Allow wide MARK values in tcclasses when WIDE_TC_MARKS=Yes

Fix class number assignment when WIDE_TC_MARKS=Yes
Remove superfluous line of code
2009-11-21 07:54:42 -08:00 · 2009-11-20 12:25:15 -08:00 · 2009-11-19 10:54:58 -08:00 · 2009-11-19 10:35:25 -08:00 · 2009-11-18 20:08:50 -08:00 · 2009-11-18 19:59:21 -08:00
110 changed files with 3717 additions and 2657 deletions
--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
@@ -10,10 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
-#
-# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
-#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs
--- a/Samples/one-interface/policy
+++ b/Samples/one-interface/policy
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 $FW		net		ACCEPT
--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -34,9 +34,9 @@ VERBOSITY=1

 LOGFILE=/var/log/messages

-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log

-LOG_VERBOSITY=
+LOG_VERBOSITY=2

 LOGFORMAT="Shorewall:%s:%s:"

@@ -191,6 +191,10 @@ AUTOMAKE=No

 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/one-interface/zones
+++ b/Samples/one-interface/zones
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
--- a/Samples/three-interfaces/interfaces
+++ b/Samples/three-interfaces/interfaces
@@ -10,10 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
-#
-# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
-#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians
--- a/Samples/three-interfaces/masq
+++ b/Samples/three-interfaces/masq
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Masq
-#
 ##############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\
--- a/Samples/three-interfaces/policy
+++ b/Samples/three-interfaces/policy
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST

--- a/Samples/three-interfaces/routestopped
+++ b/Samples/three-interfaces/routestopped
@@ -10,11 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
-#
-# See http://shorewall.net/Documentation.htm#Routestopped and
-# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
 ##############################################################################
 #INTERFACE	HOST(S)
 eth1		-
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Rules
-#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -34,9 +34,9 @@ VERBOSITY=1

 LOGFILE=/var/log/messages

-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log

-LOG_VERBOSITY=
+LOG_VERBOSITY=2

 LOGFORMAT="Shorewall:%s:%s:"

@@ -191,6 +191,10 @@ AUTOMAKE=No

 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/three-interfaces/zones
+++ b/Samples/three-interfaces/zones
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
--- a/Samples/two-interfaces/interfaces
+++ b/Samples/two-interfaces/interfaces
@@ -10,10 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
-#
-# For additional information, see
-# http://shorewall.net/Documentation.htm#Interfaces
-#
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
--- a/Samples/two-interfaces/masq
+++ b/Samples/two-interfaces/masq
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-#
-# For additional information, see http://shorewall.net/Documentation.htm#Masq
-#
 ###############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\
--- a/Samples/two-interfaces/policy
+++ b/Samples/two-interfaces/policy
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
-#
-# See http://shorewall.net/Documentation.htm#Policy for additional information.
-#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST

--- a/Samples/two-interfaces/routestopped
+++ b/Samples/two-interfaces/routestopped
@@ -10,11 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
-#
-# See http://shorewall.net/Documentation.htm#Routestopped and
-# http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
 ##############################################################################
 #INTERFACE	HOST(S)                  OPTIONS
 eth1		-
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Rules
-#
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -41,9 +41,9 @@ SHOREWALL_COMPILER=

 LOGFILE=/var/log/messages

-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log

-LOG_VERBOSITY=
+LOG_VERBOSITY=2

 LOGFORMAT="Shorewall:%s:%s:"

@@ -198,6 +198,10 @@ AUTOMAKE=No

 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples/two-interfaces/zones
+++ b/Samples/two-interfaces/zones
@@ -10,9 +10,6 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
-#
-# For more information, see http://www.shorewall.net/Documentation.htm#Zones
-#
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -32,9 +32,9 @@ VERBOSITY=1

 LOGFILE=/var/log/messages

-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log

-LOG_VERBOSITY=
+LOG_VERBOSITY=2

 LOGFORMAT="Shorewall:%s:%s:"

@@ -139,6 +139,10 @@ AUTOMAKE=No

 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -32,9 +32,9 @@ VERBOSITY=1

 LOGFILE=/var/log/messages

-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log

-LOG_VERBOSITY=
+LOG_VERBOSITY=2

 LOGFORMAT="Shorewall:%s:%s:"

@@ -139,6 +139,10 @@ AUTOMAKE=No

 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -32,9 +32,9 @@ VERBOSITY=1

 LOGFILE=/var/log/messages

-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log

-LOG_VERBOSITY=
+LOG_VERBOSITY=2

 LOGFORMAT="Shorewall:%s:%s:"

@@ -139,6 +139,10 @@ AUTOMAKE=No

 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall-lite/default.debian
+++ b/Shorewall-lite/default.debian
@@ -21,4 +21,9 @@ startup=0

 OPTIONS=""

+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
 # EOF
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=4.4.2.5
+VERSION=4.4.4

 usage() # $1 = exit status
 {
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -15,9 +15,7 @@

 SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
-# Note, set INITLOG to /dev/null if you do not want to
-# keep logs of the firewall (not recommended)
-INITLOG=/var/log/shorewall-lite-init.log
+test -n ${INITLOG:=/var/log/shorewall-lite-init.log}

 [ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0

@@ -25,7 +23,7 @@ export SHOREWALL_INIT_SCRIPT

 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.2.5
+VERSION=4.4.4

 usage() # $1 = exit status
 {
@@ -220,6 +220,11 @@ mkdir -p ${PREFIX}/var/lib/shorewall-lite
 chmod 755 ${PREFIX}/etc/shorewall-lite
 chmod 755 ${PREFIX}/usr/share/shorewall-lite

+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
+fi
+
 #
 # Install the config file
 #
@@ -304,6 +309,12 @@ cd ..

 echo "Man Pages Installed"

+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall-lite
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall-lite"
+fi
+
+
 #
 # Create the version file
 #
--- a/Shorewall-lite/logrotate
+++ b/Shorewall-lite/logrotate
@@ -0,0 +1,5 @@
+/var/log/shorewall-init.log {
+  missingok
+  notifempty
+  create 0600 root root
+}
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.2
-%define release 5
+%define version 4.4.4
+%define release 0base

 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -79,6 +79,8 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall-lite
 %attr(0700,root,root) %dir /var/lib/shorewall-lite

+%attr(0644,root,root) /etc/logrotate.d/shorewall-lite
+
 %attr(0755,root,root) /sbin/shorewall-lite

 %attr(0644,root,root) /usr/share/shorewall-lite/version
@@ -98,16 +100,14 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
-* Sat Oct 24 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-5
-* Fri Oct 23 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-4
-* Tue Oct 13 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-3
-* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-2
-* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-1
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
+* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
 * Sun Sep 06 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base
 * Fri Sep 04 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.2.5
+VERSION=4.4.4

 usage() # $1 = exit status
 {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -85,6 +85,7 @@ our %EXPORT_TAGS = (
 				       decr_cmd_level
 				       chain_base
 				       forward_chain
+				       rules_chain
 				       zone_forward_chain
 				       use_forward_chain
 				       input_chain
@@ -146,6 +147,7 @@ our %EXPORT_TAGS = (
 				       addnatjump
 				       set_chain_variables
 				       mark_firewall_not_started
+				       mark_firewall6_not_started
 				       get_interface_address
 				       get_interface_addresses
 				       get_interface_bcasts
@@ -165,7 +167,7 @@ our %EXPORT_TAGS = (

 Exporter::export_ok_tags('internal');

-our $VERSION = '4.4_2';
+our $VERSION = '4.4_4';

 #
 # Chain Table
@@ -247,6 +249,7 @@ our $iprangematch;
 our $chainseq;
 our $idiotcount;
 our $idiotcount1;
+our $warningcount;

 our $global_variables;

@@ -357,6 +360,7 @@ sub initialize( $ ) {
    $global_variables   = 0;
    $idiotcount         = 0;
    $idiotcount1        = 0;
+    $warningcount       = 0;

 }

@@ -368,7 +372,7 @@ sub process_comment() {
 	( $comment = $currentline ) =~ s/^\s*COMMENT\s*//;
 	$comment =~ s/\s*$//;
    } else {
-	warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
+	warning_message "COMMENTs ignored -- require comment support in iptables/Netfilter" unless $warningcount++;
    }
 }

@@ -639,16 +643,15 @@ sub move_rules( $$ ) {
    my ($chain1, $chain2 ) = @_;

    if ( $chain1->{referenced} ) {
-	my @rules = @{$chain1->{rules}};
 	my $name  = $chain1->{name};
 	#
 	# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
 	#
 	$name =~ s/\+/\\+/;

-	( s/\-([AI]) $name /-$1 $chain2->{name} / ) for @rules;
+	( s/\-([AI]) $name /-$1 $chain2->{name} / ) for @{$chain1->{rules}};

-	splice @{$chain2->{rules}}, 0, 0, @rules;
+	splice @{$chain2->{rules}}, 0, 0, @{$chain1->{rules}};

 	$chain2->{referenced} = 1;
 	$chain1->{referenced} = 0;
@@ -668,6 +671,13 @@ sub chain_base($) {
    $chain;
 }

+#
+# Name of canonical chain
+#
+sub rules_chain ($$) {
+    join "$config{ZONE2ZONE}", @_;
+}
+
 #
 # Forward Chain for an interface
 #
@@ -757,7 +767,7 @@ sub use_input_chain($) {
    #
    # Use the '<zone>2fw' chain if it is referenced.
    #
-    $chainref = $filter_table->{join( '' , $zone , '2' , firewall_zone )};
+    $chainref = $filter_table->{rules_chain( $zone, firewall_zone )};

    ! ( $chainref->{referenced} || $chainref->{is_policy} )
 }
@@ -801,7 +811,7 @@ sub use_output_chain($) {
    #
    # Use the 'fw2<zone>' chain if it is referenced.
    #
-    $chainref = $filter_table->{join( '', firewall_zone , '2', $interfaceref->{zone} )};
+    $chainref = $filter_table->{rules_chain( firewall_zone , $interfaceref->{zone} )};

    ! ( $chainref->{referenced} || $chainref->{is_policy} )
 }
@@ -811,7 +821,7 @@ sub use_output_chain($) {
 #
 sub masq_chain($)
 {
-     $_[0] . '_masq';
+    $_[0] . '_masq';
 }

 #
@@ -1173,7 +1183,7 @@ sub finish_section ( $ ) {

    for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    my $chainref = $chain_table{'filter'}{"${zone}2${zone1}"};
+	    my $chainref = $chain_table{'filter'}{rules_chain( $zone, $zone1 )};
 	    finish_chain_section $chainref, $sections if $chainref->{referenced};
 	}
    }
@@ -1200,12 +1210,12 @@ sub set_mss( $$$ ) {

    for my $z ( all_zones ) {
 	if ( $direction eq '_in' ) {
-	    set_mss1 "${zone}2${z}" , $mss;
+	    set_mss1 rules_chain( ${zone}, ${z} ) , $mss;
 	} elsif ( $direction eq '_out' ) {
-	    set_mss1 "${z}2${zone}", $mss;
+	    set_mss1 rules_chain( ${z}, ${zone} ) , $mss;
 	} else {
-	    set_mss1 "${z}2${zone}", $mss;
-	    set_mss1 "${zone}2${z}", $mss;
+	    set_mss1 rules_chain( ${z}, ${zone} ) , $mss;
+	    set_mss1 rules_chain( ${zone}, ${z} ) , $mss;
 	}
    }
 }
@@ -1725,6 +1735,7 @@ sub match_source_dev( $ ) {
    my $interface = shift;
    return '' if $interface eq '+';
    my $interfaceref =  known_interface( $interface );
+    $interface = $interfaceref->{physical} if $interfaceref;
    if ( $interfaceref && $interfaceref->{options}{port} ) {
 	"-i $interfaceref->{bridge} -m physdev --physdev-in $interface ";
    } else {
@@ -1739,6 +1750,7 @@ sub match_dest_dev( $ ) {
    my $interface = shift;
    return '' if $interface eq '+';
    my $interfaceref =  known_interface( $interface );
+    $interface = $interfaceref->{physical} if $interfaceref;
    if ( $interfaceref && $interfaceref->{options}{port} ) {
 	if ( $capabilities{PHYSDEV_BRIDGE} ) {
 	    "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface ";
@@ -2114,7 +2126,11 @@ sub set_chain_variables() {
 # Emit code that marks the firewall as not started.
 #
 sub mark_firewall_not_started() {
-    emit ( 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall' );
+    if ( $family == F_IPV4 ) {
+	emit ( 'qt1 $IPTABLES -L shorewall -n && qt1 $IPTABLES -F shorewall && qt1 $IPTABLES -X shorewall' );
+    } else {
+	emit ( 'qt1 $IPTABLES6 -L shorewall -n && qt1 $IPTABLES6 -F shorewall && qt1 $IPTABLES6 -X shorewall' );
+    }
 }

 ####################################################################################################################
@@ -2134,10 +2150,11 @@ sub interface_address( $ ) {
 # Record that the ruleset requires the first IP address on the passed interface
 #
 sub get_interface_address ( $ ) {
-    my ( $interface ) = $_[0];
+    my ( $logical ) = $_[0];

+    my $interface = get_physical( $logical );
    my $variable = interface_address( $interface );
-    my $function = interface_is_optional( $interface ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';
+    my $function = interface_is_optional( $logical ) ? 'find_first_interface_address_if_any' : 'find_first_interface_address';

    $global_variables |= ALL_COMMANDS;

@@ -2158,7 +2175,7 @@ sub interface_bcasts( $ ) {
 # Record that the ruleset requires the broadcast addresses on the passed interface
 #
 sub get_interface_bcasts ( $ ) {
-    my ( $interface ) = $_[0];
+    my ( $interface ) = get_physical $_[0];

    my $variable = interface_bcasts( $interface );

@@ -2181,7 +2198,7 @@ sub interface_acasts( $ ) {
 # Record that the ruleset requires the anycast addresses on the passed interface
 #
 sub get_interface_acasts ( $ ) {
-    my ( $interface ) = $_[0];
+    my ( $interface ) = get_physical $_[0];

    $global_variables |= NOT_RESTORE;

@@ -2204,15 +2221,16 @@ sub interface_gateway( $ ) {
 # Record that the ruleset requires the gateway address on the passed interface
 #
 sub get_interface_gateway ( $ ) {
-    my ( $interface ) = $_[0];
+    my ( $logical ) = $_[0];

+    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );

    my $routine = $config{USE_DEFAULT_RT} ? 'detect_dynamic_gateway' : 'detect_gateway';

    $global_variables |= ALL_COMMANDS;

-    if ( interface_is_optional $interface ) {
+    if ( interface_is_optional $logical ) {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)\n);
    } else {
 	$interfacegateways{$interface} = qq([ -n "\$$variable" ] || $variable=\$($routine $interface)
@@ -2235,13 +2253,14 @@ sub interface_addresses( $ ) {
 # Record that the ruleset requires the IP addresses on the passed interface
 #
 sub get_interface_addresses ( $ ) {
-    my ( $interface ) = $_[0];
+    my ( $logical ) = $_[0];

+    my $interface = get_physical( $logical );
    my $variable = interface_addresses( $interface );

    $global_variables |= NOT_RESTORE;

-    if ( interface_is_optional $interface ) {
+    if ( interface_is_optional $logical ) {
 	$interfaceaddrs{$interface} = qq($variable=\$(find_interface_addresses $interface)\n);
    } else {
 	$interfaceaddrs{$interface} = qq($variable=\$(find_interface_addresses $interface)
@@ -2264,13 +2283,14 @@ sub interface_nets( $ ) {
 # Record that the ruleset requires the networks routed out of the passed interface
 #
 sub get_interface_nets ( $ ) {
-    my ( $interface ) = $_[0];
+    my ( $logical ) = $_[0];

+    my $interface = get_physical( $logical );
    my $variable = interface_nets( $interface );

    $global_variables |= ALL_COMMANDS;

-    if ( interface_is_optional $interface ) {
+    if ( interface_is_optional $logical ) {
 	$interfacenets{$interface} = qq($variable=\$(get_routed_networks $interface)\n);
    } else {
 	$interfacenets{$interface} = qq($variable=\$(get_routed_networks $interface)
@@ -2294,13 +2314,14 @@ sub interface_mac( $$ ) {
 # Record the fact that the ruleset requires MAC address of the passed gateway IP routed out of the passed interface for the passed provider number
 #
 sub get_interface_mac( $$$ ) {
-    my ( $ipaddr, $interface , $table ) = @_;
+    my ( $ipaddr, $logical , $table ) = @_;

+    my $interface = get_physical( $logical );
    my $variable = interface_mac( $interface , $table );

    $global_variables |= NOT_RESTORE;

-    if ( interface_is_optional $interface ) {
+    if ( interface_is_optional $logical ) {
 	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)\n);
    } else {
 	$interfacemacs{$table} = qq($variable=\$(find_mac $ipaddr $interface)
@@ -2872,15 +2893,6 @@ sub emitr( $ ) {
    }
 }

-#
-# Simple version that only handles rules
-#
-sub emitr1( $ ) {
-    my $rule = $_[0];
-
-    emit_unindented $rule;
-}
-
 #
 # Generate the netfilter input
 #
@@ -3168,7 +3180,7 @@ sub create_stop_load( $ ) {
 	# Then emit the rules
 	#
 	for my $chainref ( @chains ) {
-	    emitr1 $_ for @{$chainref->{rules}};
+	    emit_unindented $_ for @{$chainref->{rules}};
 	}
 	#
 	# Commit the changes to the table
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -43,7 +43,7 @@ use Shorewall::Raw;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_2';
+our $VERSION = '4.4_4';

 our $export;

@@ -90,14 +90,24 @@ sub generate_script_1() {
 	}
    }

+    my $lib = find_file 'lib.private';
+
+    if ( -f $lib ) {
+	emit <<'EOF';
+################################################################################
+# Functions imported from lib.private
+################################################################################
+EOF
+
+	copy1 $lib;
+	emit "\n";
+    }
+
    emit <<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
-    my $lib = find_file 'lib.private';
-
-    copy1 $lib, emit "\n" if -f $lib;

    for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ {
 	emit "\nrun_${exit}_exit() {";
@@ -129,7 +139,7 @@ EOF
 #    Generate the 'initialize()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the object file.
+#          than those related to writing to the output script file.

 sub generate_script_2() {

@@ -204,8 +214,7 @@ sub generate_script_2() {

    emit ( '[ -n "${COMMAND:=restart}" ]',
 	   '[ -n "${VERBOSE:=0}" ]',
-	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]),
-	   '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"' );
+	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) );

    emit ( qq(VERSION="$globals{VERSION}") ) unless $test;

@@ -303,7 +312,7 @@ sub generate_script_2() {
 #    Generate the 'define_firewall()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the object file.
+#          than those related to writing to the output script file.
 #
 sub generate_script_3($) {

@@ -412,23 +421,10 @@ sub generate_script_3($) {
 	emit "disable_ipv6\n" if $config{DISABLE_IPV6};

    } else {
-	emit ( '#',
-	       '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
-	       '#',
-	       'qt1 $IP6TABLES -N foox1234',
-	       'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
-	       'result=$?',
-	       'qt1 $IP6TABLES -F foox1234',
-	       'qt1 $IP6TABLES -X foox1234',
-	       '[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"',
+	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', 
 	       '' );
-
-	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
-		   '',
-	       'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall',
-	       ''
-	     );
-
+	mark_firewall_not_started;
+	emit '';
    }

    emit qq(delete_tc1\n) if $config{CLEAR_TC};
@@ -450,6 +446,10 @@ sub generate_script_3($) {
    dump_zone_contents;
    emit_unindented '__EOF__';

+    emit 'cat > ${VARDIR}/policies << __EOF__';
+    save_policies;
+    emit_unindented '__EOF__';
+
    pop_indent;

    emit "fi\n";
@@ -536,8 +536,8 @@ EOF
 #
 sub compiler {

-    my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
-       ( '',          '',         -1,          '',          0,      '',       '',   -1 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1 );

    $export = 0;
    $test   = 0;
@@ -557,7 +557,8 @@ sub compiler {
 	defined($val) && ($val == F_IPV4 || $val == F_IPV6);
    }

-    my %parms = ( object        => { store => \$objectfile },
+    my %parms = ( object        => { store => \$scriptfilename },    #Deprecated
+		  script        => { store => \$scriptfilename },
 		  directory     => { store => \$directory  },
 		  family        => { store => \$family    ,    validate => \&validate_family    } ,
 		  verbosity     => { store => \$verbosity ,    validate => \&validate_verbosity } ,
@@ -608,9 +609,9 @@ sub compiler {
    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{HIGH_ROUTE_MARKS};
    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};

-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	set_command( 'compile', 'Compiling', 'Compiled' );
-	create_temp_object( $objectfile , $export );
+	create_temp_script( $scriptfilename , $export );
    } else {
 	set_command( 'check', 'Checking', 'Checked' );
    }
@@ -656,11 +657,11 @@ sub compiler {
    #
    setup_notrack;

-    enable_object;
+    enable_script;

-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	#
-	# Place Header in the object
+	# Place Header in the script
 	#
 	generate_script_1;
 	#
@@ -694,24 +695,24 @@ sub compiler {
    #
    setup_proxy_arp;
    #
-    # Handle MSS setings in the zones file
+    # Handle MSS settings in the zones file
    #
    setup_zone_mss;

-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	emit 'return 0';
 	pop_indent;
 	emit '}';
    }

-    disable_object;
+    disable_script;
    #
    #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
    #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
    #
-    enable_object;
+    enable_script;

-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
@@ -729,12 +730,12 @@ sub compiler {
    #
    setup_tc;

-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	pop_indent;
 	emit "}\n";
    }

-    disable_object;
+    disable_script;
    #
    #                                       N E T F I L T E R
    #       (Produces no output to the compiled script -- rules are stored in the chain table)
@@ -790,13 +791,13 @@ sub compiler {
    #
    setup_accounting;

-    if ( $objectfile ) {
+    if ( $scriptfilename ) {
 	#
 	# Generate the zone by zone matrix
 	#
 	generate_matrix;

-	enable_object;
+	enable_script;
 	#
 	#                             I N I T I A L I Z E
 	#           (Writes the initialize() function to the compiled script)
@@ -819,7 +820,7 @@ sub compiler {
 	#
 	compile_stop_firewall( $test );
 	#
-	# Copy the footer to the object
+	# Copy the footer to the script
 	#
 	unless ( $test ) {
 	    if ( $family == F_IPV4 ) {
@@ -829,15 +830,15 @@ sub compiler {
 	    }
 	}

-	disable_object;
+	disable_script;
 	#
-	# Close, rename and secure the object
+	# Close, rename and secure the script
 	#
-	finalize_object ( $export );
+	finalize_script ( $export );
 	#
 	# And generate the auxilary config file
 	#
-	enable_object, generate_aux_config if $export;
+	enable_script, generate_aux_config if $export;
    } else {
 	#
 	# Re-initialize the chain table so that process_routestopped() has the same
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -24,7 +24,7 @@
 #   It also exports functions for generating warning and error messages.
 #   The get_configuration function parses the shorewall.conf, capabilities and
 #   modules files during compiler startup. The module also provides the basic
-#   output file services such as creation of temporary 'object' files, writing
+#   output file services such as creation of temporary 'script' files, writing
 #   into those files (emitters) and finalizing those files (renaming
 #   them to their final name and setting their mode appropriately).
 #
@@ -54,10 +54,10 @@ our @EXPORT = qw(

 our @EXPORT_OK = qw( $shorewall_dir initialize read_a_line1 set_config_path shorewall);

-our %EXPORT_TAGS = ( internal => [ qw( create_temp_object
-				       finalize_object
-				       enable_object
-				       disable_object
+our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
+				       finalize_script
+				       enable_script
+				       disable_script
 		                       numeric_value
 		                       numeric_value1
 		                       hex_value
@@ -127,7 +127,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_object

 Exporter::export_ok_tags('internal');

-our $VERSION = '4.4_2';
+our $VERSION = '4.4_4';

 #
 # describe the current command, it's present progressive, and it's completion.
@@ -146,13 +146,13 @@ our ( $log, $log_verbosity );
 #
 our $timestamp;
 #
-# Object file handle
+# Script (output) file handle
 #
-our $object;
+our $script;
 #
-# When 'true', writes to the object are enabled. Used to catch code emission between functions
+# When 'true', writes to the script are enabled. Used to catch code emission between functions
 #
-our $object_enabled;
+our $script_enabled;
 #
 # True, if last line emitted is blank
 #
@@ -170,7 +170,7 @@ our $indent2;
 #
 our $indent;
 #
-# Object's Directory and File
+# Script's Directory and File
 #
 our ( $dir, $file );
 #
@@ -186,10 +186,9 @@ our %globals;
 #
 our %config;
 #
-# Config options and global settings that are to be copied to object script
+# Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOGFORMAT SUBSYSLOCK LOCKFILE /;
-our @propagateenv    = qw/ LOGLIMIT LOGTAGONLY LOGRULENUMBERS /;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX SUBSYSLOCK /;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -262,8 +261,8 @@ our $currentline;             # Current config file line image
 our $currentfile;             # File handle reference
 our $currentfilename;         # File NAME
 our $currentlinenumber;       # Line number
-our $scriptfile;              # File Handle Reference to current temporary file being written by an in-line Perl script
-our $scriptfilename;          # Name of that file.
+our $perlscript;              # File Handle Reference to current temporary file being written by an in-line Perl script
+our $perlscriptname;          # Name of that file.
 our @tempfiles;               # Files that need unlinking at END
 our $first_entry;             # Message to output or function to call on first non-blank line of a file

@@ -308,13 +307,13 @@ sub initialize( $ ) {
    $log = undef;              # File reference for log file
    $log_verbosity = -1;       # Verbosity of log.
    $timestamp = '';           # If true, we are to timestamp each progress message
-    $object = 0;               # Object (script) file Handle Reference
-    $object_enabled = 0;       # Object (script) file Handle Reference
+    $script = 0;               # Script (output) file Handle Reference
+    $script_enabled = 0;       # Writing to output file is disabled initially
    $lastlineblank = 0;        # Avoid extra blank lines in the output
    $indent1       = '';       # Current indentation tabs
    $indent2       = '';       # Current indentation spaces
    $indent        = '';       # Current total indentation
-    ( $dir, $file ) = ('',''); # Object's Directory and File
+    ( $dir, $file ) = ('',''); # Script's Directory and Filename
    $tempfile = '';            # Temporary File Name

    #
@@ -328,7 +327,7 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.2.5",
+		    VERSION => "4.4.4",
 		    CAPVERSION => 40402 ,
 		  );

@@ -440,6 +439,8 @@ sub initialize( $ ) {
 	      FAST_STOP => undef ,
 	      AUTOMAKE => undef ,
 	      WIDE_TC_MARKS => undef,
+	      TRACK_PROVIDERS => undef,
+	      ZONE2ZONE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -546,6 +547,8 @@ sub initialize( $ ) {
 	      MANGLE_ENABLED => undef ,
 	      AUTOMAKE => undef ,
 	      WIDE_TC_MARKS => undef,
+	      TRACK_PROVIDERS => undef,
+	      ZONE2ZONE => undef,
 	      #
 	      # Packet Disposition
 	      #
@@ -685,14 +688,14 @@ sub cleanup() {
    #
    # Close files first in case we're running under Cygwin
    #
-    close  $object, $object = undef         if $object;
-    close  $scriptfile, $scriptfile = undef if $scriptfile;
+    close  $script, $script = undef         if $script;
+    close  $perlscript, $perlscript = undef if $perlscript;
    close  $log, $log = undef               if $log;
    #
    # Unlink temporary files
    #
    unlink ( $tempfile ), $tempfile = undef             if $tempfile;
-    unlink ( $scriptfilename ), $scriptfilename = undef if $scriptfilename;
+    unlink ( $perlscriptname ), $perlscriptname = undef if $perlscriptname;
    unlink ( @tempfiles ), @tempfiles = ()              if @tempfiles;
 }

@@ -815,14 +818,14 @@ sub in_hexp( $ ) {
 }

 #
-# Write the arguments to the object file (if any) with the current indentation.
+# Write the arguments to the script file (if any) with the current indentation.
 #
 # Replaces leading spaces with tabs as appropriate and suppresses consecutive blank lines.
 #
 sub emit {
-    assert( $object_enabled );
+    assert( $script_enabled );

-    if ( $object ) {
+    if ( $script ) {
 	#
 	# 'compile' as opposed to 'check'
 	#
@@ -832,10 +835,10 @@ sub emit {
 		$line =~ s/^\n// if $lastlineblank;
 		$line =~ s/^/$indent/gm if $indent;
 		$line =~ s/        /\t/gm;
-		print $object "$line\n";
+		print $script "$line\n";
 		$lastlineblank = ( substr( $line, -1, 1 ) eq "\n" );
 	    } else {
-		print $object "\n" unless $lastlineblank;
+		print $script "\n" unless $lastlineblank;
 		$lastlineblank = 1;
 	    }
 	}
@@ -843,26 +846,26 @@ sub emit {
 }

 #
-# Write passed message to the object with newline but no indentation.
+# Write passed message to the script with newline but no indentation.
 #
 sub emit_unindented( $ ) {
-    assert( $object_enabled );
+    assert( $script_enabled );

-    print $object "$_[0]\n" if $object;
+    print $script "$_[0]\n" if $script;
 }

 #
 # Write a progress_message2 command with surrounding blank lines to the output file.
 #
 sub save_progress_message( $ ) {
-    emit "\nprogress_message2 @_\n" if $object;
+    emit "\nprogress_message2 @_\n" if $script;
 }

 #
 # Write a progress_message command to the output file.
 #
 sub save_progress_message_short( $ ) {
-    emit "progress_message $_[0]" if $object;
+    emit "progress_message $_[0]" if $script;
 }

 #
@@ -1036,12 +1039,12 @@ sub pop_indent() {
 }

 #
-# Functions for copying files into the object
+# Functions for copying files into the script
 #
 sub copy( $ ) {
-    assert( $object_enabled );
+    assert( $script_enabled );

-    if ( $object ) {
+    if ( $script ) {
 	my $file = $_[0];

 	open IF , $file or fatal_error "Unable to open $file: $!";
@@ -1049,7 +1052,7 @@ sub copy( $ ) {
 	while ( <IF> ) {
 	    chomp;
 	    if ( /^\s*$/ ) {
-		print $object "\n" unless $lastlineblank;
+		print $script "\n" unless $lastlineblank;
 		$lastlineblank = 1;
 	    } else {
 		if  ( $indent ) {
@@ -1057,8 +1060,8 @@ sub copy( $ ) {
 		    s/        /\t/ if $indent2;
 		}

-		print $object $_;
-		print $object "\n";
+		print $script $_;
+		print $script "\n";
 		$lastlineblank = 0;
 	    }
 	}
@@ -1071,11 +1074,11 @@ sub copy( $ ) {
 # This one handles line continuation and 'here documents'

 sub copy1( $ ) {
-    assert( $object_enabled );
+    assert( $script_enabled );

    my $result = 0;

-    if ( $object ) {
+    if ( $script ) {
 	my $file = $_[0];

 	open IF , $file or fatal_error "Unable to open $file: $!";
@@ -1086,8 +1089,8 @@ sub copy1( $ ) {
 	    chomp;

 	    if ( /^${here_documents}\s*$/ ) {
-		print $object $here_documents if $here_documents;
-		print $object "\n";
+		print $script $here_documents if $here_documents;
+		print $script "\n";
 		$do_indent = 1;
 		$here_documents = '';
 		next;
@@ -1098,8 +1101,8 @@ sub copy1( $ ) {
 		s/^(\s*)/$indent1$1$indent2/;
 		s/        /\t/ if $indent2;
 		$do_indent = 0;
-		print $object $_;
-		print $object "\n";
+		print $script $_;
+		print $script "\n";
 		$result = 1;
 		next;
 	    }
@@ -1109,8 +1112,8 @@ sub copy1( $ ) {
 		s/        /\t/ if $indent2;
 	    }

-	    print $object $_;
-	    print $object "\n";
+	    print $script $_;
+	    print $script "\n";
 	    $do_indent = ! ( $here_documents || /\\$/ );

 	    $result = 1 unless $result || /^\s*$/ || /^\s*#/;
@@ -1125,23 +1128,23 @@ sub copy1( $ ) {
 }

 #
-# Create the temporary object file -- the passed file name is the name of the final file.
+# Create the temporary script file -- the passed file name is the name of the final file.
 # We create a temporary file in the same directory so that we can use rename to finalize it.
 #
-sub create_temp_object( $$ ) {
-    my ( $objectfile, $export ) = @_;
+sub create_temp_script( $$ ) {
+    my ( $scriptfile, $export ) = @_;
    my $suffix;

-    if ( $objectfile eq '-' ) {
+    if ( $scriptfile eq '-' ) {
 	$verbosity = -1;
-	$object = undef;
-	open( $object, '>&STDOUT' ) or fatal_error "Open of STDOUT failed";
+	$script = undef;
+	open( $script, '>&STDOUT' ) or fatal_error "Open of STDOUT failed";
 	$file = '-';
 	return 1;
    }

    eval {
-	( $file, $dir, $suffix ) = fileparse( $objectfile );
+	( $file, $dir, $suffix ) = fileparse( $scriptfile );
    };

    cleanup, die if $@;
@@ -1149,14 +1152,14 @@ sub create_temp_object( $$ ) {
    fatal_error "$dir is a Symbolic Link"        if -l $dir;
    fatal_error "Directory $dir does not exist"  unless -d _;
    fatal_error "Directory $dir is not writable" unless -w _;
-    fatal_error "$objectfile is a Symbolic Link" if -l $objectfile;
-    fatal_error "$objectfile is a Directory"     if -d _;
-    fatal_error "$objectfile exists and is not a compiled script" if -e _ && ! -x _;
+    fatal_error "$scriptfile is a Symbolic Link" if -l $scriptfile;
+    fatal_error "$scriptfile is a Directory"     if -d _;
+    fatal_error "$scriptfile exists and is not a compiled script" if -e _ && ! -x _;
    fatal_error "An exported \u$globals{PRODUCT} compiled script may not be named '$globals{PRODUCT}'" if $export && "$file" eq $globals{PRODUCT} && $suffix eq '';

    eval {
 	$dir = abs_path $dir unless $dir =~ m|^/|; # Work around http://rt.cpan.org/Public/Bug/Display.html?id=13851
-	( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
+	( $script, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
    };

    fatal_error "Unable to create temporary file in directory $dir" if $@;
@@ -1168,12 +1171,12 @@ sub create_temp_object( $$ ) {
 }

 #
-# Finalize the object file
+# Finalize the script file
 #
-sub finalize_object( $ ) {
+sub finalize_script( $ ) {
    my $export = $_[0];
-    close $object;
-    $object = 0;
+    close $script;
+    $script = 0;

    if ( $file ne '-' ) {
 	rename $tempfile, $file or fatal_error "Cannot Rename $tempfile to $file: $!";
@@ -1187,7 +1190,7 @@ sub finalize_object( $ ) {
 #
 sub create_temp_aux_config() {
    eval {
-	( $object, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
+	( $script, $tempfile ) = tempfile ( 'tempfileXXXX' , DIR => $dir );
    };

    cleanup, die if $@;
@@ -1197,24 +1200,24 @@ sub create_temp_aux_config() {
 # Finalize the aux config file.
 #
 sub finalize_aux_config() {
-    close $object;
-    $object = 0;
+    close $script;
+    $script = 0;
    rename $tempfile, "$file.conf" or fatal_error "Cannot Rename $tempfile to $file.conf: $!";
    progress_message3 "Shorewall configuration compiled to $file";
 }

 #
-# Enable writes to the object file
+# Enable writes to the script file
 #
-sub enable_object() {
-    $object_enabled = 1;
+sub enable_script() {
+    $script_enabled = 1;
 }

 #
-# Disable writes to the object file
+# Disable writes to the script file
 #
-sub disable_object() {
-    $object_enabled = 0;
+sub disable_script() {
+    $script_enabled = 0;
 }

 #
@@ -1431,19 +1434,19 @@ sub pop_open() {
 # processed as regular file input.
 #
 sub shorewall {
-    unless ( $scriptfile ) {
+    unless ( $perlscript ) {
 	fatal_error "shorewall() may not be called in this context" unless $currentfile;

 	$dir ||= '/tmp/';

 	eval {
-	    ( $scriptfile, $scriptfilename ) = tempfile ( 'scriptfileXXXX' , DIR => $dir );
+	    ( $perlscript, $perlscriptname ) = tempfile ( 'perlscriptXXXX' , DIR => $dir );
 	};

 	fatal_error "Unable to create temporary file in directory $dir" if $@;
    }

-    print $scriptfile "@_\n";
+    print $perlscript "@_\n";
 }

 #
@@ -1545,21 +1548,21 @@ sub embedded_perl( $ ) {
 	fatal_error "Perl Script Returned False";
    }

-    if ( $scriptfile ) {
+    if ( $perlscript ) {
 	fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;

-	close $scriptfile or assert(0);
+	close $perlscript or assert(0);

-	$scriptfile = undef;
+	$perlscript = undef;

 	push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
 	$currentfile = undef;

-	open $currentfile, '<', $scriptfilename or fatal_error "Unable to open Perl Script $scriptfilename";
+	open $currentfile, '<', $perlscriptname or fatal_error "Unable to open Perl Script $perlscriptname";

-	push @tempfiles, $scriptfilename unless unlink $scriptfilename; #unlink fails on Cygwin
+	push @tempfiles, $perlscriptname unless unlink $perlscriptname; #unlink fails on Cygwin

-	$scriptfilename = '';
+	$perlscriptname = '';

 	$currentfilename = "PERL\@$currentfilename:$linenumber";
 	$currentline = '';
@@ -2405,10 +2408,19 @@ sub get_configuration( $ ) {
    default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
    default_yes_no 'AUTOMAKE'                   , '';
    default_yes_no 'WIDE_TC_MARKS'              , '';
+    default_yes_no 'TRACK_PROVIDERS'            , '';
+
+    my $val;
+
+    if ( defined ( $val = $config{ZONE2ZONE} ) ) {
+	fatal_error "Invalid ZONE2ZONE value ( $val )" unless $val =~ /^[2-]$/;
+    } else {
+	$config{ZONE2ZONE} = '2';
+    }

    $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};

-    default 'BLACKLIST_DISPOSITION'             , 'DROP';
+    default 'BLACKLIST_DISPOSITION'    , 'DROP';

    default_log_level 'BLACKLIST_LOGLEVEL',  '';
    default_log_level 'MACLIST_LOG_LEVEL',   '';
@@ -2420,8 +2432,6 @@ sub get_configuration( $ ) {
    default_log_level 'SMURF_LOG_LEVEL',     '';
    default_log_level 'LOGALLNEW',           '';

-    my $val;
-
    $globals{MACLIST_TARGET} = 'reject';

    if ( $val = $config{MACLIST_DISPOSITION} ) {
@@ -2532,18 +2542,13 @@ sub get_configuration( $ ) {
 }

 #
-# The values of the options in @propagateconfig are copied to the object file in OPTION=<value> format.
+# The values of the options in @propagateconfig are copied to the script file in OPTION=<value> format.
 #
 sub propagateconfig() {
    for my $option ( @propagateconfig ) {
 	my $value = $config{$option} || '';
 	emit "$option=\"$value\"";
    }
-
-    for my $option ( @propagateenv ) {
-	my $value = $globals{$option} || '';
-	emit "$option=\"$value\"";
-    }
 }

 #
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -476,6 +476,7 @@ sub valid_6address( $ ) {
 	return 0 unless valid_4address pop @address;
 	$max = 6;
 	$address = join ':', @address;
+	return 1 if @address eq ':';
    } else {
 	$max = 8;
    }
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_2';
+our $VERSION = '4.4_4';

 our @addresses_to_add;
 our %addresses_to_add;
@@ -195,7 +195,7 @@ sub process_one_masq( )
 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

 	unless ( $interfaceref->{root} ) {
-	    $rule .= "-o $interface ";
+	    $rule .= match_dest_dev( $interface );
 	    $interface = $interfaceref->{name};
 	}

@@ -367,8 +367,8 @@ sub do_one_nat( $$$$$ )
    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

    unless ( $interfaceref->{root} ) {
-	$rulein  = "-i $interface ";
-	$ruleout = "-o $interface ";
+	$rulein  = match_source_dev $interface;
+	$ruleout = match_dest_dev $interface;
 	$interface = $interfaceref->{name};
    }

@@ -460,8 +460,8 @@ sub setup_netmap() {
 	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );

 	    unless ( $interfaceref->{root} ) {
-		$rulein  = "-i $interface ";
-		$ruleout = "-o $interface ";
+		$rulein  = match_source_dev $interface;
+		$ruleout = match_dest_dev $interface;
 		$interface = $interfaceref->{name};
 	    }

@@ -481,12 +481,13 @@ sub setup_netmap() {

 sub add_addresses () {
    if ( @addresses_to_add ) {
+	my @addrs = @addresses_to_add;
 	my $arg = '';
 	my $addresses = 0;

-	while ( @addresses_to_add ) {
-	    my $addr      = shift @addresses_to_add;
-	    my $interface = shift @addresses_to_add;
+	while ( @addrs ) {
+	    my $addr      = shift @addrs;
+	    my $interface = shift @addrs;
 	    $arg = "$arg $addr $interface";
 	    unless ( $config{RETAIN_ALIASES} ) {
 		emit '' unless $addresses++;
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -32,9 +32,9 @@ use Shorewall::Actions;
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );
+our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies );
 our @EXPORT_OK = qw(  );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_4';

 # @policy_chains is a list of references to policy chains in the filter table

@@ -68,7 +68,7 @@ sub new_policy_chain($$$$)
 {
    my ($source, $dest, $policy, $optional) = @_;

-    my $chainref = new_chain( 'filter', "${source}2${dest}" );
+    my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );

    convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );

@@ -119,7 +119,7 @@ use constant { OPTIONAL => 1 };

 sub add_or_modify_policy_chain( $$ ) {
    my ( $zone, $zone1 ) = @_;
-    my $chain    = "${zone}2${zone1}";
+    my $chain    = rules_chain( ${zone}, ${zone1} );
    my $chainref = $filter_table->{$chain};

    if ( $chainref ) {
@@ -211,7 +211,7 @@ sub process_a_policy() {
 	}
    }

-    my $chain = "${client}2${server}";
+    my $chain = rules_chain( ${client}, ${server} );
    my $chainref;

    if ( defined $filter_table->{$chain} ) {
@@ -252,19 +252,19 @@ sub process_a_policy() {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
-		    set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
+		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy;
 		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
-		set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
+		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy;
 		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
-	    set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
+	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy;
 	    print_policy $client, $zone, $policy, $chain;
 	}

@@ -273,6 +273,21 @@ sub process_a_policy() {
    }
 }

+sub save_policies() {
+    for my $zone1 ( all_zones ) {
+	for my $zone2 ( all_zones ) {
+	    my $chainref  = $filter_table->{ rules_chain( $zone1, $zone2 ) };
+	    my $policyref = $filter_table->{ $chainref->{policychain} };
+
+	    if ( $policyref->{referenced} ) {
+		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy} . ' using chain ' . $policyref->{name};
+	    } elsif ( $zone1 ne $zone2 ) {
+		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy};
+	    }
+	}
+    }
+}	    
+
 sub validate_policy()
 {
    our %validpolicies = (
@@ -334,7 +349,7 @@ sub validate_policy()

    for $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy};
+	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{rules_chain( ${zone}, ${zone1} )}{policy};
 	}
    }
 }
@@ -409,7 +424,7 @@ sub apply_policy_rules() {
 		ensure_filter_chain $name, 1;
 	    }

-	    if ( $name =~ /^all2|2all$/ ) {
+	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
 		run_user_exit $chainref;
 		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
@@ -418,7 +433,7 @@ sub apply_policy_rules() {

    for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
-	    my $chainref = $filter_table->{"${zone}2${zone1}"};
+	    my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};

 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
@@ -444,7 +459,7 @@ sub complete_standard_chain ( $$$$ ) {

    run_user_exit $stdchainref;

-    my $ruleschainref = $filter_table->{"${zone}2${zone2}"} || $filter_table->{all2all};
+    my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
    my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
    my $policychainref;

--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -41,7 +41,7 @@ our @EXPORT = qw(
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.3_12';
+our $VERSION = '4.4_4';

 #
 # ARP Filtering
@@ -56,27 +56,35 @@ sub setup_arp_filtering() {
 	save_progress_message "Setting up ARP filtering...";

 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
 	    my $value = get_interface_option $interface, 'arp_filter';
+	    my $optional = interface_is_optional $interface;
+                           
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";

 	    emit ( '',
 		   "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}

 	for my $interface ( @$interfaces1 ) {
-	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
 	    my $value = get_interface_option $interface, 'arp_ignore';
+	    my $optional = interface_is_optional $interface;
+                           
+	    $interface = get_physical $interface;
+
+	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";

 	    assert( defined $value );

 	    emit ( "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}
    }
@@ -106,13 +114,17 @@ sub setup_route_filtering() {
 	}

 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
 	    my $value = get_interface_option $interface, 'routefilter';
+	    my $optional = interface_is_optional $interface;
+                           
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";

 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
+		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}

@@ -153,14 +165,18 @@ sub setup_martian_logging() {
 	}

 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
 	    my $value = get_interface_option $interface, 'logmartians';
+	    my $optional = interface_is_optional $interface;
+                           
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";

 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );

 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
+		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless $optional;
 	    emit   "fi\n";
 	}
    }
@@ -180,13 +196,17 @@ sub setup_source_routing( $ ) {
 	save_progress_message 'Setting up Accept Source Routing...';

 	for my $interface ( @$interfaces ) {
-	    my $file = "/proc/sys/net/ipv$family/conf/$interface/accept_source_route";
 	    my $value = get_interface_option $interface, 'sourceroute';
+	    my $optional = interface_is_optional $interface;
+
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv$family/conf/$interface/accept_source_route";

 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless interface_is_optional( $interface);
+		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}
    }
@@ -227,13 +247,17 @@ sub setup_forwarding( $$ ) {
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';

 	    for my $interface ( @$interfaces ) {
-		my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding";
 		my $value = get_interface_option $interface, 'forward';
+		my $optional = interface_is_optional $interface;
+
+		$interface = get_physical $interface;
+
+		my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding";

 		emit ( "if [ -f $file ]; then" ,
 		       "    echo $value > $file" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless interface_is_optional( $interface);
+		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }

--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_2';
+our $VERSION = '4.4_4';

 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -96,7 +96,7 @@ sub initialize( $ ) {
 sub setup_route_marking() {
    my $mask = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';

-    require_capability( $_ , 'the provider \'track\' option' , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
+    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;

    add_rule $mangle_table->{$_} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;

@@ -108,33 +108,21 @@ sub setup_route_marking() {

    for my $providerref ( @routemarked_providers ) {
 	my $interface = $providerref->{interface};
+	my $physical  = $providerref->{physical};
 	my $mark      = $providerref->{mark};
-	my $base      = uc chain_base $interface;
-
-	if ( $providerref->{optional} ) {
-	    if ( $providerref->{shared} ) {
-		add_commands( $chainref, qq(if [ interface_is_usable $interface -a -n "$providerref->{mac}" ]; then) );
-	    } else {
-		add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
-	    }
-
-	    incr_cmd_level( $chainref );
-	}

 	unless ( $marked_interfaces{$interface} ) {
-	    add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
-	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $interface -m mark --mark  $mark/$mask ";
+	    add_rule $mangle_table->{PREROUTING} , "-i $physical -m mark --mark 0/$mask -j routemark";
+	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $physical -m mark --mark  $mark/$mask ";
 	    add_jump $mangle_table->{OUTPUT}     , $chainref2, 0, "-m mark --mark  $mark/$mask ";
 	    $marked_interfaces{$interface} = 1;
 	}

 	if ( $providerref->{shared} ) {
-	    add_rule $chainref, " -i $interface -m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
+	    add_rule $chainref, match_source_dev( $interface ) . "-m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
 	} else {
-	    add_rule $chainref, " -i $interface -j MARK --set-mark $providerref->{mark}";
+	    add_rule $chainref, match_source_dev( $interface ) . "-j MARK --set-mark $providerref->{mark}";
 	}
-
-	decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
    }

    add_rule $chainref, "-m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask";
@@ -142,7 +130,9 @@ sub setup_route_marking() {

 sub copy_table( $$$ ) {
    my ( $duplicate, $number, $realm ) = @_;
-
+    #
+    # Hack to work around problem in iproute
+    #
    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';

    if ( $realm ) {
@@ -164,11 +154,21 @@ sub copy_table( $$$ ) {

 sub copy_and_edit_table( $$$$ ) {
    my ( $duplicate, $number, $copy, $realm) = @_;
-    
+    #
+    # Hack to work around problem in iproute
+    #    
    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
+    #
+    # Map physical names in $copy to logical names
+    #
+    $copy = join( '|' , map( physical_name($_) , split( ',' , $copy ) ) );
+    #
+    # Shell and iptables use a different wildcard character
+    #
+    $copy =~ s/\+/*/;

    if ( $realm ) {
-	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
    } else {
 	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
    }
@@ -274,9 +274,10 @@ sub add_a_provider( ) {
    }

    fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
+    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;

-    my $provider    = chain_base $table;
-    my $base        = uc chain_base $interface;
+    my $physical    = get_physical $interface;
+    my $base        = uc chain_base $physical;
    my $gatewaycase = '';

    if ( $gateway eq 'detect' ) {
@@ -320,12 +321,15 @@ sub add_a_provider( ) {

    }

-    my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' );
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu ) = 
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' );

    unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
 		$track = 1;
+	    } elsif ( $option eq 'notrack' ) {
+		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
 		fatal_error q('balance' is not available in IPv6) if $family == F_IPV6;
 		$balance = $1;
@@ -376,6 +380,7 @@ sub add_a_provider( ) {
 			   number      => $number ,
 			   mark        => $val ? in_hex($val) : $val ,
 			   interface   => $interface ,
+			   physical    => $physical ,
 			   optional    => $optional ,
 			   gateway     => $gateway ,
 			   gatewaycase => $gatewaycase ,
@@ -403,19 +408,19 @@ sub add_a_provider( ) {
    if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) );
+	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
    } else {
 	if ( $optional ) {
 	    start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
+	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $table, $number, "if interface_is_usable $interface; then" );
+	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
 	}

 	$provider_interfaces{$interface} = $table;

-	emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
+	emit "run_ip route add default dev $physical table $number" if $gatewaycase eq 'none';
    }

    if ( $mark ne '-' ) {
@@ -434,8 +439,7 @@ sub add_a_provider( ) {
 	    if ( $copy eq 'none' ) {
 		$copy = $interface;
 	    } else {
-		$copy =~ tr/,/|/;
-		$copy = "$interface|$copy";
+		$copy = "$interface,$copy";
 	    }

 	    copy_and_edit_table( $duplicate, $number ,$copy , $realm);
@@ -447,28 +451,28 @@ sub add_a_provider( ) {

    if ( $gateway ) {
 	$address = get_interface_address $interface unless $address;
-	emit "run_ip route replace $gateway src $address dev $interface ${mtu}table $number $realm";
-	emit "run_ip route add default via $gateway src $address dev $interface ${mtu}table $number $realm";
+	emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
+	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
    }

-    balance_default_route $balance , $gateway, $interface, $realm if $balance;
+    balance_default_route $balance , $gateway, $physical, $realm if $balance;

    if ( $default > 0 ) {
-	balance_fallback_route $default , $gateway, $interface, $realm;
+	balance_fallback_route $default , $gateway, $physical, $realm;
    } elsif ( $default ) {
 	emit '';
 	if ( $gateway ) {
-	    emit qq(run_ip route replace default via $gateway src $address dev $interface table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
+	    emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	} else {
-	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $interface metric $number);
-	    emit qq(echo "qt \$IP -$family route del default dev $interface table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
+	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	}
    }

    if ( $loose ) {
 	if ( $config{DELETE_THEN_ADD} ) {
-	    emit ( "\nfind_interface_addresses $interface | while read address; do",
+	    emit ( "\nfind_interface_addresses $physical | while read address; do",
 		   "    qt \$IP -$family rule del from \$address",
 		   'done'
 		 );
@@ -482,7 +486,7 @@ sub add_a_provider( ) {

 	emit "\nrulenum=0\n";

-	emit  ( "find_interface_addresses $interface | while read address; do" );
+	emit  ( "find_interface_addresses $physical | while read address; do" );
 	emit  (	"    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 	emit  (	"    run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
 		"    echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
@@ -498,15 +502,15 @@ sub add_a_provider( ) {

    if ( $optional ) {
 	if ( $shared ) {
-	    emit ( "    error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"" );
-	} else {
 	    emit ( "    error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );
+	} else {
+	    emit ( "    error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Added\"" );
 	}
    } else {
 	if ( $shared ) {
 	    emit( "    fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Added\"" );
 	} else {
-	    emit( "    fatal_error \"Interface $interface is not usable -- Provider $table ($number) Cannot be Added\"" );
+	    emit( "    fatal_error \"Interface $physical is not usable -- Provider $table ($number) Cannot be Added\"" );
 	}
    }

@@ -517,9 +521,32 @@ sub add_a_provider( ) {
    progress_message "   Provider \"$currentline\" $done";
 }

+#
+# Begin an 'if' statement testing whether the passed interface is available
+#
+sub start_new_if( $ ) {
+    our $current_if = shift;
+
+    emit ( '', qq(if [ -n "\$${current_if}_IS_USABLE" ]; then) );
+    push_indent;
+}
+  
+#
+# Complete any current 'if' statement in the output script
+#
+sub finish_current_if() {
+    if ( our $current_if ) {
+	pop_indent;
+	emit ( "fi\n" );
+	$current_if = '';
+    }
+}
+
 sub add_an_rtrule( ) {
    my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';

+    our $current_if;
+
    unless ( $providers{$provider} ) {
 	my $found = 0;

@@ -554,6 +581,7 @@ sub add_an_rtrule( ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	    fatal_error "Invalid SOURCE" if defined $remainder;
 	    validate_net ( $source, 0 );
+	    $interface = physical_name $interface;
 	    $source = "iif $interface from $source";
 	} elsif ( $source =~ /\..*\..*/ ) {
 	    validate_net ( $source, 0 );
@@ -564,6 +592,7 @@ sub add_an_rtrule( ) {
    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
 	validate_net ($source, 0);
+	$interface = physical_name $interface;
 	$source = "iif $interface from $source";
    } elsif (  $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
 	validate_net ( $source, 0 );
@@ -576,21 +605,21 @@ sub add_an_rtrule( ) {

    $priority = "priority $priority";

-    emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
+    finish_current_if, emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};

    my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );

    if ( $optional ) {
-	my $base = uc chain_base( $providers{$provider}{interface} );
-	emit ( '', "if [ -n \$${base}_IS_USABLE ]; then" );
-	push_indent;
+	my $base = uc chain_base( $providers{$provider}{physical} );
+	finish_current_if if $base ne $current_if;
+	start_new_if( $base ) unless $current_if;
+  } else {
+	finish_current_if;
    }

    emit ( "run_ip rule add $source $dest $priority table $number",
 	   "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );

-    pop_indent, emit ( "fi\n" ) if $optional;
-
    progress_message "   Routing rule \"$currentline\" $done";
 }

@@ -724,12 +753,15 @@ sub setup_providers() {
 	my $fn = open_file 'route_rules';

 	if ( $fn ) {
+	    our $current_if = '';

 	    first_entry "$doing $fn...";

 	    emit '';

 	    add_an_rtrule while read_a_line;
+
+	    finish_current_if;
 	}

 	setup_null_routing if $config{NULL_ROUTE_RFC1918};
@@ -785,18 +817,21 @@ sub lookup_provider( $ ) {
 }

 #
-# This function is called by the compiler when it is generating the initialize() function.
+# This function is called by the compiler when it is generating the detect_configuration() function.
 # The function emits code to set the ..._IS_USABLE interface variables appropriately for the
 # optional interfaces
 #
+# Returns true if there were optional interfaces
+#
 sub handle_optional_interfaces() {

    my $interfaces = find_interfaces_by_option 'optional';

    if ( @$interfaces ) {
 	for my $interface ( @$interfaces ) {
-	    my $base  = uc chain_base( $interface );
 	    my $provider = $provider_interfaces{$interface};
+	    my $physical = get_physical $interface;
+	    my $base     = uc chain_base( $physical );

 	    emit '';

@@ -807,15 +842,15 @@ sub handle_optional_interfaces() {
 		my $providerref = $providers{$provider};

 		if ( $providerref->{gatewaycase} eq 'detect' ) {
-		    emit qq(if interface_is_usable $interface && [ -n "$providerref->{gateway}" ]; then);
+		    emit qq(if interface_is_usable $physical && [ -n "$providerref->{gateway}" ]; then);
 		} else {
-		    emit qq(if interface_is_usable $interface; then);
+		    emit qq(if interface_is_usable $physical; then);
 		}
 	    } else {
 		#
 		# Not a provider interface
 		#
-		emit qq(if interface_is_usable $interface; then);
+		emit qq(if interface_is_usable $physical; then);
 	    }

 	    emit( "    ${base}_IS_USABLE=Yes" ,
@@ -845,9 +880,8 @@ sub handle_stickiness( $ ) {
    if ( $havesticky ) {
 	fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;

-
 	for my $providerref ( @routemarked_providers ) {
-	    my $interface = $providerref->{interface};
+	    my $interface = $providerref->{physical};
 	    my $base      = uc chain_base $interface;
 	    my $mark      = $providerref->{mark};

@@ -857,9 +891,6 @@ sub handle_stickiness( $ ) {
 		my $list = sprintf "sticky%03d" , $sticky++;

 		for my $chainref ( $stickyref, $setstickyref ) {
-
-		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-
 		    if ( $chainref->{name} eq 'sticky' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/;
@@ -878,9 +909,6 @@ sub handle_stickiness( $ ) {
 			$rule2 =~ s/-A tcpre //;
 			add_rule $chainref, $rule2;
 		    }
-
-		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
-
 		}
 	    }

@@ -890,8 +918,6 @@ sub handle_stickiness( $ ) {
 		my $stickoref = ensure_mangle_chain 'sticko';

 		for my $chainref ( $stickoref, $setstickoref ) {
-		    add_commands( $chainref, qq(if [ -n "\$${base}_IS_USABLE" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-
 		    if ( $chainref->{name} eq 'sticko' ) {
 			$rule1 = $_;
 			$rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/;
@@ -910,8 +936,6 @@ sub handle_stickiness( $ ) {
 			$rule2 =~ s/-A tcout //;
 			add_rule $chainref, $rule2;
 		    }
-
-		    decr_cmd_level( $chainref), add_commands( $chainref, "fi" ) if $providerref->{optional};
 		}
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -35,7 +35,7 @@ our @EXPORT = qw(
 		  );

 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_4';

 our @proxyarp;

@@ -117,6 +117,8 @@ sub setup_proxy_arp() {
 		    $first_entry = 0;
 		}

+		$interface = get_physical $interface;
+
 		$set{$interface}  = 1;
 		$reset{$external} = 1 unless $set{$external};

@@ -143,10 +145,14 @@ sub setup_proxy_arp() {

 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyarp';
+		my $optional = interface_is_optional $interface;
+
+		$interface = get_physical $interface;
+
 		emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
 		       "    echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
+		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
 	}
@@ -158,10 +164,14 @@ sub setup_proxy_arp() {

 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyndp';
+		my $optional = interface_is_optional $interface;
+
+		$interface = get_physical $interface;
+
 		emit ( "if [ -f /proc/sys/net/ipv6/conf/$interface/proxy_ndp ] ; then" ,
 		   "    echo $value > /proc/sys/net/ipv6/conf/$interface/proxy_ndp" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless interface_is_optional( $interface );
+		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -24,6 +24,7 @@
 #
 package Shorewall::Rules;
 require Exporter;
+
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
@@ -45,7 +46,7 @@ our @EXPORT = qw( process_tos
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_2';
+our $VERSION = '4.4_4';

 #
 # Set to one if we find a SECTION
@@ -198,8 +199,8 @@ sub setup_ecn()
 	    for my $interface ( @interfaces ) {
 		my $chainref = ensure_chain 'mangle', ecn_chain( $interface );

-		add_jump $mangle_table->{POSTROUTING} , $chainref, 0, "-p tcp -o $interface ";
-		add_jump $mangle_table->{OUTPUT},       $chainref, 0, "-p tcp -o $interface ";
+		add_jump $mangle_table->{POSTROUTING} , $chainref, 0, "-p tcp " . match_dest_dev( $interface );
+		add_jump $mangle_table->{OUTPUT},       $chainref, 0, "-p tcp " . match_dest_dev( $interface );
 	    }

 	    for my $host ( @hosts ) {
@@ -330,20 +331,22 @@ sub process_routestopped() {
 	}

 	unless ( $options eq '-' ) {
-	    my $chainref = $filter_table->{FORWARD};

 	    for my $option (split /,/, $options ) {
 		if ( $option eq 'routeback' ) {
 		    if ( $routeback ) {
 			warning_message "Duplicate 'routeback' option ignored";
 		    } else {
+			my $chainref = $filter_table->{FORWARD};
+
 			$routeback = 1;

 			for my $host ( split /,/, $hosts ) {
-			    my $source = match_source_net $host;
-			    my $dest   = match_dest_net   $host;
-
-			    add_rule $chainref , "-i $interface -o $interface $source $dest -j ACCEPT";
+			    add_rule( $chainref , 
+				      match_source_dev( $interface ) . 
+				      match_dest_dev( $interface ) .
+				      match_source_net( $host ) .
+				      match_dest_net( $host ) );
 			    clearrule;
 			}
 		    }
@@ -377,24 +380,24 @@ sub process_routestopped() {
 	my $desti   = match_dest_dev $interface;
 	my $rule    = shift @rule;

-	add_rule $filter_table->{INPUT},  "$sourcei $source $rule -j ACCEPT";
-	add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT" unless $config{ADMINISABSENTMINDED};
+	add_rule $filter_table->{INPUT},  "$sourcei $source $rule -j ACCEPT", 1;
+	add_rule $filter_table->{OUTPUT}, "$desti $dest $rule -j ACCEPT", 1 unless $config{ADMINISABSENTMINDED};

 	my $matched = 0;

 	if ( $source{$host} ) {
-	    add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT";
+	    add_rule $filter_table->{FORWARD}, "$sourcei $source $rule -j ACCEPT", 1;
 	    $matched = 1;
 	}

 	if ( $dest{$host} ) {
-	    add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT";
+	    add_rule $filter_table->{FORWARD}, "$desti $dest $rule -j ACCEPT", 1;
 	    $matched = 1;
 	}

 	if ( $notrack{$host} ) {
-	    add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK";
-	    add_rule $raw_table->{OUTPUT},     "$desti $dest $rule -j NOTRACK";
+	    add_rule $raw_table->{PREROUTING}, "$sourcei $source $rule -j NOTRACK", 1;
+	    add_rule $raw_table->{OUTPUT},     "$desti $dest $rule -j NOTRACK", 1;
 	}

 	unless ( $matched ) {
@@ -403,7 +406,7 @@ sub process_routestopped() {
 		    my ( $interface1, $h1 , $seq1 ) = split /\|/, $host1;
 		    my $dest1 = match_dest_net $h1;
 		    my $desti1 = match_dest_dev $interface1;
-		    add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT";
+		    add_rule $filter_table->{FORWARD}, "$sourcei $desti1 $source $dest1 $rule -j ACCEPT", 1;
 		    clearrule;
 		}
 	    }
@@ -549,7 +552,11 @@ sub add_common_rules() {
 		add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
 	    }

-	    add_rule $filter_table->{forward_chain $interface} , "-p udp -o $interface --dport $ports -j ACCEPT" if get_interface_option( $interface, 'bridge' );
+	    add_rule( $filter_table->{forward_chain $interface} , 
+		      "-p udp " .
+		      match_dest_dev( $interface ) .
+		      "--dport $ports -j ACCEPT" )
+		if get_interface_option( $interface, 'bridge' );
 	}
    }

@@ -633,10 +640,10 @@ sub add_common_rules() {
 		if ( interface_is_optional $interface ) {
 		    add_commands( $chainref,
 				  qq(if [ -n "\$${base}_IS_USABLE" -a -n "$variable" ]; then) ,
-				  qq(    echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) ,
+				  qq(    echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) ,
 				  qq(fi) );
 		} else {
-		    add_commands( $chainref, qq(echo -A $chainref->{name} -i $interface -s $variable -p udp -j ACCEPT >&3) );
+		    add_commands( $chainref, qq(echo -A $chainref->{name} ) . match_source_dev( $interface ) . qq(-s $variable -p udp -j ACCEPT >&3) );
 		}
 	    }
 	}
@@ -1125,7 +1132,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    }
 	}

-	$chain    = "${sourcezone}2${destzone}";
+	$chain    = rules_chain( ${sourcezone}, ${destzone} );
 	$chainref = ensure_chain 'filter', $chain;
 	$policy   = $chainref->{policy};

@@ -1322,7 +1329,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 		    # Static NAT is defined on this interface
 		    #
 		    $chn = new_chain( 'nat', newnonatchain ) unless $chn;
-		    add_jump $chn, $nat_table->{$ichain}, 0, @interfaces > 1 ? "-i $_ " : '';
+		    add_jump $chn, $nat_table->{$ichain}, 0, @interfaces > 1 ? match_source_dev( $_ )  : '';
 		}
 	    }

@@ -1373,7 +1380,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
 	    #
 	    # And move the rules from the nonat chain to the zone dnat chain
 	    #
-	    add_rule( $nonat_chain, "-j $tgt" ) unless move_rules ( $chn, $nonat_chain );
+	    move_rules ( $chn, $nonat_chain );
 	}
    }

@@ -1612,7 +1619,7 @@ sub add_interface_jumps {
    # Loopback
    #
    my $fw = firewall_zone;
-    my $chainref = $filter_table->{"${fw}2${fw}"};
+    my $chainref = $filter_table->{rules_chain( ${fw}, ${fw} )};

    add_rule $filter_table->{OUTPUT} , "-o lo -j " . ($chainref->{referenced} ? "$chainref->{name}" : 'ACCEPT' );
    add_rule $filter_table->{INPUT} , '-i lo -j ACCEPT';
@@ -1620,7 +1627,7 @@ sub add_interface_jumps {

 # Generate the rules matrix.
 #
-# Stealing a comment from the Burroughs B6700 MCP Operating System source, generate_matrix makes a sow's ear out of a silk purse.
+# Stealing a comment from the Burroughs B6700 MCP Operating System source, "generate_matrix makes a sow's ear out of a silk purse".
 #
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
 # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
@@ -1636,7 +1643,7 @@ sub generate_matrix() {
    #
    sub rules_target( $$ ) {
 	my ( $zone, $zone1 ) = @_;
-	my $chain = "${zone}2${zone1}";
+	my $chain = rules_chain( ${zone}, ${zone1} );
 	my $chainref = $filter_table->{$chain};

 	return $chain   if $chainref && $chainref->{referenced};
@@ -1679,13 +1686,20 @@ sub generate_matrix() {
    # Special processing for complex configurations
    #
    for my $zone ( @zones ) {
-	my $zoneref    = find_zone( $zone );
+	my $zoneref = find_zone( $zone );

 	next if @zones <= 2 && ! $zoneref->{options}{complex};
-
+	#
+	# Complex zone and we have more than one non-firewall zone -- create a zone forwarding chain
+	#
 	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );

 	if ( $capabilities{POLICY_MATCH} ) {
+	    #
+	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
+	    # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
+	    # can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
+	    #
 	    my $type       = $zoneref->{type};
 	    my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};

@@ -1762,7 +1776,7 @@ sub generate_matrix() {

 	    if ( $parenthasnat || $parenthasnotrack ) {
 		for my $zone1 ( all_zones ) {
-		    if ( $filter_table->{"${zone}2${zone1}"}->{policy} eq 'CONTINUE' ) {
+		    if ( $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy} eq 'CONTINUE' ) {
 			#
 			# This zone has a continue policy to another zone. We must
 			# send packets from this zone through the parent's DNAT/REDIRECT/NOTRACK chain.
@@ -1892,12 +1906,11 @@ sub generate_matrix() {
 	if ( $config{OPTIMIZE} > 0 ) {
 	    my @temp_zones;

-	  ZONE1:
 	    for my $zone1 ( @zones )  {
 		my $zone1ref = find_zone( $zone1 );
-		my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
+		my $policy = $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy};

-		next if $policy  eq 'NONE';
+		next if $policy eq 'NONE';

 		my $chain = rules_target $zone, $zone1;

@@ -1911,7 +1924,7 @@ sub generate_matrix() {
 		    next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 		}

-		if ( $chain =~ /2all$/ ) {
+		if ( $chain =~ /(2all|-all)$/ ) {
 		    if ( $chain ne $last_chain ) {
 			$last_chain = $chain;
 			push @dest_zones, @temp_zones;
@@ -1942,12 +1955,10 @@ sub generate_matrix() {
 	# We now loop through the destination zones creating jumps to the rules chain for each source/dest combination.
 	# @dest_zones is the list of destination zones that we need to handle from this source zone
 	#
-      ZONE1:
 	for my $zone1 ( @dest_zones ) {
 	    my $zone1ref = find_zone( $zone1 );
-	    my $policy   = $filter_table->{"${zone}2${zone1}"}->{policy};

-	    next if $policy  eq 'NONE';
+	    next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy}  eq 'NONE';

 	    my $chain = rules_target $zone, $zone1;

@@ -1956,22 +1967,22 @@ sub generate_matrix() {
 	    my $num_ifaces = 0;

 	    if ( $zone eq $zone1 ) {
-		next ZONE1 if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
+		next if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
 	    }

 	    if ( $zone1ref->{type} == BPORT ) {
-		next ZONE1 unless $zoneref->{bridge} eq $zone1ref->{bridge};
+		next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 	    }

-	    my $chainref    = $filter_table->{$chain};
-
-	    my $dest_hosts_ref = $zone1ref->{hosts};
+	    my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT

 	    if ( $frwd_ref ) {
-		for my $typeref ( values %$dest_hosts_ref ) {
+		#
+		# Simple case -- the source zone has it's own forwarding chain
+		#
+		for my $typeref ( values %{$zone1ref->{hosts}} ) {
 		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
-			my $arrayref = $typeref->{$interface};
-			for my $hostref ( @$arrayref ) {
+			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{sourceonly};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
 				my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
@@ -1983,26 +1994,35 @@ sub generate_matrix() {
 		    }
 		}
 	    } else {
+		#
+		# More compilcated case. If the interface is associated with a single simple zone, we try to combine the interface's forwarding chain with the rules chain
+		#
 		for my $typeref ( values %$source_hosts_ref ) {
 		    for my $interface ( keys %$typeref ) {
-			my $arrayref = $typeref->{$interface};
 			my $chain3ref;
 			my $match_source_dev = '';
+			my $forwardchainref = $filter_table->{forward_chain $interface};

-			if ( use_forward_chain $interface ) {
-			    $chain3ref = $filter_table->{forward_chain $interface};
+			if ( use_forward_chain $interface || ( @{$forwardchainref->{rules} } && ! $chainref ) ) {
+			    #
+			    # Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
+			    #
+			    $chain3ref = $forwardchainref;
 			    add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 			} else {
+			    #
+			    # Don't use the interface's forward chain -- move any rules in that chain to this rules chain
+			    #
 			    $chain3ref  = $filter_table->{FORWARD};
 			    $match_source_dev = match_source_dev $interface;
-			    move_rules $filter_table->{forward_chain $interface}, $chainref;
+			    move_rules $forwardchainref, $chainref;
 			}

-			for my $hostref ( @$arrayref ) {
+			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{destonly};
 			    my $excl3ref = source_exclusion( $hostref->{exclusions}, $chain3ref );
 			    for my $net ( @{$hostref->{hosts}} ) {
-				for my $type1ref ( values %$dest_hosts_ref ) {
+				for my $type1ref ( values %{$zone1ref->{hosts}} ) {
 				    for my $interface1 ( keys %$type1ref ) {
 					my $array1ref = $type1ref->{$interface1};
 					for my $host1ref ( @$array1ref ) {
@@ -2034,13 +2054,13 @@ sub generate_matrix() {
 		    }
 		}
 	    }
-	    #
-	    #                                      E N D   F O R W A R D I N G
-	    #
-	    # Now add an unconditional jump to the last unique policy-only chain determined above, if any
-	    #
-	    add_jump $frwd_ref , $last_chain, 1 if $last_chain;
 	}
+	#
+	#                                      E N D   F O R W A R D I N G
+	#
+	# Now add an unconditional jump to the last unique policy-only chain determined above, if any
+	#
+	add_jump $frwd_ref , $last_chain, 1 if $frwd_ref && $last_chain;
    }

    add_interface_jumps @interfaces unless $interface_jumps_added;
@@ -2110,10 +2130,12 @@ sub setup_mss( ) {
 	for ( @$interfaces ) {
 	    my $mss      = get_interface_option( $_, 'mss' );
 	    my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
-	    add_rule $chainref, "-o $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
-	    add_rule $chainref, "-o $_ -j RETURN" if $clampmss;
-	    add_rule $chainref, "-i $_ -p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss";
-	    add_rule $chainref, "-i $_ -j RETURN" if $clampmss;
+	    my $source   = match_source_dev $_;
+	    my $dest     = match_dest_dev $_;
+	    add_rule $chainref, "${dest}-p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
+	    add_rule $chainref, "${dest}-j RETURN" if $clampmss;
+	    add_rule $chainref, "${source}-p tcp --tcp-flags SYN,RST SYN ${mssmatch}${in_match}-j TCPMSS --set-mss $mss";
+	    add_rule $chainref, "${source}-j RETURN" if $clampmss;
 	}
    }

@@ -2270,12 +2292,12 @@ EOF
 	my $ports = $family == F_IPV4 ? '67:68' : '546:547';

 	for my $interface ( @$interfaces ) {
-	    add_rule $input,  "-p udp -i $interface --dport $ports -j ACCEPT";
-	    add_rule $output, "-p udp -o $interface --dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
+	    add_rule $input,  "-p udp " . match_source_dev( $interface ) . "--dport $ports -j ACCEPT";
+	    add_rule $output, "-p udp " . match_dest_dev( $interface )   . "--dport $ports -j ACCEPT" unless $config{ADMINISABSENTMINDED};
 	    #
 	    # This might be a bridge
 	    #
-	    add_rule $forward, "-p udp -i $interface -o $interface --dport $ports -j ACCEPT";
+	    add_rule $forward, "-p udp " . match_source_dev( $interface ) . match_dest_dev( $interface ) . "--dport $ports -j ACCEPT";
 	}
    }

@@ -2294,7 +2316,7 @@ EOF
 	}
    } else {
 	for my $interface ( all_bridges ) {
-	    emit "do_iptables -A FORWARD -p 58 -i $interface -o $interface -j ACCEPT";
+	    emit "do_iptables -A FORWARD -p 58 " . match_source_interface( $interface ) . match_dest_interface( $interface ) . "-j ACCEPT";
 	}

 	if ( $config{IP_FORWARDING} eq 'on' ) {
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_4';

 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -153,7 +153,7 @@ our @deferred_rules;
 #
 # TCDevices Table
 #
-# %tcdevices { <interface> -> {in_bandwidth  => <value> ,
+# %tcdevices { <interface> => {in_bandwidth  => <value> ,
 #                              out_bandwidth => <value> ,
 #                              number        => <number>,
 #                              classify      => 0|1
@@ -531,6 +531,7 @@ sub validate_tc_device( ) {
 			    qdisc         => $qdisc,
 			    guarantee     => 0,
 			    name          => $device,
+			    physical      => physical_name $device
 			  } ,

    push @tcdevices, $device;
@@ -647,15 +648,15 @@ sub validate_tc_class( ) {
 	if ( $devref->{classify} ) {
 	    warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
 	} else {
-	    fatal_error "Invalid Mark ($mark)" unless $mark =~ /^([0-9]+|0x[0-9a-fA-F]+)$/ && numeric_value( $mark ) <= 0xff;
-
 	    $markval = numeric_value( $mark );
 	    fatal_error "Invalid MARK ($markval)" unless defined $markval;

+	    fatal_error "Invalid Mark ($mark)" unless $markval <= ( $config{WIDE_TC_MARKS} ? 0xffff : 0xff );
+
 	    if ( $classnumber ) {
 		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
 	    } else {
-		$classnumber = $config{WIDE_TC_MARKS} ? $tcref->{nextclass}++ : hex_value( $devnum . $markval );
+		$classnumber = $config{WIDE_TC_MARKS} ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
 		fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
 	    }
 	}
@@ -713,6 +714,7 @@ sub validate_tc_class( ) {
 			       parent    => $parentclass,
 			       leaf      => 1,
 			       guarantee => 0,
+			       limit     => 127,
 			     };

    $tcref = $tcref->{$classnumber};
@@ -761,6 +763,10 @@ sub validate_tc_class( ) {

 		$tcref->{occurs} = $occurs;
 		$devref->{occurs} = 1;
+	    } elsif ( $option =~ /^limit=(\d+)$/ ) {
+		warning_message "limit ignored with pfifo queuing" if $tcref->{pfifo};
+		fatal_error "Invalid limit ($1)" if $1 < 3 || $1 > 128;
+		$tcref->{limit} = $1;
 	    } else {
 		fatal_error "Unknown option ($option)";
 	    }
@@ -789,6 +795,7 @@ sub validate_tc_class( ) {
 					       pfifo    => $tcref->{pfifo},
 					       occurs   => 0,
 					       parent   => $parentclass,
+					       limit    => $tcref->{limit},
 					     };
 	push @tcclasses, "$device:$classnumber";
    };
@@ -825,7 +832,7 @@ sub process_tc_filter( ) {
    fatal_error "Unknown CLASS ($devclass)"                  unless $tcref && $tcref->{occurs};
    fatal_error "Filters may not specify an occurring CLASS" if $tcref->{occurs} > 1;

-    my $rule = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32";
+    my $rule = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32";

    if ( $source ne '-' ) {
 	my ( $net , $mask ) = decompose_net( $source );
@@ -896,7 +903,7 @@ sub process_tc_filter( ) {
 	    $lasttnum = $tnum;
 	    $lastrule = $rule;

-	    emit( "\nrun_tc filter add dev $device parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor 1" );
+	    emit( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor 1" );
 	}
 	#
 	# And link to it using the current contents of $rule
@@ -906,7 +913,7 @@ sub process_tc_filter( ) {
 	#
 	# The rule to match the port(s) will be inserted into the new table
 	#
-	$rule     = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";
+	$rule     = "filter add dev $devref->{physical} protocol ip parent $devnum:0 prio 10 u32 ht $tnum:0";

 	if ( $portlist eq '-' ) {
 	    fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT"
@@ -1033,12 +1040,15 @@ sub setup_traffic_shaping() {
    }

    for my $device ( @tcdevices ) {
-	my $dev     = chain_base( $device );
 	my $devref  = $tcdevices{$device};
 	my $defmark = in_hexp ( $devref->{default} || 0 );
 	my $devnum  = in_hexp $devref->{number};
 	my $r2q     = int calculate_r2q $devref->{out_bandwidth};

+	$device = physical_name $device;
+
+	my $dev = chain_base( $device );
+
 	emit "if interface_is_up $device; then";

 	push_indent;
@@ -1121,12 +1131,14 @@ sub setup_traffic_shaping() {
 	my $classid  = join( ':', in_hexp $devicenumber, $classnum);
 	my $rate     = "$tcref->{rate}kbit";
 	my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
+
+	$classids{$classid}=$device;
+	$device = physical_name $device;
+
 	my $dev      = chain_base $device;
 	my $priority = $tcref->{priority} << 8;
 	my $parent   = in_hexp $tcref->{parent};

-	$classids{$classid}=$device;
-
 	if ( $lastdevice ne $device ) {
 	    if ( $lastdevice ) {
 		pop_indent;
@@ -1153,7 +1165,7 @@ sub setup_traffic_shaping() {
 	    }
 	}

-	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit 127 perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
+	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit $tcref->{limit} perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
 	#
 	# add filters
 	#
@@ -1214,7 +1226,7 @@ sub setup_tc() {
 	    $mark_part = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFF0000' : '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';

 	    for my $interface ( @routemarked_interfaces ) {
-		add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
+		add_rule $mangle_table->{PREROUTING} , match_source_dev( $interface ) . "-j tcpre";
 	    }
 	}

--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -83,8 +83,8 @@ sub setup_tunnels() {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
-		$outchainref = ensure_filter_chain "${fw}2${zone}", 1;
+		$inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
+		$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;

 		unless ( $capabilities{POLICY_MATCH} ) {
 		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
@@ -239,8 +239,8 @@ sub setup_tunnels() {

