Fix syntax error in the generated script

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Correct issues with debugging the generated script
2012-03-06 09:14:06 -08:00 · 2012-03-05 15:55:25 -08:00 · 2012-02-29 15:04:17 -08:00 · 2012-02-25 08:28:15 -08:00 · 2012-02-25 07:51:55 -08:00 · 2012-02-25 07:40:47 -08:00
321 changed files with 23378 additions and 25220 deletions
--- a/Shorewall-core/COPYING
+++ b/Shorewall-core/COPYING
@@ -0,0 +1,341 @@
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+                          51 Franklin Street, Fifth Floor,
+			  Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	    How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) 19yy  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) 19yy name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Library General
+Public License instead of this License.
--- a/Shorewall-core/INSTALL
+++ b/Shorewall-core/INSTALL
@@ -0,0 +1,24 @@
+Shoreline Firewall (Shorewall) Version 4
+-----         ----
+
+-----------------------------------------------------------------------------
+
+     This program is free software; you can redistribute it and/or modify
+     it under the terms of Version 2 of the GNU General Public License
+     as published by the Free Software Foundation.
+
+     This program is distributed in the hope that it will be useful,
+     but WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+     GNU General Public License for more details.
+
+     You should have received a copy of the GNU General Public License
+     along with this program; if not, write to the Free Software
+     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+---------------------------------------------------------------------------
+
+Please see http://www.shorewall.net/Install.htm for installation
+instructions.
+
+
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -0,0 +1,287 @@
+#!/bin/sh
+#
+# Script to install Shoreline Firewall Core Modules
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+VERSION=xxx #The Build script inserts the actual version
+
+usage() # $1 = exit status
+{
+    ME=$(basename $0)
+    echo "usage: $ME"
+    echo "       $ME -v"
+    echo "       $ME -h"
+    echo "       $ME -s"
+    echo "       $ME -f"
+    exit $1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+run_install()
+{
+    if ! install $*; then
+	echo
+	echo "ERROR: Failed to install $*" >&2
+	exit 1
+    fi
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
+install_file() # $1 = source $2 = target $3 = mode
+{
+    run_install $T $OWNERSHIP -m $3 $1 ${2}
+}
+
+[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
+
+#
+# Parse the run line
+#
+# ARGS is "yes" if we've already parsed an argument
+#
+T="-T"
+
+[ -n "${LIBEXEC:=/usr/share}" ]
+[ -n "${PERLLIB:=/usr/share/shorewall}" ]
+MACHOST=
+
+case "$LIBEXEC" in
+    /*)
+	;;
+    *)
+	LIBEXEC=/usr/${LIBEXEC}
+	;;
+esac
+
+case "$PERLLIB" in
+    /*)
+	;;
+    *)
+	PERLLIB=/usr/${PERLLIB}
+	;;
+esac
+
+INSTALLD='-D'
+
+case $(uname) in
+    CYGWIN*)
+	if [ -z "$DESTDIR" ]; then
+	    DEST=
+	    INIT=
+	fi
+
+	OWNER=$(id -un)
+	GROUP=$(id -gn)
+	CYGWIN=Yes
+	;;
+    Darwin)
+	if [ -z "$DESTDIR" ]; then
+	    DEST=
+	    INIT=
+	fi
+
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=wheel
+	MAC=Yes
+        MACHOST=Yes
+	INSTALLD=
+	T=
+	;;
+    *)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=root
+	;;
+esac
+
+OWNERSHIP="-o $OWNER -g $GROUP"
+
+finished=0
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+	    
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "Shorewall Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    a*)
+			ANNOTATED=Yes
+			option=${option#a}
+			;;
+		    p*)
+			ANNOTATED=
+			option=${option#p}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    [ -n "$option" ] && usage 1
+	    finished=1
+	    ;;
+    esac
+done
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+#
+# Determine where to install the firewall script
+#
+
+if [ -n "$DESTDIR" ]; then
+    if [ -z "$CYGWIN" ]; then
+	if [ `id -u` != 0 ] ; then
+	    echo "Not setting file owner/group permissions, not running as root."
+	    OWNERSHIP=""
+	fi
+    fi
+
+    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+
+    CYGWIN=
+    MAC=
+else
+    if [ -n "$CYGWIN" ]; then
+	echo "Installing Cygwin-specific configuration..."
+    elif [ -n "$MAC" ]; then
+	echo "Installing Mac-specific configuration..."
+    else
+	if [ -f /etc/debian_version ]; then
+	    echo "Installing Debian-specific configuration..."
+	    DEBIAN=yes
+	elif [ -f /etc/redhat-release ]; then
+	    echo "Installing Redhat/Fedora-specific configuration..."
+	    FEDORA=yes
+	elif [ -f /etc/slackware-version ] ; then
+	    echo "Installing Slackware-specific configuration..."
+	    DEST="/etc/rc.d"
+	    MANDIR="/usr/man"
+	    SLACKWARE=yes
+	elif [ -f /etc/arch-release ] ; then
+	    echo "Installing ArchLinux-specific configuration..."
+	    DEST="/etc/rc.d"
+	    INIT="shorewall"
+	    ARCHLINUX=yes
+	fi
+    fi
+fi
+
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
+echo "Installing Shorewall Core Version $VERSION"
+
+#
+# Create /usr/share/shorewall
+#
+mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
+chmod 755 ${DESTDIR}/usr/share/shorewall
+#
+# Install wait4ifup
+#
+install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup 0755
+
+echo
+echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup"
+
+#
+# Install the libraries
+#
+for f in lib.* ; do
+    install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
+    echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall/$f"
+done
+
+if [ -z "$MACHOST" ]; then
+    eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+    eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+else
+    eval sed -i \'\' -e \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+    eval sed -i \'\' -e \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+fi
+
+#
+# Symbolically link 'functions' to lib.base
+#
+ln -sf lib.base ${DESTDIR}/usr/share/shorewall/functions
+#
+# Create the version file
+#
+echo "$VERSION" > ${DESTDIR}/usr/share/shorewall/coreversion
+chmod 644 ${DESTDIR}/usr/share/shorewall/coreversion
+#
+#  Report Success
+#
+echo "Shorewall Core Version $VERSION Installed"
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -1,10 +1,9 @@
-#!/bin/sh
 #
-# Shorewall 4.4 -- /usr/share/shorewall/lib.base
+# Shorewall 4.5 -- /usr/share/shorewall/lib.base
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,16 +23,53 @@
 # This library contains the code common to all Shorewall components.
 #
 # - It is loaded by /sbin/shorewall.
-# - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
-#   and /usr/share/shorewall-lite/shorecap.
+# - It is released as part of Shorewall[6] Lite where it is used by /sbin/shorewall[6]-lite
+#   and /usr/share/shorewall[6]-lite/shorecap.
 #

-SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40417
+SHOREWALL_LIBVERSION=40500
+SHOREWALL_CAPVERSION=40501

-[ -n "${VARDIR:=/var/lib/shorewall}" ]
-[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
-[ -n "${CONFDIR:=/etc/shorewall}" ]
+[ -n "${g_program:=shorewall}" ]
+
+case $g_program in
+    shorewall)
+	SHAREDIR=/usr/share/shorewall
+	CONFDIR=/etc/shorewall
+	g_product="Shorewall"
+	g_family=4
+	g_tool=
+	g_basedir=/usr/share/shorewall
+	g_lite=
+	;;
+    shorewall6)
+	SHAREDIR=/usr/share/shorewall6
+	CONFDIR=/etc/shorewall6
+	g_product="Shorewall6"
+	g_family=6
+	g_tool=
+	g_basedir=/usr/share/shorewall
+	g_lite=
+	;;
+    shorewall-lite)
+	SHAREDIR=/usr/share/shorewall-lite
+	CONFDIR=/etc/shorewall-lite
+	g_product="Shorewall Lite"
+	g_family=4
+	g_tool=iptables
+	g_basedir=/usr/share/shorewall-lite
+	g_lite=Yes
+	;;
+    shorewall6-lite)
+	SHAREDIR=/usr/share/shorewall6-lite
+	CONFDIR=/etc/shorewall6-lite
+	g_product="Shorewall6 Lite"
+	g_family=6
+	g_tool=ip6tables
+	g_basedir=/usr/share/shorewall6-lite
+	g_lite=Yes
+	;;
+esac

 #
 # Conditionally produce message
@@ -102,6 +138,7 @@ mutex_on()
    try=0
    local lockf
    lockf=${LOCKFILE:=${VARDIR}/lock}
+    local lockpid

    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}

@@ -109,8 +146,22 @@ mutex_on()

 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}

+	if [ -f $lockf ]; then
+	    lockpid=`cat ${lockf} 2> /dev/null`
+	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} removed"
+	    elif ! qt ps p ${lockpid}; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+	    fi
+	fi
+
 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    chmod u+w ${lockf}
+	    echo $$ > ${lockf}
+	    chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
@@ -135,33 +186,7 @@ mutex_off()
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }

-#
-# Find the interface with the passed MAC address
-#
-
-find_interface_by_mac() {
-    local mac
-    mac=$1
-    local first
-    local second
-    local rest
-    local dev
-
-    $IP link list | while read first second rest; do
-	case $first in
-	    *:)
-                dev=$second
-		;;
-	    *)
-	        if [ "$second" = $mac ]; then
-		    echo ${dev%:}
-		    return
-		fi
-	esac
-    done
-}
-
-[ -z "$LEFTSHIFT" ] && . ${SHAREDIR}/lib.common
+[ -z "$LEFTSHIFT" ] && . /usr/share/shorewall/lib.common

 #
 # Validate an IP address
@@ -325,8 +350,8 @@ ensure_config_path() {
 	. $F
    fi

-    if [ -n "$SHOREWALL_DIR" ]; then
-	[ "${CONFIG_PATH%%:*}" = "$SHOREWALL_DIR" ] || CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH
+    if [ -n "$g_shorewalldir" ]; then
+	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
    fi
 }

@@ -364,9 +389,8 @@ resolve_file() # $1 = file name
    esac
 }

-# Function to truncate a string -- It uses 'cut -b -<n>'
-# rather than ${v:first:last} because light-weight shells like ash and
-# dash do not support that form of expansion.
+#
+# Determine how to do "echo -e"
 #

 find_echo() {
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,10 +1,9 @@
-#!/bin/sh
 #
-# Shorewall 4.4 -- /usr/share/shorewall/lib.common.
+# Shorewall 4.5 -- /usr/share/shorewall/lib.common.
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -25,6 +24,50 @@
 # generated firewall scripts. To avoid versioning issues, it is copied into generated
 # scripts rather than loaded at run-time.
 #
+#########################################################################################
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}

 #
 # Get the Shorewall version of the passed script
@@ -39,7 +82,7 @@ get_script_version() { # $1 = script
    verbosity="$VERBOSITY"
    VERBOSITY=0

-    temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
+    temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )

    if [ $? -ne 0 ]; then
 	version=0
@@ -89,13 +132,15 @@ run_it() {
 	export TIMESTAMP=$g_timestamp
 	export RECOVERING=$g_recovering

-	if [ "$g_product" != Shorewall ]; then
-	    #
-	    # Shorewall Lite
-	    #
-	    export LOGFORMAT
-	    export IPTABLES
-	fi
+	case "$g_program" in
+	    *-lite)
+		#
+		# Shorewall Lite
+		#
+		export LOGFORMAT
+		export IPTABLES
+		;;
+	esac
    else
 	#
 	# 4.4.8 or later -- no additional exports required
@@ -128,6 +173,30 @@ error_message() # $* = Error Message
   echo "   $@" >&2
 }

+#
+# Undo the effect of 'split()'
+#
+join()
+{
+    local f
+    local o
+    o=
+
+    for f in $* ; do
+        o="${o:+$o:}$f"
+    done
+
+    echo $o
+}
+
+#
+# Return the number of elements in a list
+#
+list_count() # $* = list
+{
+    return $#
+}
+
 #
 # Split a colon-separated list into a space-separated list
 #
@@ -164,22 +233,39 @@ qt()
    "$@" >/dev/null 2>&1
 }

+#
+# Suppress all output and input - mainly for preventing leaked file descriptors
+# to avoid SELinux denials
+#
+qtnoin()
+{
+    "$@" </dev/null >/dev/null 2>&1
+}
+
 qt1()
 {
    local status

    while [ 1 ]; do
-	"$@" >/dev/null 2>&1
+	"$@" </dev/null >/dev/null 2>&1
 	status=$?
 	[ $status -ne 4 ] && return $status
    done
 }

 #
-# Determine if Shorewall is "running"
+# Determine if Shorewall[6] is "running"
 #
+product_is_started() {
+    qt1 $g_tool -L shorewall -n
+}
+
 shorewall_is_started() {
-    qt $IPTABLES -L shorewall -n
+    qt1 $IPTABLES -L shorewall -n
+}
+
+shorewall6_is_started() {
+    qt1 $IP6TABLES -L shorewall -n
 }

 #
@@ -217,7 +303,31 @@ loadmodule() # $1 = module name, $2 - * arguments
    local modulefile
    local suffix

-    if ! list_search $modulename $DONT_LOAD $MODULES; then
+    if [ -d /sys/module/ ]; then
+	if ! list_search $modulename $DONT_LOAD; then
+	    if [ ! -d /sys/module/$modulename ]; then
+		shift
+
+		for suffix in $MODULE_SUFFIX ; do
+		    for directory in $moduledirectories; do
+			modulefile=$directory/${modulename}.${suffix}
+
+			if [ -f $modulefile ]; then
+			    case $moduleloader in
+				insmod)
+				    insmod $modulefile $*
+				    ;;
+				*)
+				    modprobe $modulename $*
+				    ;;
+			    esac
+			    break 2
+			fi
+		    done
+		done
+	    fi
+	fi
+    elif ! list_search $modulename $DONT_LOAD $MODULES; then
 	shift

 	for suffix in $MODULE_SUFFIX ; do
@@ -262,9 +372,9 @@ reload_kernel_modules() {

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset

-    MODULES=$(lsmod | cut -d ' ' -f1)
+    [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)

    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -301,7 +411,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset

    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -310,7 +420,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)

    if [ -f $modules -a -n "$moduledirectories" ]; then
-	MODULES=$(lsmod | cut -d ' ' -f1)
+	[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
 	progress_message "Loading Modules..."
 	. $modules
 	if [ $savemoduleinfo = Yes ]; then
@@ -433,38 +543,100 @@ in_network() # $1 = IP address, $2 = CIDR network
    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
 }

+#
+# Query NetFilter about the existence of a filter chain
+#
+chain_exists() # $1 = chain name
+{
+    qt1 $g_tool -L $1 -n
+}
+
+#
+# Find the interface with the passed MAC address
+#
+
+find_interface_by_mac() {
+    local mac
+    mac=$1
+    local first
+    local second
+    local rest
+    local dev
+
+    $IP link list | while read first second rest; do
+	case $first in
+	    *:)
+                dev=$second
+		;;
+	    *)
+	        if [ "$second" = $mac ]; then
+		    echo ${dev%:}
+		    return
+		fi
+	esac
+    done
+}
+
 #
 # Find interface address--returns the first IP address assigned to the passed
 # device
 #
 find_first_interface_address() # $1 = interface
 {
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # If there wasn't one, bail out now
-    #
-    [ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+    if [ $g_family -eq 4 ]; then
+	#
+	# get the line of output containing the first IP address
+	#
+	addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+	#
+	# If there wasn't one, bail out now
+	#
+	[ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
+	#
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)	
+	# along with everything else on the line
+	#
+	echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+    else
+	#
+	# get the line of output containing the first IP address
+	#
+	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
+	#
+	# If there wasn't one, bail out now
+	#
+	[ -n "$addr" ] || startup_error "Can't determine the IPv6 address of $1"
+	#
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+	# along with everything else on the line
+	#
+	echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+    fi
 }

 find_first_interface_address_if_any() # $1 = interface
 {
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
+    if [ $g_family -eq 4 ]; then
+	#
+	# get the line of output containing the first IP address
+	#
+	addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+	#
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+	# along with everything else on the line
+	#
+	[ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
+    else
+	#
+	# get the line of output containing the first IP address
+	#
+	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
+	#
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+	# along with everything else on the line
+	#
+	[ -n "$addr" ] && echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' || echo ::
+    fi
 }

 #
@@ -483,14 +655,6 @@ mywhich() {
    return 2
 }

-#
-# Query NetFilter about the existence of a filter chain
-#
-chain_exists() # $1 = chain name
-{
-    qt1 $IPTABLES -L $1 -n
-}
-
 #
 # Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
 #
@@ -520,7 +684,7 @@ find_file()
 #
 # Set the Shorewall state
 #
-set_state () # $1 = state $2
+set_state () # $1 = state
 {
    if [ $# -gt 1 ]; then
 	echo "$1 ($(date)) from $2" > ${VARDIR}/state
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+#
+# Script to back uninstall Shoreline Firewall
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://www.shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#    Usage:
+#
+#       You may only use this script to uninstall the version
+#       shown below. Simply run this script to remove Shorewall Firewall
+
+VERSION=xxx #The Build script inserts the actual version
+
+usage() # $1 = exit status
+{
+    ME=$(basename $0)
+    echo "usage: $ME"
+    exit $1
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+restore_file() # $1 = file to restore
+{
+    if [ -f ${1}-shorewall.bkout ]; then
+	if (mv -f ${1}-shorewall.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    exit 1
+        fi
+    fi
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
+
+if [ -f /usr/share/shorewall/coreversion ]; then
+    INSTALLED_VERSION="$(cat /usr/share/shorewall/coreversion)"
+    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
+	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
+	echo "         and this is the $VERSION uninstaller."
+	VERSION="$INSTALLED_VERSION"
+    fi
+else
+    echo "WARNING: Shorewall Core Version $VERSION is not installed"
+    VERSION=""
+fi
+
+[ -n "${LIBEXEC:=/usr/share}" ]
+[ -n "${PERLLIB:=/usr/share/shorewall}" ]
+
+echo "Uninstalling Shorewall Core $VERSION"
+
+rm -rf /usr/share/shorewall
+
+echo "Shorewall Core Uninstalled"
+
+
--- a/Shorewall-core/wait4ifup
+++ b/Shorewall-core/wait4ifup
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -0,0 +1,121 @@
+#! /bin/bash
+#
+# chkconfig: - 09 91
+# description: Initialize the shorewall firewall at boot time
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-Start: $local_fs
+# Required-Stop:  $local_fs
+# Default-Start:
+# Default-Stop:	  0 1 2 3 4 5 6
+# Short-Description: Initialize the shorewall firewall at boot time
+# Description:       Place the firewall in a safe state at boot time
+#                    prior to bringing up the network.  
+### END INIT INFO
+prog="shorewall-init"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/shorewall-init"
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Get startup options (override default)
+OPTIONS=
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+    . /etc/sysconfig/shorewall-init
+else
+    echo "/etc/sysconfig/shorewall-init not found"
+    exit 6
+fi
+
+# Initialize the firewall
+start () {
+    local product
+    local vardir
+
+    if [ -z "$PRODUCTS" ]; then
+	echo "No firewalls configured for shorewall-init"
+	failure
+	return 6 #Not configured
+    fi
+
+    echo -n "Initializing \"Shorewall-based firewalls\": "
+    for product in $PRODUCTS; do
+	vardir=/var/lib/$product
+	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
+	if [ -x ${vardir}/firewall ]; then
+	    ${vardir}/firewall stop 2>&1 | $logger
+	    retval=${PIPESTATUS[0]}
+	    [ retval -ne 0 ] && break
+	fi
+    done
+
+    if [ retval -eq 0 ]; then
+	touch $lockfile 
+	success
+    else
+	failure
+    fi
+    echo
+    return $retval
+}
+
+# Clear the firewall
+stop () {
+    local product
+    local vardir
+
+    echo -n "Clearing \"Shorewall-based firewalls\": "
+    for product in $PRODUCTS; do
+	vardir=/var/lib/$product
+	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
+	if [ -x ${vardir}/firewall ]; then
+	    ${vardir}/firewall clear 2>&1 | $logger
+	    retval=${PIPESTATUS[0]}
+	    [ retval -ne 0 ] && break
+	fi
+    done
+
+    if [ retval -eq 0 ]; then
+	rm -f $lockfile
+	success
+    else
+	failure
+    fi
+    echo
+    return $retval
+}
+
+status_q() {
+    status > /dev/null 2>&1
+}
+
+case "$1" in
+    start)
+	status_q && exit 0
+	$1
+	;;
+    stop)
+	status_q || exit 0
+	$1
+	;;
+    restart|reload|force-reload)
+	echo "Not implemented"
+	exit 3
+	;;
+    condrestart|try-restart)
+	echo "Not implemented"
+	exit 3
+        ;;
+    status)
+	status $prog
+	;;
+  *)
+	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+	exit 1
+esac
+
+exit 0
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -29,7 +29,7 @@
 # Required-start: $local_fs
 # Required-stop:  $local_fs
 # Default-Start:  2 3 5
-# Default-Stop:
+# Default-Stop:   6
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time
 #                    prior to bringing up the network.  
@@ -69,6 +69,10 @@ shorewall_start () {
      fi
  done

+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+
  return 0
 }

@@ -86,6 +90,13 @@ shorewall_stop () {
      fi
  done

+  if [ -n "$SAVE_IPSETS" ]; then
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      fi
+  fi
+
  return 0
 }

--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.20.2
+VERSION=xxx #The Build script inserts the actual version.

 usage() # $1 = exit status
 {
@@ -160,6 +160,8 @@ elif [ -f /etc/debian_version ]; then
    DEBIAN=yes
 elif [ -f /etc/SuSE-release ]; then
    SUSE=Yes
+elif [ -f /etc/redhat-release ]; then
+    FEDORA=Yes
 elif [ -f /etc/slackware-version ] ; then
    echo "Shorewall-init is currently not supported on Slackware" >&2
    exit 1
@@ -181,6 +183,14 @@ else
    exit 1
 fi

+if [ -z "$DESTDIR" ]; then
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
 #
 # Change to the directory containing this script
 #
@@ -200,15 +210,31 @@ fi
 #
 # Install the Init Script
 #
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-#elif [ -n "$ARCHLINUX" ]; then
-#    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
-fi
+if [ -z "$SYSTEMD" ]; then
+    if [ -n "$DEBIAN" ]; then
+	install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
+    elif [ -n "$FEDORA" ]; then
+	install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
+    #elif [ -n "$ARCHLINUX" ]; then
+    #    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+    else
+	install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+    fi

-echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
+    echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
+else
+    #
+    # Install the .service file
+    #
+    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
+    if [ -n "$DESTDIR" ]; then
+	mkdir -p ${DESTDIR}/sbin/
+	chmod 755 ${DESTDIR}/sbin/
+	run_install $OWNERSHIP -m 600 shorewall-init ${DESTDIR}/sbin/shorewall-init
+	echo "CLI installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
+    fi
+fi

 #
 # Create /usr/share/shorewall-init if needed
@@ -297,7 +323,11 @@ if [ -z "$DESTDIR" ]; then

 	    echo "Shorewall Init will start automatically at boot"
 	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	    if [ -n "$SYSTEMD" ]; then
+		if systemctl enable shorewall-init; then
+		    echo "Shorewall Init will start automatically at boot"
+		fi
+	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if insserv /etc/init.d/shorewall-init ; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -0,0 +1,92 @@
+#! /bin/bash
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#########################################################################################
+if [ "$(id -u)" != "0" ]
+then
+  echo "You must be root to start, stop or restart \"Shorewall \"."
+  exit 1
+fi
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+    . /etc/sysconfig/shorewall-init
+    if [ -z "$PRODUCTS" ]; then
+        echo "ERROR: No products configured" >&2
+	exit 1
+    fi
+else
+    echo "ERROR: /etc/sysconfig/shorewall-init not found" >&2
+    exit 1
+fi
+
+# Initialize the firewall
+shorewall_start () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
+	      ${VARDIR}/firewall stop || exit 1
+	  fi
+      fi
+  done
+
+  return 0
+}
+
+# Clear the firewall
+shorewall_stop () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  ${VARDIR}/firewall clear || exit 1
+      fi
+  done
+
+  return 0
+}
+
+case "$1" in
+  start)
+     shorewall_start
+     ;;
+  stop)
+     shorewall_stop
+     ;;
+  *)
+     echo "Usage: $0 {start|stop}"
+     exit 1
+esac
+
+exit 0
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+After=syslog.target
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init $OPTIONS start
+ExecStop=/sbin/shorewall-init $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target
--- a/Shorewall-init/shorewall-init.spec
+++ b/Shorewall-init/shorewall-init.spec
@@ -1,266 +0,0 @@
-%define name shorewall-init
-%define version 4.4.20
-%define release 2
-
-Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
-Name: %{name}
-Version: %{version}
-Release: %{release}
-License: GPLv2
-Packager: Tom Eastep <teastep@shorewall.net>
-Group: Networking/Utilities
-Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
-BuildArch: noarch
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-Requires: shoreline_firewall >= 4.4.10
-
-%description
-
-The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
-(iptables) based firewall that can be used on a dedicated firewall system,
-a multi-function gateway/ router/server or on a standalone GNU/Linux system.
-
-Shorewall Init is a companion product to Shorewall that allows for tigher
-control of connections during boot and that integrates Shorewall with
-ifup/ifdown and NetworkManager.
-
-%prep
-
-%setup
-
-%build
-
-%install
-export DESTDIR=$RPM_BUILD_ROOT ; \
-export OWNER=`id -n -u` ; \
-export GROUP=`id -n -g` ;\
-./install.sh
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%post
-
-if [ $1 -eq 1 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv /etc/rc.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --add shorewall-init;
-    fi
-fi
-
-if [ -f /etc/SuSE-release ]; then
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-up.d/shorewall
-    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-down.d/shorewall
-    if [ -d /etc/ppp ]; then
-	for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	    mkdir -p /etc/ppp/$directory
-	    cp -pf /usr/share/shorewall-init/ifupdown /etc/ppp/$directory/shorewall
-	done
-    fi
-else
-    if [ -f /sbin/ifup-local -o -f /sbin/ifdown-local ]; then
-	if ! grep -q Shorewall /sbin/ifup-local || ! grep -q Shorewall /sbin/ifdown-local; then
-	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; ifup/ifdown events will not be handled" >&2
-	else
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-	fi
-    else
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
-	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
-    fi
-
-    if [ -d /etc/ppp ]; then
-	if [ -f /etc/ppp/ip-up.local -o -f /etc/ppp/ip-down.local ]; then
-	    if ! grep -q Shorewall-based /etc/ppp/ip-up.local || ! grep -q Shorewall-based /etc/ppp//ip-down.local; then
-		echo "WARNING: /etc/ppp/ip-up.local and/or /etc/ppp/ip-down.local already exist; ppp devices will not be handled" >&2
-	    fi
-	else
-	    cp -pf /usr/share/shorewall-init/ifupdown /etc/ppp/ip-up.local
-	    cp -pf /usr/share/shorewall-init/ifupdown /etc/ppp/ip-down.local
-	fi
-    fi
-
-    if [ -d /etc/NetworkManager/dispatcher.d/ ]; then
-	cp -pf /usr/share/shorewall-init/ifupdown /etc/NetworkManager/dispatcher.d/01-shorewall
-    fi
-fi
-
-%preun
-
-if [ $1 -eq 0 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv -r /etc/init.d/shorewall-init
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --del shorewall-init
-    fi
-
-    [ -f /sbin/ifup-local ]   && grep -q Shorewall /sbin/ifup-local   && rm -f /sbin/ifup-local
-    [ -f /sbin/ifdown-local ] && grep -q Shorewall /sbin/ifdown-local && rm -f /sbin/ifdown-local
-
-    [ -f /etc/ppp/ip-up.local ]   && grep -q Shorewall-based /etc/ppp/ip-up.local   && rm -f /etc/ppp/ip-up.local
-    [ -f /etc/ppp/ip-down.local ] && grep -q Shorewall-based /etc/ppp/ip-down.local && rm -f /etc/ppp/ip-down.local
-
-    rm -f /etc/NetworkManager/dispatcher.d/01-shorewall
-fi
-
-%files
-%defattr(0644,root,root,0755)
-%attr(0644,root,root) %config(noreplace) /etc/sysconfig/shorewall-init
-
-%attr(0544,root,root) /etc/init.d/shorewall-init
-%attr(0755,root,root) %dir /usr/share/shorewall-init
-
-%attr(0644,root,root) /usr/share/shorewall-init/version
-%attr(0544,root,root) /usr/share/shorewall-init/ifupdown
-
-%doc COPYING changelog.txt releasenotes.txt
-
-%changelog
-* Tue Jun 07 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-2
-* Mon Jun 06 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-1
-* Tue May 31 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-0base
-* Fri May 27 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-0RC1
-* Tue May 24 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-0Beta5
-* Sun May 22 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-0Beta4
-* Wed May 18 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-0Beta3
-* Wed May 18 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-0Beta2
-* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1
-* Sat Apr 09 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0base
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0RC1
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta5
-* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta4
-* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta3
-* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta1
-* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0base
-* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0RC1
-* Sun Feb 20 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta4
-* Sat Feb 19 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta3
-* Sun Feb 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta2
-* Sat Feb 05 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta1
-* Fri Feb 04 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0base
-* Sun Jan 30 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0RC1
-* Fri Jan 28 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0Beta3
-* Wed Jan 19 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0Beta2
-* Sat Jan 08 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0Beta1
-* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0base
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0RC1
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta8
-* Sun Dec 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta7
-* Mon Dec 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta6
-* Fri Dec 10 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta5
-* Sat Dec 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta4
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta3
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta2
-* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta1
-* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0base
-* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0RC1
-* Mon Nov 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0Beta2
-* Sat Oct 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0Beta1
-* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0base
-* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0RC1
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta4
-* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta3
-* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta2
-* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Tue May 18 2010 Tom Eastep tom@shorewall.net
- Initial version
-
-
-
--- a/Shorewall-init/sysconfig
+++ b/Shorewall-init/sysconfig
@@ -10,3 +10,9 @@ PRODUCTS=""
 # ifup/ifdown and NetworkManager events
 #
 IFUPDOWN=0
+#
+# Set this to the name of the file that is to hold
+# ipset contents. Shorewall-init will load those ipsets
+# during 'start' and will save them there during 'stop'.
+#
+SAVE_IPSETS=""
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.20.2
+VERSION=xxx  #The Build script inserts the actual version

 usage() # $1 = exit status
 {
@@ -73,6 +73,8 @@ if [ -n "$INITSCRIPT" ]; then
        insserv -r $INITSCRIPT
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $INITSCRIPT)
+    elif [ -x /sbin/systemctl ]; then
+	systemctl disable shorewall-init
    else
 	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
    fi
@@ -93,6 +95,7 @@ remove_file /etc/network/if-down.d/shorewall

 remove_file /etc/sysconfig/network/if-up.d/shorewall
 remove_file /etc/sysconfig/network/if-down.d/shorewall
+remove_file /lib/systemd/system/shorewall.service

 if [ -d /etc/ppp ]; then
    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
--- a/Shorewall-lite/default.debian
+++ b/Shorewall-lite/default.debian
@@ -18,9 +18,18 @@ startup=0
 #
 # Startup options
 #
-
 OPTIONS=""

+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
@@ -30,7 +39,6 @@ INITLOG=/dev/null
 # Set this to 1 to cause '/etc/init.d/shorewall-lite stop' to place the firewall in
 # a safe state rather than to open it
 #
-
 SAFESTOP=0

 # EOF
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -80,7 +80,7 @@ fi
 # start the firewall
 shorewall_start () {
  echo -n "Starting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

@@ -98,7 +98,7 @@ shorewall_stop () {
 # restart the firewall
 shorewall_restart () {
  echo -n "Restarting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

@@ -109,6 +109,11 @@ shorewall_refresh () {
  return 0
 }

+# status of the firewall
+shorewall_status () {
+  $SRWL $SRWL_OPTS status && exit 0 || exit $?
+}
+
 case "$1" in
  start)
     shorewall_start
@@ -122,8 +127,11 @@ case "$1" in
  force-reload|restart)
     shorewall_restart
     ;;
+  status)
+     shorewall_status
+     ;;
  *)
-     echo "Usage: /etc/init.d/shorewall-lite {start|stop|refresh|restart|force-reload}"
+     echo "Usage: /etc/init.d/shorewall-lite {start|stop|refresh|restart|force-reload|status}"
     exit 1
 esac

--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall-lite
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop:	  0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall-lite"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+    . /etc/sysconfig/$prog
+fi
+
+start() {
+    echo -n $"Starting Shorewall: "
+    $shorewall $OPTIONS start 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping Shorewall: "
+    $shorewall $OPTIONS stop 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	rm -f $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+    echo -n $"Restarting Shorewall: "
+    $shorewall $OPTIONS restart 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else # Failed to start, clean up lock file if present
+	rm -f $lockfile
+	failure
+    fi
+    echo
+    return $retval
+}
+
+status(){
+    $shorewall status
+    return $?
+}
+
+status_q() {
+    status > /dev/null 2>&1
+}
+
+case "$1" in
+    start)
+	status_q && exit 0
+	$1
+	;;
+    stop)
+	status_q || exit 0
+	$1
+	;;
+    restart|reload|force-reload)
+	restart
+	;;
+    condrestart|try-restart)
+        status_q || exit 0
+        restart
+        ;;
+    status)
+	$1
+	;;
+    *)
+	echo "Usage: $0 start|stop|reload|restart|force-reload|status"
+	exit 1
+	;;
+esac
--- a/Shorewall-lite/init.sh
+++ b/Shorewall-lite/init.sh
@@ -76,14 +76,13 @@ command="$1"

 case "$command" in
    start)
-	exec /sbin/shorewall-lite $OPTIONS $@
+	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 	;;
-    stop|restart|status)
-	exec /sbin/shorewall-lite $@
+    restart|reload)
+	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
-    reload)
-	shift
-	exec /sbin/shorewall-lite restart $@
+    status|stop)
+	exec /sbin/shorewall-lite $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.20.2
+VERSION=xxx #The Build script inserts the actual version

 usage() # $1 = exit status
 {
@@ -72,7 +72,7 @@ run_install()
 cant_autostart()
 {
    echo
-    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
+    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
 }

 delete_file() # $1 = file to delete
@@ -85,6 +85,19 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }

+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
+if [ -f shorewall-lite ]; then
+    PRODUCT=shorewall-lite
+    Product="Shorewall Lite"
+else
+    PRODUCT=shorewall6-lite
+    Product="Shorewall6 Lite"
+fi
+
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"

 #
@@ -92,16 +105,13 @@ install_file() # $1 = source $2 = target $3 = mode
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
-# ARGS is "yes" if we've already parsed an argument
 #
-ARGS=""
-
 if [ -z "$DEST" ] ; then
 	DEST="/etc/init.d"
 fi

 if [ -z "$INIT" ] ; then
-	INIT="shorewall-lite"
+	INIT="$PRODUCT"
 fi

 while [ $# -gt 0 ] ; do
@@ -110,7 +120,7 @@ while [ $# -gt 0 ] ; do
 	    usage 0
 	    ;;
        -v)
-	    echo "Shorewall Lite Firewall Installer Version $VERSION"
+	    echo "$Product Firewall Installer Version $VERSION"
 	    exit 0
 	    ;;
 	*)
@@ -118,7 +128,6 @@ while [ $# -gt 0 ] ; do
 	    ;;
    esac
    shift
-    ARGS="yes"
 done

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -136,7 +145,6 @@ esac
 #
 # Determine where to install the firewall script
 #
-DEBIAN=
 CYGWIN=
 INSTALLD='-D'
 T='-T'
@@ -173,157 +181,168 @@ if [ -n "$DESTDIR" ]; then
    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
    DEBIAN=yes
+elif [ -f /etc/redhat-release ]; then
+    FEDORA=yes
 elif [ -f /etc/slackware-version ] ; then
    DEST="/etc/rc.d"
    INIT="rc.firewall"
 elif [ -f /etc/arch-release ] ; then
      DEST="/etc/rc.d"
-      INIT="shorewall-lite"
+      INIT="$PRODUCT"
      ARCHLINUX=yes
 fi

-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
+if [ -z "$DESTDIR" ]; then
+    if [ ! -f /usr/share/shorewall/coreversion ]; then
+	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
+	exit 1
+    fi

-echo "Installing Shorewall Lite Version $VERSION"
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
+echo "Installing $Product Version $VERSION"

 #
-# Check for /etc/shorewall-lite
+# Check for /etc/$PRODUCT
 #
-if [ -z "$DESTDIR" -a -d /etc/shorewall-lite ]; then
-    [ -f /etc/shorewall-lite/shorewall.conf ] && \
-	mv -f /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall-lite.conf
+if [ -z "$DESTDIR" -a -d /etc/$PRODUCT ]; then
+    if [ ! -f /usr/share/shorewall/coreversion ]; then
+	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
+	exit 1
+    fi
+
+    [ -f /etc/$PRODUCT/shorewall.conf ] && \
+	mv -f /etc/$PRODUCT/shorewall.conf /etc/$PRODUCT/$PRODUCT.conf
 else
-    rm -rf ${DESTDIR}/etc/shorewall-lite
-    rm -rf ${DESTDIR}/usr/share/shorewall-lite
-    rm -rf ${DESTDIR}/var/lib/shorewall-lite
-    [ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall-lite/shorecap /usr/share/shorecap
+    rm -rf ${DESTDIR}/etc/$PRODUCT
+    rm -rf ${DESTDIR}/usr/share/$PRODUCT
+    rm -rf ${DESTDIR}/var/lib/$PRODUCT
+    [ "$LIBEXEC" = /usr/share ] || rm -rf /usr/share/$PRODUCT/wait4ifup /usr/share/$PRODUCT/shorecap
 fi

 #
-# Check for /sbin/shorewall-lite
+# Check for /sbin/$PRODUCT
 #
-if [ -f ${DESTDIR}/sbin/shorewall-lite ]; then
+if [ -f ${DESTDIR}/sbin/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
 fi

-delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
+delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

-install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
+install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0544

-eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall-lite
-
-echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
+echo "$Product control program installed in ${DESTDIR}/sbin/$PRODUCT"

 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh /etc/init.d/shorewall-lite 0544
+    install_file init.debian.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
+elif [ -n "$FEDORA" ]; then
+    install_file init.fedora.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-
+    install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
 else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
 fi

-echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
+echo  "$Product script installed in ${DESTDIR}${DEST}/$INIT"

 #
-# Create /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite if needed
+# Create /etc/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall-lite
-mkdir -p ${DESTDIR}/usr/share/shorewall-lite
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-lite
-mkdir -p ${DESTDIR}/var/lib/shorewall-lite
+mkdir -p ${DESTDIR}/etc/$PRODUCT
+mkdir -p ${DESTDIR}/usr/share/$PRODUCT
+mkdir -p ${DESTDIR}${LIBEXEC}/$PRODUCT
+mkdir -p ${DESTDIR}/var/lib/$PRODUCT

-chmod 755 ${DESTDIR}/etc/shorewall-lite
-chmod 755 ${DESTDIR}/usr/share/shorewall-lite
+chmod 755 ${DESTDIR}/etc/$PRODUCT
+chmod 755 ${DESTDIR}/usr/share/$PRODUCT

 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}/etc/logrotate.d
    chmod 755 ${DESTDIR}/etc/logrotate.d
 fi

+#
+# Install the .service file
+#
+if [ -n "$SYSTEMD" ]; then
+    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/lib/systemd/system/$PRODUCT.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
+fi
+
 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf ]; then
-   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${DESTDIR}/etc/shorewall-lite
-   echo "Config file installed as ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf"
+if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
+   install_file $PRODUCT.conf ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf 0744
+   echo "Config file installed as ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf"
 fi

 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
 fi

 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall-lite
-echo "Makefile installed as ${DESTDIR}/etc/shorewall-lite/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/$PRODUCT
+echo "Makefile installed as ${DESTDIR}/etc/$PRODUCT/Makefile"

 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall-lite/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall-lite/configpath"
+install_file configpath ${DESTDIR}/usr/share/$PRODUCT/configpath 0644
+echo "Default config path file installed as ${DESTDIR}/usr/share/$PRODUCT/configpath"

 #
 # Install the libraries
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
+	install_file $f ${DESTDIR}/usr/share/$PRODUCT/$f 0644
+	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
    fi
 done

-ln -sf lib.base ${DESTDIR}/usr/share/shorewall-lite/functions
+ln -sf lib.base ${DESTDIR}/usr/share/$PRODUCT/functions

-echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functions"
+echo "Common functions linked through ${DESTDIR}/usr/share/$PRODUCT/functions"

 #
 # Install Shorecap
 #

-install_file shorecap ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap 0755
+install_file shorecap ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap 0755

 echo
-echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap"
-
-#
-# Install wait4ifup
-#
-
-if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup 0755
-
-    echo
-    echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup"
-fi
+echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap"

 #
 # Install the Modules files
 #

 if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall-lite
-    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
+    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/$PRODUCT
+    echo "Modules file installed as ${DESTDIR}/usr/share/$PRODUCT/modules"
 fi

 if [ -f helpers ]; then
-    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/shorewall-lite
-    echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall-lite/helpers"
+    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/$PRODUCT
+    echo "Helper modules file installed as ${DESTDIR}/usr/share/$PRODUCT/helpers"
 fi

 for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/shorewall-lite/$f
-    echo "Module file $f installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
+    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/$PRODUCT/$f
+    echo "Module file $f installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
 done

 #
@@ -353,58 +372,65 @@ if [ -d manpages ]; then
 fi

 if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall-lite
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall-lite"
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/$PRODUCT
+    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/$PRODUCT"
 fi

-
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-lite/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-lite/version
+echo "$VERSION" > ${DESTDIR}/usr/share/$PRODUCT/version
+chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #

 if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-lite/init
-    ln -s ${DEST}/${INIT} /usr/share/shorewall-lite/init
+    rm -f /usr/share/$PRODUCT/init
+    ln -s ${DEST}/${INIT} /usr/share/$PRODUCT/init
 fi

+delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.common
+delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.cli
+delete_file ${DESTDIR}/usr/share/$PRODUCT/wait4ifup
+
 if [ -z "$DESTDIR" ]; then
-    touch /var/log/shorewall-lite-init.log
+    touch /var/log/$PRODUCT-init.log

    if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
-	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
+	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT

-	    update-rc.d shorewall-lite defaults
+	    update-rc.d $PRODUCT defaults

 	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall-lite
+		insserv /etc/init.d/$PRODUCT
 	    else
-		ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
+		ln -s ../init.d/$PRODUCT /etc/rcS.d/S40$PRODUCT
 	    fi

-	    echo "Shorewall Lite will start automatically at boot"
+	    echo "$Product will start automatically at boot"
 	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/shorewall-lite ; then
-		    echo "Shorewall Lite will start automatically at boot"
+	    if [ -n "$SYSTEMD" ]; then
+		if systemctl enable $PRODUCT; then
+		    echo "$Product will start automatically at boot"
+		fi
+	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+		if insserv /etc/init.d/$PRODUCT ; then
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add shorewall-lite ; then
-		    echo "Shorewall Lite will start automatically in run levels as follows:"
-		    chkconfig --list shorewall-lite
+		if chkconfig --add $PRODUCT ; then
+		    echo "$Product will start automatically in run levels as follows:"
+		    chkconfig --list $PRODUCT
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add shorewall-lite default; then
-		    echo "Shorewall Lite will start automatically at boot"
+		if rc-update add $PRODUCT default; then
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
@@ -418,4 +444,4 @@ fi
 #
 #  Report Success
 #
-echo "shorewall Lite Version $VERSION Installed"
+echo "$Product Version $VERSION Installed"
--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -0,0 +1,34 @@
+#
+# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redisribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# This library contains the code common to all Shorewall components.
+
+g_program=shorewall-lite
+g_family=4
+g_basedir=/usr/share/shorewall
+
+[ -n "${VARDIR:=/var/lib/$g_program}" ]
+[ -n "${SHAREDIR:=/usr/share/$g_program}" ]
+[ -n "${CONFDIR:=/etc/$g_program}" ]
+
+. /usr/share/shorewall/lib.base
+
--- a/Shorewall-lite/manpages/shorewall-lite-vardir.xml
+++ b/Shorewall-lite/manpages/shorewall-lite-vardir.xml
--- a/Shorewall-lite/manpages/shorewall-lite.conf.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.conf.xml
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -11,11 +11,27 @@
  <refnamediv>
    <refname>shorewall-lite</refname>

-    <refpurpose>Administration tool for Shoreline Firewall Lite
-    (Shorewall-lite)</refpurpose>
+    <refpurpose>Administration tool for Shoreline Firewall Lite (Shorewall
+    Lite)</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>add</option></arg>
+
+      <arg choice="plain"
+      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
+
+      <arg choice="plain"><replaceable>zone</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -37,7 +53,38 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>clear</option></arg>
+      <arg
+      choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>delete</option></arg>
+
+      <arg choice="plain"
+      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
+
+      <arg choice="plain"><replaceable>zone</replaceable></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>disable</option></arg>
+
+      <arg choice="plain">{ <replaceable>interface</replaceable> |
+      <replaceable>provider</replaceable> }</arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -64,13 +111,30 @@

      <arg><option>-x</option></arg>

+      <arg><option>-l</option></arg>
+
      <arg><option>-m</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>enable</option></arg>
+
+      <arg choice="plain">{ <replaceable>interface</replaceable> |
+      <replaceable>provider</replaceable> }</arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

@@ -96,7 +160,8 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>hits</option></arg>
+      <arg
+      choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -130,6 +195,19 @@
      choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>iptrace</option></arg>
+
+      <arg choice="plain"><replaceable>iptables match
+      expression</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -170,6 +248,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>noiptrace</option></arg>
+
+      <arg choice="plain"><replaceable>iptables match
+      expression</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -191,8 +282,24 @@

      <arg>-<replaceable>options</replaceable></arg>

+      <arg choice="plain"><option>reset</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
      <arg
-      choice="plain"><option>restart</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>restart</option></arg>
+
+      <arg><option>-n</option></arg>
+
+      <arg><option>-p</option></arg>
+
+      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -232,8 +339,10 @@

      <arg><option>-x</option></arg>

+      <arg><option>-l</option></arg>
+
      <arg><option>-t</option>
-      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}</arg>
+      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>

      <arg><arg><option>chain</option></arg><arg choice="plain"
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
@@ -263,7 +372,7 @@
      <arg choice="plain"><option>show</option></arg>

      <arg
-      choice="req"><option>actions|classifiers|connections|config|zones</option></arg>
+      choice="req"><option>classifiers|connections|config|filters|ip|ipa|zones|policies|marks</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -277,7 +386,7 @@

      <arg><option>-x</option></arg>

-      <arg choice="req"><option>mangle|nat</option></arg>
+      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -318,7 +427,7 @@

      <arg><option>-n</option></arg>

-      <arg><option>-f</option><arg><option>-p</option></arg></arg>
+      <arg><option>-p</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -349,7 +458,8 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>version</option></arg>
+      <arg
+      choice="plain"><option>version</option><arg><option>-a</option></arg></arg>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -357,7 +467,7 @@
    <title>Description</title>

    <para>The shorewall-lite utility is used to control the Shoreline Firewall
-    (Shorewall) Lite.</para>
+    Lite (Shorewall Lite).</para>
  </refsect1>

  <refsect1>
@@ -365,12 +475,12 @@

    <para>The <option>trace</option> and <option>debug</option> options are
    used for debugging. See <ulink
-    url="http://www.shorewall.net/starting_and_stopping.htm#Trace">http://www.shorewall.net/starting_and_stopping.htm#Trace</ulink>.</para>
+    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>

    <para>The nolock <option>option</option> prevents the command from
-    attempting to acquire the Shorewall Lite lockfile. It is useful if you
-    need to include <command>shorewall-lite</command> commands in the
-    <filename>started</filename> extension script.</para>
+    attempting to acquire the Shorewall-lite lockfile. It is useful if you
+    need to include <command>shorewall</command> commands in
+    <filename>/etc/shorewall/started</filename>.</para>

    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
@@ -407,15 +517,17 @@
          defined in the <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is comma-separated list whose
-          elements are a host or network address.<caution>
-              <para>The <command>add</command> command is not very robust. If
-              there are errors in the <replaceable>host-list</replaceable>,
-              you may see a large number of error messages yet a subsequent
-              <command>shorewall show zones</command> command will indicate
-              that all hosts were added. If this happens, replace
-              <command>add</command> by <command>delete</command> and run the
-              same command again. Then enter the correct command.</para>
-            </caution></para>
+          elements are host or network addresses.</para>
+
+          <caution>
+            <para>The <command>add</command> command is not very robust. If
+            there are errors in the <replaceable>host-list</replaceable>, you
+            may see a large number of error messages yet a subsequent
+            <command>shorewall-lite show zones</command> command will indicate
+            that all hosts were added. If this happens, replace
+            <command>add</command> by <command>delete</command> and run the
+            same command again. Then enter the correct command.</para>
+          </caution>
        </listitem>
      </varlistentry>

@@ -435,10 +547,16 @@
        <term><emphasis role="bold">clear</emphasis></term>

        <listitem>
-          <para>Clear will remove all rules and chains installed by Shorewall
-          Lite. The firewall is then wide open and unprotected. Existing
-          connections are untouched. Clear is often used to see if the
-          firewall is causing connection problems.</para>
+          <para>Clear will remove all rules and chains installed by
+          Shorewall-lite. The firewall is then wide open and unprotected.
+          Existing connections are untouched. Clear is often used to see if
+          the firewall is causing connection problems.</para>
+
+          <para>If <option>-f</option> is given, the command will be processed
+          by the compiled script that executed the last successful <emphasis
+          role="bold">start</emphasis>, <emphasis
+          role="bold">restart</emphasis> or <emphasis
+          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

@@ -457,6 +575,18 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">disable</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.26. Disables the optional provider
+          associated with the specified <replaceable>interface</replaceable>
+          or <replaceable>provider</replaceable>. Where more than one provider
+          share a single network interface, a
+          <replaceable>provider</replaceable> name must be given.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">drop</emphasis></term>

