt 0 ] && usage 1
+
+    echo $SHOREWALL_VERSION
+
+    if [ -n "$all" ]; then
+	for product in shorewall shorewall-lite shorewall6-lite shorewall-init; do
+	    if [ -f /usr/share/$product/version ]; then
+		echo "$product: $(cat /usr/share/$product/version)"
+	    fi
+	done
+    fi
+}
+
 #
 # Execution begins here
 #
@@ -1332,6 +1372,12 @@ g_noroutes=
 g_purge=
 g_timestamp=

+#
+# Make sure that these variables are cleared
+#
+VERBOSE=
+VERBOSITY=
+
 finished=0

 while [ $finished -eq 0 ]; do
@@ -1427,54 +1473,6 @@ while [ $finished -eq 0 ]; do
    esac
 done

-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-
-    if [ -n "$all" ]; then
-	for product in shorewall shorewall-lite shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
 if [ $# -eq 0 ]; then
    usage 1
 fi
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.13
-%define release 1
+%define version 4.4.15
+%define release 0base

 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -98,10 +98,26 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6

 %changelog
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
+* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0base
+* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0RC1
+* Mon Nov 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0Beta2
+* Sat Oct 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.15-0Beta1
+* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0base
+* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0RC1
+* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta4
+* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta3
+* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta2
+* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.14-0Beta1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
--- a/Shorewall6/tcrules
+++ b/Shorewall6/tcrules
@@ -9,6 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-######################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER
+##################################################################################################################################
+#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS
 #						PORT(S)	PORT(S)
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.13.1
+VERSION=4.4.15

 usage() # $1 = exit status
 {
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@@ -53,141 +53,11 @@
    including traffic that will later be rejected by interface options such as
    <quote>tcpflags</quote> and <quote>maclist</quote>.</para>

-    <para>The columns in the accounting file are as follows:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para><emphasis role="bold">ACTION </emphasis>- What to do when a
-        match is found. Possible values are:</para>
-
-        <itemizedlist>
-          <listitem>
-            <para>COUNT- Simply count the match and continue trying to match
-            the packet with the following accounting rules</para>
-          </listitem>
-
-          <listitem>
-            <para>DONE- Count the match and don't attempt to match any
-            following accounting rules.</para>
-          </listitem>
-
-          <listitem>
-            <para><emphasis>&lt;chain&gt;</emphasis> - The name of a chain;
-            Shorewall will create the chain automatically if it doesn't
-            already exist. A jump to this chain will be generated from the
-            chain specified by the CHAIN column. If the name of the chain is
-            followed by <quote>:COUNT</quote> then a COUNT rule matching this
-            entry will automatically be added to &lt;chain&gt;. Chain names
-            must start with a letter, must be composed of letters and digits,
-            and may contain underscores (<quote>_</quote>) and periods
-            (<quote>.</quote>). Beginning with Shorewall version 1.4.8, chain
-            names may also contain embedded dashes (<quote>-</quote>) and are
-            not required to start with a letter.</para>
-          </listitem>
-
-          <listitem>
-            <para>COMMENT - (Shorewall-perl only) - The remainder of the line
-            is treated as a comment which is <ulink
-            url="configuration_file_basics.htm#COMMENT">attached to subsequent
-            rules</ulink> until another COMMENT line is found or until the end
-            of the file is reached. To stop adding comments to rules, use a
-            line with only the word COMMENT.</para>
-          </listitem>
-        </itemizedlist>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">CHAIN</emphasis> - The name of the chain
-        where the accounting rule is to be added. If empty or <quote>-</quote>
-        then the <quote>accounting</quote> chain is assumed (see <link
-        linkend="Bridge">below</link> for exceptions).</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">SOURCE</emphasis> - Packet Source. The
-        name of an interface, an address (host or net), or an interface name
-        followed by <quote>:</quote> and a host or net address.</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">DESTINATION</emphasis> - Packet
-        Destination. Format the same as the SOURCE column.</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">PROTOCOL</emphasis> - A protocol name
-        (from <filename>/etc/protocols</filename>), a protocol number or
-        <quote>ipp2p</quote>. For <quote>ipp2p</quote>, your kernel and
-        iptables must have ipp2p match support from <ulink
-        url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink>.</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
-        number. Service name from <filename>/etc/services</filename> or port
-        number. May only be specified if the protocol is TCP (6), UDP (17),
-        DCCP (33), SCTP (132) or UDPLITE (136). If the PROTOCOL is
-        <quote>ipp2p</quote>, then this column is interpreted as an ipp2p
-        option without the leading <quote>--</quote> (default
-        <quote>ipp2p</quote>). For a list of value ipp2p options, as root type
-        <command>iptables -m ipp2p --help</command>.</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">SOURCE PORT</emphasis>- Source Port
-        number. Service name from /etc/services or port number. May only be
-        specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132)
-        or UDPLITE (136).</para>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">USER/GROUP</emphasis> - This column may
-        only be non-empty if the CHAIN is OUTPUT. The column may
-        contain:</para>
-
-        <programlisting>[!][&lt;user name or number&gt;][:&lt;group name or number&gt;]</programlisting>
-
-        <para>When this column is non-empty, the rule applies only if the
-        program generating the output is running under the effective
-        &lt;user&gt; and/or &lt;group&gt; specified (or is NOT running under
-        that id if <quote>!</quote> is given).</para>
-
-        <para>Examples:</para>
-
-        <simplelist>
-          <member>joe #program must be run by joe</member>
-
-          <member>:kids #program must be run by a member of the
-          <quote>kids</quote> group.</member>
-
-          <member>!:kids #program must not be run by a member of the
-          <quote>kids</quote> group</member>
-        </simplelist>
-      </listitem>
-
-      <listitem>
-        <para><emphasis role="bold">MARK</emphasis> - Only count packets with
-        particular mark values. <programlisting>[!]&lt;value&gt;[/&lt;mask&gt;][:C]</programlisting>
-        Defines a test on the existing packet or connection mark. The rule
-        will match only if the test returns true.</para>
-
-        <para>If you don’t want to define a test but need to specify anything
-        in the following columns, place a <quote>-</quote> in this
-        field.<simplelist>
-            <member>! — Inverts the test (not equal)</member>
-
-            <member>&lt;value&gt; — Value of the packet or connection
-            mark.</member>
-
-            <member>&lt;mask&gt; — A mask to be applied to the mark before
-            testing.</member>
-
-            <member>:C — Designates a connection mark. If omitted, the packet
-            mark’s value is tested. This option is only supported by
-            Shorewall-perl.</member>
-          </simplelist></para>
-      </listitem>
-    </itemizedlist>
+    <para>The columns in the accounting file are described in <ulink
+    url="manpages/shorewall-accounting.html">shorewall-accounting</ulink> (5)
+    and <ulink
+    url="manpages6/shorewall6-accounting.html">shorewall6-accounting</ulink>
+    (5).</para>