 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;

-	my $inchainref  = ensure_filter_chain "${zone}2${fw}", 1;
-	my $outchainref = ensure_filter_chain "${fw}2${zone}", 1;
+	my $inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
+	my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;

 	$gateway = ALLIP if $gateway eq '-';

--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -60,6 +60,8 @@ our @EXPORT = qw( NOTHING
 		  interface_number
 		  find_interface
 		  known_interface
+		  get_physical
+		  physical_name
 		  have_bridges
 		  port_to_bridge
 		  source_port_to_bridge
@@ -73,7 +75,7 @@ our @EXPORT = qw( NOTHING
 		 );

 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_4';

 #
 # IPSEC Option types
@@ -135,7 +137,8 @@ our %reservedName = ( all => 1,
 #
 #     %interfaces { <interface1> => { name        => <name of interface>
 #                                     root        => <name without trailing '+'>
-#                                     options     => { <option1> = <val1> ,
+#                                     options     => { port => undef|1
+#                                                      <option1> = <val1> ,          #See %validinterfaceoptions
 #                                                      ...
 #                                                    }
 #                                     zone        => <zone name>
@@ -143,6 +146,7 @@ our %reservedName = ( all => 1,
 #                                     bridge      => <bridge>
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
+#                                     physical    => <physical interface name>
 #                                   }
 #                 }
 #
@@ -150,6 +154,7 @@ our @interfaces;
 our %interfaces;
 our @bport_zones;
 our %ipsets;
+our %physical;
 our $family;

 use constant { FIREWALL => 1,
@@ -163,6 +168,8 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       NUMERIC_IF_OPTION  => 4,
 	       OBSOLETE_IF_OPTION => 5,
 	       IPLIST_IF_OPTION   => 6,
+	       STRING_IF_OPTION   => 7,
+
 	       MASK_IF_OPTION     => 7,

 	       IF_OPTION_ZONEONLY => 8,
@@ -193,6 +200,7 @@ sub initialize( $ ) {
    %interfaces = ();
    @bport_zones = ();
    %ipsets = ();
+    %physical = ();

    if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -215,6 +223,7 @@ sub initialize( $ ) {
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION,
+				  physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -240,6 +249,7 @@ sub initialize( $ ) {
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    mss         => NUMERIC_IF_OPTION,
 				    forward     => NUMERIC_IF_OPTION,
+				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -496,17 +506,19 @@ sub zone_report()
 		my $interfaceref = $hostref->{$type};

 		for my $interface ( sort keys %$interfaceref ) {
+		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 		    for my $groupref ( @$arrayref ) {
 			my $hosts      = $groupref->{hosts};
-			my $exclusions = join ',', @{$groupref->{exclusions}};
 			if ( $hosts ) {
-			    my $grouplist = join ',', ( @$hosts );
+			    my $grouplist  = join ',', ( @$hosts );
+			    my $exclusions = join ',', @{$groupref->{exclusions}};
 			    $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;
+		
 			    if ( $family == F_IPV4 ) {
-				progress_message_nocompress "      $interface:$grouplist";
+				progress_message_nocompress "      $iref->{physical}:$grouplist";
 			    } else {
-				progress_message_nocompress "      $interface:<$grouplist>";
+				progress_message_nocompress "      $iref->{physical}:<$grouplist>";
 			    }
 			    $printed = 1;
 			}
@@ -524,6 +536,9 @@ sub zone_report()
    }
 }

+#
+# This function is called to create the contents of the ${VARDIR}/zones file
+#
 sub dump_zone_contents()
 {
    my @xlate;
@@ -550,20 +565,21 @@ sub dump_zone_contents()
 		my $interfaceref = $hostref->{$type};

 		for my $interface ( sort keys %$interfaceref ) {
+		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 		    for my $groupref ( @$arrayref ) {
 			my $hosts     = $groupref->{hosts};
-			my $exclusions = join ',', @{$groupref->{exclusions}};

 			if ( $hosts ) {
-			    my $grouplist = join ',', ( @$hosts );
+			    my $grouplist  = join ',', ( @$hosts );
+			    my $exclusions = join ',', @{$groupref->{exclusions}};

 			    $grouplist = join '!', ( $grouplist, $exclusions ) if $exclusions;

 			    if ( $family == F_IPV4 ) {
-				$entry .= " $interface:$grouplist";
+				$entry .= " $iref->{physical}:$grouplist";
 			    } else {
-				$entry .= " $interface:<$grouplist>";
+				$entry .= " $iref->{physical}:<$grouplist>";
 			    }
 			}
 		    }
@@ -708,8 +724,8 @@ sub firewall_zone() {
 #
 sub process_interface( $ ) {
    my $nextinum = $_[0];
-    my $nets;
-    my ($zone, $originalinterface, $networks, $options ) = split_line 2, 4, 'interfaces file';
+    my $netsref = '';
+    my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
    my $zoneref;
    my $bridge = '';

@@ -722,18 +738,21 @@ sub process_interface( $ ) {
 	fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
    }

-    $networks = '' if $networks eq '-';
+    $bcasts = '' if $bcasts eq '-';
    $options  = '' if $options  eq '-';

    my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;

    fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;

-    if ( defined $port ) {
+    if ( defined $port && $port ne '' ) {
 	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
 	fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE};
+
+	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
 	fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
+
 	fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
 	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;

@@ -745,10 +764,6 @@ sub process_interface( $ ) {
 	    }
 	}

-	next if $port eq '';
-
-	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
-
 	$bridge = $interface;
 	$interface = $port;
    } else {
@@ -767,10 +782,11 @@ sub process_interface( $ ) {
 	$root = $interface;
    }

+    my $physical = $interface;
    my $broadcasts;

-    unless ( $networks eq '' || $networks eq 'detect' ) {
-	my @broadcasts = split_list $networks, 'address';
+    unless ( $bcasts eq '' || $bcasts eq 'detect' ) {
+	my @broadcasts = split_list $bcasts, 'address';

 	for my $address ( @broadcasts ) {
 	    fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
@@ -814,12 +830,12 @@ sub process_interface( $ ) {
 		$hostoptions{$option} = 1 if $hostopt;
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
-		fatal_error "Option value for $option must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
-		fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
+		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
+		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
-		fatal_error "The $option option may not be used with a wild-card interface name" if $wildcard;
+		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
 		if ( $option eq 'arp_ignore' ) {
 		    if ( defined $value ) {
 			if ( $value =~ /^[1-3,8]$/ ) {
@@ -834,15 +850,13 @@ sub process_interface( $ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
-		fatal_error "The $option option requires a value" unless defined $value;
+		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
 		fatal_error "Invalid value ($value) for option $option" unless defined $numval;
 		$options{$option} = $numval;
 		$hostoptions{$option} = $numval if $hostopt;
 	    } elsif ( $type == IPLIST_IF_OPTION ) {
-		fatal_error "The $option option requires a value" unless defined $value;
-		fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
-		fatal_error "Duplicate $option option" if $nets;
+		fatal_error "The '$option' option requires a value" unless defined $value;
 		#
 		# Remove parentheses from address list if present
 		#
@@ -852,27 +866,54 @@ sub process_interface( $ ) {
 		#
 		$value = join ',' , ALLIP , $value if $value =~ /^!/;

-		if ( $value eq 'dynamic' ) {
-		    require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-		    $value = "+${zone}_${interface}";
-		    $hostoptions{dynamic} = 1;
-		    $ipsets{"${zone}_${interface}"} = 1;
+		if ( $option eq 'nets' ) {
+		    fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
+		    fatal_error "Duplicate $option option" if $netsref;
+		    if ( $value eq 'dynamic' ) {
+			require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
+			$hostoptions{dynamic} = 1;
+			#
+			# Defer remaining processing until we have the final physical interface name
+			#
+			$netsref = 'dynamic';
+		    } else {
+			$hostoptions{multicast} = 1;
+			#
+			# Convert into a Perl array reference
+			#
+			$netsref = [ split_list $value, 'address' ];
+		    }
+		    #
+		    # Assume 'broadcast'
+		    #
+		    $hostoptions{broadcast} = 1;
 		} else {
-		    $hostoptions{multicast} = 1;
+		    assert(0);
+		}
+	    } elsif ( $type == STRING_IF_OPTION ) {
+		fatal_error "The '$option' option requires a value" unless defined $value;
+
+		if ( $option eq 'physical' ) {
+		    fatal_error "Invalid Physical interface name ($value)" unless $value =~ /^[\w.@%-]+\+?$/;
+
+		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );
+
+		    fatal_error "The type of 'physical' name ($value) doesn't match the type of interface name ($interface)" if $wildcard && ! $value =~ /\+$/;
+		    $physical = $value;
+		} else {
+		    assert(0);
 		}
-		#
-		# Convert into a Perl array reference
-		#
-		$nets = [ split_list $value, 'address' ];
-		#
-		# Assume 'broadcast'
-		#
-		$hostoptions{broadcast} = 1;
 	    } else {
 		warning_message "Support for the $option interface option has been removed from Shorewall";
 	    }
 	}

+	if ( $netsref eq 'dynamic' ) {
+	    my $ipset = "${zone}_" . chain_base $physical;
+	    $netsref = [ "+$ipset" ];
+	    $ipsets{$ipset} = 1;
+	}
+
 	$zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback};

 	if ( $options{bridge} ) {
@@ -884,19 +925,20 @@ sub process_interface( $ ) {

    }

-    $interfaces{$interface} = { name       => $interface ,
-				bridge     => $bridge ,
-				nets       => 0 ,
-				number     => $nextinum ,
-				root       => $root ,
-				broadcasts => $broadcasts ,
-				options    => \%options ,
-			        zone       => ''
-			      };
+    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
+						       bridge     => $bridge ,
+						       nets       => 0 ,
+						       number     => $nextinum ,
+						       root       => $root ,
+						       broadcasts => $broadcasts ,
+						       options    => \%options ,
+						       zone       => '',
+						       physical   => $physical
+						     };

    if ( $zone ) {
-	$nets ||= [ allip ];
-	add_group_to_zone( $zone, $zoneref->{type}, $interface, $nets, $hostoptionsref );
+	$netsref ||= [ allip ];
+	add_group_to_zone( $zone, $zoneref->{type}, $interface, $netsref, $hostoptionsref );
 	add_group_to_zone( $zone, 
 			   $zoneref->{type}, 
 			   $interface, 
@@ -949,6 +991,20 @@ sub validate_interfaces_file( $ ) {
    fatal_error "No network interfaces defined" unless @interfaces;
 }

+#
+# Map the passed name to the corresponding physical name in the passed interface
+#
+sub map_physical( $$ ) {
+    my ( $name, $interfaceref ) = @_;
+    my $physical = $interfaceref->{physical};
+    
+    return $physical if $name eq $interfaceref->{name};
+
+    $physical =~ s/\+$//;
+
+    $physical . substr( $name, length  $interfaceref->{root} );
+}  
+
 #
 # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
 #
@@ -963,13 +1019,17 @@ sub known_interface($)

    for my $i ( @interfaces ) {
 	$interfaceref = $interfaces{$i};
-	my $val = $interfaceref->{root};
-	next if $val eq $i;
-	if ( substr( $interface, 0, length $val ) eq $val ) {
+	my $root = $interfaceref->{root};
+	if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
 	    #
-	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces.
+	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces and we do not set the root;
 	    #
-	    return $interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i , number => $interfaceref->{number} };
+	    return $interfaces{$interface} = { options  => $interfaceref->{options}, 
+					       bridge   => $interfaceref->{bridge} , 
+					       name     => $i , 
+					       number   => $interfaceref->{number} ,
+					       physical => map_physical( $interface, $interfaceref )
+					     };
 	}
    }

@@ -1009,6 +1069,23 @@ sub find_interface( $ ) {
    $interfaceref;
 }

+#
+# Returns the physical interface associated with the passed logical name
+#
+sub get_physical( $ ) {
+    $interfaces{ $_[0] }->{physical};
+}
+
+#
+# This one doesn't insist that the passed name be the name of a configured interface
+#
+sub physical_name( $ ) {
+    my $device = shift;
+    my $devref = known_interface $device;
+
+    $devref ? $devref->{physical} : $device;
+}
+
 #
 # Returns true if there are bridge port zones defined in the config
 #
@@ -1049,7 +1126,11 @@ sub find_interfaces_by_option( $ ) {
    my @ints = ();

    for my $interface ( @interfaces ) {
-	my $optionsref = $interfaces{$interface}{options};
+	my $interfaceref = $interfaces{$interface};
+	
+	next unless $interfaceref->{root};
+
+	my $optionsref = $interfaceref->{options};
 	if ( $optionsref && defined $optionsref->{$option} ) {
 	    push @ints , $interface
 	}
@@ -1160,9 +1241,10 @@ sub process_host( ) {

    if ( $hosts eq 'dynamic' ) {
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	$hosts = "+${zone}_${interface}";
+	my $physical = physical_name $interface;
+	$hosts = "+${zone}_${physical}";
 	$optionsref->{dynamic} = 1;
-	$ipsets{"${zone}_${interface}"} = 1;
+	$ipsets{"${zone}_${physical}"} = 1;

    }

@@ -1182,7 +1264,7 @@ sub validate_hosts_file()

    my $fn = open_file 'hosts';

-    first_entry "doing $fn...";
+    first_entry "$doing $fn...";

    $ipsec |= process_host while read_a_line;

--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -61,7 +61,7 @@ sub usage( $ ) {
    [ --family={4|6} ]
 ';

-    $returnval;
+    exit $returnval;
 }

 #
@@ -105,7 +105,7 @@ my $result = GetOptions('h'               => \$help,
 usage(1) unless $result && @ARGV < 2;
 usage(0) if $help;

-compiler( object          => defined $ARGV[0] ? $ARGV[0] : '',
+compiler( script          => defined $ARGV[0] ? $ARGV[0] : '',
 	  directory       => $shorewall_dir,
 	  verbosity       => $verbose,
 	  timestamp       => $timestamp,
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -1,283 +1,6 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer
 ###############################################################################
-#
-# Clear Proxy Arp
-#
-delete_proxyarp() {
-    if [ -f ${VARDIR}/proxyarp ]; then
-	while read address interface external haveroute; do
-	    qt arp -i $external -d $address pub
-	    [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
-	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
-	    [ -f $f ] && echo 0 > $f
-	done < ${VARDIR}/proxyarp
-    fi
-
-    rm -f ${VARDIR}/proxyarp
-}
-
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-
-    if [ -n "$DISABLE_IPV6" ]; then
-	if [ -x $IPTABLES ]; then
-    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
-	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
-	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
-	fi
-    fi
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$PRODUCT Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -4 $@; then
-	error_message "ERROR: Command \"$IP -4 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
-#
-# Get a list of all configured broadcast addresses on the system
-#
-get_all_bcasts()
-{
-    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IPTABLES -t mangle -F
-    qt1 $IPTABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IPTABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t raw    -F
-    qt1 $IPTABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IPTABLES -t raw -P $chain ACCEPT
-    done
-
-    run_iptables -t nat -F
-    run_iptables -t nat -X
-
-    for chain in PREROUTING POSTROUTING OUTPUT; do
-	qt1 $IPTABLES -t nat -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t filter -F
-    qt1 $IPTABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IPTABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 #
 # Give Usage Information
 #
@@ -304,6 +27,8 @@ fi
 initialize

 if [ -n "$STARTUP_LOG" ]; then
+    touch $STARTUP_LOG
+    chmod 0600 $STARTUP_LOG
    if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT
--- a/Shorewall/Perl/prog.footer6
+++ b/Shorewall/Perl/prog.footer6
@@ -1,244 +1,6 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer6
 ###############################################################################
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-
-    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$PRODUCT Cleared"
-}
-
-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSE -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -6 $@; then
-	error_message "ERROR: Command \"$IP -6 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Restore the rules generated by 'drop','reject','logdrop', etc.
-#
-restore_dynamic_rules() {
-    if [ -f ${VARDIR}/save ]; then
-	progress_message2 "Setting up dynamic rules..."
-	rangematch='source IP range'
-	while read target ignore1 ignore2 address ignore3 rest; do
-	    case $target in
-		DROP|reject|logdrop|logreject)
-		    case $rest in
-			$rangematch*)
-			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
-			    ;;
-			*)
-			    if [ -z "$rest" ]; then
-				run_iptables -A dynamic -s $address -j $target
-			    else
-				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
-			    fi
-			    ;;
-		    esac
-		    ;;
-	    esac
-	done < ${VARDIR}/save
-    fi
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IP6TABLES -t mangle -F
-    qt1 $IP6TABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t raw    -F
-    qt1 $IP6TABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IP6TABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t filter -F
-    qt1 $IP6TABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IP6TABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 #
 # Give Usage Information
 #
@@ -265,6 +27,8 @@ fi
 initialize

 if [ -n "$STARTUP_LOG" ]; then
+    touch $STARTUP_LOG
+    chmod 0600 $STARTUP_LOG
    if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -1071,6 +1071,283 @@ conditionally_flush_conntrack() {
    fi
 }

+#
+# Clear Proxy Arp
+#
+delete_proxyarp() {
+    if [ -f ${VARDIR}/proxyarp ]; then
+	while read address interface external haveroute; do
+	    qt arp -i $external -d $address pub
+	    [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
+	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
+	    [ -f $f ] && echo 0 > $f
+	done < ${VARDIR}/proxyarp
+    fi
+
+    rm -f ${VARDIR}/proxyarp
+}
+
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
+    if [ -n "$DISABLE_IPV6" ]; then
+	if [ -x $IPTABLES ]; then
+    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
+	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
+	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
+	fi
+    fi
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$PRODUCT Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IPTABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -4 $@; then
+	error_message "ERROR: Command \"$IP -4 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
+#
+# Get a list of all configured broadcast addresses on the system
+#
+get_all_bcasts()
+{
+    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $IPTABLES -t mangle -F
+    qt1 $IPTABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IPTABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t raw    -F
+    qt1 $IPTABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IPTABLES -t raw -P $chain ACCEPT
+    done
+
+    run_iptables -t nat -F
+    run_iptables -t nat -X
+
+    for chain in PREROUTING POSTROUTING OUTPUT; do
+	qt1 $IPTABLES -t nat -P $chain ACCEPT
+    done
+
+    qt1 $IPTABLES -t filter -F
+    qt1 $IPTABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IPTABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -946,6 +946,244 @@ conditionally_flush_conntrack() {
    fi
 }

+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+
+    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$PRODUCT Cleared"
+}
+
+#
+# Issue a message and stop/restore the firewall
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSE -gt 1 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$IP6TABLES $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run iptables and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -6 $@; then
+	error_message "ERROR: Command \"$IP -6 $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Restore the rules generated by 'drop','reject','logdrop', etc.
+#
+restore_dynamic_rules() {
+    if [ -f ${VARDIR}/save ]; then
+	progress_message2 "Setting up dynamic rules..."
+	rangematch='source IP range'
+	while read target ignore1 ignore2 address ignore3 rest; do
+	    case $target in
+		DROP|reject|logdrop|logreject)
+		    case $rest in
+			$rangematch*)
+			    run_iptables -A dynamic -m iprange --src-range ${rest#source IP range} -j $target
+			    ;;
+			*)
+			    if [ -z "$rest" ]; then
+				run_iptables -A dynamic -s $address -j $target
+			    else
+				error_message "WARNING: Unable to restore dynamic rule \"$target $ignore1 $ignore2 $address $ignore3 $rest\""
+			    fi
+			    ;;
+		    esac
+		    ;;
+	    esac
+	done < ${VARDIR}/save
+    fi
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $IP6TABLES -t mangle -F
+    qt1 $IP6TABLES -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t raw    -F
+    qt1 $IP6TABLES -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $IP6TABLES -t raw -P $chain ACCEPT
+    done
+
+    qt1 $IP6TABLES -t filter -F
+    qt1 $IP6TABLES -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $IP6TABLES -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,22 +1,63 @@
-Changes in Shorewall 4.4.2.4
+Changes in Shorewall 4.4.4

-1)  Correct optional interfaces.
+1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.

-Changes in Shorewall 4.4.2.3
+2)  Fix access to uninitialized variable.

-1)  Fix internal error with RETAIN_ALIASES=No.
+3)  Add logrotate scripts.

-2)  Only detect IP configuration when needed.
+4)  Allow long port lists in /etc/shorewall/routestopped.

-3)  Fix nested zones.
+5)  Implement 'physical' interface option.

-Changes in Shorewall 4.4.2.2
+6)  Implement ZONE2ZONE option.

-1)  Another fix for 'routeback' in routestopped.
+7)  Suppress duplicate COMMENT warnings.

-Changes in Shorewall 4.4.2.1
+8)  Implement 'show policies' command.

-1)  Fix 'routeback' in routestopped.
+9)  Fix route_rule suppression for down provider.
+
+10) Suppress redundant tests for provider availability in route rules
+    processing.
+
+11) Implement the '-l' option to the 'show' command.
+
+12) Fix class number assignment when WIDE_TC_MARKS=Yes
+
+13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes
+
+Changes in Shorewall 4.4.3
+
+1)  Move Debian INITLOG initialization to /etc/default/shorewall
+
+2)  Fix 'routeback' in /etc/shorewall/routestopped.
+
+3)  Rename 'object' to 'script' in compiler and config modules.
+
+4)  Correct RETAIN_ALIASES=No.
+
+5)  Fix detection of IP config.
+
+6)  Fix nested zones.
+
+7)  Move all function declarations from prog.footer to prog.header
+
+8)  Remove superfluous variables from generated script
+
+9)  Make 'track' the default.
+
+10)  Add TRACK_PROVIDERS option.
+
+11)  Fix IPv6 address parsing bug.
+
+12)  Add hack to work around iproute IPv6 bug in route handling
+
+13)  Correct messages issued when an optional provider is not usable.
+
+14)  Fix optional interfaces.
+
+15)  Add 'limit' option to tcclasses.

 Changes in Shorewall 4.4.2

--- a/Shorewall/configfiles/findgw
+++ b/Shorewall/configfiles/findgw
@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - Filegw File
+# Shorewall version 4 - Findgw File
 #
 # /etc/shorewall/findgw
 #
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -32,9 +32,9 @@ VERBOSITY=1

 LOGFILE=/var/log/messages

-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall-init.log

-LOG_VERBOSITY=
+LOG_VERBOSITY=2

 LOGFORMAT="Shorewall:%s:%s:"

@@ -189,6 +189,10 @@ AUTOMAKE=No

 WIDE_TC_MARKS=No

+TRACK_PROVIDERS=No
+
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall/default.debian
+++ b/Shorewall/default.debian
@@ -21,4 +21,9 @@ startup=0

 OPTIONS=""

+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
 # EOF
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -15,13 +15,11 @@
 SRWL=/sbin/shorewall
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
-# Note, set INITLOG to /dev/null if you want to
-# use Shorewall's STARTUP_LOG feature.
-INITLOG=/var/log/shorewall-init.log
+test -n ${INITLOG:=/var/log/shorewall-init.log}

 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
@@ -49,7 +47,7 @@ not_configured () {
 	then
 		echo ""
 		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall-common/README.Debian.gz."
+		echo "/usr/share/doc/shorewall/README.Debian.gz."
 	fi
 	echo "#################"
 	exit 0
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.2.5
+VERSION=4.4.4

 usage() # $1 = exit status
 {
@@ -176,7 +176,7 @@ else
    fi

    if [ -z "$CYGWIN" ]; then
-	if [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
+	if [ -f /etc/debian_version ]; then
 	    DEBIAN=yes
 	elif [ -f /etc/slackware-version ] ; then
 	    echo "installing Slackware specific configuration..."
@@ -242,6 +242,12 @@ mkdir -p ${PREFIX}/var/lib/shorewall
 chmod 755 ${PREFIX}/etc/shorewall
 chmod 755 ${PREFIX}/usr/share/shorewall
 chmod 755 ${PREFIX}/usr/share/shorewall/configfiles
+
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
+fi
+    
 #
 # Install the config file
 #
@@ -792,6 +798,11 @@ cd ..

 echo "Man Pages Installed"

+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall"
+fi
+
 if [ -z "$PREFIX" ]; then
    rm -rf /usr/share/shorewall-perl
    rm -rf /usr/share/shorewall-shell
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@@ -1,39 +1 @@
-1)  'shorewall check' produces an internal error if 'routeback' appears
-    in /etc/shorewall/routestopped.
-
-    You can work around this problem by using 'source' rather than
-    'routeback'.
-
-    Corrected in Shorewall 4.4.2.1.
-
-2)  'routeback' appearing in /etc/shorewall/routestopped doesn't
-    work (routeback traffic is not allowed).
-
-    You can work around this problem by using 'source' rather than
-    'routeback'.
-
-    Corrected in Shorewall 4.4.2.2.
-
-3)  If an alias IP address was added and RETAIN_ALIASES=No in
-    shorewall.conf, a compiler internal error results.
-
-    You can work around this problem by setting RETAIN_ALIASES=Yes in
-    shorewall.conf.
-
-    Corrected in Shorewall 4.4.2.3.
-
-4)  Nested zones where the parent zone is defined by a wildcard in
-    /etc/shorewall/interfaces (interface names ends in +), don't always
-    work correctly.
-
-    Corrected in Shorewall 4.4.2.3.
-
-5)  Global IP configuration variables are not being set in IPv6
-    configurations. This could cause 'shorewall6 start' to fail.
-
-    Corrected in Shorewall 4.4.2.4.
-
-6)  Under certain circumstances, optional providers are not detected
-    as being usable.
-
-    Corrected in Shorewall 4.4.2.5.
+There are no known problems in Shorewall version 4.4.3
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -430,6 +430,10 @@ show_command() {
 			    option=
 			    shift
 			    ;;
+			l*)
+			    IPT_OPTIONS1="--line-numbers"
+			    option=${option#l}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -443,6 +447,8 @@ show_command() {
 	esac
    done

+    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
+
    [ -n "$debugging" ] && set -x
    case "$1" in
 	connections)
@@ -560,6 +566,12 @@ show_command() {
 	vardir)
 	    echo $VARDIR;
 	    ;;
+	policies)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$PRODUCT $version Policies at $HOSTNAME - $(date)"
+	    echo
+	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
+	    ;;
 	*)
 	    if [ "$PRODUCT" = Shorewall ]; then
 		case $1 in
@@ -673,6 +685,10 @@ dump_command() {
 			    SHOWMACS=Yes
 			    option=${option#m}
 			    ;;
+			l*)
+			    IPT_OPTIONS1="--line-numbers"
+			    option=${option#l}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -686,6 +702,8 @@ dump_command() {
 	esac
    done

+    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
+
    [ $VERBOSE -lt 2 ] && VERBOSE=2

    [ -n "$debugging" ] && set -x
--- a/Shorewall/logrotate
+++ b/Shorewall/logrotate
@@ -0,0 +1,5 @@
+/var/log/shorewall-init.log {
+  missingok
+  notifempty
+  create 0600 root root
+}
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,4 +1,4 @@
-Shorewall 4.4.2 Patch Release 5.
+Shorewall 4.4.4

 ----------------------------------------------------------------------------
               R E L E A S E  4 . 4  H I G H L I G H T S
@@ -169,112 +169,46 @@ Shorewall 4.4.2 Patch Release 5.
    now, if the zone has <interface>:0.0.0.0/0 (even with exclusions),
    then it may have no additional members in /etc/shorewall/hosts.