@@ -476,8 +606,23 @@
          <para>The <emphasis role="bold">-x</emphasis> option causes actual
          packet and byte counts to be displayed. Without that option, these
          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
-          option causes any MAC addresses included in Shorewall Lite log
+          option causes any MAC addresses included in Shorewall-lite log
          messages to be displayed.</para>
+
+          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
+          number for each Netfilter rule to be displayed.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">enable</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.26. Enables the optional provider
+          associated with the specified <replaceable>interface</replaceable>
+          or <replaceable>provider</replaceable>. Where more than one provider
+          share a single network interface, a
+          <replaceable>provider</replaceable> name must be given.</para>
        </listitem>
      </varlistentry>

@@ -489,7 +634,7 @@
          and /var/lib/shorewall-lite/save. If no
          <emphasis>filename</emphasis> is given then the file specified by
          RESTOREFILE in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) is
+          url="shorewall.conf.html">shorewall.conf</ulink>(5) is
          assumed.</para>
        </listitem>
      </varlistentry>
@@ -506,8 +651,9 @@
        <term><emphasis role="bold">hits</emphasis></term>

        <listitem>
-          <para>Generates several reports from Shorewall Lite log messages in
-          the current log file.</para>
+          <para>Generates several reports from Shorewall-lite log messages in
+          the current log file. If the <option>-t</option> option is included,
+          the reports are restricted to log messages generated today.</para>
        </listitem>
      </varlistentry>

@@ -530,12 +676,33 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">iptrace</emphasis></term>
+
+        <listitem>
+          <para>This is a low-level debugging command that causes iptables
+          TRACE log records to be created. See iptables(8) for details.</para>
+
+          <para>The <replaceable>iptables match expression</replaceable> must
+          be one or more matches that may appear in both the raw table OUTPUT
+          and raw table PREROUTING chains.</para>
+
+          <para>The trace records are written to the kernel's log buffer with
+          faciility = kernel and priority = warning, and they are routed from
+          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
+          Shorewall-lite has no control over where the messages go; consult
+          your logging daemon's documentation.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">logdrop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be logged then discarded.</para>
+          to be logged then discarded. Logging occurs at the log level
+          specified by the BLACKLIST_LOGLEVEL setting in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
        </listitem>
      </varlistentry>

@@ -543,9 +710,9 @@
        <term><emphasis role="bold">logwatch</emphasis></term>

        <listitem>
-          <para>Monitors the log file specified by theLOGFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) and
-          produces an audible alarm when new Shorewall Lite messages are
+          <para>Monitors the log file specified by the LOGFILE option in
+          <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) and
+          produces an audible alarm when new Shorewall-lite messages are
          logged. The <emphasis role="bold">-m</emphasis> option causes the
          MAC address of each packet source to be displayed if that
          information is available. The
@@ -563,7 +730,22 @@

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be logged then rejected.</para>
+          to be logged then rejected. Logging occurs at the log level
+          specified by the BLACKLIST_LOGLEVEL setting in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">noiptrace</emphasis></term>
+
+        <listitem>
+          <para>This is a low-level debugging command that cancels a trace
+          started by a preceding <command>iptrace</command> command.</para>
+
+          <para>The <replaceable>iptables match expression</replaceable> must
+          be one given in the <command>iptrace</command> command being
+          cancelled.</para>
        </listitem>
      </varlistentry>

@@ -581,10 +763,10 @@

        <listitem>
          <para>Restart is similar to <emphasis role="bold">shorewall-lite
-          start</emphasis> but assumes that the firewall is already started.
-          Existing connections are maintained.</para>
+          start</emphasis> except that it assumes that the firewall is already
+          started. Existing connections are maintained.</para>

-          <para>The <option>-n</option> option causes Shorewall to avoid
+          <para>The <option>-n</option> option causes Shorewall-lite to avoid
          updating the routing table(s).</para>

          <para>The <option>-p</option> option causes the connection tracking
@@ -597,14 +779,14 @@
        <term><emphasis role="bold">restore</emphasis></term>

        <listitem>
-          <para>Restore Shorewall Lite to a state saved using the <emphasis
+          <para>Restore Shorewall-lite to a state saved using the <emphasis
          role="bold">shorewall-lite save</emphasis> command. Existing
          connections are maintained. The <emphasis>filename</emphasis> names
          a restore file in /var/lib/shorewall-lite created using <emphasis
          role="bold">shorewall-lite save</emphasis>; if no
-          <emphasis>filename</emphasis> is given then Shorewall Lite will be
+          <emphasis>filename</emphasis> is given then Shorewall-lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
+          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>

@@ -615,11 +797,10 @@
          <para>The dynamic blacklist is stored in
          /var/lib/shorewall-lite/save. The state of the firewall is stored in
          /var/lib/shorewall-lite/<emphasis>filename</emphasis> for use by the
-          <emphasis role="bold">shorewall-lite restore</emphasis> and
-          <emphasis role="bold">shorewall-lite -f start</emphasis> commands.
-          If <emphasis>filename</emphasis> is not given then the state is
-          saved in the file specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
+          <emphasis role="bold">shorewall-lite restore</emphasis>. If
+          <emphasis>filename</emphasis> is not given then the state is saved
+          in the file specified by the RESTOREFILE option in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>

@@ -631,15 +812,6 @@
          arguments:</para>

          <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">actions</emphasis></term>
-
-              <listitem>
-                <para>Produces a report about the available actions (built-in,
-                standard and user-defined).</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>

@@ -652,8 +824,8 @@
            </varlistentry>

            <varlistentry>
-              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>
-              ... ]</term>
+              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
+              ]</term>

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
@@ -669,20 +841,25 @@
                Netfilter table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>

+                <para>The <emphasis role="bold">-l</emphasis> option causes
+                the rule number for each Netfilter rule to be
+                displayed.</para>
+
                <para>If the <emphasis role="bold">t</emphasis> option and the
                <option>chain</option> keyword are both omitted and any of the
                listed <replaceable>chain</replaceable>s do not exist, a usage
-                message will be displayed.</para>
+                message is displayed.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">classifiers</emphasis></term>
+              <term><emphasis
+              role="bold">classifiers|filters</emphasis></term>

              <listitem>
                <para>Displays information about the packet classifiers
-                defined on the system 10-080213-8397as a result of traffic
-                shaping configuration.</para>
+                defined on the system as a result of traffic shaping
+                configuration.</para>
              </listitem>
            </varlistentry>

@@ -704,15 +881,44 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">mangle</emphasis></term>
+              <term><emphasis role="bold">ip</emphasis></term>

              <listitem>
-                <para>Displays the Netfilter mangle table using the command
-                <emphasis role="bold">iptables -t mangle -L -n
-                -v</emphasis>.The <emphasis role="bold">-x</emphasis> option
-                is passed directly through to iptables and causes actual
-                packet and byte counts to be displayed. Without this option,
-                those counts are abbreviated.</para>
+                <para>Displays the system's IPv4 configuration.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">ipa</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.17. Displays the per-IP
+                accounting counters (<ulink
+                url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
+                (5)).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">log</emphasis></term>
+
+              <listitem>
+                <para>Displays the last 20 Shorewall-lite messages from the
+                log file specified by the LOGFILE option in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5). The
+                <emphasis role="bold">-m</emphasis> option causes the MAC
+                address of each packet source to be displayed if that
+                information is available.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">marks</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.26. Displays the various fields
+                in packet marks giving the min and max value (in both decimal
+                and hex) and the applicable mask (in hex).</para>
              </listitem>
            </varlistentry>

@@ -729,6 +935,39 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">policies</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.4. Displays the applicable policy
+                between each pair of zones. Note that implicit intrazone
+                ACCEPT policies are not displayed for zones associated with a
+                single network where that network doesn't specify
+                <option>routeback</option>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">routing</emphasis></term>
+
+              <listitem>
+                <para>Displays the system's IPv4 routing configuration.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">raw</emphasis></term>
+
+              <listitem>
+                <para>Displays the Netfilter raw table using the command
+                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
+                <emphasis role="bold">-x</emphasis> option is passed directly
+                through to iptables and causes actual packet and byte counts
+                to be displayed. Without this option, those counts are
+                abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">tc</emphasis></term>

@@ -742,8 +981,8 @@
              <term><emphasis role="bold">zones</emphasis></term>

              <listitem>
-                <para>Displays the current composition of the Shorewall Lite
-                zones on the system.</para>
+                <para>Displays the current composition of the Shorewall zones
+                on the system.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -754,17 +993,10 @@
        <term><emphasis role="bold">start</emphasis></term>

        <listitem>
-          <para>Start shorewall Lite. Existing connections through
+          <para>Start Shorewall Lite. Existing connections through
          shorewall-lite managed interfaces are untouched. New connections
          will be allowed only if they are allowed by the firewall rules or
-          policies. If <emphasis role="bold">-f</emphasis> is specified, the
-          saved configuration specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) will
-          be restored if that saved configuration exists and has been modified
-          more recently than the files in /etc/shorewall.</para>
-
-          <para>The <option>-n</option> option causes Shorewall to avoid
-          updating the routing table(s).</para>
+          policies.</para>

          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
@@ -779,11 +1011,18 @@
          <para>Stops the firewall. All existing connections, except those
          listed in <ulink
          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
-          or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5),
-          are taken down. The only new traffic permitted through the firewall
-          is from systems listed in <ulink
+          or permitted by the ADMINISABSENTMINDED option in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5), are taken down.
+          The only new traffic permitted through the firewall is from systems
+          listed in <ulink
          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
          or by ADMINISABSENTMINDED.</para>
+
+          <para>If <option>-f</option> is given, the command will be processed
+          by the compiled script that executed the last successful <emphasis
+          role="bold">start</emphasis>, <emphasis
+          role="bold">restart</emphasis> or <emphasis
+          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

@@ -800,7 +1039,9 @@
        <term><emphasis role="bold">version</emphasis></term>

        <listitem>
-          <para>Displays Shorewall-lite's version.</para>
+          <para>Displays Shorewall's version. The <option>-a</option> option
+          is included for compatibility with earlier Shorewall releases and is
+          ignored.</para>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -819,13 +1060,13 @@
    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>

    <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -48,10 +48,14 @@
 SHAREDIR=/usr/share/shorewall-lite
 VARDIR=/var/lib/shorewall-lite
 CONFDIR=/etc/shorewall-lite
+g_program=shorewall-lite
 g_product="Shorewall Lite"
+g_family=4
+g_base=shorewall
+g_basedir=/usr/share/shorewall-lite

 . /usr/share/shorewall-lite/lib.base
-. /usr/share/shorewall-lite/lib.cli
+. /usr/share/shorewall/lib.cli
 . /usr/share/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -60,6 +64,8 @@ SHOREWALL_VERSION=$(cat /usr/share/shorewall-lite/version)

 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)

+g_tool=$IPTABLES
+
 VERBOSITY=0
 load_kernel_modules No
 determine_capabilities
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -1,14 +1,13 @@
 #!/bin/sh
 #
-#     Shorewall Lite Packet Filtering Firewall Control Program - V4.4
+#     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - 
+#         Tom Eastep (teastep@shorewall.net)
 #
-#	This file should be placed in /sbin/shorewall-lite.
-#
-#	Shorewall documentation is available at http://shorewall.net
+#	Shorewall documentation is available at http://www.shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
@@ -23,858 +22,11 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#     If an error occurs while starting or restarting the firewall, the
-#     firewall is automatically stopped.
+#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
-#     Commands are:
-#
-#     shorewall-lite dump                          Dumps all Shorewall-related information
-#                                                  for problem analysis
-#     shorewall-lite start 			   Starts the firewall
-#     shorewall-lite restart			   Restarts the firewall
-#     shorewall-lite stop			   Stops the firewall
-#     shorewall-lite status			   Displays firewall status
-#     shorewall-lite reset			   Resets iptables packet and
-#						   byte counts
-#     shorewall-lite clear			   Open the floodgates by
-#						   removing all iptables rules
-#						   and setting the three permanent
-#						   chain policies to ACCEPT
-#     shorewall-lite show <chain> [ <chain> ... ]  Display the rules in each <chain> listed
-#     shorewall-lite show log			   Print the last 20 log messages
-#     shorewall-lite show connections		   Show the kernel's connection
-#						   tracking table
-#     shorewall-lite show nat			   Display the rules in the nat table
-#     shorewall-lite show {mangle|tos}		   Display the rules in the mangle table
-#     shorewall-lite show tc			   Display traffic control info
-#     shorewall-lite show classifiers		   Display classifiers
-#     shorewall-lite show capabilities             Display iptables/kernel capabilities
-#     shorewall-lite show vardir                   Display VARDIR setting
-#     shorewall-lite version			   Display the installed version id
-#     shorewall-lite logwatch [ refresh-interval ] Monitor the local log for Shorewall
-#						   messages.
-#     shorewall-lite drop <address> ...		   Temporarily drop all packets from the
-#						   listed address(es)
-#     shorewall-lite reject <address> ...	   Temporarily reject all packets from the
-#						   listed address(es)
-#     shorewall-lite allow <address> ...	   Reenable address(es) previously
-#						   disabled with "drop" or "reject"
-#     shorewall-lite save [ <file> ]		   Save the list of "rejected" and
-#						   "dropped" addresses so that it will
-#						   be automatically reinstated the
-#						   next time that Shorewall starts.
-#                                                  Save the current state so that 'shorewall
-#                                                  restore' can be used.
-#
-#     shorewall-lite forget [ <file> ]             Discard the data saved by 'shorewall save'
-#
-#     shorewall-lite restore [ <file> ]            Restore the state of the firewall from
-#                                                  previously saved information.
-#
-#     shorewall-lite ipaddr { <address>/<cidr> | <address> <netmask> }
-#
-#                                                  Displays information about the network
-#                                                  defined by the argument[s]
-#
-#     shorewall-lite iprange <address>-<address>   Decomposes a range of IP addresses into
-#                                                  a list of network/host addresses.
-#
-#     shorewall-lite ipdecimal { <address> | <integer> }
-#
-#                                                  Displays the decimal equivalent of an IP
-#                                                  address and vice versa.
+################################################################################################
+g_program=shorewall-lite

-#
-# Set the configuration variables from shorewall-lite.conf
-#
-get_config() {
+. /usr/share/shorewall/lib.cli