    <para>In all columns except ACTION and CHAIN, the values <quote>-</quote>,
    <quote>any</quote> and <quote>all</quote> are treated as
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -136,7 +136,7 @@

          <row>
            <entry>Bridge: <ulink
-            url="bridge-Shorewall-perl.html">Shorewall-perl</ulink></entry>
+            url="bridge-Shorewall-perl.html">Bridge/Firewall</ulink></entry>

            <entry><ulink url="MultiISP.html">Multiple Internet Connections
            from a Single Firewall</ulink> (<ulink
@@ -147,8 +147,8 @@
          </row>

          <row>
-            <entry>Bridge: <ulink url="SimpleBridge.html">No control of
-            traffic through the bridge</ulink></entry>
+            <entry>Bridge: <ulink url="SimpleBridge.html">No firewalling of
+            traffic between bridge port</ulink></entry>

            <entry><ulink url="Multiple_Zones.html">Multiple Zones Through One
            Interface</ulink></entry>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -54,6 +54,31 @@
      url="shorewall_quickstart_guide.htm">QuickStart Guides</ulink>.</para>
    </section>

+    <section id="faq92">
+      <title>(FAQ 92) There are lots of Shorewall packages; which one(s) do I
+      install?</title>
+
+      <para><emphasis role="bold">Answer</emphasis>: When first installing
+      Shorewall 4.4.0 or later, you must install the <emphasis
+      role="bold">shorewall</emphasis> package. If you want to configure an
+      IPv6 firewall, you must also install <emphasis
+      role="bold">shorewall6</emphasis>.</para>
+
+      <section id="faq92a">
+        <title>(FAQ 92a) Someone once told me to install shorewall-perl;
+        anything to that?</title>
+
+        <para><emphasis role="bold">Answer</emphasis>: That was good advice in
+        Shorewall 4.2 and earlier. In those releases, there were two packages
+        that provided the basic firewalling functionality: <emphasis
+        role="bold">shorewall-shell</emphasis> and <emphasis
+        role="bold">shorewall-perl</emphasis>. Beginning with Shorewall 4.4.0,
+        <emphasis role="bold">shorewall-shell</emphasis> is discontinued and
+        <emphasis role="bold">shorewall-perl</emphasis> is renamed <emphasis
+        role="bold">shorewall</emphasis>.</para>
+      </section>
+    </section>
+
    <section id="faq37">
      <title>(FAQ 37) I just installed Shorewall on Debian and the
      /etc/shorewall directory is almost empty!!!</title>
@@ -1192,7 +1217,7 @@ to debug/develop the newnat interface.</programlisting></para>
      <title>(FAQ 91) I changed the shorewall.conf file in /etc/shorewall/ to
      spit out logs to /var/log/shorewall.log and it's not happening after I
      restart shorewall. LOGFILE=/var/log/shorewall.log &lt;-- that should be
-      the correct line, right? </title>
+      the correct line, right?</title>

      <para><emphasis role="bold">Answer</emphasis>: No, that is not correct.
      The LOGFILE setting tells Shorewall where to find the log; it does not
@@ -1420,6 +1445,22 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
        <para>Please see the <ulink url="shorewall_logging.html">Shorewall
        logging documentation</ulink> for further information.</para>
      </section>
+
+      <section id="faq16b">
+        <title>(FAQ 16b) Shorewall messages are flooding the output of
+        'dmesg'; how to I stop that?</title>
+
+        <para><emphasis role="bold">Answer</emphasis>: Switch to using <ulink
+        url="???">ulogd</ulink>.</para>
+      </section>
+
+      <section id="faq16c">
+        <title>(FAQ 16c) I set LOGFILE=/var/log/shorewall but log messages are
+        still going to /var/log/messages.</title>
+
+        <para><emphasis role="bold">Answer</emphasis>: See the answer to <link
+        linkend="faq16a">FAQ 16a</link> above.</para>
+      </section>
    </section>

    <section id="faq17">
@@ -1817,6 +1858,17 @@ ERROR: Command "ip -4 rule add from all table 254 pref 999" Failed</programlisti
  <section id="Start-Stop">
    <title>Starting and Stopping</title>

+    <section id="faq94">
+      <title>(FAQ 94) After I start Shorewall, ps doesn't show any shorewall
+      process running. What is the Shorewall daemon called?</title>
+
+      <para><emphasis role="bold">Answer:</emphasis> Shorewall is not a
+      daemon. It is a configuration tool that configures your kernel based on
+      the contents of <filename>/etc/shorewall/</filename>. Once the
+      <command>start</command> command completes, Shorewall has done its job
+      and there are no Shorewall processes remaining in the system.</para>
+    </section>
+
    <section id="faq7">
      <title>(FAQ 7) When I stop Shorewall using <quote>shorewall[-lite]
      stop</quote>, I can't connect to anything. Why doesn't that command
@@ -1939,7 +1991,8 @@ iptables: Invalid argument
      <para><emphasis role="bold">Answer:</emphasis> Copy
      <filename>/usr/share/shorewall[-lite]/modules</filename> to
      <filename>/etc/shorewall/modules </filename>and modify the copy to
-      include only the modules that you need.</para>
+      include only the modules that you need. An alternative is to set
+      LOAD_HELPERS_ONLY=Yes in shorewall.conf.</para>
    </section>

    <section id="faq61">
@@ -2490,7 +2543,9 @@ rmmod nf_conntrack_sip</programlisting></para>
      <orderedlist>
        <listitem>
          <para>Copy <filename>/usr/share/shorewall/module</filename>s to
-          <filename class="directory">/etc/shorewall</filename>.</para>
+          <filename class="directory">/etc/shorewall</filename>
+          (<filename>/usr/share/shorewall/helpers</filename> if you have
+          LOAD_HELPERS_ONLY in shorewall.conf).</para>
        </listitem>

        <listitem>
@@ -2876,12 +2931,24 @@ EXT_IF:172.20.1.2	     	0.0.0.0/0		172.20.1.254

          <programlisting>#INTERFACE			SOURCE			ADDRESS

-COMMENT DSL Modem
+COMMENT DSL Modemhttp://ipv6.shorewall.net/SimpleBridge.html

 EXT_IF:192.168.1.1	     	0.0.0.0/0		192.168.1.254
 </programlisting>
        </listitem>
      </itemizedlist>
    </section>
+
+    <section>
+      <title id="faq93">(FAQ 93) I'm not able to use Shorewall to manage a
+      bridge. I get the following error: ERROR: BRIDGING=Yes is not supported
+      by Shorewall 4.4.13.3.</title>
+
+      <para><emphasis role="bold">Answer:</emphasis> If you want to apply
+      firewall rules to the traffic passing between bridge ports, see <ulink
+      url="bridge-Shorewall-perl.html">http://www.shorewall.net/bridge-Shorewall-perl.html</ulink>.
+      If you simply want to allow all traffic between ports, then see <ulink
+      url="SimpleBridge.html">http://www.shorewall.net/SimpleBridge.html</ulink>.</para>
+    </section>
  </section>
 </article>
--- a/docs/FoolsFirewall.xml
+++ b/docs/FoolsFirewall.xml
@@ -38,8 +38,9 @@
    <title>Definition</title>

    <para>Occasionally, we hear from someone who has cabled his firewall's
-    external and internal firewall interfaces to the same switch. I call this
-    configuration <firstterm>The Fool's Firewall</firstterm>.</para>
+    external and internal firewall interfaces to the same unmanaged switch (or
+    mis-configured managed switch). I call this configuration <firstterm>The
+    Fool's Firewall</firstterm>.</para>

    <para>When the external interface supports broadcast, this configuration
    has two very bad drawbacks:</para>
@@ -61,7 +62,7 @@

    <para>Because Fool's firewall is not physically located between the net
    and the local systems, the local systems are exposed to all of the systems
-    in the same broadcast domain. Because the local systems (expecially those
+    in the same broadcast domain. Because the local systems (especially those
    running Windows) send broadcasts, those systems can be easily detected by
    using a packet sniffer. Once the systems have been spotted, it is child's
    play to add an IP address in Fool's internal IP network and bypass his
@@ -73,8 +74,10 @@
  <section>
    <title>ARP Roulette</title>

-    <para>The Linux IP stack exhibits some unexpected behavior with respect to
-    ARP. It will respond to ARP 'who-has' requests received on
+    <para>The Linux IP stack implements the <ulink
+    url="http://en.wikipedia.org/wiki/Host_model">weak host model.</ulink> As
+    a result, it exhibits some unexpected behavior with respect to ARP. It
+    will respond to ARP 'who-has' requests received on
    <emphasis>any</emphasis> interface and not just on the interface owning
    the address. So when the upstream router sends a 'who-has' request for
    Fool's external IP address, the response may come from his
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@@ -44,12 +44,12 @@
      <itemizedlist>
        <listitem>
          <para><ulink url="http://www.netfilter.org">Netfilter</ulink> - the
-          packet filter facility builtinto the 2.4 and later Linux
+          packet filter facility built into the 2.4 and later Linux
          kernels.</para>
        </listitem>

        <listitem>
-          <para>ipchains - the packet filter facility builtinto the 2.2 Linux
+          <para>ipchains - the packet filter facility built into the 2.2 Linux
          kernels. Also the name of the utility program used to configure and
          control that facility. Netfilter can be used in ipchains
          compatibility mode.</para>
--- a/docs/Manpages.xml
+++ b/docs/Manpages.xml
@@ -24,6 +24,8 @@

      <year>2009</year>

+      <year>2010</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -83,6 +85,10 @@
        the interfaces on the system and optionally associate them with
        zones.</member>