----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2 . 5
----------------------------------------------------------------------------
-
-1)  Under certain circumstances, optional providers were not detected
-    as being usable.
-
-    Additionally, messages issued when an optional provider was not
-    usable were confusing; the message intended to be issued when the
-    provider shared an interface ("WARNING: Gateway <gateway> is not
-    reachable -- Provider <name> (<number>) not Added") was being
-    issued when the provider did not share an interface. Similarly, the
-    message intended to be issued when the provider did not share an
-    interface ("WARNING: Interface <interface> is not usable --
-    Provider <name> (<number>) not Added") was being issued when the
-    provider did share an interface.
+13) Because the 'track' provider option is so useful, it is now the
+    default. If, for some reason, you don't want 'track' then specify
+    'notrack' for the provider.

 ----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2 . 4
----------------------------------------------------------------------------
-1)  Global IP configuration variables were not being set in IPv6
-    configurations. This could cause 'shorewall6 start' to fail.
-
----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2 . 3
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 4
 ----------------------------------------------------------------------------

-1)  If aliases were added and RETAIN_ALIASES=No in shorewall.conf, then
-    an internal error was generated.
+1)  In some simple one-interface configurations, the following Perl
+    run-time error messages were issued:

-2)  Previously, the generated script set its global IP configuration
-    variables, even when those variables were not required to execute the
-    requested command.  If detection of an IP address, route,
-    etc. failed, the command could needlessly fail. Now, these
-    variables are only set when their values are needed to correctly
-    execute the specified command.
+      Generating Rule Matrix...
+      Use of uninitialized value in concatenation (.) or string at
+      /usr/share/shorewall/Shorewall/Chains.pm line 649.
+      Use of uninitialized value in concatenation (.) or string at
+      /usr/share/shorewall/Shorewall/Chains.pm line 649.
+      Creating iptables-restore input...

-3)  Nested zones did not work correctly in some cases where the parent
-    zone was defined with a wild-card interface name (one ending in '+').
+2)  The Shorewall operations log (specified by STARTUP_LOG) is now
+    secured 0600.

----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2 . 2
----------------------------------------------------------------------------
+3)  Previously, the compiler generated an incorrect test for interface
+    availability in the generated code for adding route rules. The
+    result was that the rules were always added, regardless of the
+    state of the provider's interface. Now, the rules are only added
+    when the interface is available.

-1)  'routeback' in /etc/shorewall/routestopped was ineffective.
+4)  When TC_WIDE_MARKS=Yes and class numbers are not explicitly
+    specified in /etc/shorewall/tcclasses, duplicate class numbers
+    result. A typical error message is:

----------------------------------------------------------------------------
-        P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2 . 1
----------------------------------------------------------------------------
+    	    ERROR: Command "tc class add dev eth3 parent 1:1 classid
+    	    1:1 htb rate 1024kbit ceil 100000kbit prio 1 quantum 1500"
+    	    Failed

-1)  'shorewall check' produced an internal error if 'routeback' was
-    specified in /etc/shorewall/routestopped.
+    Note that the class ID of the class being added is a duplicate of
+    the parent's class ID.

----------------------------------------------------------------------------
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2
----------------------------------------------------------------------------
-
-1)  Detection of Persistent SNAT was broken in the rules compiler. 
-
-2)  Initialization of the compiler's chain table was occurring before 
-    shorewall.conf had been read and before the capabilities had been
-    determined. This could lead to incorrect rules and Perl runtime
-    errors.
-
-3)  The 'shorewall check' command previously did not detect errors in
-    /etc/shorewall/routestopped.
-
-4)  In earlier versions, if a file with the same name as a built-in
-    action was present in the CONFIG_PATH, then the compiler would
-    process that file like it was an extension script.
-
-    The compiler now ignores the presence of such files.
-
-5)  Several configuration issues which previously produced an error or
-    warning are now handled differently.
-
-    a)  MAPOLDACTIONS=Yes and MAPOLDACTIONS= in shorewall.conf are now
-        handled as they were by the old shell-based compiler. That is,
-        they cause pre-3.0 built-in actions to be mapped automatically
-        to the corresponding macro invocation.
-
-    b)  SAVE_IPSETS=Yes no longer produces a fatal error -- it is now a
-        warning.
-
-    c)  DYNAMIC_ZONES=Yes no longer produces a fatal error -- it is now
-        a warning.
-
-    d)  RFC1918_STRICT=Yes no loger produces a fatal error -- it is now
-        a warning.
-
-6)  Previously, it was not possible to specify an IP address range in
-    the ADDRESS column of /etc/shorewall/masq. Thanks go to Jessee
-    Shrieve for the patch.
-
-7)  The 'wait4ifup' script included for Debian compatibility now runs
-    correctly with no PATH.
-
-8)  The new per-IP LIMIT feature now works with ancient iptables
-    releases (e.g., 1.3.5 as found on RHEL 5). This change required
-    testing for an additional capability which means that those who use
-    a capabilities file should regenerate that file after installing
-    4.4.2.
-
-9)  One unintended difference between Shorewall-shell and
-    Shorewall-perl was that Shorewall-perl did not support the MARK
-    column in action bodies. This has been corrected.
+    Also, when TC_WIDE_MARKS=Yes, values > 255 in the MARK column of
+    /etc/shorewall/tcclasses were rejected.

 ----------------------------------------------------------------------------
             K N O W N   P R O B L E M S   R E M A I N I N G
@@ -283,38 +217,103 @@ Shorewall 4.4.2 Patch Release 5.
 None.

 ----------------------------------------------------------------------------
-                N E W   F E A T U R E S   I N   4 . 4 . 2
+                N E W   F E A T U R E S   I N   4 . 4 . 4
 ----------------------------------------------------------------------------

-1)  Prior to this release, line continuation has taken precedence over 
-    #-style comments. This prevented us from doing the following:
+1)  The Shorewall packages now include a logrotate configuration file.

-    	    ACCEPT    net:206.124.146.176,\   #Gateway
-	    	          206.124.146.177,\   #Mail
-			  206.124.146.178\    #Server
-			  		      ...
-    
-    Now, unless a line ends with '\', any trailing comment is stripped
-    off (including any white-space preceding the '#'). Then if the line
-    ends with '\', it is treated as a continuation line as normal.
+2)  The limit of 15 entries in a port list has been relaxed in
+    /etc/shorewall/routestopped.

-2)  Three new columns have been added to FORMAT-2 macro bodies.
+3)  The following seemingly valid configuration produces a fatal
+    error reporting "Duplicate interface name (p+)"

-    	  MARK
-	  CONNLIMIT
-	  TIME
+    /etc/shorewall/zones:

-    These three columns correspond to the similar columns in
-    /etc/shorewall/rules and must be empty in macros invoked from an
-    action.
+       #ZONE		TYPE	
+       fw		firewall
+       world		ipv4
+       z1:world		bport4
+       z2:world		bport4

-3)  Accounting chains may now have extension scripts. Simply place your
-    Perl script in the file /etc/shorewall/<chain> and when the
-    accounting chain named <chain> is created, your script will be
-    invoked.
+    /etc/shorewall/interfaces:

-    As usual, the variable $chainref will contain a reference to the
-    chain's table entry.
+       #ZONE		INTERFACE	BROADCAST	OPTIONS
+       world		br0		-		bridge
+       world		br1		-		bridge
+       z1		br0:p+
+       z2		br1:p+
+
+    This error occurs because the Shorewall implementation requires
+    that each bridge port must have a unique name.
+
+    To work around this problem, a new 'physical' interface option has
+    been created. The above configuration may be defined using the
+    following in /etc/shorewall/interfaces:
+
+       #ZONE		INTERFACE	BROADCAST	OPTIONS
+       world		br0		-		bridge
+       world		br1		-		bridge
+       z1		br0:x+		-		physical=p+
+       z2		br1:y+		-		physical=p+
+
+    In this configuration, 'x+' is the logical name for ports p+ on
+    bridge br0 while 'y+' is the logical name for ports p+ on bridge
+    br1.
+
+    If you need to refer to a particular port on br1 (for example
+    p1023), you write it as y1023; Shorewall will translate that name
+    to p1023 when needed.
+
+    It is allowed to have a physical name ending in '+' with a logical
+    name that does not end with '+'. The reverse is not allowed; if the
+    logical name ends in '+' then the physical name must also end in
+    '+'.
+
+    This feature is not restricted to bridge ports. Beginning with this
+    release, the interface name in the INTERFACE column can be
+    considered a logical name for the interface, and the actual
+    interface name is specified using the 'physical' option. If no
+    'physical' option is present, then the physical name is assumed to
+    be the same as the logical name. As before, the logical interface
+    name is used throughout the rest of the configuration to refer to
+    the interface.
+
+4)  Previously, Shorewall has used the character '2' to form the name
+    of chains involving zones and/or the word 'all' (e.g., fw2net,
+    all2all). When zones names are given numeric suffixes, these
+    generated names are hard to read (e.g., foo1232bar). To make these
+    names clearer, a ZONE2ZONE option has been added.
+
+    ZONE2ZONE has a default value of "2" but can also be given the
+    value "-" (e.g., ZONE2ZONE="-") which causes Shorewall to separate
+    the two parts of the name with a hyphen (e.g., foo123-bar).
+
+5)  Only one instance of the following warning is now generated;
+    previously, one instance of a similar warning was generated for
+    each COMMENT encountered.
+
+	COMMENTs ignored -- require comment support in iptables/Netfilter
+
+6)  The shorewall and shorewall6 utilities now support a 'show
+    policies' command. Once Shorewall or Shorewall6 has been restarted
+    using a script generated by this version, the 'show policies'
+    command will list each pair of zones and give the applicable
+    policy. If the policy is enforced in a chain, the name of the chain
+    is given.
+
+    Example:
+
+	net 	=>	loc	DROP using chain net2all
+
+    Note that implicit intrazone ACCEPT policies are not displayed for
+    zones associated with a single network where that network
+    doesn't specify 'routeback'.
+
+7)  The 'show' and 'dump' commands now support an '-l' option which
+    causes chain displays to include the rule number of each rule.
+
+    (Type 'iptables -h' and look for '--line-number')

 ----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 4 . 0
@@ -326,7 +325,7 @@ None.
    The new packages are:

    - Shorewall.   Includes the former Shorewall-common and
-                   Shorewall-perl packages. Has everything needed
+                   Shorewall-perl packages. Includes everything needed
                   to create an IPv4 firewall.

 		   Shorewall-shell is no longer available.
@@ -1058,3 +1057,161 @@ None.
 5)  A flaw in the parsing logic for the zones file allowed most zone
    types containing the character string 'ip' to be accepted as a
    synonym for 'ipv4' (or ipv6 if compiling an IPv6 configuration).
+
+----------------------------------------------------------------------------
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 2
+----------------------------------------------------------------------------
+
+1)  Detection of Persistent SNAT was broken in the rules compiler. 
+
+2)  Initialization of the compiler's chain table was occurring before 
+    shorewall.conf had been read and before the capabilities had been
+    determined. This could lead to incorrect rules and Perl runtime
+    errors.
+
+3)  The 'shorewall check' command previously did not detect errors in
+    /etc/shorewall/routestopped.
+
+4)  In earlier versions, if a file with the same name as a built-in
+    action were present in the CONFIG_PATH, then the compiler would
+    process that file like it was an extension script.
+
+    The compiler now ignores the presence of such files.
+
+5)  Several configuration issues which previously produced an error or
+    warning are now handled differently.
+
+    a)  MAPOLDACTIONS=Yes and MAPOLDACTIONS= in shorewall.conf are now
+        handled as they were by the old shell-based compiler. That is,
+        they cause pre-3.0 built-in actions to be mapped automatically
+        to the corresponding macro invocation.
+
+    b)  SAVE_IPSETS=Yes no longer produces a fatal error -- it is now a
+        warning.
+
+    c)  DYNAMIC_ZONES=Yes no longer produces a fatal error -- it is now
+        a warning.
+
+    d)  RFC1918_STRICT=Yes no longer produces a fatal error -- it is now
+        a warning.
+
+6)  Previously, it was not possible to specify an IP address range in
+    the ADDRESS column of /etc/shorewall/masq. Thanks go to Jessee
+    Shrieve for the patch.
+
+7)  The 'wait4ifup' script included for Debian compatibility now runs
+    correctly with no PATH.
+
+8)  The new per-IP LIMIT feature now works with ancient iptables
+    releases (e.g., 1.3.5 as found on RHEL 5). This change required
+    testing for an additional capability which means that those who use
+    a capabilities file should regenerate that file after installing
+    4.4.2.
+
+9)  One unintended difference between Shorewall-shell and
+    Shorewall-perl was that Shorewall-perl did not support the MARK
+    column in action bodies. This has been corrected.
+
+----------------------------------------------------------------------------
+                N E W   F E A T U R E S   I N   4 . 4 . 2
+----------------------------------------------------------------------------
+
+1)  Prior to this release, line continuation has taken precedence over 
+    #-style comments. This prevented us from doing the following:
+
+    	    ACCEPT    net:206.124.146.176,\   #Gateway
+	    	          206.124.146.177,\   #Mail
+			  206.124.146.178\    #Server
+			  		      ...
+    
+    Now, unless a line ends with '\', any trailing comment is stripped
+    off (including any white-space preceding the '#'). Then if the line
+    ends with '\', it is treated as a continuation line as normal.
+
+2)  Three new columns have been added to FORMAT-2 macro bodies.
+
+    	  MARK
+	  CONNLIMIT
+	  TIME
+
+    These three columns correspond to the similar columns in
+    /etc/shorewall/rules and must be empty in macros invoked from an
+    action.
+
+3)  Accounting chains may now have extension scripts. Simply place your
+    Perl script in the file /etc/shorewall/<chain> and when the
+    accounting chain named <chain> is created, your script will be
+    invoked.
+
+    As usual, the variable $chainref will contain a reference to the
+    chain's table entry.
+
+----------------------------------------------------------------------------
+          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 3
+----------------------------------------------------------------------------
+
+1.  Previously, if 'routeback' was specified in /etc/shorewall/routestopped:
+
+    a) 'shorewall check' produced an internal error
+    b) The 'routeback' option didn't work
+
+2)  If an alias IP address was added and RETAIN_ALIASES=No in
+    shorewall.conf, then a compiler internal error resulted.
+
+3)  Previously, the generated script would try to detect the values
+    for all run-time variables (such as IP addresses), regardless of
+    what command was being executed. Now, this information is only
+    detected when it is needed.
+
+4)  Nested zones where the parent zone was defined by a wildcard
+    interface (name ends with +) in /etc/shorewall/interfaces did
+    not work correctly in some cases.
+
+5)  IPv4 addresses embedded in IPv6 (e.g., ::192.168.1.5) were
+    incorrectly reported as invalid.
+
+6)  Under certain circumstances, optional providers were not detected
+    as being usable.
+
+    Additionally, the messages issued when an optional provider was not
+    usable were confusing; the message intended to be issued when the
+    provider shared an interface ("WARNING: Gateway <gateway> is not
+    reachable -- Provider <name> (<number>) not Added") was being
+    issued when the provider did not share an interface. Similarly, the
+    message intended to be issued when the provider did not share an
+    interface ("WARNING: Interface <interface> is not usable --
+    Provider <name> (<number>) not Added") was being issued when the
+    provider did share an interface.
+
+----------------------------------------------------------------------------
+                N E W   F E A T U R E S   I N   4 . 4 . 3
+----------------------------------------------------------------------------
+
+1)  On Debian systems, a default installation will now set
+    INITLOG=/dev/null in /etc/default/shorewall. In all configurations,
+    the default values for the log variables are changed to:
+
+    	STARTUP_LOG=/var/log/shorewall-init.log
+	LOG_VERBOSITY=2
+
+    The effect is much the same as the old defaults, with the exception 
+    that:
+
+	a) Start, stop, etc. commands issued through /sbin/shorewall
+	   will be logged.
+	b) Logging will occur at maximum verbosity.
+	c) Log entries will be date/time stamped.
+
+    On non-Debian systems, new installs will now log all Shorewall 
+    commands to /var/log/shorewall-init.log.
+
+2)  A new TRACK_PROVIDERS option has been added in shorewall.conf.
+    The value of this option becomes the default for the 'track'
+    provider option in /etc/shorewall/providers.
+
+3)  A new 'limit' option has been added to
+    /etc/shorewall/tcclasses. This option specifies the number of
+    packets that are allowed to be queued within the class. Packets
+    exceeding this limit are dropped. The default value is 127 which is
+    the value that earlier versions of Shorewall used.  The option is
+    ignored with a warning if the 'pfifo' option has been specified.
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -971,7 +971,7 @@ safe_commands() {

    [ -n "$nolock" ] || mutex_on

-    if ${VARDIR}/.$command $command; then
+    if ${VARDIR}/.$command $debugging $command; then

 	echo -n "Do you want to accept the new firewall configuration? [y/n] "

@@ -1387,6 +1387,7 @@ usage() # $1 = exit status
    echo "   show [ -m ] log"
    echo "   show macros"
    echo "   show [ -x ] mangle|nat|raw|routing"
+    echo "   show policies"
    echo "   show tc"
    echo "   show vardir"
    echo "   show zones"
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.2
-%define release 5
+%define version 4.4.4
+%define release 0base

 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -77,6 +77,8 @@ fi
 %attr(0644,root,root) %config(noreplace) /etc/shorewall/*
 %attr(0600,root,root) /etc/shorewall/Makefile

+%attr(0644,root,root) /etc/logrotate.d/shorewall
+
 %attr(0755,root,root) /sbin/shorewall

 %attr(0644,root,root) /usr/share/shorewall/version
@@ -104,16 +106,14 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 

 %changelog
-* Sat Oct 24 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-5
-* Fri Oct 23 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-4
-* Tue Oct 13 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-3
-* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-2
-* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-1
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
+* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
 * Sun Sep 06 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base
 * Fri Sep 04 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.2.5
+VERSION=4.4.4

 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/default.debian
+++ b/Shorewall6-lite/default.debian
@@ -21,4 +21,9 @@ startup=0

 OPTIONS=""

+#
+# Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
+#
+INITLOG=/dev/null
+
 # EOF
--- a/Shorewall6-lite/fallback.sh
+++ b/Shorewall6-lite/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=4.4.2.5
+VERSION=4.4.4

 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -15,9 +15,7 @@

 SRWL=/sbin/shorewall6-lite
 SRWL_OPTS="-tvv"
-# Note, set INITLOG to /dev/null if you do not want to
-# keep logs of the firewall (not recommended)
-INITLOG=/var/log/shorewall6-lite-init.log
+test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}

 [ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0

@@ -25,7 +23,7 @@ export SHOREWALL_INIT_SCRIPT

 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.2.5
+VERSION=4.4.4

 usage() # $1 = exit status
 {
@@ -219,6 +219,11 @@ mkdir -p ${PREFIX}/var/lib/shorewall6-lite
 chmod 755 ${PREFIX}/etc/shorewall6-lite
 chmod 755 ${PREFIX}/usr/share/shorewall6-lite

+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
+fi
+
 #
 # Install the config file
 #
@@ -303,6 +308,11 @@ cd ..

 echo "Man Pages Installed"

+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6-lite
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6-lite"
+fi
+
 #
 # Create the version file
 #
--- a/Shorewall6-lite/logrotate
+++ b/Shorewall6-lite/logrotate
@@ -0,0 +1,5 @@
+/var/log/shorewall6-init.log {
+  missingok
+  notifempty
+  create 0600 root root
+}
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.2
-%define release 5
+%define version 4.4.4
+%define release 0base

 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -70,6 +70,8 @@ fi
 %attr(0755,root,root) %dir /usr/share/shorewall6-lite
 %attr(0700,root,root) %dir /var/lib/shorewall6-lite

+%attr(0644,root,root) /etc/logrotate.d/shorewall6-lite
+
 %attr(0755,root,root) /sbin/shorewall6-lite

 %attr(0644,root,root) /usr/share/shorewall6-lite/version
@@ -89,16 +91,14 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
-* Sat Oct 24 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-5
-* Fri Oct 23 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-4
-* Tue Oct 13 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-3
-* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-2
-* Fri Oct 02 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-1
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
+* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
 * Sun Sep 06 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base
 * Fri Sep 04 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.2.5
+VERSION=4.4.4

 usage() # $1 = exit status
 {
--- a/Shorewall6/fallback.sh
+++ b/Shorewall6/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=4.4.2.5
+VERSION=4.4.4

 usage() # $1 = exit status
 {
--- a/Shorewall6/init.debian.sh
+++ b/Shorewall6/init.debian.sh
@@ -15,13 +15,11 @@
 SRWL=/sbin/shorewall6
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall6/wait4ifup
-# Note, set INITLOG to /dev/null if you do not want to
-# keep logs of the firewall (not recommended)
-INITLOG=/var/log/shorewall6-init.log
+test -n ${INITLOG:=/var/log/shorewall6-init.log}

 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n $INITLOG || {
+test -n "$INITLOG" || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.2.5
+VERSION=4.4.4

 usage() # $1 = exit status
 {
@@ -234,6 +234,12 @@ mkdir -p ${PREFIX}/var/lib/shorewall6
 chmod 755 ${PREFIX}/etc/shorewall6
 chmod 755 ${PREFIX}/usr/share/shorewall6
 chmod 755 ${PREFIX}/usr/share/shorewall6/configfiles
+
+if [ -n "$PREFIX" ]; then
+    mkdir -p ${PREFIX}/etc/logrotate.d
+    chmod 755 ${PREFIX}/etc/logrotate.d
+fi
+
 #
 # Install the config file
 #
@@ -642,6 +648,11 @@ cd ..

 echo "Man Pages Installed"

+if [ -d ${PREFIX}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${PREFIX}/etc/logrotate.d/shorewall6
+    echo "Logrotate file installed as ${PREFIX}/etc/logrotate.d/shorewall6"
+fi
+
 if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
    if [ -n "$DEBIAN" ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -383,6 +383,10 @@ show_command() {
 			    option=
 			    shift
 			    ;;
+			l*)
+			    IPT_OPTIONS1="--line-numbers"
+			    option=${option#l}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -396,6 +400,8 @@ show_command() {
 	esac
    done

+    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
+
    [ -n "$debugging" ] && set -x
    case "$1" in
 	connections)
@@ -602,6 +608,10 @@ dump_command() {
 			    SHOWMACS=Yes
 			    option=${option#m}
 			    ;;
+			l*)
+			    IPT_OPTIONS1="--line-numbers"
+			    option=${option#l}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -615,6 +625,8 @@ dump_command() {
 	esac
    done

+    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
+
    [ $VERBOSE -lt 2 ] && VERBOSE=2

    [ -n "$debugging" ] && set -x
--- a/Shorewall6/logrotate
+++ b/Shorewall6/logrotate
@@ -0,0 +1,5 @@
+/var/log/shorewall6-init.log {
+  missingok
+  notifempty
+  create 0600 root root
+}
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@@ -1289,7 +1289,7 @@ usage() # $1 = exit status
    echo "   restart [ -n ] [ -f ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|raw|routing|tc|vardir|zones} ]"
+    echo "   show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|nat|policies|raw|routing|tc|vardir|zones} ]"
    echo "   start [ -f ] [ -n ] [ <directory> ]"
    echo "   stop [ -f ]"
    echo "   status"
--- a/Shorewall6/shorewall6.conf
+++ b/Shorewall6/shorewall6.conf
@@ -32,9 +32,9 @@ VERBOSITY=1

 LOGFILE=/var/log/messages

-STARTUP_LOG=
+STARTUP_LOG=/var/log/shorewall6-init.log

-LOG_VERBOSITY=
+LOG_VERBOSITY=2

 LOGFORMAT="Shorewall:%s:%s:"

@@ -145,6 +145,10 @@ AUTOMAKE=No

 WIDE_TC_MARKS=No

+TRACK_PROVIDERS=No
+
+ZONE2ZONE=2
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.2
-%define release 5
+%define version 4.4.4
+%define release 0base

 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -69,6 +69,8 @@ fi
 %attr(0644,root,root) %config(noreplace) /etc/shorewall6/*
 %attr(0600,root,root) /etc/shorewall6/Makefile

+%attr(0644,root,root) /etc/logrotate.d/shorewall6
+
 %attr(0755,root,root) /sbin/shorewall6

 %attr(0644,root,root) /usr/share/shorewall6/version
@@ -93,16 +95,14 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6

 %changelog
-* Sat Oct 24 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-5
-* Fri Oct 23 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-4
-* Tue Oct 13 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-3
-* Sat Oct 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-2
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
 * Fri Oct 02 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-1
+- Updated to 4.4.3-0base
 * Sun Sep 06 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base
 * Fri Sep 04 2009 Tom Eastep tom@shorewall.net
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.2.5
+VERSION=4.4.4

 usage() # $1 = exit status
 {
--- a/docs/ConnectionRate.xml
+++ b/docs/ConnectionRate.xml
@@ -20,6 +20,8 @@
    <copyright>
      <year>2008</year>

+      <year>2009</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -520,6 +520,10 @@ eth0:66.249.93.111  0.0.0.0/0   206.124.146.176  tcp          993</programlistin
        <programlisting>#ACTION         SOURCE        DEST        PROTO        DEST
 #                                                      PORT(S)
 REDIRECT        net           22          tcp          9022</programlisting>
+
+        <para>Note that the above rule will also allow connections from the
+        net on TCP port 22. If you don't want that, see <link
+        linkend="faq1e">FAQ 1e</link>.</para>
      </section>
    </section>

@@ -534,7 +538,13 @@ REDIRECT        net           22          tcp          9022</programlisting>
      to go the opposite direction from SNAT/MASQUERADE. So if you masquerade
      or use SNAT from your local network to the Internet then you will need
      to use DNAT rules to allow connections from the Internet to your local
-      network. You also want to use DNAT rules when you intentionally want to
+      network.<note>
+          <para>If you use both 1:1 NAT and SNAT/MASQUERADE, those connections
+          that are subject to 1:1 NAT should use ACCEPT rather than DNAT.
+          Note, however, that DNAT can be used to override 1:1 NAT so as to
+          redirect a connection to a different internal system or port than
+          would be the case using 1:1 NAT.</para>
+        </note> You also want to use DNAT rules when you intentionally want to
      rewrite the destination IP address or port number. In all other cases,
      you use ACCEPT unless you need to hijack connections as they go through
      your firewall and handle them on the firewall box itself; in that case,
@@ -2544,30 +2554,53 @@ REJECT    fw            net:216.239.39.99    all</programlisting>Given that
      <command>shorewall[-lite] show capabilities</command> command at a root
      prompt.</para>