-    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
-
-    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
-	g_logread="logread | tac"
-    elif [ -r $LOGFILE ]; then
-	g_logread="tac $LOGFILE"
-    else
-	echo "LOGFILE ($LOGFILE) does not exist!" >&2
-	exit 2
-    fi
-    #
-    # See if we have a real version of "tail" -- use separate redirection so
-    # that ash (aka /bin/sh on LRP) doesn't crap
-    #
-    if ( tail -n5 /dev/null > /dev/null 2> /dev/null ) ; then
-	realtail="Yes"
-    else
-	realtail=""
-    fi
-
-    [ -n "$FW" ] || FW=fw
-
-    if [ -n "$IPTABLES" ]; then
-	if [ ! -x "$IPTABLES" ]; then
-	    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
-	    exit 2
-	fi
-    else
-	IPTABLES=$(mywhich iptables 2> /dev/null)
-	if [ -z "$IPTABLES" ] ; then
-	    echo "   ERROR: Can't find iptables executable" >&2
-	    exit 2
-	fi
-    fi
-
-    if [ -n "$SHOREWALL_SHELL" ]; then
-	if [ ! -x "$SHOREWALL_SHELL" ]; then
-	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
-	    SHOREWALL_SHELL=/bin/sh
-	fi
-    fi
-
-    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
-
-    validate_restorefile RESTOREFILE
-
-    [ -n "${VERBOSITY:=2}" ]
-
-    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
-
-    if [ $VERBOSITY -lt -1 ]; then
-	VERBOSITY=-1
-    elif [ $VERBOSITY -gt 2 ]; then
-	VERBOSITY=2
-    fi
-
-    g_hostname=$(hostname 2> /dev/null)
-
-    IP=$(mywhich ip 2> /dev/null)
-    if [ -z "$IP" ] ; then
-	echo "   ERROR: Can't find ip executable" >&2
-	exit 2
-    fi
-
-    IPSET=ipset
-    TC=tc
-
-}
-
-#
-# Verify that we have a compiled firewall script
-#
-verify_firewall_script() {
-    if [ ! -f $g_firewall ]; then
-	echo "   ERROR: Shorewall Lite is not properly installed" >&2
-	if [ -L $g_firewall ]; then
-	    echo "          $g_firewall is a symbolic link to a" >&2
-	    echo "          non-existant file" >&2
-	else
-	    echo "          The file $g_firewall does not exist" >&2
-	fi
-	
-	exit 2
-    fi
-}
-
-#
-# Fatal error
-#
-startup_error() {
-    echo "   ERROR: $@" >&2
-    kill $$
-    exit 1
-}
-
-#
-# Start Command Executor
-#
-start_command() {
-    local finished
-    finished=0
-
-    do_it() {
-	local rc
-	rc=0
-	[ -n "$nolock" ] || mutex_on
-
-	if [ -x ${LITEDIR}/firewall ]; then
-	    run_it ${LITEDIR}/firewall $debugging start
-	    rc=$?
-	else
-	    error_message "${LITEDIR}/firewall is missing or is not executable"
-	    logger -p kern.err "ERROR:Shorewall Lite start failed"
-	    rc=2
-	fi
-
-	[ -n "$nolock" ] || mutex_off
-	exit $rc
-    }
-
-    verify_firewall_script
-
-    if shorewall_is_started; then
-	error_message "Shorewall is already running"
-	exit 0
-    fi
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			f*)
-			    g_fast=Yes
-			    option=${option#f}
-			    ;;
-			p*)
-			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
-			    option=${option%p}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    case $# in
-	0)
-	    ;;
-	*)
-	    usage 1
-	    ;;
-    esac
-
-    if [ -n "$g_fast" ]; then
-	if qt mywhich make; then
-	    export RESTOREFILE
-	    make -qf ${CONFDIR}/Makefile || g_fast=
-	fi
-
-	if [ -n "$g_fast" ]; then
-
-	    g_restorepath=${VARDIR}/$RESTOREFILE
-
-	    if [ -x $g_restorepath ]; then
-		echo Restoring Shorewall Lite...
-		run_it $g_restorepath restore
-		date > ${VARDIR}/restarted
-		progress_message3 Shorewall Lite restored from $g_restorepath
-	    else
-		do_it
-	    fi
-	else
-	    do_it
-	fi
-    else
-	do_it
-    fi
-}
-
-#
-# Restart Command Executor
-#
-restart_command() {
-    local finished
-    finished=0
-    local rc
-    rc=0
-
-    verify_firewall_script
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			n*)
-			    g_noroutes=Yes
-			    option=${option#n}
-			    ;;
-			p*)
-			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
-			    option=${option%p}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    case $# in
-	0)
-	    ;;
-	*)
-	    usage 1
-	    ;;
-    esac
-
-    [ -n "$nolock" ] || mutex_on
-
-    if [ -x ${LITEDIR}/firewall ]; then
-	run_it ${LITEDIR}/firewall $debugging restart
-	rc=$?
-    else
-	error_message "${LITEDIR}/firewall is missing or is not executable"
-	logger -p kern.err "ERROR:Shorewall Lite restart failed"
-	rc=2
-    fi
-
-    [ -n "$nolock" ] || mutex_off
-    return $rc
-}
-
-#
-# Give Usage Information
-#
-usage() # $1 = exit status
-{
-    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
-    echo "where <command> is one of:"
-    echo "   add <interface>[:<host-list>] ... <zone>"
-    echo "   allow <address> ..."
-    echo "   clear"
-    echo "   delete <interface>[:<host-list>] ... <zone>"
-    echo "   drop <address> ..."
-    echo "   dump [ -x ]"
-    echo "   forget [ <file name> ]"
-    echo "   help"
-    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
-    echo "   ipdecimal { <address> | <integer> }"
-    echo "   iprange <address>-<address>"
-    echo "   logdrop <address> ..."
-    echo "   logreject <address> ..."
-    echo "   logwatch [<refresh interval>]"
-    echo "   reject <address> ..."
-    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
-    echo "   restore [ -n ] [ <file name> ]"
-    echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
-    echo "   show [ -f ] capabilities"
-    echo "   show classifiers"
-    echo "   show config"
-    echo "   show connections"
-    echo "   show filters"
-    echo "   show ip"
-    echo "   show [ -m ] log [<regex>]"
-    echo "   show [ -x ] mangle|nat|raw|routing"
-    echo "   show policies"
-    echo "   show tc [ device ]"
-    echo "   show vardir"
-    echo "   show zones"
-    echo "   start [ -f ] [ -p ] [ <directory> ]"
-    echo "   stop"
-    echo "   status"
-    echo "   version [ -a ]"
-    echo
-    exit $1
-}
-
-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-    local product
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-    
-    if [ -n "$all" ]; then
-	for product in shorewall shorewall6 shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
-#
-# Execution begins here
-#
-debugging=
-
-if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then
-    debugging=$1
-    shift
-fi
-
-nolock=
-
-if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
-    nolock=nolock
-    shift
-fi
-
-g_ipt_options="-nv"
-g_fast=
-g_verbose_offset=0
-g_use_verbosity=
-g_noroutes=
-g_timestamp=
-g_recovering=
-g_logread=
-
-#
-# Make sure that these variables are cleared
-#
-VERBOSE=
-VERBOSITY=
-
-finished=0
-
-while [ $finished -eq 0 ]; do
-    [ $# -eq 0 ] && usage 1
-    option=$1
-    case $option in
-	-)
-	    finished=1
-	    ;;
-	-*)
-	    option=${option#-}
-
-	    [ -z "$option" ] && usage 1
-
-	    while [ -n "$option" ]; do
-		case $option in
-		    x*)
-			g_ipt_options="-xnv"
-			option=${option#x}
-			;;
-		    q*)
-			g_verbose_offset=$(($g_verbose_offset - 1 ))
-			option=${option#q}
-			;;
-		    f*)
-			g_fast=Yes
-			option=${option#f}
-			;;
-		    v*)
-			option=${option#v}
-			case $option in 
-			    -1*)
-				g_use_verbosity=-1
-				option=${option#-1}
-				;;
-			    0*)
-				g_use_verbosity=0
-				option=${option#0}
-				;;
-			    1*)
-				g_use_verbosity=1
-				option=${option#1}
-				;;
-			    2*)
-				g_use_verbosity=2
-				option=${option#2}
-				;;
-			    *)
-				g_verbose_offset=$(($g_verbose_offset + 1 ))
-				g_use_verbosity=
-				;;
-			esac
-			;;
-		    n*)
-			g_noroutes=Yes
-			option=${option#n}
-			;;
-		    t*)
-			g_timestamp=Yes
-			option=${option#t}
-			;;
-		    -)
-			finished=1
-			option=
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-	    shift
-	    ;;
-	*)
-	    finished=1
-            ;;
-    esac
-done
-
-if [ $# -eq 0 ]; then
-    usage 1
-fi
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-MUTEX_TIMEOUT=
-
-SHAREDIR=/usr/share/shorewall-lite
-CONFDIR=/etc/shorewall-lite
-g_product="Shorewall Lite"
-g_libexec=share
-
-[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
-
-[ -n "${VARDIR:=/var/lib/shorewall-lite}" ]
-
-[ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR"
-
-version_file=$SHAREDIR/version
-
-for library in base cli; do
-    . ${SHAREDIR}/lib.$library
-done
-
-ensure_config_path
-
-config=$(find_file shorewall-lite.conf)
-
-if [ -f $config ]; then
-    if [ -r $config ]; then
-	. $config
-    else
-	echo "Cannot read $config! (Hint: Are you root?)" >&2
-	exit 1
-    fi
-else
-    echo "$config does not exist!" >&2
-    exit 2
-fi
-
-ensure_config_path
-
-LITEDIR=${VARDIR}
-
-[ -f ${LITEDIR}/firewall.conf ] && . ${LITEDIR}/firewall.conf
-
-get_config
-
-g_firewall=$LITEDIR/firewall
-
-if [ -f $version_file ]; then
-    SHOREWALL_VERSION=$(cat $version_file)
-else
-    echo "   ERROR: Shorewall Lite is not properly installed" >&2
-    echo "          The file $version_file does not exist" >&2
-    exit 1
-fi
-
-banner="Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname -"
-
-case $(echo -e) in
-    -e*)
-	RING_BELL="echo \a"
-	ECHO_E="echo"
-	;;
-    *)
-	RING_BELL="echo -e \a"
-	ECHO_E="echo -e"
-	;;
-esac
-
-case $(echo -n "Testing") in
-    -n*)
-	ECHO_N=
-	;;
-    *)
-	ECHO_N=-n
-	;;
-esac
-
-COMMAND=$1
-
-case "$COMMAND" in
-    start)
-	shift
-	start_command $@
-	;;
-    stop|reset|clear)
-	[ $# -ne 1 ] && usage 1
-	verify_firewall_script
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
-	;;
-    restart)
-	shift
-	restart_command
-	;;
-    show|list)
-    	shift
-    	show_command $@
-	;;
-    status)
-	[ $# -eq 1 ] || usage 1
-	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
-	echo "Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
-	echo
-	if shorewall_is_started ; then
-	    echo "Shorewall Lite is running"
-	    status=0
-	else
-	    echo "Shorewall Lite is stopped"
-	    status=4
-	fi
-
-	if [ -f ${VARDIR}/state ]; then
-	    state="$(cat ${VARDIR}/state)"
-	    case $state in
-		Stopped*|Closed*|Clear*)
-		    status=3
-		    ;;
-	    esac
-	else
-	    state=Unknown
-	fi
-	echo "State:$state"
-	echo
-	exit $status
-	;;
-    dump)
-    	shift
-    	dump_command $@
-	;;
-    hits)
-	[ -n "$debugging" ] && set -x
-	shift
-	hits_command $@
-	;;
-    version)
-	shift
-	version_command $@
-	;;
-    logwatch)
-	logwatch_command $@
-	;;
-    drop)
-	[ -n "$debugging" ] && set -x
-	[ $# -eq 1 ] && usage 1
-	if shorewall_is_started ; then
-	    [ -n "$nolock" ] || mutex_on
-	    block DROP Dropped $*
-	    [ -n "$nolock" ] || mutex_off
-	else
-	    error_message "ERROR: Shorewall Lite is not started"
-	    exit 2
-	fi
-	;;
-    logdrop)
-	[ -n "$debugging" ] && set -x
-	[ $# -eq 1 ] && usage 1
-	if shorewall_is_started ; then
-	    [ -n "$nolock" ] || mutex_on
-	    block logdrop Dropped $*
-	    [ -n "$nolock" ] || mutex_off
-	else
-	    error_message "ERROR: Shorewall Lite is not started"
-	    exit 2
-	fi
-	;;
-    reject|logreject)
-	[ -n "$debugging" ] && set -x
-	[ $# -eq 1 ] && usage 1
-	if shorewall_is_started ; then
-	    [ -n "$nolock" ] || mutex_on
-	    block $COMMAND Rejected $*
-	    [ -n "$nolock" ] || mutex_off
-	else
-	    error_message "ERROR: Shorewall Lite is not started"
-	    exit 2
-	fi
-	;;
-    allow)
-	allow_command $@
-	;;
-    add)
-	get_config
-	shift
-	add_command $@
-	;;
-    delete)
-	get_config
-	shift
-	add_command $@
-	;;
-    save)
-	[ -n "$debugging" ] && set -x
-
-	case $# in
-	1)
-	    ;;
-	2)
-	    RESTOREFILE="$2"
-	    validate_restorefile '<restore file>'
-	    ;;
-	*)
-	    usage 1
-	    ;;
-	esac
-
-	g_restorepath=${VARDIR}/$RESTOREFILE
-
-	[ "$nolock" ] || mutex_on
-
-	save_config
-
-	[ "$nolock" ] || mutex_off
-	;;
-    forget)
-	case $# in
-	1)
-	    ;;
-	2)
-	    RESTOREFILE="$2"
-	    validate_restorefile '<restore file>'
-	    ;;
-	*)
-	    usage 1
-	    ;;
-	esac
-
-
-	g_restorepath=${VARDIR}/$RESTOREFILE
-
-	if [ -x $g_restorepath ]; then
-	    rm -f $g_restorepath
-	    rm -f ${g_restorepath}-iptables
-	    rm -f ${g_restorepath}-ipsets
-	    echo "    $g_restorepath removed"
-	elif [ -f $g_restorepath ]; then
-	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
-	fi
-	rm -f ${VARDIR}/save
-	;;
-    ipcalc)
-    	[ -n "$debugging" ] && set -x
-	if [ $# -eq 2 ]; then
-	    address=${2%/*}
-	    vlsm=${2#*/}
-	elif [ $# -eq 3 ]; then
-	    address=$2
-	    vlsm=$(ip_vlsm $3)
-	else
-	    usage 1
-	fi
-
-	valid_address $address || fatal_error "Invalid IP address: $address"
-	[ -z "$vlsm" ] && exit 2
-	[ "x$address" = "x$vlsm" ] && usage 2
-	[ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2
-
-	address=$address/$vlsm
-
-	                                   echo "   CIDR=$address"
-	temp=$(ip_netmask $address);       echo "   NETMASK=$(encodeaddr $temp)"
-	temp=$(ip_network $address);       echo "   NETWORK=$temp"
-	temp=$(broadcastaddress $address); echo "   BROADCAST=$temp"
-	;;
-
-    iprange)
-	[ -n "$debugging" ] && set -x
-	case $2 in
-	    *.*.*.*-*.*.*.*)
-		for address in ${2%-*} ${2#*-}; do
-		    valid_address $address || fatal_error "Invalid IP address: $address"
-		done
-
-		ip_range $2
-		;;
-	    *)
-		usage 1
-		;;
-	esac
-	;;
-    ipdecimal)
-	[ -n "$debugging" ] && set -x
-	[ $# -eq 2 ] || usage 1
-	case $2 in
-	    *.*.*.*)
-		valid_address $2 || fatal_error "Invalid IP address: $2"
-		echo "   $(decodeaddr $2)"
-		;;
-	    *)
-		echo "   $(encodeaddr $2)"
-		;;
-	esac
-	;;
-    restore)
-	shift
-	STARTUP_ENABLED=Yes
-	restore_command $@
-        ;;
-    call)
-	[ -n "$debugging" ] && set -x
-	#
-	# Undocumented way to call functions in ${SHAREDIR}/functions directly
-	#
-	shift
-	$@
-	;;
-    help)
-	shift
-	usage
-	;;
-    *)
-	usage 1
-	;;
-
-esac
+shorewall_cli $@
--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv4 firewall (lite)
+After=syslog.target
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-lite $OPTIONS start
+ExecStop=/sbin/shorewall-lite $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,479 +0,0 @@
-%define name shorewall-lite
-%define version 4.4.20
-%define release 2
-
-Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
-Name: %{name}
-Version: %{version}
-Release: %{release}
-License: GPLv2
-Packager: Tom Eastep <teastep@shorewall.net>
-Group: Networking/Utilities
-Source: %{name}-%{version}.tgz
-URL: http://www.shorewall.net/
-BuildArch: noarch
-BuildRoot: %{_tmppath}/%{name}-%{version}-root
-Requires: iptables iproute
-Provides: shoreline_firewall = %{version}-%{release}
-
-%description
-
-The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
-(iptables) based firewall that can be used on a dedicated firewall system,
-a multi-function gateway/ router/server or on a standalone GNU/Linux system.
-
-Shorewall Lite is a companion product to Shorewall that allows network
-administrators to centralize the configuration of Shorewall-based firewalls.
-
-%prep
-
-%setup
-
-%build
-
-%install
-export DESTDIR=$RPM_BUILD_ROOT ; \
-export OWNER=`id -n -u` ; \
-export GROUP=`id -n -g` ;\
-./install.sh
-
-%clean
-rm -rf $RPM_BUILD_ROOT
-
-%pre
-
-if [ -f /etc/shorewall-lite/shorewall.conf ]; then
-    cp -fa /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall.conf.rpmsave
-fi
-
-%post
-
-if [ $1 -eq 1 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv /etc/rc.d/shorewall-lite
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --add shorewall-lite;
-    fi
-elif [ -f /etc/shorewall-lite/shorewall.conf.rpmsave ]; then
-    mv -f /etc/shorewall-lite/shorewall-lite.conf /etc/shorewall-lite/shorewall-lite.conf.rpmnew
-    mv -f /etc/shorewall-lite/shorewall.conf.rpmsave /etc/shorewall-lite/shorewall-lite.conf
-    echo "/etc/shorewall-lite/shorewall.conf retained as /etc/shorewall-lite/shorewall-lite.conf"
-    echo "/etc/shorewall-lite/shorewall-lite.conf installed as /etc/shorewall-lite/shorewall-lite.conf.rpmnew"
-fi
-
-%preun
-
-if [ $1 -eq 0 ]; then
-    if [ -x /sbin/insserv ]; then
-	/sbin/insserv -r /etc/init.d/shorewall-lite
-    elif [ -x /sbin/chkconfig ]; then
-	/sbin/chkconfig --del shorewall-lite
-    fi
-fi
-
-%files
-%defattr(0644,root,root,0755)
-%attr(0755,root,root) %dir /etc/shorewall-lite
-%attr(0644,root,root) %config(noreplace) /etc/shorewall-lite/shorewall-lite.conf
-%attr(0644,root,root) /etc/shorewall-lite/Makefile
-%attr(0544,root,root) /etc/init.d/shorewall-lite
-%attr(0755,root,root) %dir /usr/share/shorewall-lite
-%attr(0700,root,root) %dir /var/lib/shorewall-lite
-
-%attr(0644,root,root) /etc/logrotate.d/shorewall-lite
-
-%attr(0755,root,root) /sbin/shorewall-lite
-
-%attr(0644,root,root) /usr/share/shorewall-lite/version
-%attr(0644,root,root) /usr/share/shorewall-lite/configpath
-%attr(-   ,root,root) /usr/share/shorewall-lite/functions
-%attr(0644,root,root) /usr/share/shorewall-lite/lib.base
-%attr(0644,root,root) /usr/share/shorewall-lite/lib.cli
-%attr(0644,root,root) /usr/share/shorewall-lite/lib.common
-%attr(0644,root,root) /usr/share/shorewall-lite/modules*
-%attr(0644,root,root) /usr/share/shorewall-lite/helpers
-%attr(0544,root,root) /usr/share/shorewall-lite/shorecap
-%attr(0755,root,root) /usr/share/shorewall-lite/wait4ifup
-
-%attr(0644,root,root) %{_mandir}/man5/shorewall-lite.conf.5.gz
-%attr(0644,root,root) %{_mandir}/man5/shorewall-lite-vardir.5.gz
-
-%attr(0644,root,root) %{_mandir}/man8/shorewall-lite.8.gz
-
-%doc COPYING changelog.txt releasenotes.txt
-
-%changelog
-* Tue Jun 07 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-2
-* Mon Jun 06 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-1
-* Tue May 31 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-0base
-* Fri May 27 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-0RC1
-* Tue May 24 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-0Beta5
-* Sun May 22 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-0Beta4
-* Thu May 19 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-0Beta3
-* Wed May 18 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-0Beta2
-* Sat Apr 16 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.20-0Beta1
-* Wed Apr 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-1
-* Sat Apr 09 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0base
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0RC1
-* Sun Apr 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta5
-* Sat Apr 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta4
-* Sat Mar 26 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta3
-* Sat Mar 05 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.19-0Beta1
-* Wed Mar 02 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0base
-* Mon Feb 28 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0RC1
-* Sun Feb 20 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta4
-* Sat Feb 19 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta3
-* Sun Feb 13 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta2
-* Sat Feb 05 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.18-0Beta1
-* Fri Feb 04 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0base
-* Sun Jan 30 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0RC1
-* Fri Jan 28 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0Beta3
-* Wed Jan 19 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0Beta2
-* Sat Jan 08 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.17-0Beta1
-* Mon Jan 03 2011 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0base
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0RC1
-* Thu Dec 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta8
-* Sun Dec 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta7
-* Mon Dec 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta6
-* Fri Dec 10 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta5
-* Sat Dec 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta4
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta3
-* Fri Dec 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta2
-* Tue Nov 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.16-0Beta1
-* Fri Nov 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0base
-* Mon Nov 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0RC1
-* Mon Nov 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0Beta2
-* Sat Oct 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.15-0Beta1
-* Sat Oct 23 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0base
-* Wed Oct 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0RC1
-* Fri Oct 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta4
-* Sun Sep 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta3
-* Thu Sep 23 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta2
-* Tue Sep 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.14-0Beta1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0RC1
-* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta6
-* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta5
-* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta4
-* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta3
-* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta2
-* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.13-0Beta1
-* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0base
-* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0RC1
-* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta4
-* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta3
-* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta2
-* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.12-0Beta1
-* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0base
-* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0RC1
-* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta3
-* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta2
-* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.11-0Beta1
-* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0base
-* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC2
-* Thu May 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0RC1
-* Wed May 26 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta4
-* Tue May 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta3
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta2
-* Thu May 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.10-0Beta1
-* Mon May 03 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0base
-* Sun May 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0RC2
-* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0RC1
-* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta5
-* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta4
-* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta3
-* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta2
-* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.9-0Beta1
-* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0base
-* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0RC2
-* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0RC1
-* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0Beta2
-* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.8-0Beta1
-* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0base
-* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0RC2
-* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0RC1
-* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta4
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta3
-* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta2
-* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-0Beta1
-* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.6-0base
-* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.6-0Beta1
-* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.5-0base
-* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.4-0base
-* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.4-0Beta2
-* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.4-0Beta1
-* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.3-0base
-* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-0base
-* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.2-0base
-* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.1-0base
-* Mon Aug 03 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0base
-* Tue Jul 28 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0RC2
-* Sun Jul 12 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0RC1
-* Thu Jul 09 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0Beta4
-* Sat Jun 27 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0Beta3
-* Mon Jun 15 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0Beta2
-* Fri Jun 12 2009 Tom Eastep tom@shorewall.net
- Updated to 4.4.0-0Beta1
-* Sun Jun 07 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.13-0base
-* Fri Jun 05 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.12-0base
-* Sun May 10 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.11-0base
-* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.10-0base
-* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.9-0base
-* Tue Mar 17 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.8-0base
-* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.7-0base
-* Fri Feb 27 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.6-0base
-* Sun Feb 22 2009 Tom Eastep tom@shorewall.net
- Updated to 4.3.5-0base
-* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
-* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.6-0base
-* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
- Updated to 4.2.5-0base
-* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.4-0base
-* Fri Dec 05 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.3-0base
-* Wed Nov 05 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.2-0base
-* Wed Oct 08 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.1-0base
-* Fri Oct 03 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0base
-* Tue Sep 23 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0RC4
-* Mon Sep 15 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0RC3
-* Mon Sep 08 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0RC2
-* Tue Aug 19 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0RC1
-* Thu Jul 03 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0Beta3
-* Mon Jun 02 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0Beta2
-* Wed May 07 2008 Tom Eastep tom@shorewall.net
- Updated to 4.2.0-0Beta1
-* Mon Apr 28 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.8-0base
-* Mon Mar 24 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.7-0base
-* Thu Mar 13 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.6-0base
-* Tue Feb 05 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.5-0base
-* Fri Jan 04 2008 Tom Eastep tom@shorewall.net
- Updated to 4.1.4-0base
-* Wed Dec 12 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.3-0base
-* Fri Dec 07 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.3-1
-* Tue Nov 27 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.2-1
-* Wed Nov 21 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.1-1
-* Mon Nov 19 2007 Tom Eastep tom@shorewall.net
- Updated to 4.1.0-1
-* Thu Nov 15 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-1
-* Sat Nov 10 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-0RC3
-* Wed Nov 07 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-0RC2
-* Thu Oct 25 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.6-0RC1
-* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.5-1
-* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.4-1
-* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.3-1
-* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.2-1
-* Sat Jul 21 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.1-1
-* Wed Jul 11 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-1
-* Sun Jul 08 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0RC2
-* Mon Jul 02 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0RC1
-* Sun Jun 24 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta7
-* Wed Jun 20 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta6
-* Thu Jun 14 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta5
-* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta4
-* Tue Jun 05 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta3
-* Tue May 15 2007 Tom Eastep tom@shorewall.net
- Updated to 4.0.0-0Beta1
-* Fri May 11 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.7-1
-* Sat May 05 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.6-1
-* Mon Apr 30 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.5-1
-* Mon Apr 23 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.4-1
-* Wed Apr 18 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.3-1
-* Sat Apr 14 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.2-1
-* Sat Apr 07 2007 Tom Eastep tom@shorewall.net
- Updated to 3.9.1-1
-* Thu Mar 15 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.1-1
-* Sat Mar 10 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-1
-* Sun Feb 25 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0RC3
-* Sun Feb 04 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0RC2
-* Wed Jan 24 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0RC1
-* Mon Jan 22 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0Beta3
-* Wed Jan 03 2007 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0Beta2
- Handle rename of shorewall.conf
-* Thu Dec 14 2006 Tom Eastep tom@shorewall.net
- Updated to 3.4.0-0Beta1
-* Sat Nov 25 2006 Tom Eastep tom@shorewall.net
- Added shorewall-exclusion(5)
- Updated to 3.3.6-1
-* Sun Nov 19 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.5-1
-* Sun Oct 29 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.4-1
-* Mon Oct 16 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.3-1
-* Sat Sep 30 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.2-1
-* Wed Aug 30 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.1-1
-* Wed Aug 09 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.0-1
-* Wed Aug 09 2006 Tom Eastep tom@shorewall.net
- Updated to 3.3.0-1
-
-
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.20.2
+VERSION=xxx  #The Build script inserts the actual version

 usage() # $1 = exit status
 {
@@ -93,6 +93,8 @@ if [ -n "$FIREWALL" ]; then
        insserv -r $FIREWALL
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
+    elif [ -x /sbin/systemctl ]; then
+	systemctl disable shorewall-lite
    else
 	rm -f /etc/rc*.d/*$(basename $FIREWALL)
    fi
@@ -112,6 +114,7 @@ rm -rf /usr/share/shorewall-lite
 rm -rf ${LIBEXEC}/shorewall-lite
 rm -rf /usr/share/shorewall-lite-*.bkout
 rm -f  /etc/logrotate.d/shorewall-lite
+rm -f  /lib/systemd/system/shorewall-lite.service

 echo "Shorewall Lite Uninstalled"

--- a/Shorewall/Macros/macro.AllowICMPs
+++ b/Shorewall/Macros/macro.AllowICMPs
@@ -11,5 +11,6 @@

 COMMENT Needed ICMP types

-ACCEPT	-	-	icmp	fragmentation-needed
-ACCEPT	-	-	icmp	time-exceeded
+DEFAULT ACCEPT
+PARAM	-	-	icmp	fragmentation-needed
+PARAM	-	-	icmp	time-exceeded
--- a/Shorewall/Macros/macro.DropDNSrep
+++ b/Shorewall/Macros/macro.DropDNSrep
@@ -11,4 +11,5 @@

 COMMENT Late DNS Replies

-DROP	-	-	udp	-	53
+DEFAULT DROP
+PARAM	-	-	udp	-	53
--- a/Shorewall/Macros/macro.DropUPnP
+++ b/Shorewall/Macros/macro.DropUPnP
@@ -11,4 +11,5 @@

 COMMENT UPnP

-DROP	-	-	udp	1900
+DEFAULT DROP
+PARAM	-	-	udp	1900
--- a/Shorewall/Macros/macro.MSNP
+++ b/Shorewall/Macros/macro.MSNP
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - MSNP Macro
+#
+# /usr/share/shorewall/macro.MSNP
+#
+#	This macro handles MSNP (MicroSoft Notification Protocol)
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	1863
--- a/Shorewall/Macros/macro.Syslog
+++ b/Shorewall/Macros/macro.Syslog
@@ -3,9 +3,10 @@
 #
 # /usr/share/shorewall/macro.Syslog
 #
-#	This macro handles syslog UDP traffic.
+#	This macro handles syslog traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	514
+PARAM	-	-	tcp	514
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4.20';
+our $VERSION = 'MODULEVERSION';

 #
 # Per-IP accounting tables. Each entry contains the associated network.
@@ -141,7 +141,10 @@ sub process_accounting_rule( ) {

    $jumpchainref = 0;

-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File', $accounting_commands;
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
+	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
+
+    fatal_error 'ACTION must be specified' if $action eq '-';

    if ( $action eq 'COMMENT' ) {
 	process_comment;
@@ -205,7 +208,7 @@ sub process_accounting_rule( ) {
 		require_capability 'ACCOUNT_TARGET' , 'ACCOUNT Rules' , '';
 		my ( $table, $net, $rest ) = split/,/, $1;
 		fatal_error "Invalid Network Address (${net},${rest})" if defined $rest;
-		fatal_error "Missing Table Name"                       unless defined $table && $table ne '';;
+		fatal_error "Missing Table Name"                       unless supplied $table;
 		fatal_error "Invalid Table Name ($table)"              unless $table =~ /^([-\w.]+)$/;
 		fatal_error "Missing Network Address"                  unless defined $net;
 		fatal_error "Invalid Network Address ($net)"           unless defined $net   && $net =~ '/(\d+)$';
@@ -400,47 +403,47 @@ sub setup_accounting() {

 	    if ( have_bridges || $asection ) {
 		if ( $tableref->{accountin} ) {
-		    add_jump( $tableref->{INPUT}, 'accountin', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{INPUT}, j => 'accountin', 0 );
 		}

 		if ( $tableref->{accounting} ) {
 		    dont_optimize( 'accounting' );
 		    for my $chain ( qw/INPUT FORWARD/ ) {
-			add_jump( $tableref->{$chain}, 'accounting', 0, '', 0, 0 );
+			insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		    }
 		}

 		if ( $tableref->{accountfwd} ) {
-		    add_jump( $tableref->{FORWARD}, 'accountfwd', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{FORWARD}, j => 'accountfwd', 0 );
 		}

 		if ( $tableref->{accountout} ) {
-		    add_jump( $tableref->{OUTPUT}, 'accountout', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{OUTPUT}, j => 'accountout', 0 );
 		}

 		if ( $tableref->{accountpre} ) {
-		    add_jump( $tableref->{PREROUTING}, 'accountpre', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{PREROUTING}, j => 'accountpre' , 0 );
 		}

 		if ( $tableref->{accountpost} ) {
-		    add_jump( $tableref->{POSTROUTING}, 'accountpost', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 );
 		}
 	    } elsif ( $tableref->{accounting} ) {
 		dont_optimize( 'accounting' );
 		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		    add_jump( $tableref->{$chain}, 'accounting', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		}
 	    }

 	    if ( $tableref->{accipsecin} ) {
 		for my $chain ( qw/INPUT FORWARD/ ) {
-		    add_jump( $tableref->{$chain}, 'accipsecin', 0,  '', 0, 0 );
+		    insert_ijump( $tableref->{$chain}, j => 'accipsecin', 0 );
 		}
 	    }

 	    if ( $tableref->{accipsecout} ) {
 		for my $chain ( qw/FORWARD OUTPUT/ ) {
-		    add_jump( $tableref->{$chain}, 'accipsecout', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{$chain}, j => 'accipsecout', 0 );
 		}
 	    }

--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -1,10 +1,10 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.4
+#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -38,10 +38,12 @@ use Shorewall::IPAddrs;
 use Shorewall::Raw;
 use Shorewall::Misc;

+use strict;
+
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_20';
+our $VERSION = 'MODULEVERSION';

 my $export;

@@ -52,10 +54,10 @@ my $family;
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals() {
+sub initialize_package_globals( $ ) {
    Shorewall::Config::initialize($family);
    Shorewall::Chains::initialize ($family, 1, $export );
-    Shorewall::Zones::initialize ($family);
+    Shorewall::Zones::initialize ($family, shift);
    Shorewall::Nat::initialize;
    Shorewall::Providers::initialize($family);
    Shorewall::Tc::initialize($family);
@@ -69,7 +71,7 @@ sub initialize_package_globals() {
 #
 # First stage of script generation.
 #
-#    Copy prog.header and lib.common to the generated script.
+#    Copy prog.header, lib.core and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -81,11 +83,11 @@ sub generate_script_1( $ ) {

    if ( $script ) {
 	if ( $test ) {
-	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
+	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
 	    my $date = localtime;

-	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
+	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";

 	    if ( $family == F_IPV4 ) {
 		copy $globals{SHAREDIRPL} . 'prog.header';
@@ -93,7 +95,8 @@ sub generate_script_1( $ ) {
 		copy $globals{SHAREDIRPL} . 'prog.header6';
 	    }

-	    copy2 $globals{SHAREDIR} . '/lib.common', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.core', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
 	}

    }
@@ -108,7 +111,7 @@ sub generate_script_1( $ ) {
 ################################################################################
 EOF

-    for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ {
+    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -116,7 +119,7 @@ EOF
 	emit '}';
    }

-    for my $exit qw/isusable findgw/ {
+    for my $exit ( qw/isusable findgw/ ) {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file($exit, 1) or emit 'true';
@@ -160,27 +163,39 @@ sub generate_script_2() {
    push_indent;

    if ( $family == F_IPV4 ) {
+	emit( 'g_family=4' );
+
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall-lite',
 		   'CONFDIR=/etc/shorewall-lite',
-		   'g_product="Shorewall Lite"'
+		   'g_product="Shorewall Lite"',
+		   'g_program=shorewall-lite',
+		   'g_basedir=/usr/share/shorewall-lite',
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall',
 		   'CONFDIR=/etc/shorewall',
-		   'g_product=\'Shorewall\'',
+		   'g_product=Shorewall',
+		   'g_program=shorewall',
+		   'g_basedir=/usr/share/shorewall',
 		 );
 	}
    } else {
+	emit( 'g_family=6' );
+
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6-lite',
 		   'CONFDIR=/etc/shorewall6-lite',
-		   'g_product="Shorewall6 Lite"'
+		   'g_product="Shorewall6 Lite"',
+		   'g_program=shorewall6-lite',
+		   'g_basedir=/usr/share/shorewall6',
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6',
 		   'CONFDIR=/etc/shorewall6',
-		   'g_product=\'Shorewall6\'',
+		   'g_product=Shorewall6',
+		   'g_program=shorewall6',
+		   'g_basedir=/usr/share/shorewall'
 		 );
 	}
    }
@@ -263,9 +278,9 @@ sub generate_script_2() {
 	push_indent;

 	if ( $global_variables & NOT_RESTORE ) {
-	    emit( 'start|restart|refresh)' );
+	    emit( 'start|restart|refresh|disable|enable)' );
 	} else {
-	    emit( 'start|restart|refresh|restore)' );
+	    emit( 'start|restart|refresh|disable|enable|restore)' );
 	}

 	push_indent;
@@ -354,9 +369,9 @@ sub generate_script_3($) {

    emit '';

