Update for 4.4.4.3, if needed

Update the known problem list
Fix DONT_LOAD vs 'reload -c'
2009-12-08 08:45:10 -08:00 · 2009-12-08 08:36:09 -08:00 · 2009-12-07 14:46:10 -08:00 · 2009-12-07 13:51:08 -08:00 · 2009-12-07 12:53:29 -08:00 · 2009-12-06 09:48:06 -08:00
248 changed files with 8128 additions and 21718 deletions
--- a/Samples/Universal/interfaces
+++ b/Samples/Universal/interfaces
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - Interfaces File
-#
-# For information about entries in this file, type "man shorewall-interfaces"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-interfaces.html
-#
-###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-	lo		-		ignore
-net	all		-		dhcp,physical=+,routeback,optional
--- a/Samples/Universal/policy
+++ b/Samples/Universal/policy
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Policy File
-#
-# For information about entries in this file, type "man shorewall-policy"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-policy.html
-#
-###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
-#				LEVEL	BURST		MASK
-$FW	net	ACCEPT
-net	all	DROP
--- a/Samples/Universal/rules
+++ b/Samples/Universal/rules
@@ -1,17 +0,0 @@
-#
-# Shorewall version 4 - Rules File
-#
-# For information on the settings in this file, type "man shorewall-rules"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-rules.html
-#
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
-
-SSH(ACCEPT)	net		$FW
-Ping(ACCEPT)	net		$FW
--- a/Samples/Universal/shorewall.conf
+++ b/Samples/Universal/shorewall.conf
@@ -1,213 +0,0 @@
-###############################################################################
-#
-#  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
-#
-#  For information about the settings in this file, type "man shorewall.conf"
-#
-#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
-###############################################################################
-#		       S T A R T U P   E N A B L E D
-###############################################################################
-
-STARTUP_ENABLED=Yes
-
-###############################################################################
-#		              V E R B O S I T Y
-###############################################################################
-
-VERBOSITY=1
-
-###############################################################################
-#			       L O G G I N G
-###############################################################################
-
-LOGFILE=
-
-STARTUP_LOG=/var/log/shorewall-init.log
-
-LOG_VERBOSITY=2
-
-LOGFORMAT="Shorewall:%s:%s:"
-
-LOGTAGONLY=No
-
-LOGLIMIT=
-
-LOGALLNEW=
-
-BLACKLIST_LOGLEVEL=
-
-MACLIST_LOG_LEVEL=info
-
-TCP_FLAGS_LOG_LEVEL=info
-
-SMURF_LOG_LEVEL=info
-
-LOG_MARTIANS=Yes
-
-###############################################################################
-#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
-###############################################################################
-
-IPTABLES=
-
-IP=
-
-TC=
-
-IPSET=
-
-PERL=/usr/bin/perl
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-SHOREWALL_SHELL=/bin/sh
-
-SUBSYSLOCK=
-
-MODULESDIR=
-
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
-RESTOREFILE=
-
-IPSECFILE=zones
-
-LOCKFILE=
-
-###############################################################################
-#		D E F A U L T   A C T I O N S / M A C R O S
-###############################################################################
-
-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
-ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
-NFQUEUE_DEFAULT="none"
-
-###############################################################################
-#                        R S H / R C P  C O M M A N D S
-###############################################################################
-
-RSH_COMMAND='ssh ${root}@${system} ${command}'
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
-
-###############################################################################
-#			F I R E W A L L	  O P T I O N S
-###############################################################################
-
-IP_FORWARDING=On
-
-ADD_IP_ALIASES=No
-
-ADD_SNAT_ALIASES=No
-
-RETAIN_ALIASES=No
-
-TC_ENABLED=Internal
-
-TC_EXPERT=No
-
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=No
-
-ROUTE_FILTER=No
-
-DETECT_DNAT_IPADDRS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-DELAYBLACKLISTLOAD=No
-
-MODULE_SUFFIX=ko
-
-DISABLE_IPV6=No
-
-BRIDGING=No
-
-DYNAMIC_ZONES=No
-
-PKTTYPE=Yes
-
-NULL_ROUTE_RFC1918=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-SAVE_IPSETS=No
-
-MAPOLDACTIONS=No
-
-FASTACCEPT=Yes
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-USE_ACTIONS=Yes
-
-OPTIMIZE=15
-
-EXPORTPARAMS=Yes
-
-EXPAND_POLICIES=Yes
-
-KEEP_RT_TABLES=No
-
-DELETE_THEN_ADD=Yes
-
-MULTICAST=No
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
-
-USE_DEFAULT_RT=No
-
-RESTORE_DEFAULT_ROUTE=Yes
-
-AUTOMAKE=No
-
-WIDE_TC_MARKS=Yes
-
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=Yes
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=Yes
-
-###############################################################################
-#			P A C K E T   D I S P O S I T I O N
-###############################################################################
-
-BLACKLIST_DISPOSITION=DROP
-
-MACLIST_DISPOSITION=REJECT
-
-TCP_FLAGS_DISPOSITION=DROP
-
-#LAST LINE -- DO NOT REMOVE
--- a/Samples/Universal/zones
+++ b/Samples/Universal/zones
@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Zones File
-#
-# For information about this file, type "man shorewall-zones"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-zones.html
-#
-###############################################################################
-#ZONE	TYPE		OPTIONS		IN			OUT
-#					OPTIONS			OPTIONS
-fw	firewall
-net	ip
-
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -42,7 +42,9 @@ LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=

 LOGALLNEW=

@@ -68,8 +70,6 @@ TC=

 IPSET=

-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 SHOREWALL_SHELL=/bin/sh
@@ -109,7 +109,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

 IP_FORWARDING=Off

-ADD_IP_ALIASES=No
+ADD_IP_ALIASES=Yes

 ADD_SNAT_ALIASES=No

@@ -119,8 +119,6 @@ TC_ENABLED=Internal

 TC_EXPERT=No

-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes

 MARK_IN_FORWARD_CHAIN=No
@@ -139,7 +137,7 @@ BLACKLISTNEWONLY=Yes

 DELAYBLACKLISTLOAD=No

-MODULE_SUFFIX=ko
+MODULE_SUFFIX=

 DISABLE_IPV6=No

@@ -197,20 +195,6 @@ TRACK_PROVIDERS=Yes

 ZONE2ZONE=2

-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -42,7 +42,9 @@ LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=

 LOGALLNEW=

@@ -68,8 +70,6 @@ TC=

 IPSET=

-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 SHOREWALL_SHELL=/bin/sh
@@ -109,7 +109,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

 IP_FORWARDING=On

-ADD_IP_ALIASES=No
+ADD_IP_ALIASES=Yes

 ADD_SNAT_ALIASES=No

@@ -119,8 +119,6 @@ TC_ENABLED=Internal

 TC_EXPERT=No

-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes

 MARK_IN_FORWARD_CHAIN=No
@@ -139,7 +137,7 @@ BLACKLISTNEWONLY=Yes

 DELAYBLACKLISTLOAD=No

-MODULE_SUFFIX=ko
+MODULE_SUFFIX=

 DISABLE_IPV6=No

@@ -197,20 +195,6 @@ TRACK_PROVIDERS=Yes

 ZONE2ZONE=2

-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -49,7 +49,9 @@ LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=

 LOGALLNEW=

@@ -75,8 +77,6 @@ TC=

 IPSET=

-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 SHOREWALL_SHELL=/bin/sh
@@ -116,7 +116,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

 IP_FORWARDING=On

-ADD_IP_ALIASES=No
+ADD_IP_ALIASES=Yes

 ADD_SNAT_ALIASES=No

@@ -126,8 +126,6 @@ TC_ENABLED=Internal

 TC_EXPERT=No

-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes

 MARK_IN_FORWARD_CHAIN=No
@@ -146,7 +144,7 @@ BLACKLISTNEWONLY=Yes

 DELAYBLACKLISTLOAD=No

-MODULE_SUFFIX=ko
+MODULE_SUFFIX=

 DISABLE_IPV6=No

@@ -204,20 +202,6 @@ TRACK_PROVIDERS=Yes

 ZONE2ZONE=2

-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/Universal/interfaces
+++ b/Samples6/Universal/interfaces
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Interfaces File
-#
-# For information about entries in this file, type "man shorewall-interfaces"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-interfaces.html
-#
-###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-	lo		-		ignore
-net	all		-		dhcp,physical=+,routeback
-
--- a/Samples6/Universal/policy
+++ b/Samples6/Universal/policy
@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Policy File
-#
-# For information about entries in this file, type "man shorewall-policy"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-policy.html
-#
-###############################################################################
-#SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
-#				LEVEL	BURST		MASK
-fw	net	ACCEPT
-net	all	DROP
-
--- a/Samples6/Universal/rules
+++ b/Samples6/Universal/rules
@@ -1,17 +0,0 @@
-#
-# Shorewall version 4 - Rules File
-#
-# For information on the settings in this file, type "man shorewall-rules"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-rules.html
-#
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION ESTABLISHED
-#SECTION RELATED
-SECTION NEW
-
-SSH(ACCEPT)	net		$FW
-Ping(ACCEPT)	net		$FW
--- a/Samples6/Universal/shorewall6.conf
+++ b/Samples6/Universal/shorewall6.conf
@@ -1,168 +0,0 @@
-###############################################################################
-#
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
-#
-#  For information about the settings in this file, type "man shorewall6.conf"
-#
-#  Manpage also online at
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
-###############################################################################
-#		       S T A R T U P   E N A B L E D
-###############################################################################
-
-STARTUP_ENABLED=Yes
-
-###############################################################################
-#		              V E R B O S I T Y
-###############################################################################
-
-VERBOSITY=1
-
-###############################################################################
-#			       L O G G I N G
-###############################################################################
-
-LOGFILE=
-
-STARTUP_LOG=/var/log/shorewall6-init.log
-
-LOG_VERBOSITY=2
-
-LOGFORMAT="Shorewall:%s:%s:"
-
-LOGTAGONLY=No
-
-LOGLIMIT=
-
-LOGALLNEW=
-
-BLACKLIST_LOGLEVEL=
-
-TCP_FLAGS_LOG_LEVEL=info
-
-SMURF_LOG_LEVEL=info
-
-###############################################################################
-#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
-###############################################################################
-
-IP6TABLES=
-
-IP=
-
-TC=
-
-IPSET=
-
-PERL=/usr/bin/perl
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-SHOREWALL_SHELL=/bin/sh
-
-SUBSYSLOCK=
-
-MODULESDIR=
-
-CONFIG_PATH=/usr/share/shorewall6:/usr/share/shorewall
-
-RESTOREFILE=
-
-LOCKFILE=
-
-###############################################################################
-#		D E F A U L T   A C T I O N S / M A C R O S
-###############################################################################
-
-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
-ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
-NFQUEUE_DEFAULT="none"
-
-###############################################################################
-#                        R S H / R C P  C O M M A N D S
-###############################################################################
-
-RSH_COMMAND='ssh ${root}@${system} ${command}'
-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
-
-###############################################################################
-#			F I R E W A L L	  O P T I O N S
-###############################################################################
-
-IP_FORWARDING=Off
-
-TC_ENABLED=No
-
-TC_EXPERT=No
-
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-MODULE_SUFFIX=ko
-
-FASTACCEPT=Yes
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-OPTIMIZE=15
-
-EXPORTPARAMS=Yes
-
-EXPAND_POLICIES=Yes
-
-KEEP_RT_TABLES=Yes
-
-DELETE_THEN_ADD=Yes
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
-
-AUTOMAKE=No
-
-WIDE_TC_MARKS=Yes
-
-TRACK_PROVIDERS=Yes
-
-ZONE2ZONE=2
-
-ACCOUNTING=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-DYNAMIC_BLACKLIST=Yes
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=Yes
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=Yes
-
-###############################################################################
-#			P A C K E T   D I S P O S I T I O N
-###############################################################################
-
-BLACKLIST_DISPOSITION=DROP
-
-TCP_FLAGS_DISPOSITION=DROP
-
-#LAST LINE -- DO NOT REMOVE
--- a/Samples6/Universal/zones
+++ b/Samples6/Universal/zones
@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Zones File
-#
-# For information about this file, type "man shorewall-zones"
-#
-# The manpage is also online at
-# http://www.shorewall.net/manpages/shorewall-zones.html
-#
-###############################################################################
-#ZONE	TYPE		OPTIONS		IN			OUT
-#					OPTIONS			OPTIONS
-fw	firewall
-net	ip
-
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -40,7 +40,9 @@ LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=

 LOGALLNEW=

@@ -56,8 +58,6 @@ SMURF_LOG_LEVEL=info

 IP6TABLES=

-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 SHOREWALL_SHELL=/bin/sh
@@ -99,8 +99,6 @@ TC_ENABLED=No

 TC_EXPERT=No

-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes

 MARK_IN_FORWARD_CHAIN=No
@@ -113,7 +111,7 @@ ADMINISABSENTMINDED=Yes

 BLACKLISTNEWONLY=Yes

-MODULE_SUFFIX=ko
+MODULE_SUFFIX=

 FASTACCEPT=No

@@ -145,21 +143,7 @@ TRACK_PROVIDERS=Yes

 ZONE2ZONE=2

-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
-##############################################################################
+###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

--- a/Samples6/three-interfaces/interfaces
+++ b/Samples6/three-interfaces/interfaces
@@ -12,6 +12,6 @@
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags,forward=1
-loc     eth1            detect          tcpflags,forward=1
-dmz     eth2            detect		tcpflags,forward=1
+net     eth0            detect          tcpflags
+loc     eth1            detect          tcpflags
+dmz     eth2            detect
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -40,7 +40,9 @@ LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=

 LOGALLNEW=

@@ -56,8 +58,6 @@ SMURF_LOG_LEVEL=info

 IP6TABLES=

-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 SHOREWALL_SHELL=/bin/sh
@@ -99,8 +99,6 @@ TC_ENABLED=No

 TC_EXPERT=No

-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes

 MARK_IN_FORWARD_CHAIN=No
@@ -113,7 +111,7 @@ ADMINISABSENTMINDED=Yes

 BLACKLISTNEWONLY=Yes

-MODULE_SUFFIX=ko
+MODULE_SUFFIX=

 FASTACCEPT=No

@@ -145,20 +143,6 @@ TRACK_PROVIDERS=Yes

 ZONE2ZONE=2

-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/two-interfaces/interfaces
+++ b/Samples6/two-interfaces/interfaces
@@ -12,5 +12,5 @@
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags,forward=1
-loc     eth1            detect          tcpflags,forward=1
+net     eth0            detect          tcpflags
+loc     eth1            detect          tcpflags
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-# Shorewall version 4.4 - Sample shorewall.conf for one-interface configuration.
+# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
@@ -40,7 +40,9 @@ LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=

 LOGALLNEW=

@@ -56,8 +58,6 @@ SMURF_LOG_LEVEL=info

 IP6TABLES=

-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 SHOREWALL_SHELL=/bin/sh
@@ -99,8 +99,6 @@ TC_ENABLED=No

 TC_EXPERT=No

-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes

 MARK_IN_FORWARD_CHAIN=No
@@ -113,7 +111,7 @@ ADMINISABSENTMINDED=Yes

 BLACKLISTNEWONLY=Yes

-MODULE_SUFFIX=ko
+MODULE_SUFFIX=

 FASTACCEPT=No

@@ -145,20 +143,6 @@ TRACK_PROVIDERS=Yes

 ZONE2ZONE=2

-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall-init/COPYING
+++ b/Shorewall-init/COPYING
@@ -1,340 +0,0 @@
-		    GNU GENERAL PUBLIC LICENSE
-		       Version 2, June 1991
-
- Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-			    Preamble
-
-  The licenses for most software are designed to take away your
-freedom to share and change it.  By contrast, the GNU General Public
-License is intended to guarantee your freedom to share and change free
-software--to make sure the software is free for all its users.  This
-General Public License applies to most of the Free Software
-Foundation's software and to any other program whose authors commit to
-using it.  (Some other Free Software Foundation software is covered by
-the GNU Library General Public License instead.)  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-this service if you wish), that you receive source code or can get it
-if you want it, that you can change the software or use pieces of it
-in new free programs; and that you know you can do these things.
-
-  To protect your rights, we need to make restrictions that forbid
-anyone to deny you these rights or to ask you to surrender the rights.
-These restrictions translate to certain responsibilities for you if you
-distribute copies of the software, or if you modify it.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must give the recipients all the rights that
-you have.  You must make sure that they, too, receive or can get the
-source code.  And you must show them these terms so they know their
-rights.
-
-  We protect your rights with two steps: (1) copyright the software, and
-(2) offer you this license which gives you legal permission to copy,
-distribute and/or modify the software.
-
-  Also, for each author's protection and ours, we want to make certain
-that everyone understands that there is no warranty for this free
-software.  If the software is modified by someone else and passed on, we
-want its recipients to know that what they have is not the original, so
-that any problems introduced by others will not reflect on the original
-authors' reputations.
-
-  Finally, any free program is threatened constantly by software
-patents.  We wish to avoid the danger that redistributors of a free
-program will individually obtain patent licenses, in effect making the
-program proprietary.  To prevent this, we have made it clear that any
-patent must be licensed for everyone's free use or not licensed at all.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-		    GNU GENERAL PUBLIC LICENSE
-   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
-
-  0. This License applies to any program or other work which contains
-a notice placed by the copyright holder saying it may be distributed
-under the terms of this General Public License.  The "Program", below,
-refers to any such program or work, and a "work based on the Program"
-means either the Program or any derivative work under copyright law:
-that is to say, a work containing the Program or a portion of it,
-either verbatim or with modifications and/or translated into another
-language.  (Hereinafter, translation is included without limitation in
-the term "modification".)  Each licensee is addressed as "you".
-
-Activities other than copying, distribution and modification are not
-covered by this License; they are outside its scope.  The act of
-running the Program is not restricted, and the output from the Program
-is covered only if its contents constitute a work based on the
-Program (independent of having been made by running the Program).
-Whether that is true depends on what the Program does.
-
-  1. You may copy and distribute verbatim copies of the Program's
-source code as you receive it, in any medium, provided that you
-conspicuously and appropriately publish on each copy an appropriate
-copyright notice and disclaimer of warranty; keep intact all the
-notices that refer to this License and to the absence of any warranty;
-and give any other recipients of the Program a copy of this License
-along with the Program.
-
-You may charge a fee for the physical act of transferring a copy, and
-you may at your option offer warranty protection in exchange for a fee.
-
-  2. You may modify your copy or copies of the Program or any portion
-of it, thus forming a work based on the Program, and copy and
-distribute such modifications or work under the terms of Section 1
-above, provided that you also meet all of these conditions:
-
-    a) You must cause the modified files to carry prominent notices
-    stating that you changed the files and the date of any change.
-
-    b) You must cause any work that you distribute or publish, that in
-    whole or in part contains or is derived from the Program or any
-    part thereof, to be licensed as a whole at no charge to all third
-    parties under the terms of this License.
-
-    c) If the modified program normally reads commands interactively
-    when run, you must cause it, when started running for such
-    interactive use in the most ordinary way, to print or display an
-    announcement including an appropriate copyright notice and a
-    notice that there is no warranty (or else, saying that you provide
-    a warranty) and that users may redistribute the program under
-    these conditions, and telling the user how to view a copy of this
-    License.  (Exception: if the Program itself is interactive but
-    does not normally print such an announcement, your work based on
-    the Program is not required to print an announcement.)
-
-These requirements apply to the modified work as a whole.  If
-identifiable sections of that work are not derived from the Program,
-and can be reasonably considered independent and separate works in
-themselves, then this License, and its terms, do not apply to those
-sections when you distribute them as separate works.  But when you
-distribute the same sections as part of a whole which is a work based
-on the Program, the distribution of the whole must be on the terms of
-this License, whose permissions for other licensees extend to the
-entire whole, and thus to each and every part regardless of who wrote it.
-
-Thus, it is not the intent of this section to claim rights or contest
-your rights to work written entirely by you; rather, the intent is to
-exercise the right to control the distribution of derivative or
-collective works based on the Program.
-
-In addition, mere aggregation of another work not based on the Program
-with the Program (or with a work based on the Program) on a volume of
-a storage or distribution medium does not bring the other work under
-the scope of this License.
-
-  3. You may copy and distribute the Program (or a work based on it,
-under Section 2) in object code or executable form under the terms of
-Sections 1 and 2 above provided that you also do one of the following:
-
-    a) Accompany it with the complete corresponding machine-readable
-    source code, which must be distributed under the terms of Sections
-    1 and 2 above on a medium customarily used for software interchange; or,
-
-    b) Accompany it with a written offer, valid for at least three
-    years, to give any third party, for a charge no more than your
-    cost of physically performing source distribution, a complete
-    machine-readable copy of the corresponding source code, to be
-    distributed under the terms of Sections 1 and 2 above on a medium
-    customarily used for software interchange; or,
-
-    c) Accompany it with the information you received as to the offer
-    to distribute corresponding source code.  (This alternative is
-    allowed only for noncommercial distribution and only if you
-    received the program in object code or executable form with such
-    an offer, in accord with Subsection b above.)
-
-The source code for a work means the preferred form of the work for
-making modifications to it.  For an executable work, complete source
-code means all the source code for all modules it contains, plus any
-associated interface definition files, plus the scripts used to
-control compilation and installation of the executable.  However, as a
-special exception, the source code distributed need not include
-anything that is normally distributed (in either source or binary
-form) with the major components (compiler, kernel, and so on) of the
-operating system on which the executable runs, unless that component
-itself accompanies the executable.
-
-If distribution of executable or object code is made by offering
-access to copy from a designated place, then offering equivalent
-access to copy the source code from the same place counts as
-distribution of the source code, even though third parties are not
-compelled to copy the source along with the object code.
-
-  4. You may not copy, modify, sublicense, or distribute the Program
-except as expressly provided under this License.  Any attempt
-otherwise to copy, modify, sublicense or distribute the Program is
-void, and will automatically terminate your rights under this License.
-However, parties who have received copies, or rights, from you under
-this License will not have their licenses terminated so long as such
-parties remain in full compliance.
-
-  5. You are not required to accept this License, since you have not
-signed it.  However, nothing else grants you permission to modify or
-distribute the Program or its derivative works.  These actions are
-prohibited by law if you do not accept this License.  Therefore, by
-modifying or distributing the Program (or any work based on the
-Program), you indicate your acceptance of this License to do so, and
-all its terms and conditions for copying, distributing or modifying
-the Program or works based on it.
-
-  6. Each time you redistribute the Program (or any work based on the
-Program), the recipient automatically receives a license from the
-original licensor to copy, distribute or modify the Program subject to
-these terms and conditions.  You may not impose any further
-restrictions on the recipients' exercise of the rights granted herein.
-You are not responsible for enforcing compliance by third parties to
-this License.
-
-  7. If, as a consequence of a court judgment or allegation of patent
-infringement or for any other reason (not limited to patent issues),
-conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot
-distribute so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you
-may not distribute the Program at all.  For example, if a patent
-license would not permit royalty-free redistribution of the Program by
-all those who receive copies directly or indirectly through you, then
-the only way you could satisfy both it and this License would be to
-refrain entirely from distribution of the Program.
-
-If any portion of this section is held invalid or unenforceable under
-any particular circumstance, the balance of the section is intended to
-apply and the section as a whole is intended to apply in other
-circumstances.
-
-It is not the purpose of this section to induce you to infringe any
-patents or other property right claims or to contest validity of any
-such claims; this section has the sole purpose of protecting the
-integrity of the free software distribution system, which is
-implemented by public license practices.  Many people have made
-generous contributions to the wide range of software distributed
-through that system in reliance on consistent application of that
-system; it is up to the author/donor to decide if he or she is willing
-to distribute software through any other system and a licensee cannot
-impose that choice.
-
-This section is intended to make thoroughly clear what is believed to
-be a consequence of the rest of this License.
-
-  8. If the distribution and/or use of the Program is restricted in
-certain countries either by patents or by copyrighted interfaces, the
-original copyright holder who places the Program under this License
-may add an explicit geographical distribution limitation excluding
-those countries, so that distribution is permitted only in or among
-countries not thus excluded.  In such case, this License incorporates
-the limitation as if written in the body of this License.
-
-  9. The Free Software Foundation may publish revised and/or new versions
-of the General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-Each version is given a distinguishing version number.  If the Program
-specifies a version number of this License which applies to it and "any
-later version", you have the option of following the terms and conditions
-either of that version or of any later version published by the Free
-Software Foundation.  If the Program does not specify a version number of
-this License, you may choose any version ever published by the Free Software
-Foundation.
-
-  10. If you wish to incorporate parts of the Program into other free
-programs whose distribution conditions are different, write to the author
-to ask for permission.  For software which is copyrighted by the Free
-Software Foundation, write to the Free Software Foundation; we sometimes
-make exceptions for this.  Our decision will be guided by the two goals
-of preserving the free status of all derivatives of our free software and
-of promoting the sharing and reuse of software generally.
-
-			    NO WARRANTY
-
-  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-REPAIR OR CORRECTION.
-
-  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-POSSIBILITY OF SUCH DAMAGES.
-
-		     END OF TERMS AND CONDITIONS
-
-	    How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-convey the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) 19yy  <name of author>
-
-    This program is free software; you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation; either version 2 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program; if not, write to the Free Software
-    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
-
-
-Also add information on how to contact you by electronic and paper mail.
-
-If the program is interactive, make it output a short notice like this
-when it starts in an interactive mode:
-
-    Gnomovision version 69, Copyright (C) 19yy name of author
-    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, the commands you use may
-be called something other than `show w' and `show c'; they could even be
-mouse-clicks or menu items--whatever suits your program.
-
-You should also get your employer (if you work as a programmer) or your
-school, if any, to sign a "copyright disclaimer" for the program, if
-necessary.  Here is a sample; alter the names:
-
-  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
-  `Gnomovision' (which makes passes at compilers) written by James Hacker.
-
-  <signature of Ty Coon>, 1 April 1989
-  Ty Coon, President of Vice
-
-This General Public License does not permit incorporating your program into
-proprietary programs.  If your program is a subroutine library, you may
-consider it more useful to permit linking proprietary applications with the
-library.  If this is what you want to do, use the GNU Library General
-Public License instead of this License.
--- a/Shorewall-init/README.txt
+++ b/Shorewall-init/README.txt
@@ -1 +0,0 @@
-This is the Shorewall-init stable 4.4 branch of Git.
--- a/Shorewall-init/ifupdown.sh
+++ b/Shorewall-init/ifupdown.sh
@@ -1,104 +0,0 @@
-#!/bin/sh
-#
-# ifupdown script for Shorewall-based products
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-
-IFUPDOWN=0
-PRODUCTS=
-
-if [ -f /etc/default/shorewall-init ]; then
-    . /etc/default/shorewall-init
-elif [ -f /etc/sysconfig/shorewall-init ]; then
-    . /etc/sysconfig/shorewall-init
-fi
-
-[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
-
-if [ -f /etc/debian_version ]; then
-    #
-    # Debian ifupdown system
-    #
-    if [ "$MODE" = start ]; then
-	COMMAND=up
-    elif [ "$MODE" = stop ]; then
-	COMMAND=down
-    else
-	exit 0
-    fi
-
-    case "$PHASE" in
-	pre-*)
-	    exit 0
-	    ;;
-    esac
-elif [ -f /etc/SuSE-release ]; then
-    #
-    # SuSE ifupdown system
-    #
-    IFACE="$2"
-
-    case $0 in
-	*if-up.d*)
-	    COMMAND=up
-	    ;;
-	*if-down.d*)
-	    COMMAND=down
-	    ;;
-	*)
-	    exit 0
-	    ;;
-    esac
-else
-    #
-    # Assume RedHat/Fedora/CentOS/Foobar/...
-    #
-    IFACE="$1"
-    
-    case $0 in 
-	*ifup*)
-	    COMMAND=up
-	    ;;
-	*ifdown*)
-	    COMMAND=down
-	    ;;
-	*dispatcher.d*)
-	    COMMAND="$2"
-	    ;;
-	*)
-	    exit 0
-	    ;;
-    esac
-fi
-
-for PRODUCT in $PRODUCTS; do
-    VARDIR=/var/lib/$PRODUCT
-    [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
-    if [ -x $VARDIR/firewall ]; then
-	  ( . /usr/share/$PRODUCT/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall -V0 $COMMAND $IFACE || echo_notdone
-	    mutex_off
-	  )
-    fi
-done
-
-exit 0
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -1,146 +0,0 @@
-#!/bin/sh
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       On most distributions, this file should be called /etc/init.d/shorewall.
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-### BEGIN INIT INFO
-# Provides:          shorewall-init
-# Required-Start:    $local_fs
-# X-Start-Before:    $network
-# Required-Stop:     $local_fs
-# X-Stop-After:      $network
-# Default-Start:     S
-# Default-Stop:      0 6
-# Short-Description: Initialize the firewall at boot time
-# Description:       Place the firewall in a safe state at boot time prior to
-#                    bringing up the network
-### END INIT INFO
-
-export VERBOSITY=0
-
-if [ "$(id -u)" != "0" ]
-then
-  echo "You must be root to start, stop or restart \"Shorewall \"."
-  exit 1
-fi
-
-echo_notdone () {
-  echo "not done."
-  exit 1
-}
-
-not_configured () {
-	echo "#### WARNING ####"
-	echo "the firewall won't be initialized unless it is configured"
-	if [ "$1" != "stop" ]
-	then
-		echo ""
-		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall-init/README.Debian.gz."
-	fi
-	echo "#################"
-	exit 0
-}
-
-# check if shorewall-init is configured or not
-if [ -f "/etc/default/shorewall-init" ]
-then
-	. /etc/default/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		not_configured
-	fi
-else
-	not_configured
-fi
-
-# Initialize the firewall
-shorewall_start () {
-  local product
-  local VARDIR
-
-  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  #
-	  # Run in a sub-shell to avoid name collisions
-	  #
-	  ( 
-	      . /usr/share/$product/lib.base
-	      #
-	      # Get mutex so the firewall state is stable
-	      #
-	      mutex_on
-	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/firewall stop || echo_notdone
-	      fi
-	      mutex_off
-	  )
-      fi
-  done
-
-  echo "done."
-
-  return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-  local product
-  local VARDIR
-
-  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  ( . /usr/share/$product/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall clear || echo_notdone
-	    mutex_off
-	  )
-      fi
-  done
-
-  echo "done."
-
-  return 0
-}
-
-case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  reload|force-reload)
-     ;;
-  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop|reload|force-reload}"
-     exit 1
-esac
-
-exit 0
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -1,104 +0,0 @@
-#! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       On most distributions, this file should be called /etc/init.d/shorewall.
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# chkconfig: - 09 91
-#
-### BEGIN INIT INFO
-# Provides: shorewall-init
-# Required-start: $local_fs
-# Required-stop:  $local_fs
-# Default-Start:  2 3 5
-# Default-Stop:
-# Short-Description: Initialize the firewall at boot time
-# Description:       Place the firewall in a safe state at boot time
-#                    prior to bringing up the network.  
-### END INIT INFO
-
-if [ "$(id -u)" != "0" ]
-then
-  echo "You must be root to start, stop or restart \"Shorewall \"."
-  exit 1
-fi
-
-# check if shorewall-init is configured or not
-if [ -f "/etc/sysconfig/shorewall-init" ]
-then
-	. /etc/sysconfig/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		exit 0
-	fi
-else
-	exit 0
-fi
-
-# Initialize the firewall
-shorewall_start () {
-  local PRODUCT
-  local VARDIR
-
-  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${VARDIR}/firewall ]; then
-	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || echo_notdone
-	  fi
-      fi
-  done
-
-  return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-  local PRODUCT
-  local VARDIR
-
-  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || exit 1
-      fi
-  done
-
-  return 0
-}
-
-case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
-     exit 1
-esac
-
-exit 0
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -1,336 +0,0 @@
-#!/bin/sh
-#
-# Script to install Shoreline Firewall Init
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
-#     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
-#
-#       Shorewall documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-
-VERSION=4.4.13.2
-
-usage() # $1 = exit status
-{
-    ME=$(basename $0)
-    echo "usage: $ME"
-    echo "       $ME -v"
-    echo "       $ME -h"
-    exit $1
-}
-
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-run_install()
-{
-    if ! install $*; then
-	echo
-	echo "ERROR: Failed to install $*" >&2
-	exit 1
-    fi
-}
-
-cant_autostart()
-{
-    echo
-    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
-}
-
-delete_file() # $1 = file to delete
-{
-    rm -f $1
-}
-
-install_file() # $1 = source $2 = target $3 = mode
-{
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
-}
-
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
-#
-# Parse the run line
-#
-# DEST is the SysVInit script directory
-# INIT is the name of the script in the $DEST directory
-# ARGS is "yes" if we've already parsed an argument
-#
-ARGS=""
-
-if [ -z "$DEST" ] ; then
-	DEST="/etc/init.d"
-fi
-
-if [ -z "$INIT" ] ; then
-	INIT="shorewall-init"
-fi
-
-while [ $# -gt 0 ] ; do
-    case "$1" in
-	-h|help|?)
-	    usage 0
-	    ;;
-        -v)
-	    echo "Shorewall Init Installer Version $VERSION"
-	    exit 0
-	    ;;
-	*)
-	    usage 1
-	    ;;
-    esac
-    shift
-    ARGS="yes"
-done
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-#
-# Determine where to install the firewall script
-#
-
-case $(uname) in
-    Darwin)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=wheel
-	T=
-	;;	
-    *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
-	;;
-esac
-
-OWNERSHIP="-o $OWNER -g $GROUP"
-
-if [ -n "$DESTDIR" ]; then
-    if [ `id -u` != 0 ] ; then
-	echo "Not setting file owner/group permissions, not running as root."
-	OWNERSHIP=""
-    fi
-    
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-elif [ -f /etc/debian_version ]; then
-    DEBIAN=yes
-elif [ -f /etc/SuSE-release ]; then
-    SUSE=Yes
-elif [ -f /etc/slackware-version ] ; then
-    echo "Shorewall-init is currently not supported on Slackware" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="rc.firewall"
-elif [ -f /etc/arch-release ] ; then
-    echo "Shorewall-init is currently not supported on Arch Linux" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="shorewall-init"
-#   ARCHLINUX=yes
-elif [ -d /etc/sysconfig/network-scripts/ ]; then
-    #
-    # Assume RedHat-based
-    #
-    REDHAT=Yes
-else
-    echo "Unknown distribution: Shorewall-init support is not available" >&2
-    exit 1
-fi
-
-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
-echo "Installing Shorewall Init Version $VERSION"
-
-#
-# Check for /usr/share/shorewall-init/version
-#
-if [ -f ${DESTDIR}/usr/share/shorewall-init/version ]; then
-    first_install=""
-else
-    first_install="Yes"
-fi
-
-#
-# Install the Init Script
-#
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-#elif [ -n "$ARCHLINUX" ]; then
-#    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
-fi
-
-echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
-
-#
-# Create /usr/share/shorewall-init if needed
-#
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
-chmod 755 ${DESTDIR}/usr/share/shorewall-init
-
-#
-# Create the version file
-#
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
-
-#
-# Remove and create the symbolic link to the init script
-#
-if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-init/init
-    ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
-fi
-
-if [ -n "$DEBIAN" ]; then
-    if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
-    fi
-
-    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
-	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}/etc/default
-	fi
-
-	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
-    fi
-else
-    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}/etc/sysconfig
-
-	if [ -z "$RPM" ]; then
-	    if [ -n "$SUSE" ]; then
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
-	    else
-		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
-	    fi
-	fi
-    fi
-
-    if [ -d ${DESTDIR}/etc/sysconfig -a ! -f ${DESTDIR}/etc/sysconfig/shorewall-init ]; then
-	install_file sysconfig ${DESTDIR}/etc/sysconfig/shorewall-init 0644
-    fi 
-fi
-
-#
-# Install the ifupdown script
-#
-
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
-
-install_file ifupdown.sh ${DESTDIR}/usr/share/shorewall-init/ifupdown 0544
-
-if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
-fi
-
-if [ -n "$DEBIAN" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
-elif [ -n "$SUSE" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
-elif [ -n "$REDHAT" ]; then
-    if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
-	echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
-    else
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
-    fi
-fi
-
-if [ -z "$DESTDIR" ]; then
-    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall-init
-	    else
-		ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
-	    fi
-
-	    echo "Shorewall Init will start automatically at boot"
-	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/shorewall-init ; then
-		    echo "Shorewall Init will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add shorewall-init ; then
-		    echo "Shorewall Init will start automatically in run levels as follows:"
-		    chkconfig --list shorewall-init
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add shorewall-init default; then
-		    echo "Shorewall Init will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
-		cant_autostart
-	    fi
-	fi
-    fi
-else
-    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
-	    if [ -n "${DESTDIR}" ]; then
-		mkdir -p ${DESTDIR}/etc/rcS.d
-	    fi
-
-	    ln -sf ../init.d/shorewall-init ${DESTDIR}/etc/rcS.d/S38shorewall-init
-	    echo "Shorewall Init will start automatically at boot"
-	fi
-    fi
-fi
-
-#
-#  Report Success
-#
-echo "shorewall Init Version $VERSION Installed"
--- a/Shorewall-init/shorewall-init.spec
+++ b/Shorewall-init/shorewall-init.spec
@@ -1,160 +0,0 @@
-%define name shorewall-init
-%define version 4.4.13
-%define release 2
-
-Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
-Name: %{name}
-Version: %{version}
-Release: %{release}
-License: GPLv2
-Packager: Tom Eastep <teastep@shorewall.net>
-Group: Networking/Utilities
-Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
-BuildArch: noarch
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-Requires: shoreline_firewall >= 4.4.10
-
-%description
-
-The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
-(iptables) based firewall that can be used on a dedicated firewall system,
-a multi-function gateway/ router/server or on a standalone GNU/Linux system.
-
-Shorewall Init is a companion product to Shorewall that allows for tigher
-control of connections during boot and that integrates Shorewall with
-ifup/ifdown and NetworkManager.
-
-%prep
-
-%setup
-
-%build
-
-%install
-export DESTDIR=$RPM_BUILD_ROOT ; \
-export OWNER=`id -n -u` ; \
-export GROUP=`id -n -g` ;\
-./install.sh
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%post
-
-if [ $1 -eq 1 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv /etc/rc.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --add shorewall-init;
-    fi
-fi
-
-if [ -f /etc/SuSE-release ]; then
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-up.d/shorewall
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-down.d/shorewall
-else
-    if [ -f /sbin/ifup-local -o -f /sbin/ifdown-local ]; then
-	if ! grep -q Shorewall /sbin/ifup-local || ! grep -q Shorewall /sbin/ifdown-local; then
-	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; ifup/ifdown events will not be handled" >&2
-	else
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-	fi
-    else
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-    fi
-
-    if [ -d /etc/NetworkManager/dispatcher.d/ ]; then
-	cp -pf /usr/share/shorewall-init/ifupdown /etc/NetworkManager/dispatcher.d/01-shorewall
-    fi
-fi
-
-%preun
-
-if [ $1 -eq 0 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv -r /etc/init.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --del shorewall-init
-    fi
-
-    [ -f /sbin/ifup-local ]   && grep -q Shorewall /sbin/ifup-local   && rm -f /sbin/ifup-local
-    [ -f /sbin/ifdown-local ] && grep -q Shorewall /sbin/ifdown-local && rm -f /sbin/ifdown-local
-
-    rm -f /etc/NetworkManager/dispatcher.d/01-shorewall
-fi
-
-%files
-%defattr(0644,root,root,0755)
-%attr(0644,root,root) %config(noreplace) /etc/sysconfig/shorewall-init
-
-%attr(0544,root,root) /etc/init.d/shorewall-init
-%attr(0755,root,root) %dir /usr/share/shorewall-init
-
-%attr(0644,root,root) /usr/share/shorewall-init/version
-%attr(0544,root,root) /usr/share/shorewall-init/ifupdown
-
-%doc COPYING changelog.txt releasenotes.txt
-
-%changelog
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-2
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Tue May 18 2010 Tom Eastep tom@shorewall.net
- Initial version
-
-
-
--- a/Shorewall-init/sysconfig
+++ b/Shorewall-init/sysconfig
@@ -1,12 +0,0 @@
-# List the Shorewall products that Shorewall-init is to
-# initialize (space-separated list).
-#
-# Sample: PRODUCTS="shorewall shorewall6"
-#
-PRODUCTS=""
-
-#
-# Set this to 1 if you want Shorewall-init to react to 
-# ifup/ifdown and NetworkManager events
-#
-IFUPDOWN=0
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,97 +0,0 @@
-#!/bin/sh
-#
-# Script to back uninstall Shoreline Firewall
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
-#
-#       Shorewall documentation is available at http://shorewall.sourceforge.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#    Usage:
-#
-#       You may only use this script to uninstall the version
-#       shown below. Simply run this script to remove Shorewall Firewall
-
-VERSION=4.4.13.2
-
-usage() # $1 = exit status
-{
-    ME=$(basename $0)
-    echo "usage: $ME"
-    exit $1
-}
-
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-remove_file() # $1 = file to restore
-{
-    if [ -f $1 -o -L $1 ] ; then
-	rm -f $1
-	echo "$1 Removed"
-    fi
-}
-
-if [ -f /usr/share/shorewall-init/version ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall-init/version)"
-    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
-	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
-	echo "         and this is the $VERSION uninstaller."
-	VERSION="$INSTALLED_VERSION"
-    fi
-else
-    echo "WARNING: Shorewall Init Version $VERSION is not installed"
-    VERSION=""
-fi
-
-echo "Uninstalling Shorewall Init $VERSION"
-
-INITSCRIPT=/etc/init.d/shorewall-init
-
-if [ -n "$INITSCRIPT" ]; then
-    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-        insserv -r $INITSCRIPT
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-	chkconfig --del $(basename $INITSCRIPT)
-    else
-	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
-    fi
-
-    remove_file $INITSCRIPT
-fi
-
-[ "$(readlink -m -q /sbin/ifup-local)"   = /usr/share/shorewall-init ] && remove_file /sbin/ifup-local
-[ "$(readlink -m -q /sbin/ifdown-local)" = /usr/share/shorewall-init ] && remove_file /sbin/ifdown-local
-
-remove_file /etc/default/shorewall-init
-remove_file /etc/sysconfig/shorewall-init
-
-remove_file /etc/NetworkManager/dispatcher.d/01-shorewall
-
-remove_file /etc/network/if-up.d/shorewall
-remove_file /etc/network/if-down.d/shorewall
-
-remove_file /etc/sysconfig/network/if-up.d/shorewall
-remove_file /etc/sysconfig/network/if-down.d/shorewall
-
-rm -rf /usr/share/shorewall-init
-
-echo "Shorewall Init Uninstalled"
-
-
--- a/Shorewall-lite/README.txt
+++ b/Shorewall-lite/README.txt
@@ -1 +1 @@
-This is the Shorewall-lite stable 4.4 branch of Git.
+This is the Shorewall-lite development 4.3 branch of SVN.
--- a/Shorewall-lite/default.debian
+++ b/Shorewall-lite/default.debian
@@ -26,11 +26,4 @@ OPTIONS=""
 #
 INITLOG=/dev/null

-#
-# Set this to 1 to cause '/etc/init.d/shorewall-lite stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@@ -0,0 +1,104 @@
+#!/bin/sh
+#
+# Script to back out the installation of Shorewall Lite and to restore the previous version of
+# the program
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#    Usage:
+#
+#       You may only use this script to back out the installation of the version
+#       shown below. Simply run this script to revert to your prior version of
+#       Shoreline Firewall.
+
+VERSION=4.4.4.3
+
+usage() # $1 = exit status
+{
+    echo "usage: $(basename $0)"
+    exit $1
+}
+
+restore_directory() # $1 = directory to restore
+{
+    if [ -d ${1}-${VERSION}.bkout ]; then
+	if mv -f $1 ${1}-${VERSION} && mv ${1}-${VERSION}.bkout $1; then
+	    echo
+	    echo "$1 restored"
+	    rm -rf ${1}-${VERSION}
+	else
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+	fi
+    fi
+}
+
+restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
+{
+    if [ -n "$2" ]; then
+	local file
+	file=$(basename $1)
+
+	if [ -f $2/$file ]; then
+	    if mv -f $2/$file $1 ; then
+		echo
+		echo "$1 restored"
+		return
+	    fi
+
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+        fi
+    fi
+
+    if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
+	if (mv -f ${1}-${VERSION}.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+        fi
+    fi
+}
+
+if [ ! -f /usr/share/shorewall-lite-${VERSION}.bkout/version ]; then
+    echo "Shorewall Version $VERSION is not installed"
+    exit 1
+fi
+
+echo "Backing Out Installation of Shorewall $VERSION"
+
+if [ -L /usr/share/shorewall-lite/init ]; then
+    FIREWALL=$(ls -l /usr/share/shorewall-lite/init | sed 's/^.*> //')
+    restore_file $FIREWALL /usr/share/shorewall-lite-${VERSION}.bkout
+else
+    restore_file /etc/init.d/shorewall /usr/share/shorewall-lite-${VERSION}.bkout
+fi
+
+restore_file /sbin/shorewall /var/lib/shorewall-lite-${VERSION}.bkout
+
+restore_directory /etc/shorewall-lite
+restore_directory /usr/share/shorewall-lite
+restore_directory /var/lib/shorewall-lite
+
+echo "Shorewall Lite Restored to Version $(cat /usr/share/shorewall-lite/version)"
+
+
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -2,8 +2,8 @@

 ### BEGIN INIT INFO
 # Provides:          shorewall-lite
-# Required-Start:    $network $remote_fs
-# Required-Stop:     $network $remote_fs
+# Required-Start:    $network
+# Required-Stop:     $network
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -17,9 +17,10 @@ SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}

-[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
+[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0

 export SHOREWALL_INIT_SCRIPT
+
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
 test -n "$INITLOG" || {
@@ -41,7 +42,6 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
  fi

-  exit 1
 }

 not_configured () {
@@ -87,11 +87,7 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
  echo -n "Stopping \"Shorewall firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
  return 0
 }

--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.13.2
+VERSION=4.4.4.3

 usage() # $1 = exit status
 {
@@ -82,16 +82,15 @@ delete_file() # $1 = file to delete

 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    run_install $OWNERSHIP -m $3 $1 ${2}
 }

-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
+# RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -104,6 +103,10 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall-lite"
 fi

+if [ -z "$RUNLEVELS" ] ; then
+	RUNLEVELS=""
+fi
+
 while [ $# -gt 0 ] ; do
    case "$1" in
 	-h|help|?)
@@ -128,12 +131,10 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 DEBIAN=
 CYGWIN=
-INSTALLD='-D'
-T='-T'

 case $(uname) in
    CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -141,10 +142,6 @@ case $(uname) in
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-    Darwin)
-	INSTALLD=
-	T=
-	;;	   
    *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -153,14 +150,14 @@ esac

 OWNERSHIP="-o $OWNER -g $GROUP"

-if [ -n "$DESTDIR" ]; then
+if [ -n "$PREFIX" ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
    fi
    
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
+    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
    DEBIAN=yes
 elif [ -f /etc/slackware-version ] ; then
@@ -182,186 +179,162 @@ echo "Installing Shorewall Lite Version $VERSION"
 #
 # Check for /etc/shorewall-lite
 #
-if [ -z "$DESTDIR" -a -d /etc/shorewall-lite ]; then
+if [ -z "$PREFIX" -a -d /etc/shorewall-lite ]; then
+    first_install=""
    [ -f /etc/shorewall-lite/shorewall.conf ] && \
 	mv -f /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall-lite.conf
-else
-    rm -rf ${DESTDIR}/etc/shorewall-lite
-    rm -rf ${DESTDIR}/usr/share/shorewall-lite
-    rm -rf ${DESTDIR}/var/lib/shorewall-lite
-fi
-
-#
-# Check for /sbin/shorewall-lite
-#
-if [ -f ${DESTDIR}/sbin/shorewall-lite ]; then
-    first_install=""
 else
    first_install="Yes"
+    rm -rf ${PREFIX}/etc/shorewall-lite
+    rm -rf ${PREFIX}/usr/share/shorewall-lite
+    rm -rf ${PREFIX}/var/lib/shorewall-lite
 fi

-delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
+delete_file ${PREFIX}/usr/share/shorewall-lite/xmodules

-install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
+install_file shorewall-lite ${PREFIX}/sbin/shorewall-lite 0544 ${PREFIX}/var/lib/shorewall-lite-${VERSION}.bkout

-echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
+echo "Shorewall Lite control program installed in ${PREFIX}/sbin/shorewall-lite"

 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh /etc/init.d/shorewall-lite 0544
+    install_file init.debian.sh /etc/init.d/shorewall-lite 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout

 else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 fi

-echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
+echo  "Shorewall Lite script installed in ${PREFIX}${DEST}/$INIT"

 #
 # Create /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall-lite
-mkdir -p ${DESTDIR}/usr/share/shorewall-lite
-mkdir -p ${DESTDIR}/var/lib/shorewall-lite
+mkdir -p ${PREFIX}/etc/shorewall-lite
+mkdir -p ${PREFIX}/usr/share/shorewall-lite
+mkdir -p ${PREFIX}/var/lib/shorewall-lite

-chmod 755 ${DESTDIR}/etc/shorewall-lite
-chmod 755 ${DESTDIR}/usr/share/shorewall-lite
+chmod 755 ${PREFIX}/etc/shorewall-lite
+chmod 755 ${PREFIX}/usr/share/shorewall-lite

-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
 fi

 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf ]; then
-   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${DESTDIR}/etc/shorewall-lite
-   echo "Config file installed as ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf"
+if [ ! -f ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf ]; then
+   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf
+   echo "Config file installed as ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf"
 fi

 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall-lite/shorewall.conf
 fi

 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall-lite
-echo "Makefile installed as ${DESTDIR}/etc/shorewall-lite/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall-lite/Makefile
+echo "Makefile installed as ${PREFIX}/etc/shorewall-lite/Makefile"

 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall-lite/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall-lite/configpath"
+install_file configpath ${PREFIX}/usr/share/shorewall-lite/configpath 0644
+echo "Default config path file installed as ${PREFIX}/usr/share/shorewall-lite/configpath"

 #
 # Install the libraries
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
+	install_file $f ${PREFIX}/usr/share/shorewall-lite/$f 0644
+	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall-lite/$f"
    fi
 done

-ln -sf lib.base ${DESTDIR}/usr/share/shorewall-lite/functions
+ln -sf lib.base ${PREFIX}/usr/share/shorewall-lite/functions

-echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functions"
+echo "Common functions linked through ${PREFIX}/usr/share/shorewall-lite/functions"

 #
 # Install Shorecap
 #

-install_file shorecap ${DESTDIR}/usr/share/shorewall-lite/shorecap 0755
+install_file shorecap ${PREFIX}/usr/share/shorewall-lite/shorecap 0755

 echo
-echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall-lite/shorecap"
+echo "Capability file builder installed in ${PREFIX}/usr/share/shorewall-lite/shorecap"

 #
 # Install wait4ifup
 #

-if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}/usr/share/shorewall-lite/wait4ifup 0755
+install_file wait4ifup ${PREFIX}/usr/share/shorewall-lite/wait4ifup 0755

-    echo
-    echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall-lite/wait4ifup"
-fi
+echo
+echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall-lite/wait4ifup"

 #
 # Install the Modules file
 #
-
-if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall-lite
-    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
-fi
+run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall-lite/modules
+echo "Modules file installed as ${PREFIX}/usr/share/shorewall-lite/modules"

 #
 # Install the Man Pages
 #

-if [ -d manpages ]; then
-    cd manpages
+cd manpages

-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
-
-    for f in *.5; do
+for f in *.5; do
    gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
-    done
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man5/$f.gz"
+done

-    for f in *.8; do
+for f in *.8; do
    gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
-    done
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man8/$f.gz"
+done

-    cd ..
+cd ..

-    echo "Man Pages Installed"
-fi
+echo "Man Pages Installed"

-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall-lite
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall-lite"
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall-lite
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall-lite"
 fi


 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-lite/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-lite/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall-lite/version
+chmod 644 ${PREFIX}/usr/share/shorewall-lite/version
 #
 # Remove and create the symbolic link to the init script
 #

-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
    rm -f /usr/share/shorewall-lite/init
    ln -s ${DEST}/${INIT} /usr/share/shorewall-lite/init
 fi

-if [ -z "$DESTDIR" ]; then
-    touch /var/log/shorewall-lite-init.log
-
-    if [ -n "$first_install" ]; then
+if [ -z "$PREFIX" -a -n "$first_install" ]; then
    if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
-
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall-lite
-	    else
 	ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
-	    fi
-
 	echo "Shorewall Lite will start automatically at boot"
+	touch /var/log/shorewall-init.log
    else
 	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 	    if insserv /etc/init.d/shorewall-lite ; then
@@ -386,7 +359,6 @@ if [ -z "$DESTDIR" ]; then
 	    cant_autostart
 	fi
    fi
-    fi
 fi

 #
--- a/Shorewall-lite/logrotate
+++ b/Shorewall-lite/logrotate
@@ -1,4 +1,4 @@
-/var/log/shorewall-lite-init.log {
+/var/log/shorewall-init.log {
  missingok
  notifempty
  create 0600 root root
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #
@@ -48,19 +48,18 @@
 SHAREDIR=/usr/share/shorewall-lite
 VARDIR=/var/lib/shorewall-lite
 CONFDIR=/etc/shorewall-lite
-g_product="Shorewall Lite"
+PRODUCT="Shorewall Lite"

 . /usr/share/shorewall-lite/lib.base
-. /usr/share/shorewall-lite/lib.cli
 . /usr/share/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-SHOREWALL_VERSION=$(cat /usr/share/shorewall-lite/version)
+VERSION=$(cat /usr/share/shorewall-lite/version)

 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)

-VERBOSITY=0
+VERBOSE=0
 load_kernel_modules No
 determine_capabilities
 report_capabilities1
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall-lite.
 #
@@ -95,7 +95,7 @@ get_config() {

    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
 	LOGREAD="logread | tac"
-    elif [ -r $LOGFILE ]; then
+    elif [ -f $LOGFILE ]; then
 	LOGREAD="tac $LOGFILE"
    else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -117,6 +117,8 @@ get_config() {

    [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"

+    export LOGFORMAT
+
    if [ -n "$IPTABLES" ]; then
 	if [ ! -x "$IPTABLES" ]; then
 	    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
@@ -130,6 +132,8 @@ get_config() {
 	fi
    fi

+    export IPTABLES
+
    if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -x "$SHOREWALL_SHELL" ]; then
 	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
@@ -141,26 +145,15 @@ get_config() {

    validate_restorefile RESTOREFILE

+    export RESTOREFILE
+
    [ -n "${VERBOSITY:=2}" ]

-    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
+    [ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))

-    if [ $VERBOSITY -lt -1 ]; then
-	VERBOSITY=-1
-    elif [ $VERBOSITY -gt 2 ]; then
-	VERBOSITY=2
-    fi
+    export VERBOSE

-    g_hostname=$(hostname 2> /dev/null)
-
-    IP=$(mywhich ip 2> /dev/null)
-    if [ -z "$IP" ] ; then
-	echo "   ERROR: Can't find ip executable" >&2
-	exit 2
-    fi
-
-    IPSET=ipset
-    TC=tc
+    [ -n "${HOSTNAME:=$(hostname)}" ]

 }

@@ -168,13 +161,13 @@ get_config() {
 # Verify that we have a compiled firewall script
 #
 verify_firewall_script() {
-    if [ ! -f $g_firewall ]; then
+    if [ ! -f $FIREWALL ]; then
 	echo "   ERROR: Shorewall Lite is not properly installed" >&2
-	if [ -L $g_firewall ]; then
-	    echo "          $g_firewall is a symbolic link to a" >&2
+	if [ -L $FIREWALL ]; then
+	    echo "          $FIREWALL is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
-	    echo "          The file $g_firewall does not exist" >&2
+	    echo "          The file $FIREWALL does not exist" >&2
 	fi
 	
 	exit 2
@@ -194,7 +187,7 @@ start_command() {
 	[ -n "$nolock" ] || mutex_on

 	if [ -x ${LITEDIR}/firewall ]; then
-	    run_it ${LITEDIR}/firewall $debugging start
+	    ${LITEDIR}/firewall $debugging start
 	    rc=$?
 	else
 	    error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -226,12 +219,12 @@ start_command() {
 			    option=
 			    ;;
 			f*)
-			    g_fast=Yes
+			    FAST=Yes
 			    option=${option#f}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
+			    PURGE=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -255,21 +248,36 @@ start_command() {
 	    ;;
    esac

-    if [ -n "$g_fast" ]; then
+    export NOROUTES
+
+    if [ -n "$FAST" ]; then
 	if qt mywhich make; then
-	    export RESTOREFILE
-	    make -qf ${CONFDIR}/Makefile || g_fast=
+	    #
+	    # RESTOREFILE is exported by get_config()
+	    #
+	    make -qf ${CONFDIR}/Makefile || FAST=
 	fi

-	if [ -n "$g_fast" ]; then
+	if [ -n "$FAST" ]; then

-	    g_restorepath=${VARDIR}/$RESTOREFILE
+	    RESTOREPATH=${VARDIR}/$RESTOREFILE
+
+	    if [ -x $RESTOREPATH ]; then
+		if [ -x ${RESTOREPATH}-ipsets ]; then
+		    echo Restoring Ipsets...
+		    #
+		    # We must purge iptables to be sure that there are no
+		    # references to ipsets
+		    #
+		    iptables -F
+		    iptables -X
+		    $SHOREWALL_SHELL ${RESTOREPATH}-ipsets
+		fi

-	    if [ -x $g_restorepath ]; then
 		echo Restoring Shorewall Lite...
-		run_it $g_restorepath restore
+		$SHOREWALL_SHELL $RESTOREPATH restore
 		date > ${VARDIR}/restarted
-		progress_message3 Shorewall Lite restored from $g_restorepath
+		progress_message3 Shorewall Lite restored from $RESTOREPATH
 	    else
 		do_it
 	    fi
@@ -305,12 +313,12 @@ restart_command() {
 			    option=
 			    ;;
 			n*)
-			    g_noroutes=Yes
+			    NOROUTES=Yes
 			    option=${option#n}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
+			    PURGE=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -334,10 +342,12 @@ restart_command() {
 	    ;;
    esac

+    export NOROUTES
+
    [ -n "$nolock" ] || mutex_on

    if [ -x ${LITEDIR}/firewall ]; then
-	run_it ${LITEDIR}/firewall $debugging restart
+	$SHOREWALL_SHELL ${LITEDIR}/firewall $debugging restart
 	rc=$?
    else
 	error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -356,14 +366,13 @@ usage() # $1 = exit status
 {
    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
    echo "where <command> is one of:"
-    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
    echo "   clear"
-    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   drop <address> ..."
    echo "   dump [ -x ]"
    echo "   forget [ <file name> ]"
    echo "   help"
+    echo "   hits [ -t ]"
    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
    echo "   ipdecimal { <address> | <integer> }"
    echo "   iprange <address>-<address>"
@@ -372,7 +381,7 @@ usage() # $1 = exit status
    echo "   logwatch [<refresh interval>]"
    echo "   reject <address> ..."
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   save [ <file name> ]"
    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
@@ -380,71 +389,23 @@ usage() # $1 = exit status
    echo "   show classifiers"
    echo "   show config"
    echo "   show connections"
-    echo "   show filters"
+    echo "   show dynamic <zone>"
+    echo "   show filter"
    echo "   show ip"
-    echo "   show [ -m ] log [<regex>]"
-    echo "   show [ -x ] mangle|nat|raw|routing"
-    echo "   show policies"
-    echo "   show tc [ device ]"
+    echo "   show [ -m ] log"
+    echo "   show [ -x ] mangle|nat|raw"
+    echo "   show routing"
+    echo "   show tc"
    echo "   show vardir"
    echo "   show zones"
-    echo "   start [ -f ] [ -p ] [ <directory> ]"
+    echo "   start [ -n ] [ -p ]"
    echo "   stop"
    echo "   status"
-    echo "   version [ -a ]"
+    echo "   version"
    echo
    exit $1
 }

-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-    local product
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-    
-    if [ -n "$all" ]; then
-	for product in shorewall shorewall6 shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
 #
 # Execution begins here
 #
@@ -462,13 +423,14 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
    shift
 fi

-g_ipt_options="-nv"
-g_fast=
-g_verbose_offset=0
-g_use_verbosity=
-g_noroutes=
-g_timestamp=
-g_recovering=
+IPT_OPTIONS="-nv"
+FAST=
+VERBOSE_OFFSET=0
+USE_VERBOSITY=
+NOROUTES=
+EXPORT=
+export TIMESTAMP=
+noroutes=

 finished=0

@@ -487,48 +449,48 @@ while [ $finished -eq 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    x*)
-			g_ipt_options="-xnv"
+			IPT_OPTIONS="-xnv"
 			option=${option#x}
 			;;
 		    q*)
-			g_verbose_offset=$(($g_verbose_offset - 1 ))
+			VERBOSE_OFFSET=$(($VERBOSE_OFFSET - 1 ))
 			option=${option#q}
 			;;
 		    f*)
-			g_fast=Yes
+			FAST=Yes
 			option=${option#f}
 			;;
 		    v*)
 			option=${option#v}
 			case $option in 
 			    -1*)
-				g_use_verbosity=-1
+				USE_VERBOSITY=-1
 				option=${option#-1}
 				;;
 			    0*)
-				g_use_verbosity=0
+				USE_VERBOSITY=0
 				option=${option#0}
 				;;
 			    1*)
-				g_use_verbosity=1
+				USE_VERBOSITY=1
 				option=${option#1}
 				;;
 			    2*)
-				g_use_verbosity=2
+				USE_VERBOSITY=2
 				option=${option#2}
 				;;
 			    *)
-				g_verbose_offset=$(($g_verbose_offset + 1 ))
-				g_use_verbosity=
+				VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 ))
+				USE_VERBOSITY=
 				;;
 			esac
 			;;
 		    n*)
-			g_noroutes=Yes
+			NOROUTES=Yes
 			option=${option#n}
 			;;
 		    t*)
-			g_timestamp=Yes
+			TIMESTAMP=Yes
 			option=${option#t}
 			;;
 		    -)
@@ -553,11 +515,12 @@ if [ $# -eq 0 ]; then
 fi

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+export PATH
 MUTEX_TIMEOUT=

 SHAREDIR=/usr/share/shorewall-lite
 CONFDIR=/etc/shorewall-lite
-g_product="Shorewall Lite"
+export PRODUCT="Shorewall Lite"

 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]

@@ -565,10 +528,17 @@ g_product="Shorewall Lite"

 [ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR"

-version_file=$SHAREDIR/version
+LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
+VERSION_FILE=$SHAREDIR/version
+HELP=$SHAREDIR/help

-for library in base cli; do
-    . ${SHAREDIR}/lib.$library
+for library in $LIBRARIES; do
+    if [ -f $library ]; then
+	. $library
+    else
+	echo "Installation error: $library does not exist!" >&2
+	exit 2
+    fi
 done

 ensure_config_path
@@ -588,6 +558,7 @@ else
 fi

 ensure_config_path
+export CONFIG_PATH

 LITEDIR=${VARDIR}

@@ -595,17 +566,17 @@ LITEDIR=${VARDIR}

 get_config

-g_firewall=$LITEDIR/firewall
+FIREWALL=$LITEDIR/firewall

-if [ -f $version_file ]; then
-    SHOREWALL_VERSION=$(cat $version_file)
+if [ -f $VERSION_FILE ]; then
+    version=$(cat $VERSION_FILE)
 else
    echo "   ERROR: Shorewall Lite is not properly installed" >&2
-    echo "          The file $version_file does not exist" >&2
+    echo "          The file $VERSION_FILE does not exist" >&2
    exit 1
 fi

-banner="Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname -"
+banner="Shorewall Lite $version Status at $HOSTNAME -"

 case $(echo -e) in
    -e*)
@@ -634,12 +605,15 @@ case "$COMMAND" in
 	shift
 	start_command $@
 	;;
-    stop|reset|clear)
+    stop|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
+	export NOROUTES
+	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
+	;;
+    reset)
+	verify_firewall_script
+	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@
 	;;
    restart)
 	shift
@@ -652,7 +626,7 @@ case "$COMMAND" in
    status)
 	[ $# -eq 1 ] || usage 1
 	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
-	echo "Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
+	echo "Shorewall Lite $version Status at $HOSTNAME - $(date)"
 	echo
 	if shorewall_is_started ; then
 	    echo "Shorewall Lite is running"
@@ -665,7 +639,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -686,8 +660,7 @@ case "$COMMAND" in
 	hits_command $@
 	;;
    version)
-	shift
-	version_command $@
+	echo $version Lite
 	;;
    logwatch)
 	logwatch_command $@
@@ -756,7 +729,7 @@ case "$COMMAND" in
 	    ;;
 	esac

-	g_restorepath=${VARDIR}/$RESTOREFILE
+	RESTOREPATH=${VARDIR}/$RESTOREFILE

 	[ "$nolock" ] || mutex_on

@@ -778,15 +751,20 @@ case "$COMMAND" in
 	esac


-	g_restorepath=${VARDIR}/$RESTOREFILE
+	RESTOREPATH=${VARDIR}/$RESTOREFILE

-	if [ -x $g_restorepath ]; then
-	    rm -f $g_restorepath
-	    rm -f ${g_restorepath}-iptables
-	    rm -f ${g_restorepath}-ipsets
-	    echo "    $g_restorepath removed"
-	elif [ -f $g_restorepath ]; then
-	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
+	if [ -x $RESTOREPATH ]; then
+
+	    if [ -x ${RESTOREPATH}-ipsets ]; then
+		rm -f ${RESTOREPATH}-ipsets
+		echo "    ${RESTOREPATH}-ipsets removed"
+	    fi
+
+	    rm -f $RESTOREPATH
+	    rm -f ${RESTOREPATH}-iptables
+	    echo "    $RESTOREPATH removed"
+	elif [ -f $RESTOREPATH ]; then
+	    echo "   $RESTOREPATH exists and is not a saved Shorewall configuration"
 	fi
 	rm -f ${VARDIR}/save
 	;;
--- a/Shorewall-lite/shorewall-lite.conf
+++ b/Shorewall-lite/shorewall-lite.conf
@@ -4,11 +4,12 @@
 #  compile /var/lib/shorewall-lite/firewall. Those values may be found in
 #  /var/lib/shorewall-lite/firewall.conf.
 #
-#  For information about the settings in this file, type
-#  "man shorewall-lite.conf"
+#  This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#  This file should be placed in /etc/shorewall-lite
+#
+#  (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
-#  Manpage also online at
-#  http://www.shorewall.net/manpages/shorewall-lite.conf.html
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.13
-%define release 2
+%define version 4.4.4
+%define release 3

 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute
-Provides: shoreline_firewall = %{version}-%{release}

 %description

@@ -32,7 +31,7 @@ administrators to centralize the configuration of Shorewall-based firewalls.
 %build

 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -89,7 +88,6 @@ fi
 %attr(-   ,root,root) /usr/share/shorewall-lite/functions
 %attr(0644,root,root) /usr/share/shorewall-lite/lib.base
 %attr(0644,root,root) /usr/share/shorewall-lite/lib.cli
-%attr(0644,root,root) /usr/share/shorewall-lite/lib.common
 %attr(0644,root,root) /usr/share/shorewall-lite/modules
 %attr(0544,root,root) /usr/share/shorewall-lite/shorecap
 %attr(0755,root,root) /usr/share/shorewall-lite/wait4ifup
@@ -102,111 +100,13 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-2
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta1
-* Mon May 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0base
-* Sun May 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0RC2
-* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0RC1
-* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta5
-* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta4
-* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta3
-* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta2
-* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta1
-* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0base
-* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0RC2
-* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0RC1
-* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0Beta2
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0Beta1
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta2
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.6-0base
-* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.5-0base
+* Tue Dec 08 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-3
+* Sun Dec 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-2
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-1
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0Beta2
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.13.2
+VERSION=4.4.4.3

 usage() # $1 = exit status
 {
@@ -79,7 +79,7 @@ if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
 fi

 if [ -L /usr/share/shorewall-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall-lite/init)
+    FIREWALL=$(ls -l /usr/share/shorewall-lite/init | sed 's/^.*> //')
 else
    FIREWALL=/etc/init.d/shorewall-lite
 fi
@@ -106,7 +106,6 @@ rm -rf /var/lib/shorewall-lite
 rm -rf /var/lib/shorewall-lite-*.bkout
 rm -rf /usr/share/shorewall-lite
 rm -rf /usr/share/shorewall-lite-*.bkout
-rm -f  /etc/logrotate.d/shorewall-lite

 echo "Shorewall Uninstalled"

--- a/Shorewall/Contrib/swping
+++ b/Shorewall/Contrib/swping
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V4.2
 #
 #     Inspired by Angsuman Chakraborty's gwping script.
 #
--- a/Shorewall/Contrib/swping.init
+++ b/Shorewall/Contrib/swping.init
@@ -1,5 +1,5 @@
 #!/bin/sh
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V4.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Macros/macro.Citrix
+++ b/Shorewall/Macros/macro.Citrix
@@ -3,8 +3,7 @@
 #
 # /usr/share/shorewall/macro.Citrix
 #
-#	This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a.
-#	ICA Session Reliability)
+# This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a. ICA Session Reliability)
 #
 ####################################################################################
 #ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
--- a/Shorewall/Macros/macro.DHCPfwd
+++ b/Shorewall/Macros/macro.DHCPfwd
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - DHCPfwd Macro
-#
-# /usr/share/shorewall/macro.DHCPfwd
-#
-#	This macro (bidirectional) handles forwarded DHCP traffic
-#
-###############################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S) PORT(S) LIMIT	GROUP
-PARAM	-	-	udp	67:68	67:68	# DHCP
-PARAM	DEST	SOURCE	udp	67:68	67:68	# DHCP
--- a/Shorewall/Macros/macro.HKP
+++ b/Shorewall/Macros/macro.HKP
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - HKP Macro
-#
-# /usr/share/shorewall/macro.HKP
-#
-#	This macro handles OpenPGP HTTP keyserver protocol traffic.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	11371
--- a/Shorewall/Macros/macro.OSPF
+++ b/Shorewall/Macros/macro.OSPF
@@ -5,7 +5,7 @@
 #
 #       This macro handles OSPF multicast traffic
 #
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	89	# OSPF
+#######################################################################################################
+#ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/   ORIGINAL
+#                                               PORT(S) PORT(S) DEST            LIMIT   GROUP   DEST
+PARAM           -               -       89      -                                                       # OSPF
--- a/Shorewall/Macros/macro.mDNS
+++ b/Shorewall/Macros/macro.mDNS
@@ -1,15 +1,12 @@
 #
 # Shorewall version 4 - Multicast DNS Macro
 #
-# /usr/share/shorewall/macro.mDNS
+# /usr/share/shorewall/macro.DNS
 #
 #	This macro handles multicast DNS traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	224.0.0.251		udp	5353
-PARAM	-	-			udp	32768:	5353
-PARAM	-	224.0.0.251		2
-PARAM	DEST	SOURCE:224.0.0.251	udp	5353
-PARAM	DEST	SOURCE:224.0.0.251	2
+PARAM	-	-	udp	5353
+PARAM	DEST	SOURCE	udp	5353
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4.13';
+our $VERSION = '4.4_1';

 #
 # Called by the compiler to [re-]initialize this module's state
@@ -52,7 +52,7 @@ sub process_accounting_rule( ) {

    our $jumpchainref;

-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File';
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File';

    if ( $action eq 'COMMENT' ) {
 	process_comment;
@@ -61,16 +61,6 @@ sub process_accounting_rule( ) {

    our $disposition = '';

-    sub reserved_chain_name($) {
-	$_[0] =~ /^acc(?:ount(?:ing|out)|ipsecin|ipsecout)$/;
-    }
-
-    sub ipsec_chain_name($) {
-	if ( $_[0] =~ /^accipsec(in|out)$/ ) {
-	    $1;
-	}
-    }
-
    sub check_chain( $ ) {
 	my $chainref = shift;
 	fatal_error "A non-accounting chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{policy};
@@ -82,11 +72,10 @@ sub process_accounting_rule( ) {

    sub jump_to_chain( $ ) {
 	my $jumpchain = $_[0];
-	fatal_error "Jumps to the $jumpchain chain are not allowed" if reserved_chain_name( $jumpchain );
-	$jumpchainref = ensure_accounting_chain( $jumpchain, 0 );
+	$jumpchainref = ensure_accounting_chain( $jumpchain );
 	check_chain( $jumpchainref );
 	$disposition = $jumpchain;
-	$jumpchain;
+	"-j $jumpchain";
    }

    my $target = '';
@@ -95,21 +84,18 @@ sub process_accounting_rule( ) {
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';

-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, 0xFF );
    my $rule2 = 0;
-    my $jump  = 0;

    unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
-	    $target = 'RETURN';
+	    $target = '-j RETURN';
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 	    if ( $cmd ) {
 		if ( $cmd eq 'COUNT' ) {
-		    $rule2 = 1;
-		} elsif ( $cmd eq 'JUMP' ) {
-		    $jump = 1;
-		} else {
+		    $rule2=1;
+		} elsif ( $cmd ne 'JUMP' ) {
 		    accounting_error;
 		}
 	    }
@@ -151,31 +137,7 @@ sub process_accounting_rule( ) {
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
    }

-    my $chainref = $filter_table->{$chain};
-    my $dir;
-
-    if ( ! $chainref ) {
-	$chainref = ensure_accounting_chain $chain, 0;
-	$dir      = ipsec_chain_name( $chain );
-
-	if ( $ipsec ne '-' ) {
-	    if ( $dir ) {
-		$rule .= do_ipsec( $dir, $ipsec );
-		$chainref->{ipsec} = $dir;
-	    } else {
-		fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
-	    }
-	} else {
-	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );	    
-	    $chainref->{ipsec} = $dir;
-	}
-    } elsif ( $ipsec ne '-' ) {
-	$dir = $chainref->{ipsec};
-	fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
-	$rule .= do_ipsec( $dir , $ipsec );
-    }
-
-    $restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;
+    my $chainref = ensure_accounting_chain $chain;

    expand_rule
 	$chainref ,
@@ -189,22 +151,6 @@ sub process_accounting_rule( ) {
 	$disposition ,
 	'' ;

-    if ( $rule2 || $jump ) {
-	if ( $chainref->{ipsec} ) {
-	    if ( $jumpchainref->{ipsec} ) {
-		fatal_error "IPSEC in/out mismatch on chains $chain and $jumpchainref->{name}";
-	    } else {
-		fatal_error "$jumpchainref->{name} is not an IPSEC chain" if keys %{$jumpchainref->{references}} > 1;
-		$jumpchainref->{ipsec} = $chainref->{ipsec};
-	    }
-	} elsif ( $jumpchainref->{ipsec} ) {
-	    fatal_error "Jump from a non-IPSEC chain to an IPSEC chain not allowed";
-	} else {
-	    $jumpchainref->{ipsec} = $chainref->{ipsec};
-	}
-
-    }
-
    if ( $rule2 ) {
 	expand_rule
 	    $jumpchainref ,
@@ -232,40 +178,27 @@ sub setup_accounting() {

    $nonEmpty |= process_accounting_rule while read_a_line;

+    fatal_error "Accounring rules are isolated" if $nonEmpty && ! $filter_table->{accounting};
+
    clear_comment;

    if ( have_bridges ) {
 	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD/ ) {
-		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
 	    }
 	}

 	if ( $filter_table->{accountout} ) {
-	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
+	    insert_rule1 $filter_table->{OUTPUT}, 0, '-j accountout';
 	}
-    } elsif ( $filter_table->{accounting} ) {
+    } else {
+	if ( $filter_table->{accounting} ) {
 	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-	    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
 	    }
 	}
-
-    if ( $filter_table->{accipsecin} ) {
-	for my $chain ( qw/INPUT FORWARD/ ) {
-	    add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
    }
-    }
-
-    if ( $filter_table->{accipsecout} ) {
-	for my $chain ( qw/FORWARD OUTPUT/ ) {
-	    add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
-	}
-    }
-
-    for ( accounting_chainrefs ) {
-	warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
-    }
-
 }

 1;
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -28,7 +28,6 @@ require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
-use Shorewall::IPAddrs;

 use strict;

@@ -58,7 +57,7 @@ our @EXPORT = qw( merge_levels
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_2';

 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
@@ -179,27 +178,9 @@ sub find_macro( $ )
 #
 sub split_action ( $ ) {
    my $action = $_[0];
-
-    my $target = '';
-    my $max    = 3;
-    #
-    # The following rather grim RE, when matched, breaks the action into two parts:
-    #
-    #    basicaction(param)
-    #    logging part (may be empty)
-    #
-    # The param may contain one or more ':' characters
-    #
-    if ( $action =~ /^([^(:]+\(.*?\))(:(.*))?$/ ) {
-	$target = $1;
-	$action = $2 ? $3 : '';
-	$max    = 2;
-    }
-	
    my @a = split( /:/ , $action, 4 );
-    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
-    $target = shift @a unless $target;
-    ( $target, join ":", @a );
+    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > 3 );
+    ( shift @a, join ":", @a );
 }

 #
@@ -232,7 +213,7 @@ sub merge_macro_source_dest( $$ ) {
    if ( $invocation ) {
 	if ( $body ) {
 	    return $body if $invocation eq '-';
-	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^!+|^~|^!~|~<|~\[/;
+	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^~|^!~/;
 	    return "$invocation:$body";
 	}

@@ -324,10 +305,10 @@ sub map_old_actions( $ ) {
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
 # a 1- or 2-digit sequence number. In the functions that follow,
-# the $chain, $level and $tag variable serves as arguments to the user's
+# the CHAIN, LEVEL and TAG variable serves as arguments to the user's
 # exit. We call the exit corresponding to the name of the action but we
-# set $chain to the name of the iptables chain where rules are to be added.
-# Similarly, $level and $tag contain the log level and log tag respectively.
+# set CHAIN to the name of the iptables chain where rules are to be added.
+# Similarly, LEVEL and TAG contain the log level and log tag respectively.
 #
 # The maximum length of a chain name is 30 characters -- since the log
 # action chain name is 2-3 characters longer than the base chain name,
@@ -360,8 +341,6 @@ sub createlogactionchain( $$ ) {

    unless ( $targets{$action} & BUILTIN ) {

-	dont_optimize $chainref;
-
 	my $file = find_file $chain;

 	if ( -f $file ) {
@@ -388,8 +367,6 @@ sub createsimpleactionchain( $ ) {

    unless ( $targets{$action} & BUILTIN ) {

-	dont_optimize $chainref;
-
 	my $file = find_file $action;

 	if ( -f $file ) {
@@ -407,7 +384,7 @@ sub createsimpleactionchain( $ ) {
 }

 #
-# Create an action chain and run its associated user exit
+# Create an action chain and run it's associated user exit
 #
 sub createactionchain( $ ) {
    my ( $action , $level ) = split_action $_[0];
@@ -597,7 +574,7 @@ sub process_actions2 () {
 	for my $target (keys %usedactions) {
 	    my ($action, $level) = split_action $target;
 	    my $actionref = $actions{$action};
-	    assert( $actionref );
+	    fatal_error "Null Action Reference in process_actions2" unless $actionref;
 	    for my $action1 ( keys %{$actionref->{requires}} ) {
 		my $action2 = merge_levels $target, $action1;
 		unless ( $usedactions{ $action2 } ) {
@@ -632,11 +609,11 @@ sub process_action( $$$$$$$$$$$ ) {

    expand_rule ( $chainref ,
 		  NO_RESTRICT ,
-		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, $globals{TC_MASK} ) ,
+		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, 0xFF ) ,
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
-		  $action ,
+		  $action ? "-j $action" : '',
 		  $level ,
 		  $action ,
 		  '' );
@@ -789,14 +766,10 @@ sub process_action3( $$$$$ ) {
 sub dropBcast( $$$ ) {
    my ($chainref, $level, $tag) = @_;

-    if ( have_capability( 'ADDRTYPE' ) ) {
+    if ( $capabilities{ADDRTYPE} ) {
 	if ( $level ne '' ) {
 	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
-	    if ( $family == F_IPV4 ) {
 	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
-	    } else {
-		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
-	    }
 	}

 	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
@@ -820,14 +793,14 @@ sub dropBcast( $$$ ) {
    if ( $family == F_IPV4 ) {
 	add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
    } else {
-	add_rule $chainref, join( ' ', '-d', IPv6_MULTICAST, '-j DROP' );
+	add_rule $chainref, '-d ff00::/10 -j DROP';
    }
 }

 sub allowBcast( $$$ ) {
    my ($chainref, $level, $tag) = @_;

-    if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
+    if ( $family == F_IPV4 && $capabilities{ADDRTYPE} ) {
 	if ( $level ne '' ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
@@ -852,8 +825,8 @@ sub allowBcast( $$$ ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 	    add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
 	} else {
-	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
-	    add_rule $chainref, join ( ' ', '-d', IPv6_MULTICAST, '-j ACCEPT' );
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
+	    add_rule $chainref, '-d ff00:/10 -j ACCEPT';
 	}
    }
 }
@@ -861,46 +834,44 @@ sub allowBcast( $$$ ) {
 sub dropNotSyn ( $$$ ) {
    my ($chainref, $level, $tag) = @_;

-    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
-    add_rule $chainref , '-p 6 ! --syn -j DROP';
+    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
+    add_rule $chainref , '-p tcp ! --syn -j DROP';
 }

 sub rejNotSyn ( $$$ ) {
    my ($chainref, $level, $tag) = @_;

-    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
-    add_rule $chainref , '-p 6 ! --syn -j REJECT --reject-with tcp-reset';
+    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
+    add_rule $chainref , '-p tcp ! --syn -j REJECT --reject-with tcp-reset';
 }

 sub dropInvalid ( $$$ ) {
    my ($chainref, $level, $tag) = @_;

-    log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
-    add_rule $chainref , "$globals{STATEMATCH} INVALID -j DROP";
+    log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
+    add_rule $chainref , '-m state --state INVALID -j DROP';
 }

 sub allowInvalid ( $$$ ) {
    my ($chainref, $level, $tag) = @_;

-    log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
-    add_rule $chainref , "$globals{STATEMATCH} INVALID -j ACCEPT";
+    log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
+    add_rule $chainref , '-m state --state INVALID -j ACCEPT';
 }

 sub forwardUPnP ( $$$ ) {
-    my $chainref = dont_optimize 'forwardUPnP';
-    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
 }

 sub allowinUPnP ( $$$ ) {
    my ($chainref, $level, $tag) = @_;

    if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 17 --dport 1900 ';
-	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
    }

-    add_rule $chainref, '-p 17 --dport 1900 -j ACCEPT';
-    add_rule $chainref, '-p 6 --dport 49152 -j ACCEPT';
+    add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
+    add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
 }

 sub Limit( $$$ ) {
@@ -926,7 +897,7 @@ sub Limit( $$$ ) {
 	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
 	log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
 	add_rule $xchainref, '-j DROP';
-	add_jump $chainref,  $xchainref, 0, "-m recent --name $set --update --seconds $tag[2] --hitcount $count ";
+	add_rule $chainref,  "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
    } else {
 	add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
    }
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -41,9 +41,9 @@ use Shorewall::IPAddrs;
 use Shorewall::Raw;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( compiler );
+our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_12';
+our $VERSION = '4.4_4';

 our $export;

@@ -72,38 +72,36 @@ sub initialize_package_globals() {
 #
 # First stage of script generation.
 #
-#    Copy prog.header and lib.common to the generated script.
+#    Copy prog.header to the generated script.
 #    Generate the various user-exit jacket functions.
 #
-#    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the output script file.
-#
-sub generate_script_1( $ ) {
+sub generate_script_1() {

-    my $script = shift;
-
-    if ( $script ) {
    if ( $test ) {
 	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
    } else {
 	my $date = localtime;

 	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-
 	if ( $family == F_IPV4 ) {
 	    copy $globals{SHAREDIRPL} . 'prog.header';
 	} else {
 	    copy $globals{SHAREDIRPL} . 'prog.header6';
 	}
-
-	    copy2 $globals{SHAREDIR} . '/lib.common', 0;
-	}
-
    }

    my $lib = find_file 'lib.private';

-    copy2( $lib, $debug ) if -f $lib;
+    if ( -f $lib ) {
+	emit <<'EOF';
+################################################################################
+# Functions imported from lib.private
+################################################################################
+EOF
+
+	copy1 $lib;
+	emit "\n";
+    }

    emit <<'EOF';
 ################################################################################
@@ -166,24 +164,24 @@ sub generate_script_2() {
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall-lite',
 		   'CONFDIR=/etc/shorewall-lite',
-		   'g_product="Shorewall Lite"'
+		   'PRODUCT="Shorewall Lite"'
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall',
 		   'CONFDIR=/etc/shorewall',
-		   'g_product=\'Shorewall\'',
+		   'PRODUCT=\'Shorewall\'',
 		 );
 	}
    } else {
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6-lite',
 		   'CONFDIR=/etc/shorewall6-lite',
-		   'g_product="Shorewall6 Lite"'
+		   'PRODUCT="Shorewall6 Lite"'
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6',
 		   'CONFDIR=/etc/shorewall6',
-		   'g_product=\'Shorewall6\'',
+		   'PRODUCT=\'Shorewall6\'',
 		 );
 	}
    }
@@ -215,15 +213,16 @@ sub generate_script_2() {
    my @dont_load = split_list $config{DONT_LOAD}, 'module';

    emit ( '[ -n "${COMMAND:=restart}" ]',
-	   '[ -n "${VERBOSITY:=0}" ]',
+	   '[ -n "${VERBOSE:=0}" ]',
 	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) );

-    emit ( qq(SHOREWALL_VERSION="$globals{VERSION}") ) unless $test;
+    emit ( qq(VERSION="$globals{VERSION}") ) unless $test;

    emit ( qq(PATH="$config{PATH}") ,
 	   'TERMINATOR=fatal_error' ,
 	   qq(DONT_LOAD="@dont_load") ,
 	   qq(STARTUP_LOG="$config{STARTUP_LOG}") ,
+	   "LOG_VERBOSE=$config{LOG_VERBOSITY}" ,
 	   ''
 	   );

@@ -232,7 +231,7 @@ sub generate_script_2() {
    append_file 'params' if $config{EXPORTPARAMS};

    emit ( '',
-	   "g_stopping=",
+	   "STOPPING=",
 	   '',
 	   '#',
 	   '# The library requires that ${VARDIR} exist',
@@ -271,7 +270,7 @@ sub generate_script_2() {

 	set_global_variables(1);

-	handle_optional_interfaces(0);
+	handle_optional_interfaces;

 	emit ';;';

@@ -284,7 +283,7 @@ sub generate_script_2() {

 	    set_global_variables(0);

-	    handle_optional_interfaces(0);
+	    handle_optional_interfaces;

 	    emit ';;';
 	}
@@ -294,7 +293,7 @@ sub generate_script_2() {

 	emit ( 'esac' ) ,
    } else {
-	emit( 'true' ) unless handle_optional_interfaces(1);
+	emit( 'true' ) unless handle_optional_interfaces;
    }

    pop_indent;
@@ -303,6 +302,7 @@ sub generate_script_2() {
    
 }

+#
 # Final stage of script generation.
 #
 #    Generate code for loading the various files in /var/lib/shorewall[6][-lite]
@@ -334,9 +334,9 @@ sub generate_script_3($) {
    save_progress_message 'Initializing...';

    if ( $export ) {
-	my $fn = find_file $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules';
+	my $fn = find_file 'modules';

-	if ( -f $fn && ! $fn =~ "^$globals{SHAREDIR}/" ) {
+	if ( $fn ne "$globals{SHAREDIR}/modules" && -f $fn ) {
 	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
@@ -353,17 +353,54 @@ sub generate_script_3($) {
    }

    if ( $family == F_IPV4 ) {
-	load_ipsets;
+	my @ipsets = all_ipsets;
+
+	if ( @ipsets ) {
+	    emit ( '',
+		   'case $IPSET in',
+		   '    */*)',
+		   '        [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"',
+		   '        ;;',
+		   '    *)',
+		   '        IPSET="$(mywhich $IPSET)"',
+		   '        [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' ,
+		   '        ;;',
+		   'esac',
+		   '',
+		   'if [ "$COMMAND" = start ]; then' ,
+		   '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
+		   '        $IPSET -F' ,
+		   '        $IPSET -X' ,
+		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
+		   '    fi' ,
+		   '' );
+
+	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+	    emit ( '' ,
+		   'elif [ "$COMMAND" = restart ]; then' ,
+		   '' );
+
+	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+	    emit ( '' ,
+		   '    if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
+		   '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
+		   '    fi' );
+	    emit ( 'fi',
+		   '' );
+	}

 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
-	       '   run_refresh_exit' ,
-	       'else' ,
+	       '   run_refresh_exit' );
+
+	emit ( "   qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+	emit ( 'else' ,
 	       '    run_init_exit',
 	       'fi',
 	       '' );

-	save_dynamic_chains;
-
 	mark_firewall_not_started;

 	emit ('',
@@ -371,7 +408,7 @@ sub generate_script_3($) {
 	       ''
 	     );

-	if ( have_capability( 'NAT_ENABLED' ) ) {
+	if ( $capabilities{NAT_ENABLED} ) {
 	    emit(  'if [ -f ${VARDIR}/nat ]; then',
 		   '    while read external interface; do',
 		   '        del_ip_addr $external $interface',
@@ -386,7 +423,6 @@ sub generate_script_3($) {
    } else {
 	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', 
 	       '' );
-	save_dynamic_chains;
 	mark_firewall_not_started;
 	emit '';
    }
@@ -441,38 +477,31 @@ EOF
    pop_indent;
    setup_forwarding( $family , 1 );
    push_indent;
-
-    my $config_dir = $globals{CONFIGDIR};
-
-    emit<<"EOF";
-    set_state Started $config_dir 
+    emit<<'EOF';
+    set_state "Started"
    run_restored_exit
 else
-    if [ \$COMMAND = refresh ]; then
+    if [ $COMMAND = refresh ]; then
        chainlist_reload
 EOF
    setup_forwarding( $family , 0 );
-
-    emit<<"EOF";
+    emit<<'EOF';
        run_refreshed_exit
        do_iptables -N shorewall
-        set_state Started $config_dir
+        set_state "Started"
    else
        setup_netfilter
+        restore_dynamic_rules
        conditionally_flush_conntrack
 EOF
    setup_forwarding( $family , 0 );
-
-    emit<<"EOF";
+    emit<<'EOF';
        run_start_exit
        do_iptables -N shorewall
-        set_state Started $config_dir
+        set_state "Started"
        run_started_exit
    fi

-EOF
-
-    emit<<'EOF';
    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
 fi

@@ -480,16 +509,16 @@ date > ${VARDIR}/restarted

 case $COMMAND in
    start)
-        logger -p kern.info "$g_product started"
+        logger -p kern.info "$PRODUCT started"
        ;;
    restart)
-        logger -p kern.info "$g_product restarted"
+        logger -p kern.info "$PRODUCT restarted"
        ;;
    refresh)
-        logger -p kern.info "$g_product refreshed"
+        logger -p kern.info "$PRODUCT refreshed"
        ;;
    restore)
-        logger -p kern.info "$g_product restored"
+        logger -p kern.info "$PRODUCT restored"
        ;;
 esac
 EOF
@@ -507,8 +536,8 @@ EOF
 #
 sub compiler {

-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1 );

    $export = 0;
    $test   = 0;
@@ -540,7 +569,6 @@ sub compiler {
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
-		  preview       => { store => \$preview },
 		);
    #
    #                               P A R A M E T E R    P R O C E S S I N G
@@ -565,8 +593,6 @@ sub compiler {
 	set_shorewall_dir( $directory );
    }

-    $verbosity = 1 if $debug && $verbosity < 1;
-
    set_verbosity( $verbosity );
    set_log($log, $log_verbosity) if $log;
    set_timestamp( $timestamp );
@@ -576,11 +602,11 @@ sub compiler {
    #
    get_configuration( $export );

-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
+    report_capabilities;

    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{HIGH_ROUTE_MARKS};
    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};

    if ( $scriptfilename ) {
@@ -633,11 +659,11 @@ sub compiler {

    enable_script;

-    if ( $scriptfilename || $debug ) {
+    if ( $scriptfilename ) {
 	#
 	# Place Header in the script
 	#
-	generate_script_1( $scriptfilename );
+	generate_script_1;
 	#
 	#                               C O M M O N _ R U L E S
 	#           (Writes the setup_common_rules() function to the compiled script)
@@ -651,11 +677,11 @@ sub compiler {
 	push_indent;
    }
    #
-    # Do all of the zone-independent stuff (mostly /proc)
+    # Do all of the zone-independent stuff
    #
    add_common_rules;
    #
-    # More /proc
+    # /proc stuff
    #
    if ( $family == F_IPV4 ) {
 	setup_arp_filtering;
@@ -673,7 +699,7 @@ sub compiler {
    #
    setup_zone_mss;

-    if ( $scriptfilename || $debug ) {
+    if ( $scriptfilename ) {
 	emit 'return 0';
 	pop_indent;
 	emit '}';
@@ -686,7 +712,7 @@ sub compiler {
    #
    enable_script;

-    if ( $scriptfilename || $debug ) {
+    if ( $scriptfilename ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
@@ -704,7 +730,7 @@ sub compiler {
    #
    setup_tc;

-    if ( $scriptfilename || $debug ) {
+    if ( $scriptfilename ) {
 	pop_indent;
 	emit "}\n";
    }
@@ -720,7 +746,7 @@ sub compiler {
 	#
 	# ECN
 	#
-	setup_ecn if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+	setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
 	#
 	# Setup Masquerading/SNAT
 	#
@@ -763,26 +789,14 @@ sub compiler {
    #
    # Accounting.
    #
-    setup_accounting if $config{ACCOUNTING};
+    setup_accounting;

    if ( $scriptfilename ) {
 	#
-	# Compiling a script - generate the zone by zone matrix
+	# Generate the zone by zone matrix
 	#
 	generate_matrix;

-	if ( $config{OPTIMIZE} & 0xD ) {
-	    progress_message2 'Optimizing Ruleset...';
-	    #
-	    # Optimize Policy Chains
-	    #
-	    optimize_policy_chains if $config{OPTIMIZE} & 2;
-	    #
-	    # More Optimization
-	    #
-	    optimize_ruleset if $config{OPTIMIZE} & 0xC;
-	}
-
 	enable_script;
 	#
 	#                             I N I T I A L I Z E
@@ -804,12 +818,7 @@ sub compiler {
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
-	compile_stop_firewall( $test, $export );
-	#
-	#                               U P D O W N
-	#               (Writes the updown() function to the compiled script)
-	#
-	compile_updown;
+	compile_stop_firewall( $test );
 	#
 	# Copy the footer to the script
 	#
@@ -831,50 +840,17 @@ sub compiler {
 	#
 	enable_script, generate_aux_config if $export;
    } else {
-	#
-	# Just checking the configuration
-	#
-	if ( $preview || $debug ) {
-	    #
-	    # User wishes to preview the ruleset or we are tracing -- generate the rule matrix
-	    #
-	    generate_matrix;
-
-	    if ( $config{OPTIMIZE} & 6 ) {
-		progress_message2 'Optimizing Ruleset...';
-		#
-		# Optimize Policy Chains
-		#
-		optimize_policy_chains if $config{OPTIMIZE} & 2;
-		#
-		# Ruleset Optimization
-		#
-		optimize_ruleset if $config{OPTIMIZE} & 4;
-	    }
-
-	    enable_script if $debug;
-
-	    generate_script_2 if $debug;
-
-	    preview_netfilter_load if $preview;
-	}
 	#
 	# Re-initialize the chain table so that process_routestopped() has the same
 	# environment that it would when called by compile_stop_firewall().
 	#
 	Shorewall::Chains::initialize( $family );
 	initialize_chain_table;
-
-	if ( $debug ) {
-	    compile_stop_firewall( $test, $export );
-	    disable_script;
-	} else {
 	#
 	# compile_stop_firewall() also validates the routestopped file. Since we don't
-	    # call that function during normal 'check', we must validate routestopped here.
+	# call that function during 'check', we must validate routestopped here.
 	#
 	process_routestopped;
-	}

 	if ( $family == F_IPV4 ) {
 	    progress_message3 "Shorewall configuration verified";
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -26,7 +26,7 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 F_IPV4 F_IPV6 );
 use Socket;

 use strict;
@@ -47,7 +47,6 @@ our @EXPORT = qw( ALLIPv4
 		  ALL
 		  TCP
 		  UDP
-		  UDPLITE
 		  ICMP
 		  DCCP
 		  IPv6_ICMP
@@ -73,7 +72,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_12';
+our $VERSION = '4.4_4';

 #
 # Some IPv4/6 useful stuff
@@ -87,29 +86,28 @@ our $validate_address;
 our $validate_net;
 our $validate_range;
 our $validate_host;
-our $family;

 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
-	       IPv6_MULTICAST      => 'ff00::/8' ,
-	       IPv6_LINKLOCAL      => 'fe80::/10' ,
-	       IPv6_SITELOCAL      => 'feC0::/10' ,
+	       IPv6_MULTICAST      => 'FF00::/10' ,
+	       IPv6_LINKLOCAL      => 'FF80::/10' ,
+	       IPv6_SITELOCAL      => 'FFC0::/10' ,
 	       IPv6_LOOPBACK       => '::1' ,
-	       IPv6_LINK_ALLNODES  => 'ff01::1' ,
-	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
-	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
-	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
+	       IPv6_LINK_ALLNODES  => 'FF01::1' ,
+	       IPv6_LINK_ALLRTRS   => 'FF01::2' ,
+	       IPv6_SITE_ALLNODES  => 'FF02::1' ,
+	       IPv6_SITE_ALLRTRS   => 'FF02::2' ,
 	       ICMP                => 1,
 	       TCP                 => 6,
 	       UDP                 => 17,
 	       DCCP                => 33,
 	       IPv6_ICMP           => 58,
-	       SCTP                => 132,
-	       UDPLITE             => 136 };
+	       SCTP                => 132 };

 our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );

+
 #
 # Note: initialize() is declared at the bottom of the file
 #
@@ -124,8 +122,8 @@ sub valid_4address( $ ) {

    my @address = split /\./, $address;
    return 0 unless @address == 4;
-    for ( @address ) {
-	return 0 unless /^\d+$/ && $_ < 256;
+    for my $a ( @address ) {
+	return 0 unless $a =~ /^\d+$/ && $a < 256;
    }

    1;
@@ -158,8 +156,8 @@ sub decodeaddr( $ ) {

    my $result = shift @address;

-    for ( @address ) {
-	$result = ( $result << 8 ) | $_;
+    for my $a ( @address ) {
+	$result = ( $result << 8 ) | $a;
    }

    $result;
@@ -289,17 +287,7 @@ sub resolve_proto( $ ) {
    my $proto = $_[0];
    my $number;

-    if ( $proto =~ /^\d+$/ || $proto =~ /^0x/ ) {
-	$number = numeric_value ( $proto );
-	defined $number && $number <= 65535 ? $number : undef;
-    } else {
-	#
-	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
-	#
-	$proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6;
-	
-	defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
-    }
+    $proto =~ /^(\d+)$/ ? $proto <= 65535 ? $proto : undef : defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
 }

 sub proto_name( $ ) {
@@ -313,19 +301,16 @@ sub validate_port( $$ ) {

    my $value;

-    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
-	$port = numeric_value $port;
-	return $port if defined $port && $port && $port <= 65535;
+    if ( $port =~ /^(\d+)$/ ) {
+	return $port if $port && $port <= 65535;
    } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );
    }

-    return $value if defined $value;
+    fatal_error "Invalid/Unknown $proto port/service ($port)" unless defined $value;

-    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
-
-    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+    $value;
 }

 sub validate_portpair( $$ ) {
@@ -338,7 +323,7 @@ sub validate_portpair( $$ ) {

    my @ports = split /:/, $portpair, 2;

-    $_ = validate_port( $proto, $_) for ( grep $_, @ports );
+    $_ = validate_port( $proto, $_) for ( @ports );

    if ( @ports == 2 ) {
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
@@ -445,7 +430,7 @@ sub expand_port_range( $$ ) {
 	#
 	# Validate the ports
 	#
-	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
+	( $first , $last ) = ( validate_port( $proto, $first ) , validate_port( $proto, $last ) );

 	$last++; #Increment last address for limit testing.
 	#
@@ -688,7 +673,7 @@ sub validate_host ($$ ) {
 #      able to re-initialize its dependent modules' state.
 #
 sub initialize( $ ) {
-    $family = shift;
+    my $family = shift;

    if ( $family == F_IPV4 ) {
 	$allip            = ALLIPv4;
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_4';

 our @addresses_to_add;
 our %addresses_to_add;
@@ -49,6 +49,56 @@ sub initialize() {
    %addresses_to_add = ();
 }

+#
+# Handle IPSEC Options in a masq record
+#
+sub do_ipsec_options($)
+{
+    my %validoptions = ( strict       => NOTHING,
+			 next         => NOTHING,
+			 reqid        => NUMERIC,
+			 spi          => NUMERIC,
+			 proto        => IPSECPROTO,
+			 mode         => IPSECMODE,
+			 "tunnel-src" => NETWORK,
+			 "tunnel-dst" => NETWORK,
+		       );
+    my $list=$_[0];
+    my $options = '-m policy --pol ipsec --dir out ';
+    my $fmt;
+
+    for my $e ( split_list $list, 'option' ) {
+	my $val    = undef;
+	my $invert = '';
+
+	if ( $e =~ /([\w-]+)!=(.+)/ ) {
+	    $val    = $2;
+	    $e      = $1;
+	    $invert = '! ';
+	} elsif ( $e =~ /([\w-]+)=(.+)/ ) {
+	    $val = $2;
+	    $e   = $1;
+	}
+
+	$fmt = $validoptions{$e};
+
+	fatal_error "Invalid Option ($e)" unless $fmt;
+
+	if ( $fmt eq NOTHING ) {
+	    fatal_error "Option \"$e\" does not take a value" if defined $val;
+	} else {
+	    fatal_error "Missing value for option \"$e\""        unless defined $val;
+	    fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
+	}
+
+	$options .= $invert;
+	$options .= "--$e ";
+	$options .= "$val " if defined $val;
+    }
+
+    $options;
+}
+
 #
 # Process a single rule from the the masq file
 #
@@ -100,16 +150,16 @@ sub process_one_masq( )
    # Handle IPSEC options, if any
    #
    if ( $ipsec ne '-' ) {
-	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
+	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless $globals{ORIGINAL_POLICY_MATCH};

 	if ( $ipsec =~ /^yes$/i ) {
-	    $baserule .= do_ipsec_options 'out', 'ipsec', '';
+	    $baserule .= '-m policy --pol ipsec --dir out ';
 	} elsif ( $ipsec =~ /^no$/i ) {
-	    $baserule .= do_ipsec_options 'out', 'none', '';
+	    $baserule .= '-m policy --pol none --dir out ';
 	} else {
-	    $baserule .= do_ipsec_options 'out', 'ipsec', $ipsec;
+	    $baserule .= do_ipsec_options $ipsec;
 	}
-    } elsif ( have_ipsec ) {
+    } elsif ( $capabilities{POLICY_MATCH} ) {
 	$baserule .= '-m policy --pol none --dir out ';
    }

@@ -120,12 +170,12 @@ sub process_one_masq( )
    #
    # Handle Mark
    #
-    $baserule .= do_test( $mark, $globals{TC_MASK} ) if $mark ne '-';
+    $baserule .= do_test( $mark, 0xFF) if $mark ne '-';
    $baserule .= do_user( $user )      if $user ne '-';

    for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-	my $target = 'MASQUERADE ';
+	my $target = '-j MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -171,7 +221,7 @@ sub process_one_masq( )
 		    fatal_error "The SAME target is no longer supported";
 		} elsif ( $addresses eq 'detect' ) {
 		    my $variable = get_interface_address $interface;
-		    $target = "SNAT --to-source $variable";
+		    $target = "-j SNAT --to-source $variable";

 		    if ( interface_is_optional $interface ) {
 			add_commands( $chainref,
@@ -181,13 +231,13 @@ sub process_one_masq( )
 			$detectaddress = 1;
 		    }
 		} elsif ( $addresses eq 'NONAT' ) {
-		    $target = 'RETURN';
+		    $target = '-j RETURN';
 		    $add_snat_aliases = 0;
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
 			if ( $addr =~ /^.*\..*\..*\./ ) {
-			    $target = 'SNAT ';
+			    $target = '-j SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
 			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
 				validate_range( $1, $2 );
@@ -322,7 +372,7 @@ sub do_one_nat( $$$$$ )
 	$interface = $interfaceref->{name};
    }

-    if ( have_ipsec ) {
+    if ( $capabilities{POLICY_MATCH} ) {
 	$policyin = ' -m policy --pol none --dir in';
 	$policyout =  '-m policy --pol none --dir out';
    }
@@ -352,6 +402,7 @@ sub do_one_nat( $$$$$ )
 	    push @addresses_to_add, ( $external , $fullinterface );
 	}
    }
+
 }

 #
@@ -398,9 +449,7 @@ sub setup_netmap() {

    while ( read_a_line ) {

-	my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
-
-	$net3 = ALLIP if $net3 eq '-';
+	my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';

 	for my $interface ( split_list $interfacelist, 'interface' ) {

@@ -408,18 +457,18 @@ sub setup_netmap() {
 	    my $ruleout = '';
 	    my $iface = $interface;

-	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
+	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );

 	    unless ( $interfaceref->{root} ) {
-		$rulein  = match_source_dev( $interface );
-		$ruleout = match_dest_dev( $interface );
+		$rulein  = match_source_dev $interface;
+		$ruleout = match_dest_dev $interface;
 		$interface = $interfaceref->{name};
 	    }

 	    if ( $type eq 'DNAT' ) {
-		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
+		add_rule ensure_chain( 'nat' , input_chain $interface )  , $rulein  . "-d $net1 -j NETMAP --to $net2";
 	    } elsif ( $type eq 'SNAT' ) {
-		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
+		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
 	    } else {
 		fatal_error "Invalid type ($type)";
 	    }
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -32,9 +32,9 @@ use Shorewall::Actions;
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
+our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies );
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_12';
+our $VERSION = '4.4_4';

 # @policy_chains is a list of references to policy chains in the filter table

@@ -66,11 +66,11 @@ sub convert_to_policy_chain($$$$$)
 #
 sub new_policy_chain($$$$)
 {
-    my ($source, $dest, $policy, $provisional) = @_;
+    my ($source, $dest, $policy, $optional) = @_;

    my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );

-    convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional );
+    convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );

    $chainref;
 }
@@ -115,7 +115,7 @@ sub set_policy_chain($$$$$)
 #
 # Process the policy file
 #
-use constant { PROVISIONAL => 1 };
+use constant { OPTIONAL => 1 };

 sub add_or_modify_policy_chain( $$ ) {
    my ( $zone, $zone1 ) = @_;
@@ -124,11 +124,11 @@ sub add_or_modify_policy_chain( $$ ) {

    if ( $chainref ) {
 	unless( $chainref->{is_policy} ) {
-	    convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', PROVISIONAL );
+	    convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL );
 	    push @policy_chains, $chainref;
 	}
    } else {
-	push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', PROVISIONAL );
+	push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
    }
 }

@@ -307,7 +307,6 @@ sub validate_policy()
 		 NFQUEUE_DEFAULT => 'NFQUEUE' );

    my $zone;
-    my $firewall = firewall_zone;
    our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );

    for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
@@ -330,12 +329,9 @@ sub validate_policy()
    }

    for $zone ( all_zones ) {
-	push @policy_chains, ( new_policy_chain $zone,         $zone, 'ACCEPT', PROVISIONAL );
-	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL ) if zone_type( $zone ) == BPORT;
+	push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );

-	my $zoneref = find_zone( $zone );
-
-	if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} == VSERVER ) ) {
+	if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
 	    for my $zone1 ( all_zones ) {
 		unless( $zone eq $zone1 ) {
 		    add_or_modify_policy_chain( $zone, $zone1 );
@@ -366,7 +362,7 @@ sub policy_rules( $$$$$ ) {

    unless ( $target eq 'NONE' ) {
 	add_rule $chainref, "-d 224.0.0.0/4 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
-	add_jump $chainref, $default, 0 if $default && $default ne 'none';
+	add_rule $chainref, "-j $default" if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;

@@ -418,27 +414,15 @@ sub apply_policy_rules() {

    for my $chainref ( @policy_chains ) {
 	my $policy      = $chainref->{policy};
-
-	unless ( $policy eq 'NONE' ) {
 	my $loglevel    = $chainref->{loglevel};
 	my $provisional = $chainref->{provisional};
 	my $default     = $chainref->{default};
 	my $name        = $chainref->{name};
-	    my $synparms    = $chainref->{synparms};

-	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
-		if ( $config{OPTIMIZE} & 2 ) {
-		    #
-		    # This policy chain is empty and the only thing that we would put in it is
-		    # the policy-related stuff. Don't create it if all we are going to put in it
-		    # is a single jump. Generate_matrix() will just use the policy target when
-		    # needed.
-		    #
-		    ensure_filter_chain $name, 1 if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
-		} else {
+	if ( $policy ne 'NONE' ) {
+	    if ( ! $chainref->{referenced} && ( ! $provisional && $policy ne 'CONTINUE' ) ) {
 		ensure_filter_chain $name, 1;
 	    }
-	    }

 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
 		run_user_exit $chainref;
@@ -471,7 +455,7 @@ sub apply_policy_rules() {
 sub complete_standard_chain ( $$$$ ) {
    my ( $stdchainref, $zone, $zone2, $default ) = @_;

-    add_rule $stdchainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" unless $config{FASTACCEPT};
+    add_rule $stdchainref, '-m state --state ESTABLISHED,RELATED -j ACCEPT' unless $config{FASTACCEPT};

    run_user_exit $stdchainref;

@@ -496,38 +480,11 @@ sub setup_syn_flood_chains() {
 	    my $level = $chainref->{loglevel};
 	    my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
 	    add_rule $synchainref , "${limit}-j RETURN";
-	    log_rule_limit( $level , 
-			    $synchainref , 
-			    $chainref->{name} , 
-			    'DROP', 
-			    $globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' , 
-			    '' , 
-			    'add' , 
-			    '' )
+	    log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
 		if $level ne '';
 	    add_rule $synchainref, '-j DROP';
 	}
    }
 }

-#
-# Optimize Policy chains with ACCEPT policy
-#
-sub optimize_policy_chains() {
-    for my $chainref ( grep $_->{policy} eq 'ACCEPT', @policy_chains ) {
-	optimize_chain ( $chainref );
-    }
-    #
-    # Often, fw->all has an ACCEPT policy. This code allows optimization in that case
-    #
-    my $outputrules = $filter_table->{OUTPUT}{rules};
-
-    if ( @{$outputrules} && $outputrules->[-1] =~ /-j ACCEPT/ ) {
-	optimize_chain( $filter_table->{OUTPUT} );
-    }
-
-    progress_message '  Policy chains optimized';
-    progress_message '';
-}
-
 1;
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -41,7 +41,7 @@ our @EXPORT = qw(
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_7';
+our $VERSION = '4.4_4';

 #
 # ARP Filtering
@@ -96,18 +96,16 @@ sub setup_arp_filtering() {
 sub setup_route_filtering() {

    my $interfaces = find_interfaces_by_option 'routefilter';
-    my $config     = $config{ROUTE_FILTER};

-    if ( @$interfaces || $config ) {
+    if ( @$interfaces || $config{ROUTE_FILTER} ) {

 	progress_message2 "$doing Kernel Route Filtering...";

 	save_progress_message "Setting up Route Filtering...";

-	my $val = '';

-	if ( $config{ROUTE_FILTER} ne '' ) {
-	    $val = $config eq 'on' ? 1 : $config eq 'off' ? 0 : $config;
+	if ( $config{ROUTE_FILTER} ) {
+	    my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;

 	    emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
 		   "    [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter",
@@ -130,15 +128,15 @@ sub setup_route_filtering() {
 	    emit   "fi\n";
 	}

-	if ( have_capability( 'KERNELVERSION' ) < 20631 ) {
 	emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
-	} elsif ( $val ne '' ) {
-	    emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";
+
+	if ( $config{ROUTE_FILTER} eq 'on' ) {
+	    emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
+	} elsif (  $config{ROUTE_FILTER} eq 'off' ) {
+	    emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
 	}

-	emit "echo $val > /proc/sys/net/ipv4/conf/default/rp_filter" if $val ne '';
-
-	emit "[ -n \"\$g_noroutes\" ] || \$IP -4 route flush cache";
+	emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
    }
 }

--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_4';

 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -59,8 +59,6 @@ our @providers;

 our $family;

-our $lastmark;
-
 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };

 #
@@ -96,7 +94,7 @@ sub initialize( $ ) {
 # Set up marking for 'tracked' interfaces.
 #
 sub setup_route_marking() {
-    my $mask = in_hex( $globals{PROVIDER_MASK} );
+    my $mask = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';

    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;

@@ -114,7 +112,7 @@ sub setup_route_marking() {
 	my $mark      = $providerref->{mark};

 	unless ( $marked_interfaces{$interface} ) {
-	    add_jump $mangle_table->{PREROUTING} , $chainref,  0, "-i $physical -m mark --mark 0/$mask ";
+	    add_rule $mangle_table->{PREROUTING} , "-i $physical -m mark --mark 0/$mask -j routemark";
 	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $physical -m mark --mark  $mark/$mask ";
 	    add_jump $mangle_table->{OUTPUT}     , $chainref2, 0, "-m mark --mark  $mark/$mask ";
 	    $marked_interfaces{$interface} = 1;
@@ -275,7 +273,7 @@ sub add_a_provider( ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
    }

-    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface, 1 );
+    fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;

    my $physical    = get_physical $interface;
@@ -295,8 +293,36 @@ sub add_a_provider( ) {
 	$gateway = '';
    }

-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) =
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0 );
+    my $val = 0;
+    my $pref;
+
+    if ( $mark ne '-' ) {
+
+	$val = numeric_value $mark;
+
+	fatal_error "Invalid Mark Value ($mark)" unless defined $val;
+
+	verify_mark $mark;
+
+	if ( $val < 65535 ) {
+	    if ( $config{HIGH_ROUTE_MARKS} ) {
+		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes and WIDE_TC_MARKS=Yes" if $config{WIDE_TC_MARKS};
+		fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $val < 256;
+	    }
+	} else {
+	    fatal_error "Invalid Mark Value ($mark)" unless $config{HIGH_ROUTE_MARKS} && $config{WIDE_TC_MARKS};
+	}
+
+	for my $providerref ( values %providers  ) {
+	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
+	}
+
+	$pref = 10000 + $number - 1;
+
+    }
+
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu ) = 
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' );

    unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -337,43 +363,12 @@ sub add_a_provider( ) {
 		} else {
 		    $default = -1;
 		}
-	    } elsif ( $option eq 'local' ) {
-		$local = 1;
-		$track = 0           if $config{TRACK_PROVIDERS};
-		$default_balance = 0 if$config{USE_DEFAULT_RT};
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}
    }

-    my $val = 0;
-    my $pref;
-
-    $mark = ( $lastmark += ( 1 << $config{PROVIDER_OFFSET} ) ) if $mark eq '-' && $track;
-
-    if ( $mark ne '-' ) {
-
-	$val = numeric_value $mark;
-
-	fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
-
-	verify_mark $mark;
-
-	fatal_error "Invalid Mark Value ($mark)" unless ( $val & $globals{PROVIDER_MASK} ) == $val;
-
-	fatal_error "Provider MARK may not be specified when PROVIDER_BITS=0" unless $config{PROVIDER_BITS};
-
-	for my $providerref ( values %providers  ) {
-	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
-	}
-
-	$pref = 10000 + $number - 1;
-
-	$lastmark = $val;
-
-    }
-
    unless ( $loose ) {
 	warning_message q(The 'proxyarp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyarp' );
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
@@ -416,7 +411,7 @@ sub add_a_provider( ) {
 	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
    } else {
 	if ( $optional ) {
-	    start_provider( $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
+	    start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
 	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
 	} else {
@@ -425,22 +420,14 @@ sub add_a_provider( ) {

 	$provider_interfaces{$interface} = $table;

-	if ( $gatewaycase eq 'none' ) {
-	    if ( $local ) {
-		emit "run_ip route add local 0.0.0.0/0 dev $physical table $number";
-	    } else {
-		emit "run_ip route add default dev $physical table $number";
-	    }
-	}
+	emit "run_ip route add default dev $physical table $number" if $gatewaycase eq 'none';
    }

    if ( $mark ne '-' ) {
-	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';
+	emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};

-	emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
-
-	emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
-	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_routing"
+	emit ( "run_ip rule add fwmark $mark pref $pref table $number",
+	       "echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
 	     );
    }

@@ -483,12 +470,7 @@ sub add_a_provider( ) {
 	}
    }

-    if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
-	fatal_error "'track' not valid with 'local'"          if $track;
-	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
-	fatal_error "MARK required with 'local'"              unless $mark;
-    } elsif ( $loose ) {
+    if ( $loose ) {
 	if ( $config{DELETE_THEN_ADD} ) {
 	    emit ( "\nfind_interface_addresses $physical | while read address; do",
 		   "    qt \$IP -$family rule del from \$address",
@@ -545,7 +527,7 @@ sub add_a_provider( ) {
 sub start_new_if( $ ) {
    our $current_if = shift;

-    emit ( '', qq(if [ -n "\$SW_${current_if}_IS_USABLE" ]; then) );
+    emit ( '', qq(if [ -n "\$${current_if}_IS_USABLE" ]; then) );
    push_indent;
 }
  
@@ -607,7 +589,7 @@ sub add_an_rtrule( ) {
 	} else {
 	    $source = "iif $source";
 	}
-    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
+    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
 	validate_net ($source, 0);
 	$interface = physical_name $interface;
@@ -755,14 +737,12 @@ sub finish_providers() {
 sub setup_providers() {
    my $providers = 0;

-    $lastmark = 0;
-
    my $fn = open_file 'providers';

    first_entry sub() {
-	progress_message2 "$doing $fn...";
-	emit "\nif [ -z \"\$g_noroutes\" ]; then";
+	emit "\nif [ -z \"\$NOROUTES\" ]; then";
 	push_indent;
+	progress_message2 "$doing $fn...";
 	start_providers; };

    add_a_provider, $providers++ while read_a_line;
@@ -787,14 +767,14 @@ sub setup_providers() {
 	setup_null_routing if $config{NULL_ROUTE_RFC1918};
 	emit "\nrun_ip route flush cache";
 	#
-	# This completes the if-block begun in the first_entry closure above
+	# This completes the if block begun in the first_entry closure
 	#
 	pop_indent;
 	emit "fi\n";

 	setup_route_marking if @routemarked_interfaces;
    } else {
-	emit "\nif [ -z \"\$g_noroutes\" ]; then";
+	emit "\nif [ -z \"\$NOROUTES\" ]; then";

 	push_indent;

@@ -838,132 +818,49 @@ sub lookup_provider( $ ) {

 #
 # This function is called by the compiler when it is generating the detect_configuration() function.
-# The function calls Shorewall::Zones::verify_required_interfaces then emits code to set the
-# ..._IS_USABLE interface variables appropriately for the  optional interfaces
+# The function emits code to set the ..._IS_USABLE interface variables appropriately for the
+# optional interfaces
 #
-# Returns true if there were required or optional interfaces
+# Returns true if there were optional interfaces
 #
-sub handle_optional_interfaces( $ ) {
+sub handle_optional_interfaces() {

-    my ( $interfaces, $wildcards )  = find_interfaces_by_option1 'optional';
+    my $interfaces = find_interfaces_by_option 'optional';

    if ( @$interfaces ) {
-	my $require     = $config{REQUIRE_INTERFACE};
-	
-	verify_required_interfaces( shift );
-
-	emit( 'HAVE_INTERFACE=', '' ) if $require;
-	#
-	# Clear the '_IS_USABLE' variables
-	#
-	emit( join( '_', 'SW', uc chain_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
-
-	if ( $wildcards ) {
-	    #
-	    # We must consider all interfaces with an address in $family -- generate a list of such addresses. 
-	    #
-	    emit( '', 
-		  'for interface in $(find_all_interfaces1); do',
-		);
-
-	    push_indent;
-	    emit ( 'case "$interface" in' );
-	    push_indent;
-	} else {
-	    emit '';
-	}
-
-	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
+	for my $interface ( @$interfaces ) {
 	    my $provider = $provider_interfaces{$interface};
 	    my $physical = get_physical $interface;
 	    my $base     = uc chain_base( $physical );
-	    my $providerref = $providers{$provider};

-	    emit( "$physical)" ), push_indent if $wildcards;
+	    emit '';
+
+	    if ( $provider ) {
+		#
+		# This interface is associated with a non-shared provider -- get the provider table entry
+		#
+		my $providerref = $providers{$provider};

 		if ( $providerref->{gatewaycase} eq 'detect' ) {
 		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 		} else {
 		    emit qq(if interface_is_usable $physical; then);
 		}
+	    } else {
+		#
+		# Not a provider interface
+		#
+		emit qq(if interface_is_usable $physical; then);
+	    }

-	    emit( '    HAVE_INTERFACE=Yes' ) if $require;
-
-	    emit( "    SW_${base}_IS_USABLE=Yes" ,
+	    emit( "    ${base}_IS_USABLE=Yes" ,
+		  'else' ,
+		  "    ${base}_IS_USABLE=" ,
 		  'fi' );
-
-	    emit( ';;' ), pop_indent if $wildcards;
 	}

-	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
-	    my $physical    = get_physical $interface;
-	    my $base        = uc chain_base( $physical );
-	    my $case        = $physical;
-	    my $wild        = $case =~ s/\+$/*/;
-
-	    if ( $wildcards ) {
-		emit( "$case)" );
-		push_indent;
-		
-		if ( $wild ) {
-		    emit( qq(if [ -z "\$SW_${base}_IS_USABLE" ]; then) );
-		    push_indent; 
-		    emit ( 'if interface_is_usable $interface; then' );
-		} else {
-		    emit ( "if interface_is_usable $physical; then" );
+	1;
    }
-	    } else {
-		emit ( "if interface_is_usable $physical; then" );
-	    }
-
-	    emit ( '    HAVE_INTERFACE=Yes' ) if $require;
-	    emit ( "    SW_${base}_IS_USABLE=Yes" ,
-		   'fi' );
-
-	    if ( $wildcards ) {
-		pop_indent, emit( 'fi' ) if $wild;
-		emit( ';;' );
-		pop_indent;
-	    }
-	}
-
-	if ( $wildcards ) {
-	    emit( '*)' ,
-		  '    ;;'
-		);
-	    pop_indent;
-	    emit( 'esac' );
-	    pop_indent;
-	    emit('done' );
-	}
-
-	if ( $require ) {
-	    emit( '',
-		  'if [ -z "$HAVE_INTERFACE" ]; then' ,
-		  '    case "$COMMAND" in',
-		  '        start|restart|restore|refresh)'
-		);
-
-	    if ( $family == F_IPV4 ) {
-		emit( '            if shorewall_is_started; then' );
-	    } else {
-		emit( '            if shorewall6_is_started; then' );
-	    }
-
-	    emit( '                fatal_error "No network interface available"',
-		  '            else',
-		  '                startup_error "No network interface available"',
-		  '            fi',
-		  '            ;;',
-		  '    esac',
-		  'fi'
-		);
-	}
-
-	return 1;
-    }
-
-    verify_required_interfaces( shift );
 }

 #
@@ -972,7 +869,7 @@ sub handle_optional_interfaces( $ ) {
 #
 sub handle_stickiness( $ ) {
    my $havesticky   = shift;
-    my $mask         = in_hex( $globals{PROVIDER_MASK} );
+    my $mask         = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
    my $setstickyref = $mangle_table->{setsticky};
    my $setstickoref = $mangle_table->{setsticko};
    my $tcpreref     = $mangle_table->{tcpre};
@@ -1002,14 +899,14 @@ sub handle_stickiness( $ ) {
 		    } else {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
-			$rule2 = '';
 		    }

-		    assert ( $rule1 =~ s/^-A // );
+		    $rule1 =~ s/-A tcpre //;
+
 		    add_rule $chainref, $rule1;

 		    if ( $rule2 ) {
-			assert ( $rule2 =~ s/^-A // );
+			$rule2 =~ s/-A tcpre //;
 			add_rule $chainref, $rule2;
 		    }
 		}
@@ -1029,14 +926,14 @@ sub handle_stickiness( $ ) {
 		    } else {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
-			$rule2 = '';
 		    }

-		    assert( $rule1 =~ s/-A // );
+		    $rule1 =~ s/-A tcout //;
+
 		    add_rule $chainref, $rule1;

 		    if ( $rule2 ) {
-			$rule2 =~ s/-A //;
+			$rule2 =~ s/-A tcout //;
 			add_rule $chainref, $rule2;
 		    }
 		}
@@ -1045,9 +942,8 @@ sub handle_stickiness( $ ) {
    }

    if ( @routemarked_providers ) {
-	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
-	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
+	purge_jump $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
+	purge_jump $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
    }
 }
-
 1;
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -35,7 +35,7 @@ our @EXPORT = qw(
 		  );

 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_9';
+our $VERSION = '4.4_4';

 our @proxyarp;

@@ -76,7 +76,7 @@ sub setup_one_proxy_arp( $$$$$ ) {
    }

    unless ( $haveroute ) {
-	emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address dev $interface";
+	emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface";
 	$haveroute = 1 if $persistent;
    }

@@ -118,7 +118,6 @@ sub setup_proxy_arp() {
 		}

 		$interface = get_physical $interface;
-		$external  = get_physical $external;

 		$set{$interface}  = 1;
 		$reset{$external} = 1 unless $set{$external};
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_13';
+our $VERSION = '4.3_7';

 #
 # Notrack
@@ -50,9 +50,9 @@ sub process_notrack_rule( $$$$$$ ) {
    ( my $zone, $source) = split /:/, $source, 2;
    my $zoneref  = find_zone $zone;
    my $chainref = ensure_raw_chain( notrack_chain $zone );
-    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
+    my $restriction = $zone eq firewall_zone ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;

-    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
    require_capability 'RAW_TABLE', 'Notrack rules', '';

    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
@@ -64,7 +64,7 @@ sub process_notrack_rule( $$$$$$ ) {
 	$source ,
 	$dest ,
 	'' ,
-	'NOTRACK' ,
+	'-j NOTRACK' ,
 	'' ,
 	'NOTRACK' ,
 	'' ;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -40,44 +40,37 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_4';

 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
-		    fw       => 1,
-		    fwi      => 0,
+		    fw       => 1
 		  } ,
 	    CT => { chain  => 'tcpost' ,
 		    target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 1 ,
-		    fwi      => 0,
+		    fw       => 1
 		    } ,
 	    C  => { target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 1 ,
-		    fwi      => 1 ,
+		    fw       => 1
 		    } ,
 	    P  => { chain    => 'tcpre' ,
 		    connmark => 0 ,
-		    fw       => 0 ,
-		    fwi      => 0 ,
+		    fw       => 0
 		    } ,
 	    CP => { chain    => 'tcpre' ,
 		    target => 'CONNMARK --set-mark' ,
 		    connmark => 1 ,
-		    fw       => 0 ,
-		    fwi      => 0 ,
+		    fw       => 0
 		    } ,
 	    F =>  { chain    => 'tcfor' ,
 		    connmark => 0 ,
-		    fw       => 0 ,
-		    fwi      => 0 ,
+		    fw       => 0
 		    } ,
 	    CF => { chain    => 'tcfor' ,
 		    connmark => 1 ,
 		    fw       => 0 ,
-		    fwi      => 0 ,
 		    } ,
 	    );

@@ -86,6 +79,48 @@ use constant { NOMARK    => 0 ,
 	       HIGHMARK  => 2
 	       };

+our @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+		 target    => 'CONNMARK --save-mark --mask' ,
+		 mark      => SMALLMARK ,
+		 mask      => '0xFF' ,
+		 connmark  => 1
+	       } ,
+	      { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
+		target    => 'CONNMARK --restore-mark --mask' ,
+		mark      => SMALLMARK ,
+		mask      => '0xFF' ,
+		connmark  => 1
+		} ,
+	      { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
+		target    => 'RETURN' ,
+		mark      => NOMARK ,
+		mask      => '' ,
+		connmark  => 0
+		} ,
+	      { match     => sub ( $ ) { $_[0] eq 'SAME' },
+		target    => 'sticky' ,
+		mark      => NOMARK ,
+		mask      => '' ,
+		connmark  => 0
+		} ,
+	      { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
+		target    => 'IPMARK' ,
+		mark      => NOMARK,
+		mask      => '',
+		connmark  => 0
+	        } ,
+	      { match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
+		target    => 'MARK --or-mark' ,
+		mark      => HIGHMARK ,
+		mask      => '' } ,
+	      { match     => sub ( $ ) { $_[0] =~ '&.*' },
+		target    => 'MARK --and-mark ' ,
+		mark      => HIGHMARK ,
+		mask      => '' ,
+		connmark  => 0
+		}
+	      );
+
 our %flow_keys = ( 'src'            => 1,
 		   'dst'            => 1,
 		   'proto'          => 1,
@@ -137,7 +172,7 @@ our %tcdevices;
 our @devnums;
 our $devnum;
 our $sticky;
-our $ipp2p;
+

 #
 # TCClasses Table
@@ -165,7 +200,6 @@ our %tcclasses;
 our %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 		      tcpost     => POSTROUTE_RESTRICT ,
 		      tcfor      => NO_RESTRICT ,
-		      tcin       => INPUT_RESTRICT ,
 		      tcout      => OUTPUT_RESTRICT );

 our $family;
@@ -191,14 +225,11 @@ sub initialize( $ ) {
    @devnums   = ();
    $devnum = 0;
    $sticky = 0;
-    $ipp2p  = 0;
 }

 sub process_tc_rule( ) {
    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules file';

-    our @tccmd;
-
    if ( $originalmark eq 'COMMENT' ) {
 	process_comment;
 	return;
@@ -226,28 +257,17 @@ sub process_tc_rule( ) {
 	}
    }

-    if ( $dest ) {
-	if ( $dest eq $fw ) {
-	    $chain = 'tcin';
-	    $dest  = '';
-	} else {
-	    $chain = 'tcin' if $dest =~ s/^($fw)://;
-	}
-    }
-
    if ( $designator ) {
 	$tcsref = $tcs{$designator};

 	if ( $tcsref ) {
 	    if ( $chain eq 'tcout' ) {
 		fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
-	    } elsif ( $chain eq 'tcin' ) {
-		fatal_error "Invalid chain designator for dest $fw" unless $tcsref->{fwi};
 	    }

 	    $chain    = $tcsref->{chain}  if $tcsref->{chain};
 	    $target   = $tcsref->{target} if $tcsref->{target};
-	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark};
+	    $mark     = "$mark/0xFF"      if $connmark = $tcsref->{connmark};

 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;

@@ -265,12 +285,12 @@ sub process_tc_rule( ) {
 	}
    }

+    my $mask = 0xffff;
+
    my ($cmd, $rest) = split( '/', $mark, 2 );

    $list = '';

-    my $restriction = 0;
-
    unless ( $classid ) {
      MARK:
 	{
@@ -280,7 +300,7 @@ sub process_tc_rule( ) {

 		    require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};

-		    $target      = $tccmd->{target};
+		    $target      = "$tccmd->{target} ";
 		    my $marktype = $tccmd->{mark};

 		    if ( $marktype == NOMARK ) {
@@ -289,19 +309,15 @@ sub process_tc_rule( ) {
 			$mark =~ s/^[|&]//;
 		    }

-		    if ( $target eq 'sticky' ) {
+		    if ( $target eq 'sticky ' ) {
 			if ( $chain eq 'tcout' ) {
 			    $target = 'sticko';
 			} else {
 			    fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
 			}

-			$restriction = DESTIFACE_DISALLOW;
-			
-			ensure_mangle_chain($target);
-
 			$sticky++;
-		    } elsif ( $target eq 'IPMARK' ) {
+		    } elsif ( $target eq 'IPMARK ' ) {
 			my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );

 			require_capability 'IPMARK_TARGET', 'IPMARK', 's';
@@ -338,40 +354,8 @@ sub process_tc_rule( ) {
 			}

 			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
-		    } elsif ( $target eq 'TPROXY' ) {
-			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
-
-			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
-
-			$chain = 'tcpre';
-
-			$cmd =~ /TPROXY\((.+?)\)$/;
-
-			my $params = $1;
-
-			fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
-
-			( $mark, my $port, my $ip, my $bad ) = split ',', $params;
-
-			fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
-
-			if ( $port ) {
-			    $port = validate_port( 'tcp', $port );
-			} else {
-			    $port = 0;
 		    }

-			$target .= "--on-port $port";
-
-			if ( defined $ip && $ip ne '' ) {
-			    validate_address $ip, 1;
-			    $target .= " --on-ip $ip";
-			}
-
-			$target .= ' --tproxy-mark';
-		    }
-
-
 		    if ( $rest ) {
 			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;

@@ -392,23 +376,21 @@ sub process_tc_rule( ) {

 	    validate_mark $mark;

-	    if ( $config{PROVIDER_OFFSET} ) {
+	    if ( $config{HIGH_ROUTE_MARKS} ) {
 		my $val = numeric_value( $cmd );
 		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
-		my $limit = $globals{TC_MASK};
-		unless ( have_capability 'FWMARK_RT_MASK' ) {
+		my $limit = $config{WIDE_TC_MARKS} ? 65535 : 255;
 		fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
 		    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
 	    }
 	}
    }
-    }

    if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
-				     $restrictions{$chain} | $restriction,
+				     $restrictions{$chain} ,
 				     do_proto( $proto, $ports, $sports) .
 				     do_user( $user ) .
-				     do_test( $testval, $globals{TC_MASK} ) .
+				     do_test( $testval, $mask ) .
 				     do_length( $length ) .
 				     do_tos( $tos ) .
 				     do_connbytes( $connbytes ) .
@@ -416,9 +398,9 @@ sub process_tc_rule( ) {
 				     $source ,
 				     $dest ,
 				     '' ,
-				     $mark ? "$target $mark" : $target,
+				     "-j $target $mark" ,
+				     '' ,
 				     '' ,
-				     $target ,
 				     '' ) )
 	  && $device ) {
 	#
@@ -435,11 +417,11 @@ sub rate_to_kbit( $ ) {
    my $rate = $_[0];

    return 0           if $rate eq '-';
-    return $1          if $rate =~ /^((\d+)(\.\d+)?)kbit$/i;
-    return $1 * 1000   if $rate =~ /^((\d+)(\.\d+)?)mbit$/i;
-    return $1 * 8000   if $rate =~ /^((\d+)(\.\d+)?)mbps$/i;
-    return $1 * 8      if $rate =~ /^((\d+)(\.\d+)?)kbps$/i;
-    return ($1/125)    if $rate =~ /^((\d+)(\.\d+)?)(bps)?$/;
+    return $1          if $rate =~ /^(\d+)kbit$/i;
+    return $1 * 1000   if $rate =~ /^(\d+)mbit$/i;
+    return $1 * 8000   if $rate =~ /^(\d+)mbps$/i;
+    return $1 * 8      if $rate =~ /^(\d+)kbps$/i;
+    return int($1/125) if $rate =~ /^(\d+)(bps)?$/;
    fatal_error "Invalid Rate ($rate)";
 }

@@ -458,6 +440,8 @@ sub calculate_quantum( $$ ) {
 sub process_flow($) {
    my $flow = shift;

+    $flow =~ s/^\(// if $flow =~ s/\)$//;
+
    my @flow = split /,/, $flow;

    for ( @flow ) {
@@ -467,119 +451,6 @@ sub process_flow($) {
    $flow;
 }

-sub process_simple_device() {
-    my ( $device , $type , $in_bandwidth , $out_part ) = split_line 1, 4, 'tcinterfaces';
-
-    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
-    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
-
-    my $number = in_hexp( $tcdevices{$device} = ++$devnum );
-
-    my $physical = physical_name $device;
-    my $dev      = chain_base( $physical );
-
-    if ( $type ne '-' ) {
-	if ( lc $type eq 'external' ) {
-	    $type = 'nfct-src';
-	} elsif ( lc $type eq 'internal' ) {
-	    $type = 'dst';
-	} else {
-	    fatal_error "Invalid TYPE ($type)";
-	}
-    }
-
-    my $in_burst = '10kb';
-
-    if ( $in_bandwidth =~ /:/ ) {
-	my ( $in_band, $burst ) = split /:/, $in_bandwidth, 2;
-
-	if ( defined $burst && $burst ne '' ) {
-	    fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
-	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
-	    $in_burst = $burst;
-	}
-
-	$in_bandwidth = rate_to_kbit( $in_band );
-    } else {
-	$in_bandwidth = rate_to_kbit( $in_bandwidth );
-    }
-
-    emit "if interface_is_up $physical; then";
-
-    push_indent;
-
-    emit ( "${dev}_exists=Yes",
-	   "qt \$TC qdisc del dev $physical root",
-	   "qt \$TC qdisc del dev $physical ingress\n"
-	 );
-
-    emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
-	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n"
-	 ) if $in_bandwidth;
-
-    if ( $out_part ne '-' ) {
-	my ( $out_bandwidth, $burst, $latency, $peak, $minburst ) = split ':', $out_part;
-
-	fatal_error "Invalid Out-BANDWIDTH ($out_part)" if ( defined $minburst && $minburst =~ /:/ ) || $out_bandwidth eq '';
-
-	$out_bandwidth = rate_to_kbit( $out_bandwidth );
-
-	my $command = "run_tc qdisc add dev $physical root handle $number: tbf rate ${out_bandwidth}kbit";
-
-	if ( defined $burst && $burst ne '' ) {
-	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
-	    $command .= " burst $burst";
-	} else {
-	    $command .= ' burst 10kb';
-	}
-
-	if ( defined $latency && $latency ne '' ) {
-	    fatal_error "Invalid latency ($latency)" unless $latency =~ /^\d+(?:\.\d+)?(s|sec|secs|ms|msec|msecs|us|usec|usecs)?$/;
-	    $command .= " latency $latency";
-	} else {
-	    $command .= ' latency 200ms';
-	}
-
-	if ( defined $peak && $peak ne '' ) {
-	    fatal_error "Invalid peak ($peak)" unless $peak =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
-	    $command .= " peakrate $peak";
-	}
-
-	if ( defined $minburst && $minburst ne '' ) {
-	    fatal_error "Invalid minburst ($minburst)" unless $minburst =~ /^\d+(?:\.\d+)?(k|kb|m|mb|mbit|kbit|b)?$/;
-	    $command .= " minburst $minburst";
-	}
-
-	emit $command;
-
-	my $id = $number; $number = in_hexp( $devnum | 0x100 );
-
-	emit "run_tc qdisc add dev $physical parent $id: handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
-    } else {
-	emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
-    }
-
-    for ( my $i = 1; $i <= 3; $i++ ) {
-	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
-	emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $number:$i";
-	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
-	emit '';
-    }
-
-    save_progress_message_short qq("   TC Device $physical defined.");
-
-    pop_indent;
-    emit 'else';
-    push_indent;
-
-    emit qq(error_message "WARNING: Device $physical is not in the UP state -- traffic-shaping configuration skipped");
-    emit "${dev}_exists=";
-    pop_indent;
-    emit "fi\n";
-
-    progress_message "  Simple tcdevice \"$currentline\" $done.";
-}
-
 sub validate_tc_device( ) {
    my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';

@@ -638,6 +509,7 @@ sub validate_tc_device( ) {
    if ( @redirected ) {
 	fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband;
 	$classify = 1;
+    }

    for my $rdevice ( @redirected ) {
 	fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
@@ -645,7 +517,6 @@ sub validate_tc_device( ) {
 	fatal_error "REDIRECTED device ($rdevice) has not been defined in this file" unless $rdevref;
 	fatal_error "IN-BANDWIDTH must be zero for REDIRECTED devices" if $rdevref->{in_bandwidth} ne '0kbit';
    }
-    }

    $tcdevices{$device} = { in_bandwidth  => rate_to_kbit( $inband ) . 'kbit',
 			    out_bandwidth => rate_to_kbit( $outband ) . 'kbit',
@@ -777,12 +648,10 @@ sub validate_tc_class( ) {
 	if ( $devref->{classify} ) {
 	    warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
 	} else {
-	    fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
-
 	    $markval = numeric_value( $mark );
 	    fatal_error "Invalid MARK ($markval)" unless defined $markval;

-	    fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
+	    fatal_error "Invalid Mark ($mark)" unless $markval <= ( $config{WIDE_TC_MARKS} ? 0xffff : 0xff );

 	    if ( $classnumber ) {
 		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
@@ -886,7 +755,7 @@ sub validate_tc_class( ) {
 		fatal_error q(The 'occurs' option is only valid for IPv4)           if $family == F_IPV6;
 		fatal_error q(The 'occurs' option may not be used with 'classify')  if $devref->{classify};
 		fatal_error "Invalid 'occurs' ($val)"                               unless defined $occurs && $occurs > 1 && $occurs <= 256;
-		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > $globals{TC_MAX};
+		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > ( $config{WIDE_TC_MARKS} ? 8191 : 255 );
 		fatal_error q(Duplicate 'occurs')                                   if $tcref->{occurs} > 1;
 		fatal_error q(The 'occurs' option is not valid with 'default')      if $devref->{default} == $classnumber;
 		fatal_error q(The 'occurs' option is not valid with 'tos')          if @{$tcref->{tos}};
@@ -1141,104 +1010,16 @@ sub process_tc_filter( ) {

    $currentline =~ s/\s+/ /g;

-    save_progress_message_short qq('   TC Filter \"$currentline\" defined.');
+    save_progress_message_short qq("   TC Filter \"$currentline\" defined.");

    emit '';

 }

-sub process_tc_priority() {
-    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri';
-
-    if ( $band eq 'COMMENT' ) {
-	process_comment;
-	return;
-    }
-
-    my $val = numeric_value $band;
-
-    fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
-
-    my $rule = do_helper( $helper ) . "-j MARK --set-mark $band";
-
-    $rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if have_capability( 'EXMARK' );
-
-    if ( $interface ne '-' ) {
-	fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
-
-	my $forwardref = $mangle_table->{tcfor};
-
-	add_rule( $forwardref ,
-		  join( '', match_source_dev( $interface) , $rule ) ,
-		  1 );
-    } else {
-	my $postref = $mangle_table->{tcpost};
-
-	if ( $address ne '-' ) {
-	    fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
-	    add_rule( $postref ,
-		      join( '', match_source_net( $address) , $rule ) ,
-		      1 );
-	} else {
-	    add_rule( $postref ,
-		      join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
-		      1 );
-
-	    if ( $ports ne '-' ) {
-		my $protocol = resolve_proto $proto;
-
-		if ( $proto =~ /^ipp2p/ ) {
-		    fatal_error "ipp2p may not be used when there are tracked providers and PROVIDER_OFFSET=0" if @routemarked_interfaces && $config{PROVIDER_OFFSET} == 0;
-		    $ipp2p = 1;
-		}
-
-		add_rule( $postref ,
-			  join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
-			  1 )
-		    unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
-	    }
-	}
-    }
-}
-
-sub setup_simple_traffic_shaping() {
-    my $interfaces;
-
-    save_progress_message q("Setting up Traffic Control...");
-
-    my $fn = open_file 'tcinterfaces';
-
-    if ( $fn ) {
-	first_entry "$doing $fn...";
-	process_simple_device, $interfaces++ while read_a_line;
-    } else {
-	$fn = find_file 'tcinterfaces';
-    }
-
-    my $fn1 = open_file 'tcpri';
-
-    if ( $fn1 ) {
-	first_entry
-	    sub {
-		progress_message2 "$doing $fn1...";
-		warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces;
-	    };
-
-	process_tc_priority while read_a_line;
-
-	clear_comment;
-
-	if ( $ipp2p ) {
-	    insert_rule1 $mangle_table->{tcpost} , 0 , '-m mark --mark 0/'   . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --restore-mark --ctmask ' . in_hex( $globals{TC_MASK} );
-	    add_rule     $mangle_table->{tcpost} ,     '-m mark ! --mark 0/' . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} );
-	}
-    }
-}
-
 sub setup_traffic_shaping() {
    our $lastrule = '';

-    save_progress_message q("Setting up Traffic Control...");
+    save_progress_message "Setting up Traffic Control...";

    my $fn = open_file 'tcdevices';

@@ -1248,9 +1029,6 @@ sub setup_traffic_shaping() {
 	validate_tc_device while read_a_line;
    }

-    my $sfq = $devnum;
-    my $sfqinhex;
-
    $devnum = $devnum > 10 ? 10 : 1;

    $fn = open_file 'tcclasses';
@@ -1307,26 +1085,11 @@ sub setup_traffic_shaping() {
 		  qq(fi) );
 	}

-	my $in_burst = '10kb';
-	my $inband;
-
-	if ( $devref->{in_bandwidth} =~ /:/ ) {
-	    my ( $in_band, $burst ) = split /:/, $devref->{in_bandwidth}, 2;
-
-	    if ( defined $burst && $burst ne '' ) {
-		fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
-		fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
-		$in_burst = $burst;
-	    }
-
-	    $inband = rate_to_kbit( $in_band );
-	} else {
-	    $inband = rate_to_kbit $devref->{in_bandwidth};
-	}
+	my $inband = rate_to_kbit $devref->{in_bandwidth};

 	if ( $inband ) {
 	    emit ( "run_tc qdisc add dev $device handle ffff: ingress",
-		   "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst $in_burst drop flowid :1"
+		   "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${inband}kbit burst 10k drop flowid :1"
 		   );
 	}

@@ -1335,7 +1098,7 @@ sub setup_traffic_shaping() {
 	    emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	}

-	save_progress_message_short qq("   TC Device $device defined.");
+	save_progress_message_short "   TC Device $device defined.";

 	pop_indent;
 	emit 'else';
@@ -1402,18 +1165,17 @@ sub setup_traffic_shaping() {
 	    }
 	}

-	if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
-	    $sfqinhex = in_hexp( ++$sfq);
-	    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
-	}
+	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit $tcref->{limit} perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
 	#
 	# add filters
 	#
 	unless ( $devref->{classify} ) {
-	    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
+	    if ( $tcref->{occurs} == 1 ) {
+		emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid";
+	    }
 	}

-	emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
+	emit "run_tc filter add dev $device protocol all prio 1 parent $classnum: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
 	#
 	# options
 	#
@@ -1437,178 +1199,67 @@ sub setup_traffic_shaping() {
 	$fn = open_file 'tcfilters';

 	if ( $fn ) {
-	    first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message q("Adding TC Filters"); } );
+	    first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message "Adding TC Filters"; } );

 	    process_tc_filter while read_a_line;
 	}
    }
 }

-#
-# Process a record in the secmarks file
-#
-sub process_secmark_rule() {
-    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = split_line1( 2, 9 , 'Secmarks file' );
-
-    if ( $secmark eq 'COMMENT' ) {
-	process_comment;
-	return;
-    }
-
-    my %chns = ( T => 'tcpost'  ,
-		 P => 'tcpre'   ,
-		 F => 'tcfor'   ,
-		 I => 'tcin'    ,
-		 O => 'tcout'   , );
-
-    my %state = ( N =>  'NEW' ,
-		  E =>  'ESTABLISHED' , 
-		  ER => 'ESTABLISHED,RELATED' );
-
-    my ( $chain , $state, $rest) = split ':', $chainin , 3;
-
-    fatal_error "Invalid CHAIN:STATE ($chainin)" if $rest || ! $chain;
-
-    my $chain1= $chns{$chain};
-    
-    fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
-    fatal_error "USER/GROUP may only be used in the OUTPUT chain" if $user ne '-' && $chain1 ne 'tcout';
-
-    if ( ( $state ||= '' ) ne '' ) {
-	my $state1;
-	fatal_error "Invalid STATE ( $state )" unless $state1 = $state{$state};
-	$state = "$globals{STATEMATCH} $state1 ";
-    }
-
-    my $target = $secmark eq 'SAVE'    ? 'CONNSECMARK --save' :
-	         $secmark eq 'RESTORE' ? 'CONNSECMARK --restore' :
-		 "SECMARK --selctx $secmark";
-
-    my $disposition = $target;
-
-    $disposition =~ s/ .*//;
-
-    expand_rule( ensure_mangle_chain( $chain1 ) , 
-		 $restrictions{$chain1} ,
-		 $state .
-		 do_proto( $proto, $dport, $sport ) .
-		 do_user( $user ) .
-		 do_test( $mark, $globals{TC_MASK} ) ,
-		 $source , 
-		 $dest , 
-		 '' , 
-		 $target , 
-		 '' , 
-		 $disposition,
-		 '' );
-
-    progress_message "Secmarks rule \"$currentline\" $done";
-		 
-}
-
 #
 # Process the tcrules file and setup traffic shaping
 #
 sub setup_tc() {

-    if ( $config{MANGLE_ENABLED} ) {
+    if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
 	ensure_mangle_chain 'tcpre';
 	ensure_mangle_chain 'tcout';

-	if ( have_capability( 'MANGLE_FORWARD' ) ) {
+	if ( $capabilities{MANGLE_FORWARD} ) {
 	    ensure_mangle_chain 'tcfor';
 	    ensure_mangle_chain 'tcpost';
-	    ensure_mangle_chain 'tcin';
 	}

 	my $mark_part = '';

 	if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
-	    $mark_part = '-m mark --mark 0/' . in_hex( $globals{PROVIDER_MASK} ) . ' ';
+	    $mark_part = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFF0000' : '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';

-	    unless ( $config{TRACK_PROVIDERS} ) {
-		#
-		# This is overloading TRACK_PROVIDERS a bit but sending tracked packets through PREROUTING is a PITA for users
-		#
 	    for my $interface ( @routemarked_interfaces ) {
-		    add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, match_source_dev( $interface );
-		}
+		add_rule $mangle_table->{PREROUTING} , match_source_dev( $interface ) . "-j tcpre";
 	    }
 	}

-	add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, $mark_part;
-	add_jump $mangle_table->{OUTPUT} ,     'tcout', 0, $mark_part;
+	add_rule $mangle_table->{PREROUTING} , "$mark_part -j tcpre";
+	add_rule $mangle_table->{OUTPUT} ,     "$mark_part -j tcout";

-	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    my $mask = have_capability 'EXMARK' ? have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '' : '';
+	if ( $capabilities{MANGLE_FORWARD} ) {
+	    add_rule $mangle_table->{FORWARD} ,     '-j tcfor';
+	    add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
+	}

-	    add_rule( $mangle_table->{FORWARD},     "-j MARK --set-mark 0${mask}" ) if $config{FORWARD_CLEAR_MARK};
-	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
-	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
-	    add_jump $mangle_table->{INPUT} ,       'tcin' ,  0;
+	if ( $config{HIGH_ROUTE_MARKS} ) {
+	    for my $chain qw(INPUT FORWARD) {
+		insert_rule1 $mangle_table->{$chain}, 0, $config{WIDE_TC_MARKS} ? '-j MARK --and-mark 0xFFFF' : '-j MARK --and-mark 0xFF';
+	    }
+	    #
+	    # In POSTROUTING, we only want to clear routing mark and not IPMARK.
+	    #
+	    insert_rule1 $mangle_table->{POSTROUTING}, 0, $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFFFF -j MARK --and-mark 0' : '-m mark --mark 0/0xFF -j MARK --and-mark 0';
 	}
    }

    if ( $globals{TC_SCRIPT} ) {
-	save_progress_message q('Setting up Traffic Control...');
+	save_progress_message 'Setting up Traffic Control...';
 	append_file $globals{TC_SCRIPT};
    } elsif ( $config{TC_ENABLED} eq 'Internal' ) {
 	setup_traffic_shaping;
-    } elsif ( $config{TC_ENABLED} eq 'Simple' ) {
-	setup_simple_traffic_shaping;
    }

    if ( $config{TC_ENABLED} ) {
-	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
-			  target    => 'CONNMARK --save-mark --mask' ,
-			  mark      => SMALLMARK ,
-			  mask      => in_hex( $globals{TC_MASK} ) ,
-			  connmark  => 1
-			} ,
-			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
-			  target    => 'CONNMARK --restore-mark --mask' ,
-			  mark      => SMALLMARK ,
-			  mask      => in_hex( $globals{TC_MASK} ) ,
-			  connmark  => 1
-			} ,
-			{ match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
-			  target    => 'RETURN' ,
-			  mark      => NOMARK ,
-			  mask      => '' ,
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] eq 'SAME' },
-			  target    => 'sticky' ,
-			  mark      => NOMARK ,
-			  mask      => '' ,
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
-			  target    => 'IPMARK' ,
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
-			  target    => 'MARK --or-mark' ,
-			  mark      => HIGHMARK ,
-			  mask      => '' } ,
-			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
-			  target    => 'MARK --and-mark' ,
-			  mark      => HIGHMARK ,
-			  mask      => '' ,
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
-			  target    => 'TPROXY',
-			  mark      => HIGHMARK,
-			  mask      => '',
-			  connmark  => '' },
-		      );
-
 	if ( my $fn = open_file 'tcrules' ) {

-	    first_entry "$doing $fn...";
+	    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } );

 	    process_tc_rule while read_a_line;

@@ -1616,20 +1267,9 @@ sub setup_tc() {
 	}
    }

-    if ( $config{MANGLE_ENABLED} ) {
-	if ( my $fn = open_file 'secmarks' ) {
-
-	    first_entry "$doing $fn...";
-
-	    process_secmark_rule while read_a_line;
-	
-	    clear_comment;
-	}
-
    add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;

    handle_stickiness( $sticky );
-    }
 }

 1;
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_13';
+our $VERSION = '4.3_7';

 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -61,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}

-	my $options = $globals{UNTRACKED} ? "-m state --state NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
+	my $options = $globals{UNTRACKED} ? '-m state --state NEW,UNTRACKED -j ACCEPT' : '-m state --state NEW -j ACCEPT';

 	add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 	add_tunnel_rule $outchainref, "-p 50 $dest   -j ACCEPT";
@@ -86,7 +86,7 @@ sub setup_tunnels() {
 		$inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
 		$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;

-		unless ( have_ipsec ) {
+		unless ( $capabilities{POLICY_MATCH} ) {
 		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
 		    add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";

--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -36,7 +36,6 @@
 #         --log=<filename>            # Log file
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
-#         --preview                   # Preview the ruleset.
 #
 use strict;
 use FindBin;
@@ -45,6 +44,7 @@ use Shorewall::Compiler;
 use Getopt::Long;

 sub usage( $ ) {
+    my $returnval = shift @_;

    print STDERR 'usage: compiler.pl [ <option> ... ] [ <filename> ]

@@ -58,11 +58,10 @@ sub usage( $ ) {
    [ --log=<filename> ]
    [ --log-verbose={-1|0-2} ]
    [ --test ]
-    [ --preview ]
    [ --family={4|6} ]
 ';

-    exit shift @_;
+    exit $returnval;
 }

 #
@@ -79,7 +78,6 @@ my $log_verbose   = 0;
 my $help          = 0;
 my $test          = 0;
 my $family        = 4; # F_IPV4
-my $preview       = 0;

 Getopt::Long::Configure ('bundling');

@@ -100,7 +98,6 @@ my $result = GetOptions('h'               => \$help,
 			'l=s'             => \$log,
 			'log_verbosity=i' => \$log_verbose,
 			'test'            => \$test,
-			'preview'         => \$preview,
 			'f=i'             => \$family,
 			'family=i'        => \$family,
 		       );
@@ -108,7 +105,7 @@ my $result = GetOptions('h'               => \$help,
 usage(1) unless $result && @ARGV < 2;
 usage(0) if $help;

-compiler( script          => $ARGV[0] || '',
+compiler( script          => defined $ARGV[0] ? $ARGV[0] : '',
 	  directory       => $shorewall_dir,
 	  verbosity       => $verbose,
 	  timestamp       => $timestamp,
@@ -118,5 +115,4 @@ compiler( script          => $ARGV[0] || '',
 	  log             => $log,
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
-	  preview         => $preview,
 	  family          => $family );
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -5,16 +5,7 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
-    echo
-    echo "Options are:"
-    echo
-    echo "   -v and -q        Standard Shorewall verbosity controls"
-    echo "   -n               Don't unpdate routing configuration"
-    echo "   -p               Purge Conntrack Table"
-    echo "   -t               Timestamp progress Messages"
-    echo "   -V <verbosity>   Set verbosity explicitly"
-    echo "   -R <file>        Override RESTOREFILE setting"
+    echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
    exit $1
 }
 ################################################################################
@@ -32,17 +23,6 @@ if [ $# -gt 1 ]; then
 	shift
    fi
 fi
-#
-# Map VERBOSE to VERBOSITY for compatibility with old Shorewall-lite installations
-#
-[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
-#
-# Map other old exported variables
-#
-g_purge=$PURGE
-g_noroutes=$NOROUTES
-g_timestamp=$TIMESTAMP
-g_recovering=$RECOVERING

 initialize

@@ -71,78 +51,17 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    v*)
-			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
+			VERBOSE=$(($VERBOSE + 1 ))
 			option=${option#v}
 			;;
 		    q*)
-			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
+			VERBOSE=$(($VERBOSE - 1 ))
 			option=${option#q}
 			;;
 		    n*)
-			g_noroutes=Yes
+			NOROUTES=Yes
 			option=${option#n}
 			;;
-		    t*)
-			g_timestamp=Yes
-			option=${option#t}
-			;;
-		    p*)
-			g_purge=Yes
-			option=${option#p}
-			;;
-		    r*)
-			g_recovering=Yes
-			option=${option#r}
-			;;
-		    V*)
-			option=${option#V}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				-1|0|1|2)
-				    VERBOSITY=$option
-				    option=
-				    ;;
-				*)
-				    startup_error "Invalid -V option value ($option)"
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -V option value"
-			fi
-			;;
-		    R*)
-			option=${option#R}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				*/*)
-	    			    startup_error "-R must specify a simple file name: $option"
-				    ;;
-				.safe|.try|NONE)
-				    ;;
-				.*)
-				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
-				    exit 2
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -R option value"
-			fi
-
-			RESTOREFILE=$option
-			option=
-			;;
 		    *)
 			usage 1
 			;;
@@ -158,14 +77,16 @@ done

 COMMAND="$1"

+[ -n "${PRODUCT:=Shorewall}" ]
+
 case "$COMMAND" in
    start)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    error_message "$g_product is already Running"
+	    error_message "$PRODUCT is already Running"
 	    status=0
 	else
-	    progress_message3 "Starting $g_product...."
+	    progress_message3 "Starting $PRODUCT...."
 	    detect_configuration
 	    define_firewall
 	    status=$?
@@ -175,7 +96,7 @@ case "$COMMAND" in
 	;;
    stop)
 	[ $# -ne 1 ] && usage 2
-	progress_message3 "Stopping $g_product...."
+	progress_message3 "Stopping $PRODUCT...."
 	detect_configuration
 	stop_firewall
 	status=0
@@ -184,7 +105,7 @@ case "$COMMAND" in
 	;;
    reset)
 	if ! shorewall_is_started ; then
-	    error_message "$g_product is not running"
+	    error_message "$PRODUCT is not running"
 	    status=2
 	elif [ $# -eq 1 ]; then
 	    $IPTABLES -Z
@@ -192,7 +113,7 @@ case "$COMMAND" in
 	    $IPTABLES -t mangle -Z
 	    date > ${VARDIR}/restarted
 	    status=0
-	    progress_message3 "$g_product Counters Reset"
+	    progress_message3 "$PRODUCT Counters Reset"
 	else
 	    shift
 	    status=0
@@ -214,11 +135,10 @@ case "$COMMAND" in
    restart)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    progress_message3 "Restarting $g_product...."
+	    progress_message3 "Restarting $PRODUCT...."
 	else
-	    error_message "$g_product is not running"
-	    progress_message3 "Starting $g_product...."
-	    COMMAND=start
+	    error_message "$PRODUCT is not running"
+	    progress_message3 "Starting $PRODUCT...."
 	fi

 	detect_configuration
@@ -232,13 +152,13 @@ case "$COMMAND" in
    refresh)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    progress_message3 "Refreshing $g_product...."
+	    progress_message3 "Refreshing $PRODUCT...."
 	    detect_configuration
 	    define_firewall
 	    status=$?
 	    progress_message3 "done."
 	else
-	    echo "$g_product is not running" >&2
+	    echo "$PRODUCT is not running" >&2
 	    status=2
 	fi
 	;;
@@ -253,30 +173,28 @@ case "$COMMAND" in
 	;;
    clear)
 	[ $# -ne 1 ] && usage 2
-	progress_message3 "Clearing $g_product...."
+	progress_message3 "Clearing $PRODUCT...."
 	clear_firewall
 	status=0
-	if [ -n "$SUBSYSLOCK" ]; then
-	    rm -f $SUBSYSLOCK
-	fi
+	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	progress_message3 "done."
 	;;
    status)
 	[ $# -ne 1 ] && usage 2
-	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
+	echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)"
 	echo
 	if shorewall_is_started; then
-	    echo "$g_product is running"
+	    echo "$PRODUCT is running"
 	    status=0
 	else
-	    echo "$g_product is stopped"
+	    echo "$PRODUCT is stopped"
 	    status=4
 	fi

 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|lClear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -286,16 +204,9 @@ case "$COMMAND" in
 	echo "State:$state"
 	echo
 	;;
-    up|down)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	updown $@
-	status=0;
-	;;
    version)
 	[ $# -ne 1 ] && usage 2
-	echo $SHOREWALL_VERSION
+	echo $VERSION
 	status=0
 	;;
    help)
--- a/Shorewall/Perl/prog.footer6
+++ b/Shorewall/Perl/prog.footer6
@@ -5,16 +5,7 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
-    echo
-    echo "Options are:"
-    echo
-    echo "   -v and -q        Standard Shorewall verbosity controls"
-    echo "   -n               Don't unpdate routing configuration"
-    echo "   -p               Purge Conntrack Table"
-    echo "   -t               Timestamp progress Messages"
-    echo "   -V <verbosity>   Set verbosity explicitly"
-    echo "   -R <file>        Override RESTOREFILE setting"
+    echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
    exit $1
 }
 ################################################################################
@@ -32,17 +23,6 @@ if [ $# -gt 1 ]; then
 	shift
    fi
 fi
-#
-# Map VERBOSE to VERBOSITY for compatibility with old Shorewall6-lite installations
-#
-[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
-#
-# Map other old exported variables
-#
-g_purge=$PURGE
-g_noroutes=$NOROUTES
-g_timestamp=$TIMESTAMP
-g_recovering=$RECOVERING

 initialize

@@ -71,77 +51,19 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    v*)
-			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
+			VERBOSE=$(($VERBOSE + 1 ))
 			option=${option#v}
 			;;
 		    q*)
-			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
+			VERBOSE=$(($VERBOSE - 1 ))
 			option=${option#q}
 			;;
 		    n*)
-			g_noroutes=Yes
+			NOROUTES=Yes
 			option=${option#n}
 			;;
-		    t*)
-			g_timestamp=Yes
-			option=${option#t}
-			;;
-		    p*)
-			g_purge=Yes
-			option=${option#p}
-			;;
-		    r*)
-			g_recovering=Yes
-			option=${option#r}
-			;;
-		    V*)
-			option=${option#V}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				-1|0|1|2)
-				    VERBOSITY=$option
-				    option=
-				    ;;
 		    *)
-				    startup_error "Invalid -V option value ($option)"
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -V option value"
-			fi
-			;;
-		    R*)
-			option=${option#R}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				*/*)
-	    			    startup_error "-R must specify a simple file name: $option"
-				    ;;
-				.safe|.try|NONE)
-				    ;;
-				.*)
-				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
-				    exit 2
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -R option value"
-			fi
-
-			RESTOREFILE=$option
-			option=
+			usage 1
 			;;
 		esac
 	    done
@@ -155,19 +77,21 @@ done

 COMMAND="$1"

-kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+[ -n "${PRODUCT:=Shorewall6}" ]
+
+kernel=$(printf "%2d%02d%02d\n" $(echo $(uname -r) 2> /dev/null | sed 's/-.*//' | tr '.' ' ' ) | head -n1)
 if [ $kernel -lt 20624 ]; then
-    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+    error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later"
    status=2
 else
    case "$COMMAND" in
 	start)
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
-		error_message "$g_product is already Running"
+		error_message "$PRODUCT is already Running"
 		status=0
 	    else
-		progress_message3 "Starting $g_product...."
+		progress_message3 "Starting $PRODUCT...."
 		detect_configuration
 		define_firewall
 		status=$?
@@ -177,7 +101,7 @@ else
 	    ;;
 	stop)
 	    [ $# -ne 1 ] && usage 2
-	    progress_message3 "Stopping $g_product...."
+	    progress_message3 "Stopping $PRODUCT...."
 	    detect_configuration
 	    stop_firewall
 	    status=0
@@ -186,14 +110,14 @@ else
 	    ;;
 	reset)
 	    if ! shorewall6_is_started ; then
-		error_message "$g_product is not running"
+		error_message "$PRODUCT is not running"
 		status=2
 	    elif [ $# -eq 1 ]; then
 		$IP6TABLES -Z
 		$IP6TABLES -t mangle -Z
 		date > ${VARDIR}/restarted
 		status=0
-		progress_message3 "$g_product Counters Reset"
+		progress_message3 "$PRODUCT Counters Reset"
 	    else
 		shift
 		status=0
@@ -215,11 +139,10 @@ else
 	restart)
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
-		progress_message3 "Restarting $g_product...."
+		progress_message3 "Restarting $PRODUCT...."
 	    else
-		error_message "$g_product is not running"
-		progress_message3 "Starting $g_product...."
-		COMMAND=start
+		error_message "$PRODUCT is not running"
+		progress_message3 "Starting $PRODUCT...."
 	    fi

 	    detect_configuration
@@ -233,13 +156,13 @@ else
 	refresh)
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
-		progress_message3 "Refreshing $g_product...."
+		progress_message3 "Refreshing $PRODUCT...."
 		detect_configuration
 		define_firewall
 		status=$?
 		progress_message3 "done."
 	    else
-		echo "$g_product is not running" >&2
+		echo "$PRODUCT is not running" >&2
 		status=2
 	    fi
 	    ;;
@@ -254,23 +177,21 @@ else
 	    ;;
 	clear)
 	    [ $# -ne 1 ] && usage 2
-	    progress_message3 "Clearing $g_product...."
+	    progress_message3 "Clearing $PRODUCT...."
 	    clear_firewall
 	    status=0
-	    if [ -n "$SUBSYSLOCK" ]; then
-		rm -f $SUBSYSLOCK
-	    fi
+	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
 	    ;;
 	status)
 	    [ $# -ne 1 ] && usage 2
-	    echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
+	    echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)"
 	    echo
 	    if shorewall6_is_started; then
-		echo "$g_product is running"
+		echo "$PRODUCT is running"
 		status=0
 	    else
-		echo "$g_product is stopped"
+		echo "$PRODUCT is stopped"
 		status=4
 	    fi

@@ -287,16 +208,9 @@ else
 	    echo "State:$state"
 	    echo
 	    ;;
-	up|down)
-	    [ $# -eq 1 ] && exit 0
-	    shift
-	    [ $# -ne 1 ] && usage 2
-	    updown $1
-	    status=0
-	    ;;
 	version)
 	    [ $# -ne 1 ] && usage 2
-	    echo $SHOREWALL_VERSION
+	    echo $VERSION
 	    status=0
 	    ;;
 	help)
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -1,18 +1,11 @@
-#!/bin/sh
-#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
 #	    -n				  Don't alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
-#           -t                            Timestamp progress messages
-#           -p                            Purge conntrack table
-#           -r                            Recover from failed start/restart
-#           -V <verbosity>                Set verbosity level explicitly
-#           -R <restore>                  Overrides RESTOREFILE setting
 #
 #	Commands are:
 #
@@ -29,6 +22,14 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header
 ################################################################################
+#
+# Message to stderr
+#
+error_message() # $* = Error Message
+{
+   echo "   $@" >&2
+}
+
 #
 # Conditionally produce message
 #
@@ -37,12 +38,12 @@ progress_message() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -gt 1 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi

-    if [ $LOG_VERBOSITY -gt 1 ]; then
+    if [ $LOG_VERBOSE -gt 1 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
@@ -53,12 +54,12 @@ progress_message2() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -gt 0 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi

-    if [ $LOG_VERBOSITY -gt 0 ]; then
+    if [ $LOG_VERBOSE -gt 0 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
@@ -69,17 +70,93 @@ progress_message3() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -ge 0 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi

-    if [ $LOG_VERBOSITY -ge 0 ]; then
+    if [ $LOG_VERBOSE -ge 0 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
 }

+#
+# Split a colon-separated list into a space-separated list
+#
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    echo $*
+    IFS=$ifs
+}
+
+#
+# Search a list looking for a match -- returns zero if a match found
+# 1 otherwise
+#
+list_search() # $1 = element to search for , $2-$n = list
+{
+    local e
+    e=$1
+
+    while [ $# -gt 1 ]; do
+	shift
+	[ "x$e" = "x$1" ] && return 0
+    done
+
+    return 1
+}
+
+#
+# Suppress all output for a command
+#
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+qt1()
+{
+    local status
+
+    while [ 1 ]; do
+	"$@" >/dev/null 2>&1
+	status=$?
+	[ $status -ne 4 ] && return $status
+    done
+}
+
+#
+# Determine if Shorewall is "running"
+#
+shorewall_is_started() {
+    qt1 $IPTABLES -L shorewall -n
+}
+
+#
+# Echos the fully-qualified name of the calling shell program
+#
+my_pathname() {
+    cd $(dirname $0)
+    echo $PWD/$(basename $0)
+}
+
+#
+# Source a user exit file if it exists
+#
+run_user_exit() # $1 = file name
+{
+    local user_exit
+    user_exit=$(find_file $1)
+
+    if [ -f $user_exit ]; then
+	progress_message "Processing $user_exit ..."
+	. $user_exit
+    fi
+}
+
 #
 # Set a standard chain's policy
 #
@@ -89,17 +166,272 @@ setpolicy() # $1 = name of chain, $2 = policy
 }

