Pass $CONFIG_PATH to compiler.pl

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Merge branch 'master' into 4.4.26
2011-12-02 09:31:26 -08:00 · 2011-12-01 13:07:46 -08:00 · 2011-12-01 13:04:53 -08:00 · 2011-12-01 12:58:38 -08:00 · 2011-12-01 12:14:58 -08:00 · 2011-12-01 11:23:50 -08:00
282 changed files with 18311 additions and 11985 deletions
--- a/Samples/Universal/rules
+++ b/Samples/Universal/rules
@@ -6,9 +6,10 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+###################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
--- a/Samples/Universal/shorewall.conf
+++ b/Samples/Universal/shorewall.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-#  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
+#  Shorewall Version 4.4 -- /etc/shorewall/shorewall.conf
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
@@ -21,181 +21,173 @@ VERBOSITY=1
 #		                L O G G I N G
 ###############################################################################

-LOGFILE=
+BLACKLIST_LOGLEVEL=

-STARTUP_LOG=/var/log/shorewall-init.log
+LOG_MARTIANS=Yes

 LOG_VERBOSITY=2

+LOGALLNEW=
+
+LOGFILE=/var/log/messages
+
 LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

 LOGLIMIT=

-LOGALLNEW=
-
-BLACKLIST_LOGLEVEL=
-
 MACLIST_LOG_LEVEL=info

-TCP_FLAGS_LOG_LEVEL=info
+SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info

-LOG_MARTIANS=Yes
+STARTUP_LOG=/var/log/shorewall-init.log
+
+TCP_FLAGS_LOG_LEVEL=info

 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
 IPTABLES=

 IP=

-TC=
-
 IPSET=

+MODULESDIR=
+
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

+RESTOREFILE=restore
+
 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=

-MODULESDIR=
-
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
-RESTOREFILE=
-
-IPSECFILE=zones
-
-LOCKFILE=
+TC=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
+DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
+REJECT_DEFAULT="Reject"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

-IP_FORWARDING=On
+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter

 ADD_IP_ALIASES=No

 ADD_SNAT_ALIASES=No

+ADMINISABSENTMINDED=Yes
+
+AUTO_COMMENT=Yes
+
+AUTOMAKE=No
+
+BLACKLISTNEWONLY=Yes
+
+CLAMPMSS=No
+
+CLEAR_TC=Yes
+
+COMPLETE=Yes
+
+DISABLE_IPV6=No
+
+DELETE_THEN_ADD=Yes
+
+DETECT_DNAT_IPADDRS=No
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=Yes
+
+EXPORTMODULES=Yes
+
+FASTACCEPT=Yes
+
+FORWARD_CLEAR_MARK=
+
+IMPLICIT_CONTINUE=No
+
+IP_FORWARDING=On
+
+KEEP_RT_TABLES=No
+
+LOAD_HELPERS_ONLY=Yes
+
+LEGACY_FASTSTART=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+MANGLE_ENABLED=Yes
+
+MAPOLDACTIONS=No
+
+MARK_IN_FORWARD_CHAIN=No
+
+MODULE_SUFFIX=ko
+
+MULTICAST=No
+
+MUTEX_TIMEOUT=60
+
+NULL_ROUTE_RFC1918=No
+
+OPTIMIZE=15
+
+OPTIMIZE_ACCOUNTING=No
+
+REQUIRE_INTERFACE=Yes
+
+RESTORE_DEFAULT_ROUTE=Yes
+
 RETAIN_ALIASES=No

+ROUTE_FILTER=No
+
+SAVE_IPSETS=No
+
 TC_ENABLED=Internal

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=No
-
-ROUTE_FILTER=No
-
-DETECT_DNAT_IPADDRS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-MODULE_SUFFIX=ko
-
-DISABLE_IPV6=No
-
-DYNAMIC_ZONES=No
-
-NULL_ROUTE_RFC1918=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-SAVE_IPSETS=No
-
-MAPOLDACTIONS=No
-
-FASTACCEPT=Yes
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-USE_ACTIONS=Yes
-
-OPTIMIZE=15
-
-EXPORTPARAMS=No
-
-EXPAND_POLICIES=Yes
-
-KEEP_RT_TABLES=No
-
-DELETE_THEN_ADD=Yes
-
-MULTICAST=No
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
+TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

-RESTORE_DEFAULT_ROUTE=Yes
-
-AUTOMAKE=No
-
-WIDE_TC_MARKS=Yes
-
-TRACK_PROVIDERS=Yes
-
 ZONE2ZONE=2

-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=Yes
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=Yes
-
-EXPORTMODULES=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -204,6 +196,31 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+SMURF_DISPOSITION=DROP
+
+SFILTER_DISPOSITION=DROP
+
 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
+################################################################################
+#                            L E G A C Y  O P T I O N
+#                      D O  N O T  D E L E T E  O R  A L T E R
+################################################################################
+
+IPSECFILE=zones
+
 #LAST LINE -- DO NOT REMOVE
--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
@@ -10,9 +10,13 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW

 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -32,181 +32,173 @@ VERBOSITY=1
 #		                L O G G I N G
 ###############################################################################

-LOGFILE=/var/log/messages
+BLACKLIST_LOGLEVEL=

-STARTUP_LOG=/var/log/shorewall-init.log
+LOG_MARTIANS=Yes

 LOG_VERBOSITY=2

+LOGALLNEW=
+
+LOGFILE=/var/log/messages
+
 LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

 LOGLIMIT=

-LOGALLNEW=
-
-BLACKLIST_LOGLEVEL=
-
 MACLIST_LOG_LEVEL=info

-TCP_FLAGS_LOG_LEVEL=info
+SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info

-LOG_MARTIANS=Yes
+STARTUP_LOG=/var/log/shorewall-init.log
+
+TCP_FLAGS_LOG_LEVEL=info

 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
 IPTABLES=

 IP=

-TC=
-
 IPSET=

+MODULESDIR=
+
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

+RESTOREFILE=restore
+
 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=

-MODULESDIR=
-
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
-RESTOREFILE=
-
-IPSECFILE=zones
-
-LOCKFILE=
+TC=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
+DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
+REJECT_DEFAULT="Reject"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

-IP_FORWARDING=Off
+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter

 ADD_IP_ALIASES=No

 ADD_SNAT_ALIASES=No

+ADMINISABSENTMINDED=Yes
+
+AUTO_COMMENT=Yes
+
+AUTOMAKE=No
+
+BLACKLISTNEWONLY=Yes
+
+CLAMPMSS=No
+
+CLEAR_TC=Yes
+
+COMPLETE=No
+
+DISABLE_IPV6=No
+
+DELETE_THEN_ADD=Yes
+
+DETECT_DNAT_IPADDRS=No
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=Yes
+
+EXPORTMODULES=Yes
+
+FASTACCEPT=No
+
+FORWARD_CLEAR_MARK=
+
+IMPLICIT_CONTINUE=No
+
+IP_FORWARDING=Off
+
+KEEP_RT_TABLES=No
+
+LOAD_HELPERS_ONLY=Yes
+
+LEGACY_FASTSTART=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+MANGLE_ENABLED=Yes
+
+MAPOLDACTIONS=No
+
+MARK_IN_FORWARD_CHAIN=No
+
+MODULE_SUFFIX=ko
+
+MULTICAST=No
+
+MUTEX_TIMEOUT=60
+
+NULL_ROUTE_RFC1918=No
+
+OPTIMIZE=1
+
+OPTIMIZE_ACCOUNTING=No
+
+REQUIRE_INTERFACE=No
+
+RESTORE_DEFAULT_ROUTE=Yes
+
 RETAIN_ALIASES=No

+ROUTE_FILTER=No
+
+SAVE_IPSETS=No
+
 TC_ENABLED=Internal

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=No
-
-ROUTE_FILTER=No
-
-DETECT_DNAT_IPADDRS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-MODULE_SUFFIX=ko
-
-DISABLE_IPV6=No
-
-DYNAMIC_ZONES=No
-
-PKTTYPE=Yes
-
-NULL_ROUTE_RFC1918=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-SAVE_IPSETS=No
-
-MAPOLDACTIONS=No
-
-FASTACCEPT=No
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-OPTIMIZE=1
-
-EXPORTPARAMS=No
-
-EXPAND_POLICIES=Yes
-
-KEEP_RT_TABLES=No
-
-DELETE_THEN_ADD=Yes
-
-MULTICAST=No
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
+TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

-RESTORE_DEFAULT_ROUTE=Yes
-
-AUTOMAKE=No
-
-WIDE_TC_MARKS=Yes
-
-TRACK_PROVIDERS=Yes
-
 ZONE2ZONE=2

-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=No
-
-EXPORTMODULES=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -215,6 +207,31 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+SMURF_DISPOSITION=DROP
+
+SFILTER_DISPOSITION=DROP
+
 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
+################################################################################
+#                            L E G A C Y  O P T I O N
+#                      D O  N O T  D E L E T E  O R  A L T E R
+################################################################################
+
+IPSECFILE=zones
+
 #LAST LINE -- DO NOT REMOVE
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -10,9 +10,17 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+#       Don't allow connection pickup from the net
+#
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -3,6 +3,7 @@
 # Shorewall version 4.0 - Sample shorewall.conf for three-interface
 #                         configuration.
 # Copyright (C) 2006 by the Shorewall Team
+#               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -17,9 +18,6 @@
 # http://shorewall.net/manpages/shorewall.conf.html
 #
 ###############################################################################
-#		       S T A R T U P   E N A B L E D
-###############################################################################
-
 STARTUP_ENABLED=No

 ###############################################################################
@@ -32,181 +30,173 @@ VERBOSITY=1
 #		                L O G G I N G
 ###############################################################################

-LOGFILE=/var/log/messages
+BLACKLIST_LOGLEVEL=

-STARTUP_LOG=/var/log/shorewall-init.log
+LOG_MARTIANS=Yes

 LOG_VERBOSITY=2

+LOGALLNEW=
+
+LOGFILE=/var/log/messages
+
 LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

 LOGLIMIT=

-LOGALLNEW=
-
-BLACKLIST_LOGLEVEL=
-
 MACLIST_LOG_LEVEL=info

-TCP_FLAGS_LOG_LEVEL=info
+SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info

-LOG_MARTIANS=Yes
+STARTUP_LOG=/var/log/shorewall-init.log
+
+TCP_FLAGS_LOG_LEVEL=info

 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
 IPTABLES=

 IP=

-TC=
-
 IPSET=

+MODULESDIR=
+
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

+RESTOREFILE=restore
+
 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=

-MODULESDIR=
-
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
-RESTOREFILE=
-
-IPSECFILE=zones
-
-LOCKFILE=
+TC=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
+DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
+REJECT_DEFAULT="Reject"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

-IP_FORWARDING=On
+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter

 ADD_IP_ALIASES=No

 ADD_SNAT_ALIASES=No

+ADMINISABSENTMINDED=Yes
+
+AUTO_COMMENT=Yes
+
+AUTOMAKE=No
+
+BLACKLISTNEWONLY=Yes
+
+CLAMPMSS=Yes
+
+CLEAR_TC=Yes
+
+COMPLETE=No
+
+DISABLE_IPV6=No
+
+DELETE_THEN_ADD=Yes
+
+DETECT_DNAT_IPADDRS=No
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=Yes
+
+EXPORTMODULES=Yes
+
+FASTACCEPT=No
+
+FORWARD_CLEAR_MARK=
+
+IMPLICIT_CONTINUE=No
+
+IP_FORWARDING=On
+
+KEEP_RT_TABLES=No
+
+LOAD_HELPERS_ONLY=Yes
+
+LEGACY_FASTSTART=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+MANGLE_ENABLED=Yes
+
+MAPOLDACTIONS=No
+
+MARK_IN_FORWARD_CHAIN=No
+
+MODULE_SUFFIX=ko
+
+MULTICAST=No
+
+MUTEX_TIMEOUT=60
+
+NULL_ROUTE_RFC1918=No
+
+OPTIMIZE=1
+
+OPTIMIZE_ACCOUNTING=No
+
+REQUIRE_INTERFACE=No
+
+RESTORE_DEFAULT_ROUTE=Yes
+
 RETAIN_ALIASES=No

+ROUTE_FILTER=No
+
+SAVE_IPSETS=No
+
 TC_ENABLED=Internal

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=Yes
-
-ROUTE_FILTER=No
-
-DETECT_DNAT_IPADDRS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-MODULE_SUFFIX=ko
-
-DISABLE_IPV6=No
-
-DYNAMIC_ZONES=No
-
-PKTTYPE=Yes
-
-NULL_ROUTE_RFC1918=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-SAVE_IPSETS=No
-
-MAPOLDACTIONS=No
-
-FASTACCEPT=No
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-OPTIMIZE=1
-
-EXPORTPARAMS=No
-
-EXPAND_POLICIES=Yes
-
-KEEP_RT_TABLES=No
-
-DELETE_THEN_ADD=Yes
-
-MULTICAST=No
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
+TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

-RESTORE_DEFAULT_ROUTE=Yes
-
-AUTOMAKE=No
-
-WIDE_TC_MARKS=Yes
-
-TRACK_PROVIDERS=Yes
-
 ZONE2ZONE=2

-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=No
-
-EXPORTMODULES=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -215,6 +205,31 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+SMURF_DISPOSITION=DROP
+
+SFILTER_DISPOSITION=DROP
+
 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
+################################################################################
+#                            L E G A C Y  O P T I O N
+#                      D O  N O T  D E L E T E  O R  A L T E R
+################################################################################
+
+IPSECFILE=zones
+
 #LAST LINE -- DO NOT REMOVE
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -10,9 +10,17 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+#       Don't allow connection pickup from the net
+#
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -3,6 +3,7 @@
 # Shorewall version 4.0 - Sample shorewall.conf for two-interface
 #                         configuration.
 # Copyright (C) 2006,2007 by the Shorewall Team
+#               2011 by Thomas M. Eastep            
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -28,192 +29,177 @@ STARTUP_ENABLED=No

 VERBOSITY=1

-###############################################################################
-#                              C O M P I L E R
-#      (setting this to 'perl' requires installation of Shorewall-perl)
-###############################################################################
-
-SHOREWALL_COMPILER=
-
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################

-LOGFILE=/var/log/messages
+BLACKLIST_LOGLEVEL=

-STARTUP_LOG=/var/log/shorewall-init.log
+LOG_MARTIANS=Yes

 LOG_VERBOSITY=2

+LOGALLNEW=
+
+LOGFILE=/var/log/messages
+
 LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

 LOGLIMIT=

-LOGALLNEW=
-
-BLACKLIST_LOGLEVEL=
-
 MACLIST_LOG_LEVEL=info

-TCP_FLAGS_LOG_LEVEL=info
+SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info

-LOG_MARTIANS=Yes
+STARTUP_LOG=/var/log/shorewall-init.log
+
+TCP_FLAGS_LOG_LEVEL=info

 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
 IPTABLES=

 IP=

-TC=
-
 IPSET=

+MODULESDIR=
+
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

+RESTOREFILE=restore
+
 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=

-MODULESDIR=
-
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
-RESTOREFILE=
-
-IPSECFILE=zones
-
-LOCKFILE=
+TC=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
+DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
+REJECT_DEFAULT="Reject"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

-IP_FORWARDING=On
+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter

 ADD_IP_ALIASES=No

 ADD_SNAT_ALIASES=No

+ADMINISABSENTMINDED=Yes
+
+AUTO_COMMENT=Yes
+
+AUTOMAKE=No
+
+BLACKLISTNEWONLY=Yes
+
+CLAMPMSS=Yes
+
+CLEAR_TC=Yes
+
+COMPLETE=No
+
+DISABLE_IPV6=No
+
+DELETE_THEN_ADD=Yes
+
+DETECT_DNAT_IPADDRS=No
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=Yes
+
+EXPORTMODULES=Yes
+
+FASTACCEPT=No
+
+FORWARD_CLEAR_MARK=
+
+IMPLICIT_CONTINUE=No
+
+IP_FORWARDING=On
+
+KEEP_RT_TABLES=No
+
+LOAD_HELPERS_ONLY=Yes
+
+LEGACY_FASTSTART=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+MANGLE_ENABLED=Yes
+
+MAPOLDACTIONS=No
+
+MARK_IN_FORWARD_CHAIN=No
+
+MODULE_SUFFIX=ko
+
+MULTICAST=No
+
+MUTEX_TIMEOUT=60
+
+NULL_ROUTE_RFC1918=No
+
+OPTIMIZE=1
+
+OPTIMIZE_ACCOUNTING=No
+
+REQUIRE_INTERFACE=No
+
+RESTORE_DEFAULT_ROUTE=Yes
+
 RETAIN_ALIASES=No

+ROUTE_FILTER=No
+
+SAVE_IPSETS=No
+
 TC_ENABLED=Internal

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=Yes
-
-ROUTE_FILTER=No
-
-DETECT_DNAT_IPADDRS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-MODULE_SUFFIX=ko
-
-DISABLE_IPV6=No
-
-DYNAMIC_ZONES=No
-
-PKTTYPE=Yes
-
-NULL_ROUTE_RFC1918=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-SAVE_IPSETS=No
-
-MAPOLDACTIONS=No
-
-FASTACCEPT=No
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-OPTIMIZE=1
-
-EXPORTPARAMS=No
-
-EXPAND_POLICIES=Yes
-
-KEEP_RT_TABLES=No
-
-DELETE_THEN_ADD=Yes
-
-MULTICAST=No
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
+TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

-RESTORE_DEFAULT_ROUTE=Yes
-
-AUTOMAKE=No
-
-WIDE_TC_MARKS=Yes
-
-TRACK_PROVIDERS=Yes
-
 ZONE2ZONE=2

-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=No
-
-EXPORTMODULES=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -222,6 +208,31 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+SMURF_DISPOSITION=DROP
+
+SFILTER_DISPOSITION=DROP
+
 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
+################################################################################
+#                            L E G A C Y  O P T I O N
+#                      D O  N O T  D E L E T E  O R  A L T E R
+################################################################################
+
+IPSECFILE=zones
+
 #LAST LINE -- DO NOT REMOVE
--- a/Samples6/Universal/rules
+++ b/Samples6/Universal/rules
@@ -6,9 +6,10 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
--- a/Samples6/Universal/shorewall6.conf
+++ b/Samples6/Universal/shorewall6.conf
@@ -22,149 +22,173 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################

-LOGFILE=
-
-STARTUP_LOG=/var/log/shorewall6-init.log
+BLACKLIST_LOGLEVEL=

 LOG_VERBOSITY=2

-LOGFORMAT="Shorewall:%s:%s:"
+LOGALLNEW=

-LOGTAGONLY=No
+LOGFILE=
+
+LOGFORMAT="Shorewall:%s:%s:"

 LOGLIMIT=

-LOGALLNEW=
+LOGTAGONLY=No

-BLACKLIST_LOGLEVEL=
+MACLIST_LOG_LEVEL=info

-TCP_FLAGS_LOG_LEVEL=info
+SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info

+STARTUP_LOG=/var/log/shorewall6-init.log
+
+TCP_FLAGS_LOG_LEVEL=info
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

+CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
+
 IP6TABLES=

 IP=

-TC=
-
 IPSET=

+MODULESDIR=
+
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

+RESTOREFILE=
+
 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=

-MODULESDIR=
-
-CONFIG_PATH=/usr/share/shorewall6:/usr/share/shorewall
-
-RESTOREFILE=
-
-LOCKFILE=
+TC=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
+DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
+REJECT_DEFAULT="Reject"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter
+
+ADMINISABSENTMINDED=Yes
+
+AUTO_COMMENT=Yes
+
+AUTOMAKE=No
+
+BLACKLISTNEWONLY=Yes
+
+CLAMPMSS=No
+
+CLEAR_TC=Yes
+
+COMPLETE=Yes
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=Yes
+
+EXPORTMODULES=Yes
+
+FASTACCEPT=Yes
+
+FORWARD_CLEAR_MARK=
+
+IMPLICIT_CONTINUE=No
+
 IP_FORWARDING=Off

+KEEP_RT_TABLES=Yes
+
+LEGACY_FASTSTART=No
+
+LOAD_HELPERS_ONLY=Yes
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+MANGLE_ENABLED=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+MODULE_SUFFIX=ko
+
+MUTEX_TIMEOUT=60
+
+OPTIMIZE=15
+
+OPTIMIZE_ACCOUNTING=No
+
+REQUIRE_INTERFACE=Yes
+
 TC_ENABLED=No

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-MODULE_SUFFIX=ko
-
-FASTACCEPT=Yes
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-OPTIMIZE=15
-
-EXPORTPARAMS=No
-
-EXPAND_POLICIES=Yes
-
-KEEP_RT_TABLES=Yes
-
-DELETE_THEN_ADD=Yes
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
-
-AUTOMAKE=No
-
-WIDE_TC_MARKS=Yes
-
 TRACK_PROVIDERS=Yes

+USE_DEFAULT_RT=No
+
 ZONE2ZONE=2

-ACCOUNTING=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-DYNAMIC_BLACKLIST=Yes
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=Yes
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=Yes
-
-EXPORTMODULES=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

 BLACKLIST_DISPOSITION=DROP

+MACLIST_DISPOSITION=REJECTTTT
+
+SFILTER_DISPOSITION=DROP
+
+SMURF_DISPOSITION=DROP
+
 TCP_FLAGS_DISPOSITION=DROP

-#LAST LINE -- DO NOT REMOVE
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
--- a/Samples6/one-interface/rules
+++ b/Samples6/one-interface/rules
@@ -10,9 +10,13 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall6-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW

 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -1,19 +1,11 @@
 ###############################################################################
 #
-# Shorewall6 version 4 - Sample shorewall.conf for one-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# See the file README.txt for further details.
+#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
 #
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
-# The manpage is also online at 
-# http://shorewall.net/manpages6/shorewall6.conf.html
+#  Manpage also online at
+#  http://www.shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -30,143 +22,173 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################

-LOGFILE=/var/log/messages
-
-STARTUP_LOG=/var/log/shorewall6-init.log
+BLACKLIST_LOGLEVEL=

 LOG_VERBOSITY=2

-LOGFORMAT="Shorewall:%s:%s:"
+LOGALLNEW=

-LOGTAGONLY=No
+LOGFILE=
+
+LOGFORMAT="Shorewall:%s:%s:"

 LOGLIMIT=

-LOGALLNEW=
+LOGTAGONLY=No

-BLACKLIST_LOGLEVEL=
+MACLIST_LOG_LEVEL=info

-TCP_FLAGS_LOG_LEVEL=info
+SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info

+STARTUP_LOG=/var/log/shorewall6-init.log
+
+TCP_FLAGS_LOG_LEVEL=info
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

+CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
+
 IP6TABLES=

+IP=
+
+IPSET=
+
+MODULESDIR=
+
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

+RESTOREFILE=
+
 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=

-MODULESDIR=
-
-CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
-
-RESTOREFILE=
-
-LOCKFILE=
+TC=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
+DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
+REJECT_DEFAULT="Reject"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter
+
+ADMINISABSENTMINDED=Yes
+
+AUTO_COMMENT=Yes
+
+AUTOMAKE=No
+
+BLACKLISTNEWONLY=Yes
+
+CLAMPMSS=No
+
+CLEAR_TC=Yes
+
+COMPLETE=No
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=No
+
+EXPORTMODULES=Yes
+
+FASTACCEPT=No
+
+FORWARD_CLEAR_MARK=
+
+IMPLICIT_CONTINUE=No
+
 IP_FORWARDING=Off

+KEEP_RT_TABLES=Yes
+
+LEGACY_FASTSTART=No
+
+LOAD_HELPERS_ONLY=Yes
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+MANGLE_ENABLED=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+MODULE_SUFFIX=ko
+
+MUTEX_TIMEOUT=60
+
+OPTIMIZE=1
+
+OPTIMIZE_ACCOUNTING=No
+
+REQUIRE_INTERFACE=No
+
 TC_ENABLED=No

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-MODULE_SUFFIX=ko
-
-FASTACCEPT=No
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-OPTIMIZE=1
-
-EXPORTPARAMS=No
-
-EXPAND_POLICIES=No
-
-KEEP_RT_TABLES=Yes
-
-DELETE_THEN_ADD=Yes
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
-
-AUTOMAKE=No
-
-WIDE_TC_MARKS=Yes
-
 TRACK_PROVIDERS=Yes

+USE_DEFAULT_RT=No
+
 ZONE2ZONE=2

-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=No
-
-EXPORTMODULES=Yes
-
-##############################################################################
+###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

 BLACKLIST_DISPOSITION=DROP

+MACLIST_DISPOSITION=REJECT
+
+SFILTER_DISPOSITION=DROP
+
+SMURF_DISPOSITION=DROP
+
 TCP_FLAGS_DISPOSITION=DROP

-#LAST LINE -- DO NOT REMOVE
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
--- a/Samples6/three-interfaces/rules
+++ b/Samples6/three-interfaces/rules
@@ -10,9 +10,17 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+#       Don't allow connection pickup from the net
+#
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -1,19 +1,11 @@
 ###############################################################################
 #
-# Shorewall6 version 4 - Sample shorewall.conf for one-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# See the file README.txt for further details.
+#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
 #
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
-# The manpage is also online at 
-# http://shorewall.net/manpages6/shorewall6.conf.html
+#  Manpage also online at
+#  http://www.shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -30,143 +22,173 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################

-LOGFILE=/var/log/messages
-
-STARTUP_LOG=/var/log/shorewall6-init.log
+BLACKLIST_LOGLEVEL=

 LOG_VERBOSITY=2

-LOGFORMAT="Shorewall:%s:%s:"
+LOGALLNEW=

-LOGTAGONLY=No
+LOGFILE=/var/log/messages
+
+LOGFORMAT="Shorewall:%s:%s:"

 LOGLIMIT=

-LOGALLNEW=
+LOGTAGONLY=No

-BLACKLIST_LOGLEVEL=
+MACLIST_LOG_LEVEL=info

-TCP_FLAGS_LOG_LEVEL=info
+SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info

+STARTUP_LOG=/var/log/shorewall6-init.log
+
+TCP_FLAGS_LOG_LEVEL=info
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

+CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
+
 IP6TABLES=

+IP=
+
+IPSET=
+
+MODULESDIR=
+
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

+RESTOREFILE=
+
 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=

-MODULESDIR=
-
-CONFIG_PATH=/etc/shorewall6/:/usr/share/shorewall6:/usr/share/shorewall
-
-RESTOREFILE=
-
-LOCKFILE=
+TC=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
+DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
+REJECT_DEFAULT="Reject"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter
+
+ADMINISABSENTMINDED=Yes
+
+AUTO_COMMENT=Yes
+
+AUTOMAKE=No
+
+BLACKLISTNEWONLY=Yes
+
+CLAMPMSS=No
+
+CLEAR_TC=Yes
+
+COMPLETE=No
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=Yes
+
+EXPORTMODULES=Yes
+
+FASTACCEPT=No
+
+FORWARD_CLEAR_MARK=
+
+IMPLICIT_CONTINUE=No
+
 IP_FORWARDING=On

+KEEP_RT_TABLES=Yes
+
+LEGACY_FASTSTART=No
+
+LOAD_HELPERS_ONLY=Yes
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+MANGLE_ENABLED=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+MODULE_SUFFIX=ko
+
+MUTEX_TIMEOUT=60
+
+OPTIMIZE=1
+
+OPTIMIZE_ACCOUNTING=No
+
+REQUIRE_INTERFACE=No
+
 TC_ENABLED=No

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-MODULE_SUFFIX=ko
-
-FASTACCEPT=No
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-OPTIMIZE=1
-
-EXPORTPARAMS=No
-
-EXPAND_POLICIES=Yes
-
-KEEP_RT_TABLES=Yes
-
-DELETE_THEN_ADD=Yes
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
-
-AUTOMAKE=No
-
-WIDE_TC_MARKS=Yes
-
 TRACK_PROVIDERS=Yes

+USE_DEFAULT_RT=No
+
 ZONE2ZONE=2

-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=No
-
-EXPORTMODULES=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

 BLACKLIST_DISPOSITION=DROP

+MACLIST_DISPOSITION=REJECT
+
+SFILTER_DISPOSITION=DROP
+
+SMURF_DISPOSITION=DROP
+
 TCP_FLAGS_DISPOSITION=DROP

-#LAST LINE -- DO NOT REMOVE
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
--- a/Samples6/three-interfaces/zones
+++ b/Samples6/three-interfaces/zones
@@ -15,6 +15,6 @@
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
 fw	firewall
-net	ipv4
-loc	ipv4
-dmz	ipv4
+net	ipv6
+loc	ipv6
+dmz	ipv6
--- a/Samples6/two-interfaces/rules
+++ b/Samples6/two-interfaces/rules
@@ -10,9 +10,17 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+#       Don't allow connection pickup from the net
+#
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -1,19 +1,11 @@
 ###############################################################################
 #
-# Shorewall version 4.4 - Sample shorewall.conf for one-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
-#
-# This library is free software; you can redistribute it and/or
-# modify it under the terms of the GNU Lesser General Public
-# License as published by the Free Software Foundation; either
-# version 2.1 of the License, or (at your option) any later version.
-#
-# See the file README.txt for further details.
+#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
 #
 #  For information about the settings in this file, type "man shorewall6.conf"
 #
-# The manpage is also online at 
-# http://shorewall.net/manpages6/shorewall6.conf.html
+#  Manpage also online at
+#  http://www.shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -30,143 +22,173 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################

-LOGFILE=/var/log/messages
-
-STARTUP_LOG=/var/log/shorewall6-init.log
+BLACKLIST_LOGLEVEL=

 LOG_VERBOSITY=2

-LOGFORMAT="Shorewall:%s:%s:"
+LOGALLNEW=

-LOGTAGONLY=No
+LOGFILE=/var/log/messages
+
+LOGFORMAT="Shorewall:%s:%s:"

 LOGLIMIT=

-LOGALLNEW=
+LOGTAGONLY=No

-BLACKLIST_LOGLEVEL=
+MACLIST_LOG_LEVEL=info

-TCP_FLAGS_LOG_LEVEL=info
+SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info

+STARTUP_LOG=/var/log/shorewall6-init.log
+
+TCP_FLAGS_LOG_LEVEL=info
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

+CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
+
 IP6TABLES=

+IP=
+
+IPSET=
+
+MODULESDIR=
+
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

+RESTOREFILE=
+
 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=

-MODULESDIR=
-
-CONFIG_PATH=/etc/shorewall6/:/usr/share/shorewall6:/usr/share/shorewall/
-
-RESTOREFILE=
-
-LOCKFILE=
+TC=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
+DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
+QUEUE_DEFAULT="none"
+REJECT_DEFAULT="Reject"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter
+
+ADMINISABSENTMINDED=Yes
+
+AUTO_COMMENT=Yes
+
+AUTOMAKE=No
+
+BLACKLISTNEWONLY=Yes
+
+CLAMPMSS=No
+
+CLEAR_TC=Yes
+
+COMPLETE=No
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=No
+
+EXPORTMODULES=Yes
+
+FASTACCEPT=No
+
+FORWARD_CLEAR_MARK=
+
+IMPLICIT_CONTINUE=No
+
 IP_FORWARDING=On

+KEEP_RT_TABLES=Yes
+
+LEGACY_FASTSTART=No
+
+LOAD_HELPERS_ONLY=Yes
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+MANGLE_ENABLED=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+MODULE_SUFFIX=ko
+
+MUTEX_TIMEOUT=60
+
+OPTIMIZE=1
+
+OPTIMIZE_ACCOUNTING=No
+
+REQUIRE_INTERFACE=No
+
 TC_ENABLED=No

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-MODULE_SUFFIX=ko
-
-FASTACCEPT=No
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-OPTIMIZE=1
-
-EXPORTPARAMS=No
-
-EXPAND_POLICIES=No
-
-KEEP_RT_TABLES=Yes
-
-DELETE_THEN_ADD=Yes
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
-
-AUTOMAKE=No
-
-WIDE_TC_MARKS=Yes
-
 TRACK_PROVIDERS=Yes

+USE_DEFAULT_RT=No
+
 ZONE2ZONE=2

-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=Yes
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=No
-
-EXPORTMODULES=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

 BLACKLIST_DISPOSITION=DROP

+MACLIST_DISPOSITION=REJECT
+
+SFILTER_DISPOSITION=DROP
+
+SMURF_DISPOSITION=DROP
+
 TCP_FLAGS_DISPOSITION=DROP

-#LAST LINE -- DO NOT REMOVE
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
--- a/Shorewall-init/COPYING
+++ b/Shorewall-init/COPYING
@@ -2,7 +2,8 @@
 		       Version 2, June 1991

 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+                          51 Franklin Street, Fifth Floor,
+			  Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -0,0 +1,121 @@
+#! /bin/bash
+#
+# chkconfig: - 09 91
+# description: Initialize the shorewall firewall at boot time
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-Start: $local_fs
+# Required-Stop:  $local_fs
+# Default-Start:
+# Default-Stop:	  0 1 2 3 4 5 6
+# Short-Description: Initialize the shorewall firewall at boot time
+# Description:       Place the firewall in a safe state at boot time
+#                    prior to bringing up the network.  
+### END INIT INFO
+prog="shorewall-init"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/shorewall-init"
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Get startup options (override default)
+OPTIONS=
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+    . /etc/sysconfig/shorewall-init
+else
+    echo "/etc/sysconfig/shorewall-init not found"
+    exit 6
+fi
+
+# Initialize the firewall
+start () {
+    local product
+    local vardir
+
+    if [ -z "$PRODUCTS" ]; then
+	echo "No firewalls configured for shorewall-init"
+	failure
+	return 6 #Not configured
+    fi
+
+    echo -n "Initializing \"Shorewall-based firewalls\": "
+    for product in $PRODUCTS; do
+	vardir=/var/lib/$product
+	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
+	if [ -x ${vardir}/firewall ]; then
+	    ${vardir}/firewall stop 2>&1 | $logger
+	    retval=${PIPESTATUS[0]}
+	    [ retval -ne 0 ] && break
+	fi
+    done
+
+    if [ retval -eq 0 ]; then
+	touch $lockfile 
+	success
+    else
+	failure
+    fi
+    echo
+    return $retval
+}
+
+# Clear the firewall
+stop () {
+    local product
+    local vardir
+
+    echo -n "Clearing \"Shorewall-based firewalls\": "
+    for product in $PRODUCTS; do
+	vardir=/var/lib/$product
+	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
+	if [ -x ${vardir}/firewall ]; then
+	    ${vardir}/firewall clear 2>&1 | $logger
+	    retval=${PIPESTATUS[0]}
+	    [ retval -ne 0 ] && break
+	fi
+    done
+
+    if [ retval -eq 0 ]; then
+	rm -f $lockfile
+	success
+    else
+	failure
+    fi
+    echo
+    return $retval
+}
+
+status_q() {
+    status > /dev/null 2>&1
+}
+
+case "$1" in
+    start)
+	status_q && exit 0
+	$1
+	;;
+    stop)
+	status_q || exit 0
+	$1
+	;;
+    restart|reload|force-reload)
+	echo "Not implemented"
+	exit 3
+	;;
+    condrestart|try-restart)
+	echo "Not implemented"
+	exit 3
+        ;;
+    status)
+	status $prog
+	;;
+  *)
+	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+	exit 1
+esac
+
+exit 0
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -29,7 +29,7 @@
 # Required-start: $local_fs
 # Required-stop:  $local_fs
 # Default-Start:  2 3 5
-# Default-Stop:
+# Default-Stop:   6
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time
 #                    prior to bringing up the network.  
@@ -69,6 +69,10 @@ shorewall_start () {
      fi
  done

+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+
  return 0
 }

@@ -86,6 +90,13 @@ shorewall_stop () {
      fi
  done

+  if [ -n "$SAVE_IPSETS" ]; then
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      fi
+  fi
+
  return 0
 }

--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
 #       Shorewall documentation is available at http://shorewall.net
@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.19.1
+VERSION=xxx #The Build script inserts the actual version.

 usage() # $1 = exit status
 {
@@ -88,9 +88,6 @@ install_file() # $1 = source $2 = target $3 = mode

 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"

-#
-# Parse the run line
-#
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
 # ARGS is "yes" if we've already parsed an argument
@@ -124,7 +121,16 @@ done

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-[ -n "${LIBEXEC:=share}" ]
+[ -n "${LIBEXEC:=/usr/share}" ]
+
+case "$LIBEXEC" in
+    /*)
+	;;
+    *)
+	LIBEXEC=/usr/${LIBEXEC}
+	;;
+esac
+
 #
 # Determine where to install the firewall script
 #
@@ -154,6 +160,8 @@ elif [ -f /etc/debian_version ]; then
    DEBIAN=yes
 elif [ -f /etc/SuSE-release ]; then
    SUSE=Yes
+elif [ -f /etc/redhat-release ]; then
+    FEDORA=Yes
 elif [ -f /etc/slackware-version ] ; then
    echo "Shorewall-init is currently not supported on Slackware" >&2
    exit 1
@@ -175,6 +183,14 @@ else
    exit 1
 fi

+if [ -z "$DESTDIR" ]; then
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
 #
 # Change to the directory containing this script
 #
@@ -196,6 +212,8 @@ fi
 #
 if [ -n "$DEBIAN" ]; then
    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
+elif [ -n "$FEDORA" ]; then
+    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
 #elif [ -n "$ARCHLINUX" ]; then
 #    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
 else
@@ -204,6 +222,14 @@ fi

 echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"

+#
+# Install the .service file
+#
+if [ -n "$SYSTEMD" ]; then
+    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
+fi
+
 #
 # Create /usr/share/shorewall-init if needed
 #
@@ -260,9 +286,9 @@ fi
 # Install the ifupdown script
 #

-mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall-init
+mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-init

-install_file ifupdown.sh ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown 0544
+install_file ifupdown.sh ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown 0544

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
@@ -291,7 +317,11 @@ if [ -z "$DESTDIR" ]; then

 	    echo "Shorewall Init will start automatically at boot"
 	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	    if [ -n "$SYSTEMD" ]; then
+		if systemctl enable shorewall-init; then
+		    echo "Shorewall Init will start automatically at boot"
+		fi
+	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if insserv /etc/init.d/shorewall-init ; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
@@ -333,7 +363,7 @@ if [ -f ${DESTDIR}/etc/ppp ]; then
    if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then
 	for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
 	    mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
-	    cp -fp ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
+	    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
 	done
    elif [ -n "$REDHAT" ]; then
 	#
@@ -343,13 +373,13 @@ if [ -f ${DESTDIR}/etc/ppp ]; then
 	    FILE=${DESTDIR}/etc/ppp/$file
 	    if [ -f $FILE ]; then
 		if fgrep -q Shorewall-based $FILE ; then
-		    cp -fp ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown $FILE
+		    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
 		else
 		    echo "$FILE already exists -- ppp devices will not be handled"
 		    break
 		fi
 	    else
-		cp -fp ${DESTDIR}/usr/${LIBEXEC}/shorewall-init/ifupdown $FILE
+		cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
 	    fi
 	done
    fi
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+After=syslog.target
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init $OPTIONS start
+ExecStop=/sbin/shorewall-init $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target
--- a/Shorewall-init/shorewall-init.spec
+++ b/Shorewall-init/shorewall-init.spec
@@ -1,250 +0,0 @@
-%define name shorewall-init
-%define version 4.4.19
-%define release 1
-
-Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
-Name: %{name}
-Version: %{version}
-Release: %{release}
-License: GPLv2
-Packager: Tom Eastep <teastep@shorewall.net>
-Group: Networking/Utilities
-Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
-BuildArch: noarch
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-Requires: shoreline_firewall >= 4.4.10
-
-%description
-
-The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
-(iptables) based firewall that can be used on a dedicated firewall system,
-a multi-function gateway/ router/server or on a standalone GNU/Linux system.
-
-Shorewall Init is a companion product to Shorewall that allows for tigher
-control of connections during boot and that integrates Shorewall with
-ifup/ifdown and NetworkManager.
-
-%prep
-
-%setup
-
-%build
-
-%install
-export DESTDIR=$RPM_BUILD_ROOT ; \
-export OWNER=`id -n -u` ; \
-export GROUP=`id -n -g` ;\
-./install.sh
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%post
-
-if [ $1 -eq 1 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv /etc/rc.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --add shorewall-init;
-    fi
-fi
-
-if [ -f /etc/SuSE-release ]; then
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-up.d/shorewall
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-down.d/shorewall
-    if [ -d /etc/ppp ]; then
-	for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	    mkdir -p /etc/ppp/$directory
-	    cp -pf /usr/share/shorewall-init/ifupdown /etc/ppp/$directory/shorewall
-	done
-    fi
-else
-    if [ -f /sbin/ifup-local -o -f /sbin/ifdown-local ]; then
-	if ! grep -q Shorewall /sbin/ifup-local || ! grep -q Shorewall /sbin/ifdown-local; then
-	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; ifup/ifdown events will not be handled" >&2
-	else
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-	fi
-    else
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-    fi
-
-    if [ -d /etc/ppp ]; then
-	if [ -f /etc/ppp/ip-up.local -o -f /etc/ppp/ip-down.local ]; then
-	    if ! grep -q Shorewall-based /etc/ppp/ip-up.local || ! grep -q Shorewall-based /etc/ppp//ip-down.local; then
-		echo "WARNING: /etc/ppp/ip-up.local and/or /etc/ppp/ip-down.local already exist; ppp devices will not be handled" >&2
-	    fi
-	else
-	    cp -pf /usr/share/shorewall-init/ifupdown /etc/ppp/ip-up.local
-	    cp -pf /usr/share/shorewall-init/ifupdown /etc/ppp/ip-down.local
-	fi
-    fi
-
-    if [ -d /etc/NetworkManager/dispatcher.d/ ]; then
-	cp -pf /usr/share/shorewall-init/ifupdown /etc/NetworkManager/dispatcher.d/01-shorewall
-    fi
-fi
-
-%preun
-
-if [ $1 -eq 0 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv -r /etc/init.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --del shorewall-init
-    fi
-
-    [ -f /sbin/ifup-local ]   && grep -q Shorewall /sbin/ifup-local   && rm -f /sbin/ifup-local
-    [ -f /sbin/ifdown-local ] && grep -q Shorewall /sbin/ifdown-local && rm -f /sbin/ifdown-local
-
-    [ -f /etc/ppp/ip-up.local ]   && grep -q Shorewall-based /etc/ppp/ip-up.local   && rm -f /etc/ppp/ip-up.local
-    [ -f /etc/ppp/ip-down.local ] && grep -q Shorewall-based /etc/ppp/ip-down.local && rm -f /etc/ppp/ip-down.local
-
-    rm -f /etc/NetworkManager/dispatcher.d/01-shorewall
-fi
-
-%files
-%defattr(0644,root,root,0755)
-%attr(0644,root,root) %config(noreplace) /etc/sysconfig/shorewall-init
-
-%attr(0544,root,root) /etc/init.d/shorewall-init
-%attr(0755,root,root) %dir /usr/share/shorewall-init
-
-%attr(0644,root,root) /usr/share/shorewall-init/version
-%attr(0544,root,root) /usr/share/shorewall-init/ifupdown
-
-%doc COPYING changelog.txt releasenotes.txt
-
-%changelog
-* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1
-* Sat Apr 09 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0base
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0RC1
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta5
-* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta4
-* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta3
-* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta1
-* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0base
-* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0RC1
-* Sun Feb 20 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta4
-* Sat Feb 19 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta3
-* Sun Feb 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta2
-* Sat Feb 05 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta1
-* Fri Feb 04 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0base
-* Sun Jan 30 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0RC1
-* Fri Jan 28 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0Beta3
-* Wed Jan 19 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0Beta2
-* Sat Jan 08 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0Beta1
-* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0base
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0RC1
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta8
-* Sun Dec 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta7
-* Mon Dec 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta6
-* Fri Dec 10 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta5
-* Sat Dec 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta4
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta3
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta2
-* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta1
-* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0base
-* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0RC1
-* Mon Nov 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0Beta2
-* Sat Oct 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0Beta1
-* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0base
-* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0RC1
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta4
-* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta3
-* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta2
-* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Tue May 18 2010 Tom Eastep tom@shorewall.net
- Initial version
-
-
-
--- a/Shorewall-init/sysconfig
+++ b/Shorewall-init/sysconfig
@@ -10,3 +10,9 @@ PRODUCTS=""
 # ifup/ifdown and NetworkManager events
 #
 IFUPDOWN=0
+#
+# Set this to the name of the file that is to hold
+# ipset contents. Shorewall-init will load those ipsets
+# during 'start' and will save them there during 'stop'.
+#
+SAVE_IPSETS=""
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,10 +1,10 @@
-#!/bin/sh
+\#!/bin/sh
 #
 # Script to back uninstall Shoreline Firewall
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.19.1
+VERSION=xxx  #The Build script inserts the actual version

 usage() # $1 = exit status
 {
@@ -60,7 +60,7 @@ else
    VERSION=""
 fi

-[ -n "${LIBEXEC:=share}" ]
+[ -n "${LIBEXEC:=/usr/share}" ]

 echo "Uninstalling Shorewall Init $VERSION"

@@ -73,6 +73,8 @@ if [ -n "$INITSCRIPT" ]; then
        insserv -r $INITSCRIPT
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $INITSCRIPT)
+    elif [ -x /sbin/systemctl ]; then
+	systemctl disable shorewall-init
    else
 	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
    fi
@@ -93,6 +95,7 @@ remove_file /etc/network/if-down.d/shorewall

 remove_file /etc/sysconfig/network/if-up.d/shorewall
 remove_file /etc/sysconfig/network/if-down.d/shorewall
+remove_file /lib/systemd/system/shorewall.service

 if [ -d /etc/ppp ]; then
    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
@@ -107,7 +110,7 @@ if [ -d /etc/ppp ]; then
 fi

 rm -rf /usr/share/shorewall-init
-rm -rf /usr/${LIBEXEC}/shorewall-init
+rm -rf ${LIBEXEC}/shorewall-init

 echo "Shorewall Init Uninstalled"

--- a/Shorewall-lite/COPYING
+++ b/Shorewall-lite/COPYING
@@ -2,7 +2,8 @@
 		       Version 2, June 1991

 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+                          51 Franklin Street, Fifth Floor,
+			  Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -109,6 +109,11 @@ shorewall_refresh () {
  return 0
 }

+# status of the firewall
+shorewall_status () {
+  $SRWL $SRWL_OPTS status && exit 0 || exit $?
+}
+
 case "$1" in
  start)
     shorewall_start
@@ -122,8 +127,11 @@ case "$1" in
  force-reload|restart)
     shorewall_restart
     ;;
+  status)
+     shorewall_status
+     ;;
  *)
-     echo "Usage: /etc/init.d/shorewall-lite {start|stop|refresh|restart|force-reload}"
+     echo "Usage: /etc/init.d/shorewall-lite {start|stop|refresh|restart|force-reload|status}"
     exit 1
 esac

--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall-lite
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop:	  0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall-lite"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+    . /etc/sysconfig/$prog
+fi
+
+start() {
+    echo -n $"Starting Shorewall: "
+    $shorewall $OPTIONS start 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping Shorewall: "
+    $shorewall $OPTIONS stop 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	rm -f $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+    echo -n $"Restarting Shorewall: "
+    $shorewall $OPTIONS restart 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else # Failed to start, clean up lock file if present
+	rm -f $lockfile
+	failure
+    fi
+    echo
+    return $retval
+}
+
+status(){
+    $shorewall status
+    return $?
+}
+
+status_q() {
+    status > /dev/null 2>&1
+}
+
+case "$1" in
+    start)
+	status_q && exit 0
+	$1
+	;;
+    stop)
+	status_q || exit 0
+	$1
+	;;
+    restart|reload|force-reload)
+	restart
+	;;
+    condrestart|try-restart)
+        status_q || exit 0
+        restart
+        ;;
+    status)
+	$1
+	;;
+    *)
+	echo "Usage: $0 start|stop|reload|restart|force-reload|status"
+	exit 1
+	;;
+esac
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.19.1
+VERSION=xxx #The Build script inserts the actual version

 usage() # $1 = exit status
 {
@@ -123,11 +123,19 @@ done

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-[ -n "${LIBEXEC:=share}" ]
+[ -n "${LIBEXEC:=/usr/share}" ]
+
+case "$LIBEXEC" in
+    /*)
+	;;
+    *)
+	LIBEXEC=/usr/${LIBEXEC}
+	;;
+esac
+
 #
 # Determine where to install the firewall script
 #
-DEBIAN=
 CYGWIN=
 INSTALLD='-D'
 T='-T'
@@ -164,6 +172,8 @@ if [ -n "$DESTDIR" ]; then
    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
    DEBIAN=yes
+elif [ -f /etc/redhat-release ]; then
+    FEDORA=yes
 elif [ -f /etc/slackware-version ] ; then
    DEST="/etc/rc.d"
    INIT="rc.firewall"
@@ -173,6 +183,14 @@ elif [ -f /etc/arch-release ] ; then
      ARCHLINUX=yes
 fi

+if [ -z "$DESTDIR" ]; then
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
 #
 # Change to the directory containing this script
 #
@@ -214,12 +232,13 @@ echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh /etc/init.d/shorewall-lite 0544
+    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
+elif [ -n "$FEDORA" ]; then
+    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-
+    install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
 else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
 fi

 echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
@@ -229,7 +248,7 @@ echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
 #
 mkdir -p ${DESTDIR}/etc/shorewall-lite
 mkdir -p ${DESTDIR}/usr/share/shorewall-lite
-mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite
+mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-lite
 mkdir -p ${DESTDIR}/var/lib/shorewall-lite

 chmod 755 ${DESTDIR}/etc/shorewall-lite
@@ -240,6 +259,14 @@ if [ -n "$DESTDIR" ]; then
    chmod 755 ${DESTDIR}/etc/logrotate.d
 fi

+#
+# Install the .service file
+#
+if [ -n "$SYSTEMD" ]; then
+    run_install $OWNERSHIP -m 600 shorewall-lite.service ${DESTDIR}/lib/systemd/system/shorewall-lite.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-lite.service"
+fi
+
 #
 # Install the config file
 #
@@ -282,20 +309,20 @@ echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functi
 # Install Shorecap
 #

-install_file shorecap ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/shorecap 0755
+install_file shorecap ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap 0755

 echo
-echo "Capability file builder installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/shorecap"
+echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap"

 #
 # Install wait4ifup
 #

 if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/wait4ifup 0755
+    install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup 0755

    echo
-    echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall-lite/wait4ifup"
+    echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup"
 fi

 #
@@ -380,7 +407,11 @@ if [ -z "$DESTDIR" ]; then

 	    echo "Shorewall Lite will start automatically at boot"
 	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	    if [ -n "$SYSTEMD" ]; then
+		if systemctl enable shorewall-lite; then
+		    echo "Shorewall Lite will start automatically at boot"
+		fi
+	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if insserv /etc/init.d/shorewall-lite ; then
 		    echo "Shorewall Lite will start automatically at boot"
 		else
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -1,10 +1,10 @@
 #!/bin/sh
 #
-#     Shorewall Lite Packet Filtering Firewall Control Program - V4.1
+#     Shorewall Lite Packet Filtering Firewall Control Program - V4.4
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall-lite.
 #
@@ -365,8 +365,10 @@ usage() # $1 = exit status
    echo "   allow <address> ..."
    echo "   clear"
    echo "   delete <interface>[:<host-list>] ... <zone>"
+    echo "   disable <interface>"
    echo "   drop <address> ..."
    echo "   dump [ -x ]"
+    echo "   enable <interface>"
    echo "   forget [ <file name> ]"
    echo "   help"
    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
@@ -664,7 +666,7 @@ case "$COMMAND" in
 	;;
    status)
 	[ $# -eq 1 ] || usage 1
-	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
+	[ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	echo "Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
 	echo
 	if shorewall_is_started ; then
@@ -754,6 +756,14 @@ case "$COMMAND" in
 	shift
 	add_command $@
 	;;
+    disable|enable)
+	get_config Yes
+	if shorewall_is_started; then
+	    run_it ${VARDIR}/firewall $g_debugging $@
+	else
+	    fatal_error "Shorewall is not running"
+	fi
+	;;
    save)
 	[ -n "$debugging" ] && set -x

--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv4 firewall (lite)
+After=syslog.target
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-lite $OPTIONS start
+ExecStop=/sbin/shorewall-lite $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,461 +0,0 @@
-%define name shorewall-lite
-%define version 4.4.19
-%define release 1
-
-Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
-Name: %{name}
-Version: %{version}
-Release: %{release}
-License: GPLv2
-Packager: Tom Eastep <teastep@shorewall.net>
-Group: Networking/Utilities
-Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
-BuildArch: noarch
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-Requires: iptables iproute
-Provides: shoreline_firewall = %{version}-%{release}
-
-%description
-
-The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
-(iptables) based firewall that can be used on a dedicated firewall system,
-a multi-function gateway/ router/server or on a standalone GNU/Linux system.
-
-Shorewall Lite is a companion product to Shorewall that allows network
-administrators to centralize the configuration of Shorewall-based firewalls.
-
-%prep
-
-%setup
-
-%build
-
-%install
-export DESTDIR=$RPM_BUILD_ROOT ; \
-export OWNER=`id -n -u` ; \
-export GROUP=`id -n -g` ;\
-./install.sh
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%pre
-
-if [ -f /etc/shorewall-lite/shorewall.conf ]; then
-    cp -fa /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall.conf.rpmsave
-fi
-
-%post
-
-if [ $1 -eq 1 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv /etc/rc.d/shorewall-lite
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --add shorewall-lite;
-    fi
-elif [ -f /etc/shorewall-lite/shorewall.conf.rpmsave ]; then
-    mv -f /etc/shorewall-lite/shorewall-lite.conf /etc/shorewall-lite/shorewall-lite.conf.rpmnew
-    mv -f /etc/shorewall-lite/shorewall.conf.rpmsave /etc/shorewall-lite/shorewall-lite.conf
-    echo "/etc/shorewall-lite/shorewall.conf retained as /etc/shorewall-lite/shorewall-lite.conf"
-    echo "/etc/shorewall-lite/shorewall-lite.conf installed as /etc/shorewall-lite/shorewall-lite.conf.rpmnew"
-fi
-
-%preun
-
-if [ $1 -eq 0 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv -r /etc/init.d/shorewall-lite
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --del shorewall-lite
-    fi
-fi
-
-%files
-%defattr(0644,root,root,0755)
-%attr(0755,root,root) %dir /etc/shorewall-lite
-%attr(0644,root,root) %config(noreplace) /etc/shorewall-lite/shorewall-lite.conf
-%attr(0644,root,root) /etc/shorewall-lite/Makefile
-%attr(0544,root,root) /etc/init.d/shorewall-lite
-%attr(0755,root,root) %dir /usr/share/shorewall-lite
-%attr(0700,root,root) %dir /var/lib/shorewall-lite
-
-%attr(0644,root,root) /etc/logrotate.d/shorewall-lite
-
-%attr(0755,root,root) /sbin/shorewall-lite
-
-%attr(0644,root,root) /usr/share/shorewall-lite/version
-%attr(0644,root,root) /usr/share/shorewall-lite/configpath
-%attr(-   ,root,root) /usr/share/shorewall-lite/functions
-%attr(0644,root,root) /usr/share/shorewall-lite/lib.base
-%attr(0644,root,root) /usr/share/shorewall-lite/lib.cli
-%attr(0644,root,root) /usr/share/shorewall-lite/lib.common
-%attr(0644,root,root) /usr/share/shorewall-lite/modules*
-%attr(0644,root,root) /usr/share/shorewall-lite/helpers
-%attr(0544,root,root) /usr/share/shorewall-lite/shorecap
-%attr(0755,root,root) /usr/share/shorewall-lite/wait4ifup
-
-%attr(0644,root,root) %{_mandir}/man5/shorewall-lite.conf.5.gz
-%attr(0644,root,root) %{_mandir}/man5/shorewall-lite-vardir.5.gz
-
-%attr(0644,root,root) %{_mandir}/man8/shorewall-lite.8.gz
-
-%doc COPYING changelog.txt releasenotes.txt
-
-%changelog
-* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1
-* Sat Apr 09 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0base
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0RC1
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta5
-* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta4
-* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta3
-* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta1
-* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0base
-* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0RC1
-* Sun Feb 20 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta4
-* Sat Feb 19 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta3
-* Sun Feb 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta2
-* Sat Feb 05 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta1
-* Fri Feb 04 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0base
-* Sun Jan 30 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0RC1
-* Fri Jan 28 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0Beta3
-* Wed Jan 19 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0Beta2
-* Sat Jan 08 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0Beta1
-* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0base
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0RC1
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta8
-* Sun Dec 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta7
-* Mon Dec 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta6
-* Fri Dec 10 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta5
-* Sat Dec 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta4
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta3
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta2
-* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta1
-* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0base
-* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0RC1
-* Mon Nov 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0Beta2
-* Sat Oct 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0Beta1
-* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0base
-* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0RC1
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta4
-* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta3
-* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta2
-* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta1
-* Mon May 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0base
-* Sun May 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0RC2
-* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0RC1
-* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta5
-* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta4
-* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta3
-* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta2
-* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta1
-* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0base
-* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0RC2
-* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0RC1
-* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0Beta2
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0Beta1
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta2
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.6-0base
-* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.5-0base
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.4-0Beta1
-* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.3-0base
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-0base
-* Mon Aug 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0base
-* Tue Jul 28 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0RC2
-* Sun Jul 12 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0RC1
-* Thu Jul 09 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0Beta4
-* Sat Jun 27 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0Beta3
-* Mon Jun 15 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0Beta2
-* Fri Jun 12 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0Beta1
-* Sun Jun 07 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.13-0base
-* Fri Jun 05 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.12-0base
-* Sun May 10 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.11-0base
-* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.10-0base
-* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.9-0base
-* Tue Mar 17 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.8-0base
-* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.7-0base
-* Fri Feb 27 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base
-* Sun Feb 22 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.5-0base
-* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
-* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
-* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base
-* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0base
-* Fri Dec 05 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.3-0base
-* Wed Nov 05 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.2-0base
-* Wed Oct 08 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.1-0base
-* Fri Oct 03 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0base
-* Tue Sep 23 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0RC4
-* Mon Sep 15 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0RC3
-* Mon Sep 08 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0RC2
-* Tue Aug 19 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0RC1
-* Thu Jul 03 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0Beta3
-* Mon Jun 02 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0Beta2
-* Wed May 07 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0Beta1
-* Mon Apr 28 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.8-0base
-* Mon Mar 24 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.7-0base
-* Thu Mar 13 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.6-0base
-* Tue Feb 05 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.5-0base
-* Fri Jan 04 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.4-0base
-* Wed Dec 12 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.3-0base
-* Fri Dec 07 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.3-1
-* Tue Nov 27 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.2-1
-* Wed Nov 21 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.1-1
-* Mon Nov 19 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.0-1
-* Thu Nov 15 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-1
-* Sat Nov 10 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-0RC3
-* Wed Nov 07 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-0RC2
-* Thu Oct 25 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-0RC1
-* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.5-1
-* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.4-1
-* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.3-1
-* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.2-1
-* Sat Jul 21 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.1-1
-* Wed Jul 11 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-1
-* Sun Jul 08 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0RC2
-* Mon Jul 02 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0RC1
-* Sun Jun 24 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta7
-* Wed Jun 20 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta6
-* Thu Jun 14 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta5
-* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta4
-* Tue Jun 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta3
-* Tue May 15 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta1
-* Fri May 11 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.7-1
-* Sat May 05 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.6-1
-* Mon Apr 30 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.5-1
-* Mon Apr 23 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.4-1
-* Wed Apr 18 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.3-1
-* Sat Apr 14 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.2-1
-* Sat Apr 07 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.1-1
-* Thu Mar 15 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.1-1
-* Sat Mar 10 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-1
-* Sun Feb 25 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0RC3
-* Sun Feb 04 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0RC2
-* Wed Jan 24 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0RC1
-* Mon Jan 22 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0Beta3
-* Wed Jan 03 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0Beta2
- Handle rename of shorewall.conf
-* Thu Dec 14 2006 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0Beta1
-* Sat Nov 25 2006 Tom Eastep tom@shorewall.net
- Added shorewall-exclusion(5)
- Updated to 3.3.6-1
-* Sun Nov 19 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.5-1
-* Sun Oct 29 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.4-1
-* Mon Oct 16 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.3-1
-* Sat Sep 30 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.2-1
-* Wed Aug 30 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.1-1
-* Wed Aug 09 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.0-1
-* Wed Aug 09 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.0-1
-
-
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.19.1
+VERSION=xxx  #The Build script inserts the actual version

 usage() # $1 = exit status
 {
@@ -72,7 +72,7 @@ else
    VERSION=""
 fi

-[ -n "${LIBEXEC:=share}" ]
+[ -n "${LIBEXEC:=/usr/share}" ]

 echo "Uninstalling Shorewall Lite $VERSION"

@@ -93,6 +93,8 @@ if [ -n "$FIREWALL" ]; then
        insserv -r $FIREWALL
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
+    elif [ -x /sbin/systemctl ]; then
+	systemctl disable shorewall-lite
    else
 	rm -f /etc/rc*.d/*$(basename $FIREWALL)
    fi
@@ -109,9 +111,10 @@ rm -rf /etc/shorewall-lite-*.bkout
 rm -rf /var/lib/shorewall-lite
 rm -rf /var/lib/shorewall-lite-*.bkout
 rm -rf /usr/share/shorewall-lite
-rm -rf /usr/${LIBEXEC}/shorewall-lite
+rm -rf ${LIBEXEC}/shorewall-lite
 rm -rf /usr/share/shorewall-lite-*.bkout
 rm -f  /etc/logrotate.d/shorewall-lite
+rm -f  /lib/systemd/system/shorewall-lite.service

 echo "Shorewall Lite Uninstalled"

--- a/Shorewall/COPYING
+++ b/Shorewall/COPYING
@@ -2,7 +2,8 @@
 		       Version 2, June 1991

 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+                          51 Franklin Street, Fifth Floor,
+			  Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

--- a/Shorewall/Macros/macro.A_AllowICMPs
+++ b/Shorewall/Macros/macro.A_AllowICMPs
@@ -0,0 +1,15 @@
+#
+# Shorewall version 4 - Audited AllowICMPs Macro
+#
+# /usr/share/shorewall/macro.AAllowICMPs
+#
+#	This macro A_ACCEPTs needed ICMP types
+#
+###############################################################################
+#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#					PORT(S)	PORT(S)	LIMIT	GROUP
+
+COMMENT Needed ICMP types
+
+A_ACCEPT       -	-	icmp	fragmentation-needed
+A_ACCEPT       -	-	icmp	time-exceeded
--- a/Shorewall/Macros/macro.A_DropDNSrep
+++ b/Shorewall/Macros/macro.A_DropDNSrep
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Audited DropDNSrep Macro
+#
+# /usr/share/shorewall/macro.ADropDNSrep
+#
+#	This macro silently audites and drops DNS UDP replies
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+
+COMMENT Late DNS Replies
+
+A_DROP	-	-	udp	-	53
--- a/Shorewall/Macros/macro.A_DropUPnP
+++ b/Shorewall/Macros/macro.A_DropUPnP
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - ADropUPnP Macro
+#
+# /usr/share/shorewall/macro.ADropUPnP
+#
+#	This macro silently drops UPnP probes on UDP port 1900
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+
+COMMENT UPnP
+
+A_DROP	-	-	udp	1900
--- a/Shorewall/Macros/macro.AllowICMPs
+++ b/Shorewall/Macros/macro.AllowICMPs
@@ -11,5 +11,6 @@

 COMMENT Needed ICMP types

-ACCEPT	-	-	icmp	fragmentation-needed
-ACCEPT	-	-	icmp	time-exceeded
+DEFAULT ACCEPT
+PARAM	-	-	icmp	fragmentation-needed
+PARAM	-	-	icmp	time-exceeded
--- a/Shorewall/Macros/macro.DropDNSrep
+++ b/Shorewall/Macros/macro.DropDNSrep
@@ -11,4 +11,5 @@

 COMMENT Late DNS Replies

-DROP	-	-	udp	-	53
+DEFAULT DROP
+PARAM	-	-	udp	-	53
--- a/Shorewall/Macros/macro.DropUPnP
+++ b/Shorewall/Macros/macro.DropUPnP
@@ -11,4 +11,5 @@

 COMMENT UPnP

-DROP	-	-	udp	1900
+DEFAULT DROP
+PARAM	-	-	udp	1900
--- a/Shorewall/Macros/macro.MSNP
+++ b/Shorewall/Macros/macro.MSNP
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - MSNP Macro
+#
+# /usr/share/shorewall/macro.MSNP
+#
+#	This macro handles MSNP (MicroSoft Notification Protocol)
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	1863
--- a/Shorewall/Macros/macro.Syslog
+++ b/Shorewall/Macros/macro.Syslog
@@ -3,9 +3,10 @@
 #
 # /usr/share/shorewall/macro.Syslog
 #
-#	This macro handles syslog UDP traffic.
+#	This macro handles syslog traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	514
+PARAM	-	-	tcp	514
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,21 +35,22 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4.18';
+our $VERSION = 'MODULEVERSION';

 #
 # Per-IP accounting tables. Each entry contains the associated network.
 #
-our %tables;
+my %tables;

-our $jumpchainref;
-our %accountingjumps;
-our $asection;
-our $defaultchain;
-our $defaultrestriction;
-our $restriction;
-our $accounting_commands = { COMMENT => 0, SECTION => 2 };
-our $sectionname;
+my $jumpchainref;
+my %accountingjumps;
+my $asection;
+my $defaultchain;
+my $defaultrestriction;
+my $restriction;
+my $accounting_commands = { COMMENT => 0, SECTION => 2 };
+my $sectionname;
+my $acctable;

 #
 # Sections in the Accounting File
@@ -57,15 +58,21 @@ our $sectionname;

 use constant {
 	      LEGACY      => 0,
-	      INPUT   => 1,
-	      OUTPUT  => 2,
-	      FORWARD => 3 };
+	      PREROUTING  => 1,
+	      INPUT       => 2,
+	      OUTPUT      => 3,
+	      FORWARD     => 4,
+	      POSTROUTING => 5
+	  };
 #
 # Map names to values
 #
-our %asections = ( INPUT   => INPUT,
+our %asections = ( PREROUTING  => PREROUTING,
+		   INPUT       => INPUT,
 		   FORWARD     => FORWARD,
-		   OUTPUT  => OUTPUT );
+		   OUTPUT      => OUTPUT,
+		   POSTROUTING => POSTROUTING
+		 );

 #
 # Called by the compiler to [re-]initialize this module's state
@@ -108,9 +115,18 @@ sub process_section ($) {
    } elsif ( $sectionname eq 'OUTPUT' ) {
 	$defaultchain = 'accountout';
 	$defaultrestriction = OUTPUT_RESTRICT;
-    } else {
+    } elsif ( $sectionname eq 'FORWARD' ) {
 	$defaultchain = 'accountfwd';
 	$defaultrestriction = NO_RESTRICT;
+     } else {
+	 fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle';
+	 if ( $sectionname eq 'PREROUTING' ) {
+	     $defaultchain = 'accountpre';
+	     $defaultrestriction = PREROUTE_RESTRICT;
+	 } else {
+	     $defaultchain = 'accountpost';
+	     $defaultrestriction = POSTROUTE_RESTRICT;
+	 }
     }

    $asection = $newsect;
@@ -121,9 +137,14 @@ sub process_section ($) {
 #
 sub process_accounting_rule( ) {

+    $acctable = $config{ACCOUNTING_TABLE};
+
    $jumpchainref = 0;

-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File', $accounting_commands;
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
+	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
+
+    fatal_error 'ACTION must be specified' if $action eq '-';

    if ( $action eq 'COMMENT' ) {
 	process_comment;
@@ -140,7 +161,7 @@ sub process_accounting_rule( ) {
    our $disposition = '';

    sub reserved_chain_name($) {
-	$_[0] =~ /^acc(?:ount(?:fwd|in|ing|out)|ipsecin|ipsecout)$/;
+	$_[0] =~ /^acc(?:ount(?:fwd|in|ing|out|pre|post)|ipsecin|ipsecout)$/;
    }

    sub ipsec_chain_name($) {
@@ -187,7 +208,7 @@ sub process_accounting_rule( ) {
 		require_capability 'ACCOUNT_TARGET' , 'ACCOUNT Rules' , '';
 		my ( $table, $net, $rest ) = split/,/, $1;
 		fatal_error "Invalid Network Address (${net},${rest})" if defined $rest;
-		fatal_error "Missing Table Name"                       unless defined $table && $table ne '';;
+		fatal_error "Missing Table Name"                       unless supplied $table;
 		fatal_error "Invalid Table Name ($table)"              unless $table =~ /^([-\w.]+)$/;
 		fatal_error "Missing Network Address"                  unless defined $net;
 		fatal_error "Invalid Network Address ($net)"           unless defined $net   && $net =~ '/(\d+)$';
@@ -206,6 +227,8 @@ sub process_accounting_rule( ) {
 	    } else {
 		fatal_error "Invalid ACCOUNT Action";
 	    }
+	} elsif ( $action =~ /^NFLOG/ ) {
+	    $target = validate_level $action;
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;

@@ -261,7 +284,7 @@ sub process_accounting_rule( ) {
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
    }

-    my $chainref = $filter_table->{$chain};
+    my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain};
    my $dir;

    if ( ! $chainref ) {
@@ -376,41 +399,51 @@ sub setup_accounting() {
 	clear_comment;

 	if ( $nonEmpty ) {
+	    my $tableref = $chain_table{$acctable};
+
 	    if ( have_bridges || $asection ) {
-		if ( $filter_table->{accountin} ) {
-		    add_jump( $filter_table->{INPUT}, 'accountin', 0, '', 0, 0 );
+		if ( $tableref->{accountin} ) {
+		    insert_ijump( $tableref->{INPUT}, j => 'accountin', 0 );
 		}

-		if ( $filter_table->{accounting} ) {
+		if ( $tableref->{accounting} ) {
 		    dont_optimize( 'accounting' );
 		    for my $chain ( qw/INPUT FORWARD/ ) {
-			add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+			insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		    }
 		}

-		if ( $filter_table->{accountfwd} ) {
-		    add_jump( $filter_table->{FORWARD}, 'accountfwd', 0, '', 0, 0 );
+		if ( $tableref->{accountfwd} ) {
+		    insert_ijump( $tableref->{FORWARD}, j => 'accountfwd', 0 );
 		}

-		if ( $filter_table->{accountout} ) {
-		    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
+		if ( $tableref->{accountout} ) {
+		    insert_ijump( $tableref->{OUTPUT}, j => 'accountout', 0 );
 		}
-	    } elsif ( $filter_table->{accounting} ) {
+
+		if ( $tableref->{accountpre} ) {
+		    insert_ijump( $tableref->{PREROUTING}, j => 'accountpre' , 0 );
+		}
+
+		if ( $tableref->{accountpost} ) {
+		    insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 );
+		}
+	    } elsif ( $tableref->{accounting} ) {
 		dont_optimize( 'accounting' );
 		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		}
 	    }

-	    if ( $filter_table->{accipsecin} ) {
+	    if ( $tableref->{accipsecin} ) {
 		for my $chain ( qw/INPUT FORWARD/ ) {
-		    add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
+		    insert_ijump( $tableref->{$chain}, j => 'accipsecin', 0 );
 		}
 	    }

-	    if ( $filter_table->{accipsecout} ) {
+	    if ( $tableref->{accipsecout} ) {
 		for my $chain ( qw/FORWARD OUTPUT/ ) {
-		    add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{$chain}, j => 'accipsecout', 0 );
 		}
 	    }

--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -38,24 +38,26 @@ use Shorewall::IPAddrs;
 use Shorewall::Raw;
 use Shorewall::Misc;

+use strict;
+
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_19';
+our $VERSION = 'MODULEVERSION';

-our $export;
+my $export;

-our $test;
+my $test;

-our $family;
+my $family;

 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals() {
+sub initialize_package_globals( $ ) {
    Shorewall::Config::initialize($family);
-    Shorewall::Chains::initialize ($family, 1);
-    Shorewall::Zones::initialize ($family);
+    Shorewall::Chains::initialize ($family, 1, $export );
+    Shorewall::Zones::initialize ($family, shift);
    Shorewall::Nat::initialize;
    Shorewall::Providers::initialize($family);
    Shorewall::Tc::initialize($family);
@@ -81,11 +83,11 @@ sub generate_script_1( $ ) {

    if ( $script ) {
 	if ( $test ) {
-	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
+	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
 	    my $date = localtime;

-	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
+	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";

 	    if ( $family == F_IPV4 ) {
 		copy $globals{SHAREDIRPL} . 'prog.header';
@@ -108,7 +110,7 @@ sub generate_script_1( $ ) {
 ################################################################################
 EOF

-    for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -116,7 +118,7 @@ EOF
 	emit '}';
    }

-    for my $exit qw/isusable findgw/ {
+    for my $exit ( qw/isusable findgw/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file($exit, 1) or emit 'true';
@@ -263,9 +265,9 @@ sub generate_script_2() {
 	push_indent;

 	if ( $global_variables & NOT_RESTORE ) {
-	    emit( 'start|restart|refresh)' );
+	    emit( 'start|restart|refresh|disable|enable)' );
 	} else {
-	    emit( 'start|restart|refresh|restore)' );
+	    emit( 'start|restart|refresh|disable|enable|restore)' );
 	}

 	push_indent;
@@ -354,9 +356,9 @@ sub generate_script_3($) {

    emit '';

-    if ( $family == F_IPV4 ) {
    load_ipsets;

+    if ( $family == F_IPV4 ) {
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
 	       '   run_refresh_exit' ,
 	       'else' ,
@@ -430,6 +432,10 @@ sub generate_script_3($) {
    save_policies;
    emit_unindented '__EOF__';

+    emit 'cat > ${VARDIR}/marks << __EOF__';
+    dump_mark_layout;
+    emit_unindented '__EOF__';
+
    pop_indent;

    emit "fi\n";
@@ -523,8 +529,8 @@ EOF
 #
 sub compiler {

-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , '');

    $export = 0;
    $test   = 0;
@@ -556,7 +562,12 @@ sub compiler {
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
-		  preview       => { store => \$preview },
+		  preview       => { store => \$preview,       validate=> \&validate_boolean    } ,    
+		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
+		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
+		  convert       => { store => \$convert,       validate=> \&validate_boolean    } ,
+		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
+		  config_path   => { store => \$config_path } ,
 		);
    #
    #                               P A R A M E T E R    P R O C E S S I N G
@@ -574,7 +585,9 @@ sub compiler {
    #
    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
    #
-    initialize_package_globals;
+    initialize_package_globals( $update );
+
+    set_config_path( $config_path ) if $config_path;

    if ( $directory ne '' ) {
 	fatal_error "$directory is not an existing directory" unless -d $directory;
@@ -586,11 +599,11 @@ sub compiler {
    set_verbosity( $verbosity );
    set_log($log, $log_verbosity) if $log;
    set_timestamp( $timestamp );
-    set_debug( $debug );
+    set_debug( $debug , $confess );
    #
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
-    get_configuration( $export );
+    get_configuration( $export , $update , $annotate );

    report_capabilities unless $config{LOAD_HELPERS_ONLY};

@@ -609,8 +622,7 @@ sub compiler {
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # shorewall.conf has been processed and the capabilities have been determined.
    #
-    initialize_chain_table;
-
+    initialize_chain_table(1);
    #
    # Allow user to load Perl modules
    #
@@ -635,7 +647,7 @@ sub compiler {
    #
    # Do action pre-processing.
    #
-    process_actions1;
+    process_actions;
    #
    #                                        P O L I C Y
    #                           (Produces no output to the compiled script)
@@ -669,15 +681,7 @@ sub compiler {
    #
    # Do all of the zone-independent stuff (mostly /proc)
    #
-    add_common_rules;
-    #
-    # Process policy actions
-    #
-    disable_script;
-
-    process_actions2;
-
-    enable_script;
+    add_common_rules( $convert );
    #
    # More /proc
    #
@@ -700,7 +704,7 @@ sub compiler {
    if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
-	emit '}';
+	emit '}'; # End of setup_common_rules()
    }

    disable_script;
@@ -709,7 +713,17 @@ sub compiler {
    #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
    #
    enable_script;
-
+    #
+    # Validate the TC files so that the providers will know what interfaces have TC
+    #
+    my $tcinterfaces = process_tc;
+    #
+    # Generate a function to bring up each provider
+    #
+    process_providers( $tcinterfaces );
+    #
+    # [Re-]establish Routing
+    #
    if ( $scriptfilename || $debug ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
@@ -719,9 +733,7 @@ sub compiler {

 	push_indent;
    }
-    #
-    # [Re-]establish Routing
-    #
+
    setup_providers;
    #
    # TCRules and Traffic Shaping
@@ -730,7 +742,7 @@ sub compiler {

    if ( $scriptfilename || $debug ) {
 	pop_indent;
-	emit "}\n";
+	emit "}\n"; # End of setup_routing_and_traffic_shaping()
    }

    disable_script;
@@ -753,12 +765,12 @@ sub compiler {
 	# Setup Nat
 	#
 	setup_nat;
+    }
+
    #
    # Setup NETMAP
    #
    setup_netmap;
-    }
-
    #
    # MACLIST Filtration
    #
@@ -790,7 +802,7 @@ sub compiler {
 	#
 	generate_matrix;

-	if ( $config{OPTIMIZE} & 0xE ) {
+	if ( $config{OPTIMIZE} & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
@@ -799,7 +811,7 @@ sub compiler {
 	    #
 	    # More Optimization
 	    #
-	    optimize_ruleset if $config{OPTIMIZE} & 0xC;
+	    optimize_ruleset if $config{OPTIMIZE} & 0x1C;
 	}

 	enable_script;
@@ -817,8 +829,8 @@ sub compiler {
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
 	#
-	Shorewall::Chains::initialize( $family, 0 );
-	initialize_chain_table;
+	Shorewall::Chains::initialize( $family, 0 , $export );
+	initialize_chain_table(0);
 	#
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
@@ -859,7 +871,7 @@ sub compiler {
 	    #
 	    generate_matrix;

-	    if ( $config{OPTIMIZE} & 0xE ) {
+	    if ( $config{OPTIMIZE} & 0x1E ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
@@ -868,7 +880,7 @@ sub compiler {
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $config{OPTIMIZE} & 0xC;
+		optimize_ruleset if $config{OPTIMIZE} & 0x1C;
 	    }

 	    enable_script if $debug;
@@ -881,8 +893,8 @@ sub compiler {
 	# Re-initialize the chain table so that process_routestopped() has the same
 	# environment that it would when called by compile_stop_firewall().
 	#
-	Shorewall::Chains::initialize( $family , 0 );
-	initialize_chain_table;
+	Shorewall::Chains::initialize( $family , 0 , $export );
+	initialize_chain_table(0);

 	if ( $debug ) {
 	    compile_stop_firewall( $test, $export );
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -80,25 +80,25 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_19';
+our $VERSION = 'MODULEVERSION';

 #
 # Some IPv4/6 useful stuff
 #
-our @allipv4 = ( '0.0.0.0/0' );
-our @allipv6 = ( '::/0' );
-our $allip;
-our @allip;
-our @nilipv4 = ( '0.0.0.0' );
-our @nilipv6 = ( '::' );
-our $nilip;
-our @nilip;
-our $valid_address;
-our $validate_address;
-our $validate_net;
-our $validate_range;
-our $validate_host;
-our $family;
+my @allipv4 = ( '0.0.0.0/0' );
+my @allipv6 = ( '::/0' );
+my $allip;
+my @allip;
+my @nilipv4 = ( '0.0.0.0' );
+my @nilipv6 = ( '::' );
+my $nilip;
+my @nilip;
+my $valid_address;
+my $validate_address;
+my $validate_net;
+my $validate_range;
+my $validate_host;
+my $family;

 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
@@ -121,7 +121,7 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       SCTP                => 132,
 	       UDPLITE             => 136 };

-our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
+my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );

 #
 # Note: initialize() is declared at the bottom of the file
@@ -530,12 +530,13 @@ sub valid_6address( $ ) {
 	return 0 unless valid_4address pop @address;
 	$max = 6;
 	$address = join ':', @address;
-	return 1 if @address eq ':';
+	return 1 if $address eq ':';
    } else {
 	$max = 8;
    }

    return 0 if @address > $max;
+    return 0 unless $address =~ /^[a-fA-F:\d]+$/;
    return 0 unless ( @address == $max ) || $address =~ /::/;
    return 0 if $address =~ /:::/ || $address =~ /::.*::/;

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -36,10 +36,10 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_17';
+our $VERSION = 'MODULEVERSION';

-our @addresses_to_add;
-our %addresses_to_add;
+my @addresses_to_add;
+my %addresses_to_add;

 #
 # Called by the compiler
@@ -54,13 +54,16 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = 
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };

    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
 	return 1;
    }

+    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+
    my $pre_nat;
    my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
    my $destnets = '';
@@ -163,8 +166,8 @@ sub process_one_masq( )
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
-		$addresses =~ s/:persistent$// and $persistent = '--persistent ';
-		$addresses =~ s/:random$//     and $randomize  = '--random ';
+		$addresses =~ s/:persistent$// and $persistent = ' --persistent ';
+		$addresses =~ s/:random$//     and $randomize  = ' --random ';

 		require_capability 'PERSISTENT_SNAT', ':persistent', 's' if $persistent;

@@ -374,7 +377,7 @@ sub setup_nat() {

 	while ( read_a_line ) {

-	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
+	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };

 	    if ( $external eq 'COMMENT' ) {
 		process_comment;
@@ -383,8 +386,11 @@ sub setup_nat() {

 		$digit = defined $digit ? ":$digit" : '';

+		fatal_error 'EXTERNAL must be specified' if $external eq '-';
+		fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
+
 		for my $interface ( split_list $interfacelist , 'interface' ) {
-		    fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne '';
+		    fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
 		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
 		}

@@ -403,35 +409,103 @@ sub setup_netmap() {

    if ( my $fn = open_file 'netmap' ) {

-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
+	first_entry "$doing $fn...";

 	while ( read_a_line ) {

-	    my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
+	    my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 };

 	    $net3 = ALLIP if $net3 eq '-';

 	    for my $interface ( split_list $interfacelist, 'interface' ) {

-		my $rulein = '';
-		my $ruleout = '';
 		my $iface = $interface;

 		fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

+		my @rule = do_iproto( $proto, $dport, $sport );
+
+		unless ( $type =~ /:/ ) {
+		    my @rulein;
+		    my @ruleout;
+		    
+		    validate_net $net1, 0;
+		    validate_net $net2, 0;
+
 		    unless ( $interfaceref->{root} ) {
-		    $rulein  = match_source_dev( $interface );
-		    $ruleout = match_dest_dev( $interface );
+			@rulein  = imatch_source_dev( $interface );
+			@ruleout = imatch_dest_dev( $interface );
 			$interface = $interfaceref->{name};
 		    }

+		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
+
 		    if ( $type eq 'DNAT' ) {
-		    add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
+			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) , 
+					  j => 'NETMAP' ,
+					  "--to $net2",
+					  $net1 ,
+					  @rulein  ,
+					  imatch_source_net( $net3 ) );
 		    } elsif ( $type eq 'SNAT' ) {
-		    add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
+			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
+					   j => 'NETMAP' ,
+					   "--to $net2" ,
+					   $net1 ,
+					   @ruleout ,
+					   imatch_dest_net( $net3 ) );
 		    } else {
 			fatal_error "Invalid type ($type)";
 		    }
+		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
+		    my ( $target , $chain ) = ( $1, $2 );
+		    my $table = 'raw';
+		    my @match;
+
+		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
+
+		    validate_net $net2, 0;
+
+		    unless ( $interfaceref->{root} ) {
+			@match = imatch_dest_dev(  $interface ); 
+			$interface = $interfaceref->{name};
+		    }
+			
+		    if ( $chain eq 'P' ) {
+			$chain = prerouting_chain $interface;
+			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
+		    } elsif ( $chain eq 'O' ) {
+			$chain = output_chain $interface;
+		    } else {
+			$chain = postrouting_chain $interface;
+			$table = 'rawpost';
+		    }
+
+		    my $chainref = ensure_chain( $table, $chain );
+
+		    
+		    if ( $target eq 'DNAT' ) {
+			dest_iexclusion( $chainref ,
+					 j => 'RAWDNAT' ,
+					 "--to-dest $net2" ,
+					 $net1 ,
+					 imatch_source_net( $net3 ) ,
+					 @rule ,
+					 @match
+				       );
+		    } else {
+			source_iexclusion( $chainref ,
+					   j  => 'RAWSNAT' ,
+					   "--to-source $net2" ,
+					   $net1 ,
+					   imatch_dest_net( $net3 ) ,
+					   @rule ,
+					   @match );
+		    }
+		} else {
+		    fatal_error 'TYPE must be specified' if $type eq '-';
+		    fatal_error "Invalid TYPE ($type)";
+		}
 		
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	    }
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -40,8 +40,8 @@ our @EXPORT = qw(
 		 setup_source_routing
 		 setup_forwarding
 		 );
-our @EXPORT_OK = qw( );
-our $VERSION = '4.4_7';
+our @EXPORT_OK = qw( setup_interface_proc );
+our $VERSION = 'MODULEVERSION';

 #
 # ARP Filtering
@@ -106,7 +106,7 @@ sub setup_route_filtering() {

 	my $val = '';

-	if ( $config{ROUTE_FILTER} ne '' ) {
+	if ( $config ne '' ) {
 	    $val = $config eq 'on' ? 1 : $config eq 'off' ? 0 : $config;

 	    emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
@@ -227,6 +227,10 @@ sub setup_forwarding( $$ ) {
 	}

 	emit '';
+
+	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
+	       ''
+	     ) if have_bridges;
    } else {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
 	    emit '        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
@@ -238,6 +242,10 @@ sub setup_forwarding( $$ ) {

 	emit '';

+	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
+	       ''
+	     ) if have_bridges;
+
 	my $interfaces = find_interfaces_by_option 'forward';

 	if ( @$interfaces ) {
@@ -269,4 +277,45 @@ sub setup_forwarding( $$ ) {
    }
 }

+sub setup_interface_proc( $ ) {
+    my $interface = shift;
+    my $physical  = get_physical $interface;
+    my $value;
+    my @emitted;
+
+    if ( interface_has_option( $interface, 'arp_filter' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_filter";
+    }
+	 
+    if ( interface_has_option( $interface, 'arp_ignore' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_ignore";
+    }
+
+    if ( interface_has_option( $interface, 'routefilter' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/rp_filter";
+    }
+
+    if ( interface_has_option( $interface, 'logmartians' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/log_martians";
+    }
+
+    if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
+    }
+
+    if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
+    }
+
+    if ( @emitted ) {
+	emit( '',
+	      'if [ $COMMAND = enable ]; then' );
+	push_indent;
+	emit "$_" for @emitted;
+	pop_indent;
+	emit "fi\n";
+    }
+}
+	 
+
 1;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2011,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,7 +35,7 @@ our @EXPORT = qw(
 		  );

 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_19';
+our $VERSION = 'MODULEVERSION';

 our @proxyarp;

@@ -83,7 +83,11 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
 	if ( $family == F_IPV4 ) {
 	    emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address/32 dev $physical";
 	} else {
-	    emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address/128 dev $physical";
+	    emit( 'if [ -z "$g_noroutes" ]; then',
+		  "    qt \$IP -6 route del $address/128 dev $physical".
+		  "    run_ip route add $address/128 dev $physical",
+		  'fi'
+		);
 	}

 	$haveroute = 1 if $persistent;
@@ -118,13 +122,15 @@ sub setup_proxy_arp() {

 	while ( read_a_line ) {

-	    my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, $file_opt;
+	    my ( $address, $interface, $external, $haveroute, $persistent ) =
+		split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };

 	    if ( $first_entry ) {
 		progress_message2 "$doing $fn...";
 		$first_entry = 0;
 	    }

+	    fatal_error 'EXTERNAL must be specified' if $external eq '-';
 	    fatal_error "Unknown interface ($external)" unless known_interface $external;
 	    fatal_error "Wildcard interface ($external) not allowed" if $external =~ /\+$/;
 	    $reset{$external} = 1 unless $set{$external};
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_14';
+our $VERSION = 'MODULEVERSION';

 #
 # Notrack
@@ -84,7 +84,7 @@ sub setup_notrack() {

 	while ( read_a_line ) {

-	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';
+	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };

 	    if ( $source eq 'COMMENT' ) {
 		process_comment;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_18';
+our $VERSION = 'MODULEVERSION';

 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -62,22 +62,22 @@ sub setup_tunnels() {
 	    }
 	}

-	my $options = $globals{UNTRACKED} ? "-m state --state NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
+	my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';

-	add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p 50 $dest   -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => 50, @$source;
+	add_tunnel_rule $outchainref, p => 50, @$dest;

 	unless ( $noah ) {
-	    add_tunnel_rule $inchainref,  "-p 51 $source -j ACCEPT";
-	    add_tunnel_rule $outchainref, "-p 51 $dest   -j ACCEPT";
+	    add_tunnel_rule $inchainref,  p => 51, @$source;
+	    add_tunnel_rule $outchainref, p => 51, @$dest;
 	}

 	if ( $kind eq 'ipsec' ) {
-	    add_tunnel_rule $inchainref,  "-p udp $source --dport 500 $options";
-	    add_tunnel_rule $outchainref, "-p udp $dest   --dport 500 $options";
+	    add_tunnel_rule $inchainref,  p => 'udp --dport 500', @$source, @options;
+	    add_tunnel_rule $outchainref, p => 'udp --dport 500', @$dest,   @options;
 	} else {
-	    add_tunnel_rule $inchainref,  "-p udp $source -m multiport --dports 500,4500 $options";
-	    add_tunnel_rule $outchainref, "-p udp $dest   -m multiport --dports 500,4500 $options";
+	    add_tunnel_rule $inchainref,  p => 'udp', @$source, multiport => '--dports 500,4500', @options;
+	    add_tunnel_rule $outchainref, p => 'udp', @$dest,   multiport => '--dports 500,4500', @options;
 	}

 	unless ( $gatewayzones eq '-' ) {
@@ -88,21 +88,21 @@ sub setup_tunnels() {
 		$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );

 		unless ( have_ipsec ) {
-		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
-		    add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
+		    add_tunnel_rule $inchainref,  p => 50, @$source;
+		    add_tunnel_rule $outchainref, p => 50, @$dest;

 		    unless ( $noah ) {
-			add_tunnel_rule $inchainref,  "-p 51 $source -j ACCEPT";
-			add_tunnel_rule $outchainref, "-p 51 $dest -j ACCEPT";
+			add_tunnel_rule $inchainref,  p => 51, @$source;
+			add_tunnel_rule $outchainref, p => 51, @$dest;
 		    }
 		}

 		if ( $kind eq 'ipsec' ) {
-		    add_tunnel_rule $inchainref,  "-p udp $source --dport 500 $options";
-		    add_tunnel_rule $outchainref, "-p udp $dest --dport 500 $options";
+		    add_tunnel_rule $inchainref,  p => 'udp --dport 500', @$source, @options;
+		    add_tunnel_rule $outchainref, p => 'udp --dport 500', @$dest,   @options;
 		} else {
-		    add_tunnel_rule $inchainref,  "-p udp $source -m multiport --dports 500,4500 $options";
-		    add_tunnel_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
+		    add_tunnel_rule $inchainref,  p => 'udp', @$source, multiport => '--dports 500,4500', @options;
+		    add_tunnel_rule $outchainref, p => 'udp', @$dest,   multiport => '--dports 500,4500', @options;
 		}
 	    }
 	}
@@ -111,24 +111,24 @@ sub setup_tunnels() {
    sub setup_one_other {
 	my ($inchainref, $outchainref, $source, $dest , $protocol) = @_;

-	add_tunnel_rule $inchainref ,  "-p $protocol $source -j ACCEPT";
-	add_tunnel_rule $outchainref , "-p $protocol $dest -j ACCEPT";
+	add_tunnel_rule $inchainref ,  p => $protocol, @$source;
+	add_tunnel_rule $outchainref , p => $protocol, @$dest;
    }

    sub setup_pptp_client {
 	my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;

-	add_tunnel_rule $outchainref,  "-p 47 $dest -j ACCEPT";
-	add_tunnel_rule $inchainref,   "-p 47 $source -j ACCEPT";
-	add_tunnel_rule $outchainref,  "-p tcp --dport 1723 $dest -j ACCEPT"
+	add_tunnel_rule $outchainref,  p => 47, @$dest;
+	add_tunnel_rule $inchainref,   p => 47, @$source;
+	add_tunnel_rule $outchainref,  p => 'tcp --dport 1723', @$dest;
    }

    sub setup_pptp_server {
 	my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;

-	add_tunnel_rule $inchainref,  "-p 47 $dest -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p 47 $source -j ACCEPT";
-	add_tunnel_rule $inchainref,  "-p tcp --dport 1723 $dest -j ACCEPT"
+	add_tunnel_rule $inchainref,  p => 47, @$dest;
+	add_tunnel_rule $outchainref, p => 47, @$source;
+	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$dest
 	}

    sub setup_one_openvpn {
@@ -141,10 +141,10 @@ sub setup_tunnels() {

 	fatal_error "Invalid port ($p:$remainder)" if defined $remainder;

-	if ( defined $p && $p ne '' ) {
+	if ( supplied $p ) {
 	    $port = $p;
 	    $protocol = $proto;
-	} elsif ( defined $proto && $proto ne '' ) {
+	} elsif ( supplied $proto ) {
 	    if ( "\L$proto" =~ /udp|tcp/ ) {
 		$protocol = $proto;
 	    } else {
@@ -152,8 +152,8 @@ sub setup_tunnels() {
 	    }
 	}

-	add_tunnel_rule $inchainref,  "-p $protocol $source --dport $port -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => "$protocol --dport $port", @$source;
+	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;;
    }

    sub setup_one_openvpn_client {
@@ -166,10 +166,10 @@ sub setup_tunnels() {

 	fatal_error "Invalid port ($p:$remainder)" if defined $remainder;

-	if ( defined $p && $p ne '' ) {
+	if ( supplied $p ) {
 	    $port = $p;
 	    $protocol = $proto;
-	} elsif ( defined $proto && $proto ne '' ) {
+	} elsif ( supplied $proto ) {
 	    if ( "\L$proto" =~ /udp|tcp/ ) {
 		$protocol = $proto;
 	    } else {
@@ -177,8 +177,8 @@ sub setup_tunnels() {
 	    }
 	}

-	add_tunnel_rule $inchainref,  "-p $protocol $source --sport $port -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => "$protocol --sport $port", @$source;
+	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;
    }

    sub setup_one_openvpn_server {
@@ -191,10 +191,10 @@ sub setup_tunnels() {

 	fatal_error "Invalid port ($p:$remainder)" if defined $remainder;

-	if ( defined $p && $p ne '' ) {
+	if ( supplied $p ) {
 	    $port = $p;
 	    $protocol = $proto;
-	} elsif ( defined $proto && $proto ne '' ) {
+	} elsif ( supplied $proto ) {
 	    if ( "\L$proto" =~ /udp|tcp/ ) {
 		$protocol = $proto;
 	    } else {
@@ -202,8 +202,8 @@ sub setup_tunnels() {
 	    }
 	}

-	add_tunnel_rule $inchainref,  "-p $protocol $source --dport $port -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p $protocol $dest --sport $port -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => "$protocol --dport $port" , @$source;
+	add_tunnel_rule $outchainref, p => "$protocol --sport $port",  @$dest;
    }

    sub setup_one_l2tp {
@@ -211,8 +211,8 @@ sub setup_tunnels() {

 	fatal_error "Unknown option ($1)" if $kind =~ /^.*?:(.*)$/;

-	add_tunnel_rule $inchainref,  "-p udp $source --sport 1701 --dport 1701 -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p udp $dest   --sport 1701 --dport 1701 -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => 'udp --sport 1701 --dport 1701', @$source;
+	add_tunnel_rule $outchainref, p => 'udp --sport 1701 --dport 1701', @$dest;
    }

    sub setup_one_generic {
@@ -229,8 +229,8 @@ sub setup_tunnels() {
 	    ( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/;
 	}

-	add_tunnel_rule $inchainref,  "-p $protocol $source $port -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p $protocol $dest $port -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => "$protocol $port", @$source;
+	add_tunnel_rule $outchainref, p => "$protocol $port", @$dest;
    }

    sub setup_one_tunnel($$$$) {
@@ -238,28 +238,29 @@ sub setup_tunnels() {

 	my $zonetype = zone_type( $zone );

-	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
+	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype & ( FIREWALL | BPORT );

 	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
 	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );

 	$gateway = ALLIP if $gateway eq '-';

-	my $source = match_source_net $gateway;
-	my $dest   = match_dest_net   $gateway;
+	my @source = imatch_source_net $gateway;
+	my @dest   = imatch_dest_net   $gateway;

-	my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, $source, $dest , $gatewayzones ] } ,
-			    'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, $source, $dest , $gatewayzones ] } ,
-			    'ipip'          => { function => \&setup_one_other,          params   => [ $source, $dest , 4 ] } ,
-			    'gre'           => { function => \&setup_one_other,          params   => [ $source, $dest , 47 ] } ,
-			    '6to4'          => { function => \&setup_one_other,          params   => [ $source, $dest , 41 ] } ,
-			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, $source, $dest ] } ,
-			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, $source, $dest ] } ,
-			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, $source, $dest ] } ,
-			    'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, $source, $dest ] } ,
-			    'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, $source, $dest ] } ,
-			    'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, $source, $dest ] } ,
-			    'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, $source, $dest ] } ,
+	my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+			    'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+			    'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
+			    'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
+			    '6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+			    '6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
+			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
+			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
+			    'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
+			    'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
+			    'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, \@source, \@dest ] } ,
+			    'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, \@source, \@dest ] } ,
 			  );

 	$kind = "\L$kind";
@@ -284,7 +285,10 @@ sub setup_tunnels() {

 	while ( read_a_line ) {

-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateway_zone => 3 };
+
+	    fatal_error 'TYPE must be specified' if $kind eq '-';
+	    fatal_error 'ZONE must be specified' if $zone eq '-';

 	    if ( $kind eq 'COMMENT' ) {
 		process_comment;
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -50,6 +50,7 @@ our @EXPORT = qw( NOTHING
 		  defined_zone
 		  zone_type
 		  zone_interfaces
+		  zone_mark
 		  all_zones
 		  all_parent_zones
 		  complex_zones
@@ -73,7 +74,9 @@ our @EXPORT = qw( NOTHING
 		  find_interfaces_by_option
 		  find_interfaces_by_option1
 		  get_interface_option
+		  interface_has_option
 		  set_interface_option
+		  set_interface_provider
 		  interface_zones
 		  verify_required_interfaces
 		  compile_updown
@@ -85,7 +88,7 @@ our @EXPORT = qw( NOTHING
 		 );

 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_19';
+our $VERSION = 'MODULEVERSION';

 #
 # IPSEC Option types
@@ -96,6 +99,14 @@ use constant { NOTHING    => 'NOTHING',
 	       IPSECPROTO => 'ah|esp|ipcomp',
 	       IPSECMODE  => 'tunnel|transport'
 	       };
+
+#
+# Option columns
+#
+use constant { IN_OUT     => 1,
+	       IN         => 2,
+	       OUT        => 3 };
+
 #
 # Zone Table.
 #
@@ -129,11 +140,12 @@ use constant { NOTHING    => 'NOTHING',
 #
 #     $firewall_zone names the firewall zone.
 #
-our @zones;
-our %zones;
-our $firewall_zone;
+my @zones;
+my %zones;
+my %zonetypes;
+my $firewall_zone;

-our %reservedName = ( all => 1,
+my  %reservedName = ( all => 1,
 		      any => 1,
 		      none => 1,
 		      SOURCE => 1,
@@ -153,7 +165,7 @@ our %reservedName = ( all => 1,
 #                                     zone        => <zone name>
 #                                     multizone   => undef|1   #More than one zone interfaces through this interface
 #                                     nets        => <number of nets in interface/hosts records referring to this interface>
-#                                     bridge      => <bridge>
+#                                     bridge      => <bridge name>
 #                                     ports       => <number of port on this bridge>
 #                                     ipsec       => undef|1 # Has an ipsec host group
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
@@ -167,24 +179,28 @@ our %reservedName = ( all => 1,
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
 #
-our @interfaces;
-our %interfaces;
-our %roots;
-our @bport_zones;
-our %ipsets;
-our %physical;
-our %basemap;
-our %mapbase;
-our $family;
-our $have_ipsec;
-our $baseseq;
-our $minroot;
+my @interfaces;
+my %interfaces;
+my %roots;
+my @bport_zones;
+my %ipsets;
+my %physical;
+my %basemap;
+my %mapbase;
+my $family;
+my $upgrade;
+my $have_ipsec;
+my $baseseq;
+my $minroot;
+my $zonemark;
+my $zonemarkincr;
+my $zonemarklimit;

 use constant { FIREWALL => 1,
 	       IP       => 2,
-	       BPORT    => 3,
-	       IPSEC    => 4,
-	       VSERVER  => 5 };
+	       BPORT    => 4,
+	       IPSEC    => 8,
+	       VSERVER  => 16 };

 use constant { SIMPLE_IF_OPTION   => 1,
 	       BINARY_IF_OPTION   => 2,
@@ -202,13 +218,13 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IF_OPTION_WILDOK   => 64
 	   };

-our %validinterfaceoptions;
+my %validinterfaceoptions;

-our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
+my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );

-our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
+my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );

-our %validhostoptions;
+my %validhostoptions;

 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -220,8 +236,8 @@ our %validhostoptions;
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $ ) {
-    $family = shift;
+sub initialize( $$ ) {
+    ( $family , $upgrade ) = @_;
    @zones = ();
    %zones = ();
    $firewall_zone = '';
@@ -255,6 +271,7 @@ sub initialize( $ ) {
 				  required    => SIMPLE_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				  routefilter => NUMERIC_IF_OPTION ,
+				  sfilter     => IPLIST_IF_OPTION,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  upnp        => SIMPLE_IF_OPTION,
@@ -273,6 +290,7 @@ sub initialize( $ ) {
 			     destonly => 1,
 			     sourceonly => 1,
 			    );
+	%zonetypes = ( 1 => 'firewall', 2 => 'ipv4', 4 => 'bport4', 8 => 'ipsec4', 16 => 'vserver' );
    } else {
 	%validinterfaceoptions = (  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
@@ -284,6 +302,7 @@ sub initialize( $ ) {
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -297,6 +316,7 @@ sub initialize( $ ) {
 			     routeback => 1,
 			     tcpflags => 1,
 			    );
+	%zonetypes = ( 1 => 'firewall', 2 => 'ipv6', 4 => 'bport6', 8 => 'ipsec4', 16 => 'vserver' );
    }
 }

@@ -306,9 +326,10 @@ sub initialize( $ ) {
 # => mss   = <MSS setting>
 # => ipsec = <-m policy arguments to match options>
 #
-sub parse_zone_option_list($$\$)
+sub parse_zone_option_list($$\$$)
 {
    my %validoptions = ( mss          => NUMERIC,
+			 nomark       => NOTHING,
 			 blacklist    => NOTHING,
 			 strict       => NOTHING,
 			 next         => NOTHING,
@@ -320,13 +341,13 @@ sub parse_zone_option_list($$\$)
 			 "tunnel-dst" => NETWORK,
 		       );

-    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8 };
+    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
    #
    # Hash of options that have their own key in the returned hash.
    #
-    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW );
+    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );

-    my ( $list, $zonetype, $complexref ) = @_;
+    my ( $list, $zonetype, $complexref, $column ) = @_;
    my %h;
    my $options = '';
    my $fmt;
@@ -359,11 +380,12 @@ sub parse_zone_option_list($$\$)
 	    my $key = $key{$e};

 	    if ( $key ) {
-		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
+		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
+		fatal_error "Opeion '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
 		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
-		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
+		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype & IPSEC;
 		$options .= $invert;
 		$options .= "--$e ";
 		$options .= "$val "if defined $val;
@@ -399,19 +421,14 @@ sub process_zone( \$ ) {

    my @parents;

-    my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
+    my ($zone, $type, $options, $in_options, $out_options ) =
+	split_line 'zones file', { zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 };
+
+    fatal_error 'ZONE must be specified' if $zone eq '-';

    if ( $zone =~ /(\w+):([\w,]+)/ ) {
 	$zone = $1;
 	@parents = split_list $2, 'zone';
-
-	for my $p ( @parents ) {
-	    fatal_error "Invalid Parent List ($2)" unless $p;
-	    fatal_error "Unknown parent zone ($p)" unless $zones{$p};
-	    fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL;
-	    fatal_error 'Subzones of a Vserver zone not allowed' if $zones{$p}{type} == VSERVER;
-	    push @{$zones{$p}{children}}, $zone;
-	}
    }

    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH};
@@ -424,10 +441,11 @@ sub process_zone( \$ ) {
 	$$ip = 1;
    } elsif ( $type =~ /^ipsec([46])?$/i ) {
 	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
+	require_capability 'POLICY_MATCH' , 'IPSEC zones', '';
 	$type = IPSEC;
    } elsif ( $type =~ /^bport([46])?$/i ) {
 	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
-	warning_message "Bridge Port zones should have a parent zone" unless @parents;
+	warning_message "Bridge Port zones should have a parent zone" unless @parents || $config{ZONE_BITS};
 	$type = BPORT;
 	push @bport_zones, $zone;
    } elsif ( $type eq 'firewall' ) {
@@ -446,11 +464,18 @@ sub process_zone( \$ ) {
 	fatal_error "Invalid zone type ($type)";
    }

-    if ( $type eq IPSEC ) {
-	require_capability 'POLICY_MATCH' , 'IPSEC zones', '';
-	for ( @parents ) {
-	    set_super( $zones{$_} ) unless $zones{$_}{type} == IPSEC;
-	}
+    for my $p ( @parents ) {
+	fatal_error "Invalid Parent List ($2)" unless $p;
+	fatal_error "Unknown parent zone ($p)" unless $zones{$p};
+
+	my $ptype = $zones{$p}{type};
+
+	fatal_error 'Subzones of a Vserver zone not allowed' if $ptype & VSERVER;
+	fatal_error 'Subzones of firewall zone not allowed'  if $ptype & FIREWALL;
+
+	set_super( $zones{$p} ) if $type & IPSEC && ! ( $ptype & IPSEC );
+
+	push @{$zones{$p}{children}}, $zone;
    }

    my $complex = 0;
@@ -458,10 +483,10 @@ sub process_zone( \$ ) {
    my $zoneref = $zones{$zone} = { type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
-				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex ) ,
-						    in      => parse_zone_option_list( $in_options , $type , $complex ) ,
-						    out     => parse_zone_option_list( $out_options , $type , $complex ) ,
-						    complex => ( $type == IPSEC || $complex ) ,
+				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
+						    in      => parse_zone_option_list( $in_options , $type , $complex , IN ) ,
+						    out     => parse_zone_option_list( $out_options , $type , $complex , OUT ) ,
+						    complex => ( $type & IPSEC || $complex ) ,
 						    nested  => @parents > 0 ,
 						    super   => 0 ,
 						  } ,
@@ -470,6 +495,28 @@ sub process_zone( \$ ) {
 				    hosts      => {}
 				  };

+    if ( $config{ZONE_BITS} ) {
+	my $mark;
+
+	if ( $type == FIREWALL ) {
+	    $mark = 0;
+	} else {
+	    unless ( $zoneref->{options}{in_out}{nomark} ) {
+		fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
+		$mark      = $zonemark;
+		$zonemark += $zonemarkincr;
+		$zoneref->{options}{complex} = 1;
+	    }
+	}
+
+	if ( $zoneref->{options}{in_out}{nomark} ) {
+	    progress_message_nocompress "   Zone $zone:\tmark value not assigned";
+	} else {
+	    progress_message_nocompress "   Zone $zone:\tmark value " . in_hex( $zoneref->{mark} = $mark );
+	}
+    }
+	
+
    if ( $zoneref->{options}{in_out}{blacklist} ) {
 	for ( qw/in out/ ) {
 	    unless ( $zoneref->{options}{$_}{blacklist} ) {
@@ -491,6 +538,10 @@ sub determine_zones()
    my @z;
    my $ip = 0;

+    $zonemark      = 1 << $globals{ZONE_OFFSET};
+    $zonemarkincr  = $zonemark;
+    $zonemarklimit = $zonemark << $config{ZONE_BITS};
+
    if ( my $fn = open_file 'zones' ) {
 	first_entry "$doing $fn...";
 	push @z, process_zone( $ip ) while read_a_line;
@@ -529,7 +580,7 @@ sub determine_zones()
 #
 sub haveipseczones() {
    for my $zoneref ( values %zones ) {
-	return 1 if $zoneref->{type} == IPSEC;
+	return 1 if $zoneref->{type} & IPSEC;
    }

    0;
@@ -542,22 +593,13 @@ sub zone_report()
 {
    progress_message2 "Determining Hosts in Zones...";

-    my @translate;
-
-    if ( $family == F_IPV4 ) {
-	@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
-    } else {
-	@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
-    }
-
-    for my $zone ( @zones )
-    {
+    for my $zone ( @zones ) {
 	my $zoneref   = $zones{$zone};
 	my $hostref   = $zoneref->{hosts};
 	my $type      = $zoneref->{type};
 	my $optionref = $zoneref->{options};

-	progress_message_nocompress "   $zone ($translate[$type])";
+	progress_message_nocompress "   $zone ($zonetypes{$type})";

 	my $printed = 0;

@@ -589,7 +631,7 @@ sub zone_report()
 	}

 	unless ( $printed ) {
-	    fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge};
+	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
 	}

@@ -599,16 +641,7 @@ sub zone_report()
 #
 # This function is called to create the contents of the ${VARDIR}/zones file
 #
-sub dump_zone_contents()
-{
-    my @xlate;
-
-    if ( $family == F_IPV4 ) {
-	@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
-    } else {
-	@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
-    }
-
+sub dump_zone_contents() {
    for my $zone ( @zones )
    {
 	my $zoneref    = $zones{$zone};
@@ -616,9 +649,10 @@ sub dump_zone_contents()
 	my $type       = $zoneref->{type};
 	my $optionref  = $zoneref->{options};

-	my $entry      =  "$zone $xlate[$type]";
+	my $entry      =  "$zone $zonetypes{$type}";

-	$entry .= ":$zoneref->{bridge}" if $type == BPORT;
+	$entry .= ":$zoneref->{bridge}" if $type & BPORT;
+	$entry .= ( " mark=" . in_hex( $zoneref->{mark} ) ) if exists $zoneref->{mark};

 	if ( $hostref ) {
 	    for my $type ( sort keys %$hostref ) {
@@ -690,7 +724,7 @@ sub add_group_to_zone($$$$$)

 	$interfaceref->{nets}++;

-	fatal_error "Invalid Host List" unless defined $host and $host ne '';
+	fatal_error "Invalid Host List" unless supplied $host;

 	if ( substr( $host, 0, 1 ) eq '!' ) {
 	    fatal_error "Only one exclusion allowed in a host list" if $switched;
@@ -718,7 +752,7 @@ sub add_group_to_zone($$$$$)
 	}

 	if ( substr( $host, 0, 1 ) eq '+' ) {
-	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+[a-zA-Z]\w*$/;
+	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z]\w*$/;
 	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
 	} else {
 	    validate_host $host, 0;
@@ -729,7 +763,7 @@ sub add_group_to_zone($$$$$)

    $zoneref->{options}{in_out}{routeback} = 1 if $options->{routeback};

-    my $gtype = $type == IPSEC ? 'ipsec' : 'ip';
+    my $gtype = $type & IPSEC ? 'ipsec' : 'ip';

    $hostsref     = ( $zoneref->{hosts}           || ( $zoneref->{hosts} = {} ) );
    $typeref      = ( $hostsref->{$gtype}         || ( $hostsref->{$gtype} = {} ) );
@@ -741,8 +775,10 @@ sub add_group_to_zone($$$$$)

    push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
-			     ipsec   => $type == IPSEC ? 'ipsec' : 'none' ,
+			     ipsec   => $type & IPSEC ? 'ipsec' : 'none' ,
 			     exclusions => \@exclusions };
+
+    $interfaces{$interface}{options}{routeback} ||= ( $type != IPSEC && $options->{routeback} );
 }

 #
@@ -767,6 +803,12 @@ sub zone_interfaces( $ ) {
    find_zone( $_[0] )->{interfaces};
 }

+sub zone_mark( $ ) {
+    my $zoneref = find_zone( $_[0] );
+    fatal_error "Zone $_[0] has no assigned mark" unless exists $zoneref->{mark};
+    $zoneref->{mark};
+}
+
 sub defined_zone( $ ) {
    $zones{$_[0]};
 }
@@ -776,11 +818,11 @@ sub all_zones() {
 }

 sub off_firewall_zones() {
-   grep ( ! ( $zones{$_}{type} == FIREWALL || $zones{$_}{type} == VSERVER )  ,  @zones );
+   grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }

 sub non_firewall_zones() {
-   grep ( $zones{$_}{type} != FIREWALL  ,  @zones );
+   grep ( ! ( $zones{$_}{type} & FIREWALL ) ,  @zones );
 }

 sub all_parent_zones() {
@@ -796,7 +838,7 @@ sub complex_zones() {
 }

 sub vserver_zones() {
-    grep ( $zones{$_}{type} == VSERVER, @zones );
+    grep ( $zones{$_}{type} & VSERVER, @zones );
 }

 sub firewall_zone() {
@@ -865,7 +907,8 @@ sub chain_base($) {
 sub process_interface( $$ ) {
    my ( $nextinum, $export ) = @_;
    my $netsref   = '';
-    my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
+    my $filterref = [];
+    my ($zone, $originalinterface, $bcasts, $options ) = split_line 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
    my $zoneref;
    my $bridge = '';

@@ -878,21 +921,23 @@ sub process_interface( $$ ) {
 	fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
    }

+    fatal_error 'INTERFACE must be specified' if $originalinterface eq '-';
+
    my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;

    fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;

-    if ( defined $port && $port ne '' ) {
+    if ( supplied $port ) {
 	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
-	fatal_error "Your iptables is not recent enough to support bridge ports" unless have_capability( 'KLUDGEFREE' );
+	fatal_error "Your iptables is not recent enough to support bridge ports" unless $globals{KLUDGEFREE};

 	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
 	fatal_error "Duplicate Interface ($port)" if $interfaces{$port};

 	fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
 	$interfaces{$interface}{ports}++;
-	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
+	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && ! ( $zoneref->{type} & BPORT );

 	if ( $zone ) {
 	    if ( $zoneref->{bridge} ) {
@@ -901,15 +946,15 @@ sub process_interface( $$ ) {
 		$zoneref->{bridge} = $interface;
 	    }

-	    fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} == VSERVER;
+	    fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} & VSERVER;
 	}

 	$bridge = $interface;
 	$interface = $port;
    } else {
 	fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
-	fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} == BPORT;
-	fatal_error "Vserver zones may not be associated with interfaces" if $zone && $zoneref->{type} == VSERVER;
+	fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} & BPORT;
+	fatal_error "Vserver zones may not be associated with interfaces" if $zone && $zoneref->{type} & VSERVER;

 	$bridge = $interface;
    }
@@ -975,7 +1020,7 @@ sub process_interface( $$ ) {
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};

 	    if ( $zone ) {
-		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} == VSERVER && ! ( $type & IF_OPTION_VSERVER );
+		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER );
 	    } else {
 		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
 	    }
@@ -1055,6 +1100,9 @@ sub process_interface( $$ ) {
 		    # Assume 'broadcast'
 		    #
 		    $hostoptions{broadcast} = 1;
+		} elsif ( $option eq 'sfilter' ) {
+		    $filterref = [ split_list $value, 'address' ];
+		    validate_net( $_, 1) for @{$filterref}
 		} else {
 		    assert(0);
 		}
@@ -1079,7 +1127,7 @@ sub process_interface( $$ ) {
 	fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};

 	if ( $netsref eq 'dynamic' ) {
-	    my $ipset = "${zone}_" . chain_base $physical;
+	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
 	    $netsref = [ "+$ipset" ];
 	    $ipsets{$ipset} = 1;
 	}
@@ -1102,6 +1150,7 @@ sub process_interface( $$ ) {

    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
 						       bridge     => $bridge ,
+						       filter     => $filterref ,
 						       nets       => 0 ,
 						       number     => $nextinum ,
 						       root       => $root ,
@@ -1366,8 +1415,7 @@ sub find_interfaces_by_option1( $ ) {
    my @ints = ();
    my $wild = 0;

-    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} }
-			( grep $interfaces{$_}{root}, keys %interfaces ) ) {
+    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } keys %interfaces ) {
 	my $interfaceref = $interfaces{$interface};

 	next unless defined $interfaceref->{physical};
@@ -1401,6 +1449,22 @@ sub get_interface_option( $$ ) {
    
 }

+#
+# Return the value of an option for an interface
+#
+sub interface_has_option( $$\$ ) {
+    my ( $interface, $option, $value ) = @_;
+
+    my $ref = $interfaces{$interface};
+
+    $ref = known_interface( $interface ) unless $ref;
+
+    if ( exists $ref->{options}{$option} ) {
+	$$value = $ref->{options}{$option};
+	1;
+    }
+}
+
 #
 # Set an option for an interface
 #
@@ -1593,7 +1657,7 @@ sub compile_updown() {
    if ( @$ignore ) {
 	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$ignore;

-	$interfaces =~ s/\+/*/;
+	$interfaces =~ s/\+/*/g;

 	emit( "$interfaces)",
 	      '    progress_message3 "$COMMAND on interface $1 ignored"',
@@ -1605,7 +1669,7 @@ sub compile_updown() {
    if ( @$required ) {
 	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$required;

-	my $wildcard = ( $interfaces =~ s/\+/*/ );
+	my $wildcard = ( $interfaces =~ s/\+/*/g );

 	emit( "$interfaces)",
 	      '    if [ "$COMMAND" = up ]; then' );
@@ -1644,17 +1708,26 @@ sub compile_updown() {
    }

    if ( @$optional ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$optional;
-
-	$interfaces =~ s/\+/*/;
+	my @interfaces = map $interfaces{$_}->{physical}, @$optional;
+	my $interfaces = join '|', @interfaces; 

+	if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
 	    emit( "$interfaces)",
 		  '    if [ "$COMMAND" = up ]; then',
 		  '        echo 0 > ${VARDIR}/${1}.state',
 		  '    else',
 		  '        echo 1 > ${VARDIR}/${1}.state',
-	      '    fi',
-	      '',
+		  '    fi' );
+	} else {
+	    emit( "$interfaces)",
+		  '    if [ "$COMMAND" = up ]; then',
+		  "        echo 0 > \${VARDIR}/$interfaces.state",
+		  '    else',
+		  "        echo 1 > \${VARDIR}/$interfaces.state",
+		  '    fi' );
+	}
+
+	emit( '',
 	      '    if [ "$state" = started ]; then',
 	      '        COMMAND=restart',
 	      '        progress_message3 "$g_product attempting restart"',
@@ -1702,7 +1775,10 @@ sub compile_updown() {
 #
 sub process_host( ) {
    my $ipsec = 0;
-    my ($zone, $hosts, $options ) = split_line 2, 3, 'hosts file';
+    my ($zone, $hosts, $options ) = split_line 'hosts file', { zone => 0, hosts => 1, options => 2 };
+
+    fatal_error 'ZONE must be specified'  if $zone eq '-';
+    fatal_error 'HOSTS must be specified' if $hosts eq '-';

    my $zoneref = $zones{$zone};
    my $type    = $zoneref->{type};
@@ -1716,27 +1792,29 @@ sub process_host( ) {
 	if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
 	    $interface = $1;
 	    $hosts = $2;
-
-	    if ( $hosts =~ /^\+/ ) {
-		$zoneref->{options}{complex} = 1;
-		fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
-		fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
-	    }
-
-	    fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
+	    fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
-    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ || $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]\s*$/   ) {
+    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/   ||
+	      $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
+	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/   ||
+	      $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
 	$interface = $1;
 	$hosts = $2;
-	$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
+
 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
    } else {
-	fatal_error "Invalid HOST(S) column contents: $hosts";
+	fatal_error "Invalid HOST(S) column contents: $hosts" 
    }

-    if ( $type == BPORT ) {
+    if ( $hosts =~ /^!?\+/ ) {
+	$zoneref->{options}{complex} = 1;
+	fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
+	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
+    }
+
+    if ( $type & BPORT ) {
 	if ( $zoneref->{bridge} eq '' ) {
 	    fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port};
 	    $zoneref->{bridge} = $interfaces{$interface}{bridge};
@@ -1762,14 +1840,14 @@ sub process_host( ) {
 	    } elsif ( $option eq 'blacklist' ) {
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $validhostoptions{$option}) {
-		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
+		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type & VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
 		$options{$option} = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}

-	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER;
+	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} & VSERVER;

 	$optionsref = \%options;
    }
@@ -1790,19 +1868,19 @@ sub process_host( ) {
    $hosts = join( '', ALLIP , $hosts ) if substr($hosts, 0, 2 ) eq ',!';

    if ( $hosts eq 'dynamic' ) {
-	fatal_error "Vserver zones may not be dynamic" if $type == VSERVER;
+	fatal_error "Vserver zones may not be dynamic" if $type & VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	my $physical = physical_name $interface;
-	$hosts = "+${zone}_${physical}";
+	my $physical = chain_base( physical_name $interface );
+	my $set      = $family == F_IPV4 ? "${zone}_${physical}" : "6_${zone}_${physical}";
+	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
-	$ipsets{"${zone}_${physical}"} = 1;
-
+	$ipsets{$set} = 1;
    }

    #
    # We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
    #
-    $interface = '%vserver%' if $type == VSERVER;
+    $interface = '%vserver%' if $type & VSERVER;

    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);

@@ -1825,6 +1903,8 @@ sub validate_hosts_file()

    $have_ipsec = $ipsec || haveipseczones;

+    $_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
+
 }

 #
@@ -1842,7 +1922,7 @@ sub find_hosts_by_option( $ ) {
    my $option = $_[0];
    my @hosts;

-    for my $zone ( grep $zones{$_}{type} != FIREWALL , @zones ) {
+    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -37,6 +37,7 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
+#         --config_path=<path-list>   # Search path for config files
 #
 use strict;
 use FindBin;
@@ -54,12 +55,17 @@ sub usage( $ ) {
    [ --verbose={-1|0-2} ]
    [ --timestamp ]
    [ --debug ]
+    [ --confess ]
    [ --refresh=<chainlist> ]
    [ --log=<filename> ]
    [ --log-verbose={-1|0-2} ]
    [ --test ]
    [ --preview ]
    [ --family={4|6} ]
+    [ --annotate ]
+    [ --update ]
+    [ --convert ]
+    [ --config_path=<path-list> ]
 ';

    exit shift @_;
@@ -73,13 +79,18 @@ my $shorewall_dir = '';
 my $verbose       = 0;
 my $timestamp     = 0;
 my $debug         = 0;
-my $chains        = '';
+my $confess       = 0;
+my $chains        = ':none:';
 my $log           = '';
 my $log_verbose   = 0;
 my $help          = 0;
 my $test          = 0;
 my $family        = 4; # F_IPV4
 my $preview       = 0;
+my $annotate      = 0;
+my $update        = 0;
+my $convert       = 0;
+my $config_path   = '';