+        <member><ulink url="manpages/shorewall-ipsets.html">ipsets</ulink> -
+        Describes how to specify set names in Shorewall configuration
+        files.</member>
+
        <member><ulink url="manpages/shorewall-maclist.html">maclist</ulink> -
        Define MAC verification.</member>

@@ -121,6 +127,10 @@
        url="manpages/shorewall-route_rules.html">route_rules</ulink> - Define
        routing rules.</member>

+        <member><ulink url="manpages/shorewall-routes.html">routes</ulink> -
+        (Added in Shorewall 4.4.15) Add additional routes to provider routing
+        tables.</member>
+
        <member><ulink
        url="manpages/shorewall-routestopped.html">routestopped</ulink> -
        Specify connections to be permitted when Shorewall is in the stopped
--- a/docs/Manpages6.xml
+++ b/docs/Manpages6.xml
@@ -24,6 +24,8 @@

      <year>2009</year>

+      <year>2010</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -106,6 +108,10 @@
        url="manpages6/shorewall6-route_rules.html">route_rules</ulink> -
        Define routing rules.</member>

+        <member><ulink url="manpages6/shorewall6-routes.html">routes</ulink> -
+        (Added in Shorewall 4.4.15) Add additional routes to provider routing
+        tables.</member>
+
        <member><ulink
        url="manpages6/shorewall6-routestopped.html">routestopped</ulink> -
        Specify connections to be permitted when Shorewall6 is in the stopped
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -575,6 +575,12 @@
            Normally, you will list all interfaces on your firewall in this
            column except those Internet interfaces specified in the INTERFACE
            column of entries in this file.</para>
+
+            <note>
+              <para>Beginning with Shorewall 4.4.15, provider routing tables
+              can be augmeted with additional routes through use of the <link
+              linkend="routes">/etc/shorewall/routes</link> file.</para>
+            </note>
          </listitem>
        </varlistentry>
      </variablelist>
@@ -912,7 +918,8 @@ eth3             0.0.0.0/0         16.105.78.4</programlisting></para>
    </section>

    <section id="Local">
-      <title>Applications running on the Firewall</title>
+      <title>Applications running on the Firewall -making them use a
+      particular provider</title>

      <para>As <link linkend="Applications">noted above</link>, separate
      entries in <filename>/etc/shorewall/tcrules</filename> are required for
@@ -948,6 +955,11 @@ eth3             0.0.0.0/0         16.105.78.4</programlisting></para>
      that an entry in <filename>/etc/shorewall/route_rules</filename> with
      'lo' in the SOURCE column seems to be the most reliable way to direct
      such traffic to a particular ISP.</para>
+
+      <para>Example:</para>
+
+      <programlisting>#SOURCE     DEST      PROVIDER        PRIORITY
+lo          -         shorewall       1000</programlisting>
    </section>

    <section id="route_rules">
@@ -1100,6 +1112,70 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
      </section>
    </section>

+    <section id="routes">
+      <title>/etc/shorewall/routes File</title>
+
+      <para>Beginning with Shorewall 4.4.15, additional routes can be added to
+      the provider routing tables using the /etc/shorewall/routes file.</para>
+
+      <para>The columns in the file are as follows.</para>
+
+      <variablelist>
+        <varlistentry>
+          <term><emphasis role="bold">PROVIDER</emphasis></term>
+
+          <listitem>
+            <para>The name or number of a provider defined in <ulink
+            url="shorewall-providers.html">shorewall-providers</ulink>
+            (5).</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><emphasis role="bold">DEST</emphasis></term>
+
+          <listitem>
+            <para>Destination host address or network address.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><emphasis role="bold">GATEWAY</emphasis> (Optional)</term>
+
+          <listitem>
+            <para>If specified, gives the IP address of the gateway to the
+            DEST.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><emphasis role="bold">DEVICE</emphasis> (Optional)</term>
+
+          <listitem>
+            <para>Specifies the device route. If neither DEVICE nor GATEWAY is
+            given, then the INTERFACE specified for the PROVIDER in <ulink
+            url="manpages/shorewall-providers.html">shorewall-providers</ulink>
+            (5).</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+
+      <para> Assume the following entry in
+      <filename>/etc/shorewall/providers</filename>:</para>
+
+      <programlisting>#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS          COPY
+Comcast      1     -    xxx             eth2            ....     </programlisting>
+
+      <para>The following table gives some example entries in the file and the
+      <command>ip route</command> command which results.</para>
+
+      <programlisting><emphasis role="bold">#PROVIDER     DEST             GATEWAY         DEVICE</emphasis>        | <emphasis
+          role="bold">             Generated Command</emphasis>
+Comcast       172.20.1.0/24    -               eth0          | ip -4 route add 172.20.1.0/24 dev eth0 table 1
+Comcast       192.168.4.0/24   172.20.1.1                    | ip -4 route add 192.168.1.0/24 via 172.20.1.1 table 1
+Comcast       192.168.4.0/24                                 | ip -4 route add 192.168.4.0/24 dev eth2 table 1 </programlisting>
+    </section>
+
    <section>
      <title>Looking at the routing tables</title>

--- a/docs/ProxyARP.xml
+++ b/docs/ProxyARP.xml
@@ -34,46 +34,50 @@
    </legalnotice>
  </articleinfo>

-  <para>Proxy ARP (RFC 1027) is a way to make a machine physically located on
-  one network appear to be logically part of a different physical network
-  connected to the same router/firewall. Typically it allows us to hide a
-  machine with a public IP address on a private network behind a router, and
-  still have the machine appear to be on the public network "in front of" the
-  router. The router "proxys" ARP requests and all network traffic to and from
-  the hidden machine to make this fiction possible.</para>
+  <section>
+    <title>Overview</title>