-      <programlisting>gateway:~# shorewall show capabilities
-Loading /usr/share/shorewall/functions...
-Processing /etc/shorewall/params ...
-Processing /etc/shorewall/shorewall.conf...
-Loading Modules...
+      <programlisting>gateway:~# <command>shorewall show capabilities</command>
 Shorewall has detected the following iptables/netfilter capabilities:
   NAT: Available
   Packet Mangling: Available
   Multi-port Match: Available
   Extended Multi-port Match: Available
   Connection Tracking Match: Available
+   Extended Connection Tracking Match Support: Available
+   Old Connection Tracking Match Syntax: Not available
   Packet Type Match: Available
   Policy Match: Available
   Physdev Match: Available
+   Physdev-is-bridged Support: Available
+   Packet length Match: Available
   IP range Match: Available
   Recent Match: Available
   Owner Match: Available
   Ipset Match: Available
-   ROUTE Target: Available
-   Extended MARK Target: Available
   CONNMARK Target: Available
+   Extended CONNMARK Target: Available
   Connmark Match: Available
+   Extended Connmark Match: Available
   Raw Table: Available
-gateway:~#</programlisting>
+   IPP2P Match: Available
+   Old IPP2P Match Syntax: Not available
+   CLASSIFY Target: Available
+   Extended REJECT: Available
+   Repeat match: Available
+   MARK Target: Available
+   Extended MARK Target: Available
+   Mangle FORWARD Chain: Available
+   Comments: Available
+   Address Type Match: Available
+   TCPMSS Match: Available
+   Hashlimit Match: Available
+   Old Hashlimit Match: Not available
+   NFQUEUE Target: Available
+   Realm Match: Available
+   Helper Match: Available
+   Connlimit Match: Available
+   Time Match: Available
+   Goto Support: Available
+   LOGMARK Target: Available
+   IPMARK Target: Available
+   LOG Target: Available
+   Persistent SNAT: Available
+gateway:~# </programlisting>
    </section>

    <section id="faq19">
--- a/docs/IPSEC-2.6.xml
+++ b/docs/IPSEC-2.6.xml
@@ -57,26 +57,31 @@
    release.</emphasis></para>
  </caution>

+  <important>
+    <para><emphasis role="bold">Shorewall does not configure IPSEC for
+    you</emphasis> -- it rather configures netfilter to accomodate your IPSEC
+    configuration.</para>
+  </important>
+
  <important>
    <para>The information in this article is only applicable if you plan to
    have IPSEC end-points on the same system where Shorewall is used.</para>
  </important>

  <important>
-    <para>While this article shows configuration of IPSEC using ipsec-tools,
-    Shorewall configuration is exactly the same when using OpenSwan or
+    <para>While this <emphasis role="bold">article shows configuration of
+    IPSEC using ipsec-tools</emphasis>, <emphasis role="bold">Shorewall
+    configuration is exactly the same when using OpenSwan</emphasis> or
    FreeSwan.</para>
  </important>

  <warning>
    <para>When running a Linux kernel prior to 2.6.20, the Netfilter+ipsec and
    policy match support are broken when used with a bridge device. The
-    problem has been reported to the responsible Netfilter developer who has
-    confirmed the problem. The problem was corrected in Kernel 2.6.20 as a
-    result of the removal of deferred FORWARD/OUTPUT processing of traffic
-    destined for a bridge. See the <ulink
-    url="bridge-Shorewall-perl.html">"<emphasis>Shorewall-perl and Bridged
-    Firewalls</emphasis>"</ulink> article.</para>
+    problem was corrected in Kernel 2.6.20 as a result of the removal of
+    deferred FORWARD/OUTPUT processing of traffic destined for a bridge. See
+    the <ulink url="bridge-Shorewall-perl.html">"<emphasis>Shorewall-perl and
+    Bridged Firewalls</emphasis>"</ulink> article.</para>
  </warning>

  <section id="Overview">
@@ -132,12 +137,12 @@

    <para>Under the 2.4 Linux Kernel, the association of unencrypted traffic
    and zones was made easy by the presence of IPSEC pseudo-interfaces with
-    names of the form <filename class="devicefile">ipsecn</filename> (e.g.
+    names of the form <filename class="devicefile">ipsecN</filename> (e.g.
    <filename class="devicefile">ipsec0</filename>). Outgoing unencrypted
    traffic (case 1.) was send through an <filename
-    class="devicefile">ipsecn</filename> device while incoming unencrypted
+    class="devicefile">ipsecN</filename> device while incoming unencrypted
    traffic (case 2) arrived from an <filename
-    class="devicefile">ipsecn</filename> device. The 2.6 kernel-based
+    class="devicefile">ipsecN</filename> device. The 2.6 kernel-based
    implementation does away with these pseudo-interfaces. Outgoing traffic
    that is going to be encrypted and incoming traffic that has been decrypted
    must be matched against policies in the SPD and/or the appropriate
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@@ -167,8 +167,7 @@ dmz                    Demilitarized Zone</programlisting>
 fw      firewall
 net     ipv4
 loc     ipv4
-dmz     ipv4
-#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
+dmz     ipv4</programlisting>

    <para>Note that Shorewall recognizes the firewall system as its own zone.
    The name of the zone designating the firewall itself (usually 'fw' as
--- a/docs/Macros.xml
+++ b/docs/Macros.xml
@@ -433,46 +433,7 @@ ACCEPT           fw       loc             tcp      135,139,445</programlisting>
        non-comment line in your macro file.</para>

        <para>If ACTION is DNAT[-] or REDIRECT[-] then if this column is
-        included and is different from the IP address given in the SERVER
-        column, then connections destined for that address will be forwarded
-        to the IP and port specified in the DEST column.</para>
-
-        <para>A comma-separated list of addresses may also be used. This is
-        most useful with the REDIRECT target where you want to redirect
-        traffic destined for particular set of hosts. Finally, if the list of
-        addresses begins with "!" (exclusion) then the rule will be followed
-        only if the original destination address in the connection request
-        does not match any of the addresses listed.</para>
-
-        <para>For other actions, this column may be included and may contain
-        one or more addresses (host or network) separated by commas. Address
-        ranges are not allowed. When this column is supplied, rules are
-        generated that require that the original destination address matches
-        one of the listed addresses. This feature is most useful when you want
-        to generate a filter rule that corresponds to a DNAT- or REDIRECT-
-        rule. In this usage, the list of addresses should not begin with
-        "!".</para>
-
-        <para>It is also possible to specify a set of addresses then exclude
-        part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28
-        specifies the addresses 192.168.1.0-182.168.1.15 and
-        192.168.1.32-192.168.1.255. See <ulink
-        url="manpages/shorewall_exclusion.html">shorewall-exclusion</ulink>(5).</para>
-
-        <para>See <ulink
-        url="http://shorewall.net/PortKnocking.html">http://shorewall.net/PortKnocking.html</ulink>
-        for an example of using an entry in this column with a user-defined
-        action rule.</para>
-      </listitem>
-
-      <listitem>
-        <para>ORIGINAL DEST (Shorewall-perl 4.2.0 and later)</para>
-
-        <para>To use this column, you must include 'FORMAT 2' as the first
-        non-comment line in your macro file.</para>
-
-        <para>If ACTION is DNAT[-] or REDIRECT[-] then if this column is
-        included and is different from the IP address given in the SERVER
+        included and is different from the IP address given in the DEST
        column, then connections destined for that address will be forwarded
        to the IP and port specified in the DEST column.</para>

@@ -617,7 +578,7 @@ ACCEPT           fw       loc             tcp      135,139,445</programlisting>
        connections is then taken over all hosts in the subnet
        <replaceable>source-address</replaceable>/<replaceable>mask</replaceable>.
        When ! is specified, the rule matches when the number of connection
-        exceeds the limit. </para>
+        exceeds the limit.</para>
      </listitem>

      <listitem>
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -329,9 +329,18 @@
                <term>track</term>

                <listitem>
-                  <para>If specified, connections FROM this interface are to
-                  be tracked so that responses may be routed back out this
-                  same interface.</para>
+                  <para><important>
+                      <para>Beginning with Shorwall 4.3.3, <emphasis
+                      role="bold">track</emphasis> defaults to the setting of
+                      the <option>TRACK_PROVIDERS</option> option in <ulink
+                      url="manpages/shorewall.conf">shorewall.conf
+                      </ulink>(5). To disable this option when you have
+                      specified TRACK_PROVIDERS=Yes, you must specify
+                      <emphasis role="bold">notrack</emphasis> (see
+                      below).</para>
+                    </important>If specified, connections FROM this interface
+                  are to be tracked so that responses may be routed back out
+                  this same interface.</para>

                  <para>You want to specify 'track' if Internet hosts will be
                  connecting to local servers through this provider. Any time
@@ -350,7 +359,8 @@
                  support</emphasis>).</para>

                  <important>
-                    <para>If you are using
+                    <para>If you are running a version of Shorewall earlier
+                    than 4.4.3 and are using
                    <filename>/etc/shorewall/providers</filename> because you
                    have multiple Internet connections, we recommend that you
                    specify <emphasis role="bold">track</emphasis> even if you
@@ -441,6 +451,15 @@
                </listitem>
              </varlistentry>

+              <varlistentry>
+                <term>notrack</term>
+
+                <listitem>
+                  <para>Added in Shorewall 4.4.3. This option turns off the
+                  <emphasis role="bold">track</emphasis> option.</para>
+                </listitem>
+              </varlistentry>
+
              <varlistentry>
                <term>optional</term>

@@ -1363,19 +1382,85 @@ fi</programlisting></para>
        supported. This allows additional files to be sourced in from the main
        configuration file.</para>

+        <para>LSM monitors the status of the links defined in its
+        configuration file and runs a user-provided script when the status of
+        a link changes. The script name is specified in the
+        <firstterm>eventscript</firstterm> option in the configuration file.
+        Key arguments to the script are as follows:</para>
+
+        <variablelist>
+          <varlistentry>
+            <term>$1</term>
+
+            <listitem>
+              <para>The state of the link ('up' or 'down')</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>$2</term>
+
+            <listitem>
+              <para>The name of the connection as specified in the
+              configuration file.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>$4</term>
+
+            <listitem>
+              <para>The name of the network interface associated with the
+              connection.</para>
+            </listitem>
+          </varlistentry>
+
+          <varlistentry>
+            <term>$5</term>
+
+            <listitem>
+              <para>The email address of the person specified to receive
+              notifications. Specified in the
+              <firstterm>warn_email</firstterm> option in the configuration
+              file.</para>
+            </listitem>
+          </varlistentry>
+        </variablelist>
+
+        <para>It is the responsibility of the script to perform any action
+        needed in reaction to the connection state change. The default script
+        supplied with LSM composes an email and sends it to $5.</para>
+
        <para>I personally use LSM here at shorewall.net (configuration is
        described <link linkend="Complete">below</link>). I have set things up
-        so that Shorewall [re]starts lsm during processing of the
-        <command>start</command> and <command>restore</command> commands. I
-        don't have Shorewall restart lsm during Shorewall
-        <command>restart</command> because I restart Shorewall much more often
-        than the average user is likely to do. I have Shorewall start lsm
-        because I have a dynamic IP address from one of my providers
-        (Comcast); Shorewall detects the default gateway to that provider and
-        creates a secondary configuration file
-        (<filename>/etc/lsm/shorewall.conf</filename>) that contains the link
-        configurations. That file is included by
-        <filename>/etc/lsm/lsm.conf</filename>.B</para>
+        so that:</para>
+
+        <itemizedlist>
+          <listitem>
+            <para>Shorewall [re]starts lsm during processing of the
+            <command>start</command> and <command>restore</command> commands.
+            I don't have Shorewall restart lsm during Shorewall
+            <command>restart</command> because I restart Shorewall much more
+            often than the average user is likely to do.</para>
+          </listitem>
+
+          <listitem>
+            <para>Shorewall starts lsm because I have a dynamic IP address
+            from one of my providers (Comcast); Shorewall detects the default
+            gateway to that provider and creates a secondary configuration
+            file (<filename>/etc/lsm/shorewall.conf</filename>) that contains
+            the link configurations. That file is included by
+            <filename>/etc/lsm/lsm.conf</filename>.</para>
+          </listitem>
+
+          <listitem>
+            <para>The script run by LSM during state change
+            (<filename>/etc/lsm/script) </filename>writes a<filename>
+            ${VARDIR}/xxx.status</filename> file when the status of an
+            interface changes. Those files are read by the
+            <filename>isusable</filename> extension script (see below).</para>
+          </listitem>
+        </itemizedlist>

        <para>Below are my relevant configuration files.</para>

@@ -1386,12 +1471,10 @@ fi</programlisting></para>

        <para><filename>/etc/shorewall/isusable</filename>:</para>

-        <para>Note that <filename>/etc/lsm/script </filename>writes
-        a<filename> ${VARDIR}/xxx.status</filename> file when the status of an
-        interface changes.</para>
-
        <programlisting>local status=0
-
+#
+# Read the status file (if any) created by /etc/lsm/script
+#
 [ -f ${VARDIR}/${1}.status ] &amp;&amp; status=$(cat ${VARDIR}/${1}.status)

 return $status</programlisting>
@@ -1404,7 +1487,16 @@ return $status</programlisting>
 # Start lsm
 ###############################################################################
 start_lsm() {
+   #
+   # Kill any existing lsm process(es)
+   #
   killall lsm 2&gt; /dev/null
+   #
+   # Create the Shorewall-specific part of the LSM configuration. This file is
+   # included by /etc/lsm/lsm.conf
+   #
+   # Avvanta has a static gateway while Comcast's is dynamic
+   #
   cat &lt;&lt;EOF &gt; /etc/lsm/shorewall.conf
 connection {
    name=Avvanta
@@ -1420,13 +1512,20 @@ connection {
    ttl=1
 }
 EOF
+   #
+   # Since LSM assumes that interfaces start in the 'up' state, remove any
+   # existing status files that might have an interface in the down state
+   #
   rm -f /etc/shorewall/*.status
+   #
+   # Run LSM -- by default, it forks into the background
+   #
   /usr/sbin/lsm /etc/lsm/lsm.conf &gt;&gt; /var/log/lsm
 }</programlisting>

        <para>eth3 has a dynamic IP address so I need to use the
        Shorewall-detected gateway address ($ETH3_GATEWAY). I supply a default
-        value in the event that detection fails.</para>
+        value to be used in the event that detection fails.</para>

        <para><filename>/etc/shorewall/started</filename>:</para>

@@ -1532,11 +1631,11 @@ EOM

 echo $state &gt; ${VARDIR}/${DEVICE}.status

-/sbin/shorewall -f restart &gt;&gt; /var/log/lsm 2&gt;&amp;1
+/sbin/shorewall restart -f &gt;&gt; /var/log/lsm 2&gt;&amp;1

 /sbin/shorewall show routing &gt;&gt; /var/log/lsm

-exit 0;
+exit 0

 #EOF</programlisting>:</para>
      </section>
--- a/docs/NetfilterOverview.xml
+++ b/docs/NetfilterOverview.xml
@@ -119,34 +119,38 @@
    </important>

    <para>The above diagram should help you understand the output of
-    <quote>shorewall status</quote>. You may also wish to refer to <ulink
+    <quote>shorewall dump</quote>. You may also wish to refer to <ulink
    url="PacketHandling.html">this article</ulink> that describes the flow of
    packets through a Shorewall-generated firewall.</para>

-    <para>Here are some excerpts from <quote>shorewall status</quote> on a
+    <para>Here are some excerpts from <quote>shorewall dump</quote> on a
    server with one interface (eth0):</para>

-    <programlisting>[root@lists html]# shorewall status
+    <programlisting>[root@tipper ~]# shorewall dump
 
-Shorewall-1.4.7 Status at lists.shorewall.net - Mon Oct 13 12:51:13 PDT 2003
-                                                                                                                                                                                    
-Counters reset Sat Oct 11 08:12:57 PDT 2003</programlisting>
+Shorewall 4.4.2.2 Dump at tipper - Fri Oct 16 07:38:16 PDT 2009
+
+Counters reset Thu Oct  8 00:38:06 PDT 2009</programlisting>

    <para>The first table shown is the <emphasis role="bold">Filter</emphasis>
    table.</para>

    <programlisting>Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
- 679K  182M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
- 785K   93M accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
-    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID</programlisting>
+ 6428 1417K dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW 
+ 967K  629M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
+   49  3896 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
+    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED</programlisting>
+
+    <para>The <quote>dynamic</quote> chain above is where dynamic blacklisting
+    is done.</para>

    <para>The following rule indicates that all traffic destined for the
    firewall that comes into the firewall on eth0 is passed to a chain called
    <quote>eth0_in</quote>. That chain will be shown further down.</para>

    <programlisting> 785K   93M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
-    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
+    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
                                                                                                                                                                                    
@@ -155,87 +159,87 @@ Chain FORWARD (policy DROP 0 packets, 0 bytes)
    0     0 accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
-    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
+    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'
    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0
                                                                                                                                                                                    
 Chain OUTPUT (policy DROP 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination
- 679K  182M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
- 922K  618M accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0
-    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID
- 922K  618M fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
-    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0
-    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'
-    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0</programlisting>
+ 895K  181M fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
+   49  3896 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
+    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
+    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:' 
+    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 
+</programlisting>

    <para>Here is the eth0_in chain:</para>

    <programlisting>Chain eth0_in (1 references)
 pkts bytes target     prot opt in     out     source               destination
- 785K   93M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0
- 785K   93M net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0</programlisting>
-
-    <para>The <quote>dynamic</quote> chain above is where dynamic blacklisting
-    is done.</para>
+   49  3896 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
+    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
+    0     0 Reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:' 
+    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0           [goto] 
+</programlisting>

    <para>Next comes the <emphasis role="bold">Nat</emphasis> table:</para>

    <programlisting>NAT Table
- 
-Chain PREROUTING (policy ACCEPT 182K packets, 12M bytes)
- pkts bytes target     prot opt in     out     source               destination
-20005 1314K net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
- 
-Chain POSTROUTING (policy ACCEPT 678K packets, 44M bytes)
- pkts bytes target     prot opt in     out     source               destination
- 
-Chain OUTPUT (policy ACCEPT 678K packets, 44M bytes)
- pkts bytes target     prot opt in     out     source               destination
- 
-Chain net_dnat (1 references)
- pkts bytes target     prot opt in     out     source               destination
-  638 32968 REDIRECT   tcp  --  *      *       0.0.0.0/0           !206.124.146.177    tcp dpt:80 redir ports 3128
-</programlisting>

-    <para>And finally, the <emphasis role="bold">Mangle</emphasis>
-    table:</para>
+Chain PREROUTING (policy ACCEPT 5593 packets, 1181K bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain POSTROUTING (policy ACCEPT 11579 packets, 771K bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain OUTPUT (policy ACCEPT 11579 packets, 771K bytes)
+ pkts bytes target     prot opt in     out     source               destination</programlisting>
+
+    <para>Next, the <emphasis role="bold">Mangle</emphasis> table:</para>

    <programlisting>Mangle Table
- 
-Chain PREROUTING (policy ACCEPT 14M packets, 2403M bytes)
- pkts bytes target     prot opt in     out     source               destination
-1464K  275M pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
- 
-Chain INPUT (policy ACCEPT 14M packets, 2403M bytes)
- pkts bytes target     prot opt in     out     source               destination
- 
+
+Chain PREROUTING (policy ACCEPT 967K packets, 629M bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+ 967K  629M tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+
+Chain INPUT (policy ACCEPT 967K packets, 629M bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+
 Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
- pkts bytes target     prot opt in     out     source               destination
- 
-Chain OUTPUT (policy ACCEPT 15M packets, 7188M bytes)
- pkts bytes target     prot opt in     out     source               destination
-1601K  800M outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0
- 
-Chain POSTROUTING (policy ACCEPT 15M packets, 7188M bytes)
- pkts bytes target     prot opt in     out     source               destination
- 
-Chain outtos (1 references)
- pkts bytes target     prot opt in     out     source               destination
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
- 315K  311M TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
-  683 59143 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
- 3667 5357K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08
- 
-Chain pretos (1 references)
- pkts bytes target     prot opt in     out     source               destination
- 271K   15M TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10
-  730 41538 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10
-    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08
- 2065  111K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08</programlisting>
+ pkts bytes target     prot opt in     out     source               destination         
+    0     0 tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+
+Chain OUTPUT (policy ACCEPT 895K packets, 181M bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+ 895K  181M tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+
+Chain POSTROUTING (policy ACCEPT 895K packets, 181M bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+ 895K  181M tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+
+Chain tcfor (1 references)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain tcout (1 references)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain tcpost (1 references)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain tcpre (1 references)
+ pkts bytes target     prot opt in     out     source               destination</programlisting>
+
+    <para>And finally, the <emphasis role="bold">Raw</emphasis> table:</para>
+
+    <programlisting>Raw Table
+
+Chain PREROUTING (policy ACCEPT 1004K packets, 658M bytes)
+ pkts bytes target     prot opt in     out     source               destination         
+
+Chain OUTPUT (policy ACCEPT 926K packets, 186M bytes)
+ pkts bytes target     prot opt in     out     source               destination</programlisting>
  </section>
 </article>
--- a/docs/Shorewall-perl.xml
+++ b/docs/Shorewall-perl.xml
@@ -670,15 +670,15 @@ DNAT-              net                192.168.1.3      tcp          21</programl
  <section id="Modules">
    <title>The Shorewall Perl Modules</title>

-    <para>Shorewall's Perl modules are installed in
-    /usr/share/shorewall-perl/Shorewall and the names of the packages are of
-    the form Shorewall::<firstterm>name</firstterm>. So by using this
-    directive<programlisting>use lib '/usr/share/shorewall-perl';</programlisting></para>
+    <para>In Shorewall 4.4 and later, Shorewall's Perl modules are installed
+    in /usr/share/shorewall/Shorewall and the names of the packages are of the
+    form Shorewall::<firstterm>name</firstterm>. So by using this
+    directive<programlisting>use lib '/usr/share/shorewall';</programlisting></para>

    <para>You can then load the modules via normal Perl use statements.</para>

    <section id="compiler.pl">
-      <title>/usr/share/shorewall-perl/compiler.pl</title>
+      <title>/usr/share/shorewall/compiler.pl</title>

      <para>While the compiler is normally run indirectly using
      /sbin/shorewall, it can be run directly as well.<programlisting><command>compiler.pl</command> [ <emphasis>option</emphasis> ... ] [ <emphasis>filename</emphasis> ]</programlisting></para>
@@ -734,25 +734,25 @@ DNAT-              net                192.168.1.3      tcp          21</programl
          role="bold">--log</emphasis>=&lt;logfile&gt;</member>
        </simplelist></para>

-      <para>Added in Shorewall 4.2. If given, compiler will log to this file
-      provider that --log_verbosity is &gt; -1.<simplelist>
+      <para>If given, compiler will log to this file provider that
+      --log_verbosity is &gt; -1.<simplelist>
          <member><emphasis
          role="bold">--log_verbosity</emphasis>=-1|0|1|2</member>
        </simplelist></para>

-      <para>Added in Shorewall 4.1. If given, controls the verbosity of
-      logging to the log specified by the --log parameter.</para>
+      <para>If given, controls the verbosity of logging to the log specified
+      by the --log parameter.</para>

      <simplelist>
        <member><emphasis role="bold">--family=</emphasis>4|6</member>
      </simplelist>

-      <para>Added in Shorewall 4.2.4. Specifies whether an IPv4 or an IPv6
-      firewall is to be created.</para>
+      <para>Specifies whether an IPv4 or an IPv6 firewall is to be
+      created.</para>

      <para>Example (compiles the configuration in the current directory
      generating a script named 'firewall' and using VERBOSITY
-      2).<programlisting><emphasis role="bold">/usr/share/shorewall-perl/compiler.pl -v 2 -d . firewall</emphasis></programlisting><note>
+      2).<programlisting><emphasis role="bold">/usr/share/shorewall/compiler.pl -v 2 -d . firewall</emphasis></programlisting><note>
          <para>The Perl-based compiler does not process
          <filename>/etc/shorewall/params</filename>. To include definitions
          in that file, you would need to do something like the
@@ -760,216 +760,135 @@ DNAT-              net                192.168.1.3      tcp          21</programl
 set -a                           # Export all variables set in /etc/shorewall/params
 . /etc/shorewall/params
 set +a
-/usr/share/shorewall-perl/compiler.pl ...</command></programlisting></para>
+/usr/share/compiler.pl ...</command></programlisting></para>
        </note></para>
    </section>

    <section id="Compiler">
      <title>Shorewall::Compiler</title>

-      <section id="Compiler-4.0">
-        <title>Shorewall 4.0</title>
+      <para>To avoid a proliferation of parameters to
+      Shorewall::Compiler::compile(), that function uses named parameters.
+      Parameter names are:</para>

-        <para><programlisting> use lib '/usr/share/shorewall-perl';
- use Shorewall::Compiler;
-        
- compiler $filename, $directory, $verbose, $options $chains</programlisting>Arguments
-        to the compiler are:</para>
+      <variablelist>
+        <varlistentry>
+          <term>script ('object' is also accepted but deprecated)</term>

-        <variablelist>
-          <varlistentry>
-            <term>$filename</term>
+          <listitem>
+            <para>Output script file. If omitted or '', the configuration is
+            syntax checked.</para>
+          </listitem>
+        </varlistentry>

-            <listitem>
-              <para>Name of the compiled script to be created. If the
-              arguments evaluates to false, the configuration is syntax
-              checked.</para>
-            </listitem>
-          </varlistentry>
+        <varlistentry>
+          <term>directory</term>

-          <varlistentry>
-            <term>$directory</term>
+          <listitem>
+            <para>Directory. If omitted or '', configuration files are located
+            using CONFIG_PATH. Otherwise, the directory named by this
+            parameter is searched first.</para>
+          </listitem>
+        </varlistentry>

-            <listitem>
-              <para>The directory containing the configuration. If passed as
-              '', then <filename class="directory">/etc/shorewall/</filename>
-              is assumed.</para>
-            </listitem>
-          </varlistentry>
+        <varlistentry>
+          <term>verbosity</term>

-          <varlistentry>
-            <term>$verbose</term>
+          <listitem>
+            <para>Verbosity; range -1 to 2</para>
+          </listitem>
+        </varlistentry>

-            <listitem>
-              <para>The verbosity level that the compiler will run with
-              (0-2).<note>
-                  <para>The VERBOSITY setting in the
-                  <filename>shorewall.conf</filename> file read by the
-                  compiler will determine the default verbosity for the
-                  compiled program.</para>
-                </note></para>
-            </listitem>
-          </varlistentry>
+        <varlistentry>
+          <term>timestamp</term>

-          <varlistentry>
-            <term>$options</term>
+          <listitem>
+            <para>0|1 -- timestamp messages.</para>
+          </listitem>
+        </varlistentry>

-            <listitem>
-              <para>A bitmap of options. Shorewall::Compiler exports three
-              constants to help building this argument:<simplelist>
-                  <member>EXPORT = 0x01</member>
+        <varlistentry>
+          <term>debug</term>