 Getopt::Long::Configure ('bundling');

@@ -103,6 +114,14 @@ my $result = GetOptions('h'               => \$help,
 			'preview'         => \$preview,
 			'f=i'             => \$family,
 			'family=i'        => \$family,
+			'c'               => \$confess,
+			'confess'         => \$confess,
+			'a'               => \$annotate,
+			'annotate'        => \$annotate,
+			'u'               => \$update,
+			'update'          => \$update,
+			'convert'         => \$convert,
+			'config_path=s'   => \$config_path,
 		       );

 usage(1) unless $result && @ARGV < 2;
@@ -119,4 +138,10 @@ compiler( script          => $ARGV[0] || '',
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
 	  preview         => $preview,
-	  family          => $family );
+	  family          => $family,
+	  confess         => $confess,
+	  update          => $update,
+	  convert         => $convert,
+	  annotate        => $annotate,
+	  config_path     => $config_path,
+	);
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -20,9 +20,20 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-. /usr/share/shorewall/lib.base
-. /usr/share/shorewall/lib.cli
+#
+#  Parameters:
+#
+#      $1 = Path name of params file
+#      $2 = $CONFIG_PATH
+#      $3 = Address family (4 o4 6)
+#
+if [ "$3" = 6 ]; then
+    . /usr/share/shorewall6/lib.base
+    . /usr/share/shorewall6/lib.cli
+else
+    . /usr/share/shorewall/lib.base
+    . /usr/share/shorewall/lib.cli
+fi

 CONFIG_PATH="$2"

--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -5,7 +5,21 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
+    echo "Usage: $0 [ options ] <command>"
+    echo 
+    echo "<command> is one of:"
+    echo "   start"
+    echo "   stop"
+    echo "   clear"
+    echo "   disable <interface>"
+    echo "   down <interface>"
+    echo "   enable <interface>"
+    echo "   reset"
+    echo "   refresh"
+    echo "   restart"
+    echo "   status"
+    echo "   up <interface>"
+    echo "   version"
    echo
    echo "Options are:"
    echo
@@ -295,6 +309,26 @@ case "$COMMAND" in
 	updown $@
 	status=0;
 	;;
+    enable)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	if shorewall_is_started; then
+	    detect_configuration
+	    enable_provider $1
+	fi
+	status=0
+	;;
+    disable)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	if shorewall_is_started; then
+	    detect_configuration
+	    disable_provider $1
+	fi
+	status=0
+	;;
    version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION
--- a/Shorewall/Perl/prog.footer6
+++ b/Shorewall/Perl/prog.footer6
@@ -5,7 +5,21 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
+    echo "Usage: $0 [ options ] <command>"
+    echo
+    echo "<command> is one of:"
+    echo "   start"
+    echo "   stop"
+    echo "   clear"
+    echo "   disable <interface>"
+    echo "   down <interface>"
+    echo "   enable <interface>"
+    echo "   reset"
+    echo "   refresh"
+    echo "   restart"
+    echo "   status"
+    echo "   up <interface>"
+    echo "   version"
    echo
    echo "Options are:"
    echo
@@ -21,7 +35,16 @@ usage() {
 checkkernelversion() {
    local kernel

-    kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+    kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
+
+    case "$kernel" in 
+	*.*.*)
+	    kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+	    ;;
+	*)
+	    kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+	    ;;
+    esac

    if [ $kernel -lt 20624 ]; then
 	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
@@ -321,6 +344,26 @@ case "$COMMAND" in
 	updown $1
 	status=0
 	;;
+    enable)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	if shorewall6_is_started; then
+	    detect_configuration
+	    enable_provider $1
+	fi
+	status=0
+	;;
+    disable)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	if shorewall6_is_started; then
+	    detect_configuration
+	    disable_provider $1
+	fi
+	status=0
+	;;
    version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -1,8 +1,6 @@
-#!/bin/sh
-#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2011 - Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
@@ -113,6 +111,17 @@ find_device() {
    done
 }

+#
+# Find the value 'weight' in the passed arguments then echo the next value
+#
+
+find_weight() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xweight ] && echo $2 && return
+	shift
+    done
+}
+
 #
 # Find the value 'via' in the passed arguments then echo the next value
 #
@@ -272,7 +281,7 @@ get_interface_bcasts() # $1 = interface
 #
 del_ip_addr() # $1 = address, $2 = interface
 {
-    [ $(find_first_interface_address_if_any $2) = $1 ] || qt $IP addr del $1 dev $2
+    [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
 }

 # Add IP Aliases
@@ -483,6 +492,8 @@ get_device_mtu1() # $1 = device
 # Undo changes to routing
 #
 undo_routing() {
+    local undofiles
+    local f

    if [ -z "$g_noroutes"  ]; then
 	#
@@ -495,10 +506,16 @@ undo_routing() {
 	#
 	# Restore the rest of the routing table
 	#
-	if [ -f ${VARDIR}/undo_routing ]; then
-	    . ${VARDIR}/undo_routing
+	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
+
+	if [ -n "$undofiles" ]; then
+	    for f in $undofiles; do
+		. $f
+	    done
+
+	    rm -f $undofiles
+
            progress_message "Shorewall-generated routing tables and routing rules removed"
-	    rm -f ${VARDIR}/undo_routing
 	fi
    fi

@@ -509,10 +526,10 @@ undo_routing() {
 #
 save_default_route() {
    awk \
-    'BEGIN        {default=0;}; \
-     /^default /  {default=1; print; next}; \
-     /nexthop/    {if (default == 1 ) {print ; next} }; \
-                  { default=0; };'
+    'BEGIN        {defroute=0;};
+     /^default /  {deroute=1; print; next};
+     /nexthop/    {if (defroute == 1 ) {print ; next} };
+                  { defroute=0; };'
 }

 #
@@ -583,6 +600,60 @@ restore_default_route() # $1 = USE_DEFAULT_RT
    return $result
 }

+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
+{
+    local route
+    local weight
+    local delta
+    local dev
+    
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
+
+    if [ -z "$route" ]; then
+	run_ip route add default scope global table $2 $1
+    else
+	delta=$1
+
+	if ! echo $route | fgrep -q ' nexthop '; then
+	    route=`echo $route | sed 's/via/nexthop via/'`
+	    dev=$(find_device $route)
+	    if [ -f ${VARDIR}/${dev}_weight ]; then
+		weight=`cat ${VARDIR}/${dev}_weight`
+		route="$route weight $weight"
+	    fi
+	fi
+
+	run_ip route replace default scope global table $2 $route $delta
+    fi
+}
+
+#
+# Remove a gateway from the default route
+#
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
+{
+    local route
+    local gateway
+    local dev
+
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    gateway=$1
+  
+    if [ -n "$route" ]; then
+	if echo $route | fgrep -q ' nexthop '; then
+	    gateway="nexthop $gateway"
+	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
+	    run_ip route replace table $2 $route
+	else
+	    dev=$(find_device $route)
+	    [ "$dev" = "$3" ] && run_ip route delete default table $2
+	fi
+    fi
+}
+
 #
 # Determine the MAC address of the passed IP through the passed interface
 #
@@ -624,8 +695,8 @@ conditionally_flush_conntrack() {
 delete_proxyarp() {
    if [ -f ${VARDIR}/proxyarp ]; then
 	while read address interface external haveroute; do
-	    qt $IP -4 neigh del proxy $address dev $external
-	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address/32 dev $interface
+	    qtnoin $IP -4 neigh del proxy $address dev $external
+	    [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
@@ -807,11 +878,15 @@ debug_restore_input() {

    qt1 $IPTABLES -t raw     -F
    qt1 $IPTABLES -t raw     -X
+    qt1 $IPTABLES -t rawpost -F
+    qt1 $IPTABLES -t rawpost -X

    for chain in PREROUTING OUTPUT; do
 	qt1 $IPTABLES -t raw -P $chain ACCEPT
    done

+    qt1 $iptables -T rawpost -P POSTROUTING ACCEPT
+
    run_iptables -t nat -F
    run_iptables -t nat -X

@@ -861,6 +936,9 @@ debug_restore_input() {
 	    '*'raw)
 		table=raw
 		;;
+	    '*'rawpost)
+		table=rawpost
+		;;
 	    '*'mangle)
 		table=mangle
 		;;
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -1,8 +1,6 @@
-#!/bin/sh
-#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2010- Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2011- Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
@@ -198,6 +196,35 @@ find_interface_full_addresses() # $1 = interface
    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
 }

+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
+{
+    local route
+    local weight
+    local delta
+    local dev
+    
+    run_ip route add default scope global table $2 $1
+}
+
+#
+# Remove a gateway from the default route
+#
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
+{
+    local route
+    local gateway
+    local dev
+
+    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    gateway=$1
+  
+    dev=$(find_device $route)
+    [ "$dev" = "$3" ] && run_ip route delete default table $2
+}
+
 #
 #  echo the list of networks routed out of a given interface
 #
@@ -471,6 +498,8 @@ get_device_mtu1() # $1 = device
 # Undo changes to routing
 #
 undo_routing() {
+    local undofiles
+    local f

    if [ -z "$g_noroutes"  ]; then
 	#
@@ -483,10 +512,16 @@ undo_routing() {
 	#
 	# Restore the rest of the routing table
 	#
-	if [ -f ${VARDIR}/undo_routing ]; then
-	    . ${VARDIR}/undo_routing
-	    progress_message "Shorewall-generated routing tables and routing rules removed"
-	    rm -f ${VARDIR}/undo_routing
+	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
+
+	if [ -n "$undofiles" ]; then
+	    for f in $undofiles; do
+		. $f
+	    done
+
+	    rm -f $undofiles
+
+            progress_message "Shorewall6-generated routing tables and routing rules removed"
 	fi
    fi

@@ -497,10 +532,10 @@ undo_routing() {
 #
 save_default_route() {
    awk \
-    'BEGIN        {default=0;}; \
-     /^default /  {default=1; print; next}; \
-     /nexthop/    {if (default == 1 ) {print ; next} }; \
-                  { default=0; };'
+    'BEGIN        {defroute=0;};
+     /^default /  {defroute=1; print; next};
+     /nexthop/    {if (defroute == 1 ) {print ; next} };
+                  { defroute=0; };'
 }

 #
@@ -824,6 +859,9 @@ debug_restore_input() {
 	    '*'raw)
 		table=raw
 		;;
+	    '*'rawpost)
+		table=rawpost
+		;;
 	    '*'mangle)
 		table=mangle
 		;;
--- a/Shorewall/action.A_Drop
+++ b/Shorewall/action.A_Drop
@@ -0,0 +1,56 @@
+#
+# Shorewall version 4 - Drop Action
+#
+# /usr/share/shorewall/action.A_Drop
+#
+#	The audited default DROP common rules
+#
+#	This action is invoked before a DROP policy is enforced. The purpose
+#	of the action is:
+#
+#	a) Avoid logging lots of useless cruft.
+#	b) Ensure that 'auth' requests are rejected, even if the policy is
+#	   DROP. Otherwise, you may experience problems establishing
+#	   connections with servers that use auth.
+#	c) Ensure that certain ICMP packets that are necessary for successful
+#	   internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+#
+###############################################################################
+#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Reject 'auth'
+#
+Auth(A_REJECT)
+#
+# Don't log broadcasts
+#
+dropBcast(audit)
+#
+# ACCEPT critical ICMP types
+#
+A_AllowICMPs	-	-	icmp
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log.
+#
+dropInvalid(audit)
+#
+# Drop Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(A_DROP)
+A_DropUPnP
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+A_DropDNSrep
--- a/Shorewall/action.A_Reject
+++ b/Shorewall/action.A_Reject
@@ -0,0 +1,54 @@
+#
+# Shorewall version 4 - Reject Action
+#
+# /usr/share/shorewall/action.A_Reject
+#
+#	The audited default REJECT action common rules
+#
+#	This action is invoked before a REJECT policy is enforced. The purpose
+#	of the action is:
+#
+#	a) Avoid logging lots of useless cruft.
+#	b) Ensure that certain ICMP packets that are necessary for successful
+#	   internet operation are always ACCEPTed.
+#
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
+###############################################################################
+#TARGET		SOURCE	DEST	PROTO
+#
+# Count packets that come through here
+#
+COUNT
+#
+# Don't log 'auth' -- REJECT
+#
+Auth(A_REJECT)
+#
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
+#
+dropBcast(audit)
+#
+# ACCEPT critical ICMP types
+#
+A_AllowICMPs	-	-	icmp
+#
+# Drop packets that are in the INVALID state -- these are usually ICMP packets
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
+#
+dropInvalid(audit)
+#
+# Reject Microsoft noise so that it doesn't clutter up the log.
+#
+SMB(A_REJECT)
+A_DropUPnP
+#
+# Drop 'newnotsyn' traffic so that it doesn't get logged.
+#
+dropNotSyn(audit)	-	-	tcp
+#
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
+#
+A_DropDNSrep
--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -0,0 +1,73 @@
+#
+# Shorewall 4 - Broadcast Action
+#
+#    /usr/share/shorewall/action.Broadcast
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Broadcast[([<action>|-[,{audit|-}])] 
+#
+#       Default action is DROP
+#
+##########################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+
+my $chainref           = get_action_chain;
+my ( $level, $tag )    = get_action_logging;
+my $target             = require_audit ( $action , $audit );
+
+if ( have_capability( 'ADDRTYPE' ) ) {
+    if ( $level ne '' ) {
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
+    }	
+
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
+} else {
+    add_commands $chainref, 'for address in $ALL_BCASTS; do';
+    incr_cmd_level $chainref;
+    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
+    add_jump $chainref, $target, 0, "-d \$address ";
+    decr_cmd_level $chainref;
+    add_commands $chainref, 'done';
+}
+    
+log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
+
+1;
+
+END PERL;
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -15,9 +15,49 @@
 #	c) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
+#  The action accepts five optional parameters:
+#
+#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#           actions.
+#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#	3 - Action to take with SMB requests. Default is DROP or A_DROP,
+#           depending on the setting of the first parameter.
+#       4 - Action to take with required ICMP packets. Default is ACCEPT or
+#           A_ACCEPT depending on the first parameter.
+#       5 - Action to take with late UDP replies (UDP source port 53). Default
+#           is DROP or A_DROP depending on the first parameter.
+#
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
+FORMAT 2
+#
+# The following magic provides different defaults for $2 thru $5, when $1 is 
+# 'audit'.
+#
+BEGIN PERL;
+use Shorewall::Config;
+
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+
+if ( defined $p1 ) { 
+    if ( $p1 eq 'audit' ) {
+	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
+	set_action_param( 3, 'A_DROP')     unless supplied $p3;
+	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
+	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
+    } else {
+	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
+    }
+}
+
+1;
+
+END PERL;
+
+DEFAULTS -,REJECT,DROP,ACCEPT,DROP
+
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
@@ -26,31 +66,31 @@ COUNT
 #
 # Reject 'auth'
 #
-Auth(REJECT)
+Auth($2)
 #
 # Don't log broadcasts
 #
-dropBcast
+Broadcast(DROP,$1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs	-	-	icmp
+AllowICMPs($4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
-dropInvalid
+Invalid(DROP,$1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB(DROP)
-DropUPnP
+SMB($3)
+DropUPnP($5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-dropNotSyn	-	-	tcp
+NotSyn(DROP,$1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep
+DropDNSrep($5)
--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@@ -0,0 +1,85 @@
+#
+# Shorewall version 4 - Drop Smurfs Action
+#
+# /usr/share/shorewall/action.DropSmurfs
+#
+#   Accepts a single optional parameter:
+#
+#          -     = Do not Audit
+#          audit = Audit dropped packets.
+#
+#################################################################################
+FORMAT 2
+
+DEFAULTS -
+
+BEGIN PERL;
+use strict;
+use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $audit ) = get_action_params( 1 );
+
+my $chainref        = get_action_chain;
+my ( $level, $tag ) = get_action_logging;
+my $target;
+
+if ( $level ne '-' || $audit ne '-' ) {
+    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
+
+    log_rule_limit( $level,
+		    $logchainref,
+		    $chainref->{name},
+		    'DROP',
+		    '',
+		    $tag,
+		    'add',
+		    '' );
+
+    if ( supplied $audit ) {
+	fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
+	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's';
+	add_ijump( $logchainref, j => 'AUDIT --type DROP' );
+    } 
+	
+    add_ijump( $logchainref, j => 'DROP' );
+
+    $target = $logchainref;
+} else {
+    $target = 'DROP';
+}
+		    
+if ( have_capability( 'ADDRTYPE' ) ) {
+    if ( $family == F_IPV4 ) {
+	add_ijump $chainref , j => 'RETURN', s => '0.0.0.0';         ;
+    } else {
+	add_ijump $chainref , j => 'RETURN', s => '::';
+    }
+
+    add_ijump( $chainref, g => $target, addrtype => '--src-type BROADCAST' ) ;
+} else {
+    if ( $family == F_IPV4 ) {
+	add_commands $chainref, 'for address in $ALL_BCASTS; do';
+    } else {
+	add_commands $chainref, 'for address in $ALL_ACASTS; do';
+    }
+    
+    incr_cmd_level $chainref;
+    add_ijump( $chainref, g => $target, s => '$address' );
+    decr_cmd_level $chainref;
+    add_commands $chainref, 'done';
+}
+
+if ( $family == F_IPV4 ) {
+    add_ijump( $chainref, g => $target, s => '224.0.0.0/4' );
+} else {
+    add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
+}
+
+END PERL;
+
+
+    
+
+
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -0,0 +1,56 @@
+#
+# Shorewall 4 - Invalid Action
+#
+#    /usr/share/shorewall/action.Invalid
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Invalid[([<action>|-[,{audit|-}])] 
+#
+#       Default action is DROP
+#
+##########################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+fatal_error "Invalid parameter ($audit) to action Invalid"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action Invalid"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+
+my $chainref         = get_action_chain;
+my ( $level, $tag )  = get_action_logging;
+my $target           = require_audit ( $action , $audit );
+
+log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
+add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
+
+$chainref->{dont_optimize} = 0;
+
+1;
+
+END PERL;
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -0,0 +1,56 @@
+#
+# Shorewall 4 - NotSyn Action
+#
+#    /usr/share/shorewall/action.NotSyn
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   NotSyn[([<action>|-[,{audit|-}])] 
+#
+#       Default action is DROP
+#
+##########################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+
+my $chainref         = get_action_chain;
+my ( $level, $tag )  = get_action_logging;
+my $target           = require_audit ( $action , $audit );
+
+log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+add_jump $chainref , $target, 0, '-p 6 ! --syn ';
+
+$chainref->{dont_optimize} = 0;
+
+1;
+
+END PERL;
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -12,8 +12,48 @@
 #	b) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
+#  The action accepts five optional parameters:
+#
+#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#           actions.
+#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#	3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#       4 - Action to take with required ICMP packets. Default is ACCEPT or
+#           A_ACCEPT depending on the first parameter.
+#       5 - Action to take with late UDP replies (UDP source port 53). Default
+#           is DROP or A_DROP depending on the first parameter.
+#
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
+FORMAT 2
+#
+# The following magic provides different defaults for $2 thru $5, when $1 is 
+# 'audit'.
+#
+BEGIN PERL;
+use Shorewall::Config;
+
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+
+if ( defined $p1 ) { 
+    if ( $p1 eq 'audit' ) {
+	set_action_param( 2, 'A_REJECT')  unless supplied $p2;
+	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
+	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
+	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
+    } else {
+	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
+    }
+}
+
+1;
+
+END PERL;
+
+DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
+
 #TARGET		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
@@ -22,33 +62,33 @@ COUNT
 #
 # Don't log 'auth' -- REJECT
 #
-Auth(REJECT)
+Auth($2)
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-dropBcast
+Broadcast(DROP,$1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs	-	-	icmp
+AllowICMPs($4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
-dropInvalid
+Invalid(DROP,$1)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB(REJECT)
-DropUPnP
+SMB($3)
+DropUPnP($5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-dropNotSyn	-	-	tcp
+NotSyn(DROP,$1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep
+DropDNSrep($5)
--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -0,0 +1,63 @@
+#
+# Shorewall version 4 - Drop Smurfs Action
+#
+# /usr/share/shorewall/action.DropSmurfs
+#
+#   Accepts a single optional parameter:
+#
+#          -     = Do not Audit
+#          audit = Audit dropped packets.
+#
+#################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+use strict;
+use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::Chains;
+
+
+my ( $disposition, $audit ) = get_action_params( 2 );
+
+my $chainref        = get_action_chain;
+my ( $level, $tag ) = get_action_logging;
+
+fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/; 
+
+if ( $level ne '-' || $audit ne '-' ) {
+    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
+
+    log_rule_limit( $level,
+		    $logchainref,
+		    $chainref->{name},
+		    $disposition,
+		    '',
+		    $tag,
+		    'add',
+		    '' ) if $level;
+
+    if ( supplied $audit ) {
+	fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
+	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
+	add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
+    } 
+
+    add_ijump( $logchainref, g => $disposition );
+
+    $disposition = $logchainref;
+}
+		    
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
+add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
+
+END PERL;
+
+
+    
+
+
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -8,6 +8,9 @@
 #
 # Builtin Actions are:
 #
+#    A_ACCEPT           # Audits then accepts a connection request
+#    A_DROP             # Audits then drops a connection request
+#    A_REJECT		# Audits then drops a connection request
 #    allowBcast		# Silently Allow Broadcast/multicast
 #    dropBcast		# Silently Drop Broadcast/multicast
 #    dropNotSyn		# Silently Drop Non-syn TCP packets
@@ -30,5 +33,12 @@
 #
 ###############################################################################
 #ACTION
+A_Drop 		    # Audited Default Action for DROP policy
+A_Reject	    # Audited Default action for REJECT policy
+Broadcast	    # Handles Broadcast/Multicast/Anycast
 Drop		    # Default Action for DROP policy
+DropSmurfs          # Drop smurf packets
+Invalid             # Handles packets in the INVALID conntrack state
+NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject		    # Default Action for REJECT policy
+TCPFlags            # Handle bad flag combinations.
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,941 +0,0 @@
-Changes in Shorewall 4.4.19.1
-
-1)  Eliminate silly duplicate rule when stopped.
-
-2)  Don't believe that all nexthop routes are default routes.
-
-3)  Restore :<low port>-<high port> in masq file.
-
-4)  Correct default route safe/restore.
-
-Changes in Shorewall 4.4.19 Final
-
-1)  Update release documents.
-
-2)  Correct split_line() error message for the proxyndp line.
-
-Changes in Shorewall 4.4.19 RC 1
-
-1)  Correct release notes.
-
-2)  Display mangle table in the output from 'shorewall show tc'.
-
-3)  Allow simple TC to work on both IPv4 and IPv6
-
-4)  Fix an optimizer bug in Shorewall::Chains::replace_references().
-
-5)  Correct missing jump to 'dnat'.
-
-Changes in Shorewall 4.4.19 Beta 5
-
-1)  Fix logical naming and bridge.
-
-Changes in Shorewall 4.4.19 Beta 4
-
-1)  Handle mis-configured ipsec host group on a bridge.
-
-2)  Significantly improve bridge/ports handling.
-
-3)  Allow port-lists in /etc/shorewall/rules.
-
-Changes in Shorewall 4.4.19 Beta 3
-
-1)  Allow /usr executables to be installed in a designated location.
-
-2)  Allow Shorewall perl modules to be installed in a designated
-    location.
-
-Changes in Shorewall 4.4.19 Beta 2
-
-1)  Minor rework of init-log creation in the installer.
-
-2)  Add VRRP macro.
-
-3)  Fix more params processing bugs.
-
-4)  Do a better job of editing ICMP type lists.
-
-5)  Allow /usr executables to be installed in a designated location.
-
-6)  Allow Shorewall perl modules to be installed in a designated
-    location.
-
-Changes in Shorewall 4.4.19 Beta 1
-
-1)  Place ACK packets in the highest priority band.
-
-2)  Break ICMP lists into individual rules.
-
-Changes in Shorewall 4.4.18 Final
-
-1)  Correct handling of IPv6 host address in a net context.
-
-2)  Restore <burst> in tcdevices.
-
-3)  Correct handling of non-present interfaces and tcfilters.
-
-Changes in Shorewall 4.4.18 RC 1
-
-1)  Update Version.
-
-Changes in Shorewall 4.4.18 Beta 4
-
-1)  Fix trivalue handling AGAIN.
-
-2)  Change default value of MODULE_PREFIX.
-
-3)  Combine Policy and Rules Modules
-
-4)  Move section processing to the Rules modules.
-
-Changes in Shorewall 4.4.18 Beta 3
-
-1)  Change default chain in FORWARD section of the accounting file.
-
-2)  Restrict USER/GROUP to OUTPUT section.
-
-3)  Restore prohibition of MAC addresses in unsectioned config.
-
-4)  Fix several optimizer problems.
-
-Changes in Shorewall 4.4.18 Beta 2
-
-1)  Fix the 'local' Provider option in IPv6
-
-2)  Remove hardcoded 0.0.0.0/0 from Providers.pm
-
-3)  Correct an optimizer defect having to do with jumps containing a
-    comment.
-
-Changes in Shorewall 4.4.18 Beta 1
-
-1)  Split up modules file.
-
-2)  Add sections to the accounting file.
-
-Changes in Shorewall 4.4.17
-
-1)  Secure helper and modules files for non-root access.
-
-2)  Rename USE_LOCAL_MODULES to EXPORTMODULES
-
-Changes in Shorewall 4.4.17
-
-1)  Added sch_tbf to the modules files.
-
-Changes in Shorewall 4.4.17 RC 1
-
-1)  Documentation and release notes cleanup.
-
-2)  Ensure that manual and accounting chains aren't too long.
-
-3)  Tighten up the editing of ACCOUNT(...).
-
-4)  Add 'show ipa' command.
-
-5)  Several fixes to IPv6 tcfilters.
-
-6)  Correct three issues in per-IP accounting.
-
-Changes in Shorewall 4.4.17 Beta 3
-
-1)  Allow run-time address variables in the masq file.
-
-2)  Fix silly bug in expand_rule().
-
-3)  Correct two defects in compiler module loading.
-
-4)  Implement per-IP module loading.
-
-Changes in Shorewall 4.4.17 Beta 2
-
-1)  Handle line containing only INCLUDE.
-
-2)  Fix empty SHELL variable handling with bash.
-
-3)  Correct 'check -r' with OPTIMIZE=8
-
-4)  Add sch_prio to modules file.
-
-5)  Add 'USE_LOCAL_MODULES' option.
-
-6)  Implement run-time address variables (&interface)
-
-Changes in Shorewall 4.4.17 Beta 1
-
-1)  Improve readability of logging logic in expand_rule().
-
-2)  Improve efficency of oddball targets in process_rule1().
-
-3)  Export (param,value) pairs with EXPORTPARAMS=No.
-
-4)  Only produce 'done.' progress message on success.
-
-5)  Support INCLUDE in user exits.
-
-6)  Use updaterc.d during uninstall on Debian.
-
-Changes in Shorewall 4.4.16 RC 1
-
-1) Fix logging for jump to nat chain.
-
-Changes in Shorewall 4.4.16 Beta 8
-
-1)  Complete parameterized actions.
-
-2)  Fix issue in expand_rule().
-
-3)  Eliminate Actions module.
-
-4)  Eliminate process_actions3().
-
-5)  Validate BLACKLIST_DISPOSITION.
-
-Changes in Shorewall 4.4.16 Beta 7
-
-1)  Parameterized actions.
-
-Changes in Shorewall 4.4.16 Beta 6
-
-1)  Don't let root match wildcard.
-
-2)  Fix use of wildcard names in the notrack file.
-
-3)  Fix use of wildcard names in the proxyarp file
-
-4)  Prevent perl runtime warnings with cached interface entries.
-
-Changes in Shorewall 4.4.16 Beta 5
-
-1)  Fix broken logical naming with Proxy ARP.
-
-2)  Add support for proxyndp.
-
-3)  Move mid-level rule processing to the Actions module.
-
-4)  Implement format-2 actions.
-
-5)  Allow DNAT and REDIRECT in actions.
-
-6)  Remove kludgy restrictions regarding Macros and Actions.
-
-Changes in Shorewall 4.4.16 Beta 4
-
-1)  Only issue get_params() warnings under 'trace'
-
-2)  Add ppp support to Shorewall-init
-
-Changes in Shorewall 4.4.16 Beta 3
-
-1)  Integrate bug catcher into 'trace' and correct handling of
-    getparams on old (RHEL 5) shells.
-
-Changes in Shorewall 4.4.16 Beta 2
-
-1)  Install bug catcher.
-
-Changes in Shorewall 4.4.16 Beta 1
-
-1)  Handle multi-line ENV values
-
-2)  Fix for absent params file.
-
-Changes in Shorewall 4.4.15
-
-1)  Add macros from Tuomo Soini.
-
-2)  Corrected macro.JAP.
-
-3)  Added fatal_error() functions to the -lite CLIs.
-
-RC 1
-
-1)  Another Perl 5.12 warning.
-
-2)  Avoid anomalous behavior regarding syn flood chains.
-
-3)  Add HEADERS column for IPv6
-
-Beta 2
-
-1)  Tweaks to IPv6 tcfilters
-
-2)  Add support for explicit provider routes
-
-3)  Fix shared TC tcfilters handling.
-
-Beta 1
-
-1)  Handle exported VERBOSE.
-
-2)  Modernize handling of the params file.
-
-3)  Fix NULL_ROUTE_RFC1918
-
-4)  Fix problem of appending incorrect files.
-
-5)  Implement shared TC.
-
-Changes in Shorewall 4.4.14
-
-1)  Support ipset lists.
-
-2)  Use conntrack in 'shorewall connections'
-
-3)  Clean up Shorewall6 error messages when running on a kernel <
-    2.6.24
-
-4)  Clean up ipset related error reporting out of validate_net().
-
-5)  Dramatically reduce the amount of CPU time spent in optimization.
-
-6)  Add 'scfilter' script.
-
-7)  Fix -lite init scripts.
-
-8)  Clamp VERBOSITY to valid range.
-
-9)  Delete obsolete options from shorewall.conf.
-
-10) Change value of FORWARD_CLEAR_MARK in *.conf.
-
-11) Use update-rc.d to install init symlinks.
-
-12) Fix split_list().
-
-13) Fix 10+ TC Interfaces.
-
-14) Insure that VERBOSITY=0 when interrogating compiled script's version
-
-Changes in Shorewall 4.4.13
-
-1)  Allow zone lists in rules SOURCE and DEST.
-
-2)  Fix exclusion in the blacklist file.
-
-3)  Correct several old exclusion bugs.
-
-4)  Fix exclusion with CONTINUE/NONAT/ACCEPT+
-
-5)  Re-implement optional interface handling.
-
-6)  Add secmark config file.
-
-7)  Split in and out blacklisting.
-
-8)  Correct handling of [{src|dst},...] in ipset invocation
-
-9)  Correct SAME.
-
-10) TC Enhancements:
-
-    <burst> in IN-BANDWIDTH columns.
-    OUT-BANDWIDTH column in tcinterfaces.
-
-11) Create dynamic zone ipsets on 'start'.
-
-12) Remove new blacklisting implementation.
-
-13) Implement an alternative blacklisting scheme.
-
-14) Use '-m state' for UNTRACKED.
-
-15) Clear raw table on 'clear'
-
-16) Correct port-range check in tcfilters.
-
-17) Disallow '*' in interface names.
-
-Changes in Shorewall 4.4.12
-
-1)  Fix IPv6 shorecap program.
-
-2)  Eradicate incorrect IPv6 Multicast Network
-
-3)  Add ADD/DEL support.
-
-4)  Allow :random to work with REDIRECT
-
-5)  Add per-ip log rate limiting.
-
-6)  Use new hashlimit match syntax if available.
-
-7)  Add Universal sample.
-
-8)  Add COMPLETE option.
-
-9)  Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
-
-10) Support new set match syntax.
-
-11) Blacklisting by DEST IP.
-
-12) Fix duplicate rule generation with 'any'.
-
-13) Fix port range editing problem.
-
-14) Display the .conf file directory in response to the status command.
-
-15)  Correct AUTOMAKE
-
-Changes in Shorewall 4.4.11
-
-1)  Apply patch from Gabriel.
-
-2)  Fix IPSET match detection when a pathname is specified for IPSET.
-
-3)  Fix start priority of shorewall-init on Debian
-
-4)  Make IPv6 log and connections output readable.
-
-5)  Add REQUIRE_INTERFACE to shorewall*.conf
-
-6)  Avoid run-time warnings when options are not listed in
-    shorewall.conf.
-
-7)  Implement Vserver zones.
-
-8)  Make find_hosts_by_option() work correctly where ALL_IP appears in
-    hosts file.
-
-9)  Add CLEAR_FORWARD_MARK option.
-
-10) Avoid missing closing quote when REQUIRE_INTERFACE=Yes.
-
-11) Add PERL option.
-
-12) Fix nets= in Shorewall6
-
-Changes in Shorewall 4.4.10
-
-1)  Fix regression with scripts.
-
-2)  Log startup errors.
-
-3)  Implement Shorewall-init.
-
-4)  Add SAFESTOP option to /etc/default/shorewall*
-
-5)  Restore -a functionality to the version command.
-
-6)  Correct Optimization issue
-
-7)  Rename PREFIX to DESTDIR in install scripts
-
-8)  Correct handling of optional/required interfaces with wildcard names.
-
-Changes in Shorewall 4.4.9
-
-1)  Auto-detection of bridges.
-
-2)  Correct handling of a logical interface name in the EXTERNAL column
-    of proxyarp.
-
-3)  More robust 'trace'.
-
-4)  Added IPv6 mDNS macro.
-
-5)  Fix find_first_interface_address() error reporting.
-
-6)  Fix propagation of zero-valued config variables.
-
-7)  Fix OPTIMIZE 4 bug.
-
-8)  Deallocate unused rules.
-
-9)  Keep rule arrays compressed during optimization.
-
-10) Remove remaining fallback scripts.
-
-11) Rationalize startup logs.
-
-12) Optimize 8.
-
-13) Don't create output chains for BPORT zones.
-
-14) Implement 'show log ip-addr' in /sbin/shorewall and
-    /sbin/shorewall-lite/
-
-15) Restore lone ACCEPT rule to the OUTPUT chain under OPTIMIZE 2.
-
-16) Change chain policy on OUTPUT chain with lone ACCEPT rule.
-
-17) Set IP before sourcing the params file.
-
-18) Fix rare optimization bug.
-
-19) Allow definition of an addressless bridge without a zone.
-
-20) In the routestopped file, assume 'routeback' if the interface has
-    'routeback'.
-
-21) Make Shorewall and Shorewall6 installable on OS X.
-
-Changes in Shorewall 4.4.8
-
-1)  Correct handling of RATE LIMIT on NAT rules.
-
-2)  Don't create a logging chain for rules with '-j RETURN'.
-
-3)  Avoid duplicate SFQ class numbers.
-
-4)  Fix low per-IP rate limits.
-
-5)  Fix Debian init script exit status
-
-6)  Fix NFQUEUE(queue-num) in policy
-
-7)  Implement -s option in install.sh
-
-8)  Add HKP Macro
-
-9)  Fix multiple policy matches with OPTIMIZE 4 and not KLUDGEFREE
-
-10) Eliminate up-cased variable names that aren't documented options.
-
-11) Don't show 'OLD' capabilities if they are not available.
-
-12) Attempt to flag use of '-' as a port-range separator.
-
-13) Add undocumented OPTIMIZE=-1 setting.
-
-14) Replace OPTIMIZE=-1 with undocumented optimize 4096 which DISABLES
-    default optimizations.
-
-15) Add support for UDPLITE
-
-16) Distinguish between 'Started' and 'Restored' in ${VARDIR}/state
-
-17) Issue warnings when 'blacklist' but no blacklist file entries.
-
-18) Don't optimize 'blacklst'.
-
-Changes in Shorewall 4.4.7
-
-1)  Backport optimization changes from 4.5.
-
-2)  Backport two new options from 4.5.
-
-3)  Backport TPROXY from 4.5
-
-4)  Add TC_PRIOMAP to shorewall*.conf
-
-5)  Implement LOAD_HELPERS_ONLY
-
-6)  Avoid excessive module loading with LOAD_HELPERS_ONLY=Yes
-
-7)  Fix case where MARK target is unavailable.
-
-8)  Change default to ADD_IP_ALIASES=No
-
-9)  Correct defects in generate_matrix().
-
-10) Fix and optimize 'nosmurfs'.
-
-11) Use 'OLD_HL_MATCH' to suppress use of 'flow' in Simple TC.
-
-Changes in Shorewall 4.4.6
-
-1)  Fix for rp_filter and kernel 2.6.31.
-
-2)  Add a hack to work around a bug in Lenny + xtables-addons
-
-3)  Re-enable SAVE_IPSETS
-
-4)  Allow both <...> and [...] for IPv6 Addresses.
-
-5)  Port mark geometry change from 4.5.
-
-6)  Add Macro patch from Tuomo Soini
-
-7)  Add 'show macro' command.
-
-8)  Add -r option to check.
-
-9)  Port simplified TC from 4.5.
-
-Changes in Shorewall 4.4.5
-
-1)  Fix 15-port limit removal change.
-
-2)  Fix handling of interfaces with the 'bridge' option.
-
-3)  Generate error for port number 0
-
-4)  Allow zone::serverport in rules DEST column.
-
-5)  Fix 'show policies' in Shorewall6.
-
-6)  Auto-load tc modules.
-
-7)  Allow LOGFILE=/dev/null
-
-8)  Fix shorewall6-lite/shorecap
-
-9) Fix MODULE_SUFFIX.
-
-10) Fix ENHANCED_REJECT detection for IPv4.
-
-11) Fix DONT_LOAD vs 'reload -c'
-
-12) Fix handling of SOURCE and DEST vs macros.
-
-13) Remove silly logic in expand_rule().
-
-14) Add current and limit to Conntrack Table Heading.
-
-Changes in Shorewall 4.4.4
-
-1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
-
-2)  Fix access to uninitialized variable.
-
-3)  Add logrotate scripts.
-
-4)  Allow long port lists in /etc/shorewall/routestopped.
-
-5)  Implement 'physical' interface option.
-
-6)  Implement ZONE2ZONE option.
-
-7)  Suppress duplicate COMMENT warnings.
-
-8)  Implement 'show policies' command.
-
-9)  Fix route_rule suppression for down provider.
-
-10) Suppress redundant tests for provider availability in route rules
-    processing.
-
-11) Implement the '-l' option to the 'show' command.
-
-12) Fix class number assignment when WIDE_TC_MARKS=Yes
-
-13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes
-
-Changes in Shorewall 4.4.3
-
-1)  Move Debian INITLOG initialization to /etc/default/shorewall
-
-2)  Fix 'routeback' in /etc/shorewall/routestopped.
-
-3)  Rename 'object' to 'script' in compiler and config modules.
-
-4)  Correct RETAIN_ALIASES=No.
-
-5)  Fix detection of IP config.
-
-6)  Fix nested zones.
-
-7)  Move all function declarations from prog.footer to prog.header
-
-8)  Remove superfluous variables from generated script
-
-9)  Make 'track' the default.
-
-10)  Add TRACK_PROVIDERS option.
-
-11)  Fix IPv6 address parsing bug.
-
-12)  Add hack to work around iproute IPv6 bug in route handling
-
-13)  Correct messages issued when an optional provider is not usable.
-
-14)  Fix optional interfaces.
-
-15)  Add 'limit' option to tcclasses.
-
-Changes in Shorewall 4.4.2
-
-1)  BUGFIX: Correct detection of Persistent SNAT support
-
-2)  BUGFIX: Fix chain table initialization
-
-3)  BUGFIX: Validate routestopped file on 'check'
-
-4)  Let the Actions module add the builtin actions to
-    %Shorewall::Chains::targets. Much better modularization that way.
-
-5)  Some changes to make Lenny->Squeeze less painful.
-
-6)  Allow comments at the end of continued lines.
-
-7)  Call process_routestopped() during 'check' rather than
-    'compile_stop_firewall()'.
-
-8)  Don't look for an extension script for built-in actions.
-
-9)  Apply Jesse Shrieve's patch for SNAT range.
-
-10) Add -<family> to 'ip route del default' command.
-
-11) Add three new columns to macro body.
-
-12) Change 'wait4ifup' so that it requires no PATH
-
-13) Allow extension scripts for accounting chains.
-
-14) Allow per-ip LIMIT to work on ancient iptables releases.
-
-15) Add 'MARK' column to action body.
-
-Changes in Shorewall 4.4.1
-
-1)  Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
-
-2)  Deleted superfluous export from Chains.pm.
-
-3)  Added support for --persistent.
-
-4)  Don't do module initialization in an INIT block.
-
-5)  Minor performance improvements.
-
-6)  Add 'clean' target to Makefile.
-
-7)  Redefine 'full' for sub-classes.
-
-8)  Fix log level in rules at the end of INPUT and OUTPUT chains.
-
-9)  Fix nested ipsec zones.
-
-10) Change one-interface sample to IP_FORWARDING=Off.
-
-11) Allow multicast to non-dynamic zones defined with nets=.
-
-12) Allow zones with nets= to be extended by /etc/shorewall/hosts
-    entries.
-
-13) Don't allow nets= in a multi-zone interface definition.
-
-14) Fix rule generated by MULTICAST=Yes
-
-15) Fix silly hole in zones file parsing.
-
-16) Tighen up zone membership checking.
-
-17) Combine portlist-spitting routines into a single function.
-
-Changes in Shorewall 4.4.0
-
-1)  Fix 'compile ... -' so that it no longer requires '-v-1'
-
-2)  Fix rule generation for logging nat rules with no exclusion.
-
-3)  Fix log record formatting.
-
-4)  Restore ipset binding
-
-5)  Fix 'upnpclient' with required interfaces.
-
-6)  Fix provider number in masq file.
-
-Changes in Shorewall 4.4.0-RC2
-
-1)  Fix capabilities file with Shorewall6.
-
-2)  Allow Shorewall6 to recognize TC, IP and IPSET
-
-3)  Make 'any' a reserved zone name.
-
-4)  Correct handling of an ipsec zone nested in a non-ipsec zone.
-
-Changes in Shorewall 4.4.0-RC1
-
-1)  Delete duplicate Git macro.
-
-2)  Fix routing when no providers.
-
-3)  Add 'any' as a SOURCE/DEST in rules.
-
-4)  Fix NONAT on child zone.
-
-5)  Fix rpm -U from earlier versions
-
-6)  Generate error on 'status' by non-root.
-
-7)  Get rid of prog.functions and prog.functions6
-
-Changes in Shorewall 4.4.0-Beta4
-
-1)  Add more macros.
-
-2)  Correct broadcast address detection
-
-3) Fix 'show dynamic'
-
-4) Fix BGP and OSFP macros.
-
-5) Change DISABLE_IPV6 default and use 'correct' ip6tables.
-
-Changes in Shorewall 4.4.0-Beta3
-
-1)  Add new macros.
-
-2)  Work around mis-configured interfaces.
-
-3)  Fix 'show dynamic'.
-
-4)  Check for xt_LOG.
-
-5)  Fix 'findgw'
-
-Changes in Shorewall 4.4.0-Beta2
-
-1)  The 'find_first_interface_address()' and
-    'find_first_interface_address_if_any()' functions have been restored to
-    lib.base.
-
-2)  Integerize r2q before inserting it into 'tc qdisc add root'
-    command.
-
-3)  Remove '-h' from the help text for install.sh in Shorewall and
-    Shorewall6.
-
-4)  Delete the 'continue' file from the Shorewall package.
-
-5)  Add 'upnpclient' interface option.
-
-6)  Fix handling of optional interfaces.
-
-7)  Add 'iptrace' and 'noiptrace' command.
-
-8)  Add 'USER/GROUP' column to masq file.
-
-9)  Added lib.private.
-
-Changes in Shorewall 4.4.0-Beta1
-
-1)  Correct typo in Shorewall6 two-interface sample shorewall.conf.
-
-2)  Fix TOS mnemonic handling in /etc/shorewall/tcfilters.
-
-Changes in Shorewall 4.3.12
-
-1) Eliminate 'large quantum' warnings.
-
-2) Add HFSC support.
-
-3) Delete support for ipset binding. Jozsef has removed the capability
-   from ipset.
-
-4) Add TOS and LENGTH columns to tcfilters file.
-
-5) Fix 'reset' command.
-
-6) Fix 'findgw'.
-
-7) Remove 'norfc1918' support.
-
-Changes in Shorewall 4.3.11
-
-1) Reduce the number of arguments passed in may cases.
-
-2) Fix SCTP source port handling in tcfilters.
-
-3) Add 'findgw' user exit.
-
-4) Add macro.Trcrt
-
-Changes in Shorewall 4.3.10
-
-1) Fix handling of shared optional providers.
-
-2) Add WIDE_TC_MARKS option.
-
-3) Allow compile to STDOUT.
-
-4) Fix handling of class IDs.
-
-5) Deprecate use of an interface in the SOURCE column of
-   /etc/shorewall/masq.
-
-6) Fix handling of 'all' in the SOURCE of DNAT- rules.
-
-7) Fix compile for export.
-
-8) Optimize IPMARK.
-
-9) Implement nested HTB classes.
-
-10) Fix 'iprange' command.
-
-11) Make traffic shaping work better with IPv6.
-
-12) Externalize 'flow'.
-
-13) Fix 'start' with AUTOMAKE=Yes
-
-Changes in Shorewall 4.3.9
-
-1) Logging rules now create separate chain.
-
-2) Fix netmask genereation in tcfilters.
-
-3) Allow Shorewall6 with kernel 2.6.24
-
-4) Avoid 'Invalid BROADCAST address' errors.
-
-5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt
-
-6) Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf.
-
-7) Add IPMARK support
-
-Changes in Shorewall 4.3.8
-
-1) Apply Tuomo Soini's patch for USE_DEFAULT_RT.
-
-2) Use 'startup_error' for those errors caught early.
-
-3) Fix swping
-
-4) Detect gateway via dhclient leases file.
-
-5) Suppress leading whitespace on certain continuation lines.
-
-6) Use iptables[6]-restore to stop the firewall.
-
-7) Add AUTOMAKE option
-
-8) Remove SAME support.
-
-9) Allow 'compile' without a pathname.
-
-10) Fix LOG_MARTIANS=Yes.
-
-11) Adapt I. Buijs's hashlimit patch.
-
-Changes in Shorewall 4.3.7
-
-1)  Fix forward treatment of interface options.
-
-2)  Replace $VARDIR/.restore with $VARDIR/firewall
-
-3)  Fix DNAT- parsing of DEST column.
-
-4)  Implement dynamic zones
-
-5)  Allow 'HOST' options on bridge ports.
-
-6)  Deprecate old macro parameter syntax.
-
-Changes in Shorewall 4.3.6
-
-1)  Add SAME tcrules target.
-
-2)  Make 'dump' display the raw table. Fix shorewall6 dump anomalies.
-
-3)  Fix split_list1()
-
-4)  Fix Shorewall6 file location bugs.
-
-Changes in Shorewall 4.3.5
-
-1)  Remove support for shorewall-shell.
-
-2)  Combine shorewall-common and shorewall-perl to produce shorewall.
-
-3)  Add nets= OPTION in interfaces file.
-
-
--- a/Shorewall/configfiles/blrules
+++ b/Shorewall/configfiles/blrules
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Blacklist Rules File
+#
+# For information about entries in this file, type "man shorewall-blrules"
+#
+# Please see http://shorewall.net/blacklisting_support.htm for additional
+# information.
+#
+###################################################################################################################################################################################################
+#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#									PORT	PORT(S)		DEST		LIMIT		GROUP
+
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -6,6 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
-###############################################################################
+#############################################################################################
 #INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
 #											GROUP
--- a/Shorewall/configfiles/netmap
+++ b/Shorewall/configfiles/netmap
@@ -6,5 +6,6 @@
 # See http://shorewall.net/netmap.html for an example and usage
 # information.
 #
-###############################################################################
-#TYPE	NET1			INTERFACE	NET2		NET3
+##############################################################################################
+#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
+#										PORT(S)	PORT(S)
--- a/Shorewall/configfiles/route_rules
+++ b/Shorewall/configfiles/route_rules
@@ -4,5 +4,5 @@
 # For information about entries in this file, type "man shorewall-route_rules"
 #
 # For additional information, see http://www.shorewall.net/MultiISP.html
-##############################################################################
-#SOURCE			DEST			PROVIDER	PRIORITY
+####################################################################################
+#SOURCE			DEST			PROVIDER	PRIORITY	MASK
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -6,9 +6,11 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION BLACKLIST
+#SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
--- a/Shorewall/configfiles/scfilter
+++ b/Shorewall/configfiles/scfilter
@@ -1,12 +1,10 @@
-#! /bin/sh
 #
 # Shorewall version 4 - Show Connections Filter
 #
 # /etc/shorewall/scfilter
 #
 #	Replace the 'cat' command below to filter the output of
-#       'show connections. Unlike other extension scripts, this file
-#       must be executable before Shorewall will use it.
+#       'show connections.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -21,181 +21,173 @@ VERBOSITY=1
 #		                L O G G I N G
 ###############################################################################

-LOGFILE=/var/log/messages
+BLACKLIST_LOGLEVEL=

-STARTUP_LOG=/var/log/shorewall-init.log
+LOG_MARTIANS=Yes

 LOG_VERBOSITY=2

+LOGALLNEW=
+
+LOGFILE=/var/log/messages
+
 LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

 LOGLIMIT=

-LOGALLNEW=
-
-BLACKLIST_LOGLEVEL=
-
 MACLIST_LOG_LEVEL=info

-TCP_FLAGS_LOG_LEVEL=info
+SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info

-LOG_MARTIANS=Yes
+STARTUP_LOG=/var/log/shorewall-init.log
+
+TCP_FLAGS_LOG_LEVEL=info

 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

+CONFIG_PATH="/etc/shorewall:/usr/share/shorewall"
+
 IPTABLES=

 IP=

-TC=
-
 IPSET=

+MODULESDIR=
+
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
+
 PERL=/usr/bin/perl

-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+RESTOREFILE=restore

 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=/var/lock/subsys/shorewall

-MODULESDIR=
-
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
-RESTOREFILE=
-
-IPSECFILE=zones
-
-LOCKFILE=
+TC=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-DROP_DEFAULT="Drop"
-REJECT_DEFAULT="Reject"
-ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT="none"
-NFQUEUE_DEFAULT="none"
+ACCEPT_DEFAULT=none
+DROP_DEFAULT=Drop
+NFQUEUE_DEFAULT=none
+QUEUE_DEFAULT=none
+REJECT_DEFAULT=Reject

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
+RSH_COMMAND='ssh ${root}@${system} ${command}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

-IP_FORWARDING=On
+ACCOUNTING=Yes
+
+ACCOUNTING_TABLE=filter

 ADD_IP_ALIASES=No

 ADD_SNAT_ALIASES=No

+ADMINISABSENTMINDED=Yes
+
+AUTO_COMMENT=Yes
+
+AUTOMAKE=No
+
+BLACKLISTNEWONLY=Yes
+
+CLAMPMSS=No
+
+CLEAR_TC=Yes
+
+COMPLETE=No
+
+DELETE_THEN_ADD=Yes
+
+DETECT_DNAT_IPADDRS=No
+
+DISABLE_IPV6=No
+
+DONT_LOAD=
+
+DYNAMIC_BLACKLIST=Yes
+
+EXPAND_POLICIES=Yes
+
+EXPORTMODULES=Yes
+
+FASTACCEPT=No
+
+FORWARD_CLEAR_MARK=
+
+IMPLICIT_CONTINUE=No
+
+IP_FORWARDING=On
+
+KEEP_RT_TABLES=No
+
+LEGACY_FASTSTART=Yes
+
+LOAD_HELPERS_ONLY=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+MANGLE_ENABLED=Yes
+
+MAPOLDACTIONS=No
+
+MARK_IN_FORWARD_CHAIN=No
+
+MODULE_SUFFIX=ko
+
+MULTICAST=No
+
+MUTEX_TIMEOUT=60
+
+NULL_ROUTE_RFC1918=No
+
+OPTIMIZE=0
+
+OPTIMIZE_ACCOUNTING=No
+
+REQUIRE_INTERFACE=No
+
+RESTORE_DEFAULT_ROUTE=Yes
+
 RETAIN_ALIASES=No

+ROUTE_FILTER=No
+
+SAVE_IPSETS=No
+
 TC_ENABLED=Internal

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-CLEAR_TC=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-CLAMPMSS=No
-
-ROUTE_FILTER=No
-
-DETECT_DNAT_IPADDRS=No
-
-MUTEX_TIMEOUT=60
-
-ADMINISABSENTMINDED=Yes
-
-BLACKLISTNEWONLY=Yes
-
-MODULE_SUFFIX=ko
-
-DISABLE_IPV6=No
-
-DYNAMIC_ZONES=No
-
-PKTTYPE=Yes
-
-NULL_ROUTE_RFC1918=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-SAVE_IPSETS=No
-
-MAPOLDACTIONS=No
-
-FASTACCEPT=No
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-OPTIMIZE=0
-
-EXPORTPARAMS=No
-
-EXPAND_POLICIES=Yes
-
-KEEP_RT_TABLES=No
-
-DELETE_THEN_ADD=Yes
-
-MULTICAST=No
-
-DONT_LOAD=
-
-AUTO_COMMENT=Yes
-
-MANGLE_ENABLED=Yes
+TRACK_PROVIDERS=No

 USE_DEFAULT_RT=No

-RESTORE_DEFAULT_ROUTE=Yes
-
-AUTOMAKE=No
-
-WIDE_TC_MARKS=No
-
-TRACK_PROVIDERS=No
-
 ZONE2ZONE=2

-ACCOUNTING=Yes
-
-DYNAMIC_BLACKLIST=Yes
-
-OPTIMIZE_ACCOUNTING=No
-
-LOAD_HELPERS_ONLY=No
-
-REQUIRE_INTERFACE=No
-
-FORWARD_CLEAR_MARK=
-
-COMPLETE=No
-
-EXPORTMODULES=Yes
-
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -204,6 +196,29 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+SMURF_DISPOSITION=DROP
+
+SFILTER_DISPOSITION=DROP
+
 TCP_FLAGS_DISPOSITION=DROP

-#LAST LINE -- DO NOT REMOVE
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
+################################################################################
+#                            L E G A C Y  O P T I O N
+#                      D O  N O T  D E L E T E  O R  A L T E R
+################################################################################
+
+IPSECFILE=zones
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -115,6 +115,11 @@ shorewall_refresh () {
  return 0
 }

+# status of the firewall
+shorewall_status () {
+  $SRWL $SRWL_OPTS status && exit 0 || exit $?
+}
+
 case "$1" in
  start)
     shorewall_start
@@ -128,8 +133,11 @@ case "$1" in
  force-reload|restart)
     shorewall_restart
     ;;
+  status)
+     shorewall_status
+     ;;
  *)
-     echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload}"
+     echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload|status}"
     exit 1
 esac

--- a/Shorewall/init.fedora.sh
+++ b/Shorewall/init.fedora.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop:	  0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+    . /etc/sysconfig/$prog
+fi
+
+start() {
+    echo -n $"Starting Shorewall: "
+    $shorewall $OPTIONS start 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping Shorewall: "
+    $shorewall $OPTIONS stop 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	rm -f $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+    echo -n $"Restarting Shorewall: "
+    $shorewall $OPTIONS restart 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else # Failed to start, clean up lock file if present
+	rm -f $lockfile
+	failure
+    fi
+    echo
+    return $retval
+}
+
+status(){
+    $shorewall status
+    return $?
+}
+
+status_q() {
+    status > /dev/null 2>&1
+}
+
+case "$1" in
+    start)
+	status_q && exit 0
+	$1
+	;;
+    stop)
+	status_q || exit 0
+	$1
+	;;
+    restart|reload|force-reload)
+	restart
+	;;
+    condrestart|try-restart)
+        status_q || exit 0
+        restart
+        ;;
+    status)
+	$1
+	;;
+    *)
+	echo "Usage: $0 start|stop|reload|restart|force-reload|status"
+	exit 1
+	;;
+esac
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2009,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.19.1
+VERSION=xxx #The Build script inserts the actual version

 usage() # $1 = exit status
 {
@@ -30,6 +30,8 @@ usage() # $1 = exit status
    echo "usage: $ME"
    echo "       $ME -v"
    echo "       $ME -h"
+    echo "       $ME -s"
+    echo "       $ME -f"
    exit $1
 }

@@ -94,7 +96,6 @@ install_file() # $1 = source $2 = target $3 = mode
 # INIT is the name of the script in the $DEST directory
 # ARGS is "yes" if we've already parsed an argument
 #
-ARGS=""
 T="-T"

 if [ -z "$DEST" ] ; then
@@ -105,10 +106,28 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall"
 fi

+ANNOTATED=
 SPARSE=
 MANDIR=${MANDIR:-"/usr/share/man"}
-[ -n "${LIBEXEC:=share}" ]
-[ -n "${PERLLIB:=share/shorewall}" ]
+[ -n "${LIBEXEC:=/usr/share}" ]
+[ -n "${PERLLIB:=/usr/share/shorewall}" ]
+MACHOST=
+
+case "$LIBEXEC" in
+    /*)
+	;;
+    *)
+	LIBEXEC=/usr/${LIBEXEC}
+	;;
+esac
+
+case "$PERLLIB" in
+    /*)
+	;;
+    *)
+	PERLLIB=/usr/${PERLLIB}
+	;;
+esac

 INSTALLD='-D'

@@ -134,6 +153,7 @@ case $(uname) in
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
 	MAC=Yes
+        MACHOST=Yes
 	INSTALLD=
 	T=
 	;;
@@ -145,24 +165,49 @@ esac

 OWNERSHIP="-o $OWNER -g $GROUP"

-while [ $# -gt 0 ] ; do
-    case "$1" in
-	-h|help|?)
+finished=0
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+	    
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
 			usage 0
 			;;
-        -v)
+		    v)
 			echo "Shorewall Firewall Installer Version $VERSION"
 			exit 0
 			;;
-	-s)
+		    s*)
 			SPARSE=Yes
+			option=${option#s}
+			;;
+		    a*)
+			ANNOTATED=Yes
+			option=${option#a}
+			;;
+		    p*)
+			ANNOTATED=
+			option=${option#p}
 			;;
 		    *)
 			usage 1
 			;;
 		esac
+	    done
+
 	    shift
-    ARGS="yes"
+	    ;;
+	*)
+	    [ -n "$option" ] && usage 1
+	    finished=1
+	    ;;
+    esac
 done

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -203,6 +248,9 @@ else
 	    echo "Installing Debian-specific configuration..."
 	    DEBIAN=yes
 	    SPARSE=yes
+	elif [ -f /etc/redhat-release ]; then
+	    echo "Installing Redhat/Fedora-specific configuration..."
+	    FEDORA=yes
 	elif [ -f /etc/slackware-version ] ; then
 	    echo "Installing Slackware-specific configuration..."
 	    DEST="/etc/rc.d"
@@ -217,6 +265,14 @@ else
    fi
 fi

+if [ -z "$DESTDIR" ]; then
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
 #
 # Change to the directory containing this script
 #
@@ -236,8 +292,14 @@ fi
 if [ -z "$CYGWIN" ]; then
   install_file shorewall ${DESTDIR}/sbin/shorewall 0755
   echo "shorewall control program installed in ${DESTDIR}/sbin/shorewall"
+
+   if [ -z "$MACHOST" ]; then
       eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall
       eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall
+   else
+       eval sed -i \'\' -e  \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall 
+       eval sed -i \'\' -e  \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall
+   fi
 else
   install_file shorewall ${DESTDIR}/bin/shorewall 0755
   echo "shorewall control program installed in ${DESTDIR}/bin/shorewall"
@@ -250,6 +312,8 @@ fi
 #
 if [ -n "$DEBIAN" ]; then
    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall 0544
+elif [ -n "$FEDORA" ]; then
+    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall 0544
 elif [ -n "$ARCHLINUX" ]; then
    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
 elif [ -n "$SLACKWARE" ]; then
@@ -265,8 +329,8 @@ fi
 # Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
 #
 mkdir -p ${DESTDIR}/etc/shorewall
-mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall
-mkdir -p ${DESTDIR}/usr/${PERLLIB}/Shorewall
+mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
+mkdir -p ${DESTDIR}${PERLLIB}/Shorewall
 mkdir -p ${DESTDIR}/usr/share/shorewall/configfiles
 mkdir -p ${DESTDIR}/var/lib/shorewall

@@ -274,21 +338,32 @@ chmod 755 ${DESTDIR}/etc/shorewall
 chmod 755 ${DESTDIR}/usr/share/shorewall
 chmod 755 ${DESTDIR}/usr/share/shorewall/configfiles

+run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+
 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}/etc/logrotate.d
    chmod 755 ${DESTDIR}/etc/logrotate.d
 fi