-  <para>Consider a router with two interface cards, one connected to a public
-  network PUBNET and one connected to a private network PRIVNET. We want to
-  hide a server machine on the PRIVNET network but have it accessible from the
-  PUBNET network. The IP address of the server machine lies in the PUBNET
-  network, even though we are placing the machine on the PRIVNET network
-  behind the router.</para>
+    <para>Proxy ARP (RFC 1027) is a way to make a machine physically located
+    on one network appear to be logically part of a different physical network
+    connected to the same router/firewall. Typically it allows us to hide a
+    machine with a public IP address on a private network behind a router, and
+    still have the machine appear to be on the public network "in front of"
+    the router. The router "proxys" ARP requests and all network traffic to
+    and from the hidden machine to make this fiction possible.</para>

-  <para>By enabling proxy ARP on the router, any machine on the PUBNET network
-  that issues an ARP "who has" request for the server's MAC address will get a
-  proxy ARP reply from the router containing the router's MAC address. This
-  tells machines on the PUBNET network that they should be sending packets
-  destined for the server via the router. The router forwards the packets from
-  the machines on the PUBNET network to the server on the PRIVNET
-  network.</para>
+    <para>Consider a router with two interface cards, one connected to a
+    public network PUBNET and one connected to a private network PRIVNET. We
+    want to hide a server machine on the PRIVNET network but have it
+    accessible from the PUBNET network. The IP address of the server machine
+    lies in the PUBNET network, even though we are placing the machine on the
+    PRIVNET network behind the router.</para>

-  <para>Similarly, when the server on the PRIVNET network issues a "who has"
-  request for any machines on the PUBNET network, the router provides its own
-  MAC address via proxy ARP. This tells the server to send packets for
-  machines on the PUBNET network via the router. The router forwards the
-  packets from the server on the PRIVNET network to the machines on the PUBNET
-  network.</para>
+    <para>By enabling proxy ARP on the router, any machine on the PUBNET
+    network that issues an ARP "who has" request for the server's MAC address
+    will get a proxy ARP reply from the router containing the router's MAC
+    address. This tells machines on the PUBNET network that they should be
+    sending packets destined for the server via the router. The router
+    forwards the packets from the machines on the PUBNET network to the server
+    on the PRIVNET network.</para>

-  <para>The proxy ARP provided by the router allows the server on the
-  PRIVNETnetwork to appear to be on the PUBNET network. It lets the router
-  pass ARP requests and other network packets in both directions between the
-  server machine and the PUBNET network, making the server machine appear to
-  be connected to the PUBNET network even though it is on the PRIVNET network
-  hidden behind the router.</para>
+    <para>Similarly, when the server on the PRIVNET network issues a "who has"
+    request for any machines on the PUBNET network, the router provides its
+    own MAC address via proxy ARP. This tells the server to send packets for
+    machines on the PUBNET network via the router. The router forwards the
+    packets from the server on the PRIVNET network to the machines on the
+    PUBNET network.</para>

-  <para>Before you try to use this technique, I strongly recommend that you
-  read the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
-  Guide</ulink>.</para>
+    <para>The proxy ARP provided by the router allows the server on the
+    PRIVNETnetwork to appear to be on the PUBNET network. It lets the router
+    pass ARP requests and other network packets in both directions between the
+    server machine and the PUBNET network, making the server machine appear to
+    be connected to the PUBNET network even though it is on the PRIVNET
+    network hidden behind the router.</para>
+
+    <para>Before you try to use this technique, I strongly recommend that you
+    read the <ulink url="shorewall_setup_guide.htm">Shorewall Setup
+    Guide</ulink>.</para>
+  </section>

  <section id="Example">
    <title>Example</title>
--- a/docs/Shorewall_and_Aliased_Interfaces.xml
+++ b/docs/Shorewall_and_Aliased_Interfaces.xml
@@ -194,6 +194,10 @@ DNAT      net        loc:192.168.1.3      tcp        80             -         20
      <programlisting>#INTERFACE             SUBNET          ADDRESS
 eth0                   192.168.1.0/24  206.124.146.178</programlisting>

+      <para>Similarly, you want SMTP traffic from local system 192.168.1.22 to
+      have source IP 206.124.146.178:<programlisting>#INTERFACE             SUBNET          ADDRESS             PROTO      DEST PORT(S)
+eth0                   192.168.1.22    206.124.146.178     tcp        25</programlisting></para>
+
      <para>Shorewall can create the alias (additional address) for you if you
      set ADD_SNAT_ALIASES=Yes in
      <filename>/etc/shorewall/shorewall.con</filename>f.</para>
--- a/docs/Vserver.xml
+++ b/docs/Vserver.xml
@@ -114,7 +114,7 @@ gateway:~#</programlisting>
  <section>
    <title>Vserver Zones</title>

-    <para>Here is a diagram of the network configuration here at Shorewall.net
+    <para>This is a diagram of the network configuration here at Shorewall.net
    during the summer of 2010:</para>

    <graphic align="center" fileref="images/Network2010a.png" />
@@ -131,6 +131,12 @@ net             ipv4            #Internet
 vpn             ipv4            #OpenVPN clients
 <emphasis role="bold">dmz             vserver         #Vservers</emphasis></programlisting>