-                  <member>TIMESTAMP = 0x02</member>
+          <listitem>
+            <para>0|1 -- include stack trace in warning/error messages.</para>
+          </listitem>
+        </varlistentry>

-                  <member>DEBUG = 0x04</member>
-                </simplelist></para>
-            </listitem>
-          </varlistentry>
+        <varlistentry>
+          <term>export</term>

-          <varlistentry>
-            <term>$chains</term>
+          <listitem>
+            <para>0|1 -- compile for export.</para>
+          </listitem>
+        </varlistentry>

-            <listitem>
-              <para>A comma-separated list of chains that the generated
-              script's 'refresh' command will reload. If passed as an empty
-              string, then 'blacklist' is assumed.</para>
-            </listitem>
-          </varlistentry>
-        </variablelist>
+        <varlistentry>
+          <term>chains</term>

-        <para>The compiler raises an exception with 'die' if it encounters an
-        error; $@ contains the 'ERROR' messages describing the problem. The
-        compiler function can be called repeatedly with different
-        inputs.</para>
-      </section>
+          <listitem>
+            <para>List of chains to be reloaded by 'refresh'</para>
+          </listitem>
+        </varlistentry>

-      <section>
-        <title>Shorewall 4.2 and Later</title>
+        <varlistentry>
+          <term>log</term>

-        <para>To avoid a proliferation of parameters to
-        Shorewall::Compiler::compile(), that function has been changed to use
-        named parameters. Parameter names are:</para>
+          <listitem>
+            <para>File to log compiler messages to.</para>
+          </listitem>
+        </varlistentry>

-        <variablelist>
-          <varlistentry>
-            <term>object</term>
+        <varlistentry>
+          <term>log_verbosity</term>

-            <listitem>
-              <para>Object file. If omitted or '', the configuration is syntax
-              checked.</para>
-            </listitem>
-          </varlistentry>
+          <listitem>
+            <para>Log Verbosity; range -1 to 2.</para>
+          </listitem>
+        </varlistentry>

-          <varlistentry>
-            <term>directory</term>
+        <varlistentry>
+          <term>family</term>

-            <listitem>
-              <para>Directory. If omitted or '', configuration files are
-              located using CONFIG_PATH. Otherwise, the directory named by
-              this parameter is searched first.</para>
-            </listitem>
-          </varlistentry>
+          <listitem>
+            <para>Address family: 4 or 6</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>

-          <varlistentry>
-            <term>verbosity</term>
+      <para>Those parameters that are supplied must have defined values.
+      Defaults are: <simplelist>
+          <member>script '' ('check' command)</member>

-            <listitem>
-              <para>Verbosity; range -1 to 2</para>
-            </listitem>
-          </varlistentry>
+          <member>directory ''</member>

-          <varlistentry>
-            <term>timestamp</term>
+          <member>verbosity 1</member>

-            <listitem>
-              <para>0|1 -- timestamp messages.</para>
-            </listitem>
-          </varlistentry>
+          <member>timestamp 0</member>

-          <varlistentry>
-            <term>debug</term>
+          <member>debug 0</member>

-            <listitem>
-              <para>0|1 -- include stack trace in warning/error
-              messages.</para>
-            </listitem>
-          </varlistentry>
+          <member>export 0</member>

-          <varlistentry>
-            <term>export</term>
+          <member>chains ''</member>

-            <listitem>
-              <para>0|1 -- compile for export.</para>
-            </listitem>
-          </varlistentry>
+          <member>log ''</member>

-          <varlistentry>
-            <term>chains</term>
+          <member>log_verbosity -1</member>

-            <listitem>
-              <para>List of chains to be reloaded by 'refresh'</para>
-            </listitem>
-          </varlistentry>
+          <member>family 4</member>
+        </simplelist></para>

-          <varlistentry>
-            <term>log</term>
-
-            <listitem>
-              <para>File to log compiler messages to.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term>log_verbosity</term>
-
-            <listitem>
-              <para>Log Verbosity; range -1 to 2.</para>
-            </listitem>
-          </varlistentry>
-
-          <varlistentry>
-            <term>family</term>
-
-            <listitem>
-              <para>Address family: 4 or 6</para>
-            </listitem>
-          </varlistentry>
-        </variablelist>
-
-        <para>Those parameters that are supplied must have defined values.
-        Defaults are: <simplelist>
-            <member>object '' ('check' command)</member>
-
-            <member>directory ''</member>
-
-            <member>verbosity 1</member>
-
-            <member>timestamp 0</member>
-
-            <member>debug 0</member>
-
-            <member>export 0</member>
-
-            <member>chains ''</member>
-
-            <member>log ''</member>
-
-            <member>log_verbosity -1</member>
-
-            <member>family 4</member>
-          </simplelist></para>
-
-        <para>Example: <programlisting>use lib '/usr/share/shorewall-perl/';
+      <para>Example: <programlisting>use lib '/usr/share/shorewall/';
 use Shorewall::Compiler;

-compiler( object =&gt; '/root/firewall', log =&gt; '/root/compile.log', log_verbosity =&gt; 2 ); </programlisting></para>
-      </section>
+compiler( script =&gt; '/root/firewall', log =&gt; '/root/compile.log', log_verbosity =&gt; 2 ); </programlisting></para>
    </section>

    <section id="Chains">
      <title>Shorewall::Chains</title>

-      <para><programlisting>use lib '/usr/share/shorewall-perl';
+      <para><programlisting>use lib '/usr/share/shorewall';
 use Shorewall::Chains;

 my $chainref1 = chain_new $table, $name1;
@@ -1208,7 +1127,7 @@ my $chainref7 = $filter_table{$name};</programlisting>Shorewall::Chains is
    <section id="Config">
      <title>Shorewall::Config</title>

-      <para><programlisting>use lib '/usr/share/shorewall-perl';
+      <para><programlisting>use lib '/usr/share/shorewall';
 use Shorewall::Config;

 warning message "This entry is bogus";
@@ -1218,7 +1137,7 @@ progress_message  "This will only be seen if VERBOSITY &gt;= 2";
 progress_message2 "This will only be seen if VERBOSITY &gt;= 1";
 progress_message3 "This will be seen unless VERBOSITY &lt; 0";
 </programlisting>The <emphasis role="bold">shorewall()</emphasis> function may
-      be optionally included:<programlisting>use lib '/usr/share/shorewall-perl';
+      be optionally included:<programlisting>use lib '/usr/share/shorewall';
 use Shorewall::Config qw/shorewall/;

 shorewall $config_file_entry;</programlisting>The Shorewall::Config module
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -226,5 +226,15 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>

      <para>Re-enables traffic from 192.0.2.125.</para>
    </example>
+
+    <example>
+      <title>Displaying the Dynamic Blacklist</title>
+
+      <programlisting>    <command>shorewall show dynamic</command></programlisting>
+
+      <para>Displays the 'dynamic' chain which contains rules for the dynamic
+      blacklist. The <firstterm>source</firstterm> column contains the set of
+      blacklisted addresses.</para>
+    </example>
  </section>
 </article>
--- a/docs/bridge-Shorewall-perl.xml
+++ b/docs/bridge-Shorewall-perl.xml
@@ -619,6 +619,60 @@ br0             192.168.1.0/24  routeback
    firewall rules.</para>
  </section>

+  <section id="Multiple">
+    <title>Multiple Bridges with Wildcard Ports</title>
+
+    <para>It is sometimes required to configure multiple bridges on a single
+    firewall/gateway. The following seemingly valid configuration results in a
+    compile-time error</para>
+
+    <simplelist>
+      <member>ERROR: Duplicate Interface Name (p+)</member>
+    </simplelist>
+
+    <para><filename>/etc/shorewall/zones</filename>:</para>
+
+    <programlisting>       #ZONE            TYPE    
+       fw               firewall
+       world            ipv4
+       z1:world         bport4
+       z2:world         bport4</programlisting>
+
+    <para><filename>/etc/shorewall/interfaces</filename>:</para>
+
+    <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
+       world            br0             -               bridge
+       world            br1             -               bridge
+       z1               br0:p+
+       z2               br1:p+</programlisting>
+
+    <para>The reason is that the Shorewall implementation requires each bridge
+    port to have a unique name. The <option>physical</option> interface option
+    was added in Shorewall 4.4.4 to work around this problem. The above
+    configuration may be defined using the following in
+    <filename>/etc/shorewall/interfaces</filename>: </para>
+
+    <programlisting>       #ZONE            INTERFACE       BROADCAST       OPTIONS
+       world            br0             -               bridge
+       world            br1             -               bridge
+       z1               br0:x+          -               physical=p+
+       z2               br1:y+          -               physical=p+</programlisting>
+
+    <para>In this configuration, 'x+' is the logical name for ports p+ on
+    bridge br0 while 'y+' is the logical name for ports p+ on bridge
+    br1.</para>
+
+    <para>If you need to refer to a particular port on br1 (for example
+    p1023), you write it as y1023; Shorewall will translate that name to p1023
+    when needed.</para>
+
+    <para>Example from /etc/shorewall/rules:</para>
+
+    <programlisting>       #ACTION    SOURCE    DEST       PROTO    DEST
+       #                                        PORT(S)
+       REJECT     z1:x1023  z1:x1024   tcp      1234</programlisting>
+  </section>
+
  <section id="bridge-router">
    <title>Combination Router/Bridge</title>

--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -37,7 +37,8 @@
  <caution>
    <para><emphasis role="bold">This article applies to Shorewall 4.3 and
    later. If you are running a version of Shorewall earlier than Shorewall
-    4.3.5then please see the documentation for that release.</emphasis></para>
+    4.3.5 then please see the documentation for that
+    release.</emphasis></para>
  </caution>

  <caution>
@@ -712,8 +713,8 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
    Perl-based compiler, <firstterm>Embedded scripts</firstterm> offer a
    richer and more flexible extension capability.</para>

-    <para>While inline scripts scripts may be written in either Shell or Perl,
-    those written in Perl have a lot more power.</para>
+    <para>While inline scripts may be written in either Shell or Perl, those
+    written in Perl have a lot more power.</para>

    <para>Embedded scripts can be either single-line or multi-line. Single
    line scripts take one of the following forms:</para>
@@ -739,17 +740,18 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
 ACCEPT loc fw tcp 22
 ACCEPT dmz fw tcp 22</programlisting></para>

-    <para>Perl scripts run in the context of of the compiler process. To
-    produce output that will be processed by the compiler as if it were
-    embedded in the file at the point of the script, pass that output to the
-    shorewall() function. The Perl equivalent of the above SHELL script would
-    be:<programlisting>PERL for ( qw/net loc dmz/ ) { shorewall "ACCEPT $_ fw tcp 22"; }</programlisting>Perl
-    scripts are implicitly prefixed by the following:</para>
+    <para>Perl scripts run in the context of of the compiler process using
+    Perl's eval() function. Perl scripts are implicitly prefixed by the
+    following:</para>

    <programlisting>package Shorewall::User;
 use Shorewall::Config qw/shorewall/;</programlisting>

-    <para>A couple of more points should be mentioned:</para>
+    <para>To produce output that will be processed by the compiler as if it
+    were embedded in the file at the point of the script, pass that output to
+    the Shorewall::Config::shorewall() function. The Perl equivalent of the
+    above SHELL script would be:<programlisting>PERL for ( qw/net loc dmz/ ) { shorewall "ACCEPT $_ fw tcp 22"; }</programlisting>A
+    couple of more points should be mentioned:</para>

    <orderedlist>
      <listitem>
@@ -1005,8 +1007,7 @@ Shorewall has detected the following iptables/netfilter capabilities:
   Packet Type Match: Not available
   Policy Match: Available
   Physdev Match: Available
-   <emphasis role="bold">IP range Match: Available &lt;-------------- 
-</emphasis></programlisting>
+   <emphasis role="bold">IP range Match: Available &lt;--------------</emphasis></programlisting>
  </section>

  <section id="Ports">
@@ -1026,6 +1027,79 @@ Shorewall has detected the following iptables/netfilter capabilities:
    "!tcp").</para>
  </section>

+  <section id="ICMP">
+    <title>ICMP and ICMP6 Types and Codes</title>
+
+    <para>When dealing with ICMP, the DEST PORT specifies the type or type and
+    code. You may specify the numeric type, the numeric type and code
+    separated by a slash (e.g., 3/4) or you may use a type name.</para>
+
+    <para>Type names for IPv4 and their corresponding type or type/code
+    are:</para>
+
+    <programlisting>echo-reply'                  =&gt; 0
+destination-unreachable      =&gt; 3
+    network-unreachable      =&gt; 3/0
+    host-unreachable         =&gt; 3/1
+protocol-unreachable         =&gt; 3/2
+port-unreachable             =&gt; 3/3
+fragmentation-needed         =&gt; 3/4
+source-route-failed          =&gt; 3/5
+network-unknown              =&gt; 3/6
+host-unknown                 =&gt; 3/7
+network-prohibited           =&gt; 3/9
+host-prohibited              =&gt; 3/10
+TOS-network-unreachable      =&gt; 3/11
+TOS-host-unreachable         =&gt; 3/12
+communication-prohibited     =&gt; 3/13
+host-precedence-violation    =&gt; 3/14
+precedence-cutoff            =&gt; 3/15
+source-quench                =&gt; 4
+redirect                     =&gt; 5
+   network-redirect          =&gt; 5/0
+   host-redirect             =&gt; 5/1
+   TOS-network-redirect      =&gt; 5/2
+   TOS-host-redirect         =&gt; 5/3
+echo-request                 =&gt; 8
+router-advertisement         =&gt; 9
+router-solicitation          =&gt; 10
+time-exceeded                =&gt; 11
+   ttl-zero-during-transit   =&gt; 11/0
+   ttl-zero-during-reassembly=&gt; 11/1
+parameter-problem            =&gt; 12
+   ip-header-bad             =&gt; 12/0
+   required-option-missing   =&gt; 12/1
+timestamp-request            =&gt; 13
+timestamp-reply              =&gt; 14
+address-mask-request         =&gt; 17
+address-mask-reply           =&gt; 18</programlisting>
+
+    <para>Type names for IPv6 and their corresponding type or type/code
+    are:</para>
+
+    <programlisting>destination-unreachable       =&gt; 1
+   no-route'                  =&gt; 1/0
+   communication-prohibited   =&gt; 1/1
+   address-unreachable'       =&gt; 1/2
+   port-unreachable'          =&gt; 1/3
+packet-too-big                =&gt;  2
+time-exceeded'                =&gt;  3
+ttl-exceeded'                 =&gt;  3
+   ttl-zero-during-transit    =&gt; 3/0
+   ttl-zero-during-reassembly =&gt; 3/1
+parameter-problem             =&gt;  4
+   bad-header                 =&gt; 4/0
+   unknown-header-type        =&gt; 4/1
+   unknown-option             =&gt; 4/2
+echo-request                  =&gt; 128
+echo-reply                    =&gt; 129
+router-solicitation           =&gt; 133
+router-advertisement          =&gt; 134
+neighbour-solicitation        =&gt; 135
+neighbour-advertisement       =&gt; 136
+redirect                      =&gt; 137</programlisting>
+  </section>
+
  <section id="Ranges">
    <title>Port Ranges</title>

@@ -1058,7 +1132,7 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
    <para>Also, unless otherwise documented, a port list can be preceded by
    '!' to specify "All ports except these" (e.g., "!80,443").</para>

-    <para>Port lists appearing in the <ulink
+    <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
    url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>
    file may specify no more than 15 ports; port ranges appearing in a list
    count as two ports each.</para>
@@ -1105,6 +1179,66 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
    </note>
  </section>

+  <section id="Logical">
+    <title>Logical Interface Names</title>
+
+    <para>When dealing with a complex configuration, it is often awkward to
+    use physical interface names in the Shorewall configuration.</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>You need to remember which interface is which.</para>
+      </listitem>
+
+      <listitem>
+        <para>If you move the configuration to another firewall, the interface
+        names might not be the same.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Beginning with Shorewall 4.4.4, you can use logical interface names
+    which are mapped to the actual interface using the
+    <option>physical</option> option in <ulink
+    url="manpages/shorewall-interfaces.html">shorewall-interfraces</ulink>
+    (5).</para>
+
+    <para>Here is an example:</para>
+
+    <programlisting>#ZONE  INTERFACE  BROADCAST OPTIONS
+net    COM_IF     detect    dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,physical=eth0
+net    EXT_IF     detect    dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,physical=eth2
+loc    INT_IF     detect    dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,physical=eth1
+dmz    VPS_IF     detect    logmartians=1,routefilter=0,routeback,physical=venet0
+loc    TUN_IF     detect    physical=tun+</programlisting>
+
+    <para>In this example, COM_IF is a logical interface name that refers to
+    Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is
+    a logical interface name that refers to Ethernet interface <filename
+    class="devicefile">eth2</filename>, and so on.</para>
+
+    <para>Here are a couple of more files from the same configuration:</para>
+
+    <para><ulink url="manpages/shorewall-masq.html">shorewall-masq</ulink>
+    (5):</para>
+
+    <programlisting>#INTERFACE SOURCE                    ADDRESS
+
+COMMENT Masquerade Local Network
+COM_IF     0.0.0.0/0
+EXT_IF     !206.124.146.0/24         206.124.146.179:persistent</programlisting>
+
+    <para><ulink
+    url="manpages/shorewall-providers.html">shorewall-providers</ulink>
+    (5)</para>
+
+    <programlisting>#NAME   NUMBER   MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS               COPY
+Avvanta 1        0x10000 main       EXT_IF     206.124.146.254 loose,fallback        INT_IF,VPS_IF,TUN_IF
+Comcast 2        0x20000 main       COM_IF     detect          balance               INT_IF,VPS_IF,TUN_IF</programlisting>
+
+    <para>Note in particular that Shorewall translates TUN_IF to <filename
+    class="devicefile">tun*</filename> in the COPY column.</para>
+  </section>
+
  <section id="Levels">
    <title>Shorewall Configurations</title>

--- a/docs/images/Netfilter.png
+++ b/docs/images/Netfilter.png
--- a/docs/images/Netfilter.vdx
+++ b/docs/images/Netfilter.vdx
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -278,11 +278,11 @@ ACCEPT:NFLOG(1,0,1) vpn        fw       tcp       ssh,time,631,8080 </programlis

  <section id="Contents">
    <title>Understanding the Contents of Shorewall Log Messages</title>
-
+	<!--
    <para>For general information on the contents of Netfilter log messages,
    see <ulink
 		url="http://moser-willi.at/doc/howto/docs/iptables_netfilter_howto_de/docs/netfilter_log_format/index.html">http://moser-willi.at/doc/howto/docs/iptables_netfilter_howto_de/docs/netfilter_log_format/index.html</ulink>.</para>
-
+-->
    <para>For Shorewall-specific information, see <ulink
    url="FAQ.htm#faq17">FAQ #17</ulink>.</para>
  </section>
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -645,6 +645,20 @@ ppp0           6000kbit         500kbit</programlisting>
              that means that we want to use the source IP address
              <emphasis>before SNAT</emphasis> as the key.</para>
            </listitem>
+
+            <listitem>
+              <para>pfifo - When specified for a leaf class, the pfifo queing
+              discipline is applied to the class rather than the sfq queuing
+              discipline.</para>
+            </listitem>
+
+            <listitem>
+              <para>limit=<emphasis>number</emphasis> - Added in Shorewall
+              4.4.3. When specified for a leaf class, specifies the maximum
+              number of packets that may be queued within the class. The
+              <emphasis>number</emphasis> must be &gt; 2 and less than 128. If
+              not specified, the value 127 is assumed</para>
+            </listitem>
          </itemizedlist>
        </listitem>
      </itemizedlist>
@@ -1181,6 +1195,188 @@ SAVE     0.0.0.0/0      0.0.0.0/0       all        -             -        -
 /sbin/shorewall refresh</programlisting>
    </section>

+    <section id="perIP">
+      <title>Per-IP Traffic Shaping</title>
+
+      <para>Some network administrators feel that they have to divy up their
+      available bandwidth by IP address rather than by prioritizing the
+      traffic based on the type of traffic. This gets really awkward when
+      there are a large number of local IP addresses.</para>
+
+      <para>This section describes the Shorewall facility for making this
+      configuration less tedious (and a lot more efficient). Note that it
+      requires that you <ulink url="Dynamic.html#xtables-addons">install
+      xtables-addons</ulink>. So before you try this facility, we suggest that
+      first you add the following OPTION to each external interface described
+      in /etc/shorewall/tcdevices:</para>
+
+      <programlisting>flow=nfct-src</programlisting>
+
+      <para>If you shape traffic on your internal interface(s), then add this
+      to their entries:</para>
+
+      <programlisting>flow=dst</programlisting>
+
+      <para>You may find that this simple change is all that is needed to
+      control bandwidth hogs like Bit Torrent. If it doesn't, then proceed as
+      described in this section.</para>
+
+      <para>The facility has two components:</para>
+
+      <orderedlist>
+        <listitem>
+          <para>An IPMARK MARKing command in
+          <filename>/etc/shorewall/tcrules</filename>.</para>
+        </listitem>
+
+        <listitem>
+          <para>An <emphasis role="bold">occurs</emphasis> OPTION in
+          /etc/shorewall/tcclasses.</para>
+        </listitem>
+      </orderedlist>
+
+      <para>The facility is currently only available with IPv4.</para>
+
+      <para>In a sense, the IPMARK target is more like an IPCLASSIFY target in
+      that the mark value is later interpreted as a class ID. A packet mark is
+      32 bits wide; so is a class ID. The <emphasis>major</emphasis> class
+      occupies the high-order 16 bits and the <emphasis>minor</emphasis> class
+      occupies the low-order 16 bits. So the class ID 1:4ff (remember that
+      class IDs are always in hex) is equivalent to a mark value of 0x104ff.
+      Remember that Shorewall uses the interface number as the
+      <emphasis>major</emphasis> number where the first interface in tcdevices
+      has <emphasis>major</emphasis> number 1, the second has
+      <emphasis>major</emphasis> number 2, and so on.</para>
+
+      <para>The IPMARK target assigns a mark to each matching packet based on
+      the either the source or destination IP address. By default, it assigns
+      a mark value equal to the low-order 8 bits of the source address.</para>
+
+      <para>The syntax is as follows:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">IPMARK</emphasis>[<emphasis
+        role="bold">(</emphasis>[{<emphasis
+        role="bold">src</emphasis>|<emphasis
+        role="bold">dst</emphasis>}][<emphasis
+        role="bold">,</emphasis>[<emphasis>mask1</emphasis>][,[<emphasis>mask2</emphasis>][<emphasis
+        role="bold">,</emphasis>[<emphasis>shift</emphasis>]]]]<emphasis
+        role="bold">)</emphasis>]</para>
+      </blockquote>
+
+      <para>Default values are:</para>
+
+      <simplelist>
+        <member>src</member>
+
+        <member>mask1 = 0xFF</member>
+
+        <member>mask2 = 0x00</member>
+
+        <member>shift = 0</member>
+      </simplelist>
+
+      <para><emphasis role="bold">src</emphasis> and <emphasis
+      role="bold">dst</emphasis> specify whether the mark is to be based on
+      the source or destination address respectively. The selected address is
+      first shifted right by <emphasis>shift</emphasis>, then LANDed with
+      <emphasis>mask1</emphasis> and then LORed with
+      <emphasis>mask2</emphasis>. The <emphasis>shift</emphasis> argument is
+      intended to be used primarily with IPv6 addresses.</para>
+
+      <para>Example:</para>
+
+      <programlisting>IPMARK(src,0xff,0x10100)
+
+Source IP address is 192.168.4.3 = 0xc0a80403
+
+        0xc0a80403 &gt;&gt; 0         = 0xc0a80403
+        0xc0a80403 LAND 0xFF    = 0x03
+        0x03       LOR  0x10100 = 0x10103
+
+        So the mark value is 0x10103 which corresponds to class id 1:103.</programlisting>
+
+      <para>It is important to realize that, while class IDs are composed of a
+      <emphasis>major</emphasis> and a <emphasis>minor</emphasis> value, the
+      set of <emphasis>minor</emphasis> values must be unique. You must keep
+      this in mind when deciding how to map IP addresses to class IDs. For
+      example, suppose that your internal network is 192.168.1.0/29 (host IP
+      addresses 192.168.1.1 - 192.168.1.6). Your first notion might be to use
+      IPMARK(src,0xFF,0x10000) so as to produce class IDs 1:1 through 1:6. But
+      1:1 is the class ID of the base HTB class on interface 1. So you might
+      chose instead to use IPMARK(src,0xFF,0x10100) as shown in the example
+      above so as to avoid minor class 1.</para>
+
+      <para>The <emphasis role="bold">occurs</emphasis> option in
+      <filename>/etc/shorewall/tcclasses</filename> causes the class
+      definition to be replicated many times.</para>
+
+      <para>The synax is:</para>
+
+      <blockquote>
+        <para><emphasis
+        role="bold">occurs=</emphasis><emphasis>number</emphasis></para>
+      </blockquote>
+
+      <para>When <emphasis role="bold">occurs</emphasis> is used:</para>
+
+      <orderedlist numeration="loweralpha">
+        <listitem>
+          <para>The associated device may not have the <emphasis
+          role="bold">classify</emphasis> option.</para>
+        </listitem>
+
+        <listitem>
+          <para>The class may not be the default class.</para>
+        </listitem>
+
+        <listitem>
+          <para>The class may not have any <emphasis
+          role="bold">tos=</emphasis> options (including <emphasis
+          role="bold">tcp-ack</emphasis>).</para>
+        </listitem>
+      </orderedlist>
+
+      <para>The class should not specify a MARK value. Any MARK value given is
+      ignored with a warning. The RATE and CEIL parameters apply to each
+      instance of the class. So the total RATE represented by an entry with
+      <emphasis role="bold">occurs</emphasis> will be the listed RATE
+      multiplied by <emphasis>number</emphasis>.</para>
+
+      <para>Example:</para>
+
+      <para><filename>/etc/shorewall/tcdevices</filename>:</para>
+
+      <programlisting>#INTERFACE IN-BANDWIDTH OUT-BANDWIDTH
+eth0       100mbit      100mbit</programlisting>
+
+      <para><filename>/etc/shorewall/tcclasses</filename>:</para>
+
+      <programlisting>#DEVICE   MARK RATE     CEIL PRIORITY    OPTIONS
+eth0:101     - 1kbit 230kbit        4    occurs=6</programlisting>
+
+      <para>The above defines 6 classes with class IDs 0x101-0x106. Each class
+      has a guaranteed rate of 1kbit/second and a ceiling of 230kbit.</para>
+
+      <para><filename>/etc/shoreall/tcrules</filename>:</para>
+
+      <programlisting>#MARK                      SOURCE         DEST
+IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
+
+      <para>This facility also alters the way in which Shorewall generates a
+      class number when none is given. Prior to the implementation of this
+      facility, the class number was constructed by concatinating the MARK
+      value with the either '1' or '10'. '10' was used when there were more
+      than 10 devices defined in
+      <filename>/etc/shorewall/tcdevices</filename>.</para>
+
+      <para>With this facility, a new method is added; class numbers are
+      assigned sequentially beginning with 2. The WIDE_TC_MARKS option in
+      <filename>shorewall.conf</filename> selects which construction to use.
+      WIDE_TC_MARKS=No (the default) produces pre-Shorewall 4.4 behavior.
+      WIDE_TC_MARKS=Yes produces the new behavior.</para>
+    </section>
+
    <section id="Real">
      <title>Real life examples</title>