+#
+# Install the .service file
+#
+if [ -n "$SYSTEMD" ]; then
+    run_install $OWNERSHIP -m 600 shorewall.service ${DESTDIR}/lib/systemd/system/shorewall.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall.service"
+fi
+
+if [ -n "$ANNOTATED" ]; then
+    suffix=.annotated
+else
+    suffix=
+fi
 #
 # Install the config file
 #
-run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf ${DESTDIR}/usr/share/shorewall/configfiles
-
-perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall|;' ${DESTDIR}/usr/share/shorewall/configfiles/shorewall.conf
-perl -p -w -i -e 's|^STARTUP_LOG=.*|STARTUP_LOG=/var/log/shorewall-lite-init.log|;' ${DESTDIR}/usr/share/shorewall/configfiles/shorewall.conf
-
 if [ ! -f ${DESTDIR}/etc/shorewall/shorewall.conf ]; then
-   run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf ${DESTDIR}/etc/shorewall
+   run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf${suffix} ${DESTDIR}/etc/shorewall/shorewall.conf

   if [ -n "$DEBIAN" ]; then
       #
@@ -307,9 +382,10 @@ fi
 # Install the zones file
 #
 run_install $OWNERSHIP -m 0644 configfiles/zones           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/zones.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/zones ]; then
-    run_install $OWNERSHIP -m 0644 configfiles/zones ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0644 configfiles/zones${suffix} ${DESTDIR}/etc/shorewall/zones
    echo "Zones file installed as ${DESTDIR}/etc/shorewall/zones"
 fi

@@ -331,27 +407,29 @@ delete_file ${DESTDIR}/usr/share/shorewall/prog.footer
 # Install wait4ifup
 #

-install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup 0755
+install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup 0755

 echo
-echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/wait4ifup"
+echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup"

 #
 # Install the policy file
 #
-install_file configfiles/policy ${DESTDIR}/usr/share/shorewall/configfiles/policy 0644
+run_install -m 0644 configfiles/policy           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install -m 0644 configfiles/policy.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/policy ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/policy ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/policy${suffix} ${DESTDIR}/etc/shorewall/policy
    echo "Policy file installed as ${DESTDIR}/etc/shorewall/policy"
 fi
 #
 # Install the interfaces file
 #
 run_install $OWNERSHIP -m 0644 configfiles/interfaces           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/interfaces.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/interfaces ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/interfaces ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/interfaces${suffix} ${DESTDIR}/etc/shorewall/interfaces
    echo "Interfaces file installed as ${DESTDIR}/etc/shorewall/interfaces"
 fi

@@ -359,92 +437,102 @@ fi
 # Install the hosts file
 #
 run_install $OWNERSHIP -m 0644 configfiles/hosts           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/hosts.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/hosts ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/hosts ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/hosts${suffix} ${DESTDIR}/etc/shorewall/hosts
    echo "Hosts file installed as ${DESTDIR}/etc/shorewall/hosts"
 fi
 #
 # Install the rules file
 #
 run_install $OWNERSHIP -m 0644 configfiles/rules           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/rules.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/rules ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/rules ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/rules${suffix} ${DESTDIR}/etc/shorewall/rules
    echo "Rules file installed as ${DESTDIR}/etc/shorewall/rules"
 fi
 #
 # Install the NAT file
 #
 run_install $OWNERSHIP -m 0644 configfiles/nat           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/nat.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/nat ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/nat ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/nat${suffix} ${DESTDIR}/etc/shorewall/nat
    echo "NAT file installed as ${DESTDIR}/etc/shorewall/nat"
 fi
 #
 # Install the NETMAP file
 #
 run_install $OWNERSHIP -m 0644 configfiles/netmap           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/netmap.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/netmap ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/netmap ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/netmap${suffix} ${DESTDIR}/etc/shorewall/netmap
    echo "NETMAP file installed as ${DESTDIR}/etc/shorewall/netmap"
 fi
 #
 # Install the Parameters file
 #
 run_install $OWNERSHIP -m 0644 configfiles/params           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/params.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -f ${DESTDIR}/etc/shorewall/params ]; then
    chmod 0644 ${DESTDIR}/etc/shorewall/params
 else
-    run_install $OWNERSHIP -m 0644 configfiles/params ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0644 configfiles/params${suffix} ${DESTDIR}/etc/shorewall/params
    echo "Parameter file installed as ${DESTDIR}/etc/shorewall/params"
 fi
 #
 # Install the proxy ARP file
 #
 run_install $OWNERSHIP -m 0644 configfiles/proxyarp           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/proxyarp.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/proxyarp ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/proxyarp ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/proxyarp${suffix} ${DESTDIR}/etc/shorewall/proxyarp
    echo "Proxy ARP file installed as ${DESTDIR}/etc/shorewall/proxyarp"
 fi
 #
 # Install the Stopped Routing file
 #
 run_install $OWNERSHIP -m 0644 configfiles/routestopped           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/routestopped.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/routestopped ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/routestopped ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/routestopped${suffix} ${DESTDIR}/etc/shorewall/routestopped
    echo "Stopped Routing file installed as ${DESTDIR}/etc/shorewall/routestopped"
 fi
 #
 # Install the Mac List file
 #
 run_install $OWNERSHIP -m 0644 configfiles/maclist           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/maclist.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/maclist ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/maclist ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/maclist${suffix} ${DESTDIR}/etc/shorewall/maclist
    echo "MAC list file installed as ${DESTDIR}/etc/shorewall/maclist"
 fi
 #
 # Install the Masq file
 #
 run_install $OWNERSHIP -m 0644 configfiles/masq           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/masq.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/masq ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/masq ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/masq${suffix} ${DESTDIR}/etc/shorewall/masq
    echo "Masquerade file installed as ${DESTDIR}/etc/shorewall/masq"
 fi
 #
 # Install the Notrack file
 #
 run_install $OWNERSHIP -m 0644 configfiles/notrack           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/notrack.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/notrack ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/notrack ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/notrack${suffix} ${DESTDIR}/etc/shorewall/notrack
    echo "Notrack file installed as ${DESTDIR}/etc/shorewall/notrack"
 fi
 #
@@ -468,9 +556,10 @@ echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall/helpers"
 # Install the TC Rules file
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcrules           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcrules.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcrules ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcrules ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/tcrules${suffix} ${DESTDIR}/etc/shorewall/tcrules
    echo "TC Rules file installed as ${DESTDIR}/etc/shorewall/tcrules"
 fi

@@ -478,9 +567,10 @@ fi
 # Install the TC Interfaces file
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcinterfaces           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcinterfaces.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcinterfaces ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcinterfaces ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/tcinterfaces${suffix} ${DESTDIR}/etc/shorewall/tcinterfaces
    echo "TC Interfaces file installed as ${DESTDIR}/etc/shorewall/tcinterfaces"
 fi

@@ -488,9 +578,10 @@ fi
 # Install the TC Priority file
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcpri           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcpri.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcpri ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcpri ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/tcpri${suffix} ${DESTDIR}/etc/shorewall/tcpri
    echo "TC Priority file installed as ${DESTDIR}/etc/shorewall/tcpri"
 fi

@@ -498,30 +589,38 @@ fi
 # Install the TOS file
 #
 run_install $OWNERSHIP -m 0644 configfiles/tos           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tos.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tos ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tos ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/tos${suffix} ${DESTDIR}/etc/shorewall/tos
    echo "TOS file installed as ${DESTDIR}/etc/shorewall/tos"
 fi
 #
 # Install the Tunnels file
 #
 run_install $OWNERSHIP -m 0644 configfiles/tunnels           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tunnels.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tunnels ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tunnels ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/tunnels${suffix} ${DESTDIR}/etc/shorewall/tunnels
    echo "Tunnels file installed as ${DESTDIR}/etc/shorewall/tunnels"
 fi
-#
-# Install the blacklist file
-#
-run_install $OWNERSHIP -m 0644 configfiles/blacklist ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/blacklist ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/blacklist ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/blacklist${suffix} ${DESTDIR}/etc/shorewall/blacklist
    echo "Blacklist file installed as ${DESTDIR}/etc/shorewall/blacklist"
 fi
 #
+# Install the blacklist rules file
+#
+run_install $OWNERSHIP -m 0644 configfiles/blrules           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/blrules.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/blrules ]; then
+    run_install $OWNERSHIP -m 0600 configfiles/blrules${suffix} ${DESTDIR}/etc/shorewall/blrules
+    echo "Blacklist rules file installed as ${DESTDIR}/etc/shorewall/blrules"
+fi
+#
 # Install the findgw file
 #
 run_install $OWNERSHIP -m 0644 configfiles/findgw ${DESTDIR}/usr/share/shorewall/configfiles
@@ -553,9 +652,10 @@ delete_file ${DESTDIR}/usr/share/shorewall/xmodules
 # Install the Providers file
 #
 run_install $OWNERSHIP -m 0644 configfiles/providers           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/providers.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/providers ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/providers ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/providers${suffix} ${DESTDIR}/etc/shorewall/providers
    echo "Providers file installed as ${DESTDIR}/etc/shorewall/providers"
 fi

@@ -563,9 +663,10 @@ fi
 # Install the Route Rules file
 #
 run_install $OWNERSHIP -m 0644 configfiles/route_rules           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/route_rules.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/route_rules ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/route_rules ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/route_rules${suffix} ${DESTDIR}/etc/shorewall/route_rules
    echo "Routing rules file installed as ${DESTDIR}/etc/shorewall/route_rules"
 fi

@@ -573,9 +674,10 @@ fi
 # Install the tcclasses file
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcclasses           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcclasses.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcclasses ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcclasses ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/tcclasses${suffix} ${DESTDIR}/etc/shorewall/tcclasses
    echo "TC Classes file installed as ${DESTDIR}/etc/shorewall/tcclasses"
 fi

@@ -583,9 +685,10 @@ fi
 # Install the tcdevices file
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcdevices           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcdevices.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcdevices ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcdevices ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/tcdevices${suffix} ${DESTDIR}/etc/shorewall/tcdevices
    echo "TC Devices file installed as ${DESTDIR}/etc/shorewall/tcdevices"
 fi

@@ -593,9 +696,10 @@ fi
 # Install the tcfilters file
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcfilters           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcfilters.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcfilters ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcfilters ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/tcfilters${suffix} ${DESTDIR}/etc/shorewall/tcfilters
    echo "TC Filters file installed as ${DESTDIR}/etc/shorewall/tcfilters"
 fi

@@ -603,9 +707,10 @@ fi
 # Install the secmarks file
 #
 run_install $OWNERSHIP -m 0644 configfiles/secmarks           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/secmarks.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/secmarks ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/secmarks ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/secmarks${suffix} ${DESTDIR}/etc/shorewall/secmarks
    echo "Secmarks file installed as ${DESTDIR}/etc/shorewall/secmarks"
 fi

@@ -663,18 +768,20 @@ fi
 # Install the ECN file
 #
 run_install $OWNERSHIP -m 0644 configfiles/ecn           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/ecn.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/ecn ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/ecn ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/ecn${suffix} ${DESTDIR}/etc/shorewall/ecn
    echo "ECN file installed as ${DESTDIR}/etc/shorewall/ecn"
 fi
 #
 # Install the Accounting file
 #
 run_install $OWNERSHIP -m 0644 configfiles/accounting           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/accounting.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/accounting ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/accounting ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0600 configfiles/accounting${suffix} ${DESTDIR}/etc/shorewall/accounting
    echo "Accounting file installed as ${DESTDIR}/etc/shorewall/accounting"
 fi
 #
@@ -768,9 +875,10 @@ echo "Standard actions file installed as ${DESTDIR}/usr/shared/shorewall/actions
 # Install the Actions file
 #
 run_install $OWNERSHIP -m 0644 configfiles/actions           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/actions.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/actions ]; then
-    run_install $OWNERSHIP -m 0644 configfiles/actions ${DESTDIR}/etc/shorewall
+    run_install $OWNERSHIP -m 0644 configfiles/actions${suffix} ${DESTDIR}/etc/shorewall/actions
    echo "Actions file installed as ${DESTDIR}/etc/shorewall/actions"
 fi

@@ -824,23 +932,23 @@ chmod 755 ${DESTDIR}/usr/share/shorewall/Shorewall
 #
 cd Perl

-install_file compiler.pl ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl 0755
+install_file compiler.pl ${DESTDIR}${LIBEXEC}/shorewall/compiler.pl 0755

 echo
-echo "Compiler installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall/compiler.pl"
+echo "Compiler installed in ${DESTDIR}${LIBEXEC}/shorewall/compiler.pl"
 #
 # Install the params file helper
 #
-install_file getparams ${DESTDIR}/usr/${LIBEXEC}/shorewall/getparams 0755
+install_file getparams ${DESTDIR}${LIBEXEC}/shorewall/getparams 0755

 echo
-echo "Params file helper installed in ${DESTDIR}/usr/share/shorewall/getparams"
+echo "Params file helper installed in ${DESTDIR}${LIBEXEC}/shorewall/getparams"
 #
 # Install the libraries
 #
 for f in Shorewall/*.pm ; do
-    install_file $f ${DESTDIR}/usr/${PERLLIB}/$f 0644
-    echo "Module ${f%.*} installed as ${DESTDIR}/usr/${PERLLIB}/$f"
+    install_file $f ${DESTDIR}${PERLLIB}/$f 0644
+    echo "Module ${f%.*} installed as ${DESTDIR}${PERLLIB}/$f"
 done
 #
 # Install the program skeleton files
@@ -901,7 +1009,7 @@ fi
 if [ -z "$DESTDIR" ]; then
    rm -rf /usr/share/shorewall-perl
    rm -rf /usr/share/shorewall-shell
-    [ "$PERLLIB" != share/shorewall ] && rm -rf /usr/share/shorewall/Shorewall
+    [ "$PERLLIB" != /usr/share/shorewall ] && rm -rf /usr/share/shorewall/Shorewall
 fi

 if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
@@ -915,7 +1023,11 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
 	touch /var/log/shorewall-init.log
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall/shorewall.conf
    else
-	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	if [ -n "$SYSTEMD" ]; then
+	    if systemctl enable shorewall; then
+		echo "Shorewall will start automatically at boot"
+	    fi
+	elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 	    if insserv /etc/init.d/shorewall ; then
 		echo "shorewall will start automatically at boot"
 		echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@@ -1,22 +0,0 @@
-1)  On systems running Upstart, shorewall-init cannot reliably secure
-    the firewall before interfaces are brought up.
-
-    Corrected in Shorewall 4.4.19.1
-
-2)  There is a harmless duplicate ACCEPT rule in the INPUT filter chain
-    when the firewall is stopped.
-
-    Corrected in Shorewall 4.4.19.1
-
-3)  Shorewall interprets all 'nexthop' routes as default routes when
-    analyzing the pre-start routing configuration. This can lead to
-    unwanted default routes when the firewall was started or stopped.
-
-    Corrected in Shorewall 4.4.19.1
-
-3)  A defect introduced in Shorewall 4.4.17 broke the ability to
-    specify ':<low port>-<high port>' in the ADDRESS column of 
-    /etc/shorewall/masq.
-
-    Corrected in Shorewall 4.4.19.1 
-
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Shorewall 4.4 -- /usr/share/shorewall/lib.base
 #
@@ -29,7 +28,7 @@
 #

 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40417
+SHOREWALL_CAPVERSION=40426

 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -102,6 +101,7 @@ mutex_on()
    try=0
    local lockf
    lockf=${LOCKFILE:=${VARDIR}/lock}
+    local lockpid

    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}

@@ -109,8 +109,22 @@ mutex_on()

 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}

+	if [ -f $lockf ]; then
+	    lockpid=`cat ${lockf} 2> /dev/null`
+	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} removed"
+	    elif ! qt ps p ${lockpid}; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+	    fi
+	fi
+
 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    chmod u+w ${lockf}
+	    echo $$ > ${lockf}
+	    chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Shorewall 4.4 -- /usr/share/shorewall/lib.cli.
 #
@@ -30,7 +29,7 @@
 #
 fatal_error() # $@ = Message
 {
-    echo "   $@" >&2
+    echo "   ERROR: $@" >&2
    exit 2
 }

@@ -339,7 +338,7 @@ do_save() {
                    #
                    # Don't save an 'empty' file
                    #
-		    grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+		    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
 		fi
 	    fi
 	    ;;
@@ -399,6 +398,11 @@ show_routing() {
 	    heading "Table $table:"
 	    ip route list table $table
 	done
+
+	if [ -n "$g_routecache" ]; then
+	    heading "Route Cache"
+	    ip -4 route list cache
+	fi
    else
 	heading "Routing Table"
 	ip route list
@@ -422,7 +426,9 @@ list_zone() {

    [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"

-    sets=$(find_sets $1)
+    sets=$(ipset -L -n | grep '^$1_');
+
+    [ -n "$sets" ] || sets=$(find_sets $1)

    for setname in $sets; do
 	echo "${setname#${1}_}:"
@@ -519,7 +525,7 @@ show_command() {
 			    [ $# -eq 1 ] && usage 1

 			    case $2 in
-				mangle|nat|filter|raw)
+				mangle|nat|filter|raw|rawpost)
 				    table=$2
 				    table_given=Yes
 				    ;;
@@ -535,6 +541,10 @@ show_command() {
 			    g_ipt_options1="--line-numbers"
 			    option=${option#l}
 			    ;;
+			c*)
+			    g_routecache=Yes
+			    option=${option#c}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -592,6 +602,13 @@ show_command() {
 	    show_reset
 	    $IPTABLES -t raw -L $g_ipt_options
 	    ;;
+	rawpost)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
+	    echo
+	    show_reset
+	    $IPTABLES -t rawpost -L $g_ipt_options
+	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
@@ -734,11 +751,20 @@ show_command() {
 	    [ $# -gt 1 ] && usage 1
 	    perip_accounting
 	    ;;
+	marks)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
+	    echo
+	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
+	    ;;
 	*)
 	    if [ "$g_product" = Shorewall ]; then
 		case $1 in
 		    actions)
 			[ $# -gt 1 ] && usage 1
+			echo "A_ACCEPT            # Audit and accept the connection"
+			echo "A_DROP              # Audit and drop the connection"
+			echo "A_REJECT            # Audit and reject the connection "
 			echo "allowBcast          # Silently Allow Broadcast/multicast"
 			echo "allowInvalid        # Accept packets that are in the INVALID conntrack state."
 			echo "allowinUPnP         # Allow UPnP inbound (to firewall) traffic"
@@ -746,12 +772,8 @@ show_command() {
 			echo "dropBcast           # Silently Drop Broadcast/multicast"
 			echo "dropInvalid         # Silently Drop packets that are in the INVALID conntrack state"
 			echo "dropNotSyn          # Silently Drop Non-syn TCP packets"
-			echo "drop1918src         # Drop packets with an RFC 1918 source address"
-			echo "drop1918dst         # Drop packets with an RFC 1918 original dest address"
 			echo "forwardUPnP         # Allow traffic that upnpd has redirected from"
 			echo "rejNotSyn           # Silently Reject Non-syn TCP packets"
-			echo "rej1918src          # Reject packets with an RFC 1918 source address"
-			echo "rej1918dst          # Reject packets with an RFC 1918 original dest address"

 			if [ -f ${CONFDIR}/actions ]; then
 			    cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$'
@@ -914,6 +936,10 @@ do_dump_command() {
 			    g_ipt_options1="--line-numbers"
 			    option=${option#l}
 			    ;;
+			c*)
+			    g_routecache=Yes
+			    option=${option#c}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -972,6 +998,11 @@ do_dump_command() {
 	$IPTABLES -t raw -L $g_ipt_options
    fi

+    if qt $IPTABLES -t rawpost -L -n; then
+	heading "Rawpost Table"
+	$IPTABLES -t rawpost -L $g_ipt_options
+    fi
+
    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)

@@ -1487,6 +1518,7 @@ hits_command() {
 	$g_logread | grep  "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
 						t
 						s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do
+	    [ -z "$port" ] && port=0
 	    printf '%7d %-15s %d\n' $count $address $port
 	done

@@ -1671,11 +1703,13 @@ determine_capabilities() {
    OWNER_MATCH=
    IPSET_MATCH=
    OLD_IPSET_MATCH=
+    IPSET_V5=
    CONNMARK=
    XCONNMARK=
    CONNMARK_MATCH=
    XCONNMARK_MATCH=
    RAW_TABLE=
+    RAWPOST_TABLE=
    IPP2P_MATCH=
    OLD_IPP2P_MATCH=
    LENGTH_MATCH=
@@ -1701,12 +1735,18 @@ determine_capabilities() {
    LOGMARK_TARGET=
    IPMARK_TARGET=
    LOG_TARGET=Yes
+    ULOG_TARGET=
+    NFLOG_TARGET=
    PERSISTENT_SNAT=
    FLOW_FILTER=
    FWMARK_RT_MASK=
    MARK_ANYWHERE=
    HEADER_MATCH=
    ACCOUNT_TARGET=
+    AUDIT_TARGET=
+    CONDITION_MATCH=
+    IPTABLES_S=
+    BASIC_FILTER=

    chain=fooX$$

@@ -1811,11 +1851,21 @@ determine_capabilities() {
    fi

    qt $IPTABLES -t raw	    -L -n && RAW_TABLE=Yes
+    qt $IPTABLES -t rawpost -L -n && RAWPOST_TABLE=Yes

    if qt mywhich ipset; then
 	qt ipset -X $chain # Just in case something went wrong the last time

-	if qt ipset -N $chain iphash ; then
+	local have_ipset
+
+	if qt ipset -N $chain hash:ip family inet; then
+	    IPSET_V5=Yes
+	    have_ipset=Yes
+	elif qt ipset -N $chain iphash ; then
+	    have_ipset=Yes
+	fi
+
+	if [ -n "$have_ipset" ]; then
 	    if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
 		qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
 		IPSET_MATCH=Yes
@@ -1844,19 +1894,34 @@ determine_capabilities() {
    qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
    qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
    qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
+    qt $IPTABLES -A $chain -j ULOG && ULOG_TARGET=Yes
+    qt $IPTABLES -A $chain -j NFLOG && NFLOG_TARGET=Yes
    qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
-
+    qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
+    qt $IPTABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+    qt $IPTABLES -S INPUT && IPTABLES_S=Yes
    qt $IPTABLES -F $chain
    qt $IPTABLES -X $chain
    qt $IPTABLES -F $chain1
    qt $IPTABLES -X $chain1

    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+    [ -n "$TC" ] && $TC filter add basic help 2>&1 | grep -q ^Usage && BASIC_FILTER=Yes
    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes

    CAPVERSION=$SHOREWALL_CAPVERSION
-    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+   
+    KERNELVERSION=$(uname -r 2> /dev/null | sed -e 's/-.*//')
+
+    case "$KERNELVERSION" in 
+	*.*.*)
+	    KERNELVERSION=$(printf "%d%02d%02d" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+	    ;;
+	*)
+	    KERNELVERSION=$(printf "%d%02d00" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+	    ;;
+    esac
 }

 report_capabilities() {
@@ -1898,6 +1963,7 @@ report_capabilities() {
 	report_capability "Connmark Match" $CONNMARK_MATCH
 	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
 	report_capability "Raw Table" $RAW_TABLE
+	report_capability "Rawpost Table" $RAWPOST_TABLE
 	report_capability "IPP2P Match" $IPP2P_MATCH
 	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
 	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
@@ -1921,6 +1987,8 @@ report_capabilities() {
 	report_capability "LOGMARK Target" $LOGMARK_TARGET
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
+	report_capability "ULOG Target" $ULOG_TARGET
+	report_capability "NFLOG Target" $NFLOG_TARGET
 	report_capability "Persistent SNAT" $PERSISTENT_SNAT
 	report_capability "TPROXY Target" $TPROXY_TARGET
 	report_capability "FLOW Classifier" $FLOW_FILTER
@@ -1928,6 +1996,11 @@ report_capabilities() {
 	report_capability "Mark in any table" $MARK_ANYWHERE
 	report_capability "Header Match" $HEADER_MATCH
        report_capability "ACCOUNT Target" $ACCOUNT_TARGET
+	report_capability "AUDIT Target" $AUDIT_TARGET
+	report_capability "ipset V5" $IPSET_V5
+	report_capability "Condition Match" $CONDITION_MATCH
+	report_capability "iptables -S" $IPTABLES_S
+	report_capability "Basic Filter" $BASIC_FILTER
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1965,6 +2038,7 @@ report_capabilities1() {
    report_capability1 CONNMARK_MATCH
    report_capability1 XCONNMARK_MATCH
    report_capability1 RAW_TABLE
+    report_capability1 RAWPOST_TABLE
    report_capability1 IPP2P_MATCH
    report_capability1 OLD_IPP2P_MATCH
    report_capability1 CLASSIFY_TARGET
@@ -1988,6 +2062,8 @@ report_capabilities1() {
    report_capability1 LOGMARK_TARGET
    report_capability1 IPMARK_TARGET
    report_capability1 LOG_TARGET
+    report_capability1 ULOG_TARGET
+    report_capability1 NFLOG_TARGET
    report_capability1 PERSISTENT_SNAT
    report_capability1 TPROXY_TARGET
    report_capability1 FLOW_FILTER
@@ -1995,6 +2071,11 @@ report_capabilities1() {
    report_capability1 MARK_ANYWHERE
    report_capability1 HEADER_MATCH
    report_capability1 ACCOUNT_TARGET
+    report_capability1 AUDIT_TARGET
+    report_capability1 IPSET_V5
+    report_capability1 CONDITION_MATCH
+    report_capability1 IPTABLES_S
+    report_capability1 BASIC_FILTER

    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
--- a/Shorewall/lib.common
+++ b/Shorewall/lib.common
@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Shorewall 4.4 -- /usr/share/shorewall/lib.common.
 #
@@ -164,12 +163,21 @@ qt()
    "$@" >/dev/null 2>&1
 }

+#
+# Suppress all output and input - mainly for preventing leaked file descriptors
+# to avoid SELinux denials
+#
+qtnoin()
+{
+    "$@" </dev/null >/dev/null 2>&1
+}
+
 qt1()
 {
    local status

    while [ 1 ]; do
-	"$@" >/dev/null 2>&1
+	"$@" </dev/null >/dev/null 2>&1
 	status=$?
 	[ $status -ne 4 ] && return $status
    done
@@ -179,7 +187,7 @@ qt1()
 # Determine if Shorewall is "running"
 #
 shorewall_is_started() {
-    qt $IPTABLES -L shorewall -n
+    qt1 $IPTABLES -L shorewall -n
 }

 #
@@ -217,7 +225,31 @@ loadmodule() # $1 = module name, $2 - * arguments
    local modulefile
    local suffix

-    if ! list_search $modulename $DONT_LOAD $MODULES; then
+    if [ -d /sys/module/ ]; then
+	if ! list_search $modulename $DONT_LOAD; then
+	    if [ ! -d /sys/module/$modulename ]; then
+		shift
+
+		for suffix in $MODULE_SUFFIX ; do
+		    for directory in $moduledirectories; do
+			modulefile=$directory/${modulename}.${suffix}
+
+			if [ -f $modulefile ]; then
+			    case $moduleloader in
+				insmod)
+				    insmod $modulefile $*
+				    ;;
+				*)
+				    modprobe $modulename $*
+				    ;;
+			    esac
+			    break 2
+			fi
+		    done
+		done
+	    fi
+	fi
+    elif ! list_search $modulename $DONT_LOAD $MODULES; then
 	shift

 	for suffix in $MODULE_SUFFIX ; do
@@ -264,7 +296,7 @@ reload_kernel_modules() {
 	uname=$(uname -r) && \
 	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset

-    MODULES=$(lsmod | cut -d ' ' -f1)
+    [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)

    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -310,7 +342,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)

    if [ -f $modules -a -n "$moduledirectories" ]; then
-	MODULES=$(lsmod | cut -d ' ' -f1)
+	[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
 	progress_message "Loading Modules..."
 	. $modules
 	if [ $savemoduleinfo = Yes ]; then
--- a/Shorewall/modules.ipset
+++ b/Shorewall/modules.ipset
@@ -13,6 +13,7 @@
 #  copy.
 #
 ###############################################################################
+loadmodule xt_set
 loadmodule ip_set
 loadmodule ip_set_iphash
 loadmodule ip_set_ipmap
--- a/Shorewall/modules.tc
+++ b/Shorewall/modules.tc
@@ -22,4 +22,5 @@ loadmodule sch_tbf
 loadmodule cls_u32
 loadmodule cls_fw
 loadmodule cls_flow
+loadmodule cls_basic
 loadmodule act_police
--- a/Shorewall/modules.xtables
+++ b/Shorewall/modules.xtables
@@ -13,6 +13,7 @@
 #  copy.
 #
 ###############################################################################
+loadmodule xt_AUDIT
 loadmodule xt_CLASSIFY
 loadmodule xt_connmark
 loadmodule xt_CONNMARK
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -4,7 +4,8 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - 
+#         Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #
@@ -25,7 +26,7 @@
 #
 #       For a list of supported commands, type 'shorewall help'
 #
-#####################################################################################################
+################################################################################################
 #
 # Set the configuration variables from shorewall.conf
 #
@@ -298,10 +299,26 @@ get_config() {
 	    fi
 	    ;;
    esac
+
+    case $LEGACY_FASTSTART in
+	Yes|yes)
+	    ;;
+	No|no)
+	    LEGACY_FASTSTART=
+	    ;;
+	*)
+	    if [ -n "$LEGACY_FASTSTART" ]; then
+		echo "   ERROR: Invalid LEGACY_FASTSTART setting ($LEGACY_FASTSTART)" >&2
+		exit 1
+	    fi
+
+	    LEGACY_FASTSTART=Yes
+	    ;;
+    esac
 }

 #
-# Fatal error
+# Issue an error message and die
 #
 startup_error() {
    echo "   ERROR: $@" >&2
@@ -309,10 +326,36 @@ startup_error() {
    exit 1
 }

+#
+# Determine if there are config files newer than the passed object
+#
+uptodate() {
+    [ -x $1 ] || return 1
+
+    local dir
+    local ifs
+
+    ifs="$IFS"
+    IFS=':'
+
+    for dir in $CONFIG_PATH; do
+	if [ -n "$(find ${dir} -newer $1)" ]; then
+	    IFS="$ifs"
+	    return 1;
+	fi
+    done
+
+    IFS="$ifs"
+
+    return 0
+}
+
 #
 # Run the compiler
 #
 compiler() {
+    local pc
+    pc=$g_libexec/shorewall/compiler.pl

    if [ $(id -u) -ne 0 ]; then
 	if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then
@@ -323,6 +366,10 @@ compiler() {
    # We've now set SHOREWALL_DIR so recalculate CONFIG_PATH
    #
    ensure_config_path
+    #
+    # Get the config from $SHOREWALL_DIR
+    #
+    [ -n "$SHOREWALL_DIR" -a "$SHOREWALL_DIR" != /etc/shorewall ] && get_config

    case $COMMAND in
 	*start|try|refresh)
@@ -343,7 +390,7 @@ compiler() {
    [ "$1" = nolock ] && shift;
    shift

-    options="--verbose=$VERBOSITY"
+    options="--verbose=$VERBOSITY --config_path=$CONFIG_PATH"
    [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
    [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
    [ -n "$g_export" ] && options="$options --export"
@@ -353,6 +400,10 @@ compiler() {
    [ -n "$g_preview" ] && options="$options --preview"
    [ "$g_debugging" = trace ] && options="$options --debug"
    [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
+    [ -n "$g_confess" ] && options="$options --confess"
+    [ -n "$g_update" ] && options="$options --update"
+    [ -n "$g_convert" ] && options="$options --convert"
+    [ -n "$g_annotate" ] && options="$options --annotate"

    if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -363,10 +414,12 @@ compiler() {
 	PERL=/usr/bin/perl
    fi

-    if [ $g_perllib = share/shorewall ]; then
-	$PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@
+    if [ $g_perllib = ${g_libexec}/shorewall ]; then
+	$PERL $debugflags $pc $options $@
    else
-	PERL5LIB=$g_perllib $PERL $debugflags /usr/$g_libexec/shorewall/compiler.pl $options $@
+	PERL5LIB=$g_perllib
+	export PERL5LIB
+	$PERL $debugflags $pc $options $@
    fi
 }

@@ -376,12 +429,11 @@ compiler() {
 start_command() {
    local finished
    finished=0
-    local restorefile
-
-    do_it() {
+    local object
    local rc
    rc=0

+    do_it() {
 	if [ -n "$AUTOMAKE" ]; then
 	    [ -n "$nolock" ] || mutex_on
 	    run_it ${VARDIR}/firewall $g_debugging start
@@ -436,6 +488,10 @@ start_command() {
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
+			c*)
+			    AUTOMAKE=
+			    option=${option#c}
+			    ;;			    
 			*)
 			    usage 1
 			    ;;
@@ -472,40 +528,32 @@ start_command() {
    esac

    if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if qt mywhich make; then
-	    restorefile=$RESTOREFILE
-
-	    if [ -z "$g_fast" ]; then
+	if [ -z "$g_fast" -o -z "$LEGACY_FASTSTART" ]; then
 	    #
-		# Automake -- use the last compiled script
+	    # Automake or LEGACY_FASTSTART=No -- use the last compiled script
 	    #
-		RESTOREFILE=firewall
-	    fi
-
-	    export RESTOREFILE
-
-	    if ! make -qf ${CONFDIR}/Makefile; then
-		g_fast=
-		AUTOMAKE=
-	    fi
-
-	    RESTOREFILE=$restorefile
+	    object=firewall
 	else
+	    #
+	    # 'start -f' with LEGACY_FASTSTART=Yes -- use last saved configuration
+	    #
+	    object=$RESTOREFILE
+	fi
+
+	if ! uptodate ${VARDIR}/$object; then
 	    g_fast=
 	    AUTOMAKE=
 	fi

-	if [ -n "$g_fast" ]; then
-	    g_restorepath=${VARDIR}/$RESTOREFILE
-
-	    if [ -x $g_restorepath ]; then
+	if [ -n "$g_fast" -a $object = $RESTOREFILE ]; then
+	    g_restorepath=${VARDIR}/$object
+	    [ -n "$nolock" ] || mutex_on
 	    echo Restoring Shorewall...
 	    run_it $g_restorepath restore
-		date > ${VARDIR}/restarted
-		progress_message3 Shorewall restored from $g_restorepath
-	    else
-		do_it
-	    fi
+	    rc=$?
+	    [ -n "$nolock" ] || mutex_off
+	    [ $rc -eq 0 ] && progress_message3 "Shorewall restored from $g_restorepath"
+	    exit $rc
 	else
 	    do_it
 	fi
@@ -549,6 +597,10 @@ compile_command() {
 			    g_debug=Yes;
 			    option=${option#d}
 			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
 			-)
 			    finished=1
 			    option=
@@ -631,9 +683,17 @@ check_command() {
 			    option=${option#d}
 			    ;;
 			r*)
-			    g_preview=Yes;
+			    g_preview=Yes
 			    option=${option#r}
 			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
+			a*)
+			    g_annotate=Yes
+			    option=${option#a}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -673,6 +733,94 @@ check_command() {
    compiler $g_debugging $nolock check
 }

+#
+# Update Command Executor
+#
+update_command() {
+    local finished
+    finished=0
+
+    g_update=Yes
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			e*)
+			    g_export=Yes
+			    option=${option#e}
+			    ;;
+			p*)
+			    g_profile=Yes
+			    option=${option#p}
+			    ;;
+			d*)
+			    g_debug=Yes;
+			    option=${option#d}
+			    ;;
+			r*)
+			    g_preview=Yes
+			    option=${option#r}
+			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
+			a*)
+			    g_annotate=Yes
+			    option=${option#a}
+			    ;;
+			b*)
+			    g_convert=Yes
+			    option=${option#b}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    case $# in
+	0)
+	    ;;
+	1)
+	    [ -n "$SHOREWALL_DIR" ] && usage 2
+
+	    if [ ! -d $1 ]; then
+		if [ -e $1 ]; then
+		    echo "$1 is not a directory" >&2 && exit 2
+		else
+		    echo "Directory $1 does not exist" >&2 && exit 2
+		fi
+	    fi
+
+	    SHOREWALL_DIR=$(resolve_file $1)
+	    ;;
+	*)
+	    usage 1
+	    ;;
+    esac
+
+    progress_message3 "Updating..."
+
+    compiler $g_debugging $nolock check
+}
+
 #
 # Restart Command Executor
 #
@@ -703,6 +851,10 @@ restart_command() {
 			    g_fast=Yes
 			    option=${option#f}
 			    ;;
+			c*)
+			    AUTOMAKE=
+			    option=${option#c}
+			    ;;			    
 			n*)
 			    g_noroutes=Yes
 			    option=${option#n}
@@ -751,15 +903,7 @@ restart_command() {
    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

    if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then
-	if qt mywhich make; then
-	    #
-	    # RESTOREFILE is exported by get_config()
-	    #
-	    restorefile=$RESTOREFILE
-	    RESTOREFILE=firewall
-	    make -qf ${CONFDIR}/Makefile && g_fast=Yes
-	    RESTOREFILE=$restorefile
-	fi
+	uptodate ${VARDIR}/firewall && g_fast=Yes
    fi

    if [ -z "$g_fast" ]; then
@@ -825,6 +969,8 @@ refresh_command() {
 	    g_refreshchains="$g_refreshchains,$1"
 	    shift
 	done
+    else
+	g_refreshchains=:refresh:
    fi

    shorewall_is_started || fatal_error "Shorewall is not running"
@@ -851,6 +997,7 @@ refresh_command() {
 safe_commands() {
    local finished
    finished=0
+    local command

    # test is the shell supports timed read
    read -t 0 junk 2> /dev/null
@@ -953,7 +1100,7 @@ safe_commands() {

    [ -n "$nolock" ] || mutex_on

-    if ${VARDIR}/.$command $g_debugging $command; then
+    if run_it ${VARDIR}/.$command $g_debugging $command; then

 	echo -n "Do you want to accept the new firewall configuration? [y/n] "

@@ -961,9 +1108,9 @@ safe_commands() {
 	    echo "New configuration has been accepted"
 	else
 	    if [ "$command" = "restart" ]; then
-		${VARDIR}/.safe restore
+		run_it ${VARDIR}/.safe restore
 	    else
-		${VARDIR}/.$command clear
+		run_it ${VARDIR}/.$command clear
 	    fi

 	    [ -n "$nolock" ] || mutex_off
@@ -1089,13 +1236,13 @@ try_command() {

    [ -n "$nolock" ] || mutex_on

-    if ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
+    if run_it ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
 	sleep $timeout

 	if [ "$command" = "restart" ]; then
-	    ${VARDIR}/.try restore
+	    run_it ${VARDIR}/.try restore
 	else
-	    ${VARDIR}/.$command clear
+	    run_it ${VARDIR}/.$command clear
 	fi
    fi

@@ -1140,7 +1287,7 @@ reload_command() # $* = original arguments less the command.
    local root
    root=root
    local libexec
-    libexec=share
+    libexec=/usr/share

    litedir=/var/lib/shorewall-lite

@@ -1203,7 +1350,16 @@ reload_command() # $* = original arguments less the command.

    temp=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //')

-    [ -n "$temp" ] && libexec="$temp"
+    if [ -n "$temp" ]; then
+	case $temp in
+	    /*)
+		libexec="$temp"
+		;;
+	    *)
+		libexec=/usr/$temp
+		;;
+	esac
+    fi

    if [ -z "$getcaps" ]; then
 	SHOREWALL_DIR=$(resolve_file $directory)
@@ -1212,17 +1368,22 @@ reload_command() # $* = original arguments less the command.
 	[ -f $capabilities ] || getcaps=Yes
    fi

-    if [ -n "$getcaps" ]; then
    if [ -f $directory/shorewall.conf ]; then
+	if [ -f $directory/params ]; then
+	    . $directory/params
+	fi
+
 	. $directory/shorewall.conf
+	
 	ensure_config_path
    fi

+    if [ -n "$getcaps" ]; then
 	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"

 	progress_message "Getting Capabilities on system $system..."
-	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/$libexec/shorewall-lite/shorecap" > $directory/capabilities; then
-	    fatal_error "ERROR: Capturing capabilities on system $system failed"
+	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $directory/capabilities; then
+	    fatal_error "Capturing capabilities on system $system failed"
 	fi
    fi

@@ -1303,7 +1464,7 @@ export_command() # $* = original arguments less the command.
 	    target=$2
 	    ;;
 	*)
-	    fatal_error "ERROR: Invalid command syntax (\"man shorewall\" for help)"
+	    fatal_error "Invalid command syntax (\"man shorewall\" for help)"
 	    ;;
    esac

@@ -1338,12 +1499,14 @@ usage() # $1 = exit status
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
-    echo "   check [ -e ] [ -r ] [ <directory> ]"
+    echo "   check [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ <directory> ]"
    echo "   clear"
    echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
    echo "   delete <interface>[:<host-list>] ... <zone>"
+    echo "   disable <interface>"
    echo "   drop <address> ..."
    echo "   dump [ -x ]"
+    echo "   enable <interface>"
    echo "   export [ <directory1> ] [<user>@]<system>[:<directory2>]"
    echo "   forget [ <file name> ]"
    echo "   help"
@@ -1361,10 +1524,12 @@ usage() # $1 = exit status
    echo "   reject <address> ..."
    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
+    echo "   safe-restart [ <directory> ]"
+    echo "   safe-start [ <directory> ]"
    echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
+    echo "   show [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   show actions"
    echo "   show [ -f ] capabilities"
    echo "   show classifiers"
@@ -1377,18 +1542,18 @@ usage() # $1 = exit status
    echo "   show [ -m ] log [<regex>]"
    echo "   show macro <macro>"
    echo "   show macros"
-    echo "   show [ -x ] mangle|nat|raw|routing"
+    echo "   show marks"
+    echo "   show [ -x ] mangle|nat|raw|rawpost|routing"
    echo "   show policies"
    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
-    echo "   start [ -f ] [ -n ] [ -p ] [ <directory> ]"
-    echo "   stop"
+    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
    echo "   status"
+    echo "   stop"
    echo "   try <directory> [ <timeout> ]"
+    echo "   update [ -b ] [ -r ] [ -T ] [ <directory> ]"
    echo "   version [ -a ]"
-    echo "   safe-start [ <directory> ]"
-    echo "   safe-restart [ <directory> ]"
    echo
    exit $1
 }
@@ -1469,7 +1634,11 @@ g_verbose_offset=0
 g_use_verbosity=
 g_debug=
 g_export=
-g_refreshchains=
+g_refreshchains=:none:
+g_confess=
+g_update=
+g_convert=
+g_annotate=

 #
 # Make sure that these variables are cleared
@@ -1584,8 +1753,8 @@ CONFDIR=/etc/shorewall
 g_product="Shorewall"
 g_recovering=
 g_timestamp=
-g_libexec=share
-g_perllib=share/shorewall
+g_libexec=/usr/share
+g_perllib=/usr/share/shorewall

 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir

@@ -1641,8 +1810,8 @@ case "$COMMAND" in
 	start_command $@
 	;;
    stop|clear)
-	get_config
 	[ $# -ne 1 ] && usage 1
+	get_config
 	[ -x $g_firewall ] || fatal_error "Shorewall has never been started"
 	[ -n "$nolock" ] || mutex_on
 	run_it $g_firewall $g_debugging $COMMAND
@@ -1676,6 +1845,19 @@ case "$COMMAND" in
 	shift
 	check_command $@
 	;;
+    update)
+	get_config Yes
+	shift
+	update_command $@
+	;;
+    disable|enable)
+	get_config Yes
+	if shorewall_is_started; then
+	    run_it ${VARDIR}/firewall $g_debugging $@
+	else
+	    fatal_error "Shorewall is not running"
+	fi
+	;;
    show|list)
 	get_config Yes No Yes
    	shift
@@ -1693,7 +1875,7 @@ case "$COMMAND" in
 	;;
    status)
 	[ $# -eq 1 ] || usage 1
-	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
+	[ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	get_config
 	echo "Shorewall-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
 	echo
--- a/Shorewall/shorewall.service
+++ b/Shorewall/shorewall.service
@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+After=syslog.target
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall
+StandardOutput=syslog
+ExecStart=/sbin/shorewall $OPTIONS start
+ExecStop=/sbin/shorewall $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,504 +0,0 @@
-%define name shorewall
-%define version 4.4.19
-%define release 1
-
-Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
-Name: %{name}
-Version: %{version}
-Release: %{release}
-License: GPLv2
-Packager: Tom Eastep <teastep@shorewall.net>
-Group: Networking/Utilities
-Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
-BuildArch: noarch
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-Requires: iptables iproute perl
-Provides: shoreline_firewall = %{version}-%{release}
-Obsoletes: shorewall-common shorewall-perl shorewall-shell
-
-%description
-
-The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
-(iptables) based firewall that can be used on a dedicated firewall system,
-a multi-function gateway/ router/server or on a standalone GNU/Linux system.
-%prep
-
-%setup
-
-%build
-
-%install
-export DESTDIR=$RPM_BUILD_ROOT ; \
-export OWNER=`id -n -u` ; \
-export GROUP=`id -n -g` ;\
-./install.sh
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%post
-
-if [ $1 -eq 1 ]; then
-	if [ -x /sbin/insserv ]; then
-		/sbin/insserv /etc/rc.d/shorewall
-	elif [ -x /sbin/chkconfig ]; then
-		/sbin/chkconfig --add shorewall;
-	fi
-fi
-
-%preun
-
-if [ $1 = 0 ]; then
-	if [ -x /sbin/insserv ]; then
-		/sbin/insserv -r /etc/init.d/shorewall
-	elif [ -x /sbin/chkconfig ]; then
-		/sbin/chkconfig --del shorewall
-	fi
-
-	rm -f /etc/shorewall/startup_disabled
-
-fi
-
-%triggerpostun  -- shorewall-common < 4.4.0
-
-if [ -x /sbin/insserv ]; then
-    /sbin/insserv /etc/rc.d/shorewall
-elif [ -x /sbin/chkconfig ]; then
-    /sbin/chkconfig --add shorewall;
-fi
-
-%files
-%defattr(0644,root,root,0755)
-%attr(0544,root,root) /etc/init.d/shorewall
-%attr(0755,root,root) %dir /etc/shorewall
-%attr(0755,root,root) %dir /usr/share/shorewall
-%attr(0755,root,root) %dir /usr/share/shorewall/configfiles
-%attr(0700,root,root) %dir /var/lib/shorewall
-%attr(0644,root,root) %config(noreplace) /etc/shorewall/*
-
-%attr(0644,root,root) /etc/logrotate.d/shorewall
-
-%attr(0755,root,root) /sbin/shorewall
-
-%attr(0644,root,root) /usr/share/shorewall/version
-%attr(0644,root,root) /usr/share/shorewall/actions.std
-%attr(0644,root,root) /usr/share/shorewall/action.Drop
-%attr(0644,root,root) /usr/share/shorewall/action.Reject
-%attr(0644,root,root) /usr/share/shorewall/action.template
-%attr(-   ,root,root) /usr/share/shorewall/functions
-%attr(0644,root,root) /usr/share/shorewall/lib.base
-%attr(0644,root,root) /usr/share/shorewall/lib.cli
-%attr(0644,root,root) /usr/share/shorewall/lib.common
-%attr(0644,root,root) /usr/share/shorewall/macro.*
-%attr(0644,root,root) /usr/share/shorewall/modules*
-%attr(0644,root,root) /usr/share/shorewall/helpers
-%attr(0644,root,root) /usr/share/shorewall/configpath
-%attr(0755,root,root) /usr/share/shorewall/wait4ifup
-
-%attr(755,root,root) /usr/share/shorewall/compiler.pl
-%attr(755,root,root) /usr/share/shorewall/getparams
-%attr(0644,root,root) /usr/share/shorewall/prog.*
-%attr(0644,root,root) /usr/share/shorewall/Shorewall/*.pm
-
-%attr(0644,root,root) /usr/share/shorewall/configfiles/*
-
-%attr(0644,root,root) %{_mandir}/man5/*
-%attr(0644,root,root) %{_mandir}/man8/*
-
-%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
-
-%changelog
-* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1
-* Sat Apr 09 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0base
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0RC1
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta5
-* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta4
-* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta3
-* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta1
-* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0base
-* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0RC1
-* Sun Feb 20 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta4
-* Sat Feb 19 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta3
-* Sun Feb 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta2
-* Sat Feb 05 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta1
-* Fri Feb 04 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0base
-* Sun Jan 30 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0RC1
-* Fri Jan 28 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0Beta3
-* Wed Jan 19 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0Beta2
-* Sat Jan 08 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0Beta1
-* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0base
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0RC1
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta8
-* Sun Dec 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta7
-* Mon Dec 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta6
-* Fri Dec 10 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta5
-* Sat Dec 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta4
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta3
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta2
-* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta1
-* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0base
-* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0RC1
-* Mon Nov 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0Beta2
-* Sun Nov 14 2010 Tom Eastep tom@shorewall.net
- Added getparams to installed files
-* Sat Oct 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0Beta1
-* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0base
-* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0RC1
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta4
-* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta3
-* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta2
-* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta1
-* Mon May 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0base
-* Sun May 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0RC2
-* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0RC1
-* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta5
-* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta4
-* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta3
-* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta2
-* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta1
-* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0base
-* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0RC2
-* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0RC1
-* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0Beta2
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0Beta1
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta2
-* Thu Jan 21 2010 Tom Eastep tom@shorewall.net
- Add /usr/share/shorewall/helpers
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.6-0base
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.5-0base
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.4-0Beta1
-* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.3-0base
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-0base
-* Sun Aug 09 2009 Tom Eastep tom@shorewall.net
- Made Perl a dependency
-* Mon Aug 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0base
-* Tue Jul 28 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0RC2
-* Sun Jul 12 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0RC1
-* Thu Jul 09 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0Beta4
-* Sat Jun 27 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0Beta3
-* Mon Jun 15 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0Beta2
-* Fri Jun 12 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0Beta1
-* Sun Jun 07 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.13-0base
-* Fri Jun 05 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.12-0base
-* Fri Jun 05 2009 Tom Eastep tom@shorewall.net
- Remove 'rfc1918' file
-* Sun May 10 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.11-0base
-* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.10-0base
-* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.9-0base
-* Tue Mar 17 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.8-0base
-* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.7-0base
-* Fri Feb 27 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base
-* Sun Feb 22 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.5-0base
-* Sat Feb 21 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.7-0base
-* Thu Feb 05 2009 Tom Eastep tom@shorewall.net
- Add 'restored' script
-* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
-* Fri Jan 30 2009 Tom Eastep tom@shorewall.net
- Added swping files to the doc directory
-* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
-* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base
-* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0base
-* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0RC2
-* Wed Dec 17 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0RC1
-* Tue Dec 16 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.4-0base
-* Sat Dec 13 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.3-0base
-* Fri Dec 12 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.2-0base
-* Thu Dec 11 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.1-0base
-* Thu Dec 11 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.1-0base
-* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
- Updated to 4.3.0-0base
-* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
- Updated to 2.3.0-0base
-* Fri Dec 05 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.3-0base
-* Wed Nov 05 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.2-0base
-* Wed Oct 08 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.1-0base
-* Fri Oct 03 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0base
-* Tue Sep 23 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0RC4
-* Mon Sep 15 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0RC3
-* Mon Sep 08 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0RC2
-* Tue Aug 19 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0RC1
-* Thu Jul 03 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0Beta3
-* Mon Jun 02 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0Beta2
-* Wed May 07 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0Beta1
-* Mon Apr 28 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.8-0base
-* Mon Mar 24 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.7-0base
-* Thu Mar 13 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.6-0base
-* Tue Feb 05 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.5-0base
-* Fri Jan 04 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.4-0base
-* Wed Dec 12 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.3-0base
-* Fri Dec 07 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.3-1
-* Tue Nov 27 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.2-1
-* Wed Nov 21 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.1-1
-* Mon Nov 19 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.0-1
-* Thu Nov 15 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-1
-* Sat Nov 10 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-0RC3
-* Wed Nov 07 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-0RC2
-* Thu Oct 25 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-0RC1
-* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.5-1
-* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.4-1
-* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.3-1
-* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.2-1
-* Sat Jul 21 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.1-1
-* Wed Jul 11 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-1
-* Sun Jul 08 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0RC2
-* Fri Jun 29 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0RC1
-* Sun Jun 24 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta7
-* Wed Jun 20 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta6
-* Thu Jun 14 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta5
-* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta4
-* Tue Jun 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta3
-* Tue May 15 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta1
-* Fri May 11 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.7-1
-* Sat May 05 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.6-1
-* Mon Apr 30 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.5-1
-* Mon Apr 23 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.4-1
-* Wed Apr 18 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.3-1
-* Mon Apr 16 2007 Tom Eastep tom@shorewall.net
- Moved lib.dynamiczones from Shorewall-shell
-* Sat Apr 14 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.2-1
-* Tue Apr 03 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.1-1
-* Thu Mar 24 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.2-1
-* Thu Mar 15 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.1-1
-* Sat Mar 10 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-1
-* Sun Feb 25 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0RC3
-* Sun Feb 04 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0RC2
-* Wed Jan 24 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0RC1
-* Mon Jan 22 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0Beta3
-* Wed Jan 03 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0Beta2
-* Thu Dec 14 2006 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0Beta1
-* Sat Nov 25 2006 Tom Eastep tom@shorewall.net
- Added shorewall-exclusion(5)
- Updated to 3.3.6-1
-* Sun Nov 19 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.5-1
-* Sat Nov 18 2006 Tom Eastep tom@shorewall.net
- Add Man Pages.
-* Sun Oct 29 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.4-1
-* Mon Oct 16 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.3-1
-* Sat Sep 30 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.2-1
-* Wed Aug 30 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.1-1
-* Sun Aug 27 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.0-1
-* Fri Aug 25 2006 Tom Eastep tom@shorewall.net
- Updated to 3.2.3-1
-
-
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.19.1
+VERSION=xxx #The Build script inserts the actual version

 usage() # $1 = exit status
 {
@@ -72,8 +72,8 @@ else
    VERSION=""
 fi

-[ -n "${LIBEXEC:=share}" ]
-[ -n "${PERLLIB:=share/shorewall}" ]
+[ -n "${LIBEXEC:=/usr/share}" ]
+[ -n "${PERLLIB:=/usr/share/shorewall}" ]

 echo "Uninstalling shorewall $VERSION"

@@ -92,6 +92,8 @@ if [ -n "$FIREWALL" ]; then
 	updaterc.d shorewall remove
    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
        insserv -r $FIREWALL
+    elif [ -x /sbin/systemctl ]; then
+	systemctl disable shorewall
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
    else
@@ -109,13 +111,14 @@ rm -rf /etc/shorewall
 rm -rf /etc/shorewall-*.bkout
 rm -rf /var/lib/shorewall
 rm -rf /var/lib/shorewall-*.bkout
-rm -rf /usr/$PERLLIB}/Shorewall/*
-rm -rf /usr/${LIBEXEC}/shorewall
+rm -rf $PERLLIB}/Shorewall/*
+rm -rf ${LIBEXEC}/shorewall
 rm -rf /usr/share/shorewall
 rm -rf /usr/share/shorewall-*.bkout
 rm -rf /usr/share/man/man5/shorewall*
 rm -rf /usr/share/man/man8/shorewall*
 rm -f  /etc/logrotate.d/shorewall
+rm -f  /lib/systemd/system/shorewall.service

 echo "Shorewall Uninstalled"

--- a/Shorewall6-lite/COPYING
+++ b/Shorewall6-lite/COPYING
@@ -2,7 +2,8 @@
 		       Version 2, June 1991

 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+                          51 Franklin Street, Fifth Floor,
+			  Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -110,6 +110,11 @@ shorewall6_refresh () {
  return 0
 }

+# status of the firewall
+shorewall6_status () {
+  $SRWL $SRWL_OPTS status && exit 0 || exit $?
+}
+
 case "$1" in
  start)
     shorewall6_start
@@ -123,8 +128,11 @@ case "$1" in
  force-reload|restart)
     shorewall6_restart
     ;;
+  status)
+     shorewall6_status
+     ;;
  *)
-     echo "Usage: /etc/init.d/shorewall6-lite {start|stop|refresh|restart|force-reload}"
+     echo "Usage: /etc/init.d/shorewall6-lite {start|stop|refresh|restart|force-reload|status}"
     exit 1
 esac

--- a/Shorewall6-lite/init.fedora.sh
+++ b/Shorewall6-lite/init.fedora.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall6-lite
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop:	  0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall6-lite"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+    . /etc/sysconfig/$prog
+fi
+
+start() {
+    echo -n $"Starting Shorewall: "
+    $shorewall $OPTIONS start 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping Shorewall: "
+    $shorewall $OPTIONS stop 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	rm -f $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+    echo -n $"Restarting Shorewall: "
+    $shorewall $OPTIONS restart 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else # Failed to start, clean up lock file if present
+	rm -f $lockfile
+	failure
+    fi
+    echo
+    return $retval
+}
+
+status(){
+    $shorewall status
+    return $?
+}
+
+status_q() {
+    status > /dev/null 2>&1
+}
+
+case "$1" in
+    start)
+	status_q && exit 0
+	$1
+	;;
+    stop)
+	status_q || exit 0
+	$1
+	;;
+    restart|reload|force-reload)
+	restart
+	;;
+    condrestart|try-restart)
+        status_q || exit 0
+        restart
+        ;;
+    status)
+	$1
+	;;
+    *)
+	echo "Usage: $0 start|stop|reload|restart|force-reload|status"
+	exit 1
+	;;
+esac
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.19.1
+VERSION=xxx #The build script will insert the actual version

 usage() # $1 = exit status
 {
@@ -123,7 +123,16 @@ done

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-[ -n "${LIBEXEC:=share}" ]
+[ -n "${LIBEXEC:=/usr/share}" ]
+
+case "$LIBEXEC" in
+    /*)
+	;;
+    *)
+	LIBEXEC=/usr/${LIBEXEC}
+	;;
+esac
+
 #
 # Determine where to install the firewall script
 #
@@ -162,6 +171,8 @@ if [ -n "$DESTDIR" ]; then
    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
    DEBIAN=yes
+elif [ -f /etc/redhat-release ]; then
+    FEDORA=yes
 elif [ -f /etc/slackware-version ] ; then
    DEST="/etc/rc.d"
    INIT="rc.firewall"
@@ -171,6 +182,14 @@ elif [ -f /etc/arch-release ] ; then
      ARCHLINUX=yes
 fi

+if [ -z "$DESTDIR" ]; then
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
 #
 # Change to the directory containing this script
 #
@@ -188,7 +207,7 @@ else
    rm -rf ${DESTDIR}/etc/shorewall6-lite
    rm -rf ${DESTDIR}/usr/share/shorewall6-lite
    rm -rf ${DESTDIR}/var/lib/shorewall6-lite
-    [ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall6-lite/wait4ifup /usr/share/shorewall6-lite/shorecap
+    [ "$LIBEXEC" = /usr/share ] || rm -rf /usr/share/shorewall6-lite/wait4ifup /usr/share/shorewall6-lite/shorecap
 fi

 #
@@ -213,6 +232,8 @@ echo "Shorewall6 Lite control program installed in ${DESTDIR}/sbin/shorewall6-li
 #
 if [ -n "$DEBIAN" ]; then
    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall6-lite 0544
+elif [ -n "$FEDORA" ]; then
+    install_file init.fedora.sh /etc/init.d/shorewall6-lite 0544
 elif [ -n "$ARCHLINUX" ]; then
    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544

@@ -227,7 +248,7 @@ echo  "Shorewall6 Lite script installed in ${DESTDIR}${DEST}/$INIT"
 #
 mkdir -p ${DESTDIR}/etc/shorewall6-lite
 mkdir -p ${DESTDIR}/usr/share/shorewall6-lite
-mkdir -p ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite
+mkdir -p ${DESTDIR}${LIBEXEC}/shorewall6-lite
 mkdir -p ${DESTDIR}/var/lib/shorewall6-lite

 chmod 755 ${DESTDIR}/etc/shorewall6-lite
@@ -238,6 +259,14 @@ if [ -n "$DESTDIR" ]; then
    chmod 755 ${DESTDIR}/etc/logrotate.d
 fi

+#
+# Install the .service file
+#
+if [ -n "$SYSTEMD" ]; then
+    run_install $OWNERSHIP -m 600 shorewall6-lite.service ${DESTDIR}/lib/systemd/system/shorewall6-lite.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall6-lite.service"
+fi
+
 #
 # Install the config file
 #
@@ -280,20 +309,20 @@ echo "Common functions linked through ${DESTDIR}/usr/share/shorewall6-lite/funct
 # Install Shorecap
 #

-install_file shorecap ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/shorecap 0755
+install_file shorecap ${DESTDIR}${LIBEXEC}/shorewall6-lite/shorecap 0755

 echo
-echo "Capability file builder installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/shorecap"
+echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/shorewall6-lite/shorecap"

 #
 # Install wait4ifup
 #

 if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/wait4ifup 0755
+    install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall6-lite/wait4ifup 0755

    echo
-    echo "wait4ifup installed in ${DESTDIR}/usr/${LIBEXEC}/shorewall6-lite/wait4ifup"
+    echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall6-lite/wait4ifup"
 fi

 #
@@ -371,7 +400,11 @@ if [ -z "$DESTDIR" ]; then

 	    echo "Shorewall6 Lite will start automatically at boot"
 	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	    if [ -n "$SYSTEMD" ]; then
+		if systemctl enable shorewall6-lite; then
+		    echo "Shorewall6 Lite will start automatically at boot"
+		fi
+	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if insserv /etc/init.d/shorewall6-lite ; then
 		    echo "Shorewall6 Lite will start automatically at boot"
 		else
--- a/Show More
+++ b/Show More