+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>#ZONE   INTERFACE     BROADCAST           OPTIONS
+<emphasis role="bold">net     eth1          detect              dhcp,optional,routefilter=0,logmartians,proxyarp=0,nosmurfs,upnp</emphasis>
+...</programlisting>
+
    <para><filename>/etc/shorewall/hosts</filename>:</para>

    <programlisting>#ZONE   HOST(S)                                 OPTIONS
@@ -160,10 +166,16 @@ vpn	ipv6
 <emphasis role="bold">dmz	vserver</emphasis>
 </programlisting>

+    <para><filename>/etc/shorewall6/interfaces</filename>:</para>
+
+    <programlisting>#ZONE   INTERFACE     BROADCAST           OPTIONS
+<emphasis role="bold">net     sit1          detect              tcpflags,forward=1,nosmurfs,routeback</emphasis>
+...</programlisting>
+
    <para><filename>/etc/shorewall6/hosts</filename>:</para>

    <programlisting>#ZONE   HOST(S)                                 OPTIONS
-dmz	sit1:[2001:470:e857:1::/64]</programlisting>
+<emphasis role="bold">dmz     sit1:[2001:470:e857:1::/64]</emphasis></programlisting>

    <para>Note that I choose to place the Vservers on sit1 (the IPv6 net
    interface) rather than on eth1. Again, it really doesn't matter
--- a/docs/bridge-Shorewall-perl.xml
+++ b/docs/bridge-Shorewall-perl.xml
@@ -5,7 +5,7 @@
  <!--$Id$-->

  <articleinfo>
-    <title>Shorewall-perl and Bridged Firewalls</title>
+    <title>Bridged Firewalls</title>

    <authorgroup>
      <author>
@@ -37,7 +37,7 @@
  </articleinfo>

  <caution>
-    <para><emphasis role="bold">This article applies to Shorewall-perl 4.3 and
+    <para><emphasis role="bold">This article applies to Shorewall 4.4 and
    later.</emphasis></para>
  </caution>

@@ -533,7 +533,7 @@ rc-update add bridge boot
    source bridge port.</para>

    <para>To deal with the asymmetric nature of the new physdev match,
-    Shorewall-perl supports a new type of zone - a <firstterm>Bridge
+    Shorewall supports a new type of zone - a <firstterm>Bridge
    Port</firstterm> (BP) zone. Bridge port zones have a number of
    restrictions:</para>

@@ -559,8 +559,9 @@ rc-update add bridge boot

    <para>In /etc/shorewall/zones, BP zones are specified using the <emphasis
    role="bold">bport</emphasis> (or <emphasis role="bold">bport4</emphasis>)
-    keyword. Shorewall perl requires that BRIDGING=No in
-    <filename>shorewall.conf</filename>.</para>
+    keyword. If your version of <filename>shorewall.conf</filename> contains
+    the <emphasis role="bold">BRIDGING</emphasis> option, it must be set to
+    <emphasis role="bold">No</emphasis>.</para>

    <para>In the scenario pictured above, there would probably be two BP zones
    defined -- one for the Internet and one for the local LAN so in
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -492,6 +492,63 @@ ACCEPT      net:\
    </example>
  </section>

+  <section>
+    <title>Addresses</title>
+
+    <para>In both Shorewall and Shorewall6, there are two basic types of
+    addresses:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>Host Address</term>
+
+        <listitem>
+          <para>This address type refer to a single host.</para>
+
+          <para>In IPv4, the format is <emphasis>i.j.k.l</emphasis> where
+          <emphasis>i</emphasis> through <emphasis>l</emphasis> are decimal
+          numbers between 1 and 255.</para>
+
+          <para>In IPv6, the format is <emphasis>a:b:c:d:e:f:g:h</emphasis>
+          where <emphasis>a</emphasis> through <emphasis>h</emphasis> consist
+          of 1 to 4 hexidecimal digits (leading zeros may be omitted). a
+          single series of 0 addresses may be omitted. For example
+          2001:227:e857:1:0:0:0:0:1 may be written 2001:227:e857:1::1.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Network Address</term>
+
+        <listitem>
+          <para>A network address refers to 1 or more hosts and consists of a
+          host address followed by a slash ("/") and a <firstterm>Variable
+          Length Subnet Mask</firstterm> (VLSM). This is known as
+          <firstterm>Classless Internet Domain Routing</firstterm> (CIDR)
+          notation.</para>
+
+          <para>The VLSM is a decimal number. For IPv4, it is in the range 0
+          through 32. For IPv6, the range is 0 through 128. The number
+          represents the number of leading bits in the address that represent
+          the network address; the remainder of the bits are a host address
+          and are generally given as zero.</para>
+
+          <para>Examples:</para>
+
+          <para>IPv4: 192.168.1.0/24</para>
+
+          <para>IPv6: 2001:227:e857:1:0:0:0:0:1/64</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>In the Shorewall documentation and manpages, we have tried to make
+    it clear which type of address is accepted in each specific case.</para>
+
+    <para>For more information about addressing, see the<ulink
+    url="shorewall_setup_guide.htm#Addressing"> Setup Guide</ulink>.</para>
+  </section>
+
  <section id="SOURCE-DEST">
    <title>Specifying SOURCE and DEST</title>

@@ -1391,6 +1448,28 @@ Comcast 2        0x20000 main       COM_IF     detect          balance
    class="devicefile">tun*</filename> in the COPY column.</para>
  </section>