@@ -2038,4 +2234,4 @@ class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 1900 rate 76000bit ceil 2300
    <para>At least one Shorewall user has found this tool helpful: <ulink
    url="http://e2epi.internet2.edu/network-performance-toolkit.html">http://e2epi.internet2.edu/network-performance-toolkit.html</ulink></para>
  </section>
-</article>
+</article>
--- a/manpages/shorewall-interfaces.xml
+++ b/manpages/shorewall-interfaces.xml
@@ -63,10 +63,12 @@ loc     eth2            -</programlisting>
        role="bold">]</emphasis></term>

        <listitem>
-          <para>Name of interface. Each interface may be listed only once in
-          this file. You may NOT specify the name of a "virtual" interface
-          (e.g., eth0:0) here; see <ulink
-          url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
+          <para>Logical name of interface. Each interface may be listed only
+          once in this file. You may NOT specify the name of a "virtual"
+          interface (e.g., eth0:0) here; see <ulink
+          url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink>.
+          If the <option>physical</option> option is not specified, then the
+          logical name is also the name of the actual interface.</para>

          <para>You may use wildcards here by specifying a prefix followed by
          the plus sign ("+"). For example, if you want to make an entry that
@@ -123,7 +125,7 @@ loc     eth2            -</programlisting>
          <para>If you use the special value <emphasis
          role="bold">detect</emphasis>, Shorewall will detect the broadcast
          address(es) for you if your iptables and kernel include Address Type
-          Match support. </para>
+          Match support.</para>

          <para>If your iptables and/or kernel lack Address Type Match support
          then you may list the broadcast address(es) for the network(s) to
@@ -161,7 +163,7 @@ loc     eth2            -</programlisting>

                <para>Only those interfaces with the
                <option>arp_filter</option> option will have their setting
-                changes; the value assigned to the setting will be the value
+                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>

                <para></para>
@@ -188,7 +190,8 @@ loc     eth2            -</programlisting>

                <para>2 - reply only if the target IP address is local address
                configured on the incoming interface and the sender's IP
-                address is part from same subnet on this interface</para>
+                address is part from same subnet on this interface's
+                address</para>

                <para>3 - do not reply for local addresses configured with
                scope host, only resolutions for global and link</para>
@@ -290,11 +293,12 @@ loc     eth2            -</programlisting>
                role="bold">logmartians</emphasis>. Even if you do not specify
                the <option>routefilter</option> option, it is a good idea to
                specify <option>logmartians</option> because your distribution
-                may be enabling route filtering without you knowing it.</para>
+                may have enabled route filtering without you knowing
+                it.</para>

                <para>Only those interfaces with the
                <option>logmartians</option> option will have their setting
-                changes; the value assigned to the setting will be the value
+                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>

                <para>To find out if route filtering is set on a given
@@ -433,6 +437,28 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>physical=<emphasis
+              role="bold"><emphasis>name</emphasis></emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.4. When specified, the interface
+                or port name in the INTERFACE column is a logical name that
+                refers to the name given in this option. It is useful when you
+                want to specify the same wildcard port name on two or more
+                bridges. See <ulink
+                url="http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple">http://www.shorewall.net/bridge-Shorewall-perl.html#Multiple</ulink>.</para>
+
+                <para>If the <emphasis>interface</emphasis> name is a wildcard
+                name (ends with '+'), then the physical
+                <emphasis>name</emphasis> must also end in '+'.</para>
+
+                <para>If <option>physical</option> is not specified, then it's
+                value defaults to the <emphasis>interface</emphasis>
+                name.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">proxyarp[={0|1}]</emphasis></term>

@@ -510,12 +536,12 @@ loc     eth2            -</programlisting>
                (sets
                /proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/accept_source_route
                to 1). Only set this option if you know what you are doing.
-                This might represent a security risk and is not usually
-                needed.</para>
+                This might represent a security risk and is usually
+                unneeded.</para>

                <para>Only those interfaces with the
                <option>sourceroute</option> option will have their setting
-                changes; the value assigned to the setting will be the value
+                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>

                <para></para>
@@ -579,7 +605,7 @@ loc     eth2            -</programlisting>
        <listitem>
          <para>Suppose you have eth0 connected to a DSL modem and eth1
          connected to your local network and that your local subnet is
-          192.168.1.0/24. The interface gets it's IP address via DHCP from
+          192.168.1.0/24. The interface gets its IP address via DHCP from
          subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
          using eth2.</para>

--- a/manpages/shorewall-masq.xml
+++ b/manpages/shorewall-masq.xml
@@ -409,7 +409,7 @@
          <para>Only locally-generated connections will match if this column
          is non-empty.</para>

-          <para>When this column is non-empty, the rule applies only if the
+          <para>When this column is non-empty, the rule matches only if the
          program generating the output is running under the effective
          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
          specified (or is NOT running under that id if "!" is given).</para>
--- a/manpages/shorewall-nat.xml
+++ b/manpages/shorewall-nat.xml
@@ -63,7 +63,7 @@
        role="bold">:</emphasis>[<emphasis>digit</emphasis>]]</term>

        <listitem>
-          <para>Interfacees that have the <emphasis
+          <para>Interfaces that have the <emphasis
          role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
          <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5),
          Shorewall will automatically add the EXTERNAL address to this
--- a/manpages/shorewall-netmap.xml
+++ b/manpages/shorewall-netmap.xml
@@ -43,7 +43,7 @@
          <para>Must be DNAT or SNAT.</para>

          <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
-          it's destination address rewritten to the corresponding address in
+          its destination address rewritten to the corresponding address in
          NET2.</para>

          <para>If SNAT, traffic leaving INTERFACE with a source address in
--- a/manpages/shorewall-policy.xml
+++ b/manpages/shorewall-policy.xml
@@ -41,7 +41,7 @@

      <para>For $FW and for all of the zones defined in /etc/shorewall/zones,
      the POLICY for connections from the zone to itself is ACCEPT (with no
-      logging or TCP connection rate limiting but may be overridden by an
+      logging or TCP connection rate limiting) but may be overridden by an
      entry in this file. The overriding entry must be explicit (cannot use
      "all" in the SOURCE or DEST).</para>

@@ -95,7 +95,7 @@
        <listitem>
          <para>Policy if no match from the rules file is found.</para>

-          <para>If the policy is other than CONTINUE or NONE then the policy
+          <para>If the policy is neither CONTINUE nor NONE then the policy
          may be followed by ":" and one of the following:</para>

          <orderedlist numeration="loweralpha">
--- a/manpages/shorewall-providers.xml
+++ b/manpages/shorewall-providers.xml
@@ -163,6 +163,13 @@
                <para>You want to specify <option>track</option> if internet
                hosts will be connecting to local servers through this
                provider.</para>
+
+                <para>Beginning with Shorewall 4.4.3, <option>track</option>
+                defaults to the setting of the TRACK_PROVIDERS option in
+                <ulink url="shorwewall.conf.html">shorewall.conf</ulink> (5).
+                If you set TRACK_PROVIDERS=Yes and want to override that
+                setting for an individual provider, then specify
+                <option>notrack</option> (see below).</para>
              </listitem>
            </varlistentry>

@@ -175,7 +182,7 @@
                specified will get outbound traffic load-balanced among them.
                By default, all interfaces with <option>balance</option>
                specified will have the same weight (1). You can change the
-                weight of an interface by specifiying
+                weight of an interface by specifying
                <option>balance=</option><replaceable>weight</replaceable>
                where <replaceable>weight</replaceable> is the weight of the
                route out of this interface.</para>
@@ -194,6 +201,15 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">notrack</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.3. When specified, turns off
+                <option>track</option>.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">optional
              (deprecated)</emphasis></term>
--- a/manpages/shorewall-proxyarp.xml
+++ b/manpages/shorewall-proxyarp.xml
@@ -67,8 +67,8 @@
          or <emphasis role="bold">yes</emphasis> in this column. Otherwise,
          enter <emphasis role="bold">no</emphasis> or <emphasis
          role="bold">No</emphasis> or leave the column empty and Shorewall
-          will add the route for you. If Shorewall adds the route,the route
-          will be persistent if the <emphasis
+	  will add the route for you. If Shorewall adds the route, its 
+	  persistence depends on the value of the<emphasis
          role="bold">PERSISTENT</emphasis> column contains <emphasis
          role="bold">Yes</emphasis>; otherwise, <emphasis
          role="bold">shorewall stop</emphasis> or <emphasis
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@@ -752,7 +752,10 @@
          <para>Destination Ports. A comma-separated list of Port names (from
          services(5)), port numbers or port ranges; if the protocol is
          <emphasis role="bold">icmp</emphasis>, this column is interpreted as
-          the destination icmp-type(s).</para>
+          the destination icmp-type(s). ICMP types may be specified as a
+          numeric type, a numberic type and code separated by a slash (e.g.,
+          3/4), or a typename. See <ulink
+          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>

          <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
          this column is interpreted as an ipp2p option without the leading
@@ -825,7 +828,7 @@
          role="bold">-</emphasis>] or <emphasis
          role="bold">REDIRECT</emphasis>[<emphasis role="bold">-</emphasis>]
          then if this column is included and is different from the IP address
-          given in the <emphasis role="bold">SERVER</emphasis> column, then
+          given in the <emphasis role="bold">DEST</emphasis> column, then
          connections destined for that address will be forwarded to the IP
          and port specified in the <emphasis role="bold">DEST</emphasis>
          column.</para>
@@ -946,7 +949,7 @@
              <term>+upnpd</term>

              <listitem>
-                <para>#program named upnpd</para>
+                <para>program named upnpd</para>

                <important>
                  <para>The ability to specify a program name was removed from
--- a/manpages/shorewall-tcclasses.xml
+++ b/manpages/shorewall-tcclasses.xml
@@ -407,6 +407,28 @@
                <emphasis>before NAT</emphasis> as the key.</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term>pfifo</term>
+
+              <listitem>
+                <para>When specified for a leaf class, the pfifo queing
+                discipline is applied to the class rather than the sfq queuing
+                discipline.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>limit=<emphasis>number</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.3. When specified for a leaf
+                class, determines the maximum number of packets that may be
+                queued within the class. The <emphasis>number</emphasis> must
+                be &gt; 2 and &lt;=128. If not specified, the value 127 is
+                assumed.</para>
+              </listitem>
+            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	bce4d51a18	Allow wide MARK values in tcclasses when WIDE_TC_MARKS=Yes	2009-11-21 07:54:42 -08:00
Tom Eastep	c5bb493b29	Fix class number assignment when WIDE_TC_MARKS=Yes	2009-11-20 12:25:15 -08:00
Tom Eastep	0df84cf8b5	Remove superfluous line of code	2009-11-19 10:54:58 -08:00
Tom Eastep	a23632f45e	Mostly cosmetic cleanup of Shorewall::Chains	2009-11-19 10:35:25 -08:00
Tom Eastep	de9c088972	Fix reported issues in the Macro article	2009-11-18 20:08:50 -08:00
Tom Eastep	c26fe6b15e	Merge branch 'master' of ssh://teastep@shorewall.git.sourceforge.net/gitroot/shorewall/shorewall	2009-11-18 19:59:21 -08:00
Tom Eastep	c39a9fb5eb	Fix typo in shorewall-rules(5)	2009-11-18 19:55:20 -08:00
Cristian Rodríguez	d7c084c9c6	comment out broken link until we find a suitable substitute	2009-11-18 16:22:17 -03:00
Tom Eastep	4579a71574	More massaging of redundant test suppression	2009-11-17 11:14:02 -08:00
Tom Eastep	831611e792	Update version of Shorewall::Policy	2009-11-16 20:24:01 -08:00
Tom Eastep	5f70b261b6	Update version of Shorewall::Compiler	2009-11-16 20:21:59 -08:00
Tom Eastep	c4bfab29a5	Clean up release notes	2009-11-16 15:21:11 -08:00
Tom Eastep	9d5dd2ad3a	Implement an '-l' option to the 'show' command	2009-11-16 15:14:24 -08:00
Tom Eastep	5ec4f8d82c	Unconditionally include route marking and sticky chains	2009-11-16 14:15:01 -08:00
Tom Eastep	2a910ebddf	Suppress redundant tests for provider availability in route rules processing	2009-11-16 12:43:44 -08:00
Tom Eastep	31f01fe765	Document fixing route rule addition code	2009-11-16 11:20:02 -08:00
Tom Eastep	016537f631	Don't add route rules when interface is down	2009-11-16 10:58:38 -08:00
Tom Eastep	dd543a2934	Tweak policies display	2009-11-16 09:30:37 -08:00
Tom Eastep	f5a019becc	Implement 'show policies' command	2009-11-15 09:24:56 -08:00
Tom Eastep	20ef4e584b	Fix markup on tcrules manpage	2009-11-15 07:46:49 -08:00
Tom Eastep	1c1f16661f	Tweak per-IP section	2009-11-14 11:56:37 -08:00
Tom Eastep	cb67513160	Document per-IP traffic shaping:	2009-11-14 08:52:47 -08:00
Tom Eastep	b662718eec	Replace canonical_chain by rules_chain	2009-11-14 07:07:19 -08:00
Tom Eastep	10affb1cde	Set version to 4.4.4	2009-11-13 13:52:49 -08:00
Tom Eastep	fa3bdde214	Set version to Beta2	2009-11-13 12:39:41 -08:00
Tom Eastep	9d57ff050a	Remove obsolete documentation references	2009-11-13 08:16:04 -08:00
Tom Eastep	0e6c9abb5b	A fix for COPY handling	2009-11-12 16:45:39 -08:00
Tom Eastep	f904866336	More minor cleanup of chain name change	2009-11-12 12:30:08 -08:00
Tom Eastep	2d53f8cb0c	Delete unnecessary function	2009-11-11 16:35:46 -08:00
Tom Eastep	e748341afd	Correct mis-statement in the release notes	2009-11-11 16:35:06 -08:00
Tom Eastep	b943f09e37	Fix indentation	2009-11-11 12:34:15 -08:00
Tom Eastep	8ddc2e804d	Document Logical Interfaces some more	2009-11-11 11:29:21 -08:00
Tom Eastep	4e6b8f8f42	Set version to 4.4.4-Beta1	2009-11-11 10:58:22 -08:00
Tom Eastep	0f078e7440	Ignore empty port in INTERFACE column	2009-11-11 10:52:14 -08:00
Tom Eastep	a4eb581d44	Document full logical interface implementation	2009-11-11 10:45:01 -08:00
Tom Eastep	06d3b2c692	Allow wildcard logical names in COPY column	2009-11-11 10:17:53 -08:00
Tom Eastep	6987cd15c5	Avoid dereference of null variable	2009-11-11 10:10:45 -08:00
Tom Eastep	ba8ad6346a	More use of logical chain name	2009-11-11 10:06:06 -08:00
Tom Eastep	893a847c87	Suppress extra COMMENT warnings	2009-11-10 17:17:55 -08:00
Tom Eastep	1735e168b1	Fix manpages	2009-11-10 15:48:49 -08:00
Tom Eastep	bd9c651961	Clarify physical naming rules and '+'	2009-11-10 15:25:25 -08:00
Tom Eastep	bf8c38e054	Add ZONE2ZONE option to shorewall.conf	2009-11-10 14:12:55 -08:00
Tom Eastep	7120a73f0e	Minor efficiency improvement in move_rules()	2009-11-10 08:08:02 -08:00
Tom Eastep	c9e57c93a2	Insure uniqueness of physical names; use logical name when constructing the name of a chain	2009-11-10 07:24:14 -08:00
Tom Eastep	4e2f2923b6	Update ::Config::VERSION	2009-11-09 13:16:40 -08:00
Tom Eastep	79b5cb49df	Fix over-zealous use of physical name; Correct syntax errors	2009-11-09 12:38:00 -08:00
Tom Eastep	893a0c9d42	Remove order dependency in interface OPTIONS processing	2009-11-09 11:15:08 -08:00
Tom Eastep	9b127e6e06	Improve performance of logical->physical mapping	2009-11-09 07:27:14 -08:00
Tom Eastep	92208251b7	Add undocumented LOGICAL_NAMES option	2009-11-09 07:01:25 -08:00
Tom Eastep	dda6f06883	Update module versions	2009-11-08 09:01:30 -08:00
Tom Eastep	4d977306f9	Make 'physical' work as a general logical name facility	2009-11-08 08:37:03 -08:00
Tom Eastep	83621ff416	Add logical->physical mapping to Shorewall::Chains	2009-11-08 07:11:38 -08:00
Tom Eastep	09f1b6501c	Add logical->physical mapping to Shorewall::Providers	2009-11-08 07:00:43 -08:00
Tom Eastep	ca1dd1416d	Add logical->physical mapping to Shorewall::Tc	2009-11-08 06:26:47 -08:00
Tom Eastep	1238b771a2	Apply logical->physical mapping to /proc settings	2009-11-07 18:59:10 -08:00
Tom Eastep	b1706e10e3	Correct typo	2009-11-07 07:58:15 -08:00
Tom Eastep	bcd4887d84	Correct capitalization in error message; remove unused variable	2009-11-07 07:39:28 -08:00
Tom Eastep	7f54a6fea9	Make non-wild physical work correctly	2009-11-07 07:19:52 -08:00
Tom Eastep	496cfc391e	Make parsing of zone options tighter	2009-11-06 15:51:53 -08:00
Tom Eastep	b491745f1c	More physical interface changes	2009-11-06 13:10:19 -08:00
Tom Eastep	4ef45ff665	Generate an error if a bridge port is configured as a provider interface	2009-11-06 09:22:16 -08:00
Tom Eastep	73eab1fa55	Report physical name in zone reports rather than logical name	2009-11-06 08:40:53 -08:00
Tom Eastep	d73ebb8a6a	Add comment explaining the purpose of dump_zone_contents()	2009-11-06 08:11:18 -08:00
Tom Eastep	7014bd3ea0	Add 'physical' interface option for bridge ports	2009-11-06 08:07:13 -08:00
Tom Eastep	89bdcf9a3d	Implement 'physical' option	2009-11-06 07:27:44 -08:00
Tom Eastep	a98195e156	Back out fix for multiple bridges with wildcard ports	2009-11-05 16:34:41 -08:00
Tom Eastep	fb3477b8b5	A couple of additional tweaks to the two-bridge fix	2009-11-05 13:40:03 -08:00
Tom Eastep	c1898d1c80	Remove anachronistic 'LAST LINE' from INtro	2009-11-05 13:30:18 -08:00
Tom Eastep	7e21488aec	Document ICMP codes	2009-11-05 11:58:54 -08:00
Tom Eastep	b4199fd068	Document ICMP codes	2009-11-05 11:44:40 -08:00
Tom Eastep	28b660c853	Avoid reporting bogus duplicate interface with two bridges and wildcard ports	2009-11-05 11:04:14 -08:00
Tom Eastep	3cc9ee7be5	Fix typo in the install script	2009-11-04 06:58:49 -08:00
Tom Eastep	4548db58da	Relax port list limitation in /etc/shorewall/routestopped	2009-11-03 11:36:32 -08:00
Tom Eastep	4f5c602d5f	Fix .spec error and document logrotate files	2009-11-03 10:12:38 -08:00
Tom Eastep	25549b176c	Update version to 4.4.4	2009-11-03 10:06:29 -08:00
Tom Eastep	306549119a	Add logrotate files to packages	2009-11-03 10:06:10 -08:00
Tom Eastep	5a525134ea	Be sure that startup log is secured 0600	2009-11-03 09:34:21 -08:00
Tom Eastep	f2f91ce7dd	Some optimizations	2009-11-03 09:28:34 -08:00
Tom Eastep	c893ba6ffa	Remove dependence of Shorewall::Rules on Scalar::Util	2009-11-03 07:40:06 -08:00
Tom Eastep	1892160ed5	Update copyright year list	2009-11-03 07:39:27 -08:00
Tom Eastep	45653ffe79	A couple of more move_rules() tweaks	2009-11-02 15:35:00 -08:00
Tom Eastep	f97e0c5989	Flesh out fix for Perl run-time errors	2009-11-02 07:15:20 -08:00
Tom Eastep	11ddfa92e9	Eliminate Perl run-time errors out of move_rules()	2009-11-01 17:14:42 -08:00
Tom Eastep	23d0806da2	Change Shorewall6 default STARTUP_LOG and LOG_VERBOSITY	2009-11-01 11:09:17 -08:00
Tom Eastep	99c77d2611	Fix typo in shorewall-rules(5)	2009-10-29 17:51:06 -07:00
Tom Eastep	4c3b0c7571	Re-word 'limit' description	2009-10-28 11:29:12 -07:00
Tom Eastep	59d01ccf97	A couple of tweaks to 'limit' class option	2009-10-27 12:33:14 -07:00
Tom Eastep	105754823a	Raise max limit to 128	2009-10-26 13:03:26 -07:00
Tom Eastep	f0b4b1f42e	Add limit option to tcclasses	2009-10-26 12:23:32 -07:00
Tom Eastep	cc0adc218f	Update comments and release documentation	2009-10-26 10:03:51 -07:00
Tom Eastep	8251948d2a	Add a comment	2009-10-24 15:55:56 -07:00
Tom Eastep	b3571261dd	Fix optional providers	2009-10-24 12:05:44 -07:00
Tom Eastep	c922afaf23	Tweak release notes	2009-10-24 12:01:15 -07:00
Tom Eastep	3e2cf982a3	Correct messages issued when a provider is not added	2009-10-24 08:50:15 -07:00
Tom Eastep	86df82a29a	Fix IPv6 address validation error	2009-10-23 13:41:51 -07:00
Tom Eastep	46896e7dce	Fix for Ipv6	2009-10-23 11:34:13 -07:00
Tom Eastep	445527d27e	Use /etc/debian_version to distinguish Debian-based systems	2009-10-21 16:12:02 -07:00
Tom Eastep	58ef1d3b63	Correct typo; elaborate on how PERL is processed	2009-10-21 09:39:50 -07:00
Tom Eastep	d0cda6b6ea	Add TRACK_PROVIDERS option	2009-10-20 13:24:17 -07:00
Tom Eastep	49f361124e	Make 'track' the default	2009-10-20 12:24:28 -07:00
Tom Eastep	c4af105ee4	Update display of capabilities in FAQ	2009-10-19 08:41:29 -07:00
Tom Eastep	7adb9b12bb	Move all function declarations from prog.footer6 to prog.header6	2009-10-19 07:37:49 -07:00
Tom Eastep	a0482132c6	Move all function declarations from prog.footer6 to prog.header6	2009-10-19 07:28:30 -07:00
Tom Eastep	abc9ab061a	Remove superfluous variables from generated script	2009-10-19 07:25:03 -07:00
Tom Eastep	65e4a5ff66	Move all functions from prog.footer to prog.header; minor tweaks elsewhere	2009-10-18 08:47:20 -07:00
Tom Eastep	0a74320bc2	Fix progress message	2009-10-17 14:23:11 -07:00
Tom Eastep	31bbec0fdd	Make 'debug' work with the safe commands	2009-10-17 13:05:26 -07:00
Tom Eastep	30dbfdc949	Fix intentation problem introduces with config-detection fix	2009-10-17 11:08:34 -07:00
Tom Eastep	f3043f1453	Document nested zone fix	2009-10-17 11:06:36 -07:00
Tom Eastep	e6755b7172	Merge nested zone fix into master	2009-10-17 10:59:41 -07:00
Tom Eastep	f6913953fe	Add Raw table to Netfilter Overview	2009-10-16 11:25:57 -07:00
Tom Eastep	a61c9a9e06	Fix typo	2009-10-16 10:45:46 -07:00
Tom Eastep	62c7ad7fbb	Update Netfilter Overview	2009-10-16 10:29:36 -07:00
Tom Eastep	b38841798e	Fix initialization	2009-10-15 13:43:46 -07:00
Tom Eastep	44c5ebcfa4	Fix initialization	2009-10-15 13:06:04 -07:00
Tom Eastep	6e6063f193	Don't wait for openvpn to start	2009-10-15 12:22:37 -07:00
Cristian Rodríguez	e2f64af187	if configured, openvpn should start before shorewall	2009-10-14 14:08:02 -03:00
Tom Eastep	19a90db09f	Back out last unnecessary change	2009-10-14 07:13:52 -07:00
Tom Eastep	94d039bf56	Merge branch 'master' of ssh://teastep@shorewall.git.sourceforge.net/gitroot/shorewall/shorewall	2009-10-13 17:51:45 -07:00
Cristian Rodríguez	b24544306c	fix some typos reported by Justin	2009-10-13 19:47:13 -03:00
Tom Eastep	990a9f0fdc	Fix RETAIN_ALIASES	2009-10-13 14:36:47 -07:00
Tom Eastep	1b0a3e4417	Correct typos in release notes	2009-10-13 08:13:34 -07:00
Tom Eastep	80f41779f8	Replace keyword 'object' with 'script'	2009-10-12 08:24:47 -07:00
Tom Eastep	fe3b8be029	Expand the answer to FAQ 1h	2009-10-12 07:38:19 -07:00
Tom Eastep	f1d014dfe4	Fix test for null INITLOG	2009-10-08 15:57:25 -07:00
Tom Eastep	7064b8dd08	Update version of changed modules	2009-10-08 15:49:54 -07:00
Tom Eastep	7612c895e5	Attempt to clarify LSM some more	2009-10-08 14:05:46 -07:00
Tom Eastep	3f7a1f9574	Rename a variable	2009-10-08 09:48:15 -07:00
Tom Eastep	28b0e99492	Explain how to list the dynamic blacklist	2009-10-06 10:20:09 -07:00
Tom Eastep	83a9d8dd1b	Rename 'object' to 'script'	2009-10-05 15:43:29 -07:00
Tom Eastep	dc643c67e9	Move declaration to inner block where it is used	2009-10-05 14:23:43 -07:00
Tom Eastep	ab4e7cffcf	Document fix to routestopped	2009-10-03 10:53:53 -07:00
Tom Eastep	8089ef1599	Fix 'routeback' in routestopped file	2009-10-03 10:44:26 -07:00
Tom Eastep	8915145607	More INITLOG changes	2009-10-03 08:29:45 -07:00
Tom Eastep	beac09e45f	STARTUP_LOG changes	2009-10-02 16:10:14 -07:00
Tom Eastep	de933ba912	Fix typo in comment	2009-10-02 13:10:49 -07:00
Tom Eastep	964cba79a9	Initialize 4.4.3	2009-10-02 11:31:08 -07:00
Tom Eastep	065808be16	Fix reference to README.Debian.gz	2009-10-02 11:13:44 -07:00
Tom Eastep	3171d3bfc2	Update FAQ regarding ACCEPT/DNAT	2009-10-02 10:45:56 -07:00