-    if ( $family == F_IPV4 ) {
-	load_ipsets;
+    load_ipsets;

+    if ( $family == F_IPV4 ) {
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
 	       '   run_refresh_exit' ,
 	       'else' ,
@@ -430,6 +445,10 @@ sub generate_script_3($) {
    save_policies;
    emit_unindented '__EOF__';

+    emit 'cat > ${VARDIR}/marks << __EOF__';
+    dump_mark_layout;
+    emit_unindented '__EOF__';
+
    pop_indent;

    emit "fi\n";
@@ -455,6 +474,7 @@ sub generate_script_3($) {
    fi
 EOF
    pop_indent;
+    setup_load_distribution;
    setup_forwarding( $family , 1 );
    push_indent;

@@ -467,14 +487,18 @@ else
    if [ \$COMMAND = refresh ]; then
        chainlist_reload
 EOF
+    setup_load_distribution;
    setup_forwarding( $family , 0 );

+    emit( '        run_refreshed_exit' ,
+	  '        do_iptables -N shorewall' ,
+	  "        set_state Started $config_dir" ,
+	  '    else' ,
+	  '        setup_netfilter' );
+    
+    setup_load_distribution;
+
    emit<<"EOF";
-        run_refreshed_exit
-        do_iptables -N shorewall
-        set_state Started $config_dir
-    else
-        setup_netfilter
        conditionally_flush_conntrack
 EOF
    setup_forwarding( $family , 0 );
@@ -523,8 +547,8 @@ EOF
 #
 sub compiler {

-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , '');

    $export = 0;
    $test   = 0;
@@ -556,8 +580,12 @@ sub compiler {
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
-		  preview       => { store => \$preview },
-		  confess       => { store => \$confess },
+		  preview       => { store => \$preview,       validate=> \&validate_boolean    } ,    
+		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
+		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
+		  convert       => { store => \$convert,       validate=> \&validate_boolean    } ,
+		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
+		  config_path   => { store => \$config_path } ,
 		);
    #
    #                               P A R A M E T E R    P R O C E S S I N G
@@ -575,7 +603,9 @@ sub compiler {
    #
    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
    #
-    initialize_package_globals;
+    initialize_package_globals( $update );
+
+    set_config_path( $config_path ) if $config_path;

    if ( $directory ne '' ) {
 	fatal_error "$directory is not an existing directory" unless -d $directory;
@@ -591,15 +621,10 @@ sub compiler {
    #
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
-    get_configuration( $export );
-
-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
-
-    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
-    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
-    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
-
+    get_configuration( $export , $update , $annotate );
+    #
+    # Create a temp file to hold the script
+    #
    if ( $scriptfilename ) {
 	set_command( 'compile', 'Compiling', 'Compiled' );
 	create_temp_script( $scriptfilename , $export );
@@ -608,10 +633,9 @@ sub compiler {
    }
    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
-    # shorewall.conf has been processed and the capabilities have been determined.
+    # now when shorewall.conf has been processed and the capabilities have been determined.
    #
    initialize_chain_table(1);
-
    #
    # Allow user to load Perl modules
    #
@@ -670,7 +694,7 @@ sub compiler {
    #
    # Do all of the zone-independent stuff (mostly /proc)
    #
-    add_common_rules;
+    add_common_rules( $convert );
    #
    # More /proc
    #
@@ -693,7 +717,7 @@ sub compiler {
    if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
-	emit '}';
+	emit '}'; # End of setup_common_rules()
    }

    disable_script;
@@ -702,7 +726,17 @@ sub compiler {
    #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
    #
    enable_script;
-
+    #
+    # Validate the TC files so that the providers will know what interfaces have TC
+    #
+    my $tcinterfaces = process_tc;
+    #
+    # Generate a function to bring up each provider
+    #
+    process_providers( $tcinterfaces );
+    #
+    # [Re-]establish Routing
+    #
    if ( $scriptfilename || $debug ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
@@ -712,9 +746,7 @@ sub compiler {

 	push_indent;
    }
-    #
-    # [Re-]establish Routing
-    #
+
    setup_providers;
    #
    # TCRules and Traffic Shaping
@@ -723,7 +755,7 @@ sub compiler {

    if ( $scriptfilename || $debug ) {
 	pop_indent;
-	emit "}\n";
+	emit "}\n"; # End of setup_routing_and_traffic_shaping()
    }

    disable_script;
@@ -746,12 +778,12 @@ sub compiler {
 	# Setup Nat
 	#
 	setup_nat;
-	#
-	# Setup NETMAP
-	#
-	setup_netmap;
    }

+    #
+    # Setup NETMAP
+    #
+    setup_netmap;
    #
    # MACLIST Filtration
    #
@@ -759,7 +791,7 @@ sub compiler {
    #
    # Process the rules file.
    #
-    process_rules;
+    process_rules( $convert );
    #
    # Add Tunnel rules.
    #
@@ -783,7 +815,9 @@ sub compiler {
 	#
 	generate_matrix;

-	if ( $config{OPTIMIZE} & 0xE ) {
+	optimize_level0;
+
+	if ( $config{OPTIMIZE} & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
@@ -792,7 +826,7 @@ sub compiler {
 	    #
 	    # More Optimization
 	    #
-	    optimize_ruleset if $config{OPTIMIZE} & 0xC;
+	    optimize_ruleset if $config{OPTIMIZE} & 0x1C;
 	}

 	enable_script;
@@ -825,13 +859,7 @@ sub compiler {
 	#
 	# Copy the footer to the script
 	#
-	unless ( $test ) {
-	    if ( $family == F_IPV4 ) {
-		copy $globals{SHAREDIRPL} . 'prog.footer';
-	    } else {
-		copy $globals{SHAREDIRPL} . 'prog.footer6';
-	    }
-	}
+	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;

 	disable_script;
 	#
@@ -852,16 +880,18 @@ sub compiler {
 	    #
 	    generate_matrix;

-	    if ( $config{OPTIMIZE} & 0xE ) {
+	    optimize_level0;
+
+	    if ( $config{OPTIMIZE} & OPTIMIZE_MASK ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
 		#
-		optimize_policy_chains if $config{OPTIMIZE} & 2;
+		optimize_policy_chains if $config{OPTIMIZE} & OPTIMIZE_POLICY_MASK;
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $config{OPTIMIZE} & 0xC;
+		optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
 	    }

 	    enable_script if $debug;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -55,6 +55,7 @@ our @EXPORT = qw( ALLIPv4
 		  DCCP
 		  IPv6_ICMP
 		  SCTP
+		  GRE

 		  validate_address
 		  validate_net
@@ -80,7 +81,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_20';
+our $VERSION = 'MODULEVERSION';

 #
 # Some IPv4/6 useful stuff
@@ -117,6 +118,7 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       TCP                 => 6,
 	       UDP                 => 17,
 	       DCCP                => 33,
+	       GRE                 => 47,
 	       IPv6_ICMP           => 58,
 	       SCTP                => 132,
 	       UDPLITE             => 136 };
@@ -530,12 +532,13 @@ sub valid_6address( $ ) {
 	return 0 unless valid_4address pop @address;
 	$max = 6;
 	$address = join ':', @address;
-	return 1 if @address eq ':';
+	return 1 if $address eq ':';
    } else {
 	$max = 8;
    }

    return 0 if @address > $max;
+    return 0 unless $address =~ /^[a-fA-F:\d]+$/;
    return 0 unless ( @address == $max ) || $address =~ /::/;
    return 0 if $address =~ /:::/ || $address =~ /::.*::/;

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -36,7 +36,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = '4.4_20';
+our $VERSION = 'MODULEVERSION';

 my @addresses_to_add;
 my %addresses_to_add;
@@ -54,13 +54,16 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = 
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };

    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
 	return 1;
    }

+    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+
    my $pre_nat;
    my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
    my $destnets = '';
@@ -163,8 +166,8 @@ sub process_one_masq( )
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
-		$addresses =~ s/:persistent$// and $persistent = '--persistent ';
-		$addresses =~ s/:random$//     and $randomize  = '--random ';
+		$addresses =~ s/:persistent$// and $persistent = ' --persistent ';
+		$addresses =~ s/:random$//     and $randomize  = ' --random ';

 		require_capability 'PERSISTENT_SNAT', ':persistent', 's' if $persistent;

@@ -374,7 +377,7 @@ sub setup_nat() {

 	while ( read_a_line ) {

-	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
+	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };

 	    if ( $external eq 'COMMENT' ) {
 		process_comment;
@@ -383,8 +386,11 @@ sub setup_nat() {

 		$digit = defined $digit ? ":$digit" : '';

+		fatal_error 'EXTERNAL must be specified' if $external eq '-';
+		fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
+
 		for my $interface ( split_list $interfacelist , 'interface' ) {
-		    fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne '';
+		    fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
 		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
 		}

@@ -403,36 +409,104 @@ sub setup_netmap() {

    if ( my $fn = open_file 'netmap' ) {

-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
+	first_entry "$doing $fn...";

 	while ( read_a_line ) {

-	    my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
+	    my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 };

 	    $net3 = ALLIP if $net3 eq '-';

 	    for my $interface ( split_list $interfacelist, 'interface' ) {

-		my $rulein = '';
-		my $ruleout = '';
 		my $iface = $interface;

 		fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

-		unless ( $interfaceref->{root} ) {
-		    $rulein  = match_source_dev( $interface );
-		    $ruleout = match_dest_dev( $interface );
-		    $interface = $interfaceref->{name};
-		}
+		my @rule = do_iproto( $proto, $dport, $sport );

-		if ( $type eq 'DNAT' ) {
-		    add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
-		} elsif ( $type eq 'SNAT' ) {
-		    add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
+		unless ( $type =~ /:/ ) {
+		    my @rulein;
+		    my @ruleout;
+		    
+		    validate_net $net1, 0;
+		    validate_net $net2, 0;
+
+		    unless ( $interfaceref->{root} ) {
+			@rulein  = imatch_source_dev( $interface );
+			@ruleout = imatch_dest_dev( $interface );
+			$interface = $interfaceref->{name};
+		    }
+
+		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
+
+		    if ( $type eq 'DNAT' ) {
+			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) , 
+					  j => 'NETMAP' ,
+					  "--to $net2",
+					  $net1 ,
+					  @rulein  ,
+					  imatch_source_net( $net3 ) );
+		    } elsif ( $type eq 'SNAT' ) {
+			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
+					   j => 'NETMAP' ,
+					   "--to $net2" ,
+					   $net1 ,
+					   @ruleout ,
+					   imatch_dest_net( $net3 ) );
+		    } else {
+			fatal_error "Invalid type ($type)";
+		    }
+		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
+		    my ( $target , $chain ) = ( $1, $2 );
+		    my $table = 'raw';
+		    my @match;
+
+		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
+
+		    validate_net $net2, 0;
+
+		    unless ( $interfaceref->{root} ) {
+			@match = imatch_dest_dev(  $interface ); 
+			$interface = $interfaceref->{name};
+		    }
+			
+		    if ( $chain eq 'P' ) {
+			$chain = prerouting_chain $interface;
+			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
+		    } elsif ( $chain eq 'O' ) {
+			$chain = output_chain $interface;
+		    } else {
+			$chain = postrouting_chain $interface;
+			$table = 'rawpost';
+		    }
+
+		    my $chainref = ensure_chain( $table, $chain );
+
+		    
+		    if ( $target eq 'DNAT' ) {
+			dest_iexclusion( $chainref ,
+					 j => 'RAWDNAT' ,
+					 "--to-dest $net2" ,
+					 $net1 ,
+					 imatch_source_net( $net3 ) ,
+					 @rule ,
+					 @match
+				       );
+		    } else {
+			source_iexclusion( $chainref ,
+					   j  => 'RAWSNAT' ,
+					   "--to-source $net2" ,
+					   $net1 ,
+					   imatch_dest_net( $net3 ) ,
+					   @rule ,
+					   @match );
+		    }
 		} else {
-		    fatal_error "Invalid type ($type)";
+		    fatal_error 'TYPE must be specified' if $type eq '-';
+		    fatal_error "Invalid TYPE ($type)";
 		}
-
+		
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -40,8 +40,8 @@ our @EXPORT = qw(
 		 setup_source_routing
 		 setup_forwarding
 		 );
-our @EXPORT_OK = qw( );
-our $VERSION = '4.4_7';
+our @EXPORT_OK = qw( setup_interface_proc );
+our $VERSION = 'MODULEVERSION';

 #
 # ARP Filtering
@@ -277,4 +277,44 @@ sub setup_forwarding( $$ ) {
    }
 }

+sub setup_interface_proc( $ ) {
+    my $interface = shift;
+    my $physical  = get_physical $interface;
+    my $value;
+    my @emitted;
+
+    if ( interface_has_option( $interface, 'arp_filter' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_filter";
+    }
+	 
+    if ( interface_has_option( $interface, 'arp_ignore' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_ignore";
+    }
+
+    if ( interface_has_option( $interface, 'routefilter' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/rp_filter";
+    }
+
+    if ( interface_has_option( $interface, 'logmartians' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/log_martians";
+    }
+
+    if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
+    }
+
+    if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
+    }
+
+    if ( @emitted ) {
+	emit( 'if [ $COMMAND = enable ]; then' );
+	push_indent;
+	emit "$_" for @emitted;
+	pop_indent;
+	emit "fi\n";
+    }
+}
+	 
+
 1;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -35,7 +35,7 @@ our @EXPORT = qw(
 		  );

 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_19';
+our $VERSION = 'MODULEVERSION';

 our @proxyarp;

@@ -84,7 +84,7 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
 	    emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address/32 dev $physical";
 	} else {
 	    emit( 'if [ -z "$g_noroutes" ]; then',
-		  "    qt \$IP -6 route del $address/128 dev $physical".
+		  "    qt \$IP -6 route del $address/128 dev $physical",
 		  "    run_ip route add $address/128 dev $physical",
 		  'fi'
 		);
@@ -122,13 +122,15 @@ sub setup_proxy_arp() {

 	while ( read_a_line ) {

-	    my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, $file_opt;
+	    my ( $address, $interface, $external, $haveroute, $persistent ) =
+		split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };

 	    if ( $first_entry ) {
 		progress_message2 "$doing $fn...";
 		$first_entry = 0;
 	    }

+	    fatal_error 'EXTERNAL must be specified' if $external eq '-';
 	    fatal_error "Unknown interface ($external)" unless known_interface $external;
 	    fatal_error "Wildcard interface ($external) not allowed" if $external =~ /\+$/;
 	    $reset{$external} = 1 unless $set{$external};
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -34,14 +34,16 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = '4.4_14';
+our $VERSION = 'MODULEVERSION';
+
+my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );

 #
 # Notrack
 #
-sub process_notrack_rule( $$$$$$ ) {
+sub process_notrack_rule( $$$$$$$ ) {

-    my ($source, $dest, $proto, $ports, $sports, $user ) = @_;
+    my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_;

    $proto  = ''    if $proto  eq 'any';
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
@@ -55,42 +57,110 @@ sub process_notrack_rule( $$$$$$ ) {
    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
    require_capability 'RAW_TABLE', 'Notrack rules', '';

+    my $target = $action;
+    my $exception_rule = '';
    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );

-    expand_rule
-	$chainref ,
-	$restriction ,
-	$rule ,
-	$source ,
-	$dest ,
-	'' ,
-	'NOTRACK' ,
-	'' ,
-	'NOTRACK' ,
-	'' ;
+    unless ( $action eq 'NOTRACK' ) {
+	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;

+	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
+
+	require_capability 'CT_TARGET', 'CT entries in the notrack file', '';
+
+	if ( $option eq 'notrack' ) {
+	    fatal_error "Invalid notrack ACTION ( $action )" if supplied $args;
+	    $action = 'CT --notrack';
+	} else {
+	    fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;
+
+	    if ( $option eq 'helper' ) {
+		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
+		validate_helper( $args, $proto );
+		$action = "CT --helper $args";
+		$exception_rule = do_proto( $proto, '-', '-' );
+	    } elsif ( $option eq 'ctevents' ) {
+		for ( split ',', $args ) {
+		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
+		}
+
+		$action = "CT --ctevents $args";
+	    } elsif ( $option eq 'expevent' ) {
+		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
+	    } elsif ( $option eq 'zone' ) {
+		fatal_error "Invalid zone id ($args)" unless $args =~ /^\d+$/;
+	    } else {
+		fatal_error "Invalid CT option ($option)";
+	    }
+	}
+    }
+
+    expand_rule( $chainref ,
+		 $restriction ,
+		 $rule,
+		 $source ,
+		 $dest ,
+		 '' ,
+		 $action ,
+		 '' ,
+		 $target ,
+		 $exception_rule );
+    
    progress_message "  Notrack rule \"$currentline\" $done";

    $globals{UNTRACKED} = 1;
 }

+sub process_format( $ ) {
+    my $format = shift;
+
+    fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;
+
+    $format;
+}
+
 sub setup_notrack() {

+    my $format = 1;
+    my $action = 'NOTRACK';
+
    if ( my $fn = open_file 'notrack' ) {

 	first_entry "$doing $fn...";

 	my $nonEmpty = 0;

-	while ( read_a_line ) {
+	while ( read_a_line ) {	    
+	    my ( $source, $dest, $proto, $ports, $sports, $user );

-	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';
-
-	    if ( $source eq 'COMMENT' ) {
-		process_comment;
+	    if ( $format == 1 ) {
+		( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+		
+		if ( $source eq 'FORMAT' ) {
+		    $format = process_format( $dest );
+		    next;
+		}
+		
+		if ( $source eq 'COMMENT' ) {
+		    process_comment;
+		    next;
+		}	    
 	    } else {
-		process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
+		( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
+		
+		if ( $action eq 'FORMAT' ) {
+		    $format = process_format( $source );
+		    $action = 'NOTRACK';
+		    next;
+		}
+		
+		if ( $action eq 'COMMENT' ) {
+		    process_comment;
+		    next;
+		}	    
 	    }
+	    
+	    process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user;
 	}

 	clear_comment;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = '4.4_18';
+our $VERSION = 'MODULEVERSION';

 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -62,22 +62,22 @@ sub setup_tunnels() {
 	    }
 	}

-	my $options = $globals{UNTRACKED} ? "-m state --state NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
+	my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';

-	add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p 50 $dest   -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => 50, @$source;
+	add_tunnel_rule $outchainref, p => 50, @$dest;

 	unless ( $noah ) {
-	    add_tunnel_rule $inchainref,  "-p 51 $source -j ACCEPT";
-	    add_tunnel_rule $outchainref, "-p 51 $dest   -j ACCEPT";
+	    add_tunnel_rule $inchainref,  p => 51, @$source;
+	    add_tunnel_rule $outchainref, p => 51, @$dest;
 	}

 	if ( $kind eq 'ipsec' ) {
-	    add_tunnel_rule $inchainref,  "-p udp $source --dport 500 $options";
-	    add_tunnel_rule $outchainref, "-p udp $dest   --dport 500 $options";
+	    add_tunnel_rule $inchainref,  p => 'udp --dport 500', @$source, @options;
+	    add_tunnel_rule $outchainref, p => 'udp --dport 500', @$dest,   @options;
 	} else {
-	    add_tunnel_rule $inchainref,  "-p udp $source -m multiport --dports 500,4500 $options";
-	    add_tunnel_rule $outchainref, "-p udp $dest   -m multiport --dports 500,4500 $options";
+	    add_tunnel_rule $inchainref,  p => 'udp', @$source, multiport => '--dports 500,4500', @options;
+	    add_tunnel_rule $outchainref, p => 'udp', @$dest,   multiport => '--dports 500,4500', @options;
 	}

 	unless ( $gatewayzones eq '-' ) {
@@ -88,21 +88,21 @@ sub setup_tunnels() {
 		$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );

 		unless ( have_ipsec ) {
-		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
-		    add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
+		    add_tunnel_rule $inchainref,  p => 50, @$source;
+		    add_tunnel_rule $outchainref, p => 50, @$dest;

 		    unless ( $noah ) {
-			add_tunnel_rule $inchainref,  "-p 51 $source -j ACCEPT";
-			add_tunnel_rule $outchainref, "-p 51 $dest -j ACCEPT";
+			add_tunnel_rule $inchainref,  p => 51, @$source;
+			add_tunnel_rule $outchainref, p => 51, @$dest;
 		    }
 		}

 		if ( $kind eq 'ipsec' ) {
-		    add_tunnel_rule $inchainref,  "-p udp $source --dport 500 $options";
-		    add_tunnel_rule $outchainref, "-p udp $dest --dport 500 $options";
+		    add_tunnel_rule $inchainref,  p => 'udp --dport 500', @$source, @options;
+		    add_tunnel_rule $outchainref, p => 'udp --dport 500', @$dest,   @options;
 		} else {
-		    add_tunnel_rule $inchainref,  "-p udp $source -m multiport --dports 500,4500 $options";
-		    add_tunnel_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
+		    add_tunnel_rule $inchainref,  p => 'udp', @$source, multiport => '--dports 500,4500', @options;
+		    add_tunnel_rule $outchainref, p => 'udp', @$dest,   multiport => '--dports 500,4500', @options;
 		}
 	    }
 	}
@@ -111,24 +111,24 @@ sub setup_tunnels() {
    sub setup_one_other {
 	my ($inchainref, $outchainref, $source, $dest , $protocol) = @_;

-	add_tunnel_rule $inchainref ,  "-p $protocol $source -j ACCEPT";
-	add_tunnel_rule $outchainref , "-p $protocol $dest -j ACCEPT";
+	add_tunnel_rule $inchainref ,  p => $protocol, @$source;
+	add_tunnel_rule $outchainref , p => $protocol, @$dest;
    }

    sub setup_pptp_client {
 	my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;

-	add_tunnel_rule $outchainref,  "-p 47 $dest -j ACCEPT";
-	add_tunnel_rule $inchainref,   "-p 47 $source -j ACCEPT";
-	add_tunnel_rule $outchainref,  "-p tcp --dport 1723 $dest -j ACCEPT"
-	}
+	add_tunnel_rule $outchainref,  p => 47, @$dest;
+	add_tunnel_rule $inchainref,   p => 47, @$source;
+	add_tunnel_rule $outchainref,  p => 'tcp --dport 1723', @$dest;
+    }

    sub setup_pptp_server {
 	my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;

-	add_tunnel_rule $inchainref,  "-p 47 $dest -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p 47 $source -j ACCEPT";
-	add_tunnel_rule $inchainref,  "-p tcp --dport 1723 $dest -j ACCEPT"
+	add_tunnel_rule $inchainref,  p => 47, @$dest;
+	add_tunnel_rule $outchainref, p => 47, @$source;
+	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$dest
 	}

    sub setup_one_openvpn {
@@ -141,10 +141,10 @@ sub setup_tunnels() {

 	fatal_error "Invalid port ($p:$remainder)" if defined $remainder;

-	if ( defined $p && $p ne '' ) {
+	if ( supplied $p ) {
 	    $port = $p;
 	    $protocol = $proto;
-	} elsif ( defined $proto && $proto ne '' ) {
+	} elsif ( supplied $proto ) {
 	    if ( "\L$proto" =~ /udp|tcp/ ) {
 		$protocol = $proto;
 	    } else {
@@ -152,8 +152,8 @@ sub setup_tunnels() {
 	    }
 	}

-	add_tunnel_rule $inchainref,  "-p $protocol $source --dport $port -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => "$protocol --dport $port", @$source;
+	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;;
    }

    sub setup_one_openvpn_client {
@@ -166,10 +166,10 @@ sub setup_tunnels() {

 	fatal_error "Invalid port ($p:$remainder)" if defined $remainder;

-	if ( defined $p && $p ne '' ) {
+	if ( supplied $p ) {
 	    $port = $p;
 	    $protocol = $proto;
-	} elsif ( defined $proto && $proto ne '' ) {
+	} elsif ( supplied $proto ) {
 	    if ( "\L$proto" =~ /udp|tcp/ ) {
 		$protocol = $proto;
 	    } else {
@@ -177,8 +177,8 @@ sub setup_tunnels() {
 	    }
 	}

-	add_tunnel_rule $inchainref,  "-p $protocol $source --sport $port -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => "$protocol --sport $port", @$source;
+	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;
    }

    sub setup_one_openvpn_server {
@@ -191,10 +191,10 @@ sub setup_tunnels() {

 	fatal_error "Invalid port ($p:$remainder)" if defined $remainder;

-	if ( defined $p && $p ne '' ) {
+	if ( supplied $p ) {
 	    $port = $p;
 	    $protocol = $proto;
-	} elsif ( defined $proto && $proto ne '' ) {
+	} elsif ( supplied $proto ) {
 	    if ( "\L$proto" =~ /udp|tcp/ ) {
 		$protocol = $proto;
 	    } else {
@@ -202,8 +202,8 @@ sub setup_tunnels() {
 	    }
 	}

-	add_tunnel_rule $inchainref,  "-p $protocol $source --dport $port -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p $protocol $dest --sport $port -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => "$protocol --dport $port" , @$source;
+	add_tunnel_rule $outchainref, p => "$protocol --sport $port",  @$dest;
    }

    sub setup_one_l2tp {
@@ -211,8 +211,8 @@ sub setup_tunnels() {

 	fatal_error "Unknown option ($1)" if $kind =~ /^.*?:(.*)$/;

-	add_tunnel_rule $inchainref,  "-p udp $source --sport 1701 --dport 1701 -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p udp $dest   --sport 1701 --dport 1701 -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => 'udp --sport 1701 --dport 1701', @$source;
+	add_tunnel_rule $outchainref, p => 'udp --sport 1701 --dport 1701', @$dest;
    }

    sub setup_one_generic {
@@ -229,8 +229,8 @@ sub setup_tunnels() {
 	    ( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/;
 	}

-	add_tunnel_rule $inchainref,  "-p $protocol $source $port -j ACCEPT";
-	add_tunnel_rule $outchainref, "-p $protocol $dest $port -j ACCEPT";
+	add_tunnel_rule $inchainref,  p => "$protocol $port", @$source;
+	add_tunnel_rule $outchainref, p => "$protocol $port", @$dest;
    }

    sub setup_one_tunnel($$$$) {
@@ -238,28 +238,29 @@ sub setup_tunnels() {

 	my $zonetype = zone_type( $zone );

-	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
+	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype & ( FIREWALL | BPORT );

 	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
 	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );

 	$gateway = ALLIP if $gateway eq '-';

-	my $source = match_source_net $gateway;
-	my $dest   = match_dest_net   $gateway;
+	my @source = imatch_source_net $gateway;
+	my @dest   = imatch_dest_net   $gateway;

-	my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, $source, $dest , $gatewayzones ] } ,
-			    'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, $source, $dest , $gatewayzones ] } ,
-			    'ipip'          => { function => \&setup_one_other,          params   => [ $source, $dest , 4 ] } ,
-			    'gre'           => { function => \&setup_one_other,          params   => [ $source, $dest , 47 ] } ,
-			    '6to4'          => { function => \&setup_one_other,          params   => [ $source, $dest , 41 ] } ,
-			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, $source, $dest ] } ,
-			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, $source, $dest ] } ,
-			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, $source, $dest ] } ,
-			    'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, $source, $dest ] } ,
-			    'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, $source, $dest ] } ,
-			    'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, $source, $dest ] } ,
-			    'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, $source, $dest ] } ,
+	my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+			    'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+			    'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
+			    'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
+			    '6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+			    '6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
+			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
+			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
+			    'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
+			    'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
+			    'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, \@source, \@dest ] } ,
+			    'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, \@source, \@dest ] } ,
 			  );

 	$kind = "\L$kind";
@@ -284,7 +285,10 @@ sub setup_tunnels() {

 	while ( read_a_line ) {

-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateway_zone => 3 };
+
+	    fatal_error 'TYPE must be specified' if $kind eq '-';
+	    fatal_error 'ZONE must be specified' if $zone eq '-';

 	    if ( $kind eq 'COMMENT' ) {
 		process_comment;
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -50,6 +50,7 @@ our @EXPORT = qw( NOTHING
 		  defined_zone
 		  zone_type
 		  zone_interfaces
+		  zone_mark
 		  all_zones
 		  all_parent_zones
 		  complex_zones
@@ -60,6 +61,7 @@ our @EXPORT = qw( NOTHING
 		  chain_base
 		  validate_interfaces_file
 		  all_interfaces
+		  all_real_interfaces
 		  all_bridges
 		  interface_number
 		  find_interface
@@ -73,7 +75,9 @@ our @EXPORT = qw( NOTHING
 		  find_interfaces_by_option
 		  find_interfaces_by_option1
 		  get_interface_option
+		  interface_has_option
 		  set_interface_option
+		  set_interface_provider
 		  interface_zones
 		  verify_required_interfaces
 		  compile_updown
@@ -85,7 +89,7 @@ our @EXPORT = qw( NOTHING
 		 );

 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_20';
+our $VERSION = 'MODULEVERSION';

 #
 # IPSEC Option types
@@ -96,6 +100,14 @@ use constant { NOTHING    => 'NOTHING',
 	       IPSECPROTO => 'ah|esp|ipcomp',
 	       IPSECMODE  => 'tunnel|transport'
 	       };
+
+#
+# Option columns
+#
+use constant { IN_OUT     => 1,
+	       IN         => 2,
+	       OUT        => 3 };
+
 #
 # Zone Table.
 #
@@ -131,6 +143,7 @@ use constant { NOTHING    => 'NOTHING',
 #
 my @zones;
 my %zones;
+my %zonetypes;
 my $firewall_zone;

 my  %reservedName = ( all => 1,
@@ -176,15 +189,19 @@ my %physical;
 my %basemap;
 my %mapbase;
 my $family;
+my $upgrade;
 my $have_ipsec;
 my $baseseq;
 my $minroot;
+my $zonemark;
+my $zonemarkincr;
+my $zonemarklimit;

 use constant { FIREWALL => 1,
 	       IP       => 2,
-	       BPORT    => 3,
-	       IPSEC    => 4,
-	       VSERVER  => 5 };
+	       BPORT    => 4,
+	       IPSEC    => 8,
+	       VSERVER  => 16 };

 use constant { SIMPLE_IF_OPTION   => 1,
 	       BINARY_IF_OPTION   => 2,
@@ -220,8 +237,8 @@ my %validhostoptions;
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $ ) {
-    $family = shift;
+sub initialize( $$ ) {
+    ( $family , $upgrade ) = @_;
    @zones = ();
    %zones = ();
    $firewall_zone = '';
@@ -274,6 +291,7 @@ sub initialize( $ ) {
 			     destonly => 1,
 			     sourceonly => 1,
 			    );
+	%zonetypes = ( 1 => 'firewall', 2 => 'ipv4', 4 => 'bport4', 8 => 'ipsec4', 16 => 'vserver' );
    } else {
 	%validinterfaceoptions = (  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
@@ -299,6 +317,7 @@ sub initialize( $ ) {
 			     routeback => 1,
 			     tcpflags => 1,
 			    );
+	%zonetypes = ( 1 => 'firewall', 2 => 'ipv6', 4 => 'bport6', 8 => 'ipsec4', 16 => 'vserver' );
    }
 }

@@ -308,9 +327,10 @@ sub initialize( $ ) {
 # => mss   = <MSS setting>
 # => ipsec = <-m policy arguments to match options>
 #
-sub parse_zone_option_list($$\$)
+sub parse_zone_option_list($$\$$)
 {
    my %validoptions = ( mss          => NUMERIC,
+			 nomark       => NOTHING,
 			 blacklist    => NOTHING,
 			 strict       => NOTHING,
 			 next         => NOTHING,
@@ -322,13 +342,13 @@ sub parse_zone_option_list($$\$)
 			 "tunnel-dst" => NETWORK,
 		       );

-    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8 };
+    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
    #
    # Hash of options that have their own key in the returned hash.
    #
-    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW );
+    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );

-    my ( $list, $zonetype, $complexref ) = @_;
+    my ( $list, $zonetype, $complexref, $column ) = @_;
    my %h;
    my $options = '';
    my $fmt;
@@ -361,11 +381,12 @@ sub parse_zone_option_list($$\$)
 	    my $key = $key{$e};

 	    if ( $key ) {
-		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
+		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
+		fatal_error "Opeion '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
 		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
-		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
+		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype & IPSEC;
 		$options .= $invert;
 		$options .= "--$e ";
 		$options .= "$val "if defined $val;
@@ -401,19 +422,14 @@ sub process_zone( \$ ) {

    my @parents;

-    my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
+    my ($zone, $type, $options, $in_options, $out_options ) =
+	split_line 'zones file', { zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 };
+
+    fatal_error 'ZONE must be specified' if $zone eq '-';

    if ( $zone =~ /(\w+):([\w,]+)/ ) {
 	$zone = $1;
 	@parents = split_list $2, 'zone';
-
-	for my $p ( @parents ) {
-	    fatal_error "Invalid Parent List ($2)" unless $p;
-	    fatal_error "Unknown parent zone ($p)" unless $zones{$p};
-	    fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL;
-	    fatal_error 'Subzones of a Vserver zone not allowed' if $zones{$p}{type} == VSERVER;
-	    push @{$zones{$p}{children}}, $zone;
-	}
    }

    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH};
@@ -426,10 +442,11 @@ sub process_zone( \$ ) {
 	$$ip = 1;
    } elsif ( $type =~ /^ipsec([46])?$/i ) {
 	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
+	require_capability 'POLICY_MATCH' , 'IPSEC zones', '';
 	$type = IPSEC;
    } elsif ( $type =~ /^bport([46])?$/i ) {
 	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
-	warning_message "Bridge Port zones should have a parent zone" unless @parents;
+	warning_message "Bridge Port zones should have a parent zone" unless @parents || $config{ZONE_BITS};
 	$type = BPORT;
 	push @bport_zones, $zone;
    } elsif ( $type eq 'firewall' ) {
@@ -448,11 +465,18 @@ sub process_zone( \$ ) {
 	fatal_error "Invalid zone type ($type)";
    }

-    if ( $type eq IPSEC ) {
-	require_capability 'POLICY_MATCH' , 'IPSEC zones', '';
-	for ( @parents ) {
-	    set_super( $zones{$_} ) unless $zones{$_}{type} == IPSEC;
-	}
+    for my $p ( @parents ) {
+	fatal_error "Invalid Parent List ($2)" unless $p;
+	fatal_error "Unknown parent zone ($p)" unless $zones{$p};
+
+	my $ptype = $zones{$p}{type};
+
+	fatal_error 'Subzones of a Vserver zone not allowed' if $ptype & VSERVER;
+	fatal_error 'Subzones of firewall zone not allowed'  if $ptype & FIREWALL;
+
+	set_super( $zones{$p} ) if $type & IPSEC && ! ( $ptype & IPSEC );
+
+	push @{$zones{$p}{children}}, $zone;
    }

    my $complex = 0;
@@ -460,10 +484,10 @@ sub process_zone( \$ ) {
    my $zoneref = $zones{$zone} = { type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
-				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex ) ,
-						    in      => parse_zone_option_list( $in_options , $type , $complex ) ,
-						    out     => parse_zone_option_list( $out_options , $type , $complex ) ,
-						    complex => ( $type == IPSEC || $complex ) ,
+				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
+						    in      => parse_zone_option_list( $in_options , $type , $complex , IN ) ,
+						    out     => parse_zone_option_list( $out_options , $type , $complex , OUT ) ,
+						    complex => ( $type & IPSEC || $complex ) ,
 						    nested  => @parents > 0 ,
 						    super   => 0 ,
 						  } ,
@@ -472,6 +496,28 @@ sub process_zone( \$ ) {
 				    hosts      => {}
 				  };

+    if ( $config{ZONE_BITS} ) {
+	my $mark;
+
+	if ( $type == FIREWALL ) {
+	    $mark = 0;
+	} else {
+	    unless ( $zoneref->{options}{in_out}{nomark} ) {
+		fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
+		$mark      = $zonemark;
+		$zonemark += $zonemarkincr;
+		$zoneref->{options}{complex} = 1;
+	    }
+	}
+
+	if ( $zoneref->{options}{in_out}{nomark} ) {
+	    progress_message_nocompress "   Zone $zone:\tmark value not assigned";
+	} else {
+	    progress_message_nocompress "   Zone $zone:\tmark value " . in_hex( $zoneref->{mark} = $mark );
+	}
+    }
+	
+
    if ( $zoneref->{options}{in_out}{blacklist} ) {
 	for ( qw/in out/ ) {
 	    unless ( $zoneref->{options}{$_}{blacklist} ) {
@@ -493,6 +539,10 @@ sub determine_zones()
    my @z;
    my $ip = 0;

+    $zonemark      = 1 << $globals{ZONE_OFFSET};
+    $zonemarkincr  = $zonemark;
+    $zonemarklimit = $zonemark << $config{ZONE_BITS};
+
    if ( my $fn = open_file 'zones' ) {
 	first_entry "$doing $fn...";
 	push @z, process_zone( $ip ) while read_a_line;
@@ -531,7 +581,7 @@ sub determine_zones()
 #
 sub haveipseczones() {
    for my $zoneref ( values %zones ) {
-	return 1 if $zoneref->{type} == IPSEC;
+	return 1 if $zoneref->{type} & IPSEC;
    }

    0;
@@ -544,22 +594,13 @@ sub zone_report()
 {
    progress_message2 "Determining Hosts in Zones...";

-    my @translate;
-
-    if ( $family == F_IPV4 ) {
-	@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
-    } else {
-	@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
-    }
-
-    for my $zone ( @zones )
-    {
+    for my $zone ( @zones ) {
 	my $zoneref   = $zones{$zone};
 	my $hostref   = $zoneref->{hosts};
 	my $type      = $zoneref->{type};
 	my $optionref = $zoneref->{options};

-	progress_message_nocompress "   $zone ($translate[$type])";
+	progress_message_nocompress "   $zone ($zonetypes{$type})";

 	my $printed = 0;

@@ -570,11 +611,14 @@ sub zone_report()
 		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
+
 		    for my $groupref ( @$arrayref ) {
 			my $hosts      = $groupref->{hosts};
+
 			if ( $hosts ) {
 			    my $grouplist  = join ',', ( @$hosts );
 			    my $exclusions = join ',', @{$groupref->{exclusions}};
+
 			    $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;

 			    if ( $family == F_IPV4 ) {
@@ -585,13 +629,12 @@ sub zone_report()
 			    $printed = 1;
 			}
 		    }
-
 		}
 	    }
 	}

 	unless ( $printed ) {
-	    fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge};
+	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
 	}

@@ -601,16 +644,7 @@ sub zone_report()
 #
 # This function is called to create the contents of the ${VARDIR}/zones file
 #
-sub dump_zone_contents()
-{
-    my @xlate;
-
-    if ( $family == F_IPV4 ) {
-	@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
-    } else {
-	@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
-    }
-
+sub dump_zone_contents() {
    for my $zone ( @zones )
    {
 	my $zoneref    = $zones{$zone};
@@ -618,9 +652,10 @@ sub dump_zone_contents()
 	my $type       = $zoneref->{type};
 	my $optionref  = $zoneref->{options};

-	my $entry      =  "$zone $xlate[$type]";
+	my $entry      =  "$zone $zonetypes{$type}";

-	$entry .= ":$zoneref->{bridge}" if $type == BPORT;
+	$entry .= ":$zoneref->{bridge}" if $type & BPORT;
+	$entry .= ( " mark=" . in_hex( $zoneref->{mark} ) ) if exists $zoneref->{mark};

 	if ( $hostref ) {
 	    for my $type ( sort keys %$hostref ) {
@@ -629,6 +664,7 @@ sub dump_zone_contents()
 		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
+
 		    for my $groupref ( @$arrayref ) {
 			my $hosts     = $groupref->{hosts};

@@ -692,7 +728,7 @@ sub add_group_to_zone($$$$$)

 	$interfaceref->{nets}++;

-	fatal_error "Invalid Host List" unless defined $host and $host ne '';
+	fatal_error "Invalid Host List" unless supplied $host;

 	if ( substr( $host, 0, 1 ) eq '!' ) {
 	    fatal_error "Only one exclusion allowed in a host list" if $switched;
@@ -720,7 +756,7 @@ sub add_group_to_zone($$$$$)
 	}

 	if ( substr( $host, 0, 1 ) eq '+' ) {
-	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+[a-zA-Z]\w*$/;
+	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z]\w*$/;
 	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
 	} else {
 	    validate_host $host, 0;
@@ -731,7 +767,7 @@ sub add_group_to_zone($$$$$)

    $zoneref->{options}{in_out}{routeback} = 1 if $options->{routeback};

-    my $gtype = $type == IPSEC ? 'ipsec' : 'ip';
+    my $gtype = $type & IPSEC ? 'ipsec' : 'ip';

    $hostsref     = ( $zoneref->{hosts}           || ( $zoneref->{hosts} = {} ) );
    $typeref      = ( $hostsref->{$gtype}         || ( $hostsref->{$gtype} = {} ) );
@@ -743,7 +779,7 @@ sub add_group_to_zone($$$$$)

    push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
-			     ipsec   => $type == IPSEC ? 'ipsec' : 'none' ,
+			     ipsec   => $type & IPSEC ? 'ipsec' : 'none' ,
 			     exclusions => \@exclusions };

    $interfaces{$interface}{options}{routeback} ||= ( $type != IPSEC && $options->{routeback} );
@@ -771,6 +807,12 @@ sub zone_interfaces( $ ) {
    find_zone( $_[0] )->{interfaces};
 }

+sub zone_mark( $ ) {
+    my $zoneref = find_zone( $_[0] );
+    fatal_error "Zone $_[0] has no assigned mark" unless exists $zoneref->{mark};
+    $zoneref->{mark};
+}
+
 sub defined_zone( $ ) {
    $zones{$_[0]};
 }
@@ -780,11 +822,11 @@ sub all_zones() {
 }

 sub off_firewall_zones() {
-   grep ( ! ( $zones{$_}{type} == FIREWALL || $zones{$_}{type} == VSERVER )  ,  @zones );
+   grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }

 sub non_firewall_zones() {
-   grep ( $zones{$_}{type} != FIREWALL  ,  @zones );
+   grep ( ! ( $zones{$_}{type} & FIREWALL ) ,  @zones );
 }

 sub all_parent_zones() {
@@ -800,7 +842,7 @@ sub complex_zones() {
 }

 sub vserver_zones() {
-    grep ( $zones{$_}{type} == VSERVER, @zones );
+    grep ( $zones{$_}{type} & VSERVER, @zones );
 }

 sub firewall_zone() {
@@ -870,7 +912,7 @@ sub process_interface( $$ ) {
    my ( $nextinum, $export ) = @_;
    my $netsref   = '';
    my $filterref = [];
-    my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
+    my ($zone, $originalinterface, $bcasts, $options ) = split_line 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
    my $zoneref;
    my $bridge = '';

@@ -883,21 +925,23 @@ sub process_interface( $$ ) {
 	fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
    }

+    fatal_error 'INTERFACE must be specified' if $originalinterface eq '-';
+
    my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;

    fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;

-    if ( defined $port && $port ne '' ) {
+    if ( supplied $port ) {
 	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
-	fatal_error "Your iptables is not recent enough to support bridge ports" unless have_capability( 'KLUDGEFREE' );
+	fatal_error "Your iptables is not recent enough to support bridge ports" unless $globals{KLUDGEFREE};

 	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
 	fatal_error "Duplicate Interface ($port)" if $interfaces{$port};

 	fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
 	$interfaces{$interface}{ports}++;
-	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
+	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && ! ( $zoneref->{type} & BPORT );

 	if ( $zone ) {
 	    if ( $zoneref->{bridge} ) {
@@ -906,15 +950,15 @@ sub process_interface( $$ ) {
 		$zoneref->{bridge} = $interface;
 	    }

-	    fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} == VSERVER;
+	    fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} & VSERVER;
 	}

 	$bridge = $interface;
 	$interface = $port;
    } else {
 	fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
-	fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} == BPORT;
-	fatal_error "Vserver zones may not be associated with interfaces" if $zone && $zoneref->{type} == VSERVER;
+	fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} & BPORT;
+	fatal_error "Vserver zones may not be associated with interfaces" if $zone && $zoneref->{type} & VSERVER;

 	$bridge = $interface;
    }
@@ -980,7 +1024,7 @@ sub process_interface( $$ ) {
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};

 	    if ( $zone ) {
-		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} == VSERVER && ! ( $type & IF_OPTION_VSERVER );
+		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER );
 	    } else {
 		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
 	    }
@@ -1087,7 +1131,7 @@ sub process_interface( $$ ) {
 	fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};

 	if ( $netsref eq 'dynamic' ) {
-	    my $ipset = "${zone}_" . chain_base $physical;
+	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
 	    $netsref = [ "+$ipset" ];
 	    $ipsets{$ipset} = 1;
 	}
@@ -1265,6 +1309,13 @@ sub all_interfaces() {
    @interfaces;
 }

+#
+# Return all non-vserver interfaces
+#
+sub all_real_interfaces() {
+    grep $_ ne '%vserver%', @interfaces;
+}
+
 #
 # Return a list of bridges
 #
@@ -1300,7 +1351,7 @@ sub physical_name( $ ) {

    $devref ? $devref->{physical} : $device;
 }
-
+    
 #
 # Returns true if there are bridge port zones defined in the config
 #
@@ -1375,8 +1426,7 @@ sub find_interfaces_by_option1( $ ) {
    my @ints = ();
    my $wild = 0;

-    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} }
-			( grep $interfaces{$_}{root}, keys %interfaces ) ) {
+    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } keys %interfaces ) {
 	my $interfaceref = $interfaces{$interface};

 	next unless defined $interfaceref->{physical};
@@ -1410,6 +1460,22 @@ sub get_interface_option( $$ ) {
    
 }

+#
+# Return the value of an option for an interface
+#
+sub interface_has_option( $$\$ ) {
+    my ( $interface, $option, $value ) = @_;
+
+    my $ref = $interfaces{$interface};
+
+    $ref = known_interface( $interface ) unless $ref;
+
+    if ( exists $ref->{options}{$option} ) {
+	$$value = $ref->{options}{$option};
+	1;
+    }
+}
+
 #
 # Set an option for an interface
 #
@@ -1602,7 +1668,7 @@ sub compile_updown() {
    if ( @$ignore ) {
 	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$ignore;

-	$interfaces =~ s/\+/*/;
+	$interfaces =~ s/\+/*/g;

 	emit( "$interfaces)",
 	      '    progress_message3 "$COMMAND on interface $1 ignored"',
@@ -1614,7 +1680,7 @@ sub compile_updown() {
    if ( @$required ) {
 	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$required;

-	my $wildcard = ( $interfaces =~ s/\+/*/ );
+	my $wildcard = ( $interfaces =~ s/\+/*/g );

 	emit( "$interfaces)",
 	      '    if [ "$COMMAND" = up ]; then' );
@@ -1653,17 +1719,26 @@ sub compile_updown() {
    }

    if ( @$optional ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$optional;
+	my @interfaces = map $interfaces{$_}->{physical}, @$optional;
+	my $interfaces = join '|', @interfaces; 

-	$interfaces =~ s/\+/*/;
+	if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
+	    emit( "$interfaces)",
+		  '    if [ "$COMMAND" = up ]; then',
+		  '        echo 0 > ${VARDIR}/${1}.state',
+		  '    else',
+		  '        echo 1 > ${VARDIR}/${1}.state',
+		  '    fi' );
+	} else {
+	    emit( "$interfaces)",
+		  '    if [ "$COMMAND" = up ]; then',
+		  "        echo 0 > \${VARDIR}/$interfaces.state",
+		  '    else',
+		  "        echo 1 > \${VARDIR}/$interfaces.state",
+		  '    fi' );
+	}

-	emit( "$interfaces)",
-	      '    if [ "$COMMAND" = up ]; then',
-	      '        echo 0 > ${VARDIR}/${1}.state',
-	      '    else',
-	      '        echo 1 > ${VARDIR}/${1}.state',
-	      '    fi',
-	      '',
+	emit( '',
 	      '    if [ "$state" = started ]; then',
 	      '        COMMAND=restart',
 	      '        progress_message3 "$g_product attempting restart"',
@@ -1711,7 +1786,10 @@ sub compile_updown() {
 #
 sub process_host( ) {
    my $ipsec = 0;
-    my ($zone, $hosts, $options ) = split_line 2, 3, 'hosts file';
+    my ($zone, $hosts, $options ) = split_line 'hosts file', { zone => 0, hosts => 1, options => 2 };
+
+    fatal_error 'ZONE must be specified'  if $zone eq '-';
+    fatal_error 'HOSTS must be specified' if $hosts eq '-';

    my $zoneref = $zones{$zone};
    my $type    = $zoneref->{type};
@@ -1725,27 +1803,29 @@ sub process_host( ) {
 	if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
 	    $interface = $1;
 	    $hosts = $2;
-
-	    if ( $hosts =~ /^\+/ ) {
-		$zoneref->{options}{complex} = 1;
-		fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
-		fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^\+[a-zA-Z][-\w]*$/;
-	    }
-
 	    fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
-    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ || $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]\s*$/   ) {
+    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/   ||
+	      $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
+	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/   ||
+	      $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
 	$interface = $1;
 	$hosts = $2;
-	$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
-	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
+
+	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
    } else {
-	fatal_error "Invalid HOST(S) column contents: $hosts";
+	fatal_error "Invalid HOST(S) column contents: $hosts" 
    }

-    if ( $type == BPORT ) {
+    if ( $hosts =~ /^!?\+/ ) {
+	$zoneref->{options}{complex} = 1;
+	fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
+	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
+    }
+
+    if ( $type & BPORT ) {
 	if ( $zoneref->{bridge} eq '' ) {
 	    fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port};
 	    $zoneref->{bridge} = $interfaces{$interface}{bridge};
@@ -1771,14 +1851,14 @@ sub process_host( ) {
 	    } elsif ( $option eq 'blacklist' ) {
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $validhostoptions{$option}) {
-		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
+		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type & VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
 		$options{$option} = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}

-	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER;
+	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} & VSERVER;

 	$optionsref = \%options;
    }
@@ -1799,19 +1879,19 @@ sub process_host( ) {
    $hosts = join( '', ALLIP , $hosts ) if substr($hosts, 0, 2 ) eq ',!';

    if ( $hosts eq 'dynamic' ) {
-	fatal_error "Vserver zones may not be dynamic" if $type == VSERVER;
+	fatal_error "Vserver zones may not be dynamic" if $type & VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	my $physical = physical_name $interface;
-	$hosts = "+${zone}_${physical}";
+	my $physical = chain_base( physical_name $interface );
+	my $set      = $family == F_IPV4 ? "${zone}_${physical}" : "6_${zone}_${physical}";
+	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
-	$ipsets{"${zone}_${physical}"} = 1;
-
+	$ipsets{$set} = 1;
    }

    #
    # We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
    #
-    $interface = '%vserver%' if $type == VSERVER;
+    $interface = '%vserver%' if $type & VSERVER;

    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);

@@ -1853,7 +1933,7 @@ sub find_hosts_by_option( $ ) {
    my $option = $_[0];
    my @hosts;

-    for my $zone ( grep $zones{$_}{type} != FIREWALL , @zones ) {
+    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -37,6 +37,7 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
+#         --config_path=<path-list>   # Search path for config files
 #
 use strict;
 use FindBin;
@@ -61,6 +62,10 @@ sub usage( $ ) {
    [ --test ]
    [ --preview ]
    [ --family={4|6} ]
+    [ --annotate ]
+    [ --update ]
+    [ --convert ]
+    [ --config_path=<path-list> ]
 ';

    exit shift @_;
@@ -82,6 +87,10 @@ my $help          = 0;
 my $test          = 0;
 my $family        = 4; # F_IPV4
 my $preview       = 0;
+my $annotate      = 0;
+my $update        = 0;
+my $convert       = 0;
+my $config_path   = '';

 Getopt::Long::Configure ('bundling');

@@ -107,6 +116,12 @@ my $result = GetOptions('h'               => \$help,
 			'family=i'        => \$family,
 			'c'               => \$confess,
 			'confess'         => \$confess,
+			'a'               => \$annotate,
+			'annotate'        => \$annotate,
+			'u'               => \$update,
+			'update'          => \$update,
+			'convert'         => \$convert,
+			'config_path=s'   => \$config_path,
 		       );

 usage(1) unless $result && @ARGV < 2;
@@ -125,4 +140,8 @@ compiler( script          => $ARGV[0] || '',
 	  preview         => $preview,
 	  family          => $family,
 	  confess         => $confess,
+	  update          => $update,
+	  convert         => $convert,
+	  annotate        => $annotate,
+	  config_path     => $config_path,
 	);
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -20,15 +20,21 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
+#
+#  Parameters:
+#
+#      $1 = Path name of params file
+#      $2 = $CONFIG_PATH
+#      $3 = Address family (4 o4 6)
+#
 if [ "$3" = 6 ]; then
-    . /usr/share/shorewall6/lib.base
-    . /usr/share/shorewall6/lib.cli
+    g_program=shorewall6
 else
-    . /usr/share/shorewall/lib.base
-    . /usr/share/shorewall/lib.cli
+    g_program=shorewall
 fi

+. /usr/share/shorewall/lib.cli
+
 CONFIG_PATH="$2"

 set -a
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -5,7 +5,21 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
+    echo "Usage: $0 [ options ] <command>"
+    echo
+    echo "<command> is one of:"
+    echo "   start"
+    echo "   stop"
+    echo "   clear"
+    echo "   disable <interface>"
+    echo "   down <interface>"
+    echo "   enable <interface>"
+    echo "   reset"
+    echo "   refresh"
+    echo "   restart"
+    echo "   status"
+    echo "   up <interface>"
+    echo "   version"
    echo
    echo "Options are:"
    echo
@@ -17,23 +31,50 @@ usage() {
    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
 }
+
+checkkernelversion() {
+    local kernel
+
+    if [ $g_family -eq 6 ]; then
+	kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
+
+	case "$kernel" in 
+	    *.*.*)
+		kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+		;;
+	    *)
+		kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+		;;
+	esac
+
+	if [ $kernel -lt 20624 ]; then
+	    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+	    return 1
+	fi
+    fi
+
+    return 0
+}
+
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
 #
 # Start trace if first arg is "debug" or "trace"
 #
+g_debug_iptables=
+
 if [ $# -gt 1 ]; then
    if [ "x$1" = "xtrace" ]; then
 	set -x
 	shift
    elif [ "x$1" = "xdebug" ]; then
-	DEBUG=Yes
+	g_debug_iptables=Yes
 	shift
    fi
 fi
 #
-# Map VERBOSE to VERBOSITY for compatibility with old Shorewall-lite installations
+# Map VERBOSE to VERBOSITY for compatibility with old Shorewall[6]-lite installations
 #
 [ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
 #
@@ -161,61 +202,66 @@ COMMAND="$1"
 case "$COMMAND" in
    start)
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    error_message "$g_product is already Running"
 	    status=0
 	else
 	    progress_message3 "Starting $g_product...."
-	    detect_configuration
-	    define_firewall
-	    status=$?
-	    if [ $status -eq 0 ]; then
-		[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
-		progress_message3 "done."
+	    if checkkernelversion; then
+		detect_configuration
+		define_firewall
+		status=$?
+		if [ $status -eq 0 ]; then
+		    [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+		    progress_message3 "done."
+		fi
 	    fi
 	fi
 	;;
    stop)
 	[ $# -ne 1 ] && usage 2
-	progress_message3 "Stopping $g_product...."
-	detect_configuration
-	stop_firewall
-	status=0
-	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
-	progress_message3 "done."
+	if checkkernelversion; then
+	    progress_message3 "Stopping $g_product...."
+	    detect_configuration
+	    stop_firewall
+	    status=0
+	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+	    progress_message3 "done."
+	fi
 	;;
    reset)
-	if ! shorewall_is_started ; then
+	if ! product_is_started ; then
 	    error_message "$g_product is not running"
 	    status=2
-	elif [ $# -eq 1 ]; then
-	    $IPTABLES -Z
-	    $IPTABLES -t nat -Z
-	    $IPTABLES -t mangle -Z
-	    date > ${VARDIR}/restarted
-	    status=0
-	    progress_message3 "$g_product Counters Reset"
-	else
-	    shift
-	    status=0
-	    for chain in $@; do
-		if chain_exists $chain; then
-		    if qt $IPTABLES -Z $chain; then
-			progress_message3 "Filter $chain Counters Reset"
+	elif checkkernelversion; then
+	    if [ $# -eq 1 ]; then
+		$IP6TABLES -Z
+		$IP6TABLES -t mangle -Z
+		date > ${VARDIR}/restarted
+		status=0
+		progress_message3 "$g_product Counters Reset"
+	    else
+		shift
+		status=0
+		for chain in $@; do
+		    if chain_exists $chain; then
+			if qt $IP6TABLES -Z $chain; then
+			    progress_message3 "Filter $chain Counters Reset"
+			else
+			    error_message "ERROR: Reset of chain $chain failed"
+			    status=2
+			    break
+			fi
 		    else
-			error_message "ERROR: Reset of chain $chain failed"
-			status=2
-			break
+			error_message "WARNING: Filter Chain $chain does not exist"
 		    fi
-		else
-		    error_message "WARNING: Filter Chain $chain does not exist"
-		fi
-	    done
+		done
+	    fi
 	fi
 	;;
    restart)
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    progress_message3 "Restarting $g_product...."
 	else
 	    error_message "$g_product is not running"
@@ -223,22 +269,27 @@ case "$COMMAND" in
 	    COMMAND=start
 	fi

-	detect_configuration
-	define_firewall
-	status=$?
-	if [ -n "$SUBSYSLOCK" ]; then
-	    [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-	fi
-	[ $status -eq 0 ] && progress_message3 "done."
-	;;
-    refresh)
-	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
-	    progress_message3 "Refreshing $g_product...."
+	if checkkernelversion; then
 	    detect_configuration
 	    define_firewall
 	    status=$?
+	    if [ -n "$SUBSYSLOCK" ]; then
+ 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+            fi
+
 	    [ $status -eq 0 ] && progress_message3 "done."
+	fi
+	;;
+    refresh)
+	[ $# -ne 1 ] && usage 2
+	if product_is_started; then
+	    progress_message3 "Refreshing $g_product...."
+	    if checkkernelversion; then
+		detect_configuration
+		define_firewall
+		status=$?
+		[ $status -eq 0 ] && progress_message3 "done."
+	    fi
 	else
 	    echo "$g_product is not running" >&2
 	    status=2
@@ -246,20 +297,25 @@ case "$COMMAND" in
 	;;
    restore)
 	[ $# -ne 1 ] && usage 2
-	detect_configuration
-	define_firewall
-	status=$?
-	if [ -n "$SUBSYSLOCK" ]; then
- 	    [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-        fi
+	if checkkernelversion; then
+	    detect_configuration
+	    define_firewall
+	    status=$?
+	    if [ -n "$SUBSYSLOCK" ]; then
+ 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+            fi
+	    [ $status -eq 0 ] && progress_message3 "done."
+	fi
 	;;
    clear)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
-	clear_firewall
-	status=0
-	if [ $status -eq 0 ]; then
-	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+	if checkkernelversion; then
+	    clear_firewall
+	    status=0
+	    if [ -n "$SUBSYSLOCK" ]; then
+		rm -f $SUBSYSLOCK
+	    fi
 	    progress_message3 "done."
 	fi
 	;;
@@ -267,7 +323,7 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
 	echo
-	if shorewall_is_started; then
+	if product_is_started; then
 	    echo "$g_product is running"
 	    status=0
 	else
@@ -278,7 +334,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|lClear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -292,8 +348,28 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	updown $@
-	status=0;
+	updown $1
+	status=0
+	;;
+    enable)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	if product_is_started; then
+	    detect_configuration
+	    enable_provider $1
+	fi
+	status=0
+	;;
+    disable)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	if product_is_started; then
+	    detect_configuration
+	    disable_provider $1
+	fi
+	status=0
 	;;
    version)
 	[ $# -ne 1 ] && usage 2
--- a/Shorewall/Perl/prog.footer6
+++ b/Shorewall/Perl/prog.footer6
@@ -1,338 +0,0 @@
-###############################################################################
-# Code imported from /usr/share/shorewall/prog.footer6
-###############################################################################
-#
-# Give Usage Information
-#
-usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
-    echo
-    echo "Options are:"
-    echo
-    echo "   -v and -q        Standard Shorewall verbosity controls"
-    echo "   -n               Don't unpdate routing configuration"
-    echo "   -p               Purge Conntrack Table"
-    echo "   -t               Timestamp progress Messages"
-    echo "   -V <verbosity>   Set verbosity explicitly"
-    echo "   -R <file>        Override RESTOREFILE setting"
-    exit $1
-}
-
-checkkernelversion() {
-    local kernel
-
-    kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-
-    if [ $kernel -lt 20624 ]; then
-	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-	return 1
-    else
-	return 0
-    fi
-}
-################################################################################
-# E X E C U T I O N    B E G I N S   H E R E				       #
-################################################################################
-#
-# Start trace if first arg is "debug" or "trace"
-#
-if [ $# -gt 1 ]; then
-    if [ "x$1" = "xtrace" ]; then
-	set -x
-	shift
-    elif [ "x$1" = "xdebug" ]; then
-	DEBUG=Yes
-	shift
-    fi
-fi
-#
-# Map VERBOSE to VERBOSITY for compatibility with old Shorewall6-lite installations
-#
-[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
-#
-# Map other old exported variables
-#
-g_purge=$PURGE
-g_noroutes=$NOROUTES
-g_timestamp=$TIMESTAMP
-g_recovering=$RECOVERING
-
-initialize
-
-if [ -n "$STARTUP_LOG" ]; then
-    touch $STARTUP_LOG
-    chmod 0600 $STARTUP_LOG
-    if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
-	#
-	# We're being run by a startup script that isn't redirecting STDOUT
-	# Redirect it to the log
-	#
-	exec 2>>$STARTUP_LOG
-    fi
-fi
-
-finished=0
-
-while [ $finished -eq 0 -a $# -gt 0 ]; do
-    option=$1
-    case $option in
-	-*)
-	    option=${option#-}
-
-	    [ -z "$option" ] && usage 1
-
-	    while [ -n "$option" ]; do
-		case $option in
-		    v*)
-			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
-			option=${option#v}
-			;;
-		    q*)
-			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
-			option=${option#q}
-			;;
-		    n*)
-			g_noroutes=Yes
-			option=${option#n}
-			;;
-		    t*)
-			g_timestamp=Yes
-			option=${option#t}
-			;;
-		    p*)
-			g_purge=Yes
-			option=${option#p}
-			;;
-		    r*)
-			g_recovering=Yes
-			option=${option#r}
-			;;
-		    V*)
-			option=${option#V}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				-1|0|1|2)
-				    VERBOSITY=$option
-				    option=
-				    ;;
-				*)
-				    startup_error "Invalid -V option value ($option)"
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -V option value"
-			fi
-			;;
-		    R*)
-			option=${option#R}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				*/*)
-	    			    startup_error "-R must specify a simple file name: $option"
-				    ;;
-				.safe|.try|NONE)
-				    ;;
-				.*)
-				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
-				    exit 2
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -R option value"
-			fi
-
-			RESTOREFILE=$option
-			option=
-			;;
-		esac
-	    done
-	    shift
-	    ;;
-	*)
-	    finished=1
-            ;;
-    esac
-done
-
-COMMAND="$1"
-
-
-case "$COMMAND" in
-    start)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    error_message "$g_product is already Running"
-	    status=0
-	else
-	    progress_message3 "Starting $g_product...."
-	    if checkkernelversion; then
-		detect_configuration
-		define_firewall
-		status=$?
-		if [ $status -eq 0 ]; then
-		    [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
-		    progress_message3 "done."
-		fi
-	    fi
-	fi
-	;;
-    stop)
-	[ $# -ne 1 ] && usage 2
-	if checkkernelversion; then
-	    progress_message3 "Stopping $g_product...."
-	    detect_configuration
-	    stop_firewall
-	    status=0
-	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
-	    progress_message3 "done."
-	fi
-	;;
-    reset)
-	if ! shorewall6_is_started ; then
-	    error_message "$g_product is not running"
-	    status=2
-	elif checkkernelversion; then
-	    if [ $# -eq 1 ]; then
-		$IP6TABLES -Z
-		$IP6TABLES -t mangle -Z
-		date > ${VARDIR}/restarted
-		status=0
-		progress_message3 "$g_product Counters Reset"
-	    else
-		shift
-		status=0
-		for chain in $@; do
-		    if chain_exists $chain; then
-			if qt $IP6TABLES -Z $chain; then
-			    progress_message3 "Filter $chain Counters Reset"
-			else
-			    error_message "ERROR: Reset of chain $chain failed"
-			    status=2
-			    break
-			fi
-		    else
-			error_message "WARNING: Filter Chain $chain does not exist"
-		    fi
-		done
-	    fi
-	fi
-	;;
-    restart)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    progress_message3 "Restarting $g_product...."
-	else
-	    error_message "$g_product is not running"
-	    progress_message3 "Starting $g_product...."
-	    COMMAND=start
-	fi
-
-	if checkkernelversion; then
-	    detect_configuration
-	    define_firewall
-	    status=$?
-	    if [ -n "$SUBSYSLOCK" ]; then
- 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-            fi
-
-	    [ $status -eq 0 ] && progress_message3 "done."
-	fi
-	;;
-    refresh)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    progress_message3 "Refreshing $g_product...."
-	    if checkkernelversion; then
-		detect_configuration
-		define_firewall
-		status=$?
-		[ $status -eq 0 ] && progress_message3 "done."
-	    fi
-	else
-	    echo "$g_product is not running" >&2
-	    status=2
-	fi
-	;;
-    restore)
-	[ $# -ne 1 ] && usage 2
-	if checkkernelversion; then
-	    detect_configuration
-	    define_firewall
-	    status=$?
-	    if [ -n "$SUBSYSLOCK" ]; then
- 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-            fi
-	    [ $status -eq 0 ] && progress_message3 "done."
-	fi
-	;;
-    clear)
-	[ $# -ne 1 ] && usage 2
-	progress_message3 "Clearing $g_product...."
-	if checkkernelversion; then
-	    clear_firewall
-	    status=0
-	    if [ -n "$SUBSYSLOCK" ]; then
-		rm -f $SUBSYSLOCK
-	    fi
-	    progress_message3 "done."
-	fi
-	;;
-    status)
-	[ $# -ne 1 ] && usage 2
-	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
-	echo
-	if shorewall6_is_started; then
-	    echo "$g_product is running"
-	    status=0
-	else
-	    echo "$g_product is stopped"
-	    status=4
-	fi
-
-	if [ -f ${VARDIR}/state ]; then
-	    state="$(cat ${VARDIR}/state)"
-	    case $state in
-		Stopped*|Clear*)
-		    status=3
-		    ;;
-	    esac
-	else
-	    state=Unknown
-	fi
-	echo "State:$state"
-	echo
-	;;
-    up|down)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	updown $1
-	status=0
-	;;
-    version)
-	[ $# -ne 1 ] && usage 2
-	echo $SHOREWALL_VERSION
-	status=0
-	;;
-    help)
-	[ $# -ne 1 ] && usage 2
-	usage 0
-	;;
-    *)
-	usage 2
-	;;
-esac
-
-exit $status
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -1,5 +1,3 @@
-#!/bin/sh
-#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 1999-2011 - Tom Eastep (teastep@shorewall.net)
@@ -30,119 +28,12 @@
 # Functions imported from /usr/share/shorewall/prog.header
 ################################################################################
 #
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-#
-# Set a standard chain's policy
-#
-setpolicy() # $1 = name of chain, $2 = policy
-{
-    run_iptables -P $1 $2
-}
-
-#
-# Generate a list of all network interfaces on the system
-#
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Generate a list of all network interfaces on the system that have an ipv4 address
-#
-find_all_interfaces1() {
-    ${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Find the value 'dev' in the passed arguments then echo the next value
+# Find the value 'weight' in the passed arguments then echo the next value
 #

-find_device() {
+find_weight() {
    while [ $# -gt 1 ]; do
-	[ "x$1" = xdev ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'via' in the passed arguments then echo the next value
-#
-
-find_gateway() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xvia ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'mtu' in the passed arguments then echo the next value
-#
-
-find_mtu() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xmtu ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'peer' in the passed arguments then echo the next value up to
-# "/"
-#
-
-find_peer() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xpeer ] && echo ${2%/*} && return
+	[ "x$1" = xweight ] && echo $2 && return
 	shift
    done
 }
@@ -169,23 +60,6 @@ find_rt_interface() {
    done
 }

-#
-# Try to find the gateway through an interface looking for 'nexthop'
-
-find_nexthop() # $1 = interface
-{
-    echo $(find_gateway `$IP -4 route list | grep "[[:space:]]nexthop.* $1"`)
-}
-
-#
-# Find the default route's interface
-#
-find_default_interface() {
-    $IP -4 route list | while read first rest; do
-	[ "$first" = default ] && echo $(find_device $rest) && return
-    done
-}
-
 #
 # Echo the name of the interface(s) that will be used to send to the
 # passed address
@@ -202,31 +76,6 @@ find_interface_by_address() {
    [ -n "$dev" ] && echo $dev
 }

-#
-# Determine if Interface is up
-#
-interface_is_up() {
-    [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
-}
-
-#
-# Determine if interface is usable from a Netfilter prespective
-#
-interface_is_usable() # $1 = interface
-{
-    [ "$1" = lo ] && return 0
-    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1
-}
-
-#
-# Find interface addresses--returns the set of addresses assigned to the passed
-# device
-#
-find_interface_addresses() # $1 = interface
-{
-    $IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
-}
-
 #
 #  echo the list of networks routed out of a given interface
 #
@@ -272,7 +121,7 @@ get_interface_bcasts() # $1 = interface
 #
 del_ip_addr() # $1 = address, $2 = interface
 {
-    [ $(find_first_interface_address_if_any $2) = $1 ] || qt $IP addr del $1 dev $2
+    [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
 }

 # Add IP Aliases
@@ -420,167 +269,57 @@ disable_ipv6() {
 }

 #
-# Clear the current traffic shaping configuration
+# Add an additional gateway to the default route
 #
-
-delete_tc1()
+add_gateway() # $1 = Delta $2 = Table Number
 {
-    clear_one_tc() {
-        $TC qdisc del dev $1 root 2> /dev/null
-        $TC qdisc del dev $1 ingress 2> /dev/null
+    local route
+    local weight
+    local delta
+    local dev
+    
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`

-    }
-
-    run_tcclear_exit
-
-    run_ip link list | \
-    while read inx interface details; do
-        case $inx in
-            [0-9]*)
-                clear_one_tc ${interface%:}
-                ;;
-            *)
-                ;;
-        esac
-    done
-}
-
-#
-# Detect a device's MTU -- echos the passed device's MTU
-#
-get_device_mtu() # $1 = device
-{
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-
-    if [ -n "$output" ]; then
-	echo $(find_mtu $output)
+    if [ -z "$route" ]; then
+	run_ip route add default scope global table $2 $1
    else
-	echo 1500
-    fi
-}
+	delta=$1

-#
-# Version of the above that doesn't generate any output for MTU 1500.
-# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
-#
-get_device_mtu1() # $1 = device
-{
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-    local mtu
-
-    if [ -n "$output" ]; then
-	mtu=$(find_mtu $output)
-	if [ -n "$mtu" ]; then
-	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
-	fi
-    fi
-
-}
-
-#
-# Undo changes to routing
-#
-undo_routing() {
-
-    if [ -z "$g_noroutes"  ]; then
-	#
-	# Restore rt_tables database
-	#
-	if [ -f ${VARDIR}/rt_tables ]; then
-	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
-	    rm -f ${VARDIR}/rt_tables
-	fi
-	#
-	# Restore the rest of the routing table
-	#
-	if [ -f ${VARDIR}/undo_routing ]; then
-	    . ${VARDIR}/undo_routing
-	    progress_message "Shorewall-generated routing tables and routing rules removed"
-	    rm -f ${VARDIR}/undo_routing
-	fi
-    fi
-
-}
-
-#
-# Save the default route
-#
-save_default_route() {
-    awk \
-    'BEGIN        {defroute=0;};
-     /^default /  {deroute=1; print; next};
-     /nexthop/    {if (defroute == 1 ) {print ; next} };
-                  { defroute=0; };'
-}
-
-#
-# Restore the default route that was in place before the initial 'shorewall start'
-#
-replace_default_route() # $1 = USE_DEFAULT_RT
-{
-    #
-    # default_route and result are inherited from the caller
-    #
-    if [ -n "$default_route" ]; then
-	case "$default_route" in
-	    *metric*)
-	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
-	        #
-		[ -n "$1" ] && qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		default_route=
-		;;
-	    *)
-		qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		result=0
-		default_route=
-		;;
-	esac
-    fi
-}
-
-restore_default_route() # $1 = USE_DEFAULT_RT
-{
-    local result
-    result=1
-
-    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
-	local default_route
-	default_route=
-	local route
-
-	while read route ; do
-	    case $route in
-		default*)
-		    replace_default_route $1
-		    default_route="$default_route $route"
-		    ;;
-		*)
-		    default_route="$default_route $route"
-		    ;;
-	    esac
-	done < ${VARDIR}/default_route
-
-	replace_default_route $1
-	
-	if [ $result = 1 ]; then
-	    #
-	    # We didn't restore a default route with metric 0
-	    #
-	    if $IP -4 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
-	       #
-	       # But we added a default route with metric 0
-	       #
-	       qt $IP -4 route del default metric 0 && progress_message "Default route with metric 0 deleted"
+	if ! echo $route | fgrep -q ' nexthop '; then
+	    route=`echo $route | sed 's/via/nexthop via/'`
+	    dev=$(find_device $route)
+	    if [ -f ${VARDIR}/${dev}_weight ]; then
+		weight=`cat ${VARDIR}/${dev}_weight`
+		route="$route weight $weight"
 	    fi
 	fi

-	rm -f ${VARDIR}/default_route
+	run_ip route replace default scope global table $2 $route $delta
    fi
+}

-    return $result
+#
+# Remove a gateway from the default route
+#
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
+{
+    local route
+    local gateway
+    local dev
+
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    gateway=$1
+  
+    if [ -n "$route" ]; then
+	if echo $route | fgrep -q ' nexthop '; then
+	    gateway="nexthop $gateway"
+	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
+	    run_ip route replace table $2 $route
+	else
+	    dev=$(find_device $route)
+	    [ "$dev" = "$3" ] && run_ip route delete default table $2
+	fi
+    fi
 }

 #
@@ -604,28 +343,14 @@ find_mac() # $1 = IP address, $2 = interface
    fi
 }

-#
-# Flush the conntrack table if $g_purge is non-empty
-#
-conditionally_flush_conntrack() {
-
-    if [ -n "$g_purge" ]; then
-	if [ -n $(mywhich conntrack) ]; then
-            conntrack -F
-	else
-            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-	fi
-    fi
-}
-
 #
 # Clear Proxy Arp
 #
 delete_proxyarp() {
    if [ -f ${VARDIR}/proxyarp ]; then
 	while read address interface external haveroute; do
-	    qt $IP -4 neigh del proxy $address dev $external
-	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address/32 dev $interface
+	    qtnoin $IP -4 neigh del proxy $address dev $external
+	    [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
@@ -664,124 +389,6 @@ clear_firewall() {
    logger -p kern.info "$g_product Cleared"
 }

-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -4 $@; then
-	error_message "ERROR: Command \"$IP -4 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
 #
 # Get a list of all configured broadcast addresses on the system
 #
@@ -790,90 +397,6 @@ get_all_bcasts()
    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }

-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IPTABLES -t mangle -F
-    qt1 $IPTABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IPTABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t raw    -F
-    qt1 $IPTABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IPTABLES -t raw -P $chain ACCEPT
-    done
-
-    run_iptables -t nat -F
-    run_iptables -t nat -X
-
-    for chain in PREROUTING POSTROUTING OUTPUT; do
-	qt1 $IPTABLES -t nat -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t filter -F
-    qt1 $IPTABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IPTABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -1,5 +1,3 @@
-#!/bin/sh
-#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 1999-2011- Tom Eastep (teastep@shorewall.net)
@@ -29,166 +27,6 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-#
-# Set a standard chain's policy
-#
-setpolicy() # $1 = name of chain, $2 = policy
-{
-    run_iptables -P $1 $2
-}
-
-#
-# Generate a list of all network interfaces on the system
-#
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Generate a list of all network interfaces on the system that have an ipv6 address
-#
-find_all_interfaces1() {
-    ${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Find the value 'dev' in the passed arguments then echo the next value
-#
-
-find_device() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xdev ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'via' in the passed arguments then echo the next value
-#
-
-find_gateway() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xvia ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'mtu' in the passed arguments then echo the next value
-#
-
-find_mtu() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xmtu ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'peer' in the passed arguments then echo the next value up to
-# "/"
-#
-
-find_peer() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xpeer ] && echo ${2%/*} && return
-	shift
-    done
-}
-
-#
-# Try to find the gateway through an interface looking for 'nexthop'
-
-find_nexthop() # $1 = interface
-{
-    echo $(find_gateway `$IP -6 route list | grep "[[:space:]]nexthop.* $1"`)
-}
-
-#
-# Find the default route's interface
-#
-find_default_interface() {
-    $IP -6 route list | while read first rest; do
-	[ "$first" = default ] && echo $(find_device $rest) && return
-    done
-}
-
-#
-# Determine if Interface is up
-#
-interface_is_up() {
-    [ -n "$($IP -6 link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
-}
-
-#
-# Determine if interface is usable from a Netfilter prespective
-#
-interface_is_usable() # $1 = interface
-{
-    [ "$1" = lo ] && return 0
-    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
-}
-
-#
-# Find interface addresses--returns the set of addresses assigned to the passed
-# device
-#
-find_interface_addresses() # $1 = interface
-{
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
-}
-
 #
 # Get all interface addresses with VLSMs
 #
@@ -198,35 +36,6 @@ find_interface_full_addresses() # $1 = interface
    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
 }

-#
-#  echo the list of networks routed out of a given interface
-#
-get_routed_networks() # $1 = interface name, $2-n = Fatal error message
-{
-    local address
-    local rest
-
-    $IP -6 route show dev $1 2> /dev/null |
-	while read address rest; do
-	    case "$address" in
-		default)
-		    if [ $# -gt 1 ]; then
-			shift
-			fatal_error "$@"
-		    else
-			echo "WARNING: default route ignored on interface $1" >&2
-		    fi
-		    ;;
-		multicast|broadcast|prohibit|nat|throw|nexthop)
-		    ;;
-		2*)
-		    [ "$address" = "${address%/*}" ] && address="${address}/128"
-		    echo $address
-		    ;;
-	    esac
-        done
-}
-
 #
 # Normalize an IPv6 Address by compressing out consecutive zero elements
 #
@@ -411,164 +220,33 @@ detect_gateway() # $1 = interface
    [ -n "$gateway" ] && echo $gateway
 }

-delete_tc1()
+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
 {
-    clear_one_tc() {
-        $TC qdisc del dev $1 root 2> /dev/null
-        $TC qdisc del dev $1 ingress 2> /dev/null
-
-    }
-
-    run_tcclear_exit
-
-    run_ip link list | \
-    while read inx interface details; do
-        case $inx in
-            [0-9]*)
-                clear_one_tc ${interface%:}
-                ;;
-            *)
-                ;;
-        esac
-    done
+    local route
+    local weight
+    local delta
+    local dev
+    
+    run_ip route add default scope global table $2 $1
 }

 #
-# Detect a device's MTU -- echos the passed device's MTU
+# Remove a gateway from the default route
 #
-get_device_mtu() # $1 = device
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 {
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+    local route
+    local gateway
+    local dev

-    if [ -n "$output" ]; then
-	echo $(find_mtu $output)
-    else
-	echo 1500
-    fi
-}
-
-#
-# Version of the above that doesn't generate any output for MTU 1500.
-# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
-#
-get_device_mtu1() # $1 = device
-{
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-    local mtu
-
-    if [ -n "$output" ]; then
-	mtu=$(find_mtu $output)
-	if [ -n "$mtu" ]; then
-	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
-	fi
-    fi
-
-}
-
-#
-# Undo changes to routing
-#
-undo_routing() {
-
-    if [ -z "$g_noroutes"  ]; then
-	#
-	# Restore rt_tables database
-	#
-	if [ -f ${VARDIR}/rt_tables ]; then
-	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
-	    rm -f ${VARDIR}/rt_tables
-	fi
-	#
-	# Restore the rest of the routing table
-	#
-	if [ -f ${VARDIR}/undo_routing ]; then
-	    . ${VARDIR}/undo_routing
-	    progress_message "Shorewall-generated routing tables and routing rules removed"
-	    rm -f ${VARDIR}/undo_routing
-	fi
-    fi
-
-}
-
-#
-# Save the default route
-#
-save_default_route() {
-    awk \
-    'BEGIN        {defroute=0;};
-     /^default /  {defroute=1; print; next};
-     /nexthop/    {if (defroute == 1 ) {print ; next} };
-                  { defroute=0; };'
-}
-
-#
-# Restore the default route that was in place before the initial 'shorewall start'
-#
-replace_default_route() # $1 = USE_DEFAULT_RT
-{
-    #
-    # default_route and result are inherited from the caller
-    #
-    if [ -n "$default_route" ]; then
-	case "$default_route" in
-	    *metric*)
-	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
-	        #
-		[ -n "$1" ] && qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		default_route=
-		;;
-	    *)
-		qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		result=0
-		default_route=
-		;;
-	esac
-    fi
-}
-
-restore_default_route() # $1 = USE_DEFAULT_RT
-{
-    local result
-    result=1
-
-    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
-	local default_route
-	default_route=
-	local route
-
-	while read route ; do
-	    case $route in
-		default*)
-		    replace_default_route $1
-		    default_route="$default_route $route"
-		    ;;
-		*)
-		    default_route="$default_route $route"
-		    ;;
-	    esac
-	done < ${VARDIR}/default_route
-
-	replace_default_route $1
-	
-	if [ $result = 1 ]; then
-	    #
-	    # We didn't restore a default route with metric 0
-	    #
-	    if $IP -6 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
-	       #
-	       # But we added a default route with metric 0
-	       #
-	       qt $IP -6 route del default metric 0 && progress_message "Default route with metric 0 deleted"
-	    fi
-	fi
-
-	rm -f ${VARDIR}/default_route
-    fi
-
-    return $result
+    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    gateway=$1
+  
+    dev=$(find_device $route)
+    [ "$dev" = "$3" ] && run_ip route delete default table $2
 }

 #
@@ -590,20 +268,6 @@ find_echo() {
    echo echo
 }

-#
-# Flush the conntrack table if $g_purge is non-empty
-#
-conditionally_flush_conntrack() {
-
-    if [ -n "$g_purge" ]; then
-	if [ -n $(which conntrack) ]; then
-            conntrack -F
-	else
-            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-	fi
-    fi
-}
-
 #
 # Clear Proxy NDP
 #
@@ -642,201 +306,6 @@ clear_firewall() {
    logger -p kern.info "$g_product Cleared"
 }

-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -6 $@; then
-	error_message "ERROR: Command \"$IP -6 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IP6TABLES -t mangle -F
-    qt1 $IP6TABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t raw    -F
-    qt1 $IP6TABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IP6TABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t filter -F
-    qt1 $IP6TABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IP6TABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
--- a/Shorewall/Samples/LICENSE
+++ b/Shorewall/Samples/LICENSE
--- a/Shorewall/Samples/README.txt
+++ b/Shorewall/Samples/README.txt
--- a/Shorewall/Samples/Universal/interfaces
+++ b/Shorewall/Samples/Universal/interfaces
--- a/Shorewall/Samples/Universal/policy
+++ b/Shorewall/Samples/Universal/policy
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
@@ -6,9 +6,10 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+###################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -29,8 +29,6 @@ LOG_VERBOSITY=2

 LOGALLNEW=

-LOGBURST=
-
 LOGFILE=/var/log/messages

 LOGFORMAT="Shorewall:%s:%s:"
@@ -39,10 +37,10 @@ LOGTAGONLY=No

 LOGLIMIT=

-LOGRATE=
-
 MACLIST_LOG_LEVEL=info

+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -134,16 +132,12 @@ EXPAND_POLICIES=Yes

 EXPORTMODULES=Yes

-EXPORTPARAMS=No
-
 FASTACCEPT=Yes

 FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
@@ -194,7 +188,7 @@ TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

-WIDE_TC_MARKS=Yes
+USE_PHYSICAL_NAMES=No

 ZONE2ZONE=2

@@ -206,12 +200,28 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
--- a/Shorewall/Samples/Universal/zones
+++ b/Shorewall/Samples/Universal/zones
--- a/Shorewall/Samples/one-interface/README.txt
+++ b/Shorewall/Samples/one-interface/README.txt
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
--- a/Shorewall/Samples/one-interface/policy
+++ b/Shorewall/Samples/one-interface/policy
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -10,9 +10,13 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW

 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -40,8 +40,6 @@ LOG_VERBOSITY=2

 LOGALLNEW=

-LOGBURST=
-
 LOGFILE=/var/log/messages

 LOGFORMAT="Shorewall:%s:%s:"
@@ -50,10 +48,10 @@ LOGTAGONLY=No

 LOGLIMIT=

-LOGRATE=
-
 MACLIST_LOG_LEVEL=info

+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -145,16 +143,12 @@ EXPAND_POLICIES=Yes

 EXPORTMODULES=Yes

-EXPORTPARAMS=No
-
 FASTACCEPT=No

 FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=Off

 KEEP_RT_TABLES=No
@@ -205,7 +199,7 @@ TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

-WIDE_TC_MARKS=Yes
+USE_PHYSICAL_NAMES=No

 ZONE2ZONE=2

@@ -217,12 +211,28 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
--- a/Shorewall/Samples/one-interface/zones
+++ b/Shorewall/Samples/one-interface/zones
--- a/Shorewall/Samples/three-interfaces/README.txt
+++ b/Shorewall/Samples/three-interfaces/README.txt
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
--- a/Shorewall/Samples/three-interfaces/policy
+++ b/Shorewall/Samples/three-interfaces/policy
--- a/Shorewall/Samples/three-interfaces/routestopped
+++ b/Shorewall/Samples/three-interfaces/routestopped
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -10,9 +10,17 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+#       Don't allow connection pickup from the net
+#
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -38,8 +38,6 @@ LOG_VERBOSITY=2

 LOGALLNEW=

-LOGBURST=
-
 LOGFILE=/var/log/messages

 LOGFORMAT="Shorewall:%s:%s:"
@@ -48,10 +46,10 @@ LOGTAGONLY=No

 LOGLIMIT=

-LOGRATE=
-
 MACLIST_LOG_LEVEL=info

+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -143,16 +141,12 @@ EXPAND_POLICIES=Yes

 EXPORTMODULES=Yes

-EXPORTPARAMS=No
-
 FASTACCEPT=No

 FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
@@ -203,7 +197,7 @@ TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

-WIDE_TC_MARKS=Yes
+USE_PHYSICAL_NAMES=No

 ZONE2ZONE=2

@@ -215,12 +209,28 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
--- a/Shorewall/Samples/three-interfaces/zones
+++ b/Shorewall/Samples/three-interfaces/zones
--- a/Shorewall/Samples/two-interfaces/README.txt
+++ b/Shorewall/Samples/two-interfaces/README.txt
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
--- a/Shorewall/Samples/two-interfaces/policy
+++ b/Shorewall/Samples/two-interfaces/policy
--- a/Shorewall/Samples/two-interfaces/routestopped
+++ b/Shorewall/Samples/two-interfaces/routestopped
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -10,9 +10,17 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+#       Don't allow connection pickup from the net
+#
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -41,8 +41,6 @@ LOG_VERBOSITY=2

 LOGALLNEW=

-LOGBURST=
-
 LOGFILE=/var/log/messages

 LOGFORMAT="Shorewall:%s:%s:"
@@ -51,10 +49,10 @@ LOGTAGONLY=No

 LOGLIMIT=

-LOGRATE=
-
 MACLIST_LOG_LEVEL=info

+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -146,16 +144,12 @@ EXPAND_POLICIES=Yes

 EXPORTMODULES=Yes

-EXPORTPARAMS=No
-
 FASTACCEPT=No

 FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
@@ -206,7 +200,7 @@ TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

-WIDE_TC_MARKS=Yes
+USE_PHYSICAL_NAMES=No

 ZONE2ZONE=2

@@ -218,12 +212,28 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
--- a/Shorewall/Samples/two-interfaces/zones
+++ b/Shorewall/Samples/two-interfaces/zones
--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -0,0 +1,73 @@
+#
+# Shorewall 4 - Broadcast Action
+#
+#    /usr/share/shorewall/action.Broadcast
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Broadcast[([<action>|-[,{audit|-}])] 
+#
+#       Default action is DROP
+#
+##########################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+
+my $chainref           = get_action_chain;
+my ( $level, $tag )    = get_action_logging;
+my $target             = require_audit ( $action , $audit );
+
+if ( have_capability( 'ADDRTYPE' ) ) {
+    if ( $level ne '' ) {
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
+	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
+    }	
+
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
+    add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
+} else {
+    add_commands $chainref, 'for address in $ALL_BCASTS; do';
+    incr_cmd_level $chainref;
+    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
+    add_jump $chainref, $target, 0, "-d \$address ";
+    decr_cmd_level $chainref;
+    add_commands $chainref, 'done';
+}
+    
+log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
+
+1;
+
+END PERL;
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -15,9 +15,49 @@
 #	c) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
+#  The action accepts five optional parameters:
+#
+#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#           actions.
+#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#	3 - Action to take with SMB requests. Default is DROP or A_DROP,
+#           depending on the setting of the first parameter.
+#       4 - Action to take with required ICMP packets. Default is ACCEPT or
+#           A_ACCEPT depending on the first parameter.
+#       5 - Action to take with late UDP replies (UDP source port 53). Default
+#           is DROP or A_DROP depending on the first parameter.
+#
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
+FORMAT 2
+#
+# The following magic provides different defaults for $2 thru $5, when $1 is 
+# 'audit'.
+#
+BEGIN PERL;
+use Shorewall::Config;
+
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+
+if ( defined $p1 ) { 
+    if ( $p1 eq 'audit' ) {
+	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
+	set_action_param( 3, 'A_DROP')     unless supplied $p3;
+	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
+	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
+    } else {
+	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
+    }
+}
+
+1;
+
+END PERL;
+
+DEFAULTS -,REJECT,DROP,ACCEPT,DROP
+
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
@@ -26,31 +66,31 @@ COUNT
 #
 # Reject 'auth'
 #
-Auth(REJECT)
+Auth($2)
 #
 # Don't log broadcasts
 #
-dropBcast
+Broadcast(DROP,$1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs	-	-	icmp
+AllowICMPs($4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
-dropInvalid
+Invalid(DROP,$1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB(DROP)
-DropUPnP
+SMB($3)
+DropUPnP($5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-dropNotSyn	-	-	tcp
+NotSyn(DROP,$1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep
+DropDNSrep($5)
--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@@ -0,0 +1,85 @@
+#
+# Shorewall version 4 - Drop Smurfs Action
+#
+# /usr/share/shorewall/action.DropSmurfs
+#
+#   Accepts a single optional parameter:
+#
+#          -     = Do not Audit
+#          audit = Audit dropped packets.
+#
+#################################################################################
+FORMAT 2
+
+DEFAULTS -
+
+BEGIN PERL;
+use strict;
+use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $audit ) = get_action_params( 1 );
+
+my $chainref        = get_action_chain;
+my ( $level, $tag ) = get_action_logging;
+my $target;
+
+if ( $level ne '-' || $audit ne '-' ) {
+    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
+
+    log_rule_limit( $level,
+		    $logchainref,
+		    $chainref->{name},
+		    'DROP',
+		    '',
+		    $tag,
+		    'add',
+		    '' );
+
+    if ( supplied $audit ) {
+	fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
+	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's';
+	add_ijump( $logchainref, j => 'AUDIT --type DROP' );
+    } 
+	
+    add_ijump( $logchainref, j => 'DROP' );
+
+    $target = $logchainref;
+} else {
+    $target = 'DROP';
+}
+		    
+if ( have_capability( 'ADDRTYPE' ) ) {
+    if ( $family == F_IPV4 ) {
+	add_ijump $chainref , j => 'RETURN', s => '0.0.0.0';         ;
+    } else {
+	add_ijump $chainref , j => 'RETURN', s => '::';
+    }
+
+    add_ijump( $chainref, g => $target, addrtype => '--src-type BROADCAST' ) ;
+} else {
+    if ( $family == F_IPV4 ) {
+	add_commands $chainref, 'for address in $ALL_BCASTS; do';
+    } else {
+	add_commands $chainref, 'for address in $ALL_ACASTS; do';
+    }
+    
+    incr_cmd_level $chainref;
+    add_ijump( $chainref, g => $target, s => '$address' );
+    decr_cmd_level $chainref;
+    add_commands $chainref, 'done';
+}
+
+if ( $family == F_IPV4 ) {
+    add_ijump( $chainref, g => $target, s => '224.0.0.0/4' );
+} else {
+    add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
+}
+
+END PERL;
+
+
+    
+
+
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -0,0 +1,56 @@
+#
+# Shorewall 4 - Invalid Action
+#
+#    /usr/share/shorewall/action.Invalid
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Invalid[([<action>|-[,{audit|-}])] 
+#
+#       Default action is DROP
+#
+##########################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+fatal_error "Invalid parameter ($audit) to action Invalid"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action Invalid"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+
+my $chainref         = get_action_chain;
+my ( $level, $tag )  = get_action_logging;
+my $target           = require_audit ( $action , $audit );
+
+log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
+add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
+
+$chainref->{dont_optimize} = 0;
+
+1;
+
+END PERL;
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -0,0 +1,56 @@
+#
+# Shorewall 4 - NotSyn Action
+#
+#    /usr/share/shorewall/action.NotSyn
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   NotSyn[([<action>|-[,{audit|-}])] 
+#
+#       Default action is DROP
+#
+##########################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+
+my $chainref         = get_action_chain;
+my ( $level, $tag )  = get_action_logging;
+my $target           = require_audit ( $action , $audit );
+
+log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+add_jump $chainref , $target, 0, '-p 6 ! --syn ';
+
+$chainref->{dont_optimize} = 0;
+
+1;
+
+END PERL;
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -12,8 +12,48 @@
 #	b) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
+#  The action accepts five optional parameters:
+#
+#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
+#           actions.
+#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#	3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
+#           depending on the setting of the first parameter.
+#       4 - Action to take with required ICMP packets. Default is ACCEPT or
+#           A_ACCEPT depending on the first parameter.
+#       5 - Action to take with late UDP replies (UDP source port 53). Default
+#           is DROP or A_DROP depending on the first parameter.
+#
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
+FORMAT 2
+#
+# The following magic provides different defaults for $2 thru $5, when $1 is 
+# 'audit'.
+#
+BEGIN PERL;
+use Shorewall::Config;
+
+my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
+
+if ( defined $p1 ) { 
+    if ( $p1 eq 'audit' ) {
+	set_action_param( 2, 'A_REJECT')  unless supplied $p2;
+	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
+	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
+	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
+    } else {
+	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
+    }
+}
+
+1;
+
+END PERL;
+
+DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
+
 #TARGET		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
@@ -22,33 +62,33 @@ COUNT
 #
 # Don't log 'auth' -- REJECT
 #
-Auth(REJECT)
+Auth($2)
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-dropBcast
+Broadcast(DROP,$1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs	-	-	icmp
+AllowICMPs($4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
-dropInvalid
+Invalid(DROP,$1)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB(REJECT)
-DropUPnP
+SMB($3)
+DropUPnP($5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-dropNotSyn	-	-	tcp
+NotSyn(DROP,$1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep
+DropDNSrep($5)
--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -0,0 +1,63 @@
+#
+# Shorewall version 4 - Drop Smurfs Action
+#
+# /usr/share/shorewall/action.DropSmurfs
+#
+#   Accepts a single optional parameter:
+#
+#          -     = Do not Audit
+#          audit = Audit dropped packets.
+#
+#################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+use strict;
+use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::Chains;
+
+
+my ( $disposition, $audit ) = get_action_params( 2 );
+
+my $chainref        = get_action_chain;
+my ( $level, $tag ) = get_action_logging;
+
+fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/; 
+
+if ( $level ne '-' || $audit ne '-' ) {
+    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
+
+    log_rule_limit( $level,
+		    $logchainref,
+		    $chainref->{name},
+		    $disposition,
+		    '',
+		    $tag,
+		    'add',
+		    '' ) if $level;
+
+    if ( supplied $audit ) {
+	fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
+	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
+	add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
+    } 
+
+    add_ijump( $logchainref, g => $disposition );
+
+    $disposition = $logchainref;
+}
+		    
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
+add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
+
+END PERL;
+
+
+    
+
+
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -35,5 +35,10 @@
 #ACTION
 A_Drop 		    # Audited Default Action for DROP policy
 A_Reject	    # Audited Default action for REJECT policy
+Broadcast	    # Handles Broadcast/Multicast/Anycast
 Drop		    # Default Action for DROP policy
+DropSmurfs          # Drop smurf packets
+Invalid             # Handles packets in the INVALID conntrack state
+NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject		    # Default Action for REJECT policy
+TCPFlags            # Handle bad flag combinations.
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
--- a/Shorewall/configfiles/blrules
+++ b/Shorewall/configfiles/blrules
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Blacklist Rules File
+#
+# For information about entries in this file, type "man shorewall-blrules"
+#
+# Please see http://shorewall.net/blacklisting_support.htm for additional
+# information.
+#
+###################################################################################################################################################################################################
+#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#									PORT	PORT(S)		DEST		LIMIT		GROUP
+
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -6,6 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
-###############################################################################
+#############################################################################################
 #INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
 #											GROUP
--- a/Shorewall/configfiles/netmap
+++ b/Shorewall/configfiles/netmap
@@ -6,5 +6,6 @@
 # See http://shorewall.net/netmap.html for an example and usage
 # information.
 #
-###############################################################################
-#TYPE	NET1			INTERFACE	NET2		NET3
+##############################################################################################
+#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
+#										PORT(S)	PORT(S)
--- a/Shorewall/configfiles/notrack
+++ b/Shorewall/configfiles/notrack
@@ -4,5 +4,6 @@
 # For information about entries in this file, type "man shorewall-notrack"
 #
 #####################################################################################
-#SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
-#					PORT(S)		PORT(S)	GROUP
+FORMAT 2
+#ACTION		SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
+#							PORT(S)		PORT(S)	GROUP
--- a/Shorewall/configfiles/route_rules
+++ b/Shorewall/configfiles/route_rules
@@ -1,8 +1,8 @@
 #
-# Shorewall version 4 - route_rules File
+# Shorewall version 4 - route rules File
 #
-# For information about entries in this file, type "man shorewall-route_rules"
+# For information about entries in this file, type "man shorewall-rtrules"
 #
 # For additional information, see http://www.shorewall.net/MultiISP.html
-##############################################################################
-#SOURCE			DEST			PROVIDER	PRIORITY
+####################################################################################
+#SOURCE			DEST			PROVIDER	PRIORITY	MASK
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -6,9 +6,10 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
--- a/Show More
+++ b/Show More