+  <section>
+    <title>Zone and Chain Names</title>
+
+    <para>For a pair of zones, Shorewall creates two Netfilter chains; one for
+    connections in each direction. The names of these chains are formed by
+    separating the names of the two zones by either "2" or "-".</para>
+
+    <para>Example: Traffic from zone A to zone B would go through chain A2B
+    (think "A to B") or "A-B".</para>
+
+    <para>The default separator is "2" but you can override that by setting
+    ZONE_SEPARATOR="-" in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
+
+    <para>Zones themselves have names that begin with a letter and are
+    composed of letters, numerals, and "_". The maximum length of a name is
+    dependent on the setting of LOGFORMAT in <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5). See <ulink
+    url="manpages/shorewall-zones.html">shorewall-zones</ulink> (5) for
+    details.</para>
+  </section>
+
  <section id="Levels">
    <title>Shorewall Configurations</title>

--- a/docs/ipsets.xml
+++ b/docs/ipsets.xml
@@ -95,8 +95,8 @@
      </listitem>

      <listitem>
-        <para>They must be composed of letters, digits or underscores
-        ("_").</para>
+        <para>They must be composed of letters, digits, dashes ("-") or
+        underscores ("_").</para>
      </listitem>
    </itemizedlist>

@@ -128,6 +128,11 @@ ACCEPT       net:+sshok  $FW      tcp      22</programlisting></para>
    blacklist file, you can coerce the rule into matching the destination IP
    address rather than the source.</para>

+    <para>Beginning with Shorewall 4.4.14, multiple source or destination
+    matches may be specified by placing multiple set names in '+[...]' (e.g.,
+    +[myset,myotherset]). When so inclosed, the set names need not be prefixed
+    with a plus sign.</para>
+
    <para>Shorewall can save/restore your ipset contents with certain
    restrictions:</para>

--- a/docs/shorewall_extension_scripts.xml
+++ b/docs/shorewall_extension_scripts.xml
@@ -200,6 +200,26 @@ esac</programlisting><caution>
        with dhclient on several distributions are available at <ulink
        url="http://www.shorewall.net/pub/shorewall/contrib/findgw/">http://www.shorewall.net/pub/shorewall/contrib/findgw/</ulink></para>
      </listitem>
+
+      <listitem>
+        <para><filename>scfilter</filename> -- Added in Shorewall 4.4.14.
+        Unlike the other scripts, this script is executed by the command-line
+        tools (<filename>/sbin/shorewall</filename>,
+        <filename>/sbin/shorewall6</filename>, etc) and can be used to
+        reformat the output of the <command>show connections</command>
+        command. The connection information is piped through this script so
+        that the script can drop information, add information or alter the
+        format of the information. When using Shorewall Lite or Shorewall6
+        Lite, the script is encapsulated in a function that is copied into the
+        generated auxillary configuration file. That function is invoked by
+        the 'show connections' command.</para>
+
+        <para>The default script is as follows and simply pipes the output
+        through unaltered.</para>
+
+        <programlisting>#! /bin/sh
+cat -</programlisting>
+      </listitem>
    </itemizedlist>

    <para><emphasis role="bold">If your version of Shorewall doesn't have the
@@ -288,6 +308,12 @@ esac</programlisting><caution>
            <entry>save</entry>
          </row>

+          <row>
+            <entry>scfilter</entry>
+
+            <entry>show connections</entry>
+          </row>
+
          <row>
            <entry>start</entry>

@@ -512,6 +538,12 @@ esac</programlisting><caution>

                <entry>restored</entry>
              </row>
+
+              <row>
+                <entry></entry>
+
+                <entry>scfilter</entry>
+              </row>
            </tbody>
          </tgroup>
        </informaltable></para>
--- a/docs/shorewall_features.xml
+++ b/docs/shorewall_features.xml
@@ -5,7 +5,7 @@
  <!--$Id$-->

  <articleinfo>
-    <title>Shorewall Features</title>
+    <title>Shorewall 4.4 Features</title>

    <author>
      <firstname>Tom</firstname>
@@ -142,13 +142,12 @@
          </listitem>

          <listitem>
-            <para><ulink url="netmap.html">NETMAP</ulink> (requires a 2.6
-            kernel or a patched 2.4 kernel).</para>
+            <para><ulink url="netmap.html">NETMAP</ulink>.</para>
          </listitem>

          <listitem>
-            <para><ulink url="Shorewall_and_Routing.html">Multiple ISP
-            support</ulink></para>
+            <para><ulink url="MultiISP.html">Multiple ISP support</ulink>
+            (Multiple Internet Links from the same firewall/gateway)</para>
          </listitem>
        </itemizedlist>
      </listitem>
@@ -196,7 +195,7 @@
      </listitem>

      <listitem>
-        <para>Support for <ulink url="traffic_shaping.htm"><emphasis
+        <para>Support for <ulink url="simple_traffic_shaping.html"><emphasis
        role="bold">Traffic</emphasis> Control/<emphasis
        role="bold">Shaping</emphasis></ulink>.</para>
      </listitem>
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -1161,6 +1161,13 @@ ppp0           6000kbit         500kbit</programlisting>
          modules such as <emphasis>ftp</emphasis>, <emphasis>sip</emphasis>,
          <emphasis>amanda</emphasis>, etc.</para>
        </listitem>
+
+        <listitem>
+          <para>HEADERS (Optioinal, Shorewall6 only, added in Shorewall
+          4.4.15). List of IPv6 headers that may appear in packets. See <ulink
+          url="manpages6/shorewall6-tcrules.html">shorewall6-tcrules</ulink>
+          (5) for details.</para>
+        </listitem>
      </itemizedlist>

      <example id="Example1">
@@ -1278,6 +1285,58 @@ SAVE     0.0.0.0/0      0.0.0.0/0       all        -             -        -
 /sbin/shorewall refresh</programlisting>
    </section>

+    <section>
+      <title>Sharing a TC configuration between Shorewall and
+      Shorewall6</title>
+
+      <para>Beginning with Shorewall 4.4.15, the traffic-shaping configuration
+      in the tcdevices, tcclasses and tcfilters files can be shared between
+      Shorewall and Shorewall6. Only one of the products can control the
+      configuration but the other can configure CLASSIFY rules in its own
+      tcrules file that refer to the shared classes.</para>
+
+      <para>To defined the configuration in Shorewall and shared it with
+      Shorewall6:</para>
+
+      <itemizedlist>
+        <listitem>
+          <para>Set TC_ENABLED=Internal in <ulink
+          url="manpages/shorewall.conf.html">shorewall.conf</ulink>
+          (5).</para>
+        </listitem>
+
+        <listitem>
+          <para>Set TC_ENABLED=SHARED in <ulink
+          url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
+          (5).</para>
+        </listitem>
+
+        <listitem>
+          <para>Create symbolic links from /etc/shorewall6 to
+          /etc/shorewall/tcdevices and /etc/shorewall/tcclasses:</para>
+
+          <programlisting>ln -s ../shorewall/tcdevices /etc/shorewall6/tcdevices
+ln -s ../shorewall/tcclasses /etc/shorewall6/tcclasses</programlisting>
+        </listitem>
+
+        <listitem>
+          <para>If you need to define IPv6 tcfilter entries, do so in
+          /etc/shorewall/tcfilters. That file now allows entries that apply to
+          IPv6.</para>
+        </listitem>
+      </itemizedlist>
+
+      <para>Shorewall6 compilations to have access to the tcdevices and
+      tcclasses files although it will create no output. That access allows
+      CLASSIFY rules in /etc/shorewall6/tcrules to be validated against the TC
+      configuration.</para>
+
+      <para>In this configuration, it is Shorewall that controls TC
+      configuration (except for IPv6 tcrules). You can reverse the settings in
+      the files if you want to control the configuration using
+      Shorewall6.</para>
+    </section>
+
    <section id="perIP">
      <title>Per-IP Traffic Shaping</title>

@@ -1847,6 +1906,14 @@ ip link set ifb0 up</command></programlisting>
          <para>DNS Names are not supported</para>
        </listitem>

+        <listitem>
+          <para>Address ranges and lists are not supported</para>
+        </listitem>
+
+        <listitem>
+          <para>Exclusion is not supported.</para>
+        </listitem>
+
        <listitem>
          <para>filters are applied to packets as they <emphasis>appear on the
          wire</emphasis>. So incoming packets will not have DNAT applied yet
@@ -1893,6 +1960,11 @@ eth0              192.168.1.0/24   206.124.146.179</programlisting></para>
        </listitem>
      </orderedlist>

+      <para>Beginning with Shorewall 4.4.15, both IPv4 and IPv6 rules can be
+      defined in this file. See <ulink
+      url="manpages/shorewall-tcfilters.html">shorewall-tcfilters</ulink> (5)
+      for details.</para>
+
      <para>Columns in the file are as follow. As in all Shorewall
      configuration files, a hyphen ("-") may be used to indicate that no
      value is supplied in the column.</para>
--- a/docs/upgrade_issues.xml
+++ b/docs/upgrade_issues.xml
@@ -285,7 +285,7 @@
          </listitem>

          <listitem>
-            <para>Explicitly set LOG_MARTIONS=No to maintain compatibility
+            <para>Explicitly set LOG_MARTIANS=No to maintain compatibility
            with prior versions of Shorewall.</para>
          </listitem>
        </orderedlist>
--- a/manpages/shorewall-accounting.xml
+++ b/manpages/shorewall-accounting.xml
@@ -481,7 +481,7 @@
    </ulink></para>

    <para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
-    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
    shorewall-proxyarp(5), shorewall-route_rules(5),
--- a/manpages/shorewall-actions.xml
+++ b/manpages/shorewall-actions.xml
@@ -29,12 +29,10 @@
    /etc/shorewall/action.<emphasis>action-name</emphasis>.</para>

    <para>ACTION names should begin with an upper-case letter to distinguish
-    them from Shorewall-generated chain names and they must meet the
-    requirements of a Netfilter chain. If you intend to log from the action
-    then the name must be no longer than 11 characters in length. Names must
-    also meet the requirements for a Bourne Shell identifier (must begin with
-    a letter and be composed of letters, digits and underscore
-    characters).</para>
+    them from Shorewall-generated chain names and be composed of letters,
+    digits or numbers. If you intend to log from the action then the name must
+    be no longer than 11 characters in length if you use the standard
+    LOGFORMAT.</para>
  </refsect1>

  <refsect1>
@@ -50,12 +48,13 @@
    url="http://shorewall.net/Actions.html">http://shorewall.net/Actions.html</ulink></para>

    <para>shorewall(8), shorewall-accounting(5), shorewall-blacklist(5),
-    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
-    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-blacklist.xml
+++ b/manpages/shorewall-blacklist.xml
@@ -113,8 +113,8 @@

              <listitem>
                <para>'blacklist' in the OPTIONS or OUT_OPTIONS column.
-                Trafficto this zone is passed against the entries in this file
-                that have the <emphasis role="bold">dst</emphasis>
+                Traffic to this zone is passed against the entries in this
+                file that have the <emphasis role="bold">dst</emphasis>
                option.</para>
              </listitem>
            </orderedlist>
@@ -168,10 +168,10 @@
    url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>

    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
-    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Show More
+++ b/Show More