 #
-# Generate a list of all network interfaces on the system
+# Set a standard chain to enable established and related connections
 #
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+setcontinue() # $1 = name of chain
+{
+    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
 }

 #
-# Generate a list of all network interfaces on the system that have an ipv4 address
+# Flush one of the NAT table chains
 #
-find_all_interfaces1() {
-    ${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+flushnat() # $1 = name of chain
+{
+    run_iptables -t nat -F $1
+}
+
+#
+# Flush one of the Mangle table chains
+#
+flushmangle() # $1 = name of chain
+{
+    run_iptables -t mangle -F $1
+}
+
+#
+# Flush and delete all user-defined chains in the filter table
+#
+deleteallchains() {
+    run_iptables -F
+    run_iptables -X
+}
+
+#
+# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
+#                         a space-separated list of directories to search for
+#                         the module and that 'moduleloader' contains the
+#                         module loader command.
+#
+loadmodule() # $1 = module name, $2 - * arguments
+{
+    local modulename
+    modulename=$1
+    local modulefile
+    local suffix
+
+    if ! list_search $modulename $DONT_LOAD $MODULES; then
+	shift
+
+	for suffix in $MODULE_SUFFIX ; do
+	    for directory in $moduledirectories; do
+		modulefile=$directory/${modulename}.${suffix}
+
+		if [ -f $modulefile ]; then
+		    case $moduleloader in
+			insmod)
+			    insmod $modulefile $*
+			    ;;
+			*)
+			    modprobe $modulename $*
+			    ;;
+		    esac
+		    break 2
+		fi
+	    done
+	done
+    fi
+}
+
+#
+# Reload the Modules
+#
+reload_kernel_modules() {
+
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+    local uname
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && \
+	uname=$(uname -r) && \
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+
+    MODULES=$(lsmod | cut -d ' ' -f1)
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    [ -n "$moduledirectories" ] && while read command; do
+	eval $command
+    done
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+# Load kernel modules required for Shorewall
+#
+load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
+{
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+    local savemoduleinfo
+    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
+    local uname
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && \
+	uname=$(uname -r) && \
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    modules=$(find_file modules)
+
+    if [ -f $modules -a -n "$moduledirectories" ]; then
+	MODULES=$(lsmod | cut -d ' ' -f1)
+	progress_message "Loading Modules..."
+	. $modules
+	if [ $savemoduleinfo = Yes ]; then
+	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
+	    cp -f $modules ${VARDIR}/.modules
+	fi
+    elif [ $savemoduleinfo = Yes ]; then
+	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	> ${VARDIR}/.modulesdir
+	> ${VARDIR}/.modules
+    fi
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+#  Note: The following set of IP address manipulation functions have anomalous
+#        behavior when the shell only supports 32-bit signed arithmetic and
+#        the IP address is 128.0.0.0 or 128.0.0.1.
+#
+
+LEFTSHIFT='<<'
+
+#
+# Convert an IP address in dot quad format to an integer
+#
+decodeaddr() {
+    local x
+    local temp
+    temp=0
+    local ifs
+    ifs=$IFS
+
+    IFS=.
+
+    for x in $1; do
+	temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
+    done
+
+    echo $temp
+
+    IFS=$ifs
+}
+
+#
+# convert an integer to dot quad format
+#
+encodeaddr() {
+    addr=$1
+    local x
+    local y
+    y=$(($addr & 255))
+
+    for x in 1 2 3 ; do
+	addr=$(($addr >> 8))
+	y=$(($addr & 255)).$y
+    done
+
+    echo $y
+}
+
+#
+# Netmask from CIDR
+#
+ip_netmask() {
+    local vlsm
+    vlsm=${1#*/}
+
+    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
+}
+
+#
+# Network address from CIDR
+#
+ip_network() {
+    local decodedaddr
+    decodedaddr=$(decodeaddr ${1%/*})
+    local netmask
+    netmask=$(ip_netmask $1)
+
+    echo $(encodeaddr $(($decodedaddr & $netmask)))
+}
+
+#
+# The following hack is supplied to compensate for the fact that many of
+# the popular light-weight Bourne shell derivatives don't support XOR ("^").
+#
+ip_broadcast() {
+    local x
+    x=$(( 32 - ${1#*/} ))
+
+    [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
+}
+
+#
+# Calculate broadcast address from CIDR
+#
+broadcastaddress() {
+    local decodedaddr
+    decodedaddr=$(decodeaddr ${1%/*})
+    local netmask
+    netmask=$(ip_netmask $1)
+    local broadcast
+    broadcast=$(ip_broadcast $1)
+
+    echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
+}
+
+#
+# Test for network membership
+#
+in_network() # $1 = IP address, $2 = CIDR network
+{
+    local netmask
+    netmask=$(ip_netmask $2)
+    #
+    # Use string comparison to work around a broken BusyBox ash in OpenWRT
+    #
+    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
+}
+
+#
+# Query NetFilter about the existence of a filter chain
+#
+chain_exists() # $1 = chain name
+{
+    qt1 $IPTABLES -L $1 -n
 }

 #
@@ -202,6 +534,32 @@ find_interface_by_address() {
    [ -n "$dev" ] && echo $dev
 }

+#
+# Find the interface with the passed MAC address
+#
+
+find_interface_by_mac() {
+    local mac
+    mac=$1
+    local first
+    local second
+    local rest
+    local dev
+
+    $IP link list | while read first second rest; do
+	case $first in
+	    *:)
+                dev=$second
+		;;
+	    *)
+	        if [ "$second" = $mac ]; then
+		    echo ${dev%:}
+		    return
+		fi
+	esac
+    done
+}
+
 #
 # Determine if Interface is up
 #
@@ -209,12 +567,45 @@ interface_is_up() {
    [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }

+#
+# Find interface address--returns the first IP address assigned to the passed
+# device
+#
+find_first_interface_address() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+    #
+    # If there wasn't one, bail out now
+    #
+    [ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+}
+
+find_first_interface_address_if_any() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
+}
+
 #
 # Determine if interface is usable from a Netfilter prespective
 #
 interface_is_usable() # $1 = interface
 {
-    [ "$1" = lo ] && return 0
    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1
 }

@@ -267,6 +658,71 @@ get_interface_bcasts() # $1 = interface
    $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }

+#
+# Internal version of 'which'
+#
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+#
+# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
+#
+find_file()
+{
+    local saveifs
+    saveifs=
+    local directory
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	*)
+	    for directory in $(split $CONFIG_PATH); do
+		if [ -f $directory/$1 ]; then
+		    echo $directory/$1
+		    return
+		fi
+	    done
+
+	    echo ${CONFDIR}/$1
+	    ;;
+    esac
+}
+
+#
+# Set the Shorewall state
+#
+set_state () # $1 = state
+{
+    echo "$1 ($(date))" > ${VARDIR}/state
+}
+
+#
+# Perform variable substitution on the passed argument and echo the result
+#
+expand() # $@ = contents of variable which may be the name of another variable
+{
+    eval echo \"$@\"
+}
+
+#
+# Function for including one file into another
+#
+INCLUDE() {
+    . $(find_file $(expand $@))
+}
+
 #
 # Delete IP address
 #
@@ -419,6 +875,16 @@ disable_ipv6() {
    fi
 }

+# Function to truncate a string -- It uses 'cut -b -<n>'
+# rather than ${v:first:last} because light-weight shells like ash and
+# dash do not support that form of expansion.
+#
+
+truncate() # $1 = length
+{
+    cut -b -${1}
+}
+
 #
 # Clear the current traffic shaping configuration
 #
@@ -484,7 +950,7 @@ get_device_mtu1() # $1 = device
 #
 undo_routing() {

-    if [ -z "$g_noroutes"  ]; then
+    if [ -z "$NOROUTES"  ]; then
 	#
 	# Restore rt_tables database
 	#
@@ -508,12 +974,11 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
-    local result
-    
-    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
+    if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
+	local result
 	result=1

 	while read route ; do
@@ -552,6 +1017,25 @@ restore_default_route() {
    return $result
 }

+#
+# Determine how to do "echo -e"
+#
+
+find_echo() {
+    local result
+
+    result=$(echo "a\tb")
+    [ ${#result} -eq 3 ] && { echo echo; return; }
+
+    result=$(echo -e "a\tb")
+    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
+
+    result=$(mywhich echo)
+    [ -n "$result" ] && { echo "$result -e"; return; }
+
+    echo echo
+}
+
 #
 # Determine the MAC address of the passed IP through the passed interface
 #
@@ -574,11 +1058,11 @@ find_mac() # $1 = IP address, $2 = interface
 }

 #
-# Flush the conntrack table if $g_purge is non-empty
+# Flush the conntrack table if $PURGE is non-empty
 #
 conditionally_flush_conntrack() {

-    if [ -n "$g_purge" ]; then
+    if [ -n "$PURGE" ]; then
 	if [ -n $(mywhich conntrack) ]; then
            conntrack -F
 	else
@@ -594,13 +1078,13 @@ delete_proxyarp() {
    if [ -f ${VARDIR}/proxyarp ]; then
 	while read address interface external haveroute; do
 	    qt arp -i $external -d $address pub
-	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address dev $interface
+	    [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
+    fi

    rm -f ${VARDIR}/proxyarp
-    fi
 }

 #
@@ -614,12 +1098,11 @@ clear_firewall() {
    setpolicy OUTPUT ACCEPT

    run_iptables -F
-    qt $IPTABLES -t raw -F

    echo 1 > /proc/sys/net/ipv4/ip_forward

    if [ -n "$DISABLE_IPV6" ]; then
-	if [ -x $IP6TABLES ]; then
+	if [ -x $IPTABLES ]; then
    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
 	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
 	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
@@ -630,7 +1113,7 @@ clear_firewall() {

    set_state "Cleared"

-    logger -p kern.info "$g_product Cleared"
+    logger -p kern.info "$PRODUCT Cleared"
 }

 #
@@ -640,7 +1123,7 @@ fatal_error()
 {
    echo "   ERROR: $@" >&2

-    if [ $LOG_VERBOSITY -ge 0 ]; then
+    if [ $LOG_VERBOSE -gt 1 ]; then
        timestamp="$(date +'%_b %d %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi
@@ -656,36 +1139,30 @@ fatal_error()
 startup_error() # $* = Error Message
 {
    echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
    case $COMMAND in
        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
 	    ;;
    esac

-    if [ $LOG_VERBOSITY -ge 0 ]; then
+    if [ $LOG_VERBOSE -gt 1 ]; then
        timestamp="$(date +'%_b %d %T') "

 	case $COMMAND in
 	    start)
-		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
+		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	    restart)
-		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
+		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	    restore)
-		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
+		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	esac
    fi
@@ -751,6 +1228,34 @@ run_tc() {
    fi
 }

+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
 #
 # Get a list of all configured broadcast addresses on the system
 #
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -1,18 +1,11 @@
-#!/bin/sh
-#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2010- Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
 #	    -n				  Don't alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
-#           -t                            Timestamp progress messages
-#           -p                            Purge conntrack table
-#           -r                            Recover from failed start/restart
-#           -V <verbosity>                Set verbosity level explicitly
-#           -R <restore>                  Overrides RESTOREFILE setting
 #
 #	Commands are:
 #
@@ -29,6 +22,14 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
+#
+# Message to stderr
+#
+error_message() # $* = Error Message
+{
+   echo "   $@" >&2
+}
+
 #
 # Conditionally produce message
 #
@@ -37,12 +38,12 @@ progress_message() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -gt 1 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi

-    if [ $LOG_VERBOSITY -gt 1 ]; then
+    if [ $LOG_VERBOSE -gt 1 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
@@ -53,12 +54,12 @@ progress_message2() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -gt 0 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi

-    if [ $LOG_VERBOSITY -gt 0 ]; then
+    if [ $LOG_VERBOSE -gt 0 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
@@ -69,17 +70,117 @@ progress_message3() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -ge 0 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi

-    if [ $LOG_VERBOSITY -ge 0 ]; then
+    if [ $LOG_VERBOSE -ge 0 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
 }

+#
+# Split a colon-separated list into a space-separated list
+#
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    echo $*
+    IFS=$ifs
+}
+
+#
+# Undo the effect of 'split()'
+#
+join()
+{
+    local f
+    local o
+    o=
+
+    for f in $* ; do
+        o="${o:+$o:}$f"
+    done
+
+    echo $o
+}
+
+#
+# Return the number of elements in a list
+#
+list_count() # $* = list
+{
+    return $#
+}
+
+#
+# Search a list looking for a match -- returns zero if a match found
+# 1 otherwise
+#
+list_search() # $1 = element to search for , $2-$n = list
+{
+    local e
+    e=$1
+
+    while [ $# -gt 1 ]; do
+	shift
+	[ "x$e" = "x$1" ] && return 0
+    done
+
+    return 1
+}
+
+#
+# Suppress all output for a command
+#
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+qt1()
+{
+    local status
+
+    while [ 1 ]; do
+	"$@" >/dev/null 2>&1
+	status=$?
+	[ $status -ne 4 ] && return $status
+    done
+}
+
+#
+# Determine if Shorewall is "running"
+#
+shorewall6_is_started() {
+    qt1 $IP6TABLES -L shorewall -n
+}
+
+#
+# Echos the fully-qualified name of the calling shell program
+#
+my_pathname() {
+    cd $(dirname $0)
+    echo $PWD/$(basename $0)
+}
+
+#
+# Source a user exit file if it exists
+#
+run_user_exit() # $1 = file name
+{
+    local user_exit
+    user_exit=$(find_file $1)
+
+    if [ -f $user_exit ]; then
+	progress_message "Processing $user_exit ..."
+	. $user_exit
+    fi
+}
+
 #
 # Set a standard chain's policy
 #
@@ -89,17 +190,152 @@ setpolicy() # $1 = name of chain, $2 = policy
 }

 #
-# Generate a list of all network interfaces on the system
+# Set a standard chain to enable established and related connections
 #
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+setcontinue() # $1 = name of chain
+{
+    run_iptables -A $1 -m state --state ESTABLISHED,RELATED -j ACCEPT
 }

 #
-# Generate a list of all network interfaces on the system that have an ipv6 address
+# Flush one of the Mangle table chains
 #
-find_all_interfaces1() {
-    ${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+flushmangle() # $1 = name of chain
+{
+    run_iptables -t mangle -F $1
+}
+
+#
+# Flush and delete all user-defined chains in the filter table
+#
+deleteallchains() {
+    run_iptables -F
+    run_iptables -X
+}
+
+#
+# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
+#                         a space-separated list of directories to search for
+#                         the module and that 'moduleloader' contains the
+#                         module loader command.
+#
+loadmodule() # $1 = module name, $2 - * arguments
+{
+    local modulename
+    modulename=$1
+    local modulefile
+    local suffix
+
+    if ! list_search $modulename $DONT_LOAD $MODULES; then
+	shift
+
+	for suffix in $MODULE_SUFFIX ; do
+	    for directory in $moduledirectories; do
+		modulefile=$directory/${modulename}.${suffix}
+
+		if [ -f $modulefile ]; then
+		    case $moduleloader in
+			insmod)
+			    insmod $modulefile $*
+			    ;;
+			*)
+			    modprobe $modulename $*
+			    ;;
+		    esac
+		    break 2
+		fi
+	    done
+	done
+    fi
+}
+
+#
+# Reload the Modules
+#
+reload_kernel_modules() {
+
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+    MODULES=$(lsmod | cut -d ' ' -f1)
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    [ -n "$moduledirectories" ] && while read command; do
+	eval $command
+    done
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+# Load kernel modules required for Shorewall6
+#
+load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
+{
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+    local savemoduleinfo
+    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && \
+	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    modules=$(find_file modules)
+
+    if [ -f $modules -a -n "$moduledirectories" ]; then
+	MODULES=$(lsmod | cut -d ' ' -f1)
+	progress_message "Loading Modules..."
+	. $modules
+	if [ $savemoduleinfo = Yes ]; then
+	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
+	    cp -f $modules ${VARDIR}/.modules
+	fi
+    elif [ $savemoduleinfo = Yes ]; then
+	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	> ${VARDIR}/.modulesdir
+	> ${VARDIR}/.modules
+    fi
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+# Query NetFilter about the existence of a filter chain
+#
+chain_exists() # $1 = chain name
+{
+    qt1 $IP6TABLES -L $1 -n
 }

 #
@@ -164,11 +400,71 @@ find_default_interface() {
    done
 }

+#
+# Find the interface with the passed MAC address
+#
+
+find_interface_by_mac() {
+    local mac
+    mac=$1
+    local first
+    local second
+    local rest
+    local dev
+
+    $IP link list | while read first second rest; do
+	case $first in
+	    *:)
+                dev=$second
+		;;
+	    *)
+	        if [ "$second" = $mac ]; then
+		    echo ${dev%:}
+		    return
+		fi
+	esac
+    done
+}
+
 #
 # Determine if Interface is up
 #
 interface_is_up() {
-    [ -n "$($IP -6 link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
+    [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
+}
+
+#
+# Find interface address--returns the first IP address assigned to the passed
+# device
+#
+find_first_interface_address() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
+    #
+    # If there wasn't one, bail out now
+    #
+    [ -n "$addr" ] || startup_error "Can't determine the IPv6 address of $1"
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+}
+
+find_first_interface_address_if_any() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    [ -n "$addr" ] && echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' || echo ::
 }

 #
@@ -176,7 +472,6 @@ interface_is_up() {
 #
 interface_is_usable() # $1 = interface
 {
-    [ "$1" = lo ] && return 0
    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
 }

@@ -386,6 +681,71 @@ get_all_acasts()
    find_interface_full_addresses | convert_to_anycast | sort -u
 }

+#
+# Internal version of 'which'
+#
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+#
+# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
+#
+find_file()
+{
+    local saveifs
+    saveifs=
+    local directory
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	*)
+	    for directory in $(split $CONFIG_PATH); do
+		if [ -f $directory/$1 ]; then
+		    echo $directory/$1
+		    return
+		fi
+	    done
+
+	    echo ${CONFDIR}/$1
+	    ;;
+    esac
+}
+
+#
+# Set the Shorewall state
+#
+set_state () # $1 = state
+{
+    echo "$1 ($(date))" > ${VARDIR}/state
+}
+
+#
+# Perform variable substitution on the passed argument and echo the result
+#
+expand() # $@ = contents of variable which may be the name of another variable
+{
+    eval echo \"$@\"
+}
+
+#
+# Function for including one file into another
+#
+INCLUDE() {
+    . $(find_file $(expand $@))
+}
+
 #
 # Detect the gateway through an interface
 #
@@ -411,6 +771,20 @@ detect_gateway() # $1 = interface
    [ -n "$gateway" ] && echo $gateway
 }

+# Function to truncate a string -- It uses 'cut -b -<n>'
+# rather than ${v:first:last} because light-weight shells like ash and
+# dash do not support that form of expansion.
+#
+
+truncate() # $1 = length
+{
+    cut -b -${1}
+}
+
+#
+# Clear the current traffic shaping configuration
+#
+
 delete_tc1()
 {
    clear_one_tc() {
@@ -472,7 +846,7 @@ get_device_mtu1() # $1 = device
 #
 undo_routing() {

-    if [ -z "$g_noroutes"  ]; then
+    if [ -z "$NOROUTES"  ]; then
 	#
 	# Restore rt_tables database
 	#
@@ -496,12 +870,11 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
-    local result
-    
-    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
+    if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
+	local result
 	result=1

 	while read route ; do
@@ -560,11 +933,11 @@ find_echo() {
 }

 #
-# Flush the conntrack table if $g_purge is non-empty
+# Flush the conntrack table if $PURGE is non-empty
 #
 conditionally_flush_conntrack() {

-    if [ -n "$g_purge" ]; then
+    if [ -n "$PURGE" ]; then
 	if [ -n $(which conntrack) ]; then
            conntrack -F
 	else
@@ -584,7 +957,6 @@ clear_firewall() {
    setpolicy OUTPUT ACCEPT

    run_iptables -F
-    qt $IP6TABLES -t raw -F

    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

@@ -592,7 +964,7 @@ clear_firewall() {

    set_state "Cleared"

-    logger -p kern.info "$g_product Cleared"
+    logger -p kern.info "$PRODUCT Cleared"
 }

 #
@@ -602,7 +974,7 @@ fatal_error()
 {
    echo "   ERROR: $@" >&2

-    if [ $LOG_VERBOSITY -gt 1 ]; then
+    if [ $LOG_VERBOSE -gt 1 ]; then
        timestamp="$(date +'%_b %d %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi
@@ -618,36 +990,30 @@ fatal_error()
 startup_error() # $* = Error Message
 {
    echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
    case $COMMAND in
        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
 	    ;;
    esac

-    if [ $LOG_VERBOSITY -gt 1 ]; then
+    if [ $LOG_VERBOSE -gt 1 ]; then
        timestamp="$(date +'%_b %d %T') "

 	case $COMMAND in
 	    start)
-		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
+		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	    restart)
-		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
+		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	    restore)
-		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
+		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	esac
    fi
@@ -713,6 +1079,34 @@ run_tc() {
    fi
 }

+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
 #
 # Run the .iptables_restore_input as a set of discrete iptables commands
 #
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,292 +1,23 @@
-Changes in Shorewall 4.4.13.2
+Changes in Shorewall 4.4.4.3

-1) Fix Debian -lite init scripts.
+1)  Fix DONT_LOAD vs 'reload -c'

-2) Clamp VERBOSITY to valid range.
+Changes in Shorewall 4.4.4.2

-Changes in Shorewall 4.4.13.1
+1)  Disallow port 0

-1)  Make log messages uniform.
+2)  Improve IPv6 address validation and range checking.

-2)  Fix blacklisting in simple configurations.
+3)  Correct Shorewall6 capabilities detection.

-Changes in Shorewall 4.4.13
+4)  Correct handling of DNS names in IPv6.

-1)  Allow zone lists in rules SOURCE and DEST.
+Changes in Shorewall 4.4.4.1

-2)  Fix exclusion in the blacklist file.
-
-3)  Correct several old exclusion bugs.
-
-4)  Fix exclusion with CONTINUE/NONAT/ACCEPT+
-
-5)  Re-implement optional interface handling.
-
-6)  Add secmark config file.
-
-7)  Split in and out blacklisting.
-
-8)  Correct handling of [{src|dst},...] in ipset invocation
-
-9)  Correct SAME.
-
-10) TC Enhancements:
-
-    <burst> in IN-BANDWIDTH columns.
-    OUT-BANDWIDTH column in tcinterfaces.
-
-11) Create dynamic zone ipsets on 'start'.
-
-12) Remove new blacklisting implementation.
-
-13) Implement an alternative blacklisting scheme.
-
-14) Use '-m state' for UNTRACKED.
-
-15) Clear raw table on 'clear'
-
-16) Correct port-range check in tcfilters.
-
-17) Disallow '*' in interface names.
-
-Changes in Shorewall 4.4.12
-
-1)  Fix IPv6 shorecap program.
-
-2)  Eradicate incorrect IPv6 Multicast Network
-
-3)  Add ADD/DEL support.
-
-4)  Allow :random to work with REDIRECT
-
-5)  Add per-ip log rate limiting.
-
-6)  Use new hashlimit match syntax if available.
-
-7)  Add Universal sample.
-
-8)  Add COMPLETE option.
-
-9)  Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
-
-10) Support new set match syntax.
-
-11) Blacklisting by DEST IP.
-
-12) Fix duplicate rule generation with 'any'.
-
-13) Fix port range editing problem.
-
-14) Display the .conf file directory in response to the status command.
-
-15)  Correct AUTOMAKE
-
-Changes in Shorewall 4.4.11
-
-1)  Apply patch from Gabriel.
-
-2)  Fix IPSET match detection when a pathname is specified for IPSET.
-
-3)  Fix start priority of shorewall-init on Debian
-
-4)  Make IPv6 log and connections output readable.
-
-5)  Add REQUIRE_INTERFACE to shorewall*.conf
-
-6)  Avoid run-time warnings when options are not listed in
-    shorewall.conf.
-
-7)  Implement Vserver zones.
-
-8)  Make find_hosts_by_option() work correctly where ALL_IP appears in
-    hosts file.
-
-9)  Add CLEAR_FORWARD_MARK option.
-
-10) Avoid missing closing quote when REQUIRE_INTERFACE=Yes.
-
-11) Add PERL option.
-
-12) Fix nets= in Shorewall6
-
-Changes in Shorewall 4.4.10
-
-1)  Fix regression with scripts.
-
-2)  Log startup errors.
-
-3)  Implement Shorewall-init.
-
-4)  Add SAFESTOP option to /etc/default/shorewall*
-
-5)  Restore -a functionality to the version command.
-
-6)  Correct Optimization issue
-
-7)  Rename PREFIX to DESTDIR in install scripts
-
-8)  Correct handling of optional/required interfaces with wildcard names.
-
-Changes in Shorewall 4.4.9
-
-1)  Auto-detection of bridges.
-
-2)  Correct handling of a logical interface name in the EXTERNAL column
-    of proxyarp.
-
-3)  More robust 'trace'.
-
-4)  Added IPv6 mDNS macro.
-
-5)  Fix find_first_interface_address() error reporting.
-
-6)  Fix propagation of zero-valued config variables.
-
-7)  Fix OPTIMIZE 4 bug.
-
-8)  Deallocate unused rules.
-
-9)  Keep rule arrays compressed during optimization.
-
-10) Remove remaining fallback scripts.
-
-11) Rationalize startup logs.
-
-12) Optimize 8.
-
-13) Don't create output chains for BPORT zones.
-
-14) Implement 'show log ip-addr' in /sbin/shorewall and
-    /sbin/shorewall-lite/
-
-15) Restore lone ACCEPT rule to the OUTPUT chain under OPTIMIZE 2.
-
-16) Change chain policy on OUTPUT chain with lone ACCEPT rule.
-
-17) Set IP before sourcing the params file.
-
-18) Fix rare optimization bug.
-
-19) Allow definition of an addressless bridge without a zone.
-
-20) In the routestopped file, assume 'routeback' if the interface has
-    'routeback'.
-
-21) Make Shorewall and Shorewall6 installable on OS X.
-
-Changes in Shorewall 4.4.8
-
-1)  Correct handling of RATE LIMIT on NAT rules.
-
-2)  Don't create a logging chain for rules with '-j RETURN'.
-
-3)  Avoid duplicate SFQ class numbers.
-
-4)  Fix low per-IP rate limits.
-
-5)  Fix Debian init script exit status
-
-6)  Fix NFQUEUE(queue-num) in policy
-
-7)  Implement -s option in install.sh
-
-8)  Add HKP Macro
-
-9)  Fix multiple policy matches with OPTIMIZE 4 and not KLUDGEFREE
-
-10) Eliminate up-cased variable names that aren't documented options.
-
-11) Don't show 'OLD' capabilities if they are not available.
-
-12) Attempt to flag use of '-' as a port-range separator.
-
-13) Add undocumented OPTIMIZE=-1 setting.
-
-14) Replace OPTIMIZE=-1 with undocumented optimize 4096 which DISABLES
-    default optimizations.
-
-15) Add support for UDPLITE
-
-16) Distinguish between 'Started' and 'Restored' in ${VARDIR}/state
-
-17) Issue warnings when 'blacklist' but no blacklist file entries.
-
-18) Don't optimize 'blacklst'.
-
-Changes in Shorewall 4.4.7
-
-1)  Backport optimization changes from 4.5.
-
-2)  Backport two new options from 4.5.
-
-3)  Backport TPROXY from 4.5
-
-4)  Add TC_PRIOMAP to shorewall*.conf
-
-5)  Implement LOAD_HELPERS_ONLY
-
-6)  Avoid excessive module loading with LOAD_HELPERS_ONLY=Yes
-
-7)  Fix case where MARK target is unavailable.
-
-8)  Change default to ADD_IP_ALIASES=No
-
-9)  Correct defects in generate_matrix().
-
-10) Fix and optimize 'nosmurfs'.
-
-11) Use 'OLD_HL_MATCH' to suppress use of 'flow' in Simple TC.
-
-Changes in Shorewall 4.4.6
-
-1)  Fix for rp_filter and kernel 2.6.31.
-
-2)  Add a hack to work around a bug in Lenny + xtables-addons
-
-3)  Re-enable SAVE_IPSETS
-
-4)  Allow both <...> and [...] for IPv6 Addresses.
-
-5)  Port mark geometry change from 4.5.
-
-6)  Add Macro patch from Tuomo Soini
-
-7)  Add 'show macro' command.
-
-8)  Add -r option to check.
-
-9)  Port simplified TC from 4.5.
-
-Changes in Shorewall 4.4.5
-
-1)  Fix 15-port limit removal change.
+1)  Fix 15-port change.

 2)  Fix handling of interfaces with the 'bridge' option.

-3)  Generate error for port number 0
-
-4)  Allow zone::serverport in rules DEST column.
-
-5)  Fix 'show policies' in Shorewall6.
-
-6)  Auto-load tc modules.
-
-7)  Allow LOGFILE=/dev/null
-
-8)  Fix shorewall6-lite/shorecap
-
-9) Fix MODULE_SUFFIX.
-
-10) Fix ENHANCED_REJECT detection for IPv4.
-
-11) Fix DONT_LOAD vs 'reload -c'
-
-12) Fix handling of SOURCE and DEST vs macros.
-
-13) Remove silly logic in expand_rule().
-
-14) Add current and limit to Conntrack Table Heading.
-
 Changes in Shorewall 4.4.4

 1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
--- a/Shorewall/configfiles/accounting
+++ b/Shorewall/configfiles/accounting
@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-#####################################################################################################
-#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC
+#####################################################################################
+#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK
 #							PORT(S)		PORT(S)	GROUP
--- a/Shorewall/configfiles/blacklist
+++ b/Shorewall/configfiles/blacklist
@@ -7,5 +7,4 @@
 # information.
 #
 ###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS
-
+#ADDRESS/SUBNET		PROTOCOL	PORT
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -7,5 +7,5 @@
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
 ###############################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
+#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
 #											GROUP
--- a/Shorewall/configfiles/netmap
+++ b/Shorewall/configfiles/netmap
@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#TYPE	NET1			INTERFACE	NET2		NET3
+#TYPE	NET1			INTERFACE	NET2
--- a/Shorewall/configfiles/secmarks
+++ b/Shorewall/configfiles/secmarks
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Secmarks File
-#
-# For information about entries in this file, type "man shorewall-secmarks"
-#
-############################################################################################################
-#SECMARK			CHAIN:	SOURCE		DEST		PROTO	DEST	SOURCE	USER/	MARK
-#				STATE						PORT(S)	PORT(S) GROUP
-
-
-
-
-								
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -1,10 +1,19 @@
 ###############################################################################
+#  /etc/shorewall/shorewall.conf Version 4 - Change the following variables to
+#  match your setup
 #
-#  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
+#  This program is under GPL
+#  [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#  This file should be placed in /etc/shorewall
+#
+#  (c) 1999,2000,2001,2002,2003,2004,2005,
+#      2006,2007,2008 - Tom Eastep (teastep@shorewall.net)
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
-#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
+#  Additional information is available at 
+#  http://www.shorewall.net/Documentation.htm#Conf
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -31,7 +40,9 @@ LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

-LOGLIMIT=
+LOGRATE=
+
+LOGBURST=

 LOGALLNEW=

@@ -57,8 +68,6 @@ TC=

 IPSET=

-PERL=/usr/bin/perl
-
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 SHOREWALL_SHELL=/bin/sh
@@ -98,7 +107,7 @@ RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

 IP_FORWARDING=On

-ADD_IP_ALIASES=No
+ADD_IP_ALIASES=Yes

 ADD_SNAT_ALIASES=No

@@ -108,8 +117,6 @@ TC_ENABLED=Internal

 TC_EXPERT=No

-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-
 CLEAR_TC=Yes

 MARK_IN_FORWARD_CHAIN=No
@@ -128,7 +135,7 @@ BLACKLISTNEWONLY=Yes

 DELAYBLACKLISTLOAD=No

-MODULE_SUFFIX=ko
+MODULE_SUFFIX=

 DISABLE_IPV6=No

@@ -186,20 +193,6 @@ TRACK_PROVIDERS=No

 ZONE2ZONE=2

-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=No
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=Yes
-
-COMPLETE=No
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall/configfiles/tcinterfaces
+++ b/Shorewall/configfiles/tcinterfaces
@@ -1,10 +0,0 @@
-#
-# Shorewall version 4 - Tcinterfaces File
-#
-# For information about entries in this file, type "man shorewall-tcinterfaces"
-#
-# See http://shorewall.net/simple_traffic_shaping.htm for additional
-# information.
-#
-###############################################################################
-#INTERFACE	TYPE		IN-BANDWIDTH
--- a/Shorewall/configfiles/tcpri
+++ b/Shorewall/configfiles/tcpri
@@ -1,13 +0,0 @@
-#
-# Shorewall version 4 - Tcpri File
-#
-# For information about entries in this file, type "man shorewall-tcpri"
-#
-# See http://shorewall.net/simple_traffic_shaping.htm for additional
-# information.
-#
-###############################################################################
-#BAND	PROTO	PORT(S)		ADDRESS		IN-INTERFACE	HELPER
-
-
-
--- a/Shorewall/default.debian
+++ b/Shorewall/default.debian
@@ -26,11 +26,4 @@ OPTIONS=""
 #
 INITLOG=/dev/null

-#
-# Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF
--- a/Shorewall/helpers
+++ b/Shorewall/helpers
@@ -1,63 +0,0 @@
-#
-# Shorewall version 4 - Helpers File
-#
-# /usr/share/shorewall/helpers
-#
-#	This file loads the kernel helper modules.
-#
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
-#
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
-#
-###############################################################################
-
-# Helpers
-#
-loadmodule ip_conntrack_amanda
-loadmodule ip_conntrack_ftp
-loadmodule ip_conntrack_h323
-loadmodule ip_conntrack_irc
-loadmodule ip_conntrack_netbios_ns
-loadmodule ip_conntrack_pptp
-loadmodule ip_conntrack_sip
-loadmodule ip_conntrack_tftp
-loadmodule ip_nat_amanda
-loadmodule ip_nat_ftp
-loadmodule ip_nat_h323
-loadmodule ip_nat_irc
-loadmodule ip_nat_pptp
-loadmodule ip_nat_sip
-loadmodule ip_nat_snmp_basic
-loadmodule ip_nat_tftp
-loadmodule ip_set
-loadmodule ip_set_iphash
-loadmodule ip_set_ipmap
-loadmodule ip_set_macipmap
-loadmodule ip_set_portmap
-#
-# 2.6.20+ helpers
-#
-loadmodule nf_conntrack_ftp
-loadmodule nf_conntrack_h323
-loadmodule nf_conntrack_irc
-loadmodule nf_conntrack_netbios_ns
-loadmodule nf_conntrack_netlink
-loadmodule nf_conntrack_pptp
-loadmodule nf_conntrack_proto_gre
-loadmodule nf_conntrack_proto_sctp
-loadmodule nf_conntrack_sip         sip_direct_media=0
-loadmodule nf_conntrack_tftp
-loadmodule nf_conntrack_sane
-loadmodule nf_nat_amanda
-loadmodule nf_nat_ftp
-loadmodule nf_nat_h323
-loadmodule nf_nat_irc
-loadmodule nf_nat
-loadmodule nf_nat_pptp
-loadmodule nf_nat_proto_gre
-loadmodule nf_nat_sip
-loadmodule nf_nat_snmp_basic
-loadmodule nf_nat_tftp
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -1,8 +1,8 @@
 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          shorewall
-# Required-Start:    $network $remote_fs
-# Required-Stop:     $network $remote_fs
+# Required-Start:    $network
+# Required-Stop:     $network
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -38,7 +38,6 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
  fi

-  exit 1
 }

 not_configured () {
@@ -93,11 +92,7 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
  echo -n "Stopping \"Shorewall firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
  return 0
 }

--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@@ -1,37 +1,45 @@
-1)  On systems running Upstart, shorewall-init cannot reliably start the
-    firewall before interfaces are brought up.
+1)  The change which removed the 15 port limitation on
+    /etc/shorewall/routestopped was incomplete. The result is that if
+    more than 15 ports are listed, an error is generated.

-2)  The date/time formatting in the STARTUP_LOG is not uniform.
+    This problem is corrected in Shorewall 4.4.4.1.

-    Fixed in 4.4.13.1
+2)  If any interfaces have the 'bridge' option specified, compilation
+    fails with the error:

-3)  The blacklisting change in 4.4.13 broke blacklisting in some simple
-    configurations with the effect that blacklisting was not enabled.
+    Undefined subroutine &Shorewall::Rules::match_source_interface called 
+    at /usr/share/shorewall/Shorewall/Rules.pm line 2319.

-    Fixed in 4.4.13.1
+    This problem is corrected in Shorewall 4.4.4.1.

-    The issue may also be worked around is follows.
+3)  The 'show policies' command doesn't work in Shorewall6 and
+    Shorewall6-lite.

-    If you currently have an entry similar to this in
-    /etc/shorewall/interfaces:
+    This problem is corrected in Shorewall 4.4.4.2.

-       #ZONE         INTERFACE BROADCAST        OPTIONS
-       net 	     eth0      detect		blacklist,...
+4)  In some contexts, DNS names are not accepted by Shorewall6.

-    then remove the 'blacklist' option from that entry and change the
-    'net' entry in /etc/shorewall/zones as follows:
+    This problem is corrected in Shorewall 4.4.4.2.
+
+5)  An iptables-restore error can occur if port 0 is specified in some
+    contexts. 
+
+    In Shorewall 4.4.4.2, port 0 is flagged as an error in all
+    contexts.
+
+6)  The Shorewall6-lite shorecap program is including the wrong
+    library. Also, Shorewall6 capabilities detection is determining the
+    presense of the mangle table before it ensures that ip6tables can
+    be located.
+
+    Fixed in Shorewall6 4.4.4.2 and Shorewall6-lite 4.4.4.2.
+
+7)  The command 'shorewall reload -c <host>' ignores the setting of
+    DONT_LOAD, causing unwanted modules to be loaded.
+
+    This defect is corrected in Shorewall 4.4.4.3.

-       #ZONE       TYPE       OPTIONS       IN_OPTIONS
-       net         ipv4       -             blacklist

-4)  The Debian init scripts for Shorewall-lite and Shorewall6-lite
-    contain a syntax error.
 
-    Fixed in 4.4.13.2.

-5)  If the -v or -q option is passed to /sbin/shorewall-lite or
-    /sbin/shorewall6-lite on a command that involves the compiled
-    script, then the command will fail if the effective verbosity is
-    > 2 or < -1.

-    Fixed in 4.4.13.2.
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Shorewall 4.4 -- /usr/share/shorewall/lib.base
+# Shorewall 4.2 -- /usr/share/shorewall/lib.base
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -24,17 +24,26 @@
 # This library contains the code common to all Shorewall components.
 #
 # - It is loaded by /sbin/shorewall.
+# - It is loaded by /usr/share/shorewall/firewall.
 # - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
 #   and /usr/share/shorewall-lite/shorecap.
 #

-SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40413
+SHOREWALL_LIBVERSION=40000
+SHOREWALL_CAPVERSION=40402

 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
 [ -n "${CONFDIR:=/etc/shorewall}" ]

+#
+# Message to stderr
+#
+error_message() # $* = Error Message
+{
+   echo "   $@" >&2
+}
+
 #
 # Conditionally produce message
 #
@@ -43,8 +52,8 @@ progress_message() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -gt 1 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
@@ -54,8 +63,8 @@ progress_message2() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -gt 0 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
@@ -65,12 +74,40 @@ progress_message3() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSE -ge 0 ]; then
+	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }

+#
+# Split a colon-separated list into a space-separated list
+#
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    echo $*
+    IFS=$ifs
+}
+
+#
+# Search a list looking for a match -- returns zero if a match found
+# 1 otherwise
+#
+list_search() # $1 = element to search for , $2-$n = list
+{
+    local e
+    e=$1
+
+    while [ $# -gt 1 ]; do
+	shift
+	[ "x$e" = "x$1" ] && return 0
+    done
+
+    return 1
+}
+
 #
 # Undo the effect of 'separate_list()'
 #
@@ -87,6 +124,167 @@ combine_list()
    echo $o
 }

+#
+# Suppress all output for a command
+#
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+#
+# Determine if Shorewall is "running"
+#
+shorewall_is_started() {
+    qt $IPTABLES -L shorewall -n
+}
+
+#
+# Echos the fully-qualified name of the calling shell program
+#
+my_pathname() {
+    cd $(dirname $0)
+    echo $PWD/$(basename $0)
+}
+
+#
+# Source a user exit file if it exists
+#
+run_user_exit() # $1 = file name
+{
+    local user_exit
+    user_exit=$(find_file $1)
+
+    if [ -f $user_exit ]; then
+	progress_message "Processing $user_exit ..."
+	. $user_exit
+    fi
+}
+
+#
+# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
+#                         a space-separated list of directories to search for
+#                         the module and that 'moduleloader' contains the
+#                         module loader command.
+#
+loadmodule() # $1 = module name, $2 - * arguments
+{
+    local modulename
+    modulename=$1
+    local modulefile
+    local suffix
+
+    if ! list_search $modulename $MODULES $DONT_LOAD ; then
+	shift
+
+	for suffix in $MODULE_SUFFIX ; do
+	    for directory in $moduledirectories; do
+		modulefile=$directory/${modulename}.${suffix}
+
+		if [ -f $modulefile ]; then
+		    case $moduleloader in
+			insmod)
+			    insmod $modulefile $*
+			    ;;
+			*)
+			    modprobe $modulename $*
+			    ;;
+		    esac
+		    break 2
+		fi
+	    done
+	done
+    fi
+}
+
+#
+# Reload the Modules
+#
+reload_kernel_modules() {
+
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+    local uname
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+
+    [ -z "$MODULESDIR" ] && \
+	uname=$(uname -r) && \
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+
+    MODULES=$(lsmod | cut -d ' ' -f1)
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    [ -n "$moduledirectories" ] && while read command; do
+	eval $command
+    done
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+# Load kernel modules required for Shorewall
+#
+load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
+{
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+    local savemoduleinfo
+    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
+    local uname
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && \
+	uname=$(uname -r) && \
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    modules=$(find_file modules)
+
+    if [ -f $modules -a -n "$moduledirectories" ]; then
+	MODULES=$(lsmod | cut -d ' ' -f1)
+	progress_message "Loading Modules..."
+	. $modules
+	if [ $savemoduleinfo = Yes ]; then
+	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
+	    cp -f $modules ${VARDIR}/.modules
+	fi
+    elif [ $savemoduleinfo = Yes ]; then
+	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	> ${VARDIR}/.modulesdir	
+	> ${VARDIR}/.modules
+    fi
+
+    MODULESDIR=$save_modules_dir
+}
+
 #
 # Call this function to assert mutual exclusion with Shorewall. If you invoke the
 # /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
@@ -136,32 +334,12 @@ mutex_off()
 }

 #
-# Find the interface with the passed MAC address
+#  Note: The following set of IP address manipulation functions have anomalous
+#        behavior when the shell only supports 32-bit signed arithmetic and
+#        the IP address is 128.0.0.0 or 128.0.0.1.
 #

-find_interface_by_mac() {
-    local mac
-    mac=$1
-    local first
-    local second
-    local rest
-    local dev
-
-    $IP link list | while read first second rest; do
-	case $first in
-	    *:)
-                dev=$second
-		;;
-	    *)
-	        if [ "$second" = $mac ]; then
-		    echo ${dev%:}
-		    return
-		fi
-	esac
-    done
-}
-
-[ -z "$LEFTSHIFT" ] && . ${SHAREDIR}/lib.common
+LEFTSHIFT='<<'

 #
 # Validate an IP address
@@ -191,6 +369,44 @@ valid_address() {
    return 0
 }

+#
+# Convert an IP address in dot quad format to an integer
+#
+decodeaddr() {
+    local x
+    local temp
+    temp=0
+    local ifs
+    ifs=$IFS
+
+    IFS=.
+
+    for x in $1; do
+	temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
+    done
+
+    echo $temp
+
+    IFS=$ifs
+}
+
+#
+# convert an integer to dot quad format
+#
+encodeaddr() {
+    addr=$1
+    local x
+    local y
+    y=$(($addr & 255))
+
+    for x in 1 2 3 ; do
+	addr=$(($addr >> 8))
+	y=$(($addr & 255)).$y
+    done
+
+    echo $y
+}
+
 #
 # Miserable Hack to work around broken BusyBox ash in OpenWRT
 #
@@ -291,6 +507,66 @@ ip_range_explicit() {
    done
 }

+#
+# Netmask from CIDR
+#
+ip_netmask() {
+    local vlsm
+    vlsm=${1#*/}
+
+    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
+}
+
+#
+# Network address from CIDR
+#
+ip_network() {
+    local decodedaddr
+    decodedaddr=$(decodeaddr ${1%/*})
+    local netmask
+    netmask=$(ip_netmask $1)
+
+    echo $(encodeaddr $(($decodedaddr & $netmask)))
+}
+
+#
+# The following hack is supplied to compensate for the fact that many of
+# the popular light-weight Bourne shell derivatives don't support XOR ("^").
+#
+ip_broadcast() {
+    local x
+    x=$(( 32 - ${1#*/} ))
+
+    [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
+}
+
+#
+# Calculate broadcast address from CIDR
+#
+broadcastaddress() {
+    local decodedaddr
+    decodedaddr=$(decodeaddr ${1%/*})
+    local netmask
+    netmask=$(ip_netmask $1)
+    local broadcast
+    broadcast=$(ip_broadcast $1)
+
+    echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
+}
+
+#
+# Test for network membership
+#
+in_network() # $1 = IP address, $2 = CIDR network
+{
+    local netmask
+    netmask=$(ip_netmask $2)
+    #
+    # We compare the values as strings rather than integers to work around broken BusyBox ash on OpenWRT
+    #
+    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
+}
+
 #
 # Netmask to VLSM
 #
@@ -314,6 +590,90 @@ ip_vlsm() {
    fi
 }

+#
+# Query NetFilter about the existence of a filter chain
+#
+chain_exists() # $1 = chain name
+{
+    qt $IPTABLES -L $1 -n
+}
+
+#
+# Find the interface with the passed MAC address
+#
+
+find_interface_by_mac() {
+    local mac
+    mac=$1 
+    local first 
+    local second
+    local rest
+    local dev
+
+    ip link list | while read first second rest; do
+	case $first in
+	    *:)
+                dev=$second
+		;;
+	    *)
+	        if [ "$second" = $mac ]; then
+		    echo ${dev%:}
+		    return
+		fi
+	esac
+    done
+}
+
+#
+# Find interface address--returns the first IP address assigned to the passed
+# device
+#
+find_first_interface_address() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+    #
+    # If there wasn't one, bail out now
+    #
+    [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+}
+
+find_first_interface_address_if_any() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
+}
+
+#
+# Internal version of 'which'
+#
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
 #
 # Set default config path
 #
@@ -330,6 +690,32 @@ ensure_config_path() {
    fi
 }

+#
+# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
+#
+find_file()
+{
+    local saveifs
+    saveifs= 
+    local directory
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	*)
+	    for directory in $(split $CONFIG_PATH); do
+		if [ -f $directory/$1 ]; then
+		    echo $directory/$1
+		    return
+		fi
+	    done
+
+	    echo ${CONFDIR}/$1
+	    ;;
+    esac
+}
+
 #
 # Get fully-qualified name of file
 #
@@ -364,11 +750,359 @@ resolve_file() # $1 = file name
    esac
 }

+#
+# Perform variable substitution on the passed argument and echo the result
+#
+expand() # $@ = contents of variable which may be the name of another variable
+{
+    eval echo \"$@\"
+}
+
+#
+# Function for including one file into another
+#
+INCLUDE() {
+    . $(find_file $(expand $@))
+}
+
+#
+# Set the Shorewall state
+#
+set_state () # $1 = state
+{
+    echo "$1 ($(date))" > ${VARDIR}/state
+}
+
+#
+# Determine which optional facilities are supported by iptables/netfilter
+#
+determine_capabilities() {
+    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
+
+    if [ -z "$IPTABLES" ]; then
+	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
+	exit 1
+    fi
+
+    qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
+    qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
+
+    CONNTRACK_MATCH=
+    NEW_CONNTRACK_MATCH=
+    OLD_CONNTRACK_MATCH=
+    MULTIPORT=
+    XMULTIPORT=
+    POLICY_MATCH=
+    PHYSDEV_MATCH=
+    PHYSDEV_BRIDGE=
+    IPRANGE_MATCH=
+    RECENT_MATCH=
+    OWNER_MATCH=
+    IPSET_MATCH=
+    CONNMARK=
+    XCONNMARK=
+    CONNMARK_MATCH=
+    XCONNMARK_MATCH=
+    RAW_TABLE=
+    IPP2P_MATCH=
+    OLD_IPP2P_MATCH=
+    LENGTH_MATCH=
+    CLASSIFY_TARGET=
+    ENHANCED_REJECT=
+    USEPKTTYPE=
+    KLUDGEFREE=
+    MARK=
+    XMARK=
+    MANGLE_FORWARD=
+    COMMENTS=
+    ADDRTYPE=
+    TCPMSS_MATCH=
+    HASHLIMIT_MATCH=
+    NFQUEUE_TARGET=
+    REALM_MATCH=
+    HELPER_MATCH=
+    CONNLIMIT_MATCH=
+    TIME_MATCH=
+    GOTO_TARGET=
+    LOGMARK_TARGET=
+    IPMARK_TARGET=
+    LOG_TARGET=Yes
+    PERSISTENT_SNAT=
+
+    chain=fooX$$
+
+    if [ -n "$NAT_ENABLED" ]; then
+	if qt $IPTABLES -t nat -N $chain; then
+	    qt $IPTABLES -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
+	    qt $IPTABLES -t nat -F $chain
+	    qt $IPTABLES -t nat -X $chain
+	fi
+    fi
+
+    qt $IPTABLES -F $chain
+    qt $IPTABLES -X $chain
+    if ! $IPTABLES -N $chain; then
+	echo "   ERROR: The command \"$IPTABLES -N $chain\" failed" >&2
+	exit 1
+    fi
+
+    chain1=${chain}1
+
+    qt $IPTABLES -F $chain1
+    qt $IPTABLES -X $chain1
+    if ! $IPTABLES -N $chain1; then
+	echo "   ERROR: The command \"$IPTABLES -N $chain1\" failed" >&2
+	exit 1
+    fi
+
+    if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then
+	echo "   ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
+	exit 1
+    fi
+
+    qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
+
+    if [ -n "$CONNTRACK_MATCH" ]; then
+	qt $IPTABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
+	qt $IPTABLES -A $chain -m conntrack ! --ctorigdst 1.2.3.4 || OLD_CONNTRACK_MATCH=Yes
+    fi
+
+    if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
+	MULTIPORT=Yes
+	qt $IPTABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
+    fi
+
+    qt $IPTABLES -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT           && XMULTIPORT=Yes
+    qt $IPTABLES -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
+
+    if qt $IPTABLES -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then
+	PHYSDEV_MATCH=Yes
+	qt $IPTABLES -A $chain -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes
+	if [ -z "${KLUDGEFREE}" ]; then
+	    qt $IPTABLES -A $chain -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes
+	fi
+    fi
+
+    if qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
+	IPRANGE_MATCH=Yes
+	if [ -z "${KLUDGEFREE}" ]; then
+	    qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
+	fi
+    fi
+
+    qt $IPTABLES -A $chain -m recent --update -j ACCEPT     && RECENT_MATCH=Yes
+    qt $IPTABLES -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
+
+    if qt $IPTABLES -A $chain -m connmark --mark 2  -j ACCEPT; then
+	CONNMARK_MATCH=Yes
+	qt $IPTABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
+    fi
+
+    qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT       && IPP2P_MATCH=Yes
+    if [ -n "$IPP2P_MATCH" ]; then
+	qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
+    fi
+
+    qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT           && LENGTH_MATCH=Yes
+    qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
+
+    qt $IPTABLES -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
+
+    if [ -n "$MANGLE_ENABLED" ]; then
+	qt $IPTABLES -t mangle -N $chain
+
+	if qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1; then
+	    MARK=Yes
+	    qt $IPTABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
+	fi
+
+	if qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark; then
+	    CONNMARK=Yes
+	    qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
+	fi
+
+	qt $IPTABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
+	qt $IPTABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
+	qt $IPTABLES -t mangle -F $chain
+	qt $IPTABLES -t mangle -X $chain
+	qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
+    fi
+
+    qt $IPTABLES -t raw	   -L -n && RAW_TABLE=Yes
+
+    if qt mywhich ipset; then
+	qt ipset -X $chain # Just in case something went wrong the last time
+
+	if qt ipset -N $chain iphash ; then
+	    if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
+		qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
+		IPSET_MATCH=Yes
+	    fi
+	    qt ipset -X $chain
+	fi
+    fi
+
+    qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
+    qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
+    qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
+    qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    if [ -z "$HASHLIMIT_MATCH" ]; then
+	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && NEW_HL_MATCH=Yes
+	HASHLIMIT_MATCH=$OLD_HL_MATCH
+    fi	
+    qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
+    qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
+    qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
+    qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
+    qt $IPTABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
+    qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
+    qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
+    qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
+
+    qt $IPTABLES -F $chain
+    qt $IPTABLES -X $chain
+    qt $IPTABLES -F $chain1
+    qt $IPTABLES -X $chain1
+
+    CAPVERSION=$SHOREWALL_CAPVERSION
+}
+
+report_capabilities() {
+    report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
+    {
+	local setting
+	setting=
+
+	[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
+
+	echo "  " $1: $setting
+    }
+
+    if [ $VERBOSE -gt 1 ]; then
+	echo "Shorewall has detected the following iptables/netfilter capabilities:"
+	report_capability "NAT" $NAT_ENABLED
+	report_capability "Packet Mangling" $MANGLE_ENABLED
+	report_capability "Multi-port Match" $MULTIPORT
+	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
+	report_capability "Connection Tracking Match" $CONNTRACK_MATCH
+	if [ -n "$CONNTRACK_MATCH" ]; then
+	    report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
+	    report_capability "Old Connection Tracking Match Syntax" $OLD_CONNTRACK_MATCH
+	fi
+	report_capability "Packet Type Match" $USEPKTTYPE
+	report_capability "Policy Match" $POLICY_MATCH
+	report_capability "Physdev Match" $PHYSDEV_MATCH
+	report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
+	report_capability "Packet length Match" $LENGTH_MATCH
+	report_capability "IP range Match" $IPRANGE_MATCH
+	report_capability "Recent Match" $RECENT_MATCH
+	report_capability "Owner Match" $OWNER_MATCH
+	report_capability "Ipset Match" $IPSET_MATCH
+	report_capability "CONNMARK Target" $CONNMARK
+	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
+	report_capability "Connmark Match" $CONNMARK_MATCH
+	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
+	report_capability "Raw Table" $RAW_TABLE
+	report_capability "IPP2P Match" $IPP2P_MATCH
+	[ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
+	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
+	report_capability "Extended REJECT" $ENHANCED_REJECT
+	report_capability "Repeat match" $KLUDGEFREE
+	report_capability "MARK Target" $MARK
+	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
+	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
+	report_capability "Comments" $COMMENTS
+	report_capability "Address Type Match" $ADDRTYPE
+	report_capability "TCPMSS Match" $TCPMSS_MATCH
+	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
+	report_capability "Old Hashlimit Match" $OLD_HL_MATCH
+	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
+	report_capability "Realm Match" $REALM_MATCH
+	report_capability "Helper Match" $HELPER_MATCH
+	report_capability "Connlimit Match" $CONNLIMIT_MATCH
+	report_capability "Time Match" $TIME_MATCH
+	report_capability "Goto Support" $GOTO_TARGET
+	report_capability "LOGMARK Target" $LOGMARK_TARGET
+	report_capability "IPMARK Target" $IPMARK_TARGET
+	report_capability "LOG Target" $LOG_TARGET
+	report_capability "Persistent SNAT" $PERSISTENT_SNAT
+    fi
+
+    [ -n "$PKTTYPE" ] || USEPKTTYPE=
+
+}
+
+report_capabilities1() {
+    report_capability1() # $1 = Capability
+    {
+	eval echo $1=\$$1
+    }
+
+    echo "#"
+    echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
+    echo "#"
+    report_capability1 NAT_ENABLED
+    report_capability1 MANGLE_ENABLED
+    report_capability1 MULTIPORT
+    report_capability1 XMULTIPORT
+    report_capability1 CONNTRACK_MATCH
+    report_capability1 NEW_CONNTRACK_MATCH
+    report_capability1 OLD_CONNTRACK_MATCH
+    report_capability1 USEPKTTYPE
+    report_capability1 POLICY_MATCH
+    report_capability1 PHYSDEV_MATCH
+    report_capability1 PHYSDEV_BRIDGE
+    report_capability1 LENGTH_MATCH
+    report_capability1 IPRANGE_MATCH
+    report_capability1 RECENT_MATCH
+    report_capability1 OWNER_MATCH
+    report_capability1 IPSET_MATCH
+    report_capability1 CONNMARK
+    report_capability1 XCONNMARK
+    report_capability1 CONNMARK_MATCH
+    report_capability1 XCONNMARK_MATCH
+    report_capability1 RAW_TABLE
+    report_capability1 IPP2P_MATCH
+    report_capability1 OLD_IPP2P_MATCH
+    report_capability1 CLASSIFY_TARGET
+    report_capability1 ENHANCED_REJECT
+    report_capability1 KLUDGEFREE
+    report_capability1 MARK
+    report_capability1 XMARK
+    report_capability1 MANGLE_FORWARD
+    report_capability1 COMMENTS
+    report_capability1 ADDRTYPE
+    report_capability1 TCPMSS_MATCH
+    report_capability1 HASHLIMIT_MATCH
+    report_capability1 OLD_HL_MATCH
+    report_capability1 NFQUEUE_TARGET
+    report_capability1 REALM_MATCH
+    report_capability1 HELPER_MATCH
+    report_capability1 CONNLIMIT_MATCH
+    report_capability1 TIME_MATCH
+    report_capability1 GOTO_TARGET
+    report_capability1 LOGMARK_TARGET
+    report_capability1 IPMARK_TARGET
+    report_capability1 LOG_TARGET
+    report_capability1 PERSISTENT_SNAT
+    
+    echo CAPVERSION=$SHOREWALL_CAPVERSION
+}
+
 # Function to truncate a string -- It uses 'cut -b -<n>'
 # rather than ${v:first:last} because light-weight shells like ash and
 # dash do not support that form of expansion.
 #

+truncate() # $1 = length
+{
+    cut -b -${1}
+}
+
+#
+# Determine how to do "echo -e"
+#
+
 find_echo() {
    local result

--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
--- a/Shorewall/lib.common
+++ b/Shorewall/lib.common
@@ -1,549 +0,0 @@
-#!/bin/sh
-#
-# Shorewall 4.4 -- /usr/share/shorewall/lib.common.
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-# The purpose of this library is to hold those functions used by both the CLI and by the
-# generated firewall scripts. To avoid versioning issues, it is copied into generated
-# scripts rather than loaded at run-time.
-#
-
-#
-# Get the Shorewall version of the passed script
-#
-get_script_version() { # $1 = script
-    local temp
-    local version
-    local ifs
-    local digits
-
-    temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
-
-    if [ $? -ne 0 ]; then
-	version=0
-    else
-	ifs=$IFS
-	IFS=.
-	temp=$(echo $temp)
-	IFS=$ifs
-	digits=0
-
-	for temp in $temp; do
-	    version=${version}$(printf '%02d' $temp)
-	    digits=$(($digits + 1))
-	    [ $digits -eq 3 ] && break
-	done
-    fi
-
-    echo $version
-}
-
-#
-# Do required exports or create the required option string and run the passed script using
-# $SHOREWALL_SHELL
-#
-run_it() {
-    local script
-    local options
-    local version
-
-    export VARDIR
-
-    script=$1
-    shift
-
-    version=$(get_script_version $script)
-
-    if [ $version -lt 040408 ]; then
-	#
-	# Old script that doesn't understand 4.4.8 script options
-	#
-	export RESTOREFILE
-	export VERBOSITY
-	export NOROUTES=$g_noroutes
-	export PURGE=$g_purge
-	export TIMESTAMP=$g_timestamp
-	export RECOVERING=$g_recovering
-
-	if [ "$g_product" != Shorewall ]; then
-	    #
-	    # Shorewall Lite
-	    #
-	    export LOGFORMAT
-	    export IPTABLES
-	fi
-    else
-	#
-	# 4.4.8 or later -- no additional exports required
-	#
-	if [ x$1 = xtrace -o x$1 = xdebug ]; then
-	    options="$1 -"
-	    shift;
-	else
-	    options='-'
-	fi
-
-	[ -n "$g_noroutes" ]   && options=${options}n
-	[ -n "$g_timestamp" ]  && options=${options}t
-	[ -n "$g_purge" ]      && options=${options}p
-	[ -n "$g_recovering" ] && options=${options}r
-
-	options="${options}V $VERBOSITY"
-
-	[ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
-    fi
-
-    $SHOREWALL_SHELL $script $options $@
-}
-
-#
-# Message to stderr
-#
-error_message() # $* = Error Message
-{
-   echo "   $@" >&2
-}
-
-#
-# Split a colon-separated list into a space-separated list
-#
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    echo $*
-    IFS=$ifs
-}
-
-#
-# Search a list looking for a match -- returns zero if a match found
-# 1 otherwise
-#
-list_search() # $1 = element to search for , $2-$n = list
-{
-    local e
-    e=$1
-
-    while [ $# -gt 1 ]; do
-	shift
-	[ "x$e" = "x$1" ] && return 0
-    done
-
-    return 1
-}
-
-#
-# Suppress all output for a command
-#
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-qt1()
-{
-    local status
-
-    while [ 1 ]; do
-	"$@" >/dev/null 2>&1
-	status=$?
-	[ $status -ne 4 ] && return $status
-    done
-}
-
-#
-# Determine if Shorewall is "running"
-#
-shorewall_is_started() {
-    qt $IPTABLES -L shorewall -n
-}
-
-#
-# Echos the fully-qualified name of the calling shell program
-#
-my_pathname() {
-    cd $(dirname $0)
-    echo $PWD/$(basename $0)
-}
-
-#
-# Source a user exit file if it exists
-#
-run_user_exit() # $1 = file name
-{
-    local user_exit
-    user_exit=$(find_file $1)
-
-    if [ -f $user_exit ]; then
-	progress_message "Processing $user_exit ..."
-	. $user_exit
-    fi
-}
-
-#
-# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
-#                         a space-separated list of directories to search for
-#                         the module and that 'moduleloader' contains the
-#                         module loader command.
-#
-loadmodule() # $1 = module name, $2 - * arguments
-{
-    local modulename
-    modulename=$1
-    local modulefile
-    local suffix
-
-    if ! list_search $modulename $DONT_LOAD $MODULES; then
-	shift
-
-	for suffix in $MODULE_SUFFIX ; do
-	    for directory in $moduledirectories; do
-		modulefile=$directory/${modulename}.${suffix}
-
-		if [ -f $modulefile ]; then
-		    case $moduleloader in
-			insmod)
-			    insmod $modulefile $*
-			    ;;
-			*)
-			    modprobe $modulename $*
-			    ;;
-		    esac
-		    break 2
-		fi
-	    done
-	done
-    fi
-}
-
-#
-# Reload the Modules
-#
-reload_kernel_modules() {
-
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-    local uname
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
-
-    MODULES=$(lsmod | cut -d ' ' -f1)
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    [ -n "$moduledirectories" ] && while read command; do
-	eval $command
-    done
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-# Load kernel modules required for Shorewall
-#
-load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
-{
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-    local savemoduleinfo
-    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
-    local uname
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
-
-    if [ -f $modules -a -n "$moduledirectories" ]; then
-	MODULES=$(lsmod | cut -d ' ' -f1)
-	progress_message "Loading Modules..."
-	. $modules
-	if [ $savemoduleinfo = Yes ]; then
-	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
-	    cp -f $modules ${VARDIR}/.modules
-	fi
-    elif [ $savemoduleinfo = Yes ]; then
-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	> ${VARDIR}/.modulesdir
-	> ${VARDIR}/.modules
-    fi
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-#  Note: The following set of IP address manipulation functions have anomalous
-#        behavior when the shell only supports 32-bit signed arithmetic and
-#        the IP address is 128.0.0.0 or 128.0.0.1.
-#
-
-LEFTSHIFT='<<'
-
-#
-# Convert an IP address in dot quad format to an integer
-#
-decodeaddr() {
-    local x
-    local temp
-    temp=0
-    local ifs
-    ifs=$IFS
-
-    IFS=.
-
-    for x in $1; do
-	temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
-    done
-
-    echo $temp
-
-    IFS=$ifs
-}
-
-#
-# convert an integer to dot quad format
-#
-encodeaddr() {
-    addr=$1
-    local x
-    local y
-    y=$(($addr & 255))
-
-    for x in 1 2 3 ; do
-	addr=$(($addr >> 8))
-	y=$(($addr & 255)).$y
-    done
-
-    echo $y
-}
-
-#
-# Netmask from CIDR
-#
-ip_netmask() {
-    local vlsm
-    vlsm=${1#*/}
-
-    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
-}
-
-#
-# Network address from CIDR
-#
-ip_network() {
-    local decodedaddr
-    decodedaddr=$(decodeaddr ${1%/*})
-    local netmask
-    netmask=$(ip_netmask $1)
-
-    echo $(encodeaddr $(($decodedaddr & $netmask)))
-}
-
-#
-# The following hack is supplied to compensate for the fact that many of
-# the popular light-weight Bourne shell derivatives don't support XOR ("^").
-#
-ip_broadcast() {
-    local x
-    x=$(( 32 - ${1#*/} ))
-
-    [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
-}
-
-#
-# Calculate broadcast address from CIDR
-#
-broadcastaddress() {
-    local decodedaddr
-    decodedaddr=$(decodeaddr ${1%/*})
-    local netmask
-    netmask=$(ip_netmask $1)
-    local broadcast
-    broadcast=$(ip_broadcast $1)
-
-    echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
-}
-
-#
-# Test for network membership
-#
-in_network() # $1 = IP address, $2 = CIDR network
-{
-    local netmask
-    netmask=$(ip_netmask $2)
-    #
-    # Use string comparison to work around a broken BusyBox ash in OpenWRT
-    #
-    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
-}
-
-#
-# Find interface address--returns the first IP address assigned to the passed
-# device
-#
-find_first_interface_address() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # If there wasn't one, bail out now
-    #
-    [ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
-}
-
-find_first_interface_address_if_any() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
-}
-
-#
-# Internal version of 'which'
-#
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-#
-# Query NetFilter about the existence of a filter chain
-#
-chain_exists() # $1 = chain name
-{
-    qt1 $IPTABLES -L $1 -n
-}
-
-#
-# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
-#
-find_file()
-{
-    local saveifs
-    saveifs=
-    local directory
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	*)
-	    for directory in $(split $CONFIG_PATH); do
-		if [ -f $directory/$1 ]; then
-		    echo $directory/$1
-		    return
-		fi
-	    done
-
-	    echo ${CONFDIR}/$1
-	    ;;
-    esac
-}
-
-#
-# Set the Shorewall state
-#
-set_state () # $1 = state $2 
-{
-    if [ $# -gt 1 ]; then
-	echo "$1 ($(date)) from $2" > ${VARDIR}/state
-    else
-	echo "$1 ($(date))" > ${VARDIR}/state
-    fi
-}
-
-#
-# Perform variable substitution on the passed argument and echo the result
-#
-expand() # $@ = contents of variable which may be the name of another variable
-{
-    eval echo \"$@\"
-}
-
-#
-# Function for including one file into another
-#
-INCLUDE() {
-    . $(find_file $(expand $@))
-}
-
-# Function to truncate a string -- It uses 'cut -b -<n>'
-# rather than ${v:first:last} because light-weight shells like ash and
-# dash do not support that form of expansion.
-#
-
-truncate() # $1 = length
-{
-    cut -b -${1}
-}
--- a/Shorewall/modules
+++ b/Shorewall/modules
@@ -54,8 +54,6 @@ loadmodule xt_owner
 loadmodule xt_physdev
 loadmodule xt_pkttype
 loadmodule xt_tcpmss
-loadmodule xt_IPMARK
-loadmodule xt_TPROXY
 #
 # Helpers
 #
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.13
-%define release 2
+%define version 4.4.4
+%define release 3

 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute perl
-Provides: shoreline_firewall = %{version}-%{release}
 Obsoletes: shorewall-common shorewall-perl shorewall-shell

 %description
@@ -29,7 +28,7 @@ a multi-function gateway/ router/server or on a standalone GNU/Linux system.
 %build

 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -76,6 +75,7 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall/configfiles
 %attr(0700,root,root) %dir /var/lib/shorewall
 %attr(0644,root,root) %config(noreplace) /etc/shorewall/*
+%attr(0600,root,root) /etc/shorewall/Makefile

 %attr(0644,root,root) /etc/logrotate.d/shorewall

@@ -89,10 +89,8 @@ fi
 %attr(-   ,root,root) /usr/share/shorewall/functions
 %attr(0644,root,root) /usr/share/shorewall/lib.base
 %attr(0644,root,root) /usr/share/shorewall/lib.cli
-%attr(0644,root,root) /usr/share/shorewall/lib.common
 %attr(0644,root,root) /usr/share/shorewall/macro.*
 %attr(0644,root,root) /usr/share/shorewall/modules
-%attr(0644,root,root) /usr/share/shorewall/helpers
 %attr(0644,root,root) /usr/share/shorewall/configpath
 %attr(0755,root,root) /usr/share/shorewall/wait4ifup

@@ -103,118 +101,18 @@ fi
 %attr(0644,root,root) /usr/share/shorewall/configfiles/*

 %attr(0644,root,root) %{_mandir}/man5/*
-%attr(0644,root,root) %{_mandir}/man8/*
+%attr(0644,root,root) %{_mandir}/man8/shorewall.8.gz

 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 

 %changelog
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-2
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta1
-* Mon May 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0base
-* Sun May 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0RC2
-* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0RC1
-* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta5
-* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta4
-* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta3
-* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta2
-* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta1
-* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0base
-* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0RC2
-* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0RC1
-* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0Beta2
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0Beta1
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta2
-* Thu Jan 21 2010 Tom Eastep tom@shorewall.net
- Add /usr/share/shorewall/helpers
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.6-0base
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.5-0base
+* Tue Dec 08 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-3
+* Sun Dec 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-2
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-1
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0Beta2
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.13.2
+VERSION=4.4.4.3

 usage() # $1 = exit status
 {
@@ -79,7 +79,7 @@ if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall-lite ]; then
 fi

 if [ -L /usr/share/shorewall/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall/init)
+    FIREWALL=$(ls -l /usr/share/shorewall/init | sed 's/^.*> //')
 else
    FIREWALL=/etc/init.d/shorewall
 fi
@@ -108,7 +108,6 @@ rm -rf /usr/share/shorewall
 rm -rf /usr/share/shorewall-*.bkout
 rm -rf /usr/share/man/man5/shorewall*
 rm -rf /usr/share/man/man8/shorewall*
-rm -f  /etc/logrotate.d/shorewall

 echo "Shorewall Uninstalled"

--- a/Shorewall6-lite/README.txt
+++ b/Shorewall6-lite/README.txt
@@ -1 +1 @@
-This is the Shorewall6-lite stable 4.4 branch of Git.
+This is the Shorewall6-lite development 4.3 branch of SVN.
--- a/Shorewall6-lite/default.debian
+++ b/Shorewall6-lite/default.debian
@@ -26,11 +26,4 @@ OPTIONS=""
 #
 INITLOG=/dev/null

-#
-# Set this to 1 to cause '/etc/init.d/shorewall6-lite stop' to place the firewall in
-# a safe state rather than to open it
-#
-
-SAFESTOP=0
-
 # EOF
--- a/Shorewall6-lite/fallback.sh
+++ b/Shorewall6-lite/fallback.sh
@@ -0,0 +1,104 @@
+#!/bin/sh
+#
+# Script to back out the installation of Shorewall Lite and to restore the previous version of
+# the program
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#    Usage:
+#
+#       You may only use this script to back out the installation of the version
+#       shown below. Simply run this script to revert to your prior version of
+#       Shoreline Firewall.
+
+VERSION=4.4.4.3
+
+usage() # $1 = exit status
+{
+    echo "usage: $(basename $0)"
+    exit $1
+}
+
+restore_directory() # $1 = directory to restore
+{
+    if [ -d ${1}-${VERSION}.bkout ]; then
+	if mv -f $1 ${1}-${VERSION} && mv ${1}-${VERSION}.bkout $1; then
+	    echo
+	    echo "$1 restored"
+	    rm -rf ${1}-${VERSION}
+	else
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+	fi
+    fi
+}
+
+restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
+{
+    if [ -n "$2" ]; then
+	local file
+	file=$(basename $1)
+
+	if [ -f $2/$file ]; then
+	    if mv -f $2/$file $1 ; then
+		echo
+		echo "$1 restored"
+		return
+	    fi
+
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+        fi
+    fi
+
+    if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
+	if (mv -f ${1}-${VERSION}.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    echo "ERROR: Could not restore $1"
+	    exit 1
+        fi
+    fi
+}
+
+if [ ! -f /usr/share/shorewall-lite-${VERSION}.bkout/version ]; then
+    echo "Shorewall Version $VERSION is not installed"
+    exit 1
+fi
+
+echo "Backing Out Installation of Shorewall $VERSION"
+
+if [ -L /usr/share/shorewall-lite/init ]; then
+    FIREWALL=$(ls -l /usr/share/shorewall-lite/init | sed 's/^.*> //')
+    restore_file $FIREWALL /usr/share/shorewall-lite-${VERSION}.bkout
+else
+    restore_file /etc/init.d/shorewall /usr/share/shorewall-lite-${VERSION}.bkout
+fi
+
+restore_file /sbin/shorewall /var/lib/shorewall-lite-${VERSION}.bkout
+
+restore_directory /etc/shorewall-lite
+restore_directory /usr/share/shorewall-lite
+restore_directory /var/lib/shorewall-lite
+
+echo "Shorewall Lite Restored to Version $(cat /usr/share/shorewall-lite/version)"
+
+
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -2,8 +2,8 @@

 ### BEGIN INIT INFO
 # Provides:          shorewall6-lite
-# Required-Start:    $network $remote_fs
-# Required-Stop:     $network $remote_fs
+# Required-Start:    $network
+# Required-Stop:     $network
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -17,7 +17,7 @@ SRWL=/sbin/shorewall6-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}

-[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
+[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0

 export SHOREWALL_INIT_SCRIPT

@@ -42,7 +42,6 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
  fi

-  exit 1
 }

 not_configured () {
@@ -88,11 +87,7 @@ shorewall6_start () {
 # stop the firewall
 shorewall6_stop () {
  echo -n "Stopping \"Shorewall6 Lite firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
-      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  else
  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
-  fi
  return 0
 }

--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.13.2
+VERSION=4.4.4.3

 usage() # $1 = exit status
 {
@@ -82,16 +82,15 @@ delete_file() # $1 = file to delete

 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    run_install $OWNERSHIP -m $3 $1 ${2}
 }

-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
+# RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -104,6 +103,10 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall6-lite"
 fi

+if [ -z "$RUNLEVELS" ] ; then
+	RUNLEVELS=""
+fi
+
 while [ $# -gt 0 ] ; do
    case "$1" in
 	-h|help|?)
@@ -126,12 +129,11 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 # Determine where to install the firewall script
 #
-INSTALLD='-D'
-T='-T'
+DEBIAN=

 case $(uname) in
    CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -139,10 +141,6 @@ case $(uname) in
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-     Darwin)
-	INSTALLD=
-	T=
-	;;	   
    *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -151,14 +149,14 @@ esac

 OWNERSHIP="-o $OWNER -g $GROUP"

-if [ -n "$DESTDIR" ]; then
+if [ -n "$PREFIX" ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
    fi
    
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
+    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
    DEBIAN=yes
 elif [ -f /etc/slackware-version ] ; then
@@ -180,184 +178,161 @@ echo "Installing Shorewall6 Lite Version $VERSION"
 #
 # Check for /etc/shorewall6-lite
 #
-if [ -z "$DESTDIR" -a -d /etc/shorewall6-lite ]; then
+if [ -z "$PREFIX" -a -d /etc/shorewall6-lite ]; then
+    first_install=""
    [ -f /etc/shorewall6-lite/shorewall.conf ] && \
 	mv -f /etc/shorewall6-lite/shorewall.conf /etc/shorewall6-lite/shorewall6-lite.conf
-else
-    rm -rf ${DESTDIR}/etc/shorewall6-lite
-    rm -rf ${DESTDIR}/usr/share/shorewall6-lite
-    rm -rf ${DESTDIR}/var/lib/shorewall6-lite
-fi
-
-#
-# Check for /sbin/shorewall6-lite
-#
-if [ -f ${DESTDIR}/sbin/shorewall6-lite ]; then
-    first_install=""
 else
    first_install="Yes"
+    rm -rf ${PREFIX}/etc/shorewall6-lite
+    rm -rf ${PREFIX}/usr/share/shorewall6-lite
+    rm -rf ${PREFIX}/var/lib/shorewall6-lite
 fi

-delete_file ${DESTDIR}/usr/share/shorewall6-lite/xmodules
+delete_file ${PREFIX}/usr/share/shorewall6-lite/xmodules

-install_file shorewall6-lite ${DESTDIR}/sbin/shorewall6-lite 0544
+install_file shorewall6-lite ${PREFIX}/sbin/shorewall6-lite 0544 ${PREFIX}/var/lib/shorewall6-lite-${VERSION}.bkout

-echo "Shorewall6 Lite control program installed in ${DESTDIR}/sbin/shorewall6-lite"
+echo "Shorewall6 Lite control program installed in ${PREFIX}/sbin/shorewall6-lite"

 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall6-lite 0544
+    install_file init.debian.sh /etc/init.d/shorewall6-lite 0544 ${PREFIX}/usr/share/shorewall6-lite-${VERSION}.bkout
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-lite-${VERSION}.bkout

 else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall6-lite-${VERSION}.bkout
 fi

-echo  "Shorewall6 Lite script installed in ${DESTDIR}${DEST}/$INIT"
+echo  "Shorewall6 Lite script installed in ${PREFIX}${DEST}/$INIT"

 #
 # Create /etc/shorewall6-lite, /usr/share/shorewall6-lite and /var/lib/shorewall6-lite if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall6-lite
-mkdir -p ${DESTDIR}/usr/share/shorewall6-lite
-mkdir -p ${DESTDIR}/var/lib/shorewall6-lite
+mkdir -p ${PREFIX}/etc/shorewall6-lite
+mkdir -p ${PREFIX}/usr/share/shorewall6-lite
+mkdir -p ${PREFIX}/var/lib/shorewall6-lite

-chmod 755 ${DESTDIR}/etc/shorewall6-lite
-chmod 755 ${DESTDIR}/usr/share/shorewall6-lite
+chmod 755 ${PREFIX}/etc/shorewall6-lite
+chmod 755 ${PREFIX}/usr/share/shorewall6-lite

-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
 fi

 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/shorewall6-lite/shorewall6-lite.conf ]; then
-   install_file shorewall6-lite.conf ${DESTDIR}/etc/shorewall6-lite/shorewall6-lite.conf 0744
-   echo "Config file installed as ${DESTDIR}/etc/shorewall6-lite/shorewall6-lite.conf"
+if [ ! -f ${PREFIX}/etc/shorewall6-lite/shorewall6-lite.conf ]; then
+   run_install $OWNERSHIP -m 0744 shorewall6-lite.conf ${PREFIX}/etc/shorewall6-lite/shorewall6-lite.conf
+   echo "Config file installed as ${PREFIX}/etc/shorewall6-lite/shorewall6-lite.conf"
 fi

 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall6-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall6-lite/shorewall.conf
 fi

 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall6-lite
-echo "Makefile installed as ${DESTDIR}/etc/shorewall6-lite/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall6-lite/Makefile
+echo "Makefile installed as ${PREFIX}/etc/shorewall6-lite/Makefile"

 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall6-lite/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall6-lite/configpath"
+install_file configpath ${PREFIX}/usr/share/shorewall6-lite/configpath 0644
+echo "Default config path file installed as ${PREFIX}/usr/share/shorewall6-lite/configpath"

 #
 # Install the libraries
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall6-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall6-lite/$f"
+	install_file $f ${PREFIX}/usr/share/shorewall6-lite/$f 0644
+	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall6-lite/$f"
    fi
 done

-ln -sf lib.base ${DESTDIR}/usr/share/shorewall6-lite/functions
+ln -sf lib.base ${PREFIX}/usr/share/shorewall6-lite/functions

-echo "Common functions linked through ${DESTDIR}/usr/share/shorewall6-lite/functions"
+echo "Common functions linked through ${PREFIX}/usr/share/shorewall6-lite/functions"

 #
 # Install Shorecap
 #

-install_file shorecap ${DESTDIR}/usr/share/shorewall6-lite/shorecap 0755
+install_file shorecap ${PREFIX}/usr/share/shorewall6-lite/shorecap 0755

 echo
-echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall6-lite/shorecap"
+echo "Capability file builder installed in ${PREFIX}/usr/share/shorewall6-lite/shorecap"

 #
 # Install wait4ifup
 #

-if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup 0755
+install_file wait4ifup ${PREFIX}/usr/share/shorewall6-lite/wait4ifup 0755

-    echo
-    echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup"
-fi
+echo
+echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall6-lite/wait4ifup"

-if [ -f modules ]; then
-    #
-    # Install the Modules file
-    #
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall6-lite
-    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall6-lite/modules"
-fi
+#
+# Install the Modules file
+#
+run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall6-lite/modules
+echo "Modules file installed as ${PREFIX}/usr/share/shorewall6-lite/modules"

-if [ -d manpages ]; then
-    #
-    # Install the Man Pages
-    #
+#
+# Install the Man Pages
+#

-    cd manpages
+cd manpages

-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
-
-    for f in *.5; do
+for f in *.5; do
    gzip -c $f > $f.gz
-	run_install $INSTALLD -m 644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
-    done
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man5/$f.gz"
+done

-    for f in *.8; do
+for f in *.8; do
    gzip -c $f > $f.gz
-	run_install $INSTALLD -m 644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
-    done
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man8/$f.gz"
+done

-    cd ..
+cd ..

-    echo "Man Pages Installed"
-fi
+echo "Man Pages Installed"

-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall6-lite
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall6-lite"
+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6-lite
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6-lite"
 fi

 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall6-lite/version
-chmod 644 ${DESTDIR}/usr/share/shorewall6-lite/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall6-lite/version
+chmod 644 ${PREFIX}/usr/share/shorewall6-lite/version
 #
 # Remove and create the symbolic link to the init script
 #

-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
    rm -f /usr/share/shorewall6-lite/init
    ln -s ${DEST}/${INIT} /usr/share/shorewall6-lite/init
 fi

-if [ -z "$DESTDIR" ]; then
-    touch /var/log/shorewall6-lite-init.log
-
-    if [ -n "$first_install" ]; then
+if [ -z "$PREFIX" -a -n "$first_install" ]; then
    if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite
-
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall6-lite
-	    else
 	ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
-	    fi
-
 	echo "Shorewall6 Lite will start automatically at boot"
+	touch /var/log/shorewall-init.log
    else
 	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 	    if insserv /etc/init.d/shorewall6-lite ; then
@@ -382,7 +357,6 @@ if [ -z "$DESTDIR" ]; then
 	    cant_autostart
 	fi
    fi
-    fi
 fi

 #
--- a/Shorewall6-lite/logrotate
+++ b/Shorewall6-lite/logrotate
@@ -1,4 +1,4 @@
-/var/log/shorewall6-lite-init.log {
+/var/log/shorewall6-init.log {
  missingok
  notifempty
  create 0600 root root
--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #
@@ -48,19 +48,18 @@
 SHAREDIR=/usr/share/shorewall6-lite
 VARDIR=/var/lib/shorewall6-lite
 CONFDIR=/etc/shorewall6-lite
-g_product="Shorewall Lite"
+PRODUCT="Shorewall Lite"

 . /usr/share/shorewall6-lite/lib.base
-. /usr/share/shorewall6-lite/lib.cli
 . /usr/share/shorewall6-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-SHOREWALL_VERSION=$(cat /usr/share/shorewall6-lite/version)
+VERSION=$(cat /usr/share/shorewall6-lite/version)

-[ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables)
+[ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)

-VERBOSITY=0
+VERBOSE=0
 load_kernel_modules No
 determine_capabilities
 report_capabilities1
--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall-lite.
 #
@@ -95,7 +95,7 @@ get_config() {

    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
 	LOGREAD="logread | tac"
-    elif [ -r $LOGFILE ]; then
+    elif [ -f $LOGFILE ]; then
 	LOGREAD="tac $LOGFILE"
    else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
@@ -117,6 +117,8 @@ get_config() {

    [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"

+    export LOGFORMAT
+
    if [ -n "$IP6TABLES" ]; then
 	if [ ! -x "$IP6TABLES" ]; then
 	    echo "   ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2
@@ -125,11 +127,13 @@ get_config() {
    else
 	IP6TABLES=$(mywhich ip6tables 2> /dev/null)
 	if [ -z "$IP6TABLES" ] ; then
-	    echo "   ERROR: Can't find ip6tables executable" >&2
+	    echo "   ERROR: Can't find iptables executable" >&2
 	    exit 2
 	fi
    fi

+    export IP6TABLES
+
    if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -x "$SHOREWALL_SHELL" ]; then
 	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
@@ -141,39 +145,29 @@ get_config() {

    validate_restorefile RESTOREFILE

+    export RESTOREFILE
+
    [ -n "${VERBOSITY:=2}" ]

-    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
+    [ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))

-    if [ $VERBOSITY -lt -1 ]; then
-	VERBOSITY=-1
-    elif [ $VERBOSITY -gt 2 ]; then
-	VERBOSITY=2
-    fi
+    export VERBOSE

-    g_hostname=$(hostname 2> /dev/null)
+    [ -n "${HOSTNAME:=$(hostname)}" ]

-    IP=$(mywhich ip 2> /dev/null)
-    if [ -z "$IP" ] ; then
-	echo "   ERROR: Can't find ip executable" >&2
-	exit 2
-    fi
-
-    IPSET=ipset
-    TC=tc
 }

 #
 # Verify that we have a compiled firewall script
 #
 verify_firewall_script() {
-    if [ ! -f $g_firewall ]; then
+    if [ ! -f $FIREWALL ]; then
 	echo "   ERROR: Shorewall6 Lite is not properly installed" >&2
-	if [ -L $g_firewall ]; then
-	    echo "          $g_firewall is a symbolic link to a" >&2
+	if [ -L $FIREWALL ]; then
+	    echo "          $FIREWALL is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
-	    echo "          The file $g_firewall does not exist" >&2
+	    echo "          The file $FIREWALL does not exist" >&2
 	fi
 	
 	exit 2
@@ -193,7 +187,7 @@ start_command() {
 	[ -n "$nolock" ] || mutex_on

 	if [ -x ${LITEDIR}/firewall ]; then
-	    run_it ${LITEDIR}/firewall $debugging start
+	    ${LITEDIR}/firewall $debugging start
 	    rc=$?
 	else
 	    error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -225,12 +219,12 @@ start_command() {
 			    option=
 			    ;;
 			f*)
-			    g_fast=Yes
+			    FAST=Yes
 			    option=${option#f}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
+			    PURGE=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -250,24 +244,40 @@ start_command() {
 	0)
 	    ;;
 	*)
-	    usage 1	    ;;
+	    usage 1
+	    ;;
    esac

-    if [ -n "$g_fast" ]; then
+    export NOROUTES
+
+    if [ -n "$FAST" ]; then
 	if qt mywhich make; then
-	    export RESTOREFILE
-	    make -qf ${CONFDIR}/Makefile || g_fast=
+	    #
+	    # RESTOREFILE is exported by get_config()
+	    #
+	    make -qf ${CONFDIR}/Makefile || FAST=
 	fi

-	if [ -n "$g_fast" ]; then
+	if [ -n "$FAST" ]; then

-	    g_restorepath=${VARDIR}/$RESTOREFILE
+	    RESTOREPATH=${VARDIR}/$RESTOREFILE
+
+	    if [ -x $RESTOREPATH ]; then
+		if [ -x ${RESTOREPATH}-ipsets ]; then
+		    echo Restoring Ipsets...
+		    #
+		    # We must purge iptables to be sure that there are no
+		    # references to ipsets
+		    #
+		    iptables -F
+		    iptables -X
+		    $SHOREWALL_SHELL ${RESTOREPATH}-ipsets
+		fi

-	    if [ -x $g_restorepath ]; then
 		echo Restoring Shorewall6 Lite...
-		run_it $g_restorepath restore
+		$SHOREWALL_SHELL $RESTOREPATH restore
 		date > ${VARDIR}/restarted
-		progress_message3 Shorewall6 Lite restored from $g_restorepath
+		progress_message3 Shorewall6 Lite restored from $RESTOREPATH
 	    else
 		do_it
 	    fi
@@ -303,12 +313,12 @@ restart_command() {
 			    option=
 			    ;;
 			n*)
-			    g_noroutes=Yes
+			    NOROUTES=Yes
 			    option=${option#n}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
+			    PURGE=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -332,10 +342,12 @@ restart_command() {
 	    ;;
    esac

+    export NOROUTES
+
    [ -n "$nolock" ] || mutex_on

    if [ -x ${LITEDIR}/firewall ]; then
-	run_it ${LITEDIR}/firewall $debugging restart
+	$SHOREWALL_SHELL ${LITEDIR}/firewall $debugging restart
 	rc=$?
    else
 	error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -360,74 +372,27 @@ usage() # $1 = exit status
    echo "   dump [ -x ]"
    echo "   forget [ <file name> ]"
    echo "   help"
-    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
+    echo "   hits [ -t ]"
+    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
+    echo "   ipdecimal { <address> | <integer> }"
+    echo "   iprange <address>-<address>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
-    echo "   refresh [ <chain>... ]"
    echo "   reject <address> ..."
-    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -f ]"
+    echo "   reset"
+    echo "   restart [ -n ] [ -p ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]capabilities|classifiers|config|connections|filters|ip|log [<regex>]|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
-    echo "   start [ -f ] [ <directory> ]"
+    echo "   show [ -x ] [ -m ] [ -f ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|capabilities|classifiers|config|connections|filters|ip|log|mangle|nat|routing|tc|vardir|zones} ]"
+    echo "   start [ -f ] [ -n ] [ -p ]"
    echo "   stop"
    echo "   status"
-    echo "   version [ -a ]"
+    echo "   version"
    echo
    exit $1
 }

-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-    local product
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-    
-    if [ -n "$all" ]; then
-	for product in shorewall shorewall6 shorewall-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
 #
 # Execution begins here
 #
@@ -445,14 +410,14 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
    shift
 fi

-g_ipt_options="-nv"
-g_fast=
-g_verbose_offset=0
-g_use_verbosity=
-g_noroutes=
-g_timestamp=
-g_recovering=
-g_purge=
+IPT_OPTIONS="-nv"
+FAST=
+VERBOSE_OFFSET=0
+USE_VERBOSITY=
+NOROUTES=
+EXPORT=
+export TIMESTAMP=
+noroutes=

 finished=0

@@ -471,48 +436,48 @@ while [ $finished -eq 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    x*)
-			g_ipt_options="-xnv"
+			IPT_OPTIONS="-xnv"
 			option=${option#x}
 			;;
 		    q*)
-			g_verbose_offset=$(($g_verbose_offset - 1 ))
+			VERBOSE_OFFSET=$(($VERBOSE_OFFSET - 1 ))
 			option=${option#q}
 			;;
 		    f*)
-			g_fast=Yes
+			FAST=Yes
 			option=${option#f}
 			;;
 		    v*)
 			option=${option#v}
 			case $option in 
 			    -1*)
-				g_use_verbosity=-1
+				USE_VERBOSITY=-1
 				option=${option#-1}
 				;;
 			    0*)
-				g_use_verbosity=0
+				USE_VERBOSITY=0
 				option=${option#0}
 				;;
 			    1*)
-				g_use_verbosity=1
+				USE_VERBOSITY=1
 				option=${option#1}
 				;;
 			    2*)
-				g_use_verbosity=2
+				USE_VERBOSITY=2
 				option=${option#2}
 				;;
 			    *)
-				g_verbose_offset=$(($g_verbose_offset + 1 ))
-				g_use_verbosity=
+				VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 ))
+				USE_VERBOSITY=
 				;;
 			esac
 			;;
 		    n*)
-			g_noroutes=Yes
+			NOROUTES=Yes
 			option=${option#n}
 			;;
 		    t*)
-			g_timestamp=Yes
+			TIMESTAMP=Yes
 			option=${option#t}
 			;;
 		    -)
@@ -537,11 +502,12 @@ if [ $# -eq 0 ]; then
 fi

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+export PATH
 MUTEX_TIMEOUT=

 SHAREDIR=/usr/share/shorewall6-lite
 CONFDIR=/etc/shorewall6-lite
-g_product="Shorewall6 Lite"
+export PRODUCT="Shorewall6 Lite"

 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]

@@ -549,10 +515,17 @@ g_product="Shorewall6 Lite"

 [ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR"

-version_file=$SHAREDIR/version
+LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
+VERSION_FILE=$SHAREDIR/version
+HELP=$SHAREDIR/help

-for library in base cli; do
-    . ${SHAREDIR}/lib.$library
+for library in $LIBRARIES; do
+    if [ -f $library ]; then
+	. $library
+    else
+	echo "Installation error: $library does not exist!" >&2
+	exit 2
+    fi
 done

 ensure_config_path
@@ -572,6 +545,7 @@ else
 fi

 ensure_config_path
+export CONFIG_PATH

 LITEDIR=${VARDIR}

@@ -579,17 +553,17 @@ LITEDIR=${VARDIR}

 get_config

-g_firewall=$LITEDIR/firewall
+FIREWALL=$LITEDIR/firewall

-if [ -f $version_file ]; then
-    SHOREWALL_VERSION=$(cat $version_file)
+if [ -f $VERSION_FILE ]; then
+    version=$(cat $VERSION_FILE)
 else
    echo "   ERROR: Shorewall6 Lite is not properly installed" >&2
-    echo "          The file $SHOREWALL_VERSION_FILE does not exist" >&2
+    echo "          The file $VERSION_FILE does not exist" >&2
    exit 1
 fi

-banner="Shorewall6 Lite $SHOREWALL_VERSION Status at $g_hostname -"
+banner="Shorewall6 Lite $version Status at $HOSTNAME -"

 case $(echo -e) in
    -e*)
@@ -621,9 +595,8 @@ case "$COMMAND" in
    stop|reset|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
+	export NOROUTES
+	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
 	;;
    restart)
 	shift
@@ -636,7 +609,7 @@ case "$COMMAND" in
    status)
 	[ $# -eq 1 ] || usage 1
 	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
-	echo "Shorewall6 Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
+	echo "Shorewall6 Lite $version Status at $HOSTNAME - $(date)"
 	echo
 	if shorewall6_is_started ; then
 	    echo "Shorewall6 Lite is running"
@@ -649,7 +622,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -670,8 +643,7 @@ case "$COMMAND" in
 	hits_command $@
 	;;
    version)
-	shift
-	version_command $@
+	echo $version Lite
 	;;
    logwatch)
 	logwatch_command $@
@@ -730,7 +702,7 @@ case "$COMMAND" in
 	    ;;
 	esac

-	g_restorepath=${VARDIR}/$RESTOREFILE
+	RESTOREPATH=${VARDIR}/$RESTOREFILE

 	[ "$nolock" ] || mutex_on

@@ -752,20 +724,20 @@ case "$COMMAND" in
 	esac


-	g_restorepath=${VARDIR}/$RESTOREFILE
+	RESTOREPATH=${VARDIR}/$RESTOREFILE

-	if [ -x $g_restorepath ]; then
+	if [ -x $RESTOREPATH ]; then

-	    if [ -x ${g_restorepath}-ipsets ]; then
-		rm -f ${g_restorepath}-ipsets
-		echo "    ${g_restorepath}-ipsets removed"
+	    if [ -x ${RESTOREPATH}-ipsets ]; then
+		rm -f ${RESTOREPATH}-ipsets
+		echo "    ${RESTOREPATH}-ipsets removed"
 	    fi

-	    rm -f $g_restorepath
-	    rm -f ${g_restorepath}-iptables
-	    echo "    $g_restorepath removed"
-	elif [ -f $g_restorepath ]; then
-	    echo "   $g_restorepath exists and is not a saved Shorewall6 configuration"
+	    rm -f $RESTOREPATH
+	    rm -f ${RESTOREPATH}-iptables
+	    echo "    $RESTOREPATH removed"
+	elif [ -f $RESTOREPATH ]; then
+	    echo "   $RESTOREPATH exists and is not a saved Shorewall6 configuration"
 	fi
 	rm -f ${VARDIR}/save
 	;;
--- a/Shorewall6-lite/shorewall6-lite.conf
+++ b/Shorewall6-lite/shorewall6-lite.conf
@@ -1,14 +1,15 @@
 ###############################################################################
-#  /etc/shorewall6-lite/shorewall6-lite.conf Version 4 - Change the following 
+#  /etc/shorewall6-lite/shorewall-lite.conf Version 4 - Change the following 
 #  variables to override the values in the shorewall.conf file used to
 #  compile /var/lib/shorewall-lite/firewall. Those values may be found in
 #  /var/lib/shorewall-lite/firewall.conf.
 #
-#  For information about the settings in this file, type
-#  "man shorewall6-lite.conf"
+#  This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#  This file should be placed in /etc/shorewall-lite
+#
+#  (c) 2006,2007,2008 - Tom Eastep (teastep@shorewall.net)
 #
-#  Manpage also online at
-#  http://www.shorewall.net/manpages6/shorewall6-lite.conf.html.
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.13
-%define release 2
+%define version 4.4.4
+%define release 3

 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -14,7 +14,6 @@ URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute
-Provides: shoreline_firewall = %{version}-%{release}

 %description

@@ -32,7 +31,7 @@ administrators to centralize the configuration of Shorewall6-based firewalls.
 %build

 %install
-export DESTDIR=$RPM_BUILD_ROOT ; \
+export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
@@ -80,7 +79,6 @@ fi
 %attr(-   ,root,root) /usr/share/shorewall6-lite/functions
 %attr(0644,root,root) /usr/share/shorewall6-lite/lib.base
 %attr(0644,root,root) /usr/share/shorewall6-lite/lib.cli
-%attr(0644,root,root) /usr/share/shorewall6-lite/lib.common
 %attr(0644,root,root) /usr/share/shorewall6-lite/modules
 %attr(0544,root,root) /usr/share/shorewall6-lite/shorecap
 %attr(0755,root,root) /usr/share/shorewall6-lite/wait4ifup
@@ -93,111 +91,13 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-2
-* Wed Sep 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-1
-* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0base
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta1
-* Mon May 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0base
-* Sun May 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0RC2
-* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0RC1
-* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta5
-* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta4
-* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta3
-* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta2
-* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta1
-* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0base
-* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0RC2
-* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0RC1
-* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0Beta2
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0Beta1
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta2
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.6-0base
-* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.5-0base
+* Tue Dec 08 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-3
+* Sun Dec 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-2
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-1
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0Beta2
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.13.2
+VERSION=4.4.4.3

 usage() # $1 = exit status
 {
@@ -67,7 +67,7 @@ if qt ip6tables -L shorewall -n && [ ! -f /sbin/shorewall6 ]; then
 fi

 if [ -L /usr/share/shorewall6-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall6-lite/init)
+    FIREWALL=$(ls -l /usr/share/shorewall6-lite/init | sed 's/^.*> //')
 else
    FIREWALL=/etc/init.d/shorewall6-lite
 fi
@@ -94,7 +94,6 @@ rm -rf /var/lib/shorewall6-lite
 rm -rf /var/lib/shorewall6-lite-*.bkout
 rm -rf /usr/share/shorewall6-lite
 rm -rf /usr/share/shorewall6-lite-*.bkout
-rm -f  /etc/logrotate.d/shorewall6-lite

 echo "Shorewall6 Lite Uninstalled"

--- a/Shorewall6/README.txt
+++ b/Shorewall6/README.txt
@@ -1 +1 @@
-This is the Shorewall6 stable 4.4 branch of Git.
+This is the Shorewall6 development 4.3 branch of SVN.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	305e97d154	Update for 4.4.4.3, if needed	2009-12-08 08:45:10 -08:00
Tom Eastep	b209986089	Update the known problem list	2009-12-08 08:36:09 -08:00
Tom Eastep	6c2050cbea	Fix DONT_LOAD vs 'reload -c'	2009-12-07 14:46:10 -08:00
Tom Eastep	3c6054d842	Fix ENHANCED_REJECT and MODULE_SUFFIX	2009-12-07 13:51:08 -08:00
Tom Eastep	1155af38ab	Copy DONT_LOAD setting to generated script	2009-12-07 12:53:29 -08:00
Tom Eastep	69387f60f3	Update release notes version	2009-12-06 09:48:06 -08:00
Tom Eastep	db6280d780	Shorewall 4.4.4.2	2009-12-06 08:48:09 -08:00
Tom Eastep	61b3afb3c6	Fix Shorewall6 capability detection	2009-12-06 08:39:45 -08:00
Tom Eastep	bca984c544	Remove incorrect migration consideration	2009-12-03 07:02:45 -08:00
Tom Eastep	8581c53b9f	Move some fixes from 4.4.5 to 4.4.4.2	2009-11-24 08:51:46 -08:00
Tom Eastep	c02ab429e6	Port a couple of fixes to 4.4.4	2009-11-23 14:00:25 -08:00
Tom Eastep	51b905eed4	Fix 'bridge' compilation error	2009-11-21 15:37:22 -08:00
Tom Eastep	446dff6ec5	Fix 15-port removal change	2009-11-21 14:29:11 -08:00
Tom Eastep	824dea615e	Prepare 4.4.4.1	2009-11-21 09:15:09 -08:00
				`@@ -1 +0,0 @@`
				`This is the Shorewall-init stable 4.4 branch of Git.`