Update known problems

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Rename DESTIFAC_DISALLOW -> DESTIFACE_DISALLOW
2010-09-21 07:50:13 -07:00 · 2010-09-20 09:40:31 -07:00 · 2010-09-20 08:15:24 -07:00 · 2010-09-20 07:25:33 -07:00 · 2010-09-19 15:19:48 -07:00 · 2010-09-19 15:13:54 -07:00
279 changed files with 15416 additions and 20268 deletions
--- a/Samples/Universal/shorewall.conf
+++ b/Samples/Universal/shorewall.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-#  Shorewall Version 4.4 -- /etc/shorewall/shorewall.conf
+#  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
@@ -18,180 +18,188 @@ STARTUP_ENABLED=Yes
 VERBOSITY=1

 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################

-BLACKLIST_LOGLEVEL=
+LOGFILE=

-LOG_MARTIANS=Yes
+STARTUP_LOG=/var/log/shorewall-init.log

 LOG_VERBOSITY=2

-LOGALLNEW=
-
-LOGFILE=/var/log/messages
-
 LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

 LOGLIMIT=

+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
 MACLIST_LOG_LEVEL=info

-SFILTER_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info

-STARTUP_LOG=/var/log/shorewall-init.log
-
-TCP_FLAGS_LOG_LEVEL=info
+LOG_MARTIANS=Yes

 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
 IPTABLES=

 IP=

-IPSET=
+TC=

-MODULESDIR=
+IPSET=

 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-RESTOREFILE=restore
-
 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=

-TC=
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
+RESTOREFILE=
+
+IPSECFILE=zones
+
+LOCKFILE=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
+IP_FORWARDING=On

 ADD_IP_ALIASES=No

 ADD_SNAT_ALIASES=No

-ADMINISABSENTMINDED=Yes
-
-AUTO_COMMENT=Yes
-
-AUTOMAKE=No
-
-BLACKLISTNEWONLY=Yes
-
-CLAMPMSS=No
-
-CLEAR_TC=Yes
-
-COMPLETE=Yes
-
-DISABLE_IPV6=No
-
-DELETE_THEN_ADD=Yes
-
-DETECT_DNAT_IPADDRS=No
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=Yes
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=Yes
-
-FORWARD_CLEAR_MARK=
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-IP_FORWARDING=On
-
-KEEP_RT_TABLES=No
-
-LOAD_HELPERS_ONLY=Yes
-
-LEGACY_FASTSTART=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MAPOLDACTIONS=No
-
-MARK_IN_FORWARD_CHAIN=No
-
-MODULE_SUFFIX=ko
-
-MULTICAST=No
-
-MUTEX_TIMEOUT=60
-
-NULL_ROUTE_RFC1918=No
-
-OPTIMIZE=15
-
-OPTIMIZE_ACCOUNTING=No
-
-REQUIRE_INTERFACE=Yes
-
-RESTORE_DEFAULT_ROUTE=Yes
-
 RETAIN_ALIASES=No

-ROUTE_FILTER=No
-
-SAVE_IPSETS=No
-
 TC_ENABLED=Internal

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+ROUTE_FILTER=No
+
+DETECT_DNAT_IPADDRS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=ko
+
+DISABLE_IPV6=No
+
+BRIDGING=No
+
+DYNAMIC_ZONES=No
+
+PKTTYPE=Yes
+
+NULL_ROUTE_RFC1918=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+SAVE_IPSETS=No
+
+MAPOLDACTIONS=No
+
+FASTACCEPT=Yes
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+USE_ACTIONS=Yes
+
+OPTIMIZE=15
+
+EXPORTPARAMS=Yes
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=No
+
+DELETE_THEN_ADD=Yes
+
+MULTICAST=No
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes

 USE_DEFAULT_RT=No

+RESTORE_DEFAULT_ROUTE=Yes
+
+AUTOMAKE=No
+
 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
 ZONE2ZONE=2

+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=Yes
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -200,17 +208,6 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

-SMURF_DISPOSITION=DROP
-
-SFILTER_DISPOSITION=DROP
-
 TCP_FLAGS_DISPOSITION=DROP

-################################################################################
-#                            L E G A C Y  O P T I O N
-#                      D O  N O T  D E L E T E  O R  A L T E R
-################################################################################
-
-IPSECFILE=zones
-
 #LAST LINE -- DO NOT REMOVE
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -29,180 +29,188 @@ STARTUP_ENABLED=No
 VERBOSITY=1

 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################

-BLACKLIST_LOGLEVEL=
+LOGFILE=/var/log/messages

-LOG_MARTIANS=Yes
+STARTUP_LOG=/var/log/shorewall-init.log

 LOG_VERBOSITY=2

-LOGALLNEW=
-
-LOGFILE=/var/log/messages
-
 LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

 LOGLIMIT=

+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
 MACLIST_LOG_LEVEL=info

-SFILTER_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info

-STARTUP_LOG=/var/log/shorewall-init.log
-
-TCP_FLAGS_LOG_LEVEL=info
+LOG_MARTIANS=Yes

 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
 IPTABLES=

 IP=

-IPSET=
+TC=

-MODULESDIR=
+IPSET=

 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-RESTOREFILE=restore
-
 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=

-TC=
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
+RESTOREFILE=
+
+IPSECFILE=zones
+
+LOCKFILE=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
+IP_FORWARDING=Off

 ADD_IP_ALIASES=No

 ADD_SNAT_ALIASES=No

-ADMINISABSENTMINDED=Yes
-
-AUTO_COMMENT=Yes
-
-AUTOMAKE=No
-
-BLACKLISTNEWONLY=Yes
-
-CLAMPMSS=No
-
-CLEAR_TC=Yes
-
-COMPLETE=No
-
-DISABLE_IPV6=No
-
-DELETE_THEN_ADD=Yes
-
-DETECT_DNAT_IPADDRS=No
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=Yes
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=No
-
-FORWARD_CLEAR_MARK=
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-IP_FORWARDING=Off
-
-KEEP_RT_TABLES=No
-
-LOAD_HELPERS_ONLY=Yes
-
-LEGACY_FASTSTART=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MAPOLDACTIONS=No
-
-MARK_IN_FORWARD_CHAIN=No
-
-MODULE_SUFFIX=ko
-
-MULTICAST=No
-
-MUTEX_TIMEOUT=60
-
-NULL_ROUTE_RFC1918=No
-
-OPTIMIZE=1
-
-OPTIMIZE_ACCOUNTING=No
-
-REQUIRE_INTERFACE=No
-
-RESTORE_DEFAULT_ROUTE=Yes
-
 RETAIN_ALIASES=No

-ROUTE_FILTER=No
-
-SAVE_IPSETS=No
-
 TC_ENABLED=Internal

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+ROUTE_FILTER=No
+
+DETECT_DNAT_IPADDRS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=ko
+
+DISABLE_IPV6=No
+
+BRIDGING=No
+
+DYNAMIC_ZONES=No
+
+PKTTYPE=Yes
+
+NULL_ROUTE_RFC1918=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+SAVE_IPSETS=No
+
+MAPOLDACTIONS=No
+
+FASTACCEPT=No
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+USE_ACTIONS=Yes
+
+OPTIMIZE=1
+
+EXPORTPARAMS=No
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=No
+
+DELETE_THEN_ADD=Yes
+
+MULTICAST=No
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes

 USE_DEFAULT_RT=No

+RESTORE_DEFAULT_ROUTE=Yes
+
+AUTOMAKE=No
+
 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
 ZONE2ZONE=2

+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -211,17 +219,6 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

-SMURF_DISPOSITION=DROP
-
-SFILTER_DISPOSITION=DROP
-
 TCP_FLAGS_DISPOSITION=DROP

-################################################################################
-#                            L E G A C Y  O P T I O N
-#                      D O  N O T  D E L E T E  O R  A L T E R
-################################################################################
-
-IPSECFILE=zones
-
 #LAST LINE -- DO NOT REMOVE
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -3,7 +3,6 @@
 # Shorewall version 4.0 - Sample shorewall.conf for three-interface
 #                         configuration.
 # Copyright (C) 2006 by the Shorewall Team
-#               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -18,6 +17,9 @@
 # http://shorewall.net/manpages/shorewall.conf.html
 #
 ###############################################################################
+#		       S T A R T U P   E N A B L E D
+###############################################################################
+
 STARTUP_ENABLED=No

 ###############################################################################
@@ -27,180 +29,188 @@ STARTUP_ENABLED=No
 VERBOSITY=1

 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################

-BLACKLIST_LOGLEVEL=
+LOGFILE=/var/log/messages

-LOG_MARTIANS=Yes
+STARTUP_LOG=/var/log/shorewall-init.log

 LOG_VERBOSITY=2

-LOGALLNEW=
-
-LOGFILE=/var/log/messages
-
 LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

 LOGLIMIT=

+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
 MACLIST_LOG_LEVEL=info

-SFILTER_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info

-STARTUP_LOG=/var/log/shorewall-init.log
-
-TCP_FLAGS_LOG_LEVEL=info
+LOG_MARTIANS=Yes

 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
 IPTABLES=

 IP=

-IPSET=
+TC=

-MODULESDIR=
+IPSET=

 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-RESTOREFILE=restore
-
 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=

-TC=
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
+RESTOREFILE=
+
+IPSECFILE=zones
+
+LOCKFILE=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
+IP_FORWARDING=On

 ADD_IP_ALIASES=No

 ADD_SNAT_ALIASES=No

-ADMINISABSENTMINDED=Yes
-
-AUTO_COMMENT=Yes
-
-AUTOMAKE=No
-
-BLACKLISTNEWONLY=Yes
-
-CLAMPMSS=Yes
-
-CLEAR_TC=Yes
-
-COMPLETE=No
-
-DISABLE_IPV6=No
-
-DELETE_THEN_ADD=Yes
-
-DETECT_DNAT_IPADDRS=No
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=Yes
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=No
-
-FORWARD_CLEAR_MARK=
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-IP_FORWARDING=On
-
-KEEP_RT_TABLES=No
-
-LOAD_HELPERS_ONLY=Yes
-
-LEGACY_FASTSTART=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MAPOLDACTIONS=No
-
-MARK_IN_FORWARD_CHAIN=No
-
-MODULE_SUFFIX=ko
-
-MULTICAST=No
-
-MUTEX_TIMEOUT=60
-
-NULL_ROUTE_RFC1918=No
-
-OPTIMIZE=1
-
-OPTIMIZE_ACCOUNTING=No
-
-REQUIRE_INTERFACE=No
-
-RESTORE_DEFAULT_ROUTE=Yes
-
 RETAIN_ALIASES=No

-ROUTE_FILTER=No
-
-SAVE_IPSETS=No
-
 TC_ENABLED=Internal

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=Yes
+
+ROUTE_FILTER=No
+
+DETECT_DNAT_IPADDRS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=ko
+
+DISABLE_IPV6=No
+
+BRIDGING=No
+
+DYNAMIC_ZONES=No
+
+PKTTYPE=Yes
+
+NULL_ROUTE_RFC1918=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+SAVE_IPSETS=No
+
+MAPOLDACTIONS=No
+
+FASTACCEPT=No
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+USE_ACTIONS=Yes
+
+OPTIMIZE=1
+
+EXPORTPARAMS=No
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=No
+
+DELETE_THEN_ADD=Yes
+
+MULTICAST=No
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes

 USE_DEFAULT_RT=No

+RESTORE_DEFAULT_ROUTE=Yes
+
+AUTOMAKE=No
+
 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
 ZONE2ZONE=2

+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -209,17 +219,6 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

-SMURF_DISPOSITION=DROP
-
-SFILTER_DISPOSITION=DROP
-
 TCP_FLAGS_DISPOSITION=DROP

-################################################################################
-#                            L E G A C Y  O P T I O N
-#                      D O  N O T  D E L E T E  O R  A L T E R
-################################################################################
-
-IPSECFILE=zones
-
 #LAST LINE -- DO NOT REMOVE
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -3,7 +3,6 @@
 # Shorewall version 4.0 - Sample shorewall.conf for two-interface
 #                         configuration.
 # Copyright (C) 2006,2007 by the Shorewall Team
-#               2011 by Thomas M. Eastep            
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -30,180 +29,195 @@ STARTUP_ENABLED=No
 VERBOSITY=1

 ###############################################################################
-#		                L O G G I N G
+#                              C O M P I L E R
+#      (setting this to 'perl' requires installation of Shorewall-perl)
 ###############################################################################

-BLACKLIST_LOGLEVEL=
+SHOREWALL_COMPILER=

-LOG_MARTIANS=Yes
-
-LOG_VERBOSITY=2
-
-LOGALLNEW=
+###############################################################################
+#			       L O G G I N G
+###############################################################################

 LOGFILE=/var/log/messages

+STARTUP_LOG=/var/log/shorewall-init.log
+
+LOG_VERBOSITY=2
+
 LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

 LOGLIMIT=

+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
 MACLIST_LOG_LEVEL=info

-SFILTER_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info

-STARTUP_LOG=/var/log/shorewall-init.log
-
-TCP_FLAGS_LOG_LEVEL=info
+LOG_MARTIANS=Yes

 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
-
 IPTABLES=

 IP=

-IPSET=
+TC=

-MODULESDIR=
+IPSET=

 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-RESTOREFILE=restore
-
 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=

-TC=
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
+RESTOREFILE=
+
+IPSECFILE=zones
+
+LOCKFILE=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
+IP_FORWARDING=On

 ADD_IP_ALIASES=No

 ADD_SNAT_ALIASES=No

-ADMINISABSENTMINDED=Yes
-
-AUTO_COMMENT=Yes
-
-AUTOMAKE=No
-
-BLACKLISTNEWONLY=Yes
-
-CLAMPMSS=Yes
-
-CLEAR_TC=Yes
-
-COMPLETE=No
-
-DISABLE_IPV6=No
-
-DELETE_THEN_ADD=Yes
-
-DETECT_DNAT_IPADDRS=No
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=Yes
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=No
-
-FORWARD_CLEAR_MARK=
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-IP_FORWARDING=On
-
-KEEP_RT_TABLES=No
-
-LOAD_HELPERS_ONLY=Yes
-
-LEGACY_FASTSTART=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MAPOLDACTIONS=No
-
-MARK_IN_FORWARD_CHAIN=No
-
-MODULE_SUFFIX=ko
-
-MULTICAST=No
-
-MUTEX_TIMEOUT=60
-
-NULL_ROUTE_RFC1918=No
-
-OPTIMIZE=1
-
-OPTIMIZE_ACCOUNTING=No
-
-REQUIRE_INTERFACE=No
-
-RESTORE_DEFAULT_ROUTE=Yes
-
 RETAIN_ALIASES=No

-ROUTE_FILTER=No
-
-SAVE_IPSETS=No
-
 TC_ENABLED=Internal

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=Yes
+
+ROUTE_FILTER=No
+
+DETECT_DNAT_IPADDRS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=ko
+
+DISABLE_IPV6=No
+
+BRIDGING=No
+
+DYNAMIC_ZONES=No
+
+PKTTYPE=Yes
+
+NULL_ROUTE_RFC1918=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+SAVE_IPSETS=No
+
+MAPOLDACTIONS=No
+
+FASTACCEPT=No
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+USE_ACTIONS=Yes
+
+OPTIMIZE=1
+
+EXPORTPARAMS=No
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=No
+
+DELETE_THEN_ADD=Yes
+
+MULTICAST=No
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes

 USE_DEFAULT_RT=No

+RESTORE_DEFAULT_ROUTE=Yes
+
+AUTOMAKE=No
+
 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
 ZONE2ZONE=2

+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -212,17 +226,6 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

-SMURF_DISPOSITION=DROP
-
-SFILTER_DISPOSITION=DROP
-
 TCP_FLAGS_DISPOSITION=DROP

-################################################################################
-#                            L E G A C Y  O P T I O N
-#                      D O  N O T  D E L E T E  O R  A L T E R
-################################################################################
-
-IPSECFILE=zones
-
 #LAST LINE -- DO NOT REMOVE
--- a/Samples6/Universal/shorewall6.conf
+++ b/Samples6/Universal/shorewall6.conf
@@ -22,163 +22,147 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################

-BLACKLIST_LOGLEVEL=
-
-LOG_VERBOSITY=2
-
-LOGALLNEW=
-
 LOGFILE=

-LOGFORMAT="Shorewall:%s:%s:"
-
-LOGLIMIT=
-
-LOGTAGONLY=No
-
-MACLIST_LOG_LEVEL=info
-
-SFILTER_LOG_LEVEL=info
-
-SMURF_LOG_LEVEL=info
-
 STARTUP_LOG=/var/log/shorewall6-init.log

+LOG_VERBOSITY=2
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGLIMIT=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
 TCP_FLAGS_LOG_LEVEL=info

+SMURF_LOG_LEVEL=info
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
-
 IP6TABLES=

 IP=

-IPSET=
+TC=

-MODULESDIR=
+IPSET=

 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-RESTOREFILE=
-
 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=

-TC=
+MODULESDIR=
+
+CONFIG_PATH=/usr/share/shorewall6:/usr/share/shorewall
+
+RESTOREFILE=
+
+LOCKFILE=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
-
-ADMINISABSENTMINDED=Yes
-
-AUTO_COMMENT=Yes
-
-AUTOMAKE=No
-
-BLACKLISTNEWONLY=Yes
-
-CLAMPMSS=No
-
-CLEAR_TC=Yes
-
-COMPLETE=Yes
-
-DELETE_THEN_ADD=Yes
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=Yes
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=Yes
-
-FORWARD_CLEAR_MARK=
-
-HIGH_ROUTE_MARKS=No
-
-IMPLICIT_CONTINUE=No
-
 IP_FORWARDING=Off

-KEEP_RT_TABLES=Yes
-
-LEGACY_FASTSTART=No
-
-LOAD_HELPERS_ONLY=Yes
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-MODULE_SUFFIX=ko
-
-MUTEX_TIMEOUT=60
-
-OPTIMIZE=15
-
-OPTIMIZE_ACCOUNTING=No
-
-REQUIRE_INTERFACE=Yes
-
 TC_ENABLED=No

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+MODULE_SUFFIX=ko
+
+FASTACCEPT=Yes
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+OPTIMIZE=15
+
+EXPORTPARAMS=Yes
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=Yes
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
+
+AUTOMAKE=No

 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
 ZONE2ZONE=2

+ACCOUNTING=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+DYNAMIC_BLACKLIST=Yes
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=Yes
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=Yes
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

 BLACKLIST_DISPOSITION=DROP

-MACLIST_DISPOSITION=REJECTTTT
-
-SFILTER_DISPOSITION=DROP
-
-SMURF_DISPOSITION=DROP
-
 TCP_FLAGS_DISPOSITION=DROP

 #LAST LINE -- DO NOT REMOVE
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -1,11 +1,19 @@
 ###############################################################################
 #
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+# Shorewall6 version 4 - Sample shorewall.conf for one-interface configuration.
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
-#  For information about the settings in this file, type "man shorewall6.conf"
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
 #
-#  Manpage also online at
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+# See the file README.txt for further details.
+#
+# For information about the settings in this file, type "man shorewall6.conf"
+#
+# The manpage is also online at 
+# http://shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -22,163 +30,141 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################

-BLACKLIST_LOGLEVEL=
-
-LOG_VERBOSITY=2
-
-LOGALLNEW=
-
-LOGFILE=
-
-LOGFORMAT="Shorewall:%s:%s:"
-
-LOGLIMIT=
-
-LOGTAGONLY=No
-
-MACLIST_LOG_LEVEL=info
-
-SFILTER_LOG_LEVEL=info
-
-SMURF_LOG_LEVEL=info
+LOGFILE=/var/log/messages

 STARTUP_LOG=/var/log/shorewall6-init.log

+LOG_VERBOSITY=2
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGLIMIT=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
 TCP_FLAGS_LOG_LEVEL=info

+SMURF_LOG_LEVEL=info
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
-
 IP6TABLES=

-IP=
-
-IPSET=
-
-MODULESDIR=
-
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-RESTOREFILE=
-
 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=

-TC=
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
+
+RESTOREFILE=
+
+LOCKFILE=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
-
-ADMINISABSENTMINDED=Yes
-
-AUTO_COMMENT=Yes
-
-AUTOMAKE=No
-
-BLACKLISTNEWONLY=Yes
-
-CLAMPMSS=No
-
-CLEAR_TC=Yes
-
-COMPLETE=No
-
-DELETE_THEN_ADD=Yes
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=No
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=No
-
-FORWARD_CLEAR_MARK=
-
-HIGH_ROUTE_MARKS=No
-
-IMPLICIT_CONTINUE=No
-
 IP_FORWARDING=Off

-KEEP_RT_TABLES=Yes
-
-LEGACY_FASTSTART=No
-
-LOAD_HELPERS_ONLY=Yes
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-MODULE_SUFFIX=ko
-
-MUTEX_TIMEOUT=60
-
-OPTIMIZE=1
-
-OPTIMIZE_ACCOUNTING=No
-
-REQUIRE_INTERFACE=No
-
 TC_ENABLED=No

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+MODULE_SUFFIX=ko
+
+FASTACCEPT=No
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+OPTIMIZE=1
+
+EXPORTPARAMS=No
+
+EXPAND_POLICIES=No
+
+KEEP_RT_TABLES=Yes
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
+
+AUTOMAKE=No

 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
 ZONE2ZONE=2

-###############################################################################
+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
+##############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

 BLACKLIST_DISPOSITION=DROP

-MACLIST_DISPOSITION=REJECT
-
-SFILTER_DISPOSITION=DROP
-
-SMURF_DISPOSITION=DROP
-
 TCP_FLAGS_DISPOSITION=DROP

 #LAST LINE -- DO NOT REMOVE
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -1,11 +1,19 @@
 ###############################################################################
 #
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+# Shorewall6 version 4 - Sample shorewall.conf for one-interface configuration.
+# Copyright (C) 2006,2008 by the Shorewall Team
 #
-#  For information about the settings in this file, type "man shorewall6.conf"
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
 #
-#  Manpage also online at
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+# See the file README.txt for further details.
+#
+# For information about the settings in this file, type "man shorewall6.conf"
+#
+# The manpage is also online at 
+# http://shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -22,163 +30,141 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################

-BLACKLIST_LOGLEVEL=
-
-LOG_VERBOSITY=2
-
-LOGALLNEW=
-
 LOGFILE=/var/log/messages

-LOGFORMAT="Shorewall:%s:%s:"
-
-LOGLIMIT=
-
-LOGTAGONLY=No
-
-MACLIST_LOG_LEVEL=info
-
-SFILTER_LOG_LEVEL=info
-
-SMURF_LOG_LEVEL=info
-
 STARTUP_LOG=/var/log/shorewall6-init.log

+LOG_VERBOSITY=2
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGLIMIT=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
 TCP_FLAGS_LOG_LEVEL=info

+SMURF_LOG_LEVEL=info
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
-
 IP6TABLES=

-IP=
-
-IPSET=
-
-MODULESDIR=
-
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-RESTOREFILE=
-
 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=

-TC=
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall6/:/usr/share/shorewall6:/usr/share/shorewall
+
+RESTOREFILE=
+
+LOCKFILE=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
-
-ADMINISABSENTMINDED=Yes
-
-AUTO_COMMENT=Yes
-
-AUTOMAKE=No
-
-BLACKLISTNEWONLY=Yes
-
-CLAMPMSS=No
-
-CLEAR_TC=Yes
-
-COMPLETE=No
-
-DELETE_THEN_ADD=Yes
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=Yes
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=No
-
-FORWARD_CLEAR_MARK=
-
-HIGH_ROUTE_MARKS=No
-
-IMPLICIT_CONTINUE=No
-
 IP_FORWARDING=On

-KEEP_RT_TABLES=Yes
-
-LEGACY_FASTSTART=No
-
-LOAD_HELPERS_ONLY=Yes
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-MODULE_SUFFIX=ko
-
-MUTEX_TIMEOUT=60
-
-OPTIMIZE=1
-
-OPTIMIZE_ACCOUNTING=No
-
-REQUIRE_INTERFACE=No
-
 TC_ENABLED=No

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+MODULE_SUFFIX=ko
+
+FASTACCEPT=No
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+OPTIMIZE=1
+
+EXPORTPARAMS=No
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=Yes
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
+
+AUTOMAKE=No

 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
 ZONE2ZONE=2

+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

 BLACKLIST_DISPOSITION=DROP

-MACLIST_DISPOSITION=REJECT
-
-SFILTER_DISPOSITION=DROP
-
-SMURF_DISPOSITION=DROP
-
 TCP_FLAGS_DISPOSITION=DROP

 #LAST LINE -- DO NOT REMOVE
--- a/Samples6/three-interfaces/zones
+++ b/Samples6/three-interfaces/zones
@@ -15,6 +15,6 @@
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
 fw	firewall
-net	ipv6
-loc	ipv6
-dmz	ipv6
+net	ipv4
+loc	ipv4
+dmz	ipv4
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -1,11 +1,19 @@
 ###############################################################################
 #
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+# Shorewall version 4.4 - Sample shorewall.conf for one-interface configuration.
+# Copyright (C) 2006 by the Shorewall Team
 #
-#  For information about the settings in this file, type "man shorewall6.conf"
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
 #
-#  Manpage also online at
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+# See the file README.txt for further details.
+#
+# For information about the settings in this file, type "man shorewall6.conf"
+#
+# The manpage is also online at 
+# http://shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -22,163 +30,141 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################

-BLACKLIST_LOGLEVEL=
-
-LOG_VERBOSITY=2
-
-LOGALLNEW=
-
 LOGFILE=/var/log/messages

-LOGFORMAT="Shorewall:%s:%s:"
-
-LOGLIMIT=
-
-LOGTAGONLY=No
-
-MACLIST_LOG_LEVEL=info
-
-SFILTER_LOG_LEVEL=info
-
-SMURF_LOG_LEVEL=info
-
 STARTUP_LOG=/var/log/shorewall6-init.log

+LOG_VERBOSITY=2
+
+LOGFORMAT="Shorewall:%s:%s:"
+
+LOGTAGONLY=No
+
+LOGLIMIT=
+
+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
 TCP_FLAGS_LOG_LEVEL=info

+SMURF_LOG_LEVEL=info
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
-
 IP6TABLES=

-IP=
-
-IPSET=
-
-MODULESDIR=
-
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-RESTOREFILE=
-
 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=

-TC=
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall6/:/usr/share/shorewall6:/usr/share/shorewall/
+
+RESTOREFILE=
+
+LOCKFILE=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
-NFQUEUE_DEFAULT="none"
-QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
-
-ADMINISABSENTMINDED=Yes
-
-AUTO_COMMENT=Yes
-
-AUTOMAKE=No
-
-BLACKLISTNEWONLY=Yes
-
-CLAMPMSS=No
-
-CLEAR_TC=Yes
-
-COMPLETE=No
-
-DELETE_THEN_ADD=Yes
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=No
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=No
-
-FORWARD_CLEAR_MARK=
-
-HIGH_ROUTE_MARKS=No
-
-IMPLICIT_CONTINUE=No
-
 IP_FORWARDING=On

-KEEP_RT_TABLES=Yes
-
-LEGACY_FASTSTART=No
-
-LOAD_HELPERS_ONLY=Yes
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MARK_IN_FORWARD_CHAIN=No
-
-MODULE_SUFFIX=ko
-
-MUTEX_TIMEOUT=60
-
-OPTIMIZE=1
-
-OPTIMIZE_ACCOUNTING=No
-
-REQUIRE_INTERFACE=No
-
 TC_ENABLED=No

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+MODULE_SUFFIX=ko
+
+FASTACCEPT=No
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+OPTIMIZE=1
+
+EXPORTPARAMS=No
+
+EXPAND_POLICIES=No
+
+KEEP_RT_TABLES=Yes
+
+DELETE_THEN_ADD=Yes
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes
+
+AUTOMAKE=No

 WIDE_TC_MARKS=Yes

+TRACK_PROVIDERS=Yes
+
 ZONE2ZONE=2

+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=Yes
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################

 BLACKLIST_DISPOSITION=DROP

-MACLIST_DISPOSITION=REJECT
-
-SFILTER_DISPOSITION=DROP
-
-SMURF_DISPOSITION=DROP
-
 TCP_FLAGS_DISPOSITION=DROP

 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall-init/COPYING
+++ b/Shorewall-init/COPYING
@@ -2,8 +2,7 @@
 		       Version 2, June 1991

 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                          51 Franklin Street, Fifth Floor,
-			  Boston, MA 02110-1301 USA
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

--- a/Shorewall-init/ifupdown.sh
+++ b/Shorewall-init/ifupdown.sh
@@ -22,52 +22,6 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-Debian_SuSE_ppp() {
-    NEWPRODUCTS=
-    INTERFACE="$1"
-
-    case $0 in
-	/etc/ppp/ip-*)
-	    #
-	    # IPv4
-	    #
-	    for product in $PRODUCTS; do
-		case $product in
-		    shorewall|shorewall-lite)
-			NEWPRODUCTS="$NEWPRODUCTS $product";
-			;;
-		esac
-	    done
-	    ;;
-	/etc/ppp/ipv6-*)
-	    #
-	    # IPv6
-	    #
-	    for product in $PRODUCTS; do
-		case $product in
-		    shorewall6|shorewall6-lite)
-			NEWPRODUCTS="$NEWPRODUCTS $product";
-			;;
-		esac
-	    done
-	    ;;
-	*)
-	    exit 0
-	    ;;
-    esac
-
-    PRODUCTS="$NEWPRODUCTS"
-
-    case $0 in
-	*up/*)
-	    COMMAND=up
-	    ;;
-	*)
-	    COMMAND=down
-	    ;;
-    esac
-}
-
 IFUPDOWN=0
 PRODUCTS=

@@ -80,103 +34,57 @@ fi
 [ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0

 if [ -f /etc/debian_version ]; then
-    case $0 in
-	/etc/ppp*)
-	    #
-	    # Debian ppp
-	    #
-	    Debian_SuSE_ppp
-	    ;;
+    #
+    # Debian ifupdown system
+    #
+    if [ "$MODE" = start ]; then
+	COMMAND=up
+    elif [ "$MODE" = stop ]; then
+	COMMAND=down
+    else
+	exit 0
+    fi

-	*)
-            #
-            # Debian ifupdown system
-            #
-	    INTERFACE="$IFACE"
-
-	    if [ "$MODE" = start ]; then
-		COMMAND=up
-	    elif [ "$MODE" = stop ]; then
-		COMMAND=down
-	    else
-		exit 0
-	    fi
-
-	    case "$PHASE" in
-		pre-*)
-		    exit 0
-		    ;;
-	    esac
+    case "$PHASE" in
+	pre-*)
+	    exit 0
 	    ;;
    esac
 elif [ -f /etc/SuSE-release ]; then
+    #
+    # SuSE ifupdown system
+    #
+    IFACE="$2"
+
    case $0 in
-	/etc/ppp*)
-	    #
-	    # SUSE ppp
-	    #
-	    Debian_SuSE_ppp
+	*if-up.d*)
+	    COMMAND=up
+	    ;;
+	*if-down.d*)
+	    COMMAND=down
 	    ;;
-	
 	*)
-            #
-            # SuSE ifupdown system
-            #
-	    INTERFACE="$2"
-
-	    case $0 in
-		*if-up.d*)
-		    COMMAND=up
-		    ;;
-		*if-down.d*)
-		    COMMAND=down
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
+	    exit 0
 	    ;;
    esac
 else
    #
    # Assume RedHat/Fedora/CentOS/Foobar/...
    #
-    case $0 in
-	/etc/ppp*)
-	    INTERFACE="$1"
+    IFACE="$1"
    
-	    case $0 in
-		*ip-up.local)
-		    COMMAND=up
-		    ;;
-		*ip-down.local)
-		    COMMAND=down
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
+    case $0 in 
+	*ifup*)
+	    COMMAND=up
+	    ;;
+	*ifdown*)
+	    COMMAND=down
+	    ;;
+	*dispatcher.d*)
+	    COMMAND="$2"
 	    ;;
 	*)
-	    #
-	    # RedHat ifup/down system
-	    #
-	    INTERFACE="$1"
-    
-	    case $0 in 
-		*ifup*)
-		    COMMAND=up
-		    ;;
-		*ifdown*)
-		    COMMAND=down
-		    ;;
-		*dispatcher.d*)
-		    COMMAND="$2"
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
+	    exit 0
 	    ;;
    esac
 fi
@@ -187,7 +95,7 @@ for PRODUCT in $PRODUCTS; do
    if [ -x $VARDIR/firewall ]; then
 	  ( . /usr/share/$PRODUCT/lib.base
 	    mutex_on
-	    ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
+	    ${VARDIR}/firewall -V0 $COMMAND $IFACE || echo_notdone
 	    mutex_off
 	  )
    fi
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -29,7 +29,7 @@
 # Required-start: $local_fs
 # Required-stop:  $local_fs
 # Default-Start:  2 3 5
-# Default-Stop:   6
+# Default-Stop:
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time
 #                    prior to bringing up the network.  
@@ -69,10 +69,6 @@ shorewall_start () {
      fi
  done

-  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-      ipset -R < "$SAVE_IPSETS"
-  fi
-
  return 0
 }

@@ -90,13 +86,6 @@ shorewall_stop () {
      fi
  done

-  if [ -n "$SAVE_IPSETS" ]; then
-      mkdir -p $(dirname "$SAVE_IPSETS")
-      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
-      fi
-  fi
-
  return 0
 }

--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
 #       Shorewall documentation is available at http://shorewall.net
@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=xxx #The Build script inserts the actual version.
+VERSION=4.4.13

 usage() # $1 = exit status
 {
@@ -88,6 +88,9 @@ install_file() # $1 = source $2 = target $3 = mode

 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"

+#
+# Parse the run line
+#
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
 # ARGS is "yes" if we've already parsed an argument
@@ -121,16 +124,6 @@ done

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-[ -n "${LIBEXEC:=/usr/share}" ]
-
-case "$LIBEXEC" in
-    /*)
-	;;
-    *)
-	LIBEXEC=/usr/${LIBEXEC}
-	;;
-esac
-
 #
 # Determine where to install the firewall script
 #
@@ -266,9 +259,9 @@ fi
 # Install the ifupdown script
 #

-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-init
+mkdir -p ${DESTDIR}/usr/share/shorewall-init

-install_file ifupdown.sh ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown 0544
+install_file ifupdown.sh ${DESTDIR}/usr/share/shorewall-init/ifupdown 0544

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
@@ -292,8 +285,11 @@ fi
 if [ -z "$DESTDIR" ]; then
    if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
-	    
-	    update-rc.d shorewall-init defaults
+	    if [ -x /sbin/insserv ]; then
+		insserv /etc/init.d/shorewall-init
+	    else
+		ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
+	    fi

 	    echo "Shorewall Init will start automatically at boot"
 	else
@@ -319,7 +315,6 @@ if [ -z "$DESTDIR" ]; then
 	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
-
 	fi
    fi
 else
@@ -335,32 +330,6 @@ else
    fi
 fi

-if [ -f ${DESTDIR}/etc/ppp ]; then
-    if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then
-	for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	    mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
-	    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
-	done
-    elif [ -n "$REDHAT" ]; then
-	#
-	# Must use the dreaded ip_xxx.local file
-	#
-	for file in ip-up.local ip-down.local; do
-	    FILE=${DESTDIR}/etc/ppp/$file
-	    if [ -f $FILE ]; then
-		if fgrep -q Shorewall-based $FILE ; then
-		    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
-		else
-		    echo "$FILE already exists -- ppp devices will not be handled"
-		    break
-		fi
-	    else
-		cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
-	    fi
-	done
-    fi
-fi
-
 #
 #  Report Success
 #
--- a/Shorewall-init/shorewall-init.spec
+++ b/Shorewall-init/shorewall-init.spec
@@ -0,0 +1,156 @@
+%define name shorewall-init
+%define version 4.4.13
+%define release 0base
+
+Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
+Name: %{name}
+Version: %{version}
+Release: %{release}
+License: GPLv2
+Packager: Tom Eastep <teastep@shorewall.net>
+Group: Networking/Utilities
+Source: %{name}-%{version}.tgz
+URL: http://www.shorewall.net/
+BuildArch: noarch
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+Requires: shoreline_firewall >= 4.4.10
+
+%description
+
+The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
+(iptables) based firewall that can be used on a dedicated firewall system,
+a multi-function gateway/ router/server or on a standalone GNU/Linux system.
+
+Shorewall Init is a companion product to Shorewall that allows for tigher
+control of connections during boot and that integrates Shorewall with
+ifup/ifdown and NetworkManager.
+
+%prep
+
+%setup
+
+%build
+
+%install
+export DESTDIR=$RPM_BUILD_ROOT ; \
+export OWNER=`id -n -u` ; \
+export GROUP=`id -n -g` ;\
+./install.sh
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+
+if [ $1 -eq 1 ]; then
+    if [ -x /sbin/insserv ]; then
+	/sbin/insserv /etc/rc.d/shorewall-init
+    elif [ -x /sbin/chkconfig ]; then
+	/sbin/chkconfig --add shorewall-init;
+    fi
+fi
+
+if [ -f /etc/SuSE-release ]; then
+    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-up.d/shorewall
+    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-down.d/shorewall
+else
+    if [ -f /sbin/ifup-local -o -f /sbin/ifdown-local ]; then
+	if ! grep -q Shorewall /sbin/ifup-local || ! grep -q Shorewall /sbin/ifdown-local; then
+	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; ifup/ifdown events will not be handled" >&2
+	else
+	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
+	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
+	fi
+    else
+	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
+	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
+    fi
+
+    if [ -d /etc/NetworkManager/dispatcher.d/ ]; then
+	cp -pf /usr/share/shorewall-init/ifupdown /etc/NetworkManager/dispatcher.d/01-shorewall
+    fi
+fi
+
+%preun
+
+if [ $1 -eq 0 ]; then
+    if [ -x /sbin/insserv ]; then
+	/sbin/insserv -r /etc/init.d/shorewall-init
+    elif [ -x /sbin/chkconfig ]; then
+	/sbin/chkconfig --del shorewall-init
+    fi
+
+    [ -f /sbin/ifup-local ]   && grep -q Shorewall /sbin/ifup-local   && rm -f /sbin/ifup-local
+    [ -f /sbin/ifdown-local ] && grep -q Shorewall /sbin/ifdown-local && rm -f /sbin/ifdown-local
+
+    rm -f /etc/NetworkManager/dispatcher.d/01-shorewall
+fi
+
+%files
+%defattr(0644,root,root,0755)
+%attr(0644,root,root) %config(noreplace) /etc/sysconfig/shorewall-init
+
+%attr(0544,root,root) /etc/init.d/shorewall-init
+%attr(0755,root,root) %dir /usr/share/shorewall-init
+
+%attr(0644,root,root) /usr/share/shorewall-init/version
+%attr(0544,root,root) /usr/share/shorewall-init/ifupdown
+
+%doc COPYING changelog.txt releasenotes.txt
+
+%changelog
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
+* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0base
+* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0RC1
+* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta3
+* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta2
+* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta1
+* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0base
+* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC2
+* Thu May 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC1
+* Wed May 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta4
+* Tue May 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta3
+* Thu May 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta2
+* Tue May 18 2010 Tom Eastep tom@shorewall.net
+- Initial version
+
+
+
--- a/Shorewall-init/sysconfig
+++ b/Shorewall-init/sysconfig
@@ -10,9 +10,3 @@ PRODUCTS=""
 # ifup/ifdown and NetworkManager events
 #
 IFUPDOWN=0
-#
-# Set this to the name of the file that is to hold
-# ipset contents. Shorewall-init will load those ipsets
-# during 'start' and will save them there during 'stop'.
-#
-SAVE_IPSETS=""
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,10 +1,10 @@
-\#!/bin/sh
+#!/bin/sh
 #
 # Script to back uninstall Shoreline Firewall
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx  #The Build script inserts the actual version
+VERSION=4.4.13

 usage() # $1 = exit status
 {
@@ -60,16 +60,12 @@ else
    VERSION=""
 fi

-[ -n "${LIBEXEC:=/usr/share}" ]
-
 echo "Uninstalling Shorewall Init $VERSION"

 INITSCRIPT=/etc/init.d/shorewall-init

 if [ -n "$INITSCRIPT" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
-	updaterc.d shorewall-init remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
        insserv -r $INITSCRIPT
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $INITSCRIPT)
@@ -94,20 +90,7 @@ remove_file /etc/network/if-down.d/shorewall
 remove_file /etc/sysconfig/network/if-up.d/shorewall
 remove_file /etc/sysconfig/network/if-down.d/shorewall

-if [ -d /etc/ppp ]; then
-    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	remove_file /etc/ppp/$directory/shorewall
-    done
-
-    for file in if-up.local if-down.local; do
-	if fgrep -q Shorewall-based /etc/ppp/$FILE; then
-	    remove_file /etc/ppp/$FILE
-	fi
-    done
-fi
-
 rm -rf /usr/share/shorewall-init
-rm -rf ${LIBEXEC}/shorewall-init

 echo "Shorewall Init Uninstalled"

--- a/Shorewall-lite/COPYING
+++ b/Shorewall-lite/COPYING
@@ -2,8 +2,7 @@
 		       Version 2, June 1991

 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                          51 Franklin Street, Fifth Floor,
-			  Boston, MA 02110-1301 USA
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -17,9 +17,10 @@ SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}

-[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
+[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0

 export SHOREWALL_INIT_SCRIPT
+
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
 test -n "$INITLOG" || {
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=xxx #The Build script inserts the actual version
+VERSION=4.4.13

 usage() # $1 = exit status
 {
@@ -123,16 +123,6 @@ done

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-[ -n "${LIBEXEC:=/usr/share}" ]
-
-case "$LIBEXEC" in
-    /*)
-	;;
-    *)
-	LIBEXEC=/usr/${LIBEXEC}
-	;;
-esac
-
 #
 # Determine where to install the firewall script
 #
@@ -199,7 +189,6 @@ else
    rm -rf ${DESTDIR}/etc/shorewall-lite
    rm -rf ${DESTDIR}/usr/share/shorewall-lite
    rm -rf ${DESTDIR}/var/lib/shorewall-lite
-    [ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall-lite/shorecap /usr/share/shorecap
 fi

 #
@@ -215,8 +204,6 @@ delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules

 install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544

-eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall-lite
-
 echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"

 #
@@ -238,7 +225,6 @@ echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
 #
 mkdir -p ${DESTDIR}/etc/shorewall-lite
 mkdir -p ${DESTDIR}/usr/share/shorewall-lite
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-lite
 mkdir -p ${DESTDIR}/var/lib/shorewall-lite

 chmod 755 ${DESTDIR}/etc/shorewall-lite
@@ -291,24 +277,24 @@ echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functi
 # Install Shorecap
 #

-install_file shorecap ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap 0755
+install_file shorecap ${DESTDIR}/usr/share/shorewall-lite/shorecap 0755

 echo
-echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap"
+echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall-lite/shorecap"

 #
 # Install wait4ifup
 #

 if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup 0755
+    install_file wait4ifup ${DESTDIR}/usr/share/shorewall-lite/wait4ifup 0755

    echo
-    echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup"
+    echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall-lite/wait4ifup"
 fi

 #
-# Install the Modules files
+# Install the Modules file
 #

 if [ -f modules ]; then
@@ -316,16 +302,6 @@ if [ -f modules ]; then
    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
 fi

-if [ -f helpers ]; then
-    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/shorewall-lite
-    echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall-lite/helpers"
-fi
-
-for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/shorewall-lite/$f
-    echo "Module file $f installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
-done
-
 #
 # Install the Man Pages
 #
@@ -379,8 +355,6 @@ if [ -z "$DESTDIR" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite

-	    update-rc.d shorewall-lite defaults
-
 	    if [ -x /sbin/insserv ]; then
 		insserv /etc/init.d/shorewall-lite
 	    else
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -1,10 +1,10 @@
 #!/bin/sh
 #
-#     Shorewall Lite Packet Filtering Firewall Control Program - V4.4
+#     Shorewall Lite Packet Filtering Firewall Control Program - V4.1
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall-lite.
 #
@@ -94,9 +94,9 @@ get_config() {
    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages

    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
-	g_logread="logread | tac"
+	LOGREAD="logread | tac"
    elif [ -r $LOGFILE ]; then
-	g_logread="tac $LOGFILE"
+	LOGREAD="tac $LOGFILE"
    else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	exit 2
@@ -113,6 +113,10 @@ get_config() {

    [ -n "$FW" ] || FW=fw

+    [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
+
+    [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
+
    if [ -n "$IPTABLES" ]; then
 	if [ ! -x "$IPTABLES" ]; then
 	    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
@@ -141,12 +145,6 @@ get_config() {

    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))

-    if [ $VERBOSITY -lt -1 ]; then
-	VERBOSITY=-1
-    elif [ $VERBOSITY -gt 2 ]; then
-	VERBOSITY=2
-    fi
-
    g_hostname=$(hostname 2> /dev/null)

    IP=$(mywhich ip 2> /dev/null)
@@ -177,15 +175,6 @@ verify_firewall_script() {
    fi
 }

-#
-# Fatal error
-#
-startup_error() {
-    echo "   ERROR: $@" >&2
-    kill $$
-    exit 1
-}
-
 #
 # Start Command Executor
 #
@@ -474,13 +463,6 @@ g_use_verbosity=
 g_noroutes=
 g_timestamp=
 g_recovering=
-g_logread=
-
-#
-# Make sure that these variables are cleared
-#
-VERBOSE=
-VERBOSITY=

 finished=0

@@ -570,7 +552,6 @@ MUTEX_TIMEOUT=
 SHAREDIR=/usr/share/shorewall-lite
 CONFDIR=/etc/shorewall-lite
 g_product="Shorewall Lite"
-g_libexec=share

 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]

--- a/Shorewall-lite/shorewall-lite.conf
+++ b/Shorewall-lite/shorewall-lite.conf
@@ -21,7 +21,6 @@
 ###############################################################################
 #		              V E R B O S I T Y
 ###############################################################################
-
 VERBOSITY=

 ###############################################################################
@@ -30,6 +29,8 @@ VERBOSITY=

 LOGFILE=

+LOGFORMAT=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -0,0 +1,386 @@
+%define name shorewall-lite
+%define version 4.4.13
+%define release 0base
+
+Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
+Name: %{name}
+Version: %{version}
+Release: %{release}
+License: GPLv2
+Packager: Tom Eastep <teastep@shorewall.net>
+Group: Networking/Utilities
+Source: %{name}-%{version}.tgz
+URL: http://www.shorewall.net/
+BuildArch: noarch
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+Requires: iptables iproute
+Provides: shoreline_firewall = %{version}-%{release}
+
+%description
+
+The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
+(iptables) based firewall that can be used on a dedicated firewall system,
+a multi-function gateway/ router/server or on a standalone GNU/Linux system.
+
+Shorewall Lite is a companion product to Shorewall that allows network
+administrators to centralize the configuration of Shorewall-based firewalls.
+
+%prep
+
+%setup
+
+%build
+
+%install
+export DESTDIR=$RPM_BUILD_ROOT ; \
+export OWNER=`id -n -u` ; \
+export GROUP=`id -n -g` ;\
+./install.sh
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%pre
+
+if [ -f /etc/shorewall-lite/shorewall.conf ]; then
+    cp -fa /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall.conf.rpmsave
+fi
+
+%post
+
+if [ $1 -eq 1 ]; then
+    if [ -x /sbin/insserv ]; then
+	/sbin/insserv /etc/rc.d/shorewall-lite
+    elif [ -x /sbin/chkconfig ]; then
+	/sbin/chkconfig --add shorewall-lite;
+    fi
+elif [ -f /etc/shorewall-lite/shorewall.conf.rpmsave ]; then
+    mv -f /etc/shorewall-lite/shorewall-lite.conf /etc/shorewall-lite/shorewall-lite.conf.rpmnew
+    mv -f /etc/shorewall-lite/shorewall.conf.rpmsave /etc/shorewall-lite/shorewall-lite.conf
+    echo "/etc/shorewall-lite/shorewall.conf retained as /etc/shorewall-lite/shorewall-lite.conf"
+    echo "/etc/shorewall-lite/shorewall-lite.conf installed as /etc/shorewall-lite/shorewall-lite.conf.rpmnew"
+fi
+
+%preun
+
+if [ $1 -eq 0 ]; then
+    if [ -x /sbin/insserv ]; then
+	/sbin/insserv -r /etc/init.d/shorewall-lite
+    elif [ -x /sbin/chkconfig ]; then
+	/sbin/chkconfig --del shorewall-lite
+    fi
+fi
+
+%files
+%defattr(0644,root,root,0755)
+%attr(0755,root,root) %dir /etc/shorewall-lite
+%attr(0644,root,root) %config(noreplace) /etc/shorewall-lite/shorewall-lite.conf
+%attr(0644,root,root) /etc/shorewall-lite/Makefile
+%attr(0544,root,root) /etc/init.d/shorewall-lite
+%attr(0755,root,root) %dir /usr/share/shorewall-lite
+%attr(0700,root,root) %dir /var/lib/shorewall-lite
+
+%attr(0644,root,root) /etc/logrotate.d/shorewall-lite
+
+%attr(0755,root,root) /sbin/shorewall-lite
+
+%attr(0644,root,root) /usr/share/shorewall-lite/version
+%attr(0644,root,root) /usr/share/shorewall-lite/configpath
+%attr(-   ,root,root) /usr/share/shorewall-lite/functions
+%attr(0644,root,root) /usr/share/shorewall-lite/lib.base
+%attr(0644,root,root) /usr/share/shorewall-lite/lib.cli
+%attr(0644,root,root) /usr/share/shorewall-lite/lib.common
+%attr(0644,root,root) /usr/share/shorewall-lite/modules
+%attr(0544,root,root) /usr/share/shorewall-lite/shorecap
+%attr(0755,root,root) /usr/share/shorewall-lite/wait4ifup
+
+%attr(0644,root,root) %{_mandir}/man5/shorewall-lite.conf.5.gz
+%attr(0644,root,root) %{_mandir}/man5/shorewall-lite-vardir.5.gz
+
+%attr(0644,root,root) %{_mandir}/man8/shorewall-lite.8.gz
+
+%doc COPYING changelog.txt releasenotes.txt
+
+%changelog
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
+* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0base
+* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0RC1
+* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta3
+* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta2
+* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta1
+* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0base
+* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC2
+* Thu May 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC1
+* Wed May 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta4
+* Tue May 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta3
+* Thu May 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta2
+* Thu May 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta2
+* Thu May 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta1
+* Mon May 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0base
+* Sun May 02 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0RC2
+* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0RC1
+* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta5
+* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta4
+* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta3
+* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta2
+* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta1
+* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0base
+* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC2
+* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC1
+* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta2
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta1
+* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0base
+* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC2
+* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC1
+* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta4
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta3
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta2
+* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta1
+* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0base
+* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0Beta1
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
+* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-0base
+* Mon Aug 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0base
+* Tue Jul 28 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0RC2
+* Sun Jul 12 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0RC1
+* Thu Jul 09 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0Beta4
+* Sat Jun 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0Beta3
+* Mon Jun 15 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0Beta2
+* Fri Jun 12 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0Beta1
+* Sun Jun 07 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.13-0base
+* Fri Jun 05 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.12-0base
+* Sun May 10 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.11-0base
+* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.10-0base
+* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.9-0base
+* Tue Mar 17 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.8-0base
+* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.7-0base
+* Fri Feb 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.6-0base
+* Sun Feb 22 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.5-0base
+* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.2.6-0base
+* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.2.6-0base
+* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.2.5-0base
+* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.4-0base
+* Fri Dec 05 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.3-0base
+* Wed Nov 05 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.2-0base
+* Wed Oct 08 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.1-0base
+* Fri Oct 03 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0base
+* Tue Sep 23 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0RC4
+* Mon Sep 15 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0RC3
+* Mon Sep 08 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0RC2
+* Tue Aug 19 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0RC1
+* Thu Jul 03 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0Beta3
+* Mon Jun 02 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0Beta2
+* Wed May 07 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0Beta1
+* Mon Apr 28 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.1.8-0base
+* Mon Mar 24 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.1.7-0base
+* Thu Mar 13 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.1.6-0base
+* Tue Feb 05 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.1.5-0base
+* Fri Jan 04 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.1.4-0base
+* Wed Dec 12 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.1.3-0base
+* Fri Dec 07 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.1.3-1
+* Tue Nov 27 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.1.2-1
+* Wed Nov 21 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.1.1-1
+* Mon Nov 19 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.1.0-1
+* Thu Nov 15 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-1
+* Sat Nov 10 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC3
+* Wed Nov 07 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC2
+* Thu Oct 25 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC1
+* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.5-1
+* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.4-1
+* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.3-1
+* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.2-1
+* Sat Jul 21 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.1-1
+* Wed Jul 11 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-1
+* Sun Jul 08 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0RC2
+* Mon Jul 02 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0RC1
+* Sun Jun 24 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta7
+* Wed Jun 20 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta6
+* Thu Jun 14 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta5
+* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta4
+* Tue Jun 05 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta3
+* Tue May 15 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta1
+* Fri May 11 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.7-1
+* Sat May 05 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.6-1
+* Mon Apr 30 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.5-1
+* Mon Apr 23 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.4-1
+* Wed Apr 18 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.3-1
+* Sat Apr 14 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.2-1
+* Sat Apr 07 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.1-1
+* Thu Mar 15 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.1-1
+* Sat Mar 10 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-1
+* Sun Feb 25 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0RC3
+* Sun Feb 04 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0RC2
+* Wed Jan 24 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0RC1
+* Mon Jan 22 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0Beta3
+* Wed Jan 03 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0Beta2
+- Handle rename of shorewall.conf
+* Thu Dec 14 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0Beta1
+* Sat Nov 25 2006 Tom Eastep tom@shorewall.net
+- Added shorewall-exclusion(5)
+- Updated to 3.3.6-1
+* Sun Nov 19 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.5-1
+* Sun Oct 29 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.4-1
+* Mon Oct 16 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.3-1
+* Sat Sep 30 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.2-1
+* Wed Aug 30 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.1-1
+* Wed Aug 09 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.0-1
+* Wed Aug 09 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.0-1
+
+
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx  #The Build script inserts the actual version
+VERSION=4.4.13

 usage() # $1 = exit status
 {
@@ -72,8 +72,6 @@ else
    VERSION=""
 fi

-[ -n "${LIBEXEC:=/usr/share}" ]
-
 echo "Uninstalling Shorewall Lite $VERSION"

 if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
@@ -87,9 +85,7 @@ else
 fi

 if [ -n "$FIREWALL" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
-	updaterc.d shorewall-lite remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
        insserv -r $FIREWALL
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
@@ -109,10 +105,9 @@ rm -rf /etc/shorewall-lite-*.bkout
 rm -rf /var/lib/shorewall-lite
 rm -rf /var/lib/shorewall-lite-*.bkout
 rm -rf /usr/share/shorewall-lite
-rm -rf ${LIBEXEC}/shorewall-lite
 rm -rf /usr/share/shorewall-lite-*.bkout
 rm -f  /etc/logrotate.d/shorewall-lite

-echo "Shorewall Lite Uninstalled"
+echo "Shorewall Uninstalled"


--- a/Shorewall/COPYING
+++ b/Shorewall/COPYING
@@ -2,8 +2,7 @@
 		       Version 2, June 1991

 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                          51 Franklin Street, Fifth Floor,
-			  Boston, MA 02110-1301 USA
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

--- a/Shorewall/Macros/macro.A_AllowICMPs
+++ b/Shorewall/Macros/macro.A_AllowICMPs
@@ -1,15 +0,0 @@
-#
-# Shorewall version 4 - Audited AllowICMPs Macro
-#
-# /usr/share/shorewall/macro.AAllowICMPs
-#
-#	This macro A_ACCEPTs needed ICMP types
-#
-###############################################################################
-#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#					PORT(S)	PORT(S)	LIMIT	GROUP
-
-COMMENT Needed ICMP types
-
-A_ACCEPT       -	-	icmp	fragmentation-needed
-A_ACCEPT       -	-	icmp	time-exceeded
--- a/Shorewall/Macros/macro.A_DropDNSrep
+++ b/Shorewall/Macros/macro.A_DropDNSrep
@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - Audited DropDNSrep Macro
-#
-# /usr/share/shorewall/macro.ADropDNSrep
-#
-#	This macro silently audites and drops DNS UDP replies
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-
-COMMENT Late DNS Replies
-
-A_DROP	-	-	udp	-	53
--- a/Shorewall/Macros/macro.A_DropUPnP
+++ b/Shorewall/Macros/macro.A_DropUPnP
@@ -1,14 +0,0 @@
-#
-# Shorewall version 4 - ADropUPnP Macro
-#
-# /usr/share/shorewall/macro.ADropUPnP
-#
-#	This macro silently drops UPnP probes on UDP port 1900
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-
-COMMENT UPnP
-
-A_DROP	-	-	udp	1900
--- a/Shorewall/Macros/macro.AllowICMPs
+++ b/Shorewall/Macros/macro.AllowICMPs
@@ -11,6 +11,5 @@

 COMMENT Needed ICMP types

-DEFAULT ACCEPT
-PARAM	-	-	icmp	fragmentation-needed
-PARAM	-	-	icmp	time-exceeded
+ACCEPT	-	-	icmp	fragmentation-needed
+ACCEPT	-	-	icmp	time-exceeded
--- a/Shorewall/Macros/macro.DropDNSrep
+++ b/Shorewall/Macros/macro.DropDNSrep
@@ -11,5 +11,4 @@

 COMMENT Late DNS Replies

-DEFAULT DROP
-PARAM	-	-	udp	-	53
+DROP	-	-	udp	-	53
--- a/Shorewall/Macros/macro.DropUPnP
+++ b/Shorewall/Macros/macro.DropUPnP
@@ -11,5 +11,4 @@

 COMMENT UPnP

-DEFAULT DROP
-PARAM	-	-	udp	1900
+DROP	-	-	udp	1900
--- a/Shorewall/Macros/macro.ICPV2
+++ b/Shorewall/Macros/macro.ICPV2
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - ICPV2 Macro
-#
-# /usr/share/shorewall/macro.ICPV2
-#
-#	This macro handles Internet Cache Protocol V2 (Squid) traffic
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	3130
--- a/Shorewall/Macros/macro.JAP
+++ b/Shorewall/Macros/macro.JAP
@@ -13,5 +13,5 @@
 PARAM	-	-	tcp	8080 # HTTP port
 PARAM	-	-	tcp	6544 # HTTP port
 PARAM	-	-	tcp	6543 # InfoService port
-HTTPS(PARAM)
-SSH(PARAM)
+HTTPS/PARAM
+SSH/PARAM
--- a/Shorewall/Macros/macro.Munin
+++ b/Shorewall/Macros/macro.Munin
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Munin Macro
-#
-# /usr/share/shorewall/macro.Munin
-#
-#	This macro handles Munin networked resource monitoring traffic
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	4949
--- a/Shorewall/Macros/macro.Squid
+++ b/Shorewall/Macros/macro.Squid
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Squid Macro
-#
-# /usr/share/shorewall/macro.Squid
-#
-#	This macro handles Squid web proxy traffic
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	3128
--- a/Shorewall/Macros/macro.template
+++ b/Shorewall/Macros/macro.template
@@ -15,7 +15,389 @@
 #	- All entries in a macro undergo substitution when the macro is
 #	  invoked in the rules file.
 #
-# Columns are the same as in /etc/shorewall/rules.
+#	- Macros used in action bodies may not invoke other macros.
+#
+# The columns in the file are the same as those in the action.template file but
+# have different restrictions:
+#
+# Columns are:
+#
+#	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
+#			LOG, QUEUE, PARAM or an <action> name.
+#
+#				ACCEPT	 -- allow the connection request
+#				ACCEPT+	 -- like ACCEPT but also excludes the
+#					    connection from any subsequent
+#					    DNAT[-] or REDIRECT[-] rules
+#				NONAT	 -- Excludes the connection from any
+#					    subsequent DNAT[-] or REDIRECT[-]
+#					    rules but doesn't generate a rule
+#					    to accept the traffic.
+#				DROP	 -- ignore the request
+#				REJECT	 -- disallow the request and return an
+#					    icmp-unreachable or an RST packet.
+#				DNAT	 -- Forward the request to another
+#					    system (and optionally another
+#					    port).
+#				DNAT-	 -- Advanced users only.
+#					    Like DNAT but only generates the
+#					    DNAT iptables rule and not
+#					    the companion ACCEPT rule.
+#				SAME	 -- Similar to DNAT except that the
+#					    port may not be remapped and when
+#					    multiple server addresses are
+#					    listed, all requests from a given
+#					    remote system go to the same
+#					    server.
+#				SAME-	 -- Advanced users only.
+#					    Like SAME but only generates the
+#					    NAT iptables rule and not
+#					    the companion ACCEPT rule.
+#				REDIRECT -- Redirect the request to a local
+#					    port on the firewall.
+#				REDIRECT-
+#					 -- Advanced users only.
+#					    Like REDIRET but only generates the
+#					    REDIRECT iptables rule and not
+#					    the companion ACCEPT rule.
+#
+#				CONTINUE -- (For experts only). Do not process
+#					    any of the following rules for this
+#					    (source zone,destination zone). If
+#					    The source and/or destination IP
+#					    address falls into a zone defined
+#					    later in /etc/shorewall/zones, this
+#					    connection request will be passed
+#					    to the rules defined for that
+#					    (those) zone(s).
+#				LOG	 -- Simply log the packet and continue.
+#				QUEUE	 -- Queue the packet to a user-space
+#					    application such as ftwall
+#					    (http://p2pwall.sf.net).
+#				PARAM	 -- If you code PARAM as the action in
+#					    a macro then when you invoke the
+#					    macro, you can include the name of
+#					    the macro followed by a slash ("/")
+#					    and an ACTION (either builtin or
+#					    user-defined. All instances of
+#					    PARAM in the body of the macro will
+#					    be replaced with the ACTION.
+#				<action> -- The name of an action defined in
+#					    /usr/share/shorewall/actions.std or
+#					    in /etc/shorewall/actions.
+#
+#			The ACTION may optionally be followed
+#			by ":" and a syslog log level (e.g, REJECT:info or
+#			DNAT:debug). This causes the packet to be
+#			logged at the specified level.
+#
+#			You may also specify ULOG (must be in upper case) as a
+#			log level.This will log to the ULOG target for routing
+#			to a separate log through use of ulogd
+#			(http://www.gnumonks.org/projects/ulogd).
+#
+#			Actions specifying logging may be followed by a
+#			log tag (a string of alphanumeric characters)
+#			are appended to the string generated by the
+#			LOGPREFIX (in /etc/shorewall/shorewall.conf).
+#
+#			Example: ACCEPT:info:ftp would include 'ftp '
+#			at the end of the log prefix generated by the
+#			LOGPREFIX setting.
+#
+#	SOURCE		Source hosts to which the rule applies. May be a zone
+#			defined in /etc/shorewall/zones, $FW to indicate the
+#			firewall itself, "all", "all+" or "none" If the ACTION
+#			is DNAT	or REDIRECT, sub-zones of the specified zone
+#			may be excluded from the rule by following the zone
+#			name with "!' and a comma-separated list of sub-zone
+#			names.
+#
+#			When "none" is used either in the SOURCE or DEST
+#			column, the rule is ignored.
+#
+#			When "all" is used either in the SOURCE or DEST column
+#			intra-zone traffic is not affected. When "all+" is
+#			used, intra-zone traffic is affected.
+#
+#			Except when "all[+]" is specified, clients may be
+#			further restricted to a list of subnets and/or hosts by
+#			appending ":" and a comma-separated list of subnets
+#			and/or hosts. Hosts may be specified by IP or MAC
+#			address; mac addresses must begin with "~" and must use
+#			"-" as a separator.
+#
+#			Hosts may be specified as an IP address range using the
+#			syntax <low address>-<high address>. This requires that
+#			your kernel and iptables contain iprange match support.
+#			If you kernel and iptables have ipset match support
+#			then you may give the name of an ipset prefaced by "+".
+#			The ipset name may be optionally followed by a number
+#			from 1 to 6 enclosed in square brackets ([]) to
+#			indicate the number of levels of source bindings to be
+#			matched.
+#
+#			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
+#
+#			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
+#						Internet
+#
+#			loc:192.168.1.1,192.168.1.2
+#						Hosts 192.168.1.1 and
+#						192.168.1.2 in the local zone.
+#			loc:~00-A0-C9-15-39-78	Host in the local zone with
+#						MAC address 00:A0:C9:15:39:78.
+#
+#			net:192.0.2.11-192.0.2.17
+#						Hosts 192.0.2.11-192.0.2.17 in
+#						the net zone.
+#
+#			Alternatively, clients may be specified by interface
+#			by appending ":" to the zone name followed by the
+#			interface name. For example, loc:eth1 specifies a
+#			client that communicates with the firewall system
+#			through eth1. This may be optionally followed by
+#			another colon (":") and an IP/MAC/subnet address
+#			as described above (e.g., loc:eth1:192.168.1.5).
+#
+#	DEST		Location of Server. May be a zone defined in
+#			/etc/shorewall/zones, $FW to indicate the firewall
+#			itself, "all". "all+" or "none".
+#
+#			When "none" is used either in the SOURCE or DEST
+#			column, the rule is ignored.
+#
+#			When "all" is used either in the SOURCE or DEST column
+#			intra-zone traffic is not affected. When "all+" is
+#			used, intra-zone traffic is affected.
+#
+#			Except when "all[+]" is specified, the server may be
+#			further restricted to a particular subnet, host or
+#			interface by appending ":" and the subnet, host or
+#			interface. See above.
+#
+#				Restrictions:
+#
+#				1. MAC addresses are not allowed.
+#				2. In DNAT rules, only IP addresses are
+#				   allowed; no FQDNs or subnet addresses
+#				   are permitted.
+#				3. You may not specify both an interface and
+#				   an address.
+#
+#			Like in the SOURCE column, you may specify a range of
+#			up to 256 IP addresses using the syntax
+#			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
+#			the connections will be assigned to addresses in the
+#			range in a round-robin fashion.
+#
+#			If you kernel and iptables have ipset match support
+#			then you may give the name of an ipset prefaced by "+".
+#			The ipset name may be optionally followed by a number
+#			from 1 to 6 enclosed in square brackets ([]) to
+#			indicate the number of levels of destination bindings
+#			to be matched. Only one of the SOURCE and DEST columns
+#			may specify an ipset name.
+#
+#			The port that the server is listening on may be
+#			included and separated from the server's IP address by
+#			":". If omitted, the firewall will not modifiy the
+#			destination port. A destination port may only be
+#			included if the ACTION is DNAT or REDIRECT.
+#
+#			Example: loc:192.168.1.3:3128 specifies a local
+#			server at IP address 192.168.1.3 and listening on port
+#			3128. The port number MUST be specified as an integer
+#			and not as a name from /etc/services.
+#
+#			if the ACTION is REDIRECT, this column needs only to
+#			contain the port number on the firewall that the
+#			request should be redirected to.
+#
+#	PROTO		Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
+#			"ipp2p", "ipp2p:udp", "ipp2p:all" a number, or "all".
+#                       "ipp2p*" requires ipp2p match support in your kernel
+#                       and iptables.
+#
+#			"tcp:syn" implies "tcp" plus the SYN flag must be
+#			set and the RST,ACK and FIN flags must be reset.
+#
+#	DEST PORT(S)	Destination Ports. A comma-separated list of Port
+#			names (from /etc/services), port numbers or port
+#			ranges; if the protocol is "icmp", this column is
+#			interpreted as the destination icmp-type(s).
+#
+#			If the protocol is ipp2p*, this column is interpreted
+#			as an ipp2p option without the leading "--" (example
+#			"bit" for bit-torrent). If no port is given, "ipp2p" is
+#			assumed.
+#
+#			A port range is expressed as <low port>:<high port>.
+#
+#			This column is ignored if PROTOCOL = all but must be
+#			entered if any of the following ields are supplied.
+#			In that case, it is suggested that this field contain
+#			 "-"
+#
+#			If your kernel contains multi-port match support, then
+#			only a single Netfilter rule will be generated if in
+#			this list and the CLIENT PORT(S) list below:
+#			1. There are 15 or less ports listed.
+#			2. No port ranges are included.
+#			Otherwise, a separate rule will be generated for each
+#			port.
+#
+#	SOURCE PORT(S)	(Optional) Port(s) used by the client. If omitted,
+#			any source port is acceptable. Specified as a comma-
+#			separated list of port names, port numbers or port
+#			ranges.
+#
+#			If you don't want to restrict client ports but need to
+#			specify an ORIGINAL DEST in the next column, then
+#			place "-" in this column.
+#
+#			If your kernel contains multi-port match support, then
+#			only a single Netfilter rule will be generated if in
+#			this list and the DEST PORT(S) list above:
+#			1. There are 15 or less ports listed.
+#			2. No port ranges are included.
+#			Otherwise, a separate rule will be generated for each
+#			port.
+#
+#       ORIGINAL        Original destination IP address. Must be omitted (
+#       DEST            or '-') if the macro is to be used from within
+#                       an action. See 'man shorewall-rules'.
+#
+#	RATE LIMIT	You may rate-limit the rule by placing a value in
+#			this column:
+#
+#				<rate>/<interval>[:<burst>]
+#
+#			where <rate> is the number of connections per
+#			<interval> ("sec" or "min") and <burst> is the
+#			largest burst permitted. If no <burst> is given,
+#			a value of 5 is assumed. There may be no
+#			no whitespace embedded in the specification.
+#
+#				Example: 10/sec:20
+#
+#	USER/GROUP	This column may only be non-empty if the SOURCE is
+#			the firewall itself.
+#
+#			The column may contain:
+#
+#	[!][<user name or number>][:<group name or number>][+<program name>]
+#
+#			When this column is non-empty, the rule applies only
+#			if the program generating the output is running under
+#			the effective <user> and/or <group> specified (or is
+#			NOT running under that id if "!" is given).
+#
+#			Examples:
+#
+#				joe	#program must be run by joe
+#				:kids	#program must be run by a member of
+#					#the 'kids' group
+#				!:kids	#program must not be run by a member
+#					#of the 'kids' group
+#				+upnpd	#program named upnpd (This feature was
+#					#removed from Netfilter in kernel
+#					#version 2.6.14).
+#
+#	MARK		Specifies a MARK value to match. Must be empty or 
+#			'-' if the macro is to be used within an action.
+#			
+#				[!]value[/mask][:C]
+#
+#    			Defines a test on the existing packet or connection
+#			mark. The rule will match only if the test returns
+#			true.
+#
+#    			If you don't want to define a test but need to
+#			specify anything in the following columns,
+#			place a "-" in this field.
+#
+#    			!
+#
+#				Inverts the test (not equal)
+#
+#    			value
+#
+#				Value of the packet or connection mark.
+#
+#  			mask
+#
+#				A mask to be applied to the mark before
+#				testing.
+#
+#    			:C
+#
+#				Designates a connection mark. If omitted, the
+#				packet mark's value is tested.
+#
+#	CONNLIMIT	Must be empty or '-' if the macro is to be used within
+#			an action.
+#
+#				[!]limit[:mask]
+#
+#			May be used to limit the number of simultaneous
+#			connections from each individual host to limit 
+#			connections. Requires connlimit match in your kernel
+#			and iptables. While the limit is only checked on rules
+#			specifying CONNLIMIT, the number of current connections
+#			is calculated over all current connections from the
+#			SOURCE host. By default, the limit is applied to each
+#			host but can be made to apply to networks of hosts by
+#			specifying a mask. The mask specifies the width of a
+#			VLSM mask to be applied to the source address; the
+#			number of current connections is then taken over all
+#			hosts in the subnet source-address/mask. When ! is
+#			specified, the rule matches when the number of
+#			connection exceeds the limit.
+#
+#	TIME		Must be empty or '-' if the macro is to be used within
+#			an action.
+#
+#
+#				<timeelement>[&...]
+#
+#			timeelement may be:
+#
+#    				timestart=hh:mm[:ss]
+#
+#					Defines the starting time of day.
+#
+#    				timestop=hh:mm[:ss]
+#
+#					Defines the ending time of day.
+#
+#    				utc
+#
+#					Times are expressed in Greenwich Mean
+#					Time.
+#
+#    				localtz
+#
+#					Times are expressed in Local Civil Time
+#					(default).
+#
+#    				weekdays=ddd[,ddd]...
+#
+#					where ddd is one of Mon, Tue, Wed, Thu,
+#					Fri, Sat or Sun
+#
+#    				monthdays=dd[,dd],...
+#
+#					where dd is an ordinal day of the month#
+#
+#    				datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
+#
+#					Defines the starting date and time.
+#
+#    				datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
+#
+#					Defines the ending date and time.
+#
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:
@@ -74,6 +456,6 @@
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
 FORMAT 2
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#######################################################################################################
+#ACTION		SOURCE		DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/	ORIGINAL
+#						PORT(S)	PORT(S)	DEST		LIMIT	GROUP   DEST
--- a/Shorewall/Perl/.includepath
+++ b/Shorewall/Perl/.includepath
@@ -1,3 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<includepath />
-
--- a/Shorewall/Perl/.project
+++ b/Shorewall/Perl/.project
@@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<projectDescription>
-	<name>Shorewall</name>
-	<comment></comment>
-	<projects>
-	</projects>
-	<buildSpec>
-		<buildCommand>
-			<name>org.epic.perleditor.perlbuilder</name>
-			<arguments>
-			</arguments>
-		</buildCommand>
-	</buildSpec>
-	<natures>
-		<nature>org.epic.perleditor.perlnature</nature>
-	</natures>
-</projectDescription>
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,101 +35,14 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = 'MODULEVERSION';
-
-#
-# Per-IP accounting tables. Each entry contains the associated network.
-#
-my %tables;
-
-my $jumpchainref;
-my %accountingjumps;
-my $asection;
-my $defaultchain;
-my $defaultrestriction;
-my $restriction;
-my $accounting_commands = { COMMENT => 0, SECTION => 2 };
-my $sectionname;
-my $acctable;
-
-#
-# Sections in the Accounting File
-#
-
-use constant {
-	      LEGACY      => 0,
-	      PREROUTING  => 1,
-	      INPUT       => 2,
-	      OUTPUT      => 3,
-	      FORWARD     => 4,
-	      POSTROUTING => 5
-	  };
-#
-# Map names to values
-#
-our %asections = ( PREROUTING  => PREROUTING,
-		   INPUT       => INPUT,
-		   FORWARD     => FORWARD,
-		   OUTPUT      => OUTPUT,
-		   POSTROUTING => POSTROUTING
-		 );
+our $VERSION = '4.4.13';

 #
 # Called by the compiler to [re-]initialize this module's state
 #
 sub initialize() {
-    $jumpchainref       = undef;
-    %tables             = ();
-    %accountingjumps    = ();
-    #
-    # The section number is initialized to a value less thatn LEGACY. It will be set to LEGACY if a
-    # the first non-commentary line in the accounting file isn't a section header
-    #
-    # This allows the section header processor to quickly check for correct order 
-    #
-    $asection           = -1;
-    #
-    # These are the legacy values
-    #
-    $defaultchain       = 'accounting';
-    $defaultrestriction = NO_RESTRICT;
-    $sectionname        = '';
-}
-
-#
-# Process a SECTION header
-#
-sub process_section ($) {
-    $sectionname = shift;
-    my $newsect  = $asections{$sectionname};
-    #
-    # read_a_line has already verified that there are exactly two tokens on the line
-    #
-    fatal_error "Invalid SECTION ($sectionname)"                   unless defined $newsect;
-    fatal_error "SECTION not allowed after un-sectioned rules"     unless $asection;
-    fatal_error "Duplicate or out-of-order SECTION ($sectionname)" if     $newsect <= $asection;
-
-    if ( $sectionname eq 'INPUT' ) {
-	$defaultchain = 'accountin';
-	$defaultrestriction = INPUT_RESTRICT;
-    } elsif ( $sectionname eq 'OUTPUT' ) {
-	$defaultchain = 'accountout';
-	$defaultrestriction = OUTPUT_RESTRICT;
-    } elsif ( $sectionname eq 'FORWARD' ) {
-	$defaultchain = 'accountfwd';
-	$defaultrestriction = NO_RESTRICT;
-     } else {
-	 fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle';
-	 if ( $sectionname eq 'PREROUTING' ) {
-	     $defaultchain = 'accountpre';
-	     $defaultrestriction = PREROUTE_RESTRICT;
-	 } else {
-	     $defaultchain = 'accountpost';
-	     $defaultrestriction = POSTROUTE_RESTRICT;
-	 }
-     }
-
-    $asection = $newsect;
+    our $jumpchainref;
+    $jumpchainref = undef;
 }

 #
@@ -137,28 +50,19 @@ sub process_section ($) {
 #
 sub process_accounting_rule( ) {

-    $acctable = $config{ACCOUNTING_TABLE};
+    our $jumpchainref;

-    $jumpchainref = 0;
-
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File', $accounting_commands;
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File';

    if ( $action eq 'COMMENT' ) {
 	process_comment;
 	return 0;
    }

-    if ( $action eq 'SECTION' ) {
-	process_section( $chain );
-	return 0;
-    }
-
-    $asection = LEGACY if $asection < 0;
-
    our $disposition = '';

    sub reserved_chain_name($) {
-	$_[0] =~ /^acc(?:ount(?:fwd|in|ing|out|pre|post)|ipsecin|ipsecout)$/;
+	$_[0] =~ /^acc(?:ount(?:ing|out)|ipsecin|ipsecout)$/;
    }

    sub ipsec_chain_name($) {
@@ -179,7 +83,7 @@ sub process_accounting_rule( ) {
    sub jump_to_chain( $ ) {
 	my $jumpchain = $_[0];
 	fatal_error "Jumps to the $jumpchain chain are not allowed" if reserved_chain_name( $jumpchain );
-	$jumpchainref = ensure_accounting_chain( $jumpchain, 0, $defaultrestriction );
+	$jumpchainref = ensure_accounting_chain( $jumpchain, 0 );
 	check_chain( $jumpchainref );
 	$disposition = $jumpchain;
 	$jumpchain;
@@ -191,44 +95,15 @@ sub process_accounting_rule( ) {
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';

-    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT; 
-
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
    my $rule2 = 0;
    my $jump  = 0;
    
    unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
 	    $target = 'RETURN';
-	} elsif ( $action =~ /^ACCOUNT\(/ ) {
-	    if ( $action =~ /^ACCOUNT\((.+)\)$/ ) {
-		require_capability 'ACCOUNT_TARGET' , 'ACCOUNT Rules' , '';
-		my ( $table, $net, $rest ) = split/,/, $1;
-		fatal_error "Invalid Network Address (${net},${rest})" if defined $rest;
-		fatal_error "Missing Table Name"                       unless supplied $table;
-		fatal_error "Invalid Table Name ($table)"              unless $table =~ /^([-\w.]+)$/;
-		fatal_error "Missing Network Address"                  unless defined $net;
-		fatal_error "Invalid Network Address ($net)"           unless defined $net   && $net =~ '/(\d+)$';
-		fatal_error "Netmask ($1) out of range"                unless $1 >= 8;
-		validate_net $net, 0;
-
-		my $prevnet = $tables{$table};
-
-		if ( $prevnet ) {
-		    fatal_error "Previous net associated with $table ($prevnet) does not match this one ($net)" unless compare_nets( $net , $prevnet );
-		} else {
-		    $tables{$table} = $net;
-		}
-
-		$target = "ACCOUNT --addr $net --tname $table";
-	    } else {
-		fatal_error "Invalid ACCOUNT Action";
-	    }
-	} elsif ( $action =~ /^NFLOG/ ) {
-	    $target = validate_level $action;
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
-
 	    if ( $cmd ) {
 		if ( $cmd eq 'COUNT' ) {
 		    $rule2 = 1;
@@ -243,15 +118,11 @@ sub process_accounting_rule( ) {
 	}
    }

-    $restriction = $defaultrestriction;
+    my $restriction = NO_RESTRICT;

-    if ( $source eq 'any' || $source eq 'all' ) {
-        $source = ALLIP;
-    } else { 
-	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
-    }
+    $source = ALLIP if $source eq 'any' || $source eq 'all';

-    if ( have_bridges && ! $asection ) {
+    if ( have_bridges ) {
 	my $fw = firewall_zone;

 	if ( $source =~ /^$fw:?(.*)$/ ) {
@@ -261,10 +132,9 @@ sub process_accounting_rule( ) {
 	    $dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
 	} else {
 	    $chain = 'accounting' unless $chain and $chain ne '-';
-
 	    if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
 		expand_rule(
-			    ensure_rules_chain ( 'accountout' ) ,
+			    ensure_filter_chain( 'accountout' , 0 ) ,
 			    OUTPUT_RESTRICT ,
 			    $rule ,
 			    $source ,
@@ -277,23 +147,15 @@ sub process_accounting_rule( ) {
 	    }
 	}
    } else {
-	$chain = $defaultchain unless $chain and $chain ne '-';
+	$chain = 'accounting' unless $chain and $chain ne '-';
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
    }

-    my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain};
+    my $chainref = $filter_table->{$chain};
    my $dir;

    if ( ! $chainref ) {
-	if ( reserved_chain_name( $chain ) ) {
-	    fatal_error "May not use chain $chain in the $sectionname section" if $asection && $chain ne $defaultchain; 
-	    $chainref = ensure_accounting_chain $chain, 0 , $restriction;
-	} elsif ( $asection ) {
-	    fatal_error "Unknown accounting chain ($chain)";
-	} else {
-	    $chainref = ensure_accounting_chain $chain, 0 , $restriction;
-	}
-
+	$chainref = ensure_accounting_chain $chain, 0;
 	$dir      = ipsec_chain_name( $chain );

 	if ( $ipsec ne '-' ) {
@@ -307,35 +169,12 @@ sub process_accounting_rule( ) {
 	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );	    
 	    $chainref->{ipsec} = $dir;
 	}
-    } else {
-	fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
-    
-	if ( $ipsec ne '-' ) {
-	    $dir = $chainref->{ipsec};
-	    fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
-	    $rule .= do_ipsec( $dir , $ipsec );
-	} elsif ( $asection ) {
-	    $restriction |= $chainref->{restriction};
-	}
+    } elsif ( $ipsec ne '-' ) {
+	$dir = $chainref->{ipsec};
+	fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
+	$rule .= do_ipsec( $dir , $ipsec );
    }

-    dont_optimize( $chainref ) if $target eq 'RETURN';
-
-    if ( $jumpchainref ) {
-	if ( $asection ) {
-	    #
-	    # Check the jump-to chain to be sure that it doesn't contain rules that are incompatible with this section
-	    #
-	    my $jumprestricted = $jumpchainref->{restricted};
-	    fatal_error "Chain $jumpchainref->{name} contains rules that are incompatible with the $sectionname section" if $jumprestricted && $restriction && $jumprestricted ne $restriction;
-	    $restriction |= $jumpchainref->{restriction};
-	}
-
-	$accountingjumps{$jumpchainref->{name}}{$chain} = 1;
-    }
-
-    fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
-    
    $restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;

    expand_rule
@@ -385,96 +224,48 @@ sub process_accounting_rule( ) {

 sub setup_accounting() {

-    if ( my $fn = open_file 'accounting' ) {
+    my $fn = open_file 'accounting';

-	first_entry "$doing $fn...";
+    first_entry "$doing $fn...";

-	my $nonEmpty = 0;
+    my $nonEmpty = 0;

-	$nonEmpty |= process_accounting_rule while read_a_line;
+    $nonEmpty |= process_accounting_rule while read_a_line;

-	clear_comment;
+    clear_comment;

-	if ( $nonEmpty ) {
-	    my $tableref = $chain_table{$acctable};
-
-	    if ( have_bridges || $asection ) {
-		if ( $tableref->{accountin} ) {
-		    insert_ijump( $tableref->{INPUT}, j => 'accountin', 0 );
-		}
-
-		if ( $tableref->{accounting} ) {
-		    dont_optimize( 'accounting' );
-		    for my $chain ( qw/INPUT FORWARD/ ) {
-			insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
-		    }
-		}
-
-		if ( $tableref->{accountfwd} ) {
-		    insert_ijump( $tableref->{FORWARD}, j => 'accountfwd', 0 );
-		}
-
-		if ( $tableref->{accountout} ) {
-		    insert_ijump( $tableref->{OUTPUT}, j => 'accountout', 0 );
-		}
-
-		if ( $tableref->{accountpre} ) {
-		    insert_ijump( $tableref->{PREROUTING}, j => 'accountpre' , 0 );
-		}
-
-		if ( $tableref->{accountpost} ) {
-		    insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 );
-		}
-	    } elsif ( $tableref->{accounting} ) {
-		dont_optimize( 'accounting' );
-		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		    insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
-		}
-	    }
-
-	    if ( $tableref->{accipsecin} ) {
-		for my $chain ( qw/INPUT FORWARD/ ) {
-		    insert_ijump( $tableref->{$chain}, j => 'accipsecin', 0 );
-		}
-	    }
-
-	    if ( $tableref->{accipsecout} ) {
-		for my $chain ( qw/FORWARD OUTPUT/ ) {
-		    insert_ijump( $tableref->{$chain}, j => 'accipsecout', 0 );
-		}
-	    }
-
-	    unless ( $asection ) {
-		for ( accounting_chainrefs ) {
-		    warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
-		}
-	    }
-
-	    if ( my $chainswithjumps = keys %accountingjumps ) {
-		my $progress = 1;
-
-		while ( $chainswithjumps && $progress ) {
-		    $progress = 0;
-		    for my $chain1 (  keys %accountingjumps ) {
-			if ( keys %{$accountingjumps{$chain1}} ) {
-			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
-				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
-			    }
-			} else {
-			    delete $accountingjumps{$chain1};
-			    $chainswithjumps--;
-			    $progress = 1;
-			}
-		    }
-		}
-
-		if ( $chainswithjumps ) {
-		    my @chainswithjumps = keys %accountingjumps;
-		    fatal_error "Jump loop involving the following chains: @chainswithjumps";
-		}
+    if ( have_bridges ) {
+	if ( $filter_table->{accounting} ) {
+	    for my $chain ( qw/INPUT FORWARD/ ) {
+		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	    }
 	}
+
+	if ( $filter_table->{accountout} ) {
+	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
+	}
+    } elsif ( $filter_table->{accounting} ) {
+	for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
+	    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
+	}
    }
+
+    if ( $filter_table->{accipsecin} ) {
+	for my $chain ( qw/INPUT FORWARD/ ) {
+	    add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
+	}
+    }
+
+    if ( $filter_table->{accipsecout} ) {
+	for my $chain ( qw/FORWARD OUTPUT/ ) {
+	    add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
+	}
+    }
+
+    for ( accounting_chainrefs ) {
+	warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
+    }
+
 }

 1;
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -0,0 +1,964 @@
+#
+# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Actions.pm
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   This module contains the code for dealing with actions (built-in,
+#   standard and user-defined) and Macros.
+#
+package Shorewall::Actions;
+require Exporter;
+use Shorewall::Config qw(:DEFAULT :internal);
+use Shorewall::Zones;
+use Shorewall::Chains qw(:DEFAULT :internal);
+use Shorewall::IPAddrs;
+
+use strict;
+
+our @ISA = qw(Exporter);
+our @EXPORT = qw( merge_levels
+		  isolate_basic_target
+		  get_target_param
+		  add_requiredby
+		  createactionchain
+		  find_logactionchain
+		  process_actions1
+		  process_actions2
+		  process_actions3
+
+		  find_macro
+		  split_action
+		  substitute_param
+		  merge_macro_source_dest
+		  merge_macro_column
+		  map_old_actions
+
+		  %usedactions
+		  %default_actions
+		  %actions
+
+		  %macros
+		  $macro_commands
+		  );
+our @EXPORT_OK = qw( initialize );
+our $VERSION = '4.4_13';
+
+#
+#  Used Actions. Each action that is actually used has an entry with value 1.
+#
+our %usedactions;
+#
+# Default actions for each policy.
+#
+our %default_actions;
+
+#  Action Table
+#
+#     %actions{ <action1> =>  { requires => { <requisite1> = 1,
+#                                             <requisite2> = 1,
+#                                             ...
+#                                           } ,
+#                               actchain => <action chain number> # Used for generating unique chain names for each <level>:<tag> pair.
+#
+our %actions;
+#
+# Contains an entry for each used <action>:<level>[:<tag>] that maps to the associated chain.
+#
+our %logactionchains;
+
+our %macros;
+
+our $family;
+
+our @builtins;
+
+#
+# Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
+#
+our $macro_commands = { COMMENT => 0, FORMAT => 2 };
+
+#
+# Rather than initializing globals in an INIT block or during declaration,
+# we initialize them in a function. This is done for two reasons:
+#
+#   1. Proper initialization depends on the address family which isn't
+#      known until the compiler has started.
+#
+#   2. The compiler can run multiple times in the same process so it has to be
+#      able to re-initialize its dependent modules' state.
+#
+sub initialize( $ ) {
+
+    $family          = shift;
+    %usedactions     = ();
+    %default_actions = ( DROP     => 'none' ,
+			 REJECT   => 'none' ,
+			 ACCEPT   => 'none' ,
+			 QUEUE    => 'none' );
+    %actions         = ();
+    %logactionchains = ();
+    %macros          = ();
+
+    if ( $family == F_IPV4 ) {
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
+    } else {
+	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
+    }
+}
+
+#
+# This function determines the logging for a subordinate action or a rule within a superior action
+#
+sub merge_levels ($$) {
+    my ( $superior, $subordinate ) = @_;
+
+    my @supparts = split /:/, $superior;
+    my @subparts = split /:/, $subordinate;
+
+    my $subparts = @subparts;
+
+    my $target   = $subparts[0];
+
+    push @subparts, '' while @subparts < 3;   #Avoid undefined values
+
+    my $level = $supparts[1];
+    my $tag   = $supparts[2];
+
+    if ( @supparts == 3 ) {
+	return "$target:none!:$tag"   if $level eq 'none!';
+	return "$target:$level:$tag"  if $level =~ /!$/;
+	return $subordinate           if $subparts >= 2;
+	return "$target:$level:$tag";
+    }
+
+    if ( @supparts == 2 ) {
+	return "$target:none!"        if $level eq 'none!';
+	return "$target:$level"       if ($level =~ /!$/) || ($subparts < 2);
+    }
+
+    $subordinate;
+}
+
+#
+# Try to find a macro file -- RETURNS false if the file doesn't exist or MACRO if it does.
+# If the file exists, the macro is entered into the 'targets' table and the fully-qualified
+# name of the file is stored in the 'macro' table.
+#
+sub find_macro( $ )
+{
+    my $macro = $_[0];
+    my $macrofile = find_file "macro.$macro";
+
+    if ( -f $macrofile ) {
+	$macros{$macro} = $macrofile;
+	$targets{$macro} = MACRO;
+    } else {
+	0;
+    }
+}
+
+#
+# Return ( action, level[:tag] ) from passed full action
+#
+sub split_action ( $ ) {
+    my $action = $_[0];
+
+    my $target = '';
+    my $max    = 3;
+    #
+    # The following rather grim RE, when matched, breaks the action into two parts:
+    #
+    #    basicaction(param)
+    #    logging part (may be empty)
+    #
+    # The param may contain one or more ':' characters
+    #
+    if ( $action =~ /^([^(:]+\(.*?\))(:(.*))?$/ ) {
+	$target = $1;
+	$action = $2 ? $3 : '';
+	$max    = 2;
+    }
+	
+    my @a = split( /:/ , $action, 4 );
+    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
+    $target = shift @a unless $target;
+    ( $target, join ":", @a );
+}
+
+#
+# This function substitutes the second argument for the first part of the first argument up to the first colon (":")
+#
+# Example:
+#
+#         substitute_param DNAT PARAM:info:FTP
+#
+#         produces "DNAT:info:FTP"
+#
+sub substitute_param( $$ ) {
+    my ( $param, $action ) = @_;
+
+    if ( $action =~ /:/ ) {
+	my $logpart = (split_action $action)[1];
+	$logpart =~ s!/$!!;
+	return "$param:$logpart";
+    }
+
+    $param;
+}
+
+#
+# Combine fields from a macro body with one from the macro invocation
+#
+sub merge_macro_source_dest( $$ ) {
+    my ( $body, $invocation ) = @_;
+
+    if ( $invocation ) {
+	if ( $body ) {
+	    return $body if $invocation eq '-';
+	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^!+|^~|^!~|~<|~\[/;
+	    return "$invocation:$body";
+	}
+
+	return $invocation;
+    }
+
+    $body || '';
+}
+
+sub merge_macro_column( $$ ) {
+    my ( $body, $invocation ) = @_;
+
+    if ( defined $invocation && $invocation ne '' && $invocation ne '-' ) {
+	$invocation;
+    } else {
+	$body;
+    }
+}
+
+#
+# Get Macro Name -- strips away trailing /*, :* and (*) from the first column in a rule, macro or action.
+#
+sub isolate_basic_target( $ ) {
+    my $target = ( split '[/:]', $_[0])[0];
+
+    $target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
+}
+
+#
+# Split the passed target into the basic target and parameter
+#
+sub get_target_param( $ ) {
+    my ( $target, $param ) = split '/', $_[0];
+
+    unless ( defined $param ) {
+	( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
+    }
+
+    ( $target, $param );
+}
+
+#
+# Define an Action
+#
+sub new_action( $ ) {
+
+    my $action = $_[0];
+
+    $actions{$action} = { actchain => '', requires => {} };
+}
+
+#
+# Record a 'requires' relationship between a pair of actions.
+#
+sub add_requiredby ( $$ ) {
+    my ($requiredby , $requires ) = @_;
+    $actions{$requires}{requires}{$requiredby} = 1;
+}
+
+#
+# Map pre-3.0 actions to the corresponding Macro invocation
+#
+
+sub find_old_action ( $$$ ) {
+    my ( $target, $macro, $param ) = @_;
+
+    if ( my $actiontype = find_macro( $macro ) ) {
+	( $macro, $actiontype , $param );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
+sub map_old_actions( $ ) {
+    my $target = shift;
+
+    if ( $target =~ /^Allow(.*)$/ ) {
+	find_old_action( $target, $1, 'ACCEPT' );
+    } elsif ( $target =~ /^Drop(.*)$/ ) {
+	find_old_action( $target, $1, 'DROP' );
+    } elsif ( $target = /^Reject(.*)$/ ) {
+	find_old_action( $target, $1, 'REJECT' );
+    } else {
+	( $target, 0, '' );
+    }
+}
+
+#
+# Create and record a log action chain -- Log action chains have names
+# that are formed from the action name by prepending a "%" and appending
+# a 1- or 2-digit sequence number. In the functions that follow,
+# the $chain, $level and $tag variable serves as arguments to the user's
+# exit. We call the exit corresponding to the name of the action but we
+# set $chain to the name of the iptables chain where rules are to be added.
+# Similarly, $level and $tag contain the log level and log tag respectively.
+#
+# The maximum length of a chain name is 30 characters -- since the log
+# action chain name is 2-3 characters longer than the base chain name,
+# this function truncates the original chain name where necessary before
+# it adds the leading "%" and trailing sequence number.
+#
+sub createlogactionchain( $$ ) {
+    my ( $action, $level ) = @_;
+    my $chain = $action;
+    my $actionref = $actions{$action};
+    my $chainref;
+
+    my ($lev, $tag) = split ':', $level;
+
+    validate_level $lev;
+
+    $actionref = new_action $action unless $actionref;
+
+    $chain = substr $chain, 0, 28 if ( length $chain ) > 28;
+
+  CHECKDUP:
+    {
+	$actionref->{actchain}++ while $chain_table{filter}{'%' . $chain . $actionref->{actchain}};
+	$chain = substr( $chain, 0, 27 ), redo CHECKDUP if ( $actionref->{actchain} || 0 ) >= 10 and length $chain == 28;
+    }
+
+    $logactionchains{"$action:$level"} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++;
+
+    fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
+
+    unless ( $targets{$action} & BUILTIN ) {
+
+	dont_optimize $chainref;
+
+	my $file = find_file $chain;
+
+	if ( -f $file ) {
+	    progress_message "Processing $file...";
+
+	    ( $level, my $tag ) = split /:/, $level;
+
+	    $tag = $tag || '';
+
+	    unless ( my $return = eval `cat $file` ) {
+		fatal_error "Couldn't parse $file: $@" if $@;
+		fatal_error "Couldn't do $file: $!"    unless defined $return;
+		fatal_error "Couldn't run $file"       unless $return;
+	    }
+	}
+    }
+}
+
+sub createsimpleactionchain( $ ) {
+    my $action  = shift;
+    my $chainref = new_standard_chain $action;
+
+    $logactionchains{"$action:none"} = $chainref;
+
+    unless ( $targets{$action} & BUILTIN ) {
+
+	dont_optimize $chainref;
+
+	my $file = find_file $action;
+
+	if ( -f $file ) {
+	    progress_message "Processing $file...";
+
+	    my ( $level, $tag ) = ( '', '' );
+
+	    unless ( my $return = eval `cat $file` ) {
+		fatal_error "Couldn't parse $file: $@" if $@;
+		fatal_error "Couldn't do $file: $!"    unless defined $return;
+		fatal_error "Couldn't run $file"       unless $return;
+	    }
+	}
+    }
+}
+
+#
+# Create an action chain and run its associated user exit
+#
+sub createactionchain( $ ) {
+    my ( $action , $level ) = split_action $_[0];
+
+    my $chainref;
+
+    if ( defined $level && $level ne '' ) {
+	if ( $level eq 'none' ) {
+	    createsimpleactionchain $action;
+	} else {
+	    createlogactionchain $action , $level;
+	}
+    } else {
+	createsimpleactionchain $action;
+    }
+}
+
+#
+# Find the chain that handles the passed action. If the chain cannot be found,
+# a fatal error is generated and the function does not return.
+#
+sub find_logactionchain( $ ) {
+    my $fullaction = $_[0];
+    my ( $action, $level ) = split_action $fullaction;
+
+    $level = 'none' unless $level;
+
+    fatal_error "Fatal error in find_logactionchain" unless $logactionchains{"$action:$level"};
+}
+
+#
+# Scans a macro file invoked from an action file ensuring that all targets mentioned in the file are known and that none are actions.
+#
+sub process_macro1 ( $$ ) {
+    my ( $action, $macrofile ) = @_;
+
+    progress_message "   ..Expanding Macro $macrofile...";
+
+    push_open( $macrofile );
+
+    while ( read_a_line ) {
+	my ( $mtarget, $msource,  $mdest,  $mproto,  $mports,  $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
+
+	next if $mtarget eq 'COMMENT' || $mtarget eq 'FORMAT';
+
+	$mtarget =~ s/:.*$//;
+
+	$mtarget = (split '/' , $mtarget)[0];
+
+	my $targettype = $targets{$mtarget};
+
+	$targettype = 0 unless defined $targettype;
+
+	fatal_error "Invalid target ($mtarget)"
+	    unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $targettype & ( LOGRULE | NFQ | CHAIN ) );
+    }
+
+    progress_message "   ..End Macro $macrofile";
+
+    pop_open;
+}
+
+#
+# The functions process_actions1-3() implement the three phases of action processing.
+#
+# The first phase (process_actions1) occurs before the rules file is processed. The builtin-actions are added
+# to the target table (%Shorewall::Chains::targets) and actions table, then ${SHAREDIR}/actions.std and
+# ${CONFDIR}/actions are scanned (in that order). For each action:
+#
+#      a) The related action definition file is located and scanned.
+#      b) Forward and unresolved action references are trapped as errors.
+#      c) A dependency graph is created using the 'requires' field in the 'actions' table.
+#
+# As the rules file is scanned, each action[:level[:tag]] is merged onto the 'usedactions' hash. When an <action>
+# is merged into the hash, its action chain is created. Where logging is specified, a chain with the name
+# %<action>n is used where the <action> name is truncated on the right where necessary to ensure that the total
+# length of the chain name does not exceed 30 characters.
+#
+# The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of
+# %usedactions is generated; again, as new actions are merged into the hash, their action chains are created.
+#
+# The final phase (process_actions3) traverses the keys of %usedactions populating each chain appropriately
+# by reading the related action definition file and creating rules. Note that a given action definition file is
+# processed once for each unique [:level[:tag]] applied to an invocation of the action.
+#
+
+sub process_action1 ( $$ ) {
+    my ( $action, $wholetarget ) = @_;
+
+    my ( $target, $level ) = split_action $wholetarget;
+
+    $level = 'none' unless $level;
+
+    my $targettype = $targets{$target};
+
+    if ( defined $targettype ) {
+	return if ( $targettype == STANDARD ) || ( $targettype & ( MACRO | LOGRULE |  NFQ | CHAIN ) );
+
+	fatal_error "Invalid TARGET ($target)" if $targettype & STANDARD;
+
+	fatal_error "An action may not invoke itself" if $target eq $action;
+
+	add_requiredby $wholetarget, $action if $targettype & ACTION;
+    } elsif ( $target eq 'COMMENT' ) {
+	fatal_error "Invalid TARGET ($wholetarget)" unless $wholetarget eq $target;
+    } else {
+	( $target, my $param ) = get_target_param $target;
+
+	return if $target eq 'NFQUEUE';
+
+	if ( defined $param ) {
+	    my $paramtype = $targets{$param} || 0;
+
+	    fatal_error "Parameter value not allowed in action files ($param)" if $paramtype & NATRULE;
+	}
+
+	fatal_error "Invalid or missing ACTION ($wholetarget)" unless defined $target;
+
+	if ( find_macro $target ) {
+	    process_macro1( $action, $macros{$target} );
+	} else {
+	    fatal_error "Invalid TARGET ($target)";
+	}
+    }
+}
+
+sub process_actions1() {
+
+    progress_message2 "Preprocessing Action Files...";
+    #
+    # Add built-in actions to the target table and create those actions
+    #
+    $targets{$_} = ACTION + BUILTIN, new_action( $_ ) for @builtins;
+
+    for my $file ( qw/actions.std actions/ ) {
+	open_file $file;
+
+	while ( read_a_line ) {
+	    my ( $action ) = split_line 1, 1, 'action file';
+
+	    if ( $action =~ /:/ ) {
+		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
+		$action =~ s/:.*$//;
+	    }
+
+	    next unless $action;
+
+	    if ( $targets{$action} ) {
+		warning_message "Duplicate Action Name ($action) Ignored" unless $targets{$action} & ACTION;
+		next;
+	    }
+
+	    $targets{$action} = ACTION;
+
+	    fatal_error "Invalid Action Name ($action)" unless "\L$action" =~ /^[a-z]\w*$/;
+
+	    new_action $action;
+
+	    my $actionfile = find_file "action.$action";
+
+	    fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
+
+	    progress_message2 "   Pre-processing $actionfile...";
+
+	    push_open( $actionfile );
+
+	    while ( read_a_line ) {
+
+		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users, $mark ) = split_line 1, 9, 'action file';
+
+		process_action1( $action, $wholetarget );
+
+	    }
+
+	    pop_open;
+	}
+    }
+}
+
+sub process_actions2 () {
+    progress_message2 'Generating Transitive Closure of Used-action List...';
+
+    my $changed = 1;
+
+    while ( $changed ) {
+	$changed = 0;
+	for my $target (keys %usedactions) {
+	    my ($action, $level) = split_action $target;
+	    my $actionref = $actions{$action};
+	    assert( $actionref );
+	    for my $action1 ( keys %{$actionref->{requires}} ) {
+		my $action2 = merge_levels $target, $action1;
+		unless ( $usedactions{ $action2 } ) {
+		    $usedactions{ $action2 } = 1;
+		    createactionchain $action2;
+		    $changed = 1;
+		}
+	    }
+	}
+    }
+}
+
+#
+# This function is called to process each rule generated from an action file.
+#
+sub process_action( $$$$$$$$$$$ ) {
+    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
+
+    my ( $action , $level ) = split_action $target;
+
+    if ( $action eq 'REJECT' ) {
+	$action = 'reject';
+    } elsif ( $action eq 'CONTINUE' ) {
+	$action = 'RETURN';
+    } elsif ( $action =~ /^NFQUEUE/ ) {
+	( $action, my $param ) = get_target_param $action;
+	$param = 1 unless defined $param;
+	$action = "NFQUEUE --queue-num $param";
+    } elsif ( $action eq 'COUNT' ) {
+	$action = '';
+    }
+
+    expand_rule ( $chainref ,
+		  NO_RESTRICT ,
+		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, $globals{TC_MASK} ) ,
+		  $source ,
+		  $dest ,
+		  '', #Original Dest
+		  $action ,
+		  $level ,
+		  $action ,
+		  '' );
+}
+
+#
+# Expand Macro in action files.
+#
+sub process_macro3( $$$$$$$$$$$$ ) {
+    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
+
+    my $nocomment = no_comment;
+
+    my $format = 1;
+
+    macro_comment $macro;
+
+    my $fn = $macros{$macro};
+
+    progress_message "..Expanding Macro $fn...";
+
+    push_open $fn;
+
+    while ( read_a_line ) {
+
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark );
+
+	if ( $format == 1 ) {
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
+	    $morigdest = '-';
+	    $mmark     = '-';
+	} else {
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark ) = split_line1 1, 10, 'macro file', $macro_commands;
+	}
+
+	if ( $mtarget eq 'COMMENT' ) {
+	    process_comment unless $nocomment;
+	    next;
+	}
+
+	if ( $mtarget eq 'FORMAT' ) {
+	    fatal_error "Invalid FORMAT ($msource)" unless $msource =~ /^[12]$/;
+	    $format = $msource;
+	    next;
+	}
+
+	if ( $mtarget =~ /^PARAM:?/ ) {
+	    fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
+	    $mtarget = substitute_param $param,  $mtarget;
+	}
+
+	fatal_error "Macros used within Actions may not specify an ORIGINAL DEST " if $morigdest ne '-';
+
+	if ( $msource ) {
+	    if ( ( $msource eq '-' ) || ( $msource eq 'SOURCE' ) ) {
+		$msource = $source || '';
+	    } elsif ( $msource eq 'DEST' ) {
+		$msource = $dest || '';
+	    } else {
+		$msource = merge_macro_source_dest $msource, $source;
+	    }
+	} else {
+	    $msource = '';
+	}
+
+	$msource = '' if $msource eq '-';
+
+	if ( $mdest ) {
+	    if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) {
+		$mdest = $dest || '';
+	    } elsif ( $mdest eq 'SOURCE' ) {
+		$mdest = $source || '';
+	    } else {
+		$mdest = merge_macro_source_dest $mdest, $dest;
+	    }
+	} else {
+	    $mdest = '';
+	}
+
+	$mdest   = '' if $mdest eq '-';
+
+	$mproto  = merge_macro_column $mproto,  $proto;
+	$mports  = merge_macro_column $mports,  $ports;
+	$msports = merge_macro_column $msports, $sports;
+	$mrate   = merge_macro_column $mrate,   $rate;
+	$muser   = merge_macro_column $muser,   $user;
+	$mmark   = merge_macro_column $mmark,   $mark;
+
+	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $mark;
+    }
+
+    pop_open;
+
+    progress_message '..End Macro';
+
+    clear_comment unless $nocomment;
+}
+
+#
+# Generate chain for non-builtin action invocation
+#
+sub process_action3( $$$$$ ) {
+    my ( $chainref, $wholeaction, $action, $level, $tag ) = @_;
+    my $actionfile = find_file "action.$action";
+
+    fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
+
+    progress_message2 "Processing $actionfile for chain $chainref->{name}...";
+
+    open_file $actionfile;
+
+    while ( read_a_line ) {
+
+	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file';
+
+	if ( $target eq 'COMMENT' ) {
+	    process_comment;
+	    next;
+	}
+
+	my $target2 = merge_levels $wholeaction, $target;
+
+	my ( $action2 , $level2 ) = split_action $target2;
+
+	( $action2 , my $param ) = get_target_param $action2;
+
+	my $action2type = $targets{$action2} || 0;
+
+	unless ( $action2type == STANDARD ) {
+	    if ( $action2type & ACTION ) {
+		$target2 = (find_logactionchain ( $target = $target2 ))->{name};
+	    } else {
+		assert( $action2type & ( MACRO | LOGRULE | NFQ | CHAIN ) );
+	    }
+	}
+
+	if ( $action2type == MACRO ) {
+	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark );
+	} else {
+	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark;
+	}
+    }
+
+    clear_comment;
+}
+
+#
+# The following small functions generate rules for the builtin actions of the same name
+#
+sub dropBcast( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    if ( have_capability( 'ADDRTYPE' ) ) {
+	if ( $level ne '' ) {
+	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+	    if ( $family == F_IPV4 ) {
+		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
+	    } else {
+		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
+	    }
+	}
+
+	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
+    } else {
+	if ( $family == F_IPV4 ) {
+	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
+	} else {
+	    add_commands $chainref, 'for address in $ALL_ACASTS; do';
+	}
+
+	incr_cmd_level $chainref;
+	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
+	add_rule $chainref, '-d $address -j DROP';
+	decr_cmd_level $chainref;
+	add_commands $chainref, 'done';
+
+	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+    }
+
+
+    if ( $family == F_IPV4 ) {
+	add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
+    } else {
+	add_rule $chainref, join( ' ', '-d', IPv6_MULTICAST, '-j DROP' );
+    }
+}
+
+sub allowBcast( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
+	if ( $level ne '' ) {
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
+	}
+
+	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
+	add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
+    } else {
+	if ( $family == F_IPV4 ) {
+	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
+	} else {
+	    add_commands $chainref, 'for address in $ALL_MACASTS; do';
+	}
+
+	incr_cmd_level $chainref;
+	log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
+	add_rule $chainref, '-d $address -j ACCEPT';
+	decr_cmd_level $chainref;
+	add_commands $chainref, 'done';
+
+	if ( $family == F_IPV4 ) {
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
+	    add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
+	} else {
+	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
+	    add_rule $chainref, join ( ' ', '-d', IPv6_MULTICAST, '-j ACCEPT' );
+	}
+    }
+}
+
+sub dropNotSyn ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+    add_rule $chainref , '-p 6 ! --syn -j DROP';
+}
+
+sub rejNotSyn ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+    add_rule $chainref , '-p 6 ! --syn -j REJECT --reject-with tcp-reset';
+}
+
+sub dropInvalid ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
+    add_rule $chainref , "$globals{STATEMATCH} INVALID -j DROP";
+}
+
+sub allowInvalid ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
+    add_rule $chainref , "$globals{STATEMATCH} INVALID -j ACCEPT";
+}
+
+sub forwardUPnP ( $$$ ) {
+    my $chainref = dont_optimize 'forwardUPnP';
+    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
+}
+
+sub allowinUPnP ( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    if ( $level ne '' ) {
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 17 --dport 1900 ';
+	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 ';
+    }
+
+    add_rule $chainref, '-p 17 --dport 1900 -j ACCEPT';
+    add_rule $chainref, '-p 6 --dport 49152 -j ACCEPT';
+}
+
+sub Limit( $$$ ) {
+    my ($chainref, $level, $tag) = @_;
+
+    my @tag = split /,/, $tag;
+
+    fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')' unless @tag == 3;
+
+    my $set   = $tag[0];
+
+    for ( @tag[1,2] ) {
+	fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
+    }
+
+    my $count = $tag[1] + 1;
+
+    require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
+
+    add_rule $chainref, "-m recent --name $set --set";
+
+    if ( $level ne '' ) {
+	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
+	log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
+	add_rule $xchainref, '-j DROP';
+	add_jump $chainref,  $xchainref, 0, "-m recent --name $set --update --seconds $tag[2] --hitcount $count ";
+    } else {
+	add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
+    }
+
+    add_rule $chainref, '-j ACCEPT';
+}
+
+sub process_actions3 () {
+    my %builtinops = ( 'dropBcast'      => \&dropBcast,
+		       'allowBcast'     => \&allowBcast,
+		       'dropNotSyn'     => \&dropNotSyn,
+		       'rejNotSyn'      => \&rejNotSyn,
+		       'dropInvalid'    => \&dropInvalid,
+		       'allowInvalid'   => \&allowInvalid,
+		       'allowinUPnP'    => \&allowinUPnP,
+		       'forwardUPnP'    => \&forwardUPnP,
+		       'Limit'          => \&Limit, );
+
+    for my $wholeaction ( keys %usedactions ) {
+	my $chainref = find_logactionchain $wholeaction;
+	my ( $action, $level, $tag ) = split /:/, $wholeaction;
+
+	$level = '' unless defined $level;
+	$tag   = '' unless defined $tag;
+
+	if ( $targets{$action} & BUILTIN ) {
+	    $level = '' if $level =~ /none!?/;
+	    $builtinops{$action}->($chainref, $level, $tag);
+	} else {
+	    process_action3 $chainref, $wholeaction, $action, $level, $tag;
+	}
+    }
+}
+
+1;
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -21,49 +21,52 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
+
 package Shorewall::Compiler;
 require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::Zones;
+use Shorewall::Policy;
 use Shorewall::Nat;
 use Shorewall::Providers;
 use Shorewall::Tc;
 use Shorewall::Tunnels;
+use Shorewall::Actions;
 use Shorewall::Accounting;
 use Shorewall::Rules;
 use Shorewall::Proc;
 use Shorewall::Proxyarp;
 use Shorewall::IPAddrs;
 use Shorewall::Raw;
-use Shorewall::Misc;

 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_12';

-my $export;
+our $export;

-my $test;
+our $test;

-my $family;
+our $family;

 #
 # Initilize the package-globals in the other modules
 #
 sub initialize_package_globals() {
    Shorewall::Config::initialize($family);
-    Shorewall::Chains::initialize ($family, 1, $export );
+    Shorewall::Chains::initialize ($family);
    Shorewall::Zones::initialize ($family);
+    Shorewall::Policy::initialize;
    Shorewall::Nat::initialize;
    Shorewall::Providers::initialize($family);
    Shorewall::Tc::initialize($family);
+    Shorewall::Actions::initialize( $family );
    Shorewall::Accounting::initialize;
    Shorewall::Rules::initialize($family);
    Shorewall::Proxyarp::initialize($family);
    Shorewall::IPAddrs::initialize($family);
-    Shorewall::Misc::initialize($family);
 }

 #
@@ -108,7 +111,7 @@ sub generate_script_1( $ ) {
 ################################################################################
 EOF

-    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
+    for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -116,7 +119,7 @@ EOF
 	emit '}';
    }

-    for my $exit ( qw/isusable findgw/ ) {
+    for my $exit qw/isusable findgw/ {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file($exit, 1) or emit 'true';
@@ -226,11 +229,7 @@ sub generate_script_2() {

    set_chain_variables;

-    if ( $config{EXPORTPARAMS} ) {
-	append_file 'params';
-    } else {
-	export_params;
-    }
+    append_file 'params' if $config{EXPORTPARAMS};

    emit ( '',
 	   "g_stopping=",
@@ -308,6 +307,7 @@ sub generate_script_2() {
 #
 #    Generate code for loading the various files in /var/lib/shorewall[6][-lite]
 #    Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES
+#
 #    Generate the 'setup_netfilter()' function that runs iptables-restore.
 #    Generate the 'define_firewall()' function.
 #
@@ -333,10 +333,10 @@ sub generate_script_3($) {

    save_progress_message 'Initializing...';

-    if ( $export || $config{EXPORTMODULES} ) {
-	my $fn = find_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' );
+    if ( $export ) {
+	my $fn = find_file $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules';

-	if ( -f $fn && ( $config{EXPORTMODULES} || ( $export && ! $fn =~ "^$globals{SHAREDIR}/" ) ) ) {
+	if ( -f $fn && ! $fn =~ "^$globals{SHAREDIR}/" ) {
 	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
@@ -344,7 +344,7 @@ sub generate_script_3($) {
 	    emit_unindented $currentline while read_a_line;

 	    emit_unindented 'EOF';
-	    emit '', 'reload_kernel_modules < ${VARDIR}/.modules';
+	    emit 'reload_kernel_modules < ${VARDIR}/.modules';
 	} else {
 	    emit 'load_kernel_modules Yes';
 	}
@@ -352,11 +352,9 @@ sub generate_script_3($) {
 	emit 'load_kernel_modules Yes';
    }

-    emit '';
-
-    load_ipsets;
-
    if ( $family == F_IPV4 ) {
+	load_ipsets;
+
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
 	       '   run_refresh_exit' ,
 	       'else' ,
@@ -368,7 +366,7 @@ sub generate_script_3($) {

 	mark_firewall_not_started;

-	emit ( '',
+	emit ('',
 	       'delete_proxyarp',
 	       ''
 	     );
@@ -386,20 +384,11 @@ sub generate_script_3($) {
 	emit "disable_ipv6\n" if $config{DISABLE_IPV6};

    } else {
-	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
-	       '   run_refresh_exit' ,
-	       'else' ,
-	       '    run_init_exit',
-	       'fi',
+	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
 	       '' );
-
 	save_dynamic_chains;
 	mark_firewall_not_started;
-
-	emit ('',
-	       'delete_proxyndp',
-	       ''
-	     );
+	emit '';
    }

    emit qq(delete_tc1\n) if $config{CLEAR_TC};
@@ -408,12 +397,7 @@ sub generate_script_3($) {

    emit( 'setup_routing_and_traffic_shaping', '' );

-    if ( $family == F_IPV4 ) {
-	emit 'cat > ${VARDIR}/proxyarp << __EOF__';
-    } else {
-	emit 'cat > ${VARDIR}/proxyndp << __EOF__';
-    } 
-
+    emit 'cat > ${VARDIR}/proxyarp << __EOF__';
    dump_proxy_arp;
    emit_unindented '__EOF__';

@@ -516,15 +500,15 @@ EOF

 }

-#1
+#
 #  The Compiler.
 #
 #     Arguments are named -- see %parms below.
 #
 sub compiler {

-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0 );

    $export = 0;
    $test   = 0;
@@ -556,10 +540,7 @@ sub compiler {
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
-		  preview       => { store => \$preview,       validate=> \&validate_boolean    } ,    
-		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
-		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
-		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,		  
+		  preview       => { store => \$preview },
 		);
    #
    #                               P A R A M E T E R    P R O C E S S I N G
@@ -589,11 +570,11 @@ sub compiler {
    set_verbosity( $verbosity );
    set_log($log, $log_verbosity) if $log;
    set_timestamp( $timestamp );
-    set_debug( $debug , $confess );
+    set_debug( $debug );
    #
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
-    get_configuration( $export , $update , $annotate );
+    get_configuration( $export );

    report_capabilities unless $config{LOAD_HELPERS_ONLY};

@@ -612,7 +593,7 @@ sub compiler {
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # shorewall.conf has been processed and the capabilities have been determined.
    #
-    initialize_chain_table(1);
+    initialize_chain_table;

    #
    # Allow user to load Perl modules
@@ -638,12 +619,12 @@ sub compiler {
    #
    # Do action pre-processing.
    #
-    process_actions;
+    process_actions1;
    #
    #                                        P O L I C Y
    #                           (Produces no output to the compiled script)
    #
-    process_policies;
+    validate_policy;
    #
    #                                       N O T R A C K
    #                           (Produces no output to the compiled script)
@@ -767,6 +748,11 @@ sub compiler {
    #
    setup_tunnels;
    #
+    # Post-rules action processing.
+    #
+    process_actions2;
+    process_actions3;
+    #
    # MACLIST Filtration again
    #
    setup_mac_lists 2;
@@ -785,7 +771,7 @@ sub compiler {
 	#
 	generate_matrix;

-	if ( $config{OPTIMIZE} & 0xE ) {
+	if ( $config{OPTIMIZE} & 0xD ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
@@ -812,8 +798,8 @@ sub compiler {
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
 	#
-	Shorewall::Chains::initialize( $family, 0 , $export );
-	initialize_chain_table(0);
+	Shorewall::Chains::initialize( $family );
+	initialize_chain_table;
 	#
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
@@ -854,7 +840,7 @@ sub compiler {
 	    #
 	    generate_matrix;

-	    if ( $config{OPTIMIZE} & 0xE ) {
+	    if ( $config{OPTIMIZE} & 6 ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
@@ -863,7 +849,7 @@ sub compiler {
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $config{OPTIMIZE} & 0xC;
+		optimize_ruleset if $config{OPTIMIZE} & 4;
 	    }

 	    enable_script if $debug;
@@ -876,8 +862,8 @@ sub compiler {
 	# Re-initialize the chain table so that process_routestopped() has the same
 	# environment that it would when called by compile_stop_firewall().
 	#
-	Shorewall::Chains::initialize( $family , 0 , $export );
-	initialize_chain_table(0);
+	Shorewall::Chains::initialize( $family );
+	initialize_chain_table;

 	if ( $debug ) {
 	    compile_stop_firewall( $test, $export );
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,8 +34,6 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( ALLIPv4
                  ALLIPv6
-		  NILIPv4
-		  NILIPv6
 	          IPv4_MULTICAST
 	          IPv6_MULTICAST
 	          IPv6_LINKLOCAL
@@ -46,7 +44,6 @@ our @EXPORT = qw( ALLIPv4
 	          IPv6_SITE_ALLNODES
 	          IPv6_SITE_ALLRTRS
 		  ALLIP
-		  NILIP
 		  ALL
 		  TCP
 		  UDP
@@ -59,7 +56,6 @@ our @EXPORT = qw( ALLIPv4
 		  validate_address
 		  validate_net
 		  decompose_net
-		  compare_nets
 		  validate_host
 		  validate_range
 		  ip_range_explicit
@@ -67,9 +63,6 @@ our @EXPORT = qw( ALLIPv4
 		  allipv4
 		  allipv6
 		  allip
-		  nilipv4
-		  nilipv6
-		  nilip
 		  rfc1918_networks
 		  resolve_proto
 		  proto_name
@@ -80,30 +73,24 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_12';

 #
 # Some IPv4/6 useful stuff
 #
-my @allipv4 = ( '0.0.0.0/0' );
-my @allipv6 = ( '::/0' );
-my $allip;
-my @allip;
-my @nilipv4 = ( '0.0.0.0' );
-my @nilipv6 = ( '::' );
-my $nilip;
-my @nilip;
-my $valid_address;
-my $validate_address;
-my $validate_net;
-my $validate_range;
-my $validate_host;
-my $family;
+our @allipv4 = ( '0.0.0.0/0' );
+our @allipv6 = ( '::/0' );
+our $allip;
+our @allip;
+our $valid_address;
+our $validate_address;
+our $validate_net;
+our $validate_range;
+our $validate_host;
+our $family;

 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
-	       NILIPv4             => '0.0.0.0' ,
-	       NILIPv6             => '::' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
 	       IPv6_MULTICAST      => 'ff00::/8' ,
 	       IPv6_LINKLOCAL      => 'fe80::/10' ,
@@ -121,7 +108,7 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       SCTP                => 132,
 	       UDPLITE             => 136 };

-my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
+our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );

 #
 # Note: initialize() is declared at the bottom of the file
@@ -197,16 +184,7 @@ sub validate_4net( $$ ) {
    $net = '' unless defined $net;

    fatal_error "Missing address" if $net eq '';
-
-    if ( $net =~ /\+(\[?)/ ) {
-	if ( $1 ) {
-	    fatal_error "An ipset list ($net) is not allowed in this context";
-	} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
-	    fatal_error "An ipset name ($net) is not allowed in this context";
-	} else {
-	    fatal_error "Invalid ipset name ($net)";
-	}
-    }
+    fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';

    if ( defined $vlsm ) {
        fatal_error "Invalid VLSM ($vlsm)"            unless $vlsm =~ /^\d+$/ && $vlsm <= 32;
@@ -281,19 +259,10 @@ sub decompose_net( $ ) {
    my $net = $_[0];

    ( $net, my $vlsm ) = validate_net( $net , 0 );
-    ( ( $family == F_IPV4 ? encodeaddr( $net) : normalize_6addr( $net ) )  , $vlsm );
+    ( encodeaddr( $net) , $vlsm );

 }

-sub compare_nets( $$ ) {
-    my ( @net1, @net2 );
-
-    @net1 = decompose_net( $_[0] );
-    @net2 = decompose_net( $_[1] );
-    
-    $net1[0] eq $net2[0] && $net1[1] == $net2[1];
-}			    
-
 sub allipv4() {
    @allipv4;
 }
@@ -302,14 +271,6 @@ sub allipv6() {
    @allipv6;
 }

-sub nilipv4() {
-    @nilipv4;
-}
-
-sub nilipv6() {
-    @nilipv6;
-}
-
 sub rfc1918_networks() {
    @rfc1918_networks
 }
@@ -330,7 +291,7 @@ sub resolve_proto( $ ) {

    if ( $proto =~ /^\d+$/ || $proto =~ /^0x/ ) {
 	$number = numeric_value ( $proto );
-	defined $number && $number <= 255 ? $number : undef;
+	defined $number && $number <= 65535 ? $number : undef;
    } else {
 	#
 	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
@@ -536,7 +497,6 @@ sub valid_6address( $ ) {
    }

    return 0 if @address > $max;
-    return 0 unless $address =~ /^[a-f:\d]+$/;
    return 0 unless ( @address == $max ) || $address =~ /::/;
    return 0 if $address =~ /:::/ || $address =~ /::.*::/;

@@ -580,15 +540,7 @@ sub validate_6net( $$ ) {
    my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
    my $allow_name = $_[1];

-    if ( $net =~ /\+(\[?)/ ) {
-	if ( $1 ) {
-	    fatal_error "An ipset list ($net) is not allowed in this context";
-	} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
-	    fatal_error "An ipset name ($net) is not allowed in this context";
-	} else {
-	    fatal_error "Invalid ipset name ($net)";
-	}
-    }
+    fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';

    if ( defined $vlsm ) {
        fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
@@ -597,16 +549,6 @@ sub validate_6net( $$ ) {
    } else {
 	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
 	validate_6address $net, $allow_name;
-	$vlsm = 128;
-    }
-
-    if ( defined wantarray ) {
-	assert ( ! $allow_name );
-	if ( wantarray ) {
-	    ( $net , $vlsm );
-	} else {
-	    "$net/$vlsm";
-	}
    }
 }

@@ -715,14 +657,6 @@ sub allip() {
    @allip;
 }

-sub NILIP() {
-    $nilip;
-}
-
-sub nilip() {
-    @nilip;
-}
-
 sub valid_address ( $ ) {
    $valid_address->(@_);
 }
@@ -759,8 +693,6 @@ sub initialize( $ ) {
    if ( $family == F_IPV4 ) {
 	$allip            = ALLIPv4;
 	@allip            = @allipv4;
-	$nilip            = NILIPv4;
-	@nilip            = @nilipv4;
 	$valid_address    = \&valid_4address;
 	$validate_address = \&validate_4address;
 	$validate_net     = \&validate_4net;
@@ -769,8 +701,6 @@ sub initialize( $ ) {
    } else {
 	$allip            = ALLIPv6;
 	@allip            = @allipv6;
-	$nilip            = NILIPv6;
-	@nilip            = @nilipv6;
 	$valid_address    = \&valid_6address;
 	$validate_address = \&validate_6address;
 	$validate_net     = \&validate_6net;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -36,10 +36,10 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_13';

-my @addresses_to_add;
-my %addresses_to_add;
+our @addresses_to_add;
+our %addresses_to_add;

 #
 # Called by the compiler
@@ -155,7 +155,6 @@ sub process_one_masq( )
 	my $exceptionrule = '';
 	my $randomize     = '';
 	my $persistent    = '';
-	my $conditional   = 0;
 	#
 	# Parse the ADDRESSES column
 	#
@@ -163,8 +162,8 @@ sub process_one_masq( )
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
-		$addresses =~ s/:persistent$// and $persistent = ' --persistent ';
-		$addresses =~ s/:random$//     and $randomize  = ' --random ';
+		$addresses =~ s/:persistent$// and $persistent = '--persistent ';
+		$addresses =~ s/:random$//     and $randomize  = '--random ';

 		require_capability 'PERSISTENT_SNAT', ':persistent', 's' if $persistent;

@@ -187,14 +186,7 @@ sub process_one_masq( )
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
-			if ( $addr =~ /^&(.+)$/ ) {
-			    $target = 'SNAT ';
-			    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
-				$addrlist .= '--to-source ' . get_interface_address $1;
-			    } else {
-				$addrlist .= '--to-source ' . record_runtime_address $1;
-			    }
-			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
+			if ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = 'SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
 			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
@@ -205,12 +197,8 @@ sub process_one_masq( )
 			    $addrlist .= "--to-source $addr ";
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
-			    my $ports = $addr; 
-			    $ports =~ s/^://;
-			    my $portrange = $ports;
-			    $portrange =~ s/-/:/;
-			    validate_portpair( $proto, $portrange );
-			    $addrlist .= "--to-ports $ports ";
+			    $addr =~ s/^://;
+			    $addrlist .= "--to-ports $addr ";
 			    $exceptionrule = do_proto( $proto, '', '' );
 			}
 		    }
@@ -238,7 +226,10 @@ sub process_one_masq( )
 		     '' ,
 		     $exceptionrule );

-	conditional_rule_end( $chainref ) if $detectaddress || $conditional;
+	if ( $detectaddress ) {
+	    decr_cmd_level( $chainref );
+	    add_commands( $chainref , 'fi' );
+	}

 	if ( $add_snat_aliases ) {
 	    my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
@@ -271,14 +262,14 @@ sub process_one_masq( )
 #
 sub setup_masq()
 {
-    if ( my $fn = open_file 'masq' ) {
+    my $fn = open_file 'masq';

-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );

-	process_one_masq while read_a_line;
+    process_one_masq while read_a_line;
+
+    clear_comment;

-	clear_comment;
-    }
 }

 #
@@ -368,32 +359,32 @@ sub do_one_nat( $$$$$ )
 #
 sub setup_nat() {

-    if ( my $fn = open_file 'nat' ) {
+    my $fn = open_file 'nat';

-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );

-	while ( read_a_line ) {
+    while ( read_a_line ) {

-	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
+	my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';

-	    if ( $external eq 'COMMENT' ) {
-		process_comment;
-	    } else {
-		( $interfacelist, my $digit ) = split /:/, $interfacelist;
+	if ( $external eq 'COMMENT' ) {
+	    process_comment;
+	} else {
+	    ( $interfacelist, my $digit ) = split /:/, $interfacelist;

-		$digit = defined $digit ? ":$digit" : '';
+	    $digit = defined $digit ? ":$digit" : '';

-		for my $interface ( split_list $interfacelist , 'interface' ) {
-		    fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
-		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
-		}
-
-		progress_message "   NAT entry \"$currentline\" $done";
+	    for my $interface ( split_list $interfacelist , 'interface' ) {
+		fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne '';
+		do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
 	    }
+
+	    progress_message "   NAT entry \"$currentline\" $done";
 	}

-	clear_comment;
    }
+
+    clear_comment;
 }

 #
@@ -401,43 +392,40 @@ sub setup_nat() {
 #
 sub setup_netmap() {

-    if ( my $fn = open_file 'netmap' ) {
+    my $fn = open_file 'netmap';

-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );

-	while ( read_a_line ) {
+    while ( read_a_line ) {

-	    my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
+	my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';

-	    $net3 = ALLIP if $net3 eq '-';
+	$net3 = ALLIP if $net3 eq '-';

-	    for my $interface ( split_list $interfacelist, 'interface' ) {
+	for my $interface ( split_list $interfacelist, 'interface' ) {

-		my @rulein;
-		my @ruleout;
-		my $iface = $interface;
+	    my $rulein = '';
+	    my $ruleout = '';
+	    my $iface = $interface;

-		fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
+	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

-		unless ( $interfaceref->{root} ) {
-		    @rulein  = imatch_source_dev( $interface );
-		    @ruleout = imatch_dest_dev( $interface );
-		    $interface = $interfaceref->{name};
-		}
-
-		if ( $type eq 'DNAT' ) {
-		    add_ijump ensure_chain( 'nat' , input_chain $interface ) ,  j => "NETMAP --to $net2", @rulein  , imatch_source_net( $net3 ), d => $net1;
-		} elsif ( $type eq 'SNAT' ) {
-		    add_ijump ensure_chain( 'nat' , output_chain $interface ) , j => "NETMAP --to $net2", @ruleout , imatch_dest_net( $net3 ) ,  s => $net1;
-		} else {
-		    fatal_error "Invalid type ($type)";
-		}
-
-		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
+	    unless ( $interfaceref->{root} ) {
+		$rulein  = match_source_dev( $interface );
+		$ruleout = match_dest_dev( $interface );
+		$interface = $interfaceref->{name};
 	    }
-	}

-	clear_comment;
+	    if ( $type eq 'DNAT' ) {
+		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
+	    } elsif ( $type eq 'SNAT' ) {
+		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
+	    } else {
+		fatal_error "Invalid type ($type)";
+	    }
+
+	    progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
+	}
    }

 }
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -0,0 +1,533 @@
+#
+# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Policy.pm
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   This module deals with the /etc/shorewall/policy file.
+#
+package Shorewall::Policy;
+require Exporter;
+use Shorewall::Config qw(:DEFAULT :internal);
+use Shorewall::Zones;
+use Shorewall::Chains qw( :DEFAULT :internal) ;
+use Shorewall::Actions;
+
+use strict;
+
+our @ISA = qw(Exporter);
+our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
+our @EXPORT_OK = qw(  );
+our $VERSION = '4.4_12';
+
+# @policy_chains is a list of references to policy chains in the filter table
+
+our @policy_chains;
+
+#
+# Called by the compiler
+#
+sub initialize() {
+    @policy_chains = ();
+}
+
+#
+# Convert a chain into a policy chain.
+#
+sub convert_to_policy_chain($$$$$)
+{
+    my ($chainref, $source, $dest, $policy, $provisional ) = @_;
+
+    $chainref->{is_policy}   = 1;
+    $chainref->{policy}      = $policy;
+    $chainref->{provisional} = $provisional;
+    $chainref->{policychain} = $chainref->{name};
+    $chainref->{policypair}  = [ $source, $dest ];
+}
+
+#
+# Create a new policy chain and return a reference to it.
+#
+sub new_policy_chain($$$$)
+{
+    my ($source, $dest, $policy, $provisional) = @_;
+
+    my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
+
+    convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional );
+
+    $chainref;
+}
+
+#
+# Set the passed chain's policychain and policy to the passed values.
+#
+sub set_policy_chain($$$$$)
+{
+    my ($source, $dest, $chain1, $chainref, $policy ) = @_;
+
+    my $chainref1 = $filter_table->{$chain1};
+
+    $chainref1 = new_chain 'filter', $chain1 unless $chainref1;
+
+    unless ( $chainref1->{policychain} ) {
+	if ( $config{EXPAND_POLICIES} ) {
+	    #
+	    # We convert the canonical chain into a policy chain, using the settings of the
+	    # passed policy chain.
+	    #
+	    $chainref1->{policychain} = $chain1;
+	    $chainref1->{loglevel}    = $chainref->{loglevel} if defined $chainref->{loglevel};
+
+	    if ( defined $chainref->{synparams} ) {
+		$chainref1->{synparams}   = $chainref->{synparams};
+		$chainref1->{synchain}    = $chainref->{synchain};
+	    }
+
+	    $chainref1->{default}     = $chainref->{default} if defined $chainref->{default};
+	    $chainref1->{is_policy}   = 1;
+	    push @policy_chains, $chainref1;
+	} else {
+	    $chainref1->{policychain} = $chainref->{name};
+	}
+
+	$chainref1->{policy} = $policy;
+	$chainref1->{policypair} = [ $source, $dest ];
+    }
+}
+
+#
+# Process the policy file
+#
+use constant { PROVISIONAL => 1 };
+
+sub add_or_modify_policy_chain( $$ ) {
+    my ( $zone, $zone1 ) = @_;
+    my $chain    = rules_chain( ${zone}, ${zone1} );
+    my $chainref = $filter_table->{$chain};
+
+    if ( $chainref ) {
+	unless( $chainref->{is_policy} ) {
+	    convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', PROVISIONAL );
+	    push @policy_chains, $chainref;
+	}
+    } else {
+	push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', PROVISIONAL );
+    }
+}
+
+sub print_policy($$$$) {
+    my ( $source, $dest, $policy , $chain ) = @_;
+    unless ( ( $source eq 'all' ) || ( $dest eq 'all' ) ) {
+	if ( $policy eq 'CONTINUE' ) {
+	    my ( $sourceref, $destref ) = ( find_zone($source) ,find_zone( $dest ) );
+	    warning_message "CONTINUE policy between two un-nested zones ($source, $dest)" if ! ( @{$sourceref->{parents}} || @{$destref->{parents}} );
+	}
+	progress_message_nocompress "   Policy for $source to $dest is $policy using chain $chain" unless $source eq $dest;
+    }
+}
+
+sub process_a_policy() {
+
+    our %validpolicies;
+    our @zonelist;
+
+    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = split_line 3, 6, 'policy file';
+
+    $loglevel  = '' if $loglevel  eq '-';
+    $synparams = '' if $synparams eq '-';
+    $connlimit = '' if $connlimit eq '-';
+
+    my $clientwild = ( "\L$client" eq 'all' );
+
+    fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
+
+    my $serverwild = ( "\L$server" eq 'all' );
+
+    fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
+
+    my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 );
+
+    fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
+
+    fatal_error "Invalid default action ($default:$remainder)" if defined $remainder;
+
+    ( $policy , my $queue ) = get_target_param $policy;
+
+    if ( $default ) {
+	if ( "\L$default" eq 'none' ) {
+	    $default = 'none';
+	} else {
+	    my $defaulttype = $targets{$default} || 0;
+
+	    if ( $defaulttype & ACTION ) {
+		unless ( $usedactions{$default} ) {
+		    $usedactions{$default} = 1;
+		    createactionchain $default;
+		}
+	    } else {
+		fatal_error "Unknown Default Action ($default)";
+	    }
+	}
+    } else {
+	$default = $default_actions{$policy} || '';
+    }
+
+    fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
+
+    if ( defined $queue ) {
+	fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
+	require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' );
+	my $queuenum = numeric_value( $queue );
+	fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535;
+	$policy = "NFQUEUE --queue-num $queuenum";
+    } elsif ( $policy eq 'NONE' ) {
+	fatal_error "NONE policy not allowed with \"all\""
+	    if $clientwild || $serverwild;
+	fatal_error "NONE policy not allowed to/from firewall zone"
+	    if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
+    }
+
+    unless ( $clientwild || $serverwild ) {
+	if ( zone_type( $server ) == BPORT ) {
+	    fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
+		unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
+	}
+    }
+
+    my $chain = rules_chain( ${client}, ${server} );
+    my $chainref;
+
+    if ( defined $filter_table->{$chain} ) {
+	$chainref = $filter_table->{$chain};
+
+	if ( $chainref->{is_policy} ) {
+	    if ( $chainref->{provisional} ) {
+		$chainref->{provisional} = 0;
+		$chainref->{policy} = $policy;
+	    } else {
+		fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
+	    }
+	} elsif ( $chainref->{policy} ) {
+	    fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
+	} else {
+	    convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
+	    push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
+	}
+    } else {
+	$chainref = new_policy_chain $client, $server, $policy, 0;
+	push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
+    }
+
+    $chainref->{loglevel}  = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
+
+    if ( $synparams ne '' || $connlimit ne '' ) {
+	my $value = '';
+	fatal_error "Invalid CONNLIMIT ($connlimit)" if $connlimit =~ /^!/;
+	$value  = do_ratelimit $synparams, 'ACCEPT'  if $synparams ne '';
+	$value .= do_connlimit $connlimit            if $connlimit ne '';
+	$chainref->{synparams} = $value;
+	$chainref->{synchain}  = $chain
+    }
+
+    $chainref->{default} = $default if $default;
+
+    if ( $clientwild ) {
+	if ( $serverwild ) {
+	    for my $zone ( @zonelist ) {
+		for my $zone1 ( @zonelist ) {
+		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy;
+		    print_policy $zone, $zone1, $policy, $chain;
+		}
+	    }
+	} else {
+	    for my $zone ( all_zones ) {
+		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy;
+		print_policy $zone, $server, $policy, $chain;
+	    }
+	}
+    } elsif ( $serverwild ) {
+	for my $zone ( @zonelist ) {
+	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy;
+	    print_policy $client, $zone, $policy, $chain;
+	}
+
+    } else {
+	print_policy $client, $server, $policy, $chain;
+    }
+}
+
+sub save_policies() {
+    for my $zone1 ( all_zones ) {
+	for my $zone2 ( all_zones ) {
+	    my $chainref  = $filter_table->{ rules_chain( $zone1, $zone2 ) };
+	    my $policyref = $filter_table->{ $chainref->{policychain} };
+
+	    if ( $policyref->{referenced} ) {
+		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy} . ' using chain ' . $policyref->{name};
+	    } elsif ( $zone1 ne $zone2 ) {
+		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy};
+	    }
+	}
+    }
+}
+
+sub validate_policy()
+{
+    our %validpolicies = (
+			  ACCEPT => undef,
+			  REJECT => undef,
+			  DROP   => undef,
+			  CONTINUE => undef,
+			  QUEUE => undef,
+			  NFQUEUE => undef,
+			  NONE => undef
+			  );
+
+    our %map = ( DROP_DEFAULT    => 'DROP' ,
+		 REJECT_DEFAULT  => 'REJECT' ,
+		 ACCEPT_DEFAULT  => 'ACCEPT' ,
+		 QUEUE_DEFAULT   => 'QUEUE' ,
+		 NFQUEUE_DEFAULT => 'NFQUEUE' );
+
+    my $zone;
+    my $firewall = firewall_zone;
+    our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
+
+    for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
+	my $action = $config{$option};
+	next if $action eq 'none';
+	my $actiontype = $targets{$action};
+
+	if ( defined $actiontype ) {
+	    fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION;
+	} else {
+	    fatal_error "Default Action $option=$action not found";
+	}
+
+	unless ( $usedactions{$action} ) {
+	    $usedactions{$action} = 1;
+	    createactionchain $action;
+	}
+
+	$default_actions{$map{$option}} = $action;
+    }
+
+    for $zone ( all_zones ) {
+	push @policy_chains, ( new_policy_chain $zone,         $zone, 'ACCEPT', PROVISIONAL );
+	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL ) if zone_type( $zone ) == BPORT;
+
+	my $zoneref = find_zone( $zone );
+
+	if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} == VSERVER ) ) {
+	    for my $zone1 ( all_zones ) {
+		unless( $zone eq $zone1 ) {
+		    add_or_modify_policy_chain( $zone, $zone1 );
+		    add_or_modify_policy_chain( $zone1, $zone );
+		}
+	    }		
+	}
+    }
+
+    my $fn = open_file 'policy';
+
+    first_entry "$doing $fn...";
+
+    process_a_policy while read_a_line;
+
+    for $zone ( all_zones ) {
+	for my $zone1 ( all_zones ) {
+	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{rules_chain( ${zone}, ${zone1} )}{policy};
+	}
+    }
+}
+
+#
+# Policy Rule application
+#
+sub policy_rules( $$$$$ ) {
+    my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
+
+    unless ( $target eq 'NONE' ) {
+	add_rule $chainref, "-d 224.0.0.0/4 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
+	add_jump $chainref, $default, 0 if $default && $default ne 'none';
+	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
+	fatal_error "Null target in policy_rules()" unless $target;
+
+	add_jump( $chainref , $target eq 'REJECT' ? 'reject' : $target, 1 ) unless $target eq 'CONTINUE';
+    }
+}
+
+sub report_syn_flood_protection() {
+    progress_message_nocompress '      Enabled SYN flood protection';
+}
+
+sub default_policy( $$$ ) {
+    my $chainref   = $_[0];
+    my $policyref  = $filter_table->{$chainref->{policychain}};
+    my $synparams  = $policyref->{synparams};
+    my $default    = $policyref->{default};
+    my $policy     = $policyref->{policy};
+    my $loglevel   = $policyref->{loglevel};
+
+    assert( $policyref );
+
+    if ( $chainref eq $policyref ) {
+	policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+    } else {
+	if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
+	    if ( $synparams ) {
+		report_syn_flood_protection;
+		policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+	    } else {
+		add_jump $chainref,  $policyref, 1;
+		$chainref = $policyref;
+	    }
+	} elsif ( $policy eq 'CONTINUE' ) {
+	    report_syn_flood_protection if $synparams;
+	    policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
+	} else {
+	    report_syn_flood_protection if $synparams;
+	    add_jump $chainref , $policyref, 1;
+	    $chainref = $policyref;
+	}
+    }
+
+    progress_message_nocompress "   Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
+
+}
+
+sub apply_policy_rules() {
+    progress_message2 'Applying Policies...';
+
+    for my $chainref ( @policy_chains ) {
+	my $policy      = $chainref->{policy};
+
+	unless ( $policy eq 'NONE' ) {
+	    my $loglevel    = $chainref->{loglevel};
+	    my $provisional = $chainref->{provisional};
+	    my $default     = $chainref->{default};
+	    my $name        = $chainref->{name};
+	    my $synparms    = $chainref->{synparms};
+
+	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
+		if ( $config{OPTIMIZE} & 2 ) {
+		    #
+		    # This policy chain is empty and the only thing that we would put in it is
+		    # the policy-related stuff. Don't create it if all we are going to put in it
+		    # is a single jump. Generate_matrix() will just use the policy target when
+		    # needed.
+		    #
+		    ensure_filter_chain $name, 1 if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
+		} else {
+		    ensure_filter_chain $name, 1;
+		}
+	    }
+
+	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
+		run_user_exit $chainref;
+		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
+	    }
+	}
+    }
+
+    for my $zone ( all_zones ) {
+	for my $zone1 ( all_zones ) {
+	    my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};
+
+	    if ( $chainref->{referenced} ) {
+		run_user_exit $chainref;
+		default_policy $chainref, $zone, $zone1;
+	    }
+	}
+    }
+}
+
+#
+# Complete a standard chain
+#
+#	- run any supplied user exit
+#	- search the policy file for an applicable policy and add rules as
+#	  appropriate
+#	- If no applicable policy is found, add rules for an assummed
+#	  policy of DROP INFO
+#
+sub complete_standard_chain ( $$$$ ) {
+    my ( $stdchainref, $zone, $zone2, $default ) = @_;
+
+    add_rule $stdchainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" unless $config{FASTACCEPT};
+
+    run_user_exit $stdchainref;
+
+    my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
+    my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
+    my $policychainref;
+
+    $policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
+
+    ( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref;
+
+    policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
+}
+
+#
+# Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
+#
+sub setup_syn_flood_chains() {
+    for my $chainref ( @policy_chains ) {
+	my $limit = $chainref->{synparams};
+	if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
+	    my $level = $chainref->{loglevel};
+	    my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
+	    add_rule $synchainref , "${limit}-j RETURN";
+	    log_rule_limit( $level , 
+			    $synchainref , 
+			    $chainref->{name} , 
+			    'DROP', 
+			    $globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' , 
+			    '' , 
+			    'add' , 
+			    '' )
+		if $level ne '';
+	    add_rule $synchainref, '-j DROP';
+	}
+    }
+}
+
+#
+# Optimize Policy chains with ACCEPT policy
+#
+sub optimize_policy_chains() {
+    for my $chainref ( grep $_->{policy} eq 'ACCEPT', @policy_chains ) {
+	optimize_chain ( $chainref );
+    }
+    #
+    # Often, fw->all has an ACCEPT policy. This code allows optimization in that case
+    #
+    my $outputrules = $filter_table->{OUTPUT}{rules};
+
+    if ( @{$outputrules} && $outputrules->[-1] =~ /-j ACCEPT/ ) {
+	optimize_chain( $filter_table->{OUTPUT} );
+    }
+
+    progress_message '  Policy chains optimized';
+    progress_message '';
+}
+
+1;
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -41,7 +41,7 @@ our @EXPORT = qw(
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_7';

 #
 # ARP Filtering
@@ -106,7 +106,7 @@ sub setup_route_filtering() {

 	my $val = '';

-	if ( $config ne '' ) {
+	if ( $config{ROUTE_FILTER} ne '' ) {
 	    $val = $config eq 'on' ? 1 : $config eq 'off' ? 0 : $config;

 	    emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
@@ -227,10 +227,6 @@ sub setup_forwarding( $$ ) {
 	}

 	emit '';
-
-	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
-	       ''
-	     ) if have_bridges;
    } else {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
 	    emit '        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
@@ -242,10 +238,6 @@ sub setup_forwarding( $$ ) {

 	emit '';

-	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
-	       ''
-	     ) if have_bridges;
-
 	my $interfaces = find_interfaces_by_option 'forward';

 	if ( @$interfaces ) {
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010.2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -18,10 +18,10 @@
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MAS 02110-1301 USA.
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   This module deals with the /etc/shorewall/providers,
-#   /etc/shorewall/route_rules and /etc/shorewall/routes files.
+#   This module deals with the /etc/shorewall/providers and
+#   /etc/shorewall/route_rules files.
 #
 package Shorewall::Providers;
 require Exporter;
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_13';

 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -43,23 +43,23 @@ use constant { LOCAL_TABLE   => 255,
 	       UNSPEC_TABLE  => 0
 	       };

-my  @routemarked_providers;
-my  %routemarked_interfaces;
+our @routemarked_providers;
+our %routemarked_interfaces;
 our @routemarked_interfaces;
-my  %provider_interfaces;
+our %provider_interfaces;

-my $balancing;
-my $fallback;
-my $first_default_route;
-my $first_fallback_route;
+our $balancing;
+our $fallback;
+our $first_default_route;
+our $first_fallback_route;

-my %providers;
+our %providers;

-my @providers;
+our @providers;

-my $family;
+our $family;

-my $lastmark;
+our $lastmark;

 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };

@@ -100,7 +100,7 @@ sub setup_route_marking() {

    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;

-    add_ijump $mangle_table->{$_} , j => "CONNMARK --restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
+    add_rule $mangle_table->{$_} , "-m connmark ! --mark 0/$mask -j CONNMARK --restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;

    my $chainref  = new_chain 'mangle', 'routemark';
    my $chainref1 = new_chain 'mangle', 'setsticky';
@@ -114,22 +114,20 @@ sub setup_route_marking() {
 	my $mark      = $providerref->{mark};

 	unless ( $marked_interfaces{$interface} ) {
-	    add_ijump $mangle_table->{PREROUTING} , j => $chainref,  i => $physical,     mark => "--mark 0/$mask";
-	    add_ijump $mangle_table->{PREROUTING} , j => $chainref1, i => "! $physical", mark => "--mark  $mark/$mask";
-	    add_ijump $mangle_table->{OUTPUT}     , j => $chainref2,                     mark => "--mark  $mark/$mask";
+	    add_jump $mangle_table->{PREROUTING} , $chainref,  0, "-i $physical -m mark --mark 0/$mask ";
+	    add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "! -i $physical -m mark --mark  $mark/$mask ";
+	    add_jump $mangle_table->{OUTPUT}     , $chainref2, 0, "-m mark --mark  $mark/$mask ";
 	    $marked_interfaces{$interface} = 1;
 	}

 	if ( $providerref->{shared} ) {
-	    add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-	    add_ijump $chainref, j => "MARK --set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
-	    decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
+	    add_rule $chainref, match_source_dev( $interface ) . "-m mac --mac-source $providerref->{mac} -j MARK --set-mark $providerref->{mark}";
 	} else {
-	    add_ijump $chainref, j => "MARK --set-mark $providerref->{mark}", imatch_source_dev( $interface );
+	    add_rule $chainref, match_source_dev( $interface ) . "-j MARK --set-mark $providerref->{mark}";
 	}
    }

-    add_ijump $chainref, j => "CONNMARK --save-mark --mask $mask", mark => "! --mark 0/$mask";
+    add_rule $chainref, "-m mark ! --mark 0/$mask -j CONNMARK --save-mark --mask $mask";
 }

 sub copy_table( $$$ ) {
@@ -140,13 +138,13 @@ sub copy_table( $$$ ) {
    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';

    if ( $realm ) {
-	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
    } else {
-	emit  ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
    }

    emit ( '    case $net in',
-	   '        default)',
+	   '        default|nexthop)',
 	   '            ;;',
 	   '        *)',
 	   "            run_ip route add table $number \$net \$route $realm",
@@ -172,13 +170,13 @@ sub copy_and_edit_table( $$$$ ) {
    $copy =~ s/\+/*/;

    if ( $realm ) {
-	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
    } else {
-	emit  ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
+	emit  ( "\$IP -$family route show table $duplicate | ${filter}while read net route; do" )
    }

    emit (  '    case $net in',
-	    '        default)',
+	    '        default|nexthop)',
 	    '            ;;',
 	    '        *)',
 	    '            case $(find_device $route) in',
@@ -277,7 +275,7 @@ sub add_a_provider( ) {
 	require_capability 'REALM_MATCH', "Configuring multiple providers through one interface", "s";
    }

-    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface );
+    fatal_error "Unknown Interface ($interface)" unless known_interface( $interface, 1 );
    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;

    my $physical    = get_physical $interface;
@@ -349,8 +347,6 @@ sub add_a_provider( ) {
 	}
    }

-    fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default;
-
    my $val = 0;
    my $pref;

@@ -431,7 +427,7 @@ sub add_a_provider( ) {

 	if ( $gatewaycase eq 'none' ) {
 	    if ( $local ) {
-		emit 'run_ip route add local ' . ALLIP . " dev $physical table $number";
+		emit "run_ip route add local 0.0.0.0/0 dev $physical table $number";
 	    } else {
 		emit "run_ip route add default dev $physical table $number";
 	    }
@@ -468,18 +464,9 @@ sub add_a_provider( ) {

    if ( $gateway ) {
 	$address = get_interface_address $interface unless $address;
-	if ( $family == F_IPV4 ) {
-	    emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
-	    emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
-	} else {
-	    emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}";
-	    emit "run_ip route add $gateway src $address dev $physical ${mtu}";
-	    emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $number $realm";
-	    emit "run_ip route add $gateway src $address dev $physical ${mtu}table $number $realm";
-	}
-   	
+	emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
- }
+    }

    balance_default_route $balance , $gateway, $physical, $realm if $balance;

@@ -488,12 +475,7 @@ sub add_a_provider( ) {
    } elsif ( $default ) {
 	emit '';
 	if ( $gateway ) {
-	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
-	    } else {
-		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
-		emit qq(run_ip route add default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
-	    }
+	    emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
 	} else {
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
@@ -649,7 +631,7 @@ sub add_an_rtrule( ) {
 	my $base = uc chain_base( $providers{$provider}{physical} );
 	finish_current_if if $base ne $current_if;
 	start_new_if( $base ) unless $current_if;
-    } else {
+  } else {
 	finish_current_if;
    }

@@ -659,70 +641,15 @@ sub add_an_rtrule( ) {
    progress_message "   Routing rule \"$currentline\" $done";
 }

-sub add_a_route( ) {
-    my ( $provider, $dest, $gateway, $device ) = split_line 2, 4, 'routes file';
-
-    our $current_if;
-
-    unless ( $providers{$provider} ) {
-	my $found = 0;
-
-	if ( "\L$provider" =~ /^(0x[a-f0-9]+|0[0-7]*|[0-9]*)$/ ) {
-	    my $provider_number = numeric_value $provider;
-
-	    for ( keys %providers ) {
-		if ( $providers{$_}{number} == $provider_number ) {
-		    $provider = $_;
-		    fatal_error "You may not add routes to the $provider table" if $provider_number == LOCAL_TABLE || $provider_number == UNSPEC_TABLE;
-		    $found = 1;
-		    last;
-		}
-	    }
-	}
-
-	fatal_error "Unknown provider ($provider)" unless $found;
-    }
-
-    validate_net ( $dest, 1 );
-
-    validate_address ( $gateway, 1 ) if $gateway ne '-';
-
-    my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
-
-    my $physical = $device eq '-' ? $providers{$provider}{physical} : physical_name( $device );
-    
-    if ( $providers{$provider}{optional} ) {
-	my $base = uc chain_base( $physical );
-	finish_current_if if $base ne $current_if;
-	start_new_if ( $base ) unless $current_if;
-    } else {
-	finish_current_if;
-    }
-
-    if ( $gateway ne '-' ) {
-	if ( $device ne '-' ) {
-	    emit qq(run_ip route add $dest via $gateway dev $physical table $number);
-	    emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE;
-	} else {
-	    emit qq(run_ip route add $dest via $gateway table $number);
-	    emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE; 
-	}
-    } else {
-	fatal_error "You must specify a device for this route" unless $physical;
-	emit qq(run_ip route add $dest dev $physical table $number);
-	emit qq(echo "\$IP -$family route del $dest dev $physical table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE;
-    }
-
-    progress_message "   Route \"$currentline\" $done";
-}
-
+#
+# This probably doesn't belong here but looking forward to the day when we get Shorewall out of the routing business,
+# it makes sense to keep all of the routing code together
+#
 sub setup_null_routing() {
    save_progress_message "Null Routing the RFC 1918 subnets";
    for ( rfc1918_networks ) {
-	emit( qq(if ! \$IP -4 route ls | grep -q '^$_.* dev '; then),
-	      qq(    run_ip route replace unreachable $_),
-	      qq(    echo "qt \$IP -4 route del unreachable $_" >> \${VARDIR}/undo_routing),
-	      qq(fi\n) );
+	emit( qq(run_ip route replace unreachable $_) );
+	emit( qq(echo "qt \$IP -$family route del unreachable $_" >> \${VARDIR}/undo_routing) );
    }
 }

@@ -746,7 +673,7 @@ sub start_providers() {
    emit  ( '#',
 	    '# Capture the default route(s) if we don\'t have it (them) already.',
 	    '#',
-	    "[ -f \${VARDIR}/default_route ] || \$IP -$family route list | save_default_route > \${VARDIR}/default_route",
+	    '[ -f ${VARDIR}/default_route ] || $IP -' . $family . ' route list | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route',
 	    '#',
 	    '# Initialize the file that holds \'undo\' commands',
 	    '#',
@@ -773,27 +700,14 @@ sub finish_providers() {
 	}

 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
-	if ( $family == F_IPV4 ) {
-	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
-	} else {
-	    emit  ( "    qt \$IP -6 route del default scope global table $table \$DEFAULT_ROUTE" );
-	    emit  ( "    run_ip route add default scope global table $table \$DEFAULT_ROUTE" );
-	}
-
-	if ( $config{USE_DEFAULT_RT} ) {
-	    emit  ( "    while qt \$IP -$family route del default table " . MAIN_TABLE . '; do',
-		    '        true',
-		    '    done',
-		    ''
-		  );
-	}
- 
+	emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
+	emit  ( "    qt \$IP -$family route del default table " . MAIN_TABLE ) if $config{USE_DEFAULT_RT};
 	emit  ( "    progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
 		'else',
 		'    error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );

 	if ( $config{RESTORE_DEFAULT_ROUTE} ) {
-	    emit qq(    restore_default_route $config{USE_DEFAULT_RT} && error_message "NOTICE: Default route restored")
+	    emit '    restore_default_route && error_message "NOTICE: Default route restored"'
 	} else {
 	    emit qq(    qt \$IP -$family route del default table $table && error_message "WARNING: Default route deleted from table $table");
 	}
@@ -804,22 +718,16 @@ sub finish_providers() {
 	emit ( '#',
 	       '# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
 	       '#',
-	       "restore_default_route $config{USE_DEFAULT_RT}" ,
+	       'restore_default_route' ,
 	       '' );
    }

    if ( $fallback ) {
-	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
-	if ( $family == F_IPV4 ) {
-	    emit( "    run_ip route replace default scope global table " . DEFAULT_TABLE . " \$FALLBACK_ROUTE" );
-	} else {
-	    emit( "    qt \$IP -6 route del default scope global table " . DEFAULT_TABLE . " \$FALLBACK_ROUTE" );
-	    emit( "    run_ip route add default scope global table " . DEFAULT_TABLE . " \$FALLBACK_ROUTE" );
-	}
-
-	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
-	      'fi',
-	      '' );
+	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' ,
+		"    run_ip route replace default scope global table " . DEFAULT_TABLE . " \$FALLBACK_ROUTE" ,
+		"    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
+		'fi',
+		'' );
    }

    unless ( $config{KEEP_RT_TABLES} ) {
@@ -849,35 +757,20 @@ sub setup_providers() {

    $lastmark = 0;

-    if ( my $fn = open_file 'providers' ) {
+    my $fn = open_file 'providers';

-	first_entry sub() {
-	    progress_message2 "$doing $fn...";
-	    emit "\nif [ -z \"\$g_noroutes\" ]; then";
-	    push_indent;
-	    start_providers; };
+    first_entry sub() {
+	progress_message2 "$doing $fn...";
+	emit "\nif [ -z \"\$g_noroutes\" ]; then";
+	push_indent;
+	start_providers; };

-	add_a_provider, $providers++ while read_a_line;
-    }
+    add_a_provider, $providers++ while read_a_line;

    if ( $providers ) {
 	finish_providers;

-	my $fn = open_file 'routes';
-
-	if ( $fn ) {
-	    our $current_if = '';
-
-	    first_entry "$doing $fn...";
-
-	    emit '';
-
-	    add_a_route while read_a_line;
-
-	    finish_current_if;
-	}
-
-	$fn = open_file 'route_rules';
+	my $fn = open_file 'route_rules';

 	if ( $fn ) {
 	    our $current_if = '';
@@ -906,7 +799,7 @@ sub setup_providers() {
 	push_indent;

 	emit "\nundo_routing";
-	emit "restore_default_route $config{USE_DEFAULT_RT}";
+	emit 'restore_default_route';

 	if ( $config{NULL_ROUTE_RFC1918} ) {
 	    emit  ( '#',
@@ -1095,7 +988,7 @@ sub handle_stickiness( $ ) {
 	    my $base      = uc chain_base $interface;
 	    my $mark      = $providerref->{mark};

-	    for ( grep rule_target($_) eq 'sticky', @{$tcpreref->{rules}} ) {
+	    for ( grep /-j sticky/, @{$tcpreref->{rules}} ) {
 		my $stickyref = ensure_mangle_chain 'sticky';
 		my ( $rule1, $rule2 );
 		my $list = sprintf "sticky%03d" , $sticky++;
@@ -1103,32 +996,26 @@ sub handle_stickiness( $ ) {
 		for my $chainref ( $stickyref, $setstickyref ) {
 		    if ( $chainref->{name} eq 'sticky' ) {
 			$rule1 = $_;
-
-			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', "--name $list --update --seconds 300" );
-
+			$rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/;
 			$rule2 = $_;
-
-			clear_rule_target( $rule2 );
-			set_rule_option( $rule2, 'mark', "--mark 0/$mask -m recent --name $list --remove" );
+			$rule2 =~ s/-j sticky/-m mark --mark 0\/$mask -m recent --name $list --remove/;
 		    } else {
 			$rule1 = $_;
-
-			clear_rule_target( $rule1 );
-			set_rule_option( $rule1, 'mark', "--mark $mark\/$mask -m recent --name $list --set" ); 
-
+			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
 			$rule2 = '';
 		    }

-		    add_trule $chainref, $rule1;
+		    assert ( $rule1 =~ s/^-A // );
+		    add_rule $chainref, $rule1;

 		    if ( $rule2 ) {
-			add_trule $chainref, $rule2;
+			assert ( $rule2 =~ s/^-A // );
+			add_rule $chainref, $rule2;
 		    }
 		}
 	    }

-	    for ( grep rule_target( $_ ) eq 'sticko', , @{$tcoutref->{rules}} ) {
+	    for ( grep /-j sticko/, @{$tcoutref->{rules}} ) {
 		my ( $rule1, $rule2 );
 		my $list = sprintf "sticky%03d" , $sticky++;
 		my $stickoref = ensure_mangle_chain 'sticko';
@@ -1136,27 +1023,21 @@ sub handle_stickiness( $ ) {
 		for my $chainref ( $stickoref, $setstickoref ) {
 		    if ( $chainref->{name} eq 'sticko' ) {
 			$rule1 = $_;
-
-			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark" );
-
+			$rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/;
 			$rule2 = $_;
-			
-			clear_rule_target( $rule2 );
-			set_rule_option  ( $rule2, 'mark', "--mark 0\/$mask -m recent --name $list --rdest --remove" );
+			$rule2 =~ s/-j sticko/-m mark --mark 0\/$mask -m recent --name $list --rdest --remove/;
 		    } else {
 			$rule1 = $_;
-
-			clear_rule_target( $rule1 );
-			set_rule_option  ( $rule1, 'mark', "--mark $mark -m recent --name $list --rdest --set" );
-
+			$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
 			$rule2 = '';
 		    }

-		    add_trule $chainref, $rule1;
+		    assert( $rule1 =~ s/-A // );
+		    add_rule $chainref, $rule1;

 		    if ( $rule2 ) {
-			add_trule $chainref, $rule2;
+			$rule2 =~ s/-A //;
+			add_rule $chainref, $rule2;
 		    }
 		}
 	    }
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2011,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,7 +35,7 @@ our @EXPORT = qw(
 		  );

 our @EXPORT_OK = qw( initialize );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_9';

 our @proxyarp;

@@ -56,10 +56,8 @@ sub initialize( $ ) {
    @proxyarp = ();
 }

-sub setup_one_proxy_arp( $$$$$$$ ) {
-    my ( $address, $interface, $physical, $external, $extphy, $haveroute, $persistent) = @_;
-
-    my $proto = $family == F_IPV4 ? 'ARP' : 'NDP';
+sub setup_one_proxy_arp( $$$$$ ) {
+    my ( $address, $interface, $external, $haveroute, $persistent) = @_;

    if ( "\L$haveroute" eq 'no' || $haveroute eq '-' ) {
 	$haveroute = '';
@@ -78,105 +76,105 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
    }

    unless ( $haveroute ) {
-	fatal_error "HAVEROUTE=No requires an INTERFACE" if $interface eq '-';
-
-	if ( $family == F_IPV4 ) {
-	    emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address/32 dev $physical";
-	} else {
-	    emit( 'if [ -z "$g_noroutes" ]; then',
-		  "    qt \$IP -6 route del $address/128 dev $physical".
-		  "    run_ip route add $address/128 dev $physical",
-		  'fi'
-		);
-	}
-
+	emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address dev $interface";
 	$haveroute = 1 if $persistent;
    }

-    emit ( "run_ip neigh add proxy $address nud permanent dev $extphy" ,
-	   qq(progress_message "   Host $address connected to $interface added to $proto on $extphy"\n) );
+    emit ( "if ! arp -i $external -Ds $address $external pub; then",
+	   "    fatal_error \"Command 'arp -i $external -Ds $address $external pub' failed\"" ,
+	   'fi' ,
+	   '',
+	   "progress_message \"   Host $address connected to $interface added to ARP on $external\"\n" );

    push @proxyarp, "$address $interface $external $haveroute";

-    progress_message "   Host $address connected to $interface added to $proto on $external";
+    progress_message "   Host $address connected to $interface added to ARP on $external";
 }

 #
-# Setup Proxy ARP/NDP
+# Setup Proxy ARP
 #
 sub setup_proxy_arp() {
-    my $proto      = $family == F_IPV4 ? 'arp' : 'ndp';   # Protocol
-    my $file_opt   = 'proxy' . $proto;                    # Name of config file and of the interface option
-    my $proc_file  = 'proxy_' . $proto;                   # Name of the corresponding file in /proc
+    if ( $family == F_IPV4 ) {

-    my $interfaces= find_interfaces_by_option $file_opt;
-    my $fn = open_file $file_opt;
+	my $interfaces= find_interfaces_by_option 'proxyarp';
+	my $fn = open_file 'proxyarp';

-    if ( @$interfaces || $fn ) {
+	if ( @$interfaces || $fn ) {

-	my $first_entry = 1;
+	    my $first_entry = 1;

-	save_progress_message 'Setting up Proxy ' . uc($proto) . '...';
+	    save_progress_message "Setting up Proxy ARP...";

-	my ( %set, %reset );
+	    my ( %set, %reset );

-	while ( read_a_line ) {
+	    while ( read_a_line ) {

-	    my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, $file_opt;
+		my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, 'proxyarp file';

-	    if ( $first_entry ) {
-		progress_message2 "$doing $fn...";
-		$first_entry = 0;
-	    }
+		if ( $first_entry ) {
+		    progress_message2 "$doing $fn...";
+		    $first_entry = 0;
+		}

-	    fatal_error "Unknown interface ($external)" unless known_interface $external;
-	    fatal_error "Wildcard interface ($external) not allowed" if $external =~ /\+$/;
-	    $reset{$external} = 1 unless $set{$external};
+		$interface = get_physical $interface;
+		$external  = get_physical $external;

-	    my $extphy   = get_physical $external;
-	    my $physical = '-';
-
-	    if ( $interface ne '-' ) {
-		fatal_error "Unknown interface ($interface)" unless known_interface $interface;
-		fatal_error "Wildcard interface ($interface) not allowed" if $interface =~ /\+$/;
-		$physical = physical_name $interface;
 		$set{$interface}  = 1;
+		$reset{$external} = 1 unless $set{$external};
+
+		setup_one_proxy_arp( $address, $interface, $external, $haveroute, $persistent );
 	    }

-	    setup_one_proxy_arp( $address, $interface, $physical, $external, $extphy, $haveroute, $persistent );
-	}
+	    emit '';

-	emit '';
+	    for my $interface ( keys %reset ) {
+		unless ( $set{interface} ) {
+		    emit  ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
+			    "    echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
+		    emit    "fi\n";
+		}
+	    }

-	for my $interface ( keys %reset ) {
-	    unless ( $set{interface} ) {
-		my $physical = get_physical $interface;
-		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
-			"    echo 0 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
+	    for my $interface ( keys %set ) {
+		emit  ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
+			"    echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
+		emit  ( 'else' ,
+			"    error_message \"    WARNING: Cannot set the 'proxy_arp' option for interface $interface\"" ) unless interface_is_optional( $interface );
 		emit    "fi\n";
 	    }
+
+	    for my $interface ( @$interfaces ) {
+		my $value = get_interface_option $interface, 'proxyarp';
+		my $optional = interface_is_optional $interface;
+
+		$interface = get_physical $interface;
+
+		emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
+		       "    echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
+		emit ( 'else' ,
+		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless $optional;
+		emit   "fi\n";
+	    }
 	}
+    } else {
+	my $interfaces= find_interfaces_by_option 'proxyndp';

-	for my $interface ( keys %set ) {
-	    my $physical = get_physical $interface;
-	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
-		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
-	    emit  ( 'else' ,
-		    "    error_message \"    WARNING: Cannot set the '$file_opt' option for interface $physical\"" ) unless interface_is_optional( $interface );
-	    emit    "fi\n";
-	}
+	if ( @$interfaces ) {
+	    save_progress_message "Setting up Proxy NDP...";

-	for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, $file_opt;
-	    my $optional = interface_is_optional $interface;
+	    for my $interface ( @$interfaces ) {
+		my $value = get_interface_option $interface, 'proxyndp';
+		my $optional = interface_is_optional $interface;

-	    $interface = get_physical $interface;
+		$interface = get_physical $interface;

-	    emit ( "if [ -f /proc/sys/net/ipv$family/conf/$interface/$proc_file ] ; then" ,
-		   "    echo $value > /proc/sys/net/ipv$family/conf/$interface/$proc_file" );
-	    emit ( 'else' ,
-		   "    error_message \"WARNING: Unable to set/reset the '$file_opt' option on $interface\"" ) unless $optional;
-	    emit   "fi\n";
+		emit ( "if [ -f /proc/sys/net/ipv6/conf/$interface/proxy_ndp ] ; then" ,
+		   "    echo $value > /proc/sys/net/ipv6/conf/$interface/proxy_ndp" );
+		emit ( 'else' ,
+		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless $optional;
+		emit   "fi\n";
+	    }
 	}
    }
 }
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_13';

 #
 # Notrack
@@ -76,25 +76,24 @@ sub process_notrack_rule( $$$$$$ ) {

 sub setup_notrack() {

-    if ( my $fn = open_file 'notrack' ) {
+    my $fn = open_file 'notrack';

-	first_entry "$doing $fn...";
+    first_entry "$doing $fn...";

-	my $nonEmpty = 0;
+    my $nonEmpty = 0;

-	while ( read_a_line ) {
+    while ( read_a_line ) {

-	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';
+	my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';

-	    if ( $source eq 'COMMENT' ) {
-		process_comment;
-	    } else {
-		process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
-	    }
+	if ( $source eq 'COMMENT' ) {
+	    process_comment;
+	} else {
+	    process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
 	}
-
-	clear_comment;
    }
+
+    clear_comment;
 }

 1;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -28,14 +28,13 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
 use Shorewall::Chains qw(:DEFAULT :internal);
-use Shorewall::Rules;

 use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_13';

 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -62,47 +61,47 @@ sub setup_tunnels() {
 	    }
 	}

-	my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
+	my $options = $globals{UNTRACKED} ? "-m state --state NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";

-	add_tunnel_rule $inchainref,  p => 50, @$source;
-	add_tunnel_rule $outchainref, p => 50, @$dest;
+	add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
+	add_tunnel_rule $outchainref, "-p 50 $dest   -j ACCEPT";

 	unless ( $noah ) {
-	    add_tunnel_rule $inchainref,  p => 51, @$source;
-	    add_tunnel_rule $outchainref, p => 51, @$dest;
+	    add_tunnel_rule $inchainref,  "-p 51 $source -j ACCEPT";
+	    add_tunnel_rule $outchainref, "-p 51 $dest   -j ACCEPT";
 	}

 	if ( $kind eq 'ipsec' ) {
-	    add_tunnel_rule $inchainref,  p => 'udp --dport 500', @$source, @options;
-	    add_tunnel_rule $outchainref, p => 'udp --dport 500', @$dest,   @options;
+	    add_tunnel_rule $inchainref,  "-p udp $source --dport 500 $options";
+	    add_tunnel_rule $outchainref, "-p udp $dest   --dport 500 $options";
 	} else {
-	    add_tunnel_rule $inchainref,  p => 'udp', @$source, multiport => '--dports 500,4500', @options;
-	    add_tunnel_rule $outchainref, p => 'udp', @$dest,   multiport => '--dports 500,4500', @options;
+	    add_tunnel_rule $inchainref,  "-p udp $source -m multiport --dports 500,4500 $options";
+	    add_tunnel_rule $outchainref, "-p udp $dest   -m multiport --dports 500,4500 $options";
 	}

 	unless ( $gatewayzones eq '-' ) {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
-		$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
+		$inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
+		$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;

 		unless ( have_ipsec ) {
-		    add_tunnel_rule $inchainref,  p => 50, @$source;
-		    add_tunnel_rule $outchainref, p => 50, @$dest;
+		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
+		    add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";

 		    unless ( $noah ) {
-			add_tunnel_rule $inchainref,  p => 51, @$source;
-			add_tunnel_rule $outchainref, p => 51, @$dest;
+			add_tunnel_rule $inchainref,  "-p 51 $source -j ACCEPT";
+			add_tunnel_rule $outchainref, "-p 51 $dest -j ACCEPT";
 		    }
 		}

 		if ( $kind eq 'ipsec' ) {
-		    add_tunnel_rule $inchainref,  p => 'udp --dport 500', @$source, @options;
-		    add_tunnel_rule $outchainref, p => 'udp --dport 500', @$dest,   @options;
+		    add_tunnel_rule $inchainref,  "-p udp $source --dport 500 $options";
+		    add_tunnel_rule $outchainref, "-p udp $dest --dport 500 $options";
 		} else {
-		    add_tunnel_rule $inchainref,  p => 'udp', @$source, multiport => '--dports 500,4500', @options;
-		    add_tunnel_rule $outchainref, p => 'udp', @$dest,   multiport => '--dports 500,4500', @options;
+		    add_tunnel_rule $inchainref,  "-p udp $source -m multiport --dports 500,4500 $options";
+		    add_tunnel_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
 		}
 	    }
 	}
@@ -111,24 +110,24 @@ sub setup_tunnels() {
    sub setup_one_other {
 	my ($inchainref, $outchainref, $source, $dest , $protocol) = @_;

-	add_tunnel_rule $inchainref ,  p => $protocol, @$source;
-	add_tunnel_rule $outchainref , p => $protocol, @$dest;
+	add_tunnel_rule $inchainref ,  "-p $protocol $source -j ACCEPT";
+	add_tunnel_rule $outchainref , "-p $protocol $dest -j ACCEPT";
    }

    sub setup_pptp_client {
 	my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;

-	add_tunnel_rule $outchainref,  p => 47, @$dest;
-	add_tunnel_rule $inchainref,   p => 47, @$source;
-	add_tunnel_rule $outchainref,  p => 'tcp --dport 1723', @$dest;
-    }
+	add_tunnel_rule $outchainref,  "-p 47 $dest -j ACCEPT";
+	add_tunnel_rule $inchainref,   "-p 47 $source -j ACCEPT";
+	add_tunnel_rule $outchainref,  "-p tcp --dport 1723 $dest -j ACCEPT"
+	}

    sub setup_pptp_server {
 	my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;

-	add_tunnel_rule $inchainref,  p => 47, @$dest;
-	add_tunnel_rule $outchainref, p => 47, @$source;
-	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$dest
+	add_tunnel_rule $inchainref,  "-p 47 $dest -j ACCEPT";
+	add_tunnel_rule $outchainref, "-p 47 $source -j ACCEPT";
+	add_tunnel_rule $inchainref,  "-p tcp --dport 1723 $dest -j ACCEPT"
 	}

    sub setup_one_openvpn {
@@ -141,10 +140,10 @@ sub setup_tunnels() {

 	fatal_error "Invalid port ($p:$remainder)" if defined $remainder;

-	if ( supplied $p ) {
+	if ( defined $p && $p ne '' ) {
 	    $port = $p;
 	    $protocol = $proto;
-	} elsif ( supplied $proto ) {
+	} elsif ( defined $proto && $proto ne '' ) {
 	    if ( "\L$proto" =~ /udp|tcp/ ) {
 		$protocol = $proto;
 	    } else {
@@ -152,8 +151,8 @@ sub setup_tunnels() {
 	    }
 	}

-	add_tunnel_rule $inchainref,  p => "$protocol --dport $port", @$source;
-	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;;
+	add_tunnel_rule $inchainref,  "-p $protocol $source --dport $port -j ACCEPT";
+	add_tunnel_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
    }

    sub setup_one_openvpn_client {
@@ -166,10 +165,10 @@ sub setup_tunnels() {

 	fatal_error "Invalid port ($p:$remainder)" if defined $remainder;

-	if ( supplied $p ) {
+	if ( defined $p && $p ne '' ) {
 	    $port = $p;
 	    $protocol = $proto;
-	} elsif ( supplied $proto ) {
+	} elsif ( defined $proto && $proto ne '' ) {
 	    if ( "\L$proto" =~ /udp|tcp/ ) {
 		$protocol = $proto;
 	    } else {
@@ -177,8 +176,8 @@ sub setup_tunnels() {
 	    }
 	}

-	add_tunnel_rule $inchainref,  p => "$protocol --sport $port", @$source;
-	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;
+	add_tunnel_rule $inchainref,  "-p $protocol $source --sport $port -j ACCEPT";
+	add_tunnel_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
    }

    sub setup_one_openvpn_server {
@@ -191,10 +190,10 @@ sub setup_tunnels() {

 	fatal_error "Invalid port ($p:$remainder)" if defined $remainder;

-	if ( supplied $p ) {
+	if ( defined $p && $p ne '' ) {
 	    $port = $p;
 	    $protocol = $proto;
-	} elsif ( supplied $proto ) {
+	} elsif ( defined $proto && $proto ne '' ) {
 	    if ( "\L$proto" =~ /udp|tcp/ ) {
 		$protocol = $proto;
 	    } else {
@@ -202,8 +201,8 @@ sub setup_tunnels() {
 	    }
 	}

-	add_tunnel_rule $inchainref,  p => "$protocol --dport $port" , @$source;
-	add_tunnel_rule $outchainref, p => "$protocol --sport $port",  @$dest;
+	add_tunnel_rule $inchainref,  "-p $protocol $source --dport $port -j ACCEPT";
+	add_tunnel_rule $outchainref, "-p $protocol $dest --sport $port -j ACCEPT";
    }

    sub setup_one_l2tp {
@@ -211,8 +210,8 @@ sub setup_tunnels() {

 	fatal_error "Unknown option ($1)" if $kind =~ /^.*?:(.*)$/;

-	add_tunnel_rule $inchainref,  p => 'udp --sport 1701 --dport 1701', @$source;
-	add_tunnel_rule $outchainref, p => 'udp --sport 1701 --dport 1701', @$dest;
+	add_tunnel_rule $inchainref,  "-p udp $source --sport 1701 --dport 1701 -j ACCEPT";
+	add_tunnel_rule $outchainref, "-p udp $dest   --sport 1701 --dport 1701 -j ACCEPT";
    }

    sub setup_one_generic {
@@ -229,8 +228,8 @@ sub setup_tunnels() {
 	    ( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/;
 	}

-	add_tunnel_rule $inchainref,  p => "$protocol $port", @$source;
-	add_tunnel_rule $outchainref, p => "$protocol $port", @$dest;
+	add_tunnel_rule $inchainref,  "-p $protocol $source $port -j ACCEPT";
+	add_tunnel_rule $outchainref, "-p $protocol $dest $port -j ACCEPT";
    }

    sub setup_one_tunnel($$$$) {
@@ -240,26 +239,26 @@ sub setup_tunnels() {

 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;

-	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
-	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
+	my $inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
+	my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;

 	$gateway = ALLIP if $gateway eq '-';

-	my @source = imatch_source_net $gateway;
-	my @dest   = imatch_dest_net   $gateway;
+	my $source = match_source_net $gateway;
+	my $dest   = match_dest_net   $gateway;

-	my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
-			    'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
-			    'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
-			    'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
-			    '6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
-			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
-			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
-			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
-			    'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
-			    'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
-			    'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, \@source, \@dest ] } ,
-			    'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, \@source, \@dest ] } ,
+	my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, $source, $dest , $gatewayzones ] } ,
+			    'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, $source, $dest , $gatewayzones ] } ,
+			    'ipip'          => { function => \&setup_one_other,          params   => [ $source, $dest , 4 ] } ,
+			    'gre'           => { function => \&setup_one_other,          params   => [ $source, $dest , 47 ] } ,
+			    '6to4'          => { function => \&setup_one_other,          params   => [ $source, $dest , 41 ] } ,
+			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, $source, $dest ] } ,
+			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, $source, $dest ] } ,
+			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, $source, $dest ] } ,
+			    'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, $source, $dest ] } ,
+			    'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, $source, $dest ] } ,
+			    'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, $source, $dest ] } ,
+			    'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, $source, $dest ] } ,
 			  );

 	$kind = "\L$kind";
@@ -278,23 +277,22 @@ sub setup_tunnels() {
    #
    # Setup_Tunnels() Starts Here
    #
-    if ( my $fn = open_file 'tunnels' ) {
+    my $fn = open_file 'tunnels';

-	first_entry "$doing $fn...";
+    first_entry "$doing $fn...";

-	while ( read_a_line ) {
+    while ( read_a_line ) {

-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
+	my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';

-	    if ( $kind eq 'COMMENT' ) {
-		process_comment;
-	    } else {
-		setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
-	    }
+	if ( $kind eq 'COMMENT' ) {
+	    process_comment;
+	} else {
+	    setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
 	}
-
-	clear_comment;
    }
+
+    clear_comment;
 }

 1;
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -74,7 +74,6 @@ our @EXPORT = qw( NOTHING
 		  find_interfaces_by_option1
 		  get_interface_option
 		  set_interface_option
-		  interface_zones
 		  verify_required_interfaces
 		  compile_updown
 		  validate_hosts_file
@@ -85,7 +84,7 @@ our @EXPORT = qw( NOTHING
 		 );

 our @EXPORT_OK = qw( initialize );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_13';

 #
 # IPSEC Option types
@@ -129,11 +128,11 @@ use constant { NOTHING    => 'NOTHING',
 #
 #     $firewall_zone names the firewall zone.
 #
-my @zones;
-my %zones;
-my $firewall_zone;
+our @zones;
+our %zones;
+our $firewall_zone;

-my  %reservedName = ( all => 1,
+our %reservedName = ( all => 1,
 		      any => 1,
 		      none => 1,
 		      SOURCE => 1,
@@ -147,38 +146,32 @@ my  %reservedName = ( all => 1,
 #     %interfaces { <interface1> => { name        => <name of interface>
 #                                     root        => <name without trailing '+'>
 #                                     options     => { port => undef|1
-#                                                    { <option1> } => <val1> ,          #See %validinterfaceoptions
+#                                                      <option1> = <val1> ,          #See %validinterfaceoptions
 #                                                      ...
 #                                                    }
 #                                     zone        => <zone name>
-#                                     multizone   => undef|1   #More than one zone interfaces through this interface
 #                                     nets        => <number of nets in interface/hosts records referring to this interface>
-#                                     bridge      => <bridge name>
-#                                     ports       => <number of port on this bridge>
-#                                     ipsec       => undef|1 # Has an ipsec host group
+#                                     bridge      => <bridge>
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
-#                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
 #
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files. 
 #
-my @interfaces;
-my %interfaces;
-my %roots;
-my @bport_zones;
-my %ipsets;
-my %physical;
-my %basemap;
-my %mapbase;
-my $family;
-my $have_ipsec;
-my $baseseq;
-my $minroot;
+our @interfaces;
+our %interfaces;
+our @bport_zones;
+our %ipsets;
+our %physical;
+our %basemap;
+our %mapbase;
+our $family;
+our $have_ipsec;
+our $baseseq;

 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -199,16 +192,15 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IF_OPTION_ZONEONLY => 8,
 	       IF_OPTION_HOST     => 16,
 	       IF_OPTION_VSERVER  => 32,
-	       IF_OPTION_WILDOK   => 64
 	   };

-my %validinterfaceoptions;
+our %validinterfaceoptions;

-my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
+our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );

-my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );

-my %validhostoptions;
+our %validhostoptions;

 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -228,7 +220,6 @@ sub initialize( $ ) {
    $have_ipsec = undef;

    @interfaces = ();
-    %roots = ();
    %interfaces = ();
    @bport_zones = ();
    %ipsets = ();
@@ -236,7 +227,6 @@ sub initialize( $ ) {
    %basemap = ();
    %mapbase = ();
    $baseseq = 0;
-    $minroot = 0;

    if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -255,14 +245,13 @@ sub initialize( $ ) {
 				  required    => SIMPLE_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				  routefilter => NUMERIC_IF_OPTION ,
-				  sfilter     => IPLIST_IF_OPTION,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
-				  mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
-				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST,
-				  wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				  mss         => NUMERIC_IF_OPTION,
+				  physical    => STRING_IF_OPTION + IF_OPTION_HOST,
+				  wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -285,13 +274,12 @@ sub initialize( $ ) {
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
-				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
-				    mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				    mss         => NUMERIC_IF_OPTION,
 				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
-				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				    wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -308,7 +296,7 @@ sub initialize( $ ) {
 # => mss   = <MSS setting>
 # => ipsec = <-m policy arguments to match options>
 #
-sub parse_zone_option_list($$\$)
+sub parse_zone_option_list($$)
 {
    my %validoptions = ( mss          => NUMERIC,
 			 blacklist    => NOTHING,
@@ -322,13 +310,13 @@ sub parse_zone_option_list($$\$)
 			 "tunnel-dst" => NETWORK,
 		       );

-    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8 };
+    use constant { UNRESTRICTED => 1, NOFW => 2 };
    #
    # Hash of options that have their own key in the returned hash.
    #
-    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW );
+    my %key = ( mss => UNRESTRICTED , blacklist => NOFW );

-    my ( $list, $zonetype, $complexref ) = @_;
+    my ( $list, $zonetype ) = @_;
    my %h;
    my $options = '';
    my $fmt;
@@ -358,18 +346,14 @@ sub parse_zone_option_list($$\$)
 		fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
 	    }

-	    my $key = $key{$e};
-
-	    if ( $key ) {
-		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
-		$$complexref = 1 if $key & COMPLEX;
+	    if ( $key{$e} ) {
+		fatal_error "Option '$e' not permitted with this zone type " if $key{$e} == NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
 		$h{$e} = $val || 1;
 	    } else {
 		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
 		$options .= $invert;
 		$options .= "--$e ";
 		$options .= "$val "if defined $val;
-		$$complexref = 1;
 	    }
 	}
    }
@@ -436,7 +420,7 @@ sub process_zone( \$ ) {
 	fatal_error 'Firewall zone may not be nested' if @parents;
 	fatal_error "Only one firewall zone may be defined ($zone)" if $firewall_zone;
 	$firewall_zone = $zone;
-	add_param( FW => $zone );
+	$ENV{FW} = $zone;
 	$type = FIREWALL;
    } elsif ( $type eq 'vserver' ) {
 	fatal_error 'Vserver zones may not be nested' if @parents;
@@ -455,15 +439,13 @@ sub process_zone( \$ ) {
 	}
    }

-    my $complex = 0;
-
    my $zoneref = $zones{$zone} = { type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
-				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex ) ,
-						    in      => parse_zone_option_list( $in_options , $type , $complex ) ,
-						    out     => parse_zone_option_list( $out_options , $type , $complex ) ,
-						    complex => ( $type == IPSEC || $complex ) ,
+				    options    => { in_out  => parse_zone_option_list( $options || '', $type ) ,
+						    in      => parse_zone_option_list( $in_options || '', $type ) ,
+						    out     => parse_zone_option_list( $out_options || '', $type ) ,
+						    complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
 						    nested  => @parents > 0 ,
 						    super   => 0 ,
 						  } ,
@@ -493,12 +475,11 @@ sub determine_zones()
    my @z;
    my $ip = 0;

-    if ( my $fn = open_file 'zones' ) {
-	first_entry "$doing $fn...";
-	push @z, process_zone( $ip ) while read_a_line;
-    } else {
-	fatal_error q(The 'zones' file does not exist or has zero size);
-    }
+    my $fn = open_file 'zones';
+
+    first_entry "$doing $fn...";
+
+    push @z, process_zone( $ip ) while read_a_line;

    fatal_error "No firewall zone defined" unless $firewall_zone;
    fatal_error "No IP zones defined" unless $ip;
@@ -676,7 +657,6 @@ sub add_group_to_zone($$$$$)
    my $zoneref  = $zones{$zone};
    my $zonetype = $zoneref->{type};

-
    $zoneref->{interfaces}{$interface} = 1;

    my @newnetworks;
@@ -688,11 +668,9 @@ sub add_group_to_zone($$$$$)
    for my $host ( @$networks ) {
 	$interfaceref = $interfaces{$interface};

-	$interfaceref->{zones}{$zone} = 1;
-
 	$interfaceref->{nets}++;

-	fatal_error "Invalid Host List" unless supplied $host;
+	fatal_error "Invalid Host List" unless defined $host and $host ne '';

 	if ( substr( $host, 0, 1 ) eq '!' ) {
 	    fatal_error "Only one exclusion allowed in a host list" if $switched;
@@ -720,7 +698,7 @@ sub add_group_to_zone($$$$$)
 	}

 	if ( substr( $host, 0, 1 ) eq '+' ) {
-	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z]\w*$/;
+	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+[a-zA-Z]\w*$/;
 	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
 	} else {
 	    validate_host $host, 0;
@@ -745,8 +723,6 @@ sub add_group_to_zone($$$$$)
 			     hosts   => \@newnetworks,
 			     ipsec   => $type == IPSEC ? 'ipsec' : 'none' ,
 			     exclusions => \@exclusions };
-
-    $interfaces{$interface}{options}{routeback} ||= ( $type != IPSEC && $options->{routeback} );
 }

 #
@@ -834,7 +810,7 @@ sub chain_base($) {
    $chain =~ s/\+$//;
    $chain =~ tr/./_/;

-    if ( $chain eq '' || $chain =~ /^[0-9]/ || $chain =~ /[^\w]/ ) {
+    if ( $chain =~ /^[0-9]/ || $chain =~ /[^\w]/ ) {
 	#
 	# Must map. Remove all illegal characters
 	#
@@ -868,8 +844,7 @@ sub chain_base($) {
 #
 sub process_interface( $$ ) {
    my ( $nextinum, $export ) = @_;
-    my $netsref   = '';
-    my $filterref = [];
+    my $netsref = '';
    my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
    my $zoneref;
    my $bridge = '';
@@ -887,16 +862,15 @@ sub process_interface( $$ ) {

    fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;

-    if ( supplied $port ) {
+    if ( defined $port && $port ne '' ) {
 	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
-	fatal_error "Your iptables is not recent enough to support bridge ports" unless $globals{KLUDGEFREE};
+	fatal_error "Your iptables is not recent enough to support bridge ports" unless have_capability( 'KLUDGEFREE' );

 	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
 	fatal_error "Duplicate Interface ($port)" if $interfaces{$port};

 	fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
-	$interfaces{$interface}{ports}++;
 	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;

 	if ( $zone ) {
@@ -925,14 +899,6 @@ sub process_interface( $$ ) {
    if ( $interface =~ /\+$/ ) {
 	$wildcard = 1;
 	$root = substr( $interface, 0, -1 );
-	$roots{$root} = $interface;
-	my $len = length $root;
-	
-	if ( $minroot ) {
-	    $minroot = $len if $minroot > $len;
-	} else {
-	    $minroot = $len;
-	}
    } else {
 	$root = $interface;
    }
@@ -1025,7 +991,6 @@ sub process_interface( $$ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
-		fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK; 
 		$value = $defaultinterfaceoptions{$option} unless defined $value;
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
@@ -1060,9 +1025,6 @@ sub process_interface( $$ ) {
 		    # Assume 'broadcast'
 		    #
 		    $hostoptions{broadcast} = 1;
-		} elsif ( $option eq 'sfilter' ) {
-		    $filterref = [ split_list $value, 'address' ];
-		    validate_net( $_, 1) for @{$filterref}
 		} else {
 		    assert(0);
 		}
@@ -1087,7 +1049,7 @@ sub process_interface( $$ ) {
 	fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};

 	if ( $netsref eq 'dynamic' ) {
-	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
+	    my $ipset = "${zone}_" . chain_base $physical;
 	    $netsref = [ "+$ipset" ];
 	    $ipsets{$ipset} = 1;
 	}
@@ -1110,7 +1072,6 @@ sub process_interface( $$ ) {

    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
 						       bridge     => $bridge ,
-						       filter     => $filterref ,
 						       nets       => 0 ,
 						       number     => $nextinum ,
 						       root       => $root ,
@@ -1118,8 +1079,7 @@ sub process_interface( $$ ) {
 						       options    => \%options ,
 						       zone       => '',
 						       physical   => $physical ,
-						       base       => chain_base( $physical ),
-						       zones      => {},
+						       base       => chain_base( $physical )
 						     };

    if ( $zone ) {
@@ -1143,15 +1103,15 @@ sub process_interface( $$ ) {
 sub validate_interfaces_file( $ ) {
    my $export = shift;

+    my $fn = open_file 'interfaces';
+
    my @ifaces;
+
    my $nextinum = 1;

-    if ( my $fn = open_file 'interfaces' ) {
-	first_entry "$doing $fn...";
-	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
-    } else {
-	fatal_error q(The 'interfaces' file does not exist or has zero size);
-    }
+    first_entry "$doing $fn...";
+
+    push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;

    #
    # We now assemble the @interfaces array such that bridge ports immediately precede their associated bridge
@@ -1215,36 +1175,35 @@ sub map_physical( $$ ) {
 #
 # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
 #
-# If the passed name matches a wildcard, an entry for the name is added to %interfaces.
+# If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in 
+# %interfaces.
 #
-sub known_interface($)
+sub known_interface($;$)
 {
-    my $interface = shift;
+    my ( $interface, $cache ) = @_;
    my $interfaceref = $interfaces{$interface};

    return $interfaceref if $interfaceref;

    fatal_error "Invalid interface ($interface)" if $interface =~ /\*/;

-    my $iface = $interface;
+    for my $i ( @interfaces ) {
+	$interfaceref = $interfaces{$i};
+	my $root = $interfaceref->{root};
+	if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
+	    my $physical = map_physical( $interface, $interfaceref );
 	    
-    if ( $minroot ) {
-	while ( length $iface > $minroot ) {
-	    chop $iface;
+	    my $copyref = { options  => $interfaceref->{options},
+			    bridge   => $interfaceref->{bridge} ,
+			    name     => $i ,
+			    number   => $interfaceref->{number} ,
+			    physical => $physical ,
+			    base     => chain_base( $physical ) ,
+			  };

-	    if ( my $i = $roots{$iface} ) {
-		$interfaceref = $interfaces{$i};
+	    $interfaces{$interface} = $copyref if $cache;

-		my $physical = map_physical( $interface, $interfaceref );
-
-		return $interfaces{$interface} = { options  => $interfaceref->{options} ,
-						   bridge   => $interfaceref->{bridge} ,
-						   name     => $i ,
-						   number   => $interfaceref->{number} ,
-						   physical => $physical ,
-						   base     => chain_base( $physical ) ,
-						 };
-	    }
+	    return $copyref;
 	}
    }

@@ -1325,16 +1284,6 @@ sub source_port_to_bridge( $ ) {
    return $portref ? $portref->{bridge} : '';
 }

-
-#
-# Returns a hash reference for the zones interface through the interface
-#
-sub interface_zones( $ ) {
-    my $interfaceref = $interfaces{(shift)};
-
-    $interfaceref->{zones};
-}
-
 #
 # Return the 'optional' setting of the passed interface
 #
@@ -1376,7 +1325,7 @@ sub find_interfaces_by_option1( $ ) {
    my $wild = 0;

    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} }
-			( grep $interfaces{$_}{root}, keys %interfaces ) ) {
+			keys %interfaces ) {
 	my $interfaceref = $interfaces{$interface};

 	next unless defined $interfaceref->{physical};
@@ -1400,14 +1349,7 @@ sub find_interfaces_by_option1( $ ) {
 sub get_interface_option( $$ ) {
    my ( $interface, $option ) = @_;

-    my $ref = $interfaces{$interface};
-
-    return $ref->{options}{$option} if $ref;
-
-    assert( $ref = known_interface( $interface ) );
-
-    $ref->{options}{$option};
-    
+    $interfaces{$interface}{options}{$option};
 }

 #
@@ -1719,39 +1661,31 @@ sub process_host( ) {
    fatal_error "Unknown ZONE ($zone)" unless $type;
    fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type == FIREWALL;

-    my ( $interface, $interfaceref );
+    my $interface;

    if ( $family == F_IPV4 ) {
 	if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
 	    $interface = $1;
 	    $hosts = $2;
-	    fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
+	    $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
+	    fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
-    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/   ||
-	      $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
-	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/   ||
-	      $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
+    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ || $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]\s*$/   ) {
 	$interface = $1;
 	$hosts = $2;
-
-	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
+	$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
+	fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
    } else {
-	fatal_error "Invalid HOST(S) column contents: $hosts" 
-    }
-
-    if ( $hosts =~ /^!?\+/ ) {
-	$zoneref->{options}{complex} = 1;
-	fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
-	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
+	fatal_error "Invalid HOST(S) column contents: $hosts";
    }

    if ( $type == BPORT ) {
 	if ( $zoneref->{bridge} eq '' ) {
-	    fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port};
+	    fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port};
 	    $zoneref->{bridge} = $interfaces{$interface}{bridge};
-	} elsif ( $zoneref->{bridge} ne $interfaceref->{bridge} ) {
+	} elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) {
 	    fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
 	}
    } 
@@ -1767,7 +1701,7 @@ sub process_host( ) {
 		require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's';
 		$type = IPSEC;
 		$zoneref->{options}{complex} = 1;
-		$ipsec = $interfaceref->{ipsec} = 1;
+		$ipsec = 1;
 	    } elsif ( $option eq 'norfc1918' ) {
 		warning_message "The 'norfc1918' host option is no longer supported"
 	    } elsif ( $option eq 'blacklist' ) {
@@ -1803,13 +1737,12 @@ sub process_host( ) {
    if ( $hosts eq 'dynamic' ) {
 	fatal_error "Vserver zones may not be dynamic" if $type == VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	my $physical = chain_base( physical_name $interface );
-	my $set      = $family == F_IPV4 ? "${zone}_${physical}" : "6_${zone}_${physical}";
-	$hosts = "+$set";
+	my $physical = physical_name $interface;
+	$hosts = "+${zone}_${physical}";
 	$optionsref->{dynamic} = 1;
-	$ipsets{$set} = 1;
-    }
+	$ipsets{"${zone}_${physical}"} = 1;

+    }
    #
    # We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
    #
@@ -1829,15 +1762,14 @@ sub validate_hosts_file()
 {
    my $ipsec = 0;

-    if ( my $fn = open_file 'hosts' ) {
-	first_entry "$doing $fn...";
-	$ipsec |= process_host while read_a_line;
-    }
+    my $fn = open_file 'hosts';
+
+    first_entry "$doing $fn...";
+
+    $ipsec |= process_host while read_a_line;

    $have_ipsec = $ipsec || haveipseczones;

-    $_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
-
 }

 #
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -54,15 +54,12 @@ sub usage( $ ) {
    [ --verbose={-1|0-2} ]
    [ --timestamp ]
    [ --debug ]
-    [ --confess ]
    [ --refresh=<chainlist> ]
    [ --log=<filename> ]
    [ --log-verbose={-1|0-2} ]
    [ --test ]
    [ --preview ]
    [ --family={4|6} ]
-    [ --annotate ]
-    [ --updatee ]
 ';

    exit shift @_;
@@ -76,16 +73,13 @@ my $shorewall_dir = '';
 my $verbose       = 0;
 my $timestamp     = 0;
 my $debug         = 0;
-my $confess       = 0;
-my $chains        = ':none:';
+my $chains        = '';
 my $log           = '';
 my $log_verbose   = 0;
 my $help          = 0;
 my $test          = 0;
 my $family        = 4; # F_IPV4
 my $preview       = 0;
-my $annotate      = 0;
-my $update        = 0;

 Getopt::Long::Configure ('bundling');

@@ -109,12 +103,6 @@ my $result = GetOptions('h'               => \$help,
 			'preview'         => \$preview,
 			'f=i'             => \$family,
 			'family=i'        => \$family,
-			'c'               => \$confess,
-			'confess'         => \$confess,
-			'a'               => \$annotate,
-			'annotate'        => \$annotate,
-			'u'               => \$update,
-			'update'          => \$update,
 		       );

 usage(1) unless $result && @ARGV < 2;
@@ -131,8 +119,4 @@ compiler( script          => $ARGV[0] || '',
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
 	  preview         => $preview,
-	  family          => $family,
-	  confess         => $confess,
-	  update          => $update,
-	  annotate        => $annotate,
-	);
+	  family          => $family );
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -1,40 +0,0 @@
-#!/bin/sh
-#
-#     The Shoreline Firewall Packet Filtering Firewall Param File Helper - V4.4
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010,2011 - Tom Eastep (teastep@shorewall.net)
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
-if [ "$3" = 6 ]; then
-    . /usr/share/shorewall6/lib.base
-    . /usr/share/shorewall6/lib.cli
-else
-    . /usr/share/shorewall/lib.base
-    . /usr/share/shorewall/lib.cli
-fi
-
-CONFIG_PATH="$2"
-
-set -a
-
-. $1 >&2 # Avoid spurious output on STDOUT
-
-set +a
-
-export -p
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -169,10 +169,8 @@ case "$COMMAND" in
 	    detect_configuration
 	    define_firewall
 	    status=$?
-	    if [ $status -eq 0 ]; then
-		[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
-		progress_message3 "done."
-	    fi
+	    [ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
+	    progress_message3 "done."
 	fi
 	;;
    stop)
@@ -227,9 +225,9 @@ case "$COMMAND" in
 	define_firewall
 	status=$?
 	if [ -n "$SUBSYSLOCK" ]; then
-	    [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-	fi
-	[ $status -eq 0 ] && progress_message3 "done."
+ 	    [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+        fi
+	progress_message3 "done."
 	;;
    refresh)
 	[ $# -ne 1 ] && usage 2
@@ -238,7 +236,7 @@ case "$COMMAND" in
 	    detect_configuration
 	    define_firewall
 	    status=$?
-	    [ $status -eq 0 ] && progress_message3 "done."
+	    progress_message3 "done."
 	else
 	    echo "$g_product is not running" >&2
 	    status=2
@@ -258,10 +256,10 @@ case "$COMMAND" in
 	progress_message3 "Clearing $g_product...."
 	clear_firewall
 	status=0
-	if [ $status -eq 0 ]; then
-	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
-	    progress_message3 "done."
+	if [ -n "$SUBSYSLOCK" ]; then
+	    rm -f $SUBSYSLOCK
 	fi
+	progress_message3 "done."
 	;;
    status)
 	[ $# -ne 1 ] && usage 2
--- a/Shorewall/Perl/prog.footer6
+++ b/Shorewall/Perl/prog.footer6
@@ -17,28 +17,6 @@ usage() {
    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
 }
-
-checkkernelversion() {
-    local kernel
-
-    kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
-
-    case "$kernel" in 
-	*.*.*)
-	    kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-	    ;;
-	*)
-	    kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
-	    ;;
-    esac
-
-    if [ $kernel -lt 20624 ]; then
-	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-	return 1
-    else
-	return 0
-    fi
-}
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
@@ -177,43 +155,40 @@ done

 COMMAND="$1"

-
-case "$COMMAND" in
-    start)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    error_message "$g_product is already Running"
-	    status=0
-	else
-	    progress_message3 "Starting $g_product...."
-	    if checkkernelversion; then
+kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+if [ $kernel -lt 20624 ]; then
+    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+    status=2
+else
+    case "$COMMAND" in
+	start)
+	    [ $# -ne 1 ] && usage 2
+	    if shorewall6_is_started; then
+		error_message "$g_product is already Running"
+		status=0
+	    else
+		progress_message3 "Starting $g_product...."
 		detect_configuration
 		define_firewall
 		status=$?
-		if [ $status -eq 0 ]; then
-		    [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
-		    progress_message3 "done."
-		fi
+		[ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
+		progress_message3 "done."
 	    fi
-	fi
-	;;
-    stop)
-	[ $# -ne 1 ] && usage 2
-	if checkkernelversion; then
+	    ;;
+	stop)
+	    [ $# -ne 1 ] && usage 2
 	    progress_message3 "Stopping $g_product...."
 	    detect_configuration
 	    stop_firewall
 	    status=0
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
-	fi
-	;;
-    reset)
-	if ! shorewall6_is_started ; then
-	    error_message "$g_product is not running"
-	    status=2
-	elif checkkernelversion; then
-	    if [ $# -eq 1 ]; then
+	    ;;
+ 	reset)
+	    if ! shorewall6_is_started ; then
+		error_message "$g_product is not running"
+		status=2
+	    elif [ $# -eq 1 ]; then
 		$IP6TABLES -Z
 		$IP6TABLES -t mangle -Z
 		date > ${VARDIR}/restarted
@@ -236,112 +211,102 @@ case "$COMMAND" in
 		    fi
 		done
 	    fi
-	fi
-	;;
-    restart)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    progress_message3 "Restarting $g_product...."
-	else
-	    error_message "$g_product is not running"
-	    progress_message3 "Starting $g_product...."
-	    COMMAND=start
-	fi
+	    ;;
+	restart)
+	    [ $# -ne 1 ] && usage 2
+	    if shorewall6_is_started; then
+		progress_message3 "Restarting $g_product...."
+	    else
+		error_message "$g_product is not running"
+		progress_message3 "Starting $g_product...."
+		COMMAND=start
+	    fi

-	if checkkernelversion; then
 	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
            fi
-
-	    [ $status -eq 0 ] && progress_message3 "done."
-	fi
-	;;
-    refresh)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    progress_message3 "Refreshing $g_product...."
-	    if checkkernelversion; then
+	    progress_message3 "done."
+	    ;;
+	refresh)
+	    [ $# -ne 1 ] && usage 2
+	    if shorewall6_is_started; then
+		progress_message3 "Refreshing $g_product...."
 		detect_configuration
 		define_firewall
 		status=$?
-		[ $status -eq 0 ] && progress_message3 "done."
+		progress_message3 "done."
+	    else
+		echo "$g_product is not running" >&2
+		status=2
 	    fi
-	else
-	    echo "$g_product is not running" >&2
-	    status=2
-	fi
-	;;
-    restore)
-	[ $# -ne 1 ] && usage 2
-	if checkkernelversion; then
+	    ;;
+	restore)
+	    [ $# -ne 1 ] && usage 2
 	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
            fi
-	    [ $status -eq 0 ] && progress_message3 "done."
-	fi
-	;;
-    clear)
-	[ $# -ne 1 ] && usage 2
-	progress_message3 "Clearing $g_product...."
-	if checkkernelversion; then
+	    ;;
+	clear)
+	    [ $# -ne 1 ] && usage 2
+	    progress_message3 "Clearing $g_product...."
 	    clear_firewall
 	    status=0
 	    if [ -n "$SUBSYSLOCK" ]; then
 		rm -f $SUBSYSLOCK
 	    fi
 	    progress_message3 "done."
-	fi
-	;;
-    status)
-	[ $# -ne 1 ] && usage 2
-	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
-	echo
-	if shorewall6_is_started; then
-	    echo "$g_product is running"
-	    status=0
-	else
-	    echo "$g_product is stopped"
-	    status=4
-	fi
+	    ;;
+	status)
+	    [ $# -ne 1 ] && usage 2
+	    echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
+	    echo
+	    if shorewall6_is_started; then
+		echo "$g_product is running"
+		status=0
+	    else
+		echo "$g_product is stopped"
+		status=4
+	    fi

-	if [ -f ${VARDIR}/state ]; then
-	    state="$(cat ${VARDIR}/state)"
-	    case $state in
-		Stopped*|Clear*)
-		    status=3
-		    ;;
-	    esac
-	else
-	    state=Unknown
-	fi
-	echo "State:$state"
-	echo
-	;;
-    up|down)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	updown $1
-	status=0
-	;;
-    version)
-	[ $# -ne 1 ] && usage 2
-	echo $SHOREWALL_VERSION
-	status=0
-	;;
-    help)
-	[ $# -ne 1 ] && usage 2
-	usage 0
-	;;
-    *)
-	usage 2
-	;;
-esac
+	    if [ -f ${VARDIR}/state ]; then
+		state="$(cat ${VARDIR}/state)"
+		case $state in
+		    Stopped*|Clear*)
+			status=3
+			;;
+		esac
+	    else
+		state=Unknown
+	    fi
+	    echo "State:$state"
+	    echo
+	    ;;
+	up|down)
+	    [ $# -eq 1 ] && exit 0
+	    shift
+	    [ $# -ne 1 ] && usage 2
+	    updown $1
+	    status=0
+	    ;;
+	version)
+	    [ $# -ne 1 ] && usage 2
+	    echo $SHOREWALL_VERSION
+	    status=0
+	    ;;
+	help)
+	    [ $# -ne 1 ] && usage 2
+	    usage 0
+	    ;;
+	*)
+	    usage 2
+	    ;;
+    esac
+fi

 exit $status
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -2,7 +2,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
@@ -272,7 +272,7 @@ get_interface_bcasts() # $1 = interface
 #
 del_ip_addr() # $1 = address, $2 = interface
 {
-    [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
+    [ $(find_first_interface_address_if_any $2) = $1 ] || qt $IP addr del $1 dev $2
 }

 # Add IP Aliases
@@ -504,57 +504,40 @@ undo_routing() {

 }

-#
-# Save the default route
-#
-save_default_route() {
-    awk \
-    'BEGIN        {defroute=0;};
-     /^default /  {deroute=1; print; next};
-     /nexthop/    {if (defroute == 1 ) {print ; next} };
-                  { defroute=0; };'
-}
-
 #
 # Restore the default route that was in place before the initial 'shorewall start'
 #
-replace_default_route() # $1 = USE_DEFAULT_RT
-{
-    #
-    # default_route and result are inherited from the caller
-    #
-    if [ -n "$default_route" ]; then
-	case "$default_route" in
-	    *metric*)
-	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
-	        #
-		[ -n "$1" ] && qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		default_route=
-		;;
-	    *)
-		qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		result=0
-		default_route=
-		;;
-	esac
-    fi
-}
-
-restore_default_route() # $1 = USE_DEFAULT_RT
-{
+restore_default_route() {
    local result
-    result=1
    
    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
+	result=1

 	while read route ; do
 	    case $route in
 		default*)
-		    replace_default_route $1
+		    if [ -n "$default_route" ]; then
+			case "$default_route" in
+			    *metric*)
+		                #
+		                # Don't restore a route with a metric -- we only replace the one with metric == 0
+		                #
+				qt $IP -4 route delete default metric 0 && \
+				    progress_message "Default Route with metric 0 deleted"
+				;;
+			    *)
+				qt $IP -4 route replace $default_route && \
+				    result=0 && \
+				    progress_message "Default Route (${default_route# }) restored"
+				;;
+			esac
+
+			break
+		    fi
+
 		    default_route="$default_route $route"
 		    ;;
 		*)
@@ -563,20 +546,6 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 	    esac
 	done < ${VARDIR}/default_route

-	replace_default_route $1
-	
-	if [ $result = 1 ]; then
-	    #
-	    # We didn't restore a default route with metric 0
-	    #
-	    if $IP -4 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
-	       #
-	       # But we added a default route with metric 0
-	       #
-	       qt $IP -4 route del default metric 0 && progress_message "Default route with metric 0 deleted"
-	    fi
-	fi
-
 	rm -f ${VARDIR}/default_route
    fi

@@ -624,8 +593,8 @@ conditionally_flush_conntrack() {
 delete_proxyarp() {
    if [ -f ${VARDIR}/proxyarp ]; then
 	while read address interface external haveroute; do
-	    qtnoin $IP -4 neigh del proxy $address dev $external
-	    [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
+	    qt arp -i $external -d $address pub
+	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address dev $interface
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -2,7 +2,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2011- Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2010- Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
@@ -492,57 +492,40 @@ undo_routing() {

 }

-#
-# Save the default route
-#
-save_default_route() {
-    awk \
-    'BEGIN        {defroute=0;};
-     /^default /  {defroute=1; print; next};
-     /nexthop/    {if (defroute == 1 ) {print ; next} };
-                  { defroute=0; };'
-}
-
 #
 # Restore the default route that was in place before the initial 'shorewall start'
 #
-replace_default_route() # $1 = USE_DEFAULT_RT
-{
-    #
-    # default_route and result are inherited from the caller
-    #
-    if [ -n "$default_route" ]; then
-	case "$default_route" in
-	    *metric*)
-	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
-	        #
-		[ -n "$1" ] && qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		default_route=
-		;;
-	    *)
-		qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		result=0
-		default_route=
-		;;
-	esac
-    fi
-}
-
-restore_default_route() # $1 = USE_DEFAULT_RT
-{
+restore_default_route() {
    local result
-    result=1
    
    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
+	result=1

 	while read route ; do
 	    case $route in
-		default*)
-		    replace_default_route $1
+		default)
+		    if [ -n "$default_route" ]; then
+			case "$default_route" in
+			    *metric*)
+		                #
+		                # Don't restore a route with a metric -- we only replace the one with metric == 0
+		                #
+				qt $IP -6 route delete default metric 0 && \
+				    progress_message "Default Route with metric 0 deleted"
+				;;
+			    *)
+				qt $IP -6 route replace $default_route && \
+				    result=0 && \
+				    progress_message "Default Route (${default_route# }) restored"
+				;;
+			esac
+
+			break
+		    fi
+
 		    default_route="$default_route $route"
 		    ;;
 		*)
@@ -551,20 +534,6 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 	    esac
 	done < ${VARDIR}/default_route

-	replace_default_route $1
-	
-	if [ $result = 1 ]; then
-	    #
-	    # We didn't restore a default route with metric 0
-	    #
-	    if $IP -6 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
-	       #
-	       # But we added a default route with metric 0
-	       #
-	       qt $IP -6 route del default metric 0 && progress_message "Default route with metric 0 deleted"
-	    fi
-	fi
-
 	rm -f ${VARDIR}/default_route
    fi

@@ -604,22 +573,6 @@ conditionally_flush_conntrack() {
    fi
 }

-#
-# Clear Proxy NDP
-#
-delete_proxyndp() {
-    if [ -f ${VARDIR}/proxyndp ]; then
-	while read address interface external haveroute; do
-	    qt $IP -6 neigh del proxy $address dev $external
-	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface
-	    f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp
-	    [ -f $f ] && echo 0 > $f
-	done < ${VARDIR}/proxyndp
-
-	rm -f ${VARDIR}/proxyndp
-    fi
-}
-
 #
 # Remove all Shorewall-added rules
 #
--- a/Shorewall/action.A_Drop
+++ b/Shorewall/action.A_Drop
@@ -1,56 +0,0 @@
-#
-# Shorewall version 4 - Drop Action
-#
-# /usr/share/shorewall/action.A_Drop
-#
-#	The audited default DROP common rules
-#
-#	This action is invoked before a DROP policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that 'auth' requests are rejected, even if the policy is
-#	   DROP. Otherwise, you may experience problems establishing
-#	   connections with servers that use auth.
-#	c) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-#
-###############################################################################
-#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Reject 'auth'
-#
-Auth(A_REJECT)
-#
-# Don't log broadcasts
-#
-dropBcast(audit)
-#
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs	-	-	icmp
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log.
-#
-dropInvalid(audit)
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_DROP)
-A_DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep
--- a/Shorewall/action.A_Reject
+++ b/Shorewall/action.A_Reject
@@ -1,54 +0,0 @@
-#
-# Shorewall version 4 - Reject Action
-#
-# /usr/share/shorewall/action.A_Reject
-#
-#	The audited default REJECT action common rules
-#
-#	This action is invoked before a REJECT policy is enforced. The purpose
-#	of the action is:
-#
-#	a) Avoid logging lots of useless cruft.
-#	b) Ensure that certain ICMP packets that are necessary for successful
-#	   internet operation are always ACCEPTed.
-#
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-###############################################################################
-#TARGET		SOURCE	DEST	PROTO
-#
-# Count packets that come through here
-#
-COUNT
-#
-# Don't log 'auth' -- REJECT
-#
-Auth(A_REJECT)
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast(audit)
-#
-# ACCEPT critical ICMP types
-#
-A_AllowICMPs	-	-	icmp
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid(audit)
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-SMB(A_REJECT)
-A_DropUPnP
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn(audit)	-	-	tcp
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-A_DropDNSrep
--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -1,73 +0,0 @@
-#
-# Shorewall 4 - Broadcast Action
-#
-#    /usr/share/shorewall/action.Broadcast
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#   Broadcast[([<action>|-[,{audit|-}])] 
-#
-#       Default action is DROP
-#
-##########################################################################################
-FORMAT 2
-
-DEFAULTS DROP,-
-
-BEGIN PERL;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
-
-my $chainref           = get_action_chain;
-my ( $level, $tag )    = get_action_logging;
-my $target             = require_audit ( $action , $audit );
-
-if ( have_capability( 'ADDRTYPE' ) ) {
-    if ( $level ne '' ) {
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
-	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
-    }	
-
-    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
-    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
-    add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
-} else {
-    add_commands $chainref, 'for address in $ALL_BCASTS; do';
-    incr_cmd_level $chainref;
-    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
-    add_jump $chainref, $target, 0, "-d \$address ";
-    decr_cmd_level $chainref;
-    add_commands $chainref, 'done';
-}
-    
-log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
-add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
-
-1;
-
-END PERL;
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -15,49 +15,9 @@
 #	c) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
-#  The action accepts five optional parameters:
-#
-#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#           actions.
-#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
-#	3 - Action to take with SMB requests. Default is DROP or A_DROP,
-#           depending on the setting of the first parameter.
-#       4 - Action to take with required ICMP packets. Default is ACCEPT or
-#           A_ACCEPT depending on the first parameter.
-#       5 - Action to take with late UDP replies (UDP source port 53). Default
-#           is DROP or A_DROP depending on the first parameter.
-#
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-FORMAT 2
-#
-# The following magic provides different defaults for $2 thru $5, when $1 is 
-# 'audit'.
-#
-BEGIN PERL;
-use Shorewall::Config;
-
-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
-
-if ( defined $p1 ) { 
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
-	set_action_param( 3, 'A_DROP')     unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
-    }
-}
-
-1;
-
-END PERL;
-
-DEFAULTS -,REJECT,DROP,ACCEPT,DROP
-
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
@@ -66,31 +26,31 @@ COUNT
 #
 # Reject 'auth'
 #
-Auth($2)
+Auth(REJECT)
 #
 # Don't log broadcasts
 #
-Broadcast(DROP,$1)
+dropBcast
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs($4)	-	-	icmp
+AllowICMPs	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
-Invalid(DROP,$1)
+dropInvalid
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB($3)
-DropUPnP($5)
+SMB(DROP)
+DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(DROP,$1)	-	-	tcp
+dropNotSyn	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep($5)
+DropDNSrep
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -1,56 +0,0 @@
-#
-# Shorewall 4 - Invalid Action
-#
-#    /usr/share/shorewall/action.Invalid
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#   Invalid[([<action>|-[,{audit|-}])] 
-#
-#       Default action is DROP
-#
-##########################################################################################
-FORMAT 2
-
-DEFAULTS DROP,-
-
-BEGIN PERL;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-fatal_error "Invalid parameter ($audit) to action Invalid"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action Invalid"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
-
-my $chainref         = get_action_chain;
-my ( $level, $tag )  = get_action_logging;
-my $target           = require_audit ( $action , $audit );
-
-log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
-add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
-
-$chainref->{dont_optimize} = 0;
-
-1;
-
-END PERL;
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -1,56 +0,0 @@
-#
-# Shorewall 4 - NotSyn Action
-#
-#    /usr/share/shorewall/action.NotSyn
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#   NotSyn[([<action>|-[,{audit|-}])] 
-#
-#       Default action is DROP
-#
-##########################################################################################
-FORMAT 2
-
-DEFAULTS DROP,-
-
-BEGIN PERL;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-
-my ( $action, $audit ) = get_action_params( 2 );
-
-fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
-
-my $chainref         = get_action_chain;
-my ( $level, $tag )  = get_action_logging;
-my $target           = require_audit ( $action , $audit );
-
-log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
-add_jump $chainref , $target, 0, '-p 6 ! --syn ';
-
-$chainref->{dont_optimize} = 0;
-
-1;
-
-END PERL;
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -12,48 +12,8 @@
 #	b) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
-#  The action accepts five optional parameters:
-#
-#	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
-#           actions.
-#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
-#	3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
-#       4 - Action to take with required ICMP packets. Default is ACCEPT or
-#           A_ACCEPT depending on the first parameter.
-#       5 - Action to take with late UDP replies (UDP source port 53). Default
-#           is DROP or A_DROP depending on the first parameter.
-#
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-FORMAT 2
-#
-# The following magic provides different defaults for $2 thru $5, when $1 is 
-# 'audit'.
-#
-BEGIN PERL;
-use Shorewall::Config;
-
-my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
-
-if ( defined $p1 ) { 
-    if ( $p1 eq 'audit' ) {
-	set_action_param( 2, 'A_REJECT')  unless supplied $p2;
-	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
-	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
-	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
-    } else {
-	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
-    }
-}
-
-1;
-
-END PERL;
-
-DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
-
 #TARGET		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
@@ -62,33 +22,33 @@ COUNT
 #
 # Don't log 'auth' -- REJECT
 #
-Auth($2)
+Auth(REJECT)
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-Broadcast(DROP,$1)
+dropBcast
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs($4)	-	-	icmp
+AllowICMPs	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
-Invalid(DROP,$1)
+dropInvalid
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB($3)
-DropUPnP($5)
+SMB(REJECT)
+DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(DROP,$1)	-	-	tcp
+dropNotSyn	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep($5)
+DropDNSrep
--- a/Shorewall/action.template
+++ b/Shorewall/action.template
@@ -16,11 +16,184 @@
 #	Please see http://shorewall.net/Actions.html for additional
 #	information.
 #
-# Columns are the same as in /etc/shorewall/rules.
+# Columns are:
 #
-#######################################################################################################
-#                                         DO NOT REMOVE THE FOLLOWING LINE
-FORMAT 2
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#
+#	TARGET		ACCEPT, DROP, REJECT, LOG, QUEUE, CONTINUE, a <macro>
+#			or a previously-defined <action>
+#
+#				ACCEPT	 -- allow the connection request
+#				DROP	 -- ignore the request
+#				REJECT	 -- disallow the request and return an
+#					    icmp-unreachable or an RST packet.
+#				LOG	 -- Simply log the packet and continue.
+#				QUEUE	 -- Queue the packet to a user-space
+#					    application such as p2pwall.
+#				CONTINUE -- Stop processing this action and
+#					    return to the point where the
+#					    action was invoked.
+#				<action> -- An <action> defined in
+#					    /etc/shorewall/actions.
+#					    The <action> must appear in that
+#					    file BEFORE the one being defined
+#					    in this file.
+#				<macro>	 -- The name of a macro defined in a
+#					    file named macro.<macro-name>. If
+#					    the macro accepts an action
+#					    parameter (Look at the macro
+#					    source to see if it has PARAM in
+#					    the TARGET column) then the macro
+#					    name is followed by "/" and the
+#					    action (ACCEPT, DROP, REJECT, ...)
+#					    to be substituted for the
+#					    parameter. Example: FTP/ACCEPT.
+#
+#			The TARGET may optionally be followed
+#			by ":" and a syslog log level (e.g, REJECT:info or
+#			ACCEPT:debugging). This causes the packet to be
+#			logged at the specified level.
+#
+#			The special log level 'none' does not result in logging
+#			but rather exempts the rule from being overridden by a
+#			non-forcing log level when the action is invoked.
+#
+#			You may also specify ULOG (must be in upper case) as a
+#			log level.This will log to the ULOG target for routing
+#			to a separate log through use of ulogd
+#			(http://www.gnumonks.org/projects/ulogd).
+#
+#			Actions specifying logging may be followed by a
+#			log tag (a string of alphanumeric characters)
+#			are appended to the string generated by the
+#			LOGPREFIX (in /etc/shorewall/shorewall.conf).
+#
+#			Example: ACCEPT:info:ftp would include 'ftp '
+#			at the end of the log prefix generated by the
+#			LOGPREFIX setting.
+#
+#	SOURCE		Source hosts to which the rule applies.
+#			A comma-separated list of subnets
+#			and/or hosts. Hosts may be specified by IP or MAC
+#			address; mac addresses must begin with "~" and must use
+#			"-" as a separator.
+#
+#			192.168.2.2		Host 192.168.2.2
+#
+#			155.186.235.0/24	Subnet 155.186.235.0/24
+#
+#			10.0.0.4-10.0.0.9	Range of IP addresses; your
+#						kernel and iptables must have
+#						iprange match support.
+#
+#			+remote			The name of an ipset prefaced
+#						by "+". Your kernel and
+#						iptables must have set match
+#						support
+#
+#			+remote[4]		The name of the ipset may
+#						followed by a number of
+#						levels of ipset bindings
+#						enclosed in square brackets.
+#
+#			192.168.1.1,192.168.1.2
+#						Hosts 192.168.1.1 and
+#						192.168.1.2.
+#			~00-A0-C9-15-39-78	Host with
+#						MAC address 00:A0:C9:15:39:78.
+#
+#			Alternatively, clients may be specified by interface
+#			name. For example, eth1 specifies a
+#			client that communicates with the firewall system
+#			through eth1. This may be optionally followed by
+#			another colon (":") and an IP/MAC/subnet address
+#			as described above (e.g., eth1:192.168.1.5).
+#
+#	DEST		Location of destination host. Same as above with
+#			the exception that MAC addresses are not allowed and
+#			that you cannot specify an ipset name in both the
+#			SOURCE and DEST columns.
+#
+#	PROTO		Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
+#			"ipp2p", "ipp2p:udp", "ipp2p:all", a number, or "all".
+#                       "ipp2p*" requires ipp2p match support in your kernel
+#                       and iptables.
+#
+#			"tcp:syn" implies "tcp" plus the SYN flag must be
+#			set and the RST, ACK and FIN flags must be reset.
+#
+#	DEST PORT(S)	Destination Ports. A comma-separated list of Port
+#			names (from /etc/services), port numbers or port
+#			ranges; if the protocol is "icmp", this column is
+#			interpreted as the destination icmp-type(s).
+#
+#			A port range is expressed as <low port>:<high port>.
+#
+#			This column is ignored if PROTOCOL = all but must be
+#			entered if any of the following fields are supplied.
+#			In that case, it is suggested that this field contain
+#			 "-"
+#
+#			If your kernel contains multi-port match support, then
+#			only a single Netfilter rule will be generated if in
+#			this list and the CLIENT PORT(S) list below:
+#			1. There are 15 or less ports listed.
+#			2. No port ranges are included.
+#			Otherwise, a separate rule will be generated for each
+#			port.
+#
+#	SOURCE PORT(S)	(Optional) Port(s) used by the client. If omitted,
+#			any source port is acceptable. Specified as a comma-
+#			separated list of port names, port numbers or port
+#			ranges.
+#
+#			If you don't want to restrict client ports but need to
+#			specify an ADDRESS in the next column, then place "-"
+#			in this column.
+#
+#			If your kernel contains multi-port match support, then
+#			only a single Netfilter rule will be generated if in
+#			this list and the DEST PORT(S) list above:
+#			1. There are 15 or less ports listed.
+#			2. No port ranges are included.
+#			Otherwise, a separate rule will be generated for each
+#			port.
+#
+#	RATE LIMIT	You may rate-limit the rule by placing a value in
+#			this column:
+#
+#				<rate>/<interval>[:<burst>]
+#
+#			where <rate> is the number of connections per
+#			<interval> ("sec" or "min") and <burst> is the
+#			largest burst permitted. If no <burst> is given,
+#			a value of 5 is assumed. There may be no
+#			no whitespace embedded in the specification.
+#
+#				Example: 10/sec:20
+#
+#	USER/GROUP	This column may only be non-empty if the SOURCE is
+#			the firewall itself.
+#
+#			The column may contain:
+#
+#	[!][<user name or number>][:<group name or number>][+<program name>]
+#
+#			When this column is non-empty, the rule applies only
+#			if the program generating the output is running under
+#			the effective <user> and/or <group> specified (or is
+#			NOT running under that id if "!" is given).
+#
+#			Examples:
+#
+#				joe	#program must be run by joe
+#				:kids	#program must be run by a member of
+#					#the 'kids' group
+#				!:kids	#program must not be run by a member
+#					#of the 'kids' group
+#				+upnpd	#program named upnpd (This feature was
+#					#removed from Netfilter in kernel
+#					#version 2.6.14).
+#
+###############################################################################
+#TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -8,9 +8,6 @@
 #
 # Builtin Actions are:
 #
-#    A_ACCEPT           # Audits then accepts a connection request
-#    A_DROP             # Audits then drops a connection request
-#    A_REJECT		# Audits then drops a connection request
 #    allowBcast		# Silently Allow Broadcast/multicast
 #    dropBcast		# Silently Drop Broadcast/multicast
 #    dropNotSyn		# Silently Drop Non-syn TCP packets
@@ -33,10 +30,5 @@
 #
 ###############################################################################
 #ACTION
-A_Drop 		    # Audited Default Action for DROP policy
-A_Reject	    # Audited Default action for REJECT policy
-Broadcast	    # Handles Broadcast/Multicast/Anycast
 Drop		    # Default Action for DROP policy
-Invalid             # Handles packets in the INVALID conntrack state
-NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject		    # Default Action for REJECT policy
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -0,0 +1,632 @@
+Changes in Shorewall 4.4.13
+
+1)  Allow zone lists in rules SOURCE and DEST.
+
+2)  Fix exclusion in the blacklist file.
+
+3)  Correct several old exclusion bugs.
+
+4)  Fix exclusion with CONTINUE/NONAT/ACCEPT+
+
+5)  Re-implement optional interface handling.
+
+6)  Add secmark config file.
+
+7)  Split in and out blacklisting.
+
+8)  Correct handling of [{src|dst},...] in ipset invocation
+
+9)  Correct SAME.
+
+10) TC Enhancements:
+
+    <burst> in IN-BANDWIDTH columns.
+    OUT-BANDWIDTH column in tcinterfaces.
+
+11) Create dynamic zone ipsets on 'start'.
+
+12) Remove new blacklisting implementation.
+
+13) Implement an alternative blacklisting scheme.
+
+14) Use '-m state' for UNTRACKED.
+
+15) Clear raw table on 'clear'
+
+16) Correct port-range check in tcfilters.
+
+17) Disallow '*' in interface names.
+
+Changes in Shorewall 4.4.12
+
+1)  Fix IPv6 shorecap program.
+
+2)  Eradicate incorrect IPv6 Multicast Network
+
+3)  Add ADD/DEL support.
+
+4)  Allow :random to work with REDIRECT
+
+5)  Add per-ip log rate limiting.
+
+6)  Use new hashlimit match syntax if available.
+
+7)  Add Universal sample.
+
+8)  Add COMPLETE option.
+
+9)  Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
+
+10) Support new set match syntax.
+
+11) Blacklisting by DEST IP.
+
+12) Fix duplicate rule generation with 'any'.
+
+13) Fix port range editing problem.
+
+14) Display the .conf file directory in response to the status command.
+
+15)  Correct AUTOMAKE
+
+Changes in Shorewall 4.4.11
+
+1)  Apply patch from Gabriel.
+
+2)  Fix IPSET match detection when a pathname is specified for IPSET.
+
+3)  Fix start priority of shorewall-init on Debian
+
+4)  Make IPv6 log and connections output readable.
+
+5)  Add REQUIRE_INTERFACE to shorewall*.conf
+
+6)  Avoid run-time warnings when options are not listed in
+    shorewall.conf.
+
+7)  Implement Vserver zones.
+
+8)  Make find_hosts_by_option() work correctly where ALL_IP appears in
+    hosts file.
+
+9)  Add CLEAR_FORWARD_MARK option.
+
+10) Avoid missing closing quote when REQUIRE_INTERFACE=Yes.
+
+11) Add PERL option.
+
+12) Fix nets= in Shorewall6
+
+Changes in Shorewall 4.4.10
+
+1)  Fix regression with scripts.
+
+2)  Log startup errors.
+
+3)  Implement Shorewall-init.
+
+4)  Add SAFESTOP option to /etc/default/shorewall*
+
+5)  Restore -a functionality to the version command.
+
+6)  Correct Optimization issue
+
+7)  Rename PREFIX to DESTDIR in install scripts
+
+8)  Correct handling of optional/required interfaces with wildcard names.
+
+Changes in Shorewall 4.4.9
+
+1)  Auto-detection of bridges.
+
+2)  Correct handling of a logical interface name in the EXTERNAL column
+    of proxyarp.
+
+3)  More robust 'trace'.
+
+4)  Added IPv6 mDNS macro.
+
+5)  Fix find_first_interface_address() error reporting.
+
+6)  Fix propagation of zero-valued config variables.
+
+7)  Fix OPTIMIZE 4 bug.
+
+8)  Deallocate unused rules.
+
+9)  Keep rule arrays compressed during optimization.
+
+10) Remove remaining fallback scripts.
+
+11) Rationalize startup logs.
+
+12) Optimize 8.
+
+13) Don't create output chains for BPORT zones.
+
+14) Implement 'show log ip-addr' in /sbin/shorewall and
+    /sbin/shorewall-lite/
+
+15) Restore lone ACCEPT rule to the OUTPUT chain under OPTIMIZE 2.
+
+16) Change chain policy on OUTPUT chain with lone ACCEPT rule.
+
+17) Set IP before sourcing the params file.
+
+18) Fix rare optimization bug.
+
+19) Allow definition of an addressless bridge without a zone.
+
+20) In the routestopped file, assume 'routeback' if the interface has
+    'routeback'.
+
+21) Make Shorewall and Shorewall6 installable on OS X.
+
+Changes in Shorewall 4.4.8
+
+1)  Correct handling of RATE LIMIT on NAT rules.
+
+2)  Don't create a logging chain for rules with '-j RETURN'.
+
+3)  Avoid duplicate SFQ class numbers.
+
+4)  Fix low per-IP rate limits.
+
+5)  Fix Debian init script exit status
+
+6)  Fix NFQUEUE(queue-num) in policy
+
+7)  Implement -s option in install.sh
+
+8)  Add HKP Macro
+
+9)  Fix multiple policy matches with OPTIMIZE 4 and not KLUDGEFREE
+
+10) Eliminate up-cased variable names that aren't documented options.
+
+11) Don't show 'OLD' capabilities if they are not available.
+
+12) Attempt to flag use of '-' as a port-range separator.
+
+13) Add undocumented OPTIMIZE=-1 setting.
+
+14) Replace OPTIMIZE=-1 with undocumented optimize 4096 which DISABLES
+    default optimizations.
+
+15) Add support for UDPLITE
+
+16) Distinguish between 'Started' and 'Restored' in ${VARDIR}/state
+
+17) Issue warnings when 'blacklist' but no blacklist file entries.
+
+18) Don't optimize 'blacklst'.
+
+Changes in Shorewall 4.4.7
+
+1)  Backport optimization changes from 4.5.
+
+2)  Backport two new options from 4.5.
+
+3)  Backport TPROXY from 4.5
+
+4)  Add TC_PRIOMAP to shorewall*.conf
+
+5)  Implement LOAD_HELPERS_ONLY
+
+6)  Avoid excessive module loading with LOAD_HELPERS_ONLY=Yes
+
+7)  Fix case where MARK target is unavailable.
+
+8)  Change default to ADD_IP_ALIASES=No
+
+9)  Correct defects in generate_matrix().
+
+10) Fix and optimize 'nosmurfs'.
+
+11) Use 'OLD_HL_MATCH' to suppress use of 'flow' in Simple TC.
+
+Changes in Shorewall 4.4.6
+
+1)  Fix for rp_filter and kernel 2.6.31.
+
+2)  Add a hack to work around a bug in Lenny + xtables-addons
+
+3)  Re-enable SAVE_IPSETS
+
+4)  Allow both <...> and [...] for IPv6 Addresses.
+
+5)  Port mark geometry change from 4.5.
+
+6)  Add Macro patch from Tuomo Soini
+
+7)  Add 'show macro' command.
+
+8)  Add -r option to check.
+
+9)  Port simplified TC from 4.5.
+
+Changes in Shorewall 4.4.5
+
+1)  Fix 15-port limit removal change.
+
+2)  Fix handling of interfaces with the 'bridge' option.
+
+3)  Generate error for port number 0
+
+4)  Allow zone::serverport in rules DEST column.
+
+5)  Fix 'show policies' in Shorewall6.
+
+6)  Auto-load tc modules.
+
+7)  Allow LOGFILE=/dev/null
+
+8)  Fix shorewall6-lite/shorecap
+
+9) Fix MODULE_SUFFIX.
+
+10) Fix ENHANCED_REJECT detection for IPv4.
+
+11) Fix DONT_LOAD vs 'reload -c'
+
+12) Fix handling of SOURCE and DEST vs macros.
+
+13) Remove silly logic in expand_rule().
+
+14) Add current and limit to Conntrack Table Heading.
+
+Changes in Shorewall 4.4.4
+
+1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
+
+2)  Fix access to uninitialized variable.
+
+3)  Add logrotate scripts.
+
+4)  Allow long port lists in /etc/shorewall/routestopped.
+
+5)  Implement 'physical' interface option.
+
+6)  Implement ZONE2ZONE option.
+
+7)  Suppress duplicate COMMENT warnings.
+
+8)  Implement 'show policies' command.
+
+9)  Fix route_rule suppression for down provider.
+
+10) Suppress redundant tests for provider availability in route rules
+    processing.
+
+11) Implement the '-l' option to the 'show' command.
+
+12) Fix class number assignment when WIDE_TC_MARKS=Yes
+
+13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes
+
+Changes in Shorewall 4.4.3
+
+1)  Move Debian INITLOG initialization to /etc/default/shorewall
+
+2)  Fix 'routeback' in /etc/shorewall/routestopped.
+
+3)  Rename 'object' to 'script' in compiler and config modules.
+
+4)  Correct RETAIN_ALIASES=No.
+
+5)  Fix detection of IP config.
+
+6)  Fix nested zones.
+
+7)  Move all function declarations from prog.footer to prog.header
+
+8)  Remove superfluous variables from generated script
+
+9)  Make 'track' the default.
+
+10)  Add TRACK_PROVIDERS option.
+
+11)  Fix IPv6 address parsing bug.
+
+12)  Add hack to work around iproute IPv6 bug in route handling
+
+13)  Correct messages issued when an optional provider is not usable.
+
+14)  Fix optional interfaces.
+
+15)  Add 'limit' option to tcclasses.
+
+Changes in Shorewall 4.4.2
+
+1)  BUGFIX: Correct detection of Persistent SNAT support
+
+2)  BUGFIX: Fix chain table initialization
+
+3)  BUGFIX: Validate routestopped file on 'check'
+
+4)  Let the Actions module add the builtin actions to
+    %Shorewall::Chains::targets. Much better modularization that way.
+
+5)  Some changes to make Lenny->Squeeze less painful.
+
+6)  Allow comments at the end of continued lines.
+
+7)  Call process_routestopped() during 'check' rather than
+    'compile_stop_firewall()'.
+
+8)  Don't look for an extension script for built-in actions.
+
+9)  Apply Jesse Shrieve's patch for SNAT range.
+
+10) Add -<family> to 'ip route del default' command.
+
+11) Add three new columns to macro body.
+
+12) Change 'wait4ifup' so that it requires no PATH
+
+13) Allow extension scripts for accounting chains.
+
+14) Allow per-ip LIMIT to work on ancient iptables releases.
+
+15) Add 'MARK' column to action body.
+
+Changes in Shorewall 4.4.1
+
+1)  Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
+
+2)  Deleted superfluous export from Chains.pm.
+
+3)  Added support for --persistent.
+
+4)  Don't do module initialization in an INIT block.
+
+5)  Minor performance improvements.
+
+6)  Add 'clean' target to Makefile.
+
+7)  Redefine 'full' for sub-classes.
+
+8)  Fix log level in rules at the end of INPUT and OUTPUT chains.
+
+9)  Fix nested ipsec zones.
+
+10) Change one-interface sample to IP_FORWARDING=Off.
+
+11) Allow multicast to non-dynamic zones defined with nets=.
+
+12) Allow zones with nets= to be extended by /etc/shorewall/hosts
+    entries.
+
+13) Don't allow nets= in a multi-zone interface definition.
+
+14) Fix rule generated by MULTICAST=Yes
+
+15) Fix silly hole in zones file parsing.
+
+16) Tighen up zone membership checking.
+
+17) Combine portlist-spitting routines into a single function.
+
+Changes in Shorewall 4.4.0
+
+1)  Fix 'compile ... -' so that it no longer requires '-v-1'
+
+2)  Fix rule generation for logging nat rules with no exclusion.
+
+3)  Fix log record formatting.
+
+4)  Restore ipset binding
+
+5)  Fix 'upnpclient' with required interfaces.
+
+6)  Fix provider number in masq file.
+
+Changes in Shorewall 4.4.0-RC2
+
+1)  Fix capabilities file with Shorewall6.
+
+2)  Allow Shorewall6 to recognize TC, IP and IPSET
+
+3)  Make 'any' a reserved zone name.
+
+4)  Correct handling of an ipsec zone nested in a non-ipsec zone.
+
+Changes in Shorewall 4.4.0-RC1
+
+1)  Delete duplicate Git macro.
+
+2)  Fix routing when no providers.
+
+3)  Add 'any' as a SOURCE/DEST in rules.
+
+4)  Fix NONAT on child zone.
+
+5)  Fix rpm -U from earlier versions
+
+6)  Generate error on 'status' by non-root.
+
+7)  Get rid of prog.functions and prog.functions6
+
+Changes in Shorewall 4.4.0-Beta4
+
+1)  Add more macros.
+
+2)  Correct broadcast address detection
+
+3) Fix 'show dynamic'
+
+4) Fix BGP and OSFP macros.
+
+5) Change DISABLE_IPV6 default and use 'correct' ip6tables.
+
+Changes in Shorewall 4.4.0-Beta3
+
+1)  Add new macros.
+
+2)  Work around mis-configured interfaces.
+
+3)  Fix 'show dynamic'.
+
+4)  Check for xt_LOG.
+
+5)  Fix 'findgw'
+
+Changes in Shorewall 4.4.0-Beta2
+
+1)  The 'find_first_interface_address()' and
+    'find_first_interface_address_if_any()' functions have been restored to
+    lib.base.
+
+2)  Integerize r2q before inserting it into 'tc qdisc add root'
+    command.
+
+3)  Remove '-h' from the help text for install.sh in Shorewall and
+    Shorewall6.
+
+4)  Delete the 'continue' file from the Shorewall package.
+
+5)  Add 'upnpclient' interface option.
+
+6)  Fix handling of optional interfaces.
+
+7)  Add 'iptrace' and 'noiptrace' command.
+
+8)  Add 'USER/GROUP' column to masq file.
+
+9)  Added lib.private.
+
+Changes in Shorewall 4.4.0-Beta1
+
+1)  Correct typo in Shorewall6 two-interface sample shorewall.conf.
+
+2)  Fix TOS mnemonic handling in /etc/shorewall/tcfilters.
+
+Changes in Shorewall 4.3.12
+
+1) Eliminate 'large quantum' warnings.
+
+2) Add HFSC support.
+
+3) Delete support for ipset binding. Jozsef has removed the capability
+   from ipset.
+
+4) Add TOS and LENGTH columns to tcfilters file.
+
+5) Fix 'reset' command.
+
+6) Fix 'findgw'.
+
+7) Remove 'norfc1918' support.
+
+Changes in Shorewall 4.3.11
+
+1) Reduce the number of arguments passed in may cases.
+
+2) Fix SCTP source port handling in tcfilters.
+
+3) Add 'findgw' user exit.
+
+4) Add macro.Trcrt
+
+Changes in Shorewall 4.3.10
+
+1) Fix handling of shared optional providers.
+
+2) Add WIDE_TC_MARKS option.
+
+3) Allow compile to STDOUT.
+
+4) Fix handling of class IDs.
+
+5) Deprecate use of an interface in the SOURCE column of
+   /etc/shorewall/masq.
+
+6) Fix handling of 'all' in the SOURCE of DNAT- rules.
+
+7) Fix compile for export.
+
+8) Optimize IPMARK.
+
+9) Implement nested HTB classes.
+
+10) Fix 'iprange' command.
+
+11) Make traffic shaping work better with IPv6.
+
+12) Externalize 'flow'.
+
+13) Fix 'start' with AUTOMAKE=Yes
+
+Changes in Shorewall 4.3.9
+
+1) Logging rules now create separate chain.
+
+2) Fix netmask genereation in tcfilters.
+
+3) Allow Shorewall6 with kernel 2.6.24
+
+4) Avoid 'Invalid BROADCAST address' errors.
+
+5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt
+
+6) Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf.
+
+7) Add IPMARK support
+
+Changes in Shorewall 4.3.8
+
+1) Apply Tuomo Soini's patch for USE_DEFAULT_RT.
+
+2) Use 'startup_error' for those errors caught early.
+
+3) Fix swping
+
+4) Detect gateway via dhclient leases file.
+
+5) Suppress leading whitespace on certain continuation lines.
+
+6) Use iptables[6]-restore to stop the firewall.
+
+7) Add AUTOMAKE option
+
+8) Remove SAME support.
+
+9) Allow 'compile' without a pathname.
+
+10) Fix LOG_MARTIANS=Yes.
+
+11) Adapt I. Buijs's hashlimit patch.
+
+Changes in Shorewall 4.3.7
+
+1)  Fix forward treatment of interface options.
+
+2)  Replace $VARDIR/.restore with $VARDIR/firewall
+
+3)  Fix DNAT- parsing of DEST column.
+
+4)  Implement dynamic zones
+
+5)  Allow 'HOST' options on bridge ports.
+
+6)  Deprecate old macro parameter syntax.
+
+Changes in Shorewall 4.3.6
+
+1)  Add SAME tcrules target.
+
+2)  Make 'dump' display the raw table. Fix shorewall6 dump anomalies.
+
+3)  Fix split_list1()
+
+4)  Fix Shorewall6 file location bugs.
+
+Changes in Shorewall 4.3.5
+
+1)  Remove support for shorewall-shell.
+
+2)  Combine shorewall-common and shorewall-perl to produce shorewall.
+
+3)  Add nets= OPTION in interfaces file.
+
+
--- a/Shorewall/configfiles/accounting
+++ b/Shorewall/configfiles/accounting
@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-#################################################################################################################
+#####################################################################################################
 #ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC
 #							PORT(S)		PORT(S)	GROUP
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -6,6 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
-#############################################################################################
+###############################################################################
 #INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
 #											GROUP
--- a/Shorewall/configfiles/routes
+++ b/Shorewall/configfiles/routes
@@ -1,9 +0,0 @@
-#
-# Shorewall version 4 - routes File
-#
-# For information about entries in this file, type "man shorewall-routes"
-#
-# For additional information, see http://www.shorewall.net/MultiISP.html
-##############################################################################
-#PROVIDER		DEST			GATEWAY		DEVICE
-
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+####################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ESTABLISHED
 #SECTION RELATED
--- a/Shorewall/configfiles/scfilter
+++ b/Shorewall/configfiles/scfilter
@@ -1,15 +0,0 @@
-#! /bin/sh
-#
-# Shorewall version 4 - Show Connections Filter
-#
-# /etc/shorewall/scfilter
-#
-#	Replace the 'cat' command below to filter the output of
-#       'show connections. Unlike other extension scripts, this file
-#       must be executable before Shorewall will use it.
-#
-# See http://shorewall.net/shorewall_extension_scripts.htm for additional
-# information.
-#
-###############################################################################
-cat -
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -18,180 +18,188 @@ STARTUP_ENABLED=No
 VERBOSITY=1

 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################

-BLACKLIST_LOGLEVEL=
+LOGFILE=/var/log/messages

-LOG_MARTIANS=Yes
+STARTUP_LOG=/var/log/shorewall-init.log

 LOG_VERBOSITY=2

-LOGALLNEW=
-
-LOGFILE=/var/log/messages
-
 LOGFORMAT="Shorewall:%s:%s:"

 LOGTAGONLY=No

 LOGLIMIT=

+LOGALLNEW=
+
+BLACKLIST_LOGLEVEL=
+
 MACLIST_LOG_LEVEL=info

-SFILTER_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info

-STARTUP_LOG=/var/log/shorewall-init.log
-
-TCP_FLAGS_LOG_LEVEL=info
+LOG_MARTIANS=Yes

 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH="/etc/shorewall:/usr/share/shorewall"
-
 IPTABLES=

 IP=

+TC=
+
 IPSET=

-MODULESDIR=
-
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
-
 PERL=/usr/bin/perl

-RESTOREFILE=restore
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 SHOREWALL_SHELL=/bin/sh

 SUBSYSLOCK=/var/lock/subsys/shorewall

-TC=
+MODULESDIR=
+
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+
+RESTOREFILE=
+
+IPSECFILE=zones
+
+LOCKFILE=

 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################

-ACCEPT_DEFAULT=none
-DROP_DEFAULT=Drop
-NFQUEUE_DEFAULT=none
-QUEUE_DEFAULT=none
-REJECT_DEFAULT=Reject
+DROP_DEFAULT="Drop"
+REJECT_DEFAULT="Reject"
+ACCEPT_DEFAULT="none"
+QUEUE_DEFAULT="none"
+NFQUEUE_DEFAULT="none"

 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################

-RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
+RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'

 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################

-ACCOUNTING=Yes
-
-ACCOUNTING_TABLE=filter
+IP_FORWARDING=On

 ADD_IP_ALIASES=No

 ADD_SNAT_ALIASES=No

-ADMINISABSENTMINDED=Yes
-
-AUTO_COMMENT=Yes
-
-AUTOMAKE=No
-
-BLACKLISTNEWONLY=Yes
-
-CLAMPMSS=No
-
-CLEAR_TC=Yes
-
-COMPLETE=No
-
-DELETE_THEN_ADD=Yes
-
-DETECT_DNAT_IPADDRS=No
-
-DISABLE_IPV6=No
-
-DONT_LOAD=
-
-DYNAMIC_BLACKLIST=Yes
-
-EXPAND_POLICIES=Yes
-
-EXPORTMODULES=Yes
-
-FASTACCEPT=No
-
-FORWARD_CLEAR_MARK=
-
-IMPLICIT_CONTINUE=No
-
-HIGH_ROUTE_MARKS=No
-
-IP_FORWARDING=On
-
-KEEP_RT_TABLES=No
-
-LEGACY_FASTSTART=Yes
-
-LOAD_HELPERS_ONLY=No
-
-MACLIST_TABLE=filter
-
-MACLIST_TTL=
-
-MANGLE_ENABLED=Yes
-
-MAPOLDACTIONS=No
-
-MARK_IN_FORWARD_CHAIN=No
-
-MODULE_SUFFIX=ko
-
-MULTICAST=No
-
-MUTEX_TIMEOUT=60
-
-NULL_ROUTE_RFC1918=No
-
-OPTIMIZE=0
-
-OPTIMIZE_ACCOUNTING=No
-
-REQUIRE_INTERFACE=No
-
-RESTORE_DEFAULT_ROUTE=Yes
-
 RETAIN_ALIASES=No

-ROUTE_FILTER=No
-
-SAVE_IPSETS=No
-
 TC_ENABLED=Internal

 TC_EXPERT=No

 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

-TRACK_PROVIDERS=No
+CLEAR_TC=Yes
+
+MARK_IN_FORWARD_CHAIN=No
+
+CLAMPMSS=No
+
+ROUTE_FILTER=No
+
+DETECT_DNAT_IPADDRS=No
+
+MUTEX_TIMEOUT=60
+
+ADMINISABSENTMINDED=Yes
+
+BLACKLISTNEWONLY=Yes
+
+DELAYBLACKLISTLOAD=No
+
+MODULE_SUFFIX=ko
+
+DISABLE_IPV6=No
+
+BRIDGING=No
+
+DYNAMIC_ZONES=No
+
+PKTTYPE=Yes
+
+NULL_ROUTE_RFC1918=No
+
+MACLIST_TABLE=filter
+
+MACLIST_TTL=
+
+SAVE_IPSETS=No
+
+MAPOLDACTIONS=No
+
+FASTACCEPT=No
+
+IMPLICIT_CONTINUE=No
+
+HIGH_ROUTE_MARKS=No
+
+USE_ACTIONS=Yes
+
+OPTIMIZE=0
+
+EXPORTPARAMS=Yes
+
+EXPAND_POLICIES=Yes
+
+KEEP_RT_TABLES=No
+
+DELETE_THEN_ADD=Yes
+
+MULTICAST=No
+
+DONT_LOAD=
+
+AUTO_COMMENT=Yes
+
+MANGLE_ENABLED=Yes

 USE_DEFAULT_RT=No

+RESTORE_DEFAULT_ROUTE=Yes
+
+AUTOMAKE=No
+
 WIDE_TC_MARKS=No

+TRACK_PROVIDERS=No
+
 ZONE2ZONE=2

+ACCOUNTING=Yes
+
+DYNAMIC_BLACKLIST=Yes
+
+OPTIMIZE_ACCOUNTING=No
+
+LOAD_HELPERS_ONLY=No
+
+REQUIRE_INTERFACE=No
+
+FORWARD_CLEAR_MARK=Yes
+
+COMPLETE=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -200,15 +208,6 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

-SMURF_DISPOSITION=DROP
-
-SFILTER_DISPOSITION=DROP
-
 TCP_FLAGS_DISPOSITION=DROP

-################################################################################
-#                            L E G A C Y  O P T I O N
-#                      D O  N O T  D E L E T E  O R  A L T E R
-################################################################################
-
-IPSECFILE=zones
+#LAST LINE -- DO NOT REMOVE
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2009,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=xxx #The Build script inserts the actual version
+VERSION=4.4.13

 usage() # $1 = exit status
 {
@@ -30,8 +30,6 @@ usage() # $1 = exit status
    echo "usage: $ME"
    echo "       $ME -v"
    echo "       $ME -h"
-    echo "       $ME -s"
-    echo "       $ME -f"
    exit $1
 }

@@ -96,6 +94,7 @@ install_file() # $1 = source $2 = target $3 = mode
 # INIT is the name of the script in the $DEST directory
 # ARGS is "yes" if we've already parsed an argument
 #
+ARGS=""
 T="-T"

 if [ -z "$DEST" ] ; then
@@ -106,29 +105,8 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall"
 fi

-ANNOTATED=
 SPARSE=
 MANDIR=${MANDIR:-"/usr/share/man"}
-[ -n "${LIBEXEC:=/usr/share}" ]
-[ -n "${PERLLIB:=/usr/share/shorewall}" ]
-MACHOST=
-
-case "$LIBEXEC" in
-    /*)
-	;;
-    *)
-	LIBEXEC=/usr/${LIBEXEC}
-	;;
-esac
-
-case "$PERLLIB" in
-    /*)
-	;;
-    *)
-	PERLLIB=/usr/${PERLLIB}
-	;;
-esac
-
 INSTALLD='-D'

 case $(uname) in
@@ -153,7 +131,6 @@ case $(uname) in
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
 	MAC=Yes
-        MACHOST=Yes
 	INSTALLD=
 	T=
 	;;
@@ -165,49 +142,24 @@ esac

 OWNERSHIP="-o $OWNER -g $GROUP"

-finished=0
-
-while [ $finished -eq 0 ]; do
-    option=$1
-
-    case "$option" in
-	-*)
-	    option=${option#-}
-	    
-	    while [ -n "$option" ]; do
-		case $option in
-		    h)
-			usage 0
-			;;
-		    v)
-			echo "Shorewall Firewall Installer Version $VERSION"
-			exit 0
-			;;
-		    s*)
-			SPARSE=Yes
-			option=${option#s}
-			;;
-		    a*)
-			ANNOTATED=Yes
-			option=${option#a}
-			;;
-		    p*)
-			ANNOTATED=
-			option=${option#p}
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-
-	    shift
+while [ $# -gt 0 ] ; do
+    case "$1" in
+	-h|help|?)
+	    usage 0
+	    ;;
+        -v)
+	    echo "Shorewall Firewall Installer Version $VERSION"
+	    exit 0
+	    ;;
+	-s)
+	    SPARSE=Yes
 	    ;;
 	*)
-	    [ -n "$option" ] && usage 1
-	    finished=1
+	    usage 1
 	    ;;
    esac
+    shift
+    ARGS="yes"
 done

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -281,19 +233,9 @@ fi
 if [ -z "$CYGWIN" ]; then
   install_file shorewall ${DESTDIR}/sbin/shorewall 0755
   echo "shorewall control program installed in ${DESTDIR}/sbin/shorewall"
-
-   if [ -z "$MACHOST" ]; then
-       eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall
-       eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall
-   else
-       eval sed -i \'\' -e  \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall 
-       eval sed -i \'\' -e  \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall
-   fi
 else
   install_file shorewall ${DESTDIR}/bin/shorewall 0755
   echo "shorewall control program installed in ${DESTDIR}/bin/shorewall"
-   eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/bin/shorewall
-   eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/bin/shorewall
 fi

 #
@@ -316,8 +258,7 @@ fi
 # Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
 #
 mkdir -p ${DESTDIR}/etc/shorewall
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
-mkdir -p ${DESTDIR}${PERLLIB}/Shorewall
+mkdir -p ${DESTDIR}/usr/share/shorewall
 mkdir -p ${DESTDIR}/usr/share/shorewall/configfiles
 mkdir -p ${DESTDIR}/var/lib/shorewall

@@ -325,24 +266,21 @@ chmod 755 ${DESTDIR}/etc/shorewall
 chmod 755 ${DESTDIR}/usr/share/shorewall
 chmod 755 ${DESTDIR}/usr/share/shorewall/configfiles

-run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf.annotated ${DESTDIR}/usr/share/shorewall/configfiles
-
 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}/etc/logrotate.d
    chmod 755 ${DESTDIR}/etc/logrotate.d
 fi

-if [ -n "$ANNOTATED" ]; then
-    suffix=.annotated
-else
-    suffix=
-fi
 #
 # Install the config file
 #
+run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf ${DESTDIR}/usr/share/shorewall/configfiles
+
+perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall|;' ${DESTDIR}/usr/share/shorewall/configfiles/shorewall.conf
+perl -p -w -i -e 's|^STARTUP_LOG=.*|STARTUP_LOG=/var/log/shorewall-lite-init.log|;' ${DESTDIR}/usr/share/shorewall/configfiles/shorewall.conf
+
 if [ ! -f ${DESTDIR}/etc/shorewall/shorewall.conf ]; then
-   run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf${suffix} ${DESTDIR}/etc/shorewall/shorewall.conf
+   run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf ${DESTDIR}/etc/shorewall

   if [ -n "$DEBIAN" ]; then
       #
@@ -360,11 +298,10 @@ fi
 #
 # Install the zones file
 #
-run_install $OWNERSHIP -m 0644 configfiles/zones           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/zones.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/zones ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/zones ]; then
-    run_install $OWNERSHIP -m 0644 configfiles/zones${suffix} ${DESTDIR}/etc/shorewall/zones
+    run_install $OWNERSHIP -m 0744 configfiles/zones ${DESTDIR}/etc/shorewall
    echo "Zones file installed as ${DESTDIR}/etc/shorewall/zones"
 fi

@@ -386,212 +323,189 @@ delete_file ${DESTDIR}/usr/share/shorewall/prog.footer
 # Install wait4ifup
 #

-install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup 0755
+install_file wait4ifup ${DESTDIR}/usr/share/shorewall/wait4ifup 0755

 echo
-echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup"
+echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall/wait4ifup"

 #
 # Install the policy file
 #
-run_install -m 0644 configfiles/policy           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install -m 0644 configfiles/policy.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+install_file configfiles/policy ${DESTDIR}/usr/share/shorewall/configfiles/policy 0644

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/policy ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/policy${suffix} ${DESTDIR}/etc/shorewall/policy
+    run_install $OWNERSHIP -m 0600 configfiles/policy ${DESTDIR}/etc/shorewall
    echo "Policy file installed as ${DESTDIR}/etc/shorewall/policy"
 fi
 #
 # Install the interfaces file
 #
-run_install $OWNERSHIP -m 0644 configfiles/interfaces           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/interfaces.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/interfaces ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/interfaces ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/interfaces${suffix} ${DESTDIR}/etc/shorewall/interfaces
+    run_install $OWNERSHIP -m 0600 configfiles/interfaces ${DESTDIR}/etc/shorewall
    echo "Interfaces file installed as ${DESTDIR}/etc/shorewall/interfaces"
 fi

 #
 # Install the hosts file
 #
-run_install $OWNERSHIP -m 0644 configfiles/hosts           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/hosts.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/hosts ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/hosts ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/hosts${suffix} ${DESTDIR}/etc/shorewall/hosts
+    run_install $OWNERSHIP -m 0600 configfiles/hosts ${DESTDIR}/etc/shorewall
    echo "Hosts file installed as ${DESTDIR}/etc/shorewall/hosts"
 fi
 #
 # Install the rules file
 #
-run_install $OWNERSHIP -m 0644 configfiles/rules           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/rules.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/rules ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/rules ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/rules${suffix} ${DESTDIR}/etc/shorewall/rules
+    run_install $OWNERSHIP -m 0600 configfiles/rules ${DESTDIR}/etc/shorewall
    echo "Rules file installed as ${DESTDIR}/etc/shorewall/rules"
 fi
 #
 # Install the NAT file
 #
-run_install $OWNERSHIP -m 0644 configfiles/nat           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/nat.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/nat ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/nat ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/nat${suffix} ${DESTDIR}/etc/shorewall/nat
+    run_install $OWNERSHIP -m 0600 configfiles/nat ${DESTDIR}/etc/shorewall
    echo "NAT file installed as ${DESTDIR}/etc/shorewall/nat"
 fi
 #
 # Install the NETMAP file
 #
-run_install $OWNERSHIP -m 0644 configfiles/netmap           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/netmap.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/netmap ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/netmap ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/netmap${suffix} ${DESTDIR}/etc/shorewall/netmap
+    run_install $OWNERSHIP -m 0600 configfiles/netmap ${DESTDIR}/etc/shorewall
    echo "NETMAP file installed as ${DESTDIR}/etc/shorewall/netmap"
 fi
 #
 # Install the Parameters file
 #
-run_install $OWNERSHIP -m 0644 configfiles/params           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/params.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/params ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -f ${DESTDIR}/etc/shorewall/params ]; then
    chmod 0644 ${DESTDIR}/etc/shorewall/params
 else
-    run_install $OWNERSHIP -m 0644 configfiles/params${suffix} ${DESTDIR}/etc/shorewall/params
+    run_install $OWNERSHIP -m 0644 configfiles/params ${DESTDIR}/etc/shorewall
    echo "Parameter file installed as ${DESTDIR}/etc/shorewall/params"
 fi
 #
 # Install the proxy ARP file
 #
-run_install $OWNERSHIP -m 0644 configfiles/proxyarp           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/proxyarp.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/proxyarp ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/proxyarp ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/proxyarp${suffix} ${DESTDIR}/etc/shorewall/proxyarp
+    run_install $OWNERSHIP -m 0600 configfiles/proxyarp ${DESTDIR}/etc/shorewall
    echo "Proxy ARP file installed as ${DESTDIR}/etc/shorewall/proxyarp"
 fi
 #
 # Install the Stopped Routing file
 #
-run_install $OWNERSHIP -m 0644 configfiles/routestopped           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/routestopped.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/routestopped ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/routestopped ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/routestopped${suffix} ${DESTDIR}/etc/shorewall/routestopped
+    run_install $OWNERSHIP -m 0600 configfiles/routestopped ${DESTDIR}/etc/shorewall
    echo "Stopped Routing file installed as ${DESTDIR}/etc/shorewall/routestopped"
 fi
 #
 # Install the Mac List file
 #
-run_install $OWNERSHIP -m 0644 configfiles/maclist           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/maclist.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/maclist ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/maclist ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/maclist${suffix} ${DESTDIR}/etc/shorewall/maclist
+    run_install $OWNERSHIP -m 0600 configfiles/maclist ${DESTDIR}/etc/shorewall
    echo "MAC list file installed as ${DESTDIR}/etc/shorewall/maclist"
 fi
 #
 # Install the Masq file
 #
-run_install $OWNERSHIP -m 0644 configfiles/masq           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/masq.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/masq ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/masq ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/masq${suffix} ${DESTDIR}/etc/shorewall/masq
+    run_install $OWNERSHIP -m 0600 configfiles/masq ${DESTDIR}/etc/shorewall
    echo "Masquerade file installed as ${DESTDIR}/etc/shorewall/masq"
 fi
 #
 # Install the Notrack file
 #
-run_install $OWNERSHIP -m 0644 configfiles/notrack           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/notrack.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/notrack ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/notrack ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/notrack${suffix} ${DESTDIR}/etc/shorewall/notrack
+    run_install $OWNERSHIP -m 0600 configfiles/notrack ${DESTDIR}/etc/shorewall
    echo "Notrack file installed as ${DESTDIR}/etc/shorewall/notrack"
 fi
 #
-# Install the Modules files
+# Install the Modules file
 #
-run_install $OWNERSHIP -m 0644 modules ${DESTDIR}/usr/share/shorewall
+run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall
 echo "Modules file installed as ${DESTDIR}/usr/share/shorewall/modules"

-for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/shorewall/$f
-    echo "Module file $f installed as ${DESTDIR}/usr/share/shorewall/$f"
-done
-
 #
 # Install the Module Helpers file
 #
-run_install $OWNERSHIP -m 0644 helpers ${DESTDIR}/usr/share/shorewall
+run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/shorewall
 echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall/helpers"

 #
 # Install the TC Rules file
 #
-run_install $OWNERSHIP -m 0644 configfiles/tcrules           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/tcrules.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcrules ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcrules ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcrules${suffix} ${DESTDIR}/etc/shorewall/tcrules
+    run_install $OWNERSHIP -m 0600 configfiles/tcrules ${DESTDIR}/etc/shorewall
    echo "TC Rules file installed as ${DESTDIR}/etc/shorewall/tcrules"
 fi

 #
 # Install the TC Interfaces file
 #
-run_install $OWNERSHIP -m 0644 configfiles/tcinterfaces           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/tcinterfaces.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcinterfaces ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcinterfaces ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcinterfaces${suffix} ${DESTDIR}/etc/shorewall/tcinterfaces
+    run_install $OWNERSHIP -m 0600 configfiles/tcinterfaces ${DESTDIR}/etc/shorewall
    echo "TC Interfaces file installed as ${DESTDIR}/etc/shorewall/tcinterfaces"
 fi

 #
 # Install the TC Priority file
 #
-run_install $OWNERSHIP -m 0644 configfiles/tcpri           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/tcpri.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcpri ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcpri ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcpri${suffix} ${DESTDIR}/etc/shorewall/tcpri
+    run_install $OWNERSHIP -m 0600 configfiles/tcpri ${DESTDIR}/etc/shorewall
    echo "TC Priority file installed as ${DESTDIR}/etc/shorewall/tcpri"
 fi

 #
 # Install the TOS file
 #
-run_install $OWNERSHIP -m 0644 configfiles/tos           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/tos.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tos ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tos ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tos${suffix} ${DESTDIR}/etc/shorewall/tos
+    run_install $OWNERSHIP -m 0600 configfiles/tos ${DESTDIR}/etc/shorewall
    echo "TOS file installed as ${DESTDIR}/etc/shorewall/tos"
 fi
 #
 # Install the Tunnels file
 #
-run_install $OWNERSHIP -m 0644 configfiles/tunnels           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/tunnels.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tunnels ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tunnels ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tunnels${suffix} ${DESTDIR}/etc/shorewall/tunnels
+    run_install $OWNERSHIP -m 0600 configfiles/tunnels ${DESTDIR}/etc/shorewall
    echo "Tunnels file installed as ${DESTDIR}/etc/shorewall/tunnels"
 fi
 #
 # Install the blacklist file
 #
-run_install $OWNERSHIP -m 0644 configfiles/blacklist           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/blacklist.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/blacklist ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/blacklist ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/blacklist${suffix} ${DESTDIR}/etc/shorewall/blacklist
+    run_install $OWNERSHIP -m 0600 configfiles/blacklist ${DESTDIR}/etc/shorewall
    echo "Blacklist file installed as ${DESTDIR}/etc/shorewall/blacklist"
 fi
 #
@@ -625,66 +539,60 @@ delete_file ${DESTDIR}/usr/share/shorewall/xmodules
 #
 # Install the Providers file
 #
-run_install $OWNERSHIP -m 0644 configfiles/providers           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/providers.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/providers ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/providers ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/providers${suffix} ${DESTDIR}/etc/shorewall/providers
+    run_install $OWNERSHIP -m 0600 configfiles/providers ${DESTDIR}/etc/shorewall
    echo "Providers file installed as ${DESTDIR}/etc/shorewall/providers"
 fi

 #
 # Install the Route Rules file
 #
-run_install $OWNERSHIP -m 0644 configfiles/route_rules           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/route_rules.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/route_rules ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/route_rules ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/route_rules${suffix} ${DESTDIR}/etc/shorewall/route_rules
+    run_install $OWNERSHIP -m 0600 configfiles/route_rules ${DESTDIR}/etc/shorewall
    echo "Routing rules file installed as ${DESTDIR}/etc/shorewall/route_rules"
 fi

 #
 # Install the tcclasses file
 #
-run_install $OWNERSHIP -m 0644 configfiles/tcclasses           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/tcclasses.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcclasses ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcclasses ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcclasses${suffix} ${DESTDIR}/etc/shorewall/tcclasses
+    run_install $OWNERSHIP -m 0600 configfiles/tcclasses ${DESTDIR}/etc/shorewall
    echo "TC Classes file installed as ${DESTDIR}/etc/shorewall/tcclasses"
 fi

 #
 # Install the tcdevices file
 #
-run_install $OWNERSHIP -m 0644 configfiles/tcdevices           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/tcdevices.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcdevices ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcdevices ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcdevices${suffix} ${DESTDIR}/etc/shorewall/tcdevices
+    run_install $OWNERSHIP -m 0600 configfiles/tcdevices ${DESTDIR}/etc/shorewall
    echo "TC Devices file installed as ${DESTDIR}/etc/shorewall/tcdevices"
 fi

 #
 # Install the tcfilters file
 #
-run_install $OWNERSHIP -m 0644 configfiles/tcfilters           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/tcfilters.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcfilters ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcfilters ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcfilters${suffix} ${DESTDIR}/etc/shorewall/tcfilters
+    run_install $OWNERSHIP -m 0600 configfiles/tcfilters ${DESTDIR}/etc/shorewall
    echo "TC Filters file installed as ${DESTDIR}/etc/shorewall/tcfilters"
 fi

 #
 # Install the secmarks file
 #
-run_install $OWNERSHIP -m 0644 configfiles/secmarks           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/secmarks.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/secmarks ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/secmarks ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/secmarks${suffix} ${DESTDIR}/etc/shorewall/secmarks
+    run_install $OWNERSHIP -m 0600 configfiles/secmarks ${DESTDIR}/etc/shorewall
    echo "Secmarks file installed as ${DESTDIR}/etc/shorewall/secmarks"
 fi

@@ -741,21 +649,19 @@ fi
 #
 # Install the ECN file
 #
-run_install $OWNERSHIP -m 0644 configfiles/ecn           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/ecn.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/ecn ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/ecn ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/ecn${suffix} ${DESTDIR}/etc/shorewall/ecn
+    run_install $OWNERSHIP -m 0600 configfiles/ecn ${DESTDIR}/etc/shorewall
    echo "ECN file installed as ${DESTDIR}/etc/shorewall/ecn"
 fi
 #
 # Install the Accounting file
 #
-run_install $OWNERSHIP -m 0644 configfiles/accounting           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/accounting.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/accounting ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/accounting ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/accounting${suffix} ${DESTDIR}/etc/shorewall/accounting
+    run_install $OWNERSHIP -m 0600 configfiles/accounting ${DESTDIR}/etc/shorewall
    echo "Accounting file installed as ${DESTDIR}/etc/shorewall/accounting"
 fi
 #
@@ -831,15 +737,6 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcclear ]; then
    echo "Tcclear file installed as ${DESTDIR}/etc/shorewall/tcclear"
 fi
 #
-# Install the Scfilter file
-#
-run_install $OWNERSHIP -m 644 configfiles/scfilter ${DESTDIR}/usr/share/shorewall/configfiles
-
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/scfilter ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/scfilter ${DESTDIR}/etc/shorewall
-    echo "Scfilter file installed as ${DESTDIR}/etc/shorewall/scfilter"
-fi
-#
 # Install the Standard Actions file
 #
 install_file actions.std ${DESTDIR}/usr/share/shorewall/actions.std 0644
@@ -848,11 +745,10 @@ echo "Standard actions file installed as ${DESTDIR}/usr/shared/shorewall/actions
 #
 # Install the Actions file
 #
-run_install $OWNERSHIP -m 0644 configfiles/actions           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/actions.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/actions ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/actions ]; then
-    run_install $OWNERSHIP -m 0644 configfiles/actions${suffix} ${DESTDIR}/etc/shorewall/actions
+    run_install $OWNERSHIP -m 0644 configfiles/actions ${DESTDIR}/etc/shorewall
    echo "Actions file installed as ${DESTDIR}/etc/shorewall/actions"
 fi

@@ -906,23 +802,16 @@ chmod 755 ${DESTDIR}/usr/share/shorewall/Shorewall
 #
 cd Perl

-install_file compiler.pl ${DESTDIR}${LIBEXEC}/shorewall/compiler.pl 0755
+install_file compiler.pl ${DESTDIR}/usr/share/shorewall/compiler.pl 0755

 echo
-echo "Compiler installed in ${DESTDIR}${LIBEXEC}/shorewall/compiler.pl"
-#
-# Install the params file helper
-#
-install_file getparams ${DESTDIR}${LIBEXEC}/shorewall/getparams 0755
-
-echo
-echo "Params file helper installed in ${DESTDIR}${LIBEXEC}/shorewall/getparams"
+echo "Compiler installed in ${DESTDIR}/usr/share/shorewall/compiler.pl"
 #
 # Install the libraries
 #
 for f in Shorewall/*.pm ; do
-    install_file $f ${DESTDIR}${PERLLIB}/$f 0644
-    echo "Module ${f%.*} installed as ${DESTDIR}${PERLLIB}/$f"
+    install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
+    echo "Module ${f%.*} installed as ${DESTDIR}/usr/share/shorewall/$f"
 done
 #
 # Install the program skeleton files
@@ -983,14 +872,17 @@ fi
 if [ -z "$DESTDIR" ]; then
    rm -rf /usr/share/shorewall-perl
    rm -rf /usr/share/shorewall-shell
-    [ "$PERLLIB" != /usr/share/shorewall ] && rm -rf /usr/share/shorewall/Shorewall
 fi

 if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
    if [ -n "$DEBIAN" ]; then
 	install_file default.debian /etc/default/shorewall 0644

-	update-rc.d shorewall defaults
+	if [ -x /sbin/insserv ]; then
+	    insserv /etc/init.d/shorewall
+	else
+	    ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
+	fi

 	echo "shorewall will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall to enable"
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@@ -0,0 +1,2 @@
+1)  On systems running Upstart, shorewall-init cannot reliably start the
+    firewall before interfaces are brought up.
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -29,7 +29,7 @@
 #

 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40421
+SHOREWALL_CAPVERSION=40413

 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -339,7 +339,7 @@ do_save() {
                    #
                    # Don't save an 'empty' file
                    #
-		    grep -qE -- '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
+		    grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
 		fi
 	    fi
 	    ;;
@@ -399,11 +399,6 @@ show_routing() {
 	    heading "Table $table:"
 	    ip route list table $table
 	done
-
-	if [ -n "$g_routecache" ]; then
-	    heading "Route Cache"
-	    ip -4 route list cache
-	fi
    else
 	heading "Routing Table"
 	ip route list
@@ -427,9 +422,7 @@ list_zone() {

    [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"

-    sets=$(ipset -L -n | grep '^$1_');
-
-    [ -n "$sets" ] || sets=$(find_sets $1)
+    sets=$(find_sets $1)

    for setname in $sets; do
 	echo "${setname#${1}_}:"
@@ -440,36 +433,6 @@ list_zone() {
    done
 }

-#
-# Show Filter - For Shorewall-lite, if there was an scfilter file at compile-time,
-#               then the compiler generated another version of this function and
-#               embedded it in the firewall.conf file. That version supersedes this
-#               one.
-#
-show_connections_filter() {
-    local filter
-    local command
-    local first
-
-    command=${SHOREWALL_SHELL}
-
-    filter=$(find_file scfilter)
-
-    if [ -f $filter ]; then
-	first=$(head -n1 $filter)
-
-	case $first in
-	    \#!*)
-		command=${first#\#!}
-		;;
-	esac
-
-	$command $filter
-    else
-	cat -
-    fi
-}
-
 #
 # Show Command Executor
 #
@@ -542,10 +505,6 @@ show_command() {
 			    g_ipt_options1="--line-numbers"
 			    option=${option#l}
 			    ;;
-			c*)
-			    g_routecache=Yes
-			    option=${option#c}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -561,33 +520,15 @@ show_command() {

    g_ipt_options="$g_ipt_options $g_ipt_options1"

-
    [ -n "$g_debugging" ] && set -x
    case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
-
-	    if [ -d /proc/sys/net/netfilter/ ]; then
-		local count
-		local max
-		count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
-		max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-		echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
-	    else
-		echo "$g_product $SHOREWALL_VERSION Connections at $g_hostname - $(date)"
-	    fi
-
+	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
+	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
+	    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
 	    echo
-
-	    if qt mywhich conntrack ; then
-		conntrack -f ipv4 -L | show_connections_filter
-	    else
-		if [ -f /proc/net/ip_conntrack ]; then
-		    cat /proc/net/ip_conntrack | show_connections_filter
-		else
-		    grep -v '^ipv6' /proc/net/nf_conntrack | show_connections_filter
-		fi
-	    fi
+	    [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
 	    ;;
 	nat)
 	    [ $# -gt 1 ] && usage 1
@@ -642,12 +583,6 @@ show_command() {
 	    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
 	    echo
 	    shift
-
-	    if [ -z "$1" ]; then
-		$IPTABLES -t mangle -L -n -v
-		echo
-	    fi
-
 	    show_tc $1
 	    ;;
 	classifiers|filters)
@@ -704,17 +639,8 @@ show_command() {
 	    ;;
 	config)
 	    . ${SHAREDIR}/configpath
-	    if [ -n "$g_filemode" ]; then
-		echo "CONFIG_PATH=$CONFIG_PATH"
-		echo "VARDIR=$VARDIR"
-		echo "LIBEXEC=$g_libexec"
-		[ -n "$LITEDIR" ] && echo "LITEDIR=$LITEDIR"
-	    else
-		echo "Default CONFIG_PATH is $CONFIG_PATH"
-		echo "Default VARDIR is $VARDIR"
-		echo "LIBEXEC is $g_libexec"
-		[ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR"
-	    fi
+	    echo "Default CONFIG_PATH is $CONFIG_PATH"
+	    [ -n "$LITEDIR" ] && echo "LITEDIR is $LITEDIR"
 	    ;;
 	chain)
 	    shift
@@ -739,20 +665,11 @@ show_command() {
 	    echo
 	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
 	    ;;
-	ipa)
-	    echo "$g_product $SHOREWALL_VERSION per-IP Accounting at $g_hostname - $(date)"
-	    echo
-	    [ $# -gt 1 ] && usage 1
-	    perip_accounting
-	    ;;
 	*)
 	    if [ "$g_product" = Shorewall ]; then
 		case $1 in
 		    actions)
 			[ $# -gt 1 ] && usage 1
-			echo "A_ACCEPT            # Audit and accept the connection"
-			echo "A_DROP              # Audit and drop the connection"
-			echo "A_REJECT            # Audit and reject the connection "
 			echo "allowBcast          # Silently Allow Broadcast/multicast"
 			echo "allowInvalid        # Accept packets that are in the INVALID conntrack state."
 			echo "allowinUPnP         # Allow UPnP inbound (to firewall) traffic"
@@ -760,8 +677,12 @@ show_command() {
 			echo "dropBcast           # Silently Drop Broadcast/multicast"
 			echo "dropInvalid         # Silently Drop packets that are in the INVALID conntrack state"
 			echo "dropNotSyn          # Silently Drop Non-syn TCP packets"
+			echo "drop1918src         # Drop packets with an RFC 1918 source address"
+			echo "drop1918dst         # Drop packets with an RFC 1918 original dest address"
 			echo "forwardUPnP         # Allow traffic that upnpd has redirected from"
 			echo "rejNotSyn           # Silently Reject Non-syn TCP packets"
+			echo "rej1918src          # Reject packets with an RFC 1918 source address"
+			echo "rej1918dst          # Reject packets with an RFC 1918 original dest address"

 			if [ -f ${CONFDIR}/actions ]; then
 			    cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$'
@@ -842,61 +763,10 @@ show_command() {
    esac
 }

-perip_accounting() {
-    if qt mywhich iptaccount; then
-	local hnames
-	local hname
-
-	hnames=$(iptaccount -a | grep '^Found table:' | cut -d ' ' -f 3)
-
-	if [ -n "$hnames" ]; then
-	    for hname in $hnames; do
-		iptaccount -l $hname | egrep '^IP:|^Show' 
-		echo
-	    done
-	else
-	    echo "   No IP Accounting Tables Defined"
-	    echo 
-	fi
-    else
-	echo "   iptaccount is not installed"
-    fi
-}
-
-#
-# Dump Filter - For Shorewall-lite, if there was a dumpfilter file at compile-time,
-#               then the compiler generated another version of this function and
-#               embedded it in the firewall.conf file. That version supersedes this
-#               one.
-#
-dump_filter() {
-    local filter
-    local command
-    local first
-
-    command=${SHOREWALL_SHELL}
-
-    filter=$(find_file dumpfilter)
-
-    if [ -f $filter ]; then
-	first=$(head -n1 $filter)
-
-	case $first in
-	    \#!*)
-		command=${first#\#!}
-		;;
-	esac
-
-	$command $filter
-    else
-	cat -
-    fi
-}
-
 #
 # Dump Command Executor
 #
-do_dump_command() {
+dump_command() {
    local finished
    finished=0

@@ -924,10 +794,6 @@ do_dump_command() {
 			    g_ipt_options1="--line-numbers"
 			    option=${option#l}
 			    ;;
-			c*)
-			    g_routecache=Yes
-			    option=${option#c}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1003,10 +869,6 @@ do_dump_command() {
 	brctl show
    fi

-    heading "Per-IP Counters"
-
-    perip_accounting
-
    if qt mywhich setkey; then
 	heading "PFKEY SPD"
 	setkey -DP
@@ -1050,10 +912,6 @@ do_dump_command() {
 	fi
 }

-dump_command() {
-    do_dump_command | dump_filter
-}
-
 #
 # Restore Comand Executor
 #
@@ -1685,7 +1543,6 @@ determine_capabilities() {
    OWNER_MATCH=
    IPSET_MATCH=
    OLD_IPSET_MATCH=
-    IPSET_V5=
    CONNMARK=
    XCONNMARK=
    CONNMARK_MATCH=
@@ -1720,9 +1577,6 @@ determine_capabilities() {
    FLOW_FILTER=
    FWMARK_RT_MASK=
    MARK_ANYWHERE=
-    HEADER_MATCH=
-    ACCOUNT_TARGET=
-    AUDIT_TARGET=

    chain=fooX$$

@@ -1831,16 +1685,7 @@ determine_capabilities() {
    if qt mywhich ipset; then
 	qt ipset -X $chain # Just in case something went wrong the last time

-	local have_ipset
-
-	if qt ipset -N $chain hash:ip family inet; then
-	    IPSET_V5=Yes
-	    have_ipset=Yes
-	elif qt ipset -N $chain iphash ; then
-	    have_ipset=Yes
-	fi
-
-	if [ -n "$have_ipset" ]; then
+	if qt ipset -N $chain iphash ; then
 	    if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
 		qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
 		IPSET_MATCH=Yes
@@ -1870,8 +1715,6 @@ determine_capabilities() {
    qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
    qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
    qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
-    qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
-    qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes

    qt $IPTABLES -F $chain
    qt $IPTABLES -X $chain
@@ -1882,17 +1725,7 @@ determine_capabilities() {
    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes

    CAPVERSION=$SHOREWALL_CAPVERSION
-   
-    KERNELVERSION=$(uname -r 2> /dev/null | sed -e 's/-.*//')
-
-    case "$KERNELVERSION" in 
-	*.*.*)
-	    KERNELVERSION=$(printf "%d%02d%02d" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-	    ;;
-	*)
-	    KERNELVERSION=$(printf "%d%02d00" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
-	    ;;
-    esac
+    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }

 report_capabilities() {
@@ -1962,10 +1795,6 @@ report_capabilities() {
 	report_capability "FLOW Classifier" $FLOW_FILTER
 	report_capability "fwmark route mask" $FWMARK_RT_MASK
 	report_capability "Mark in any table" $MARK_ANYWHERE
-	report_capability "Header Match" $HEADER_MATCH
-        report_capability "ACCOUNT Target" $ACCOUNT_TARGET
-	report_capability "AUDIT Target" $AUDIT_TARGET
-	report_capability "ipset V5" $IPSET_V5
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -2031,10 +1860,6 @@ report_capabilities1() {
    report_capability1 FLOW_FILTER
    report_capability1 FWMARK_RT_MASK
    report_capability1 MARK_ANYWHERE
-    report_capability1 HEADER_MATCH
-    report_capability1 ACCOUNT_TARGET
-    report_capability1 AUDIT_TARGET
-    report_capability1 IPSET_V5

    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
--- a/Shorewall/lib.common
+++ b/Shorewall/lib.common
@@ -34,10 +34,6 @@ get_script_version() { # $1 = script
    local version
    local ifs
    local digits
-    local verbosity
-
-    verbosity="$VERBOSITY"
-    VERBOSITY=0

    temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )

@@ -58,8 +54,6 @@ get_script_version() { # $1 = script
    fi

    echo $version
-
-    VERBOSITY="$verbosity"
 }

 #
@@ -164,21 +158,12 @@ qt()
    "$@" >/dev/null 2>&1
 }

-#
-# Suppress all output and input - mainly for preventing leaked file descriptors
-# to avoid SELinux denials
-#
-qtnoin()
-{
-    "$@" </dev/null >/dev/null 2>&1
-}
-
 qt1()
 {
    local status

    while [ 1 ]; do
-	"$@" </dev/null >/dev/null 2>&1
+	"$@" >/dev/null 2>&1
 	status=$?
 	[ $status -ne 4 ] && return $status
    done
@@ -188,7 +173,7 @@ qt1()
 # Determine if Shorewall is "running"
 #
 shorewall_is_started() {
-    qt1 $IPTABLES -L shorewall -n
+    qt $IPTABLES -L shorewall -n
 }

 #
@@ -267,7 +252,7 @@ reload_kernel_modules() {
 	moduleloader=insmod
    fi

-    [ -n "${MODULE_SUFFIX:=ko ko.gz o o.gz gz}" ]
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
--- a/Shorewall/modules
+++ b/Shorewall/modules
@@ -16,24 +16,165 @@
 #
 # Essential Modules
 #
-INCLUDE modules.essential
+loadmodule nfnetlink
+loadmodule x_tables
+loadmodule ip_tables
+loadmodule iptable_filter
+loadmodule iptable_mangle
+loadmodule ip_conntrack
+loadmodule nf_conntrack
+loadmodule nf_conntrack_ipv4
+loadmodule iptable_nat
+loadmodule xt_state
+loadmodule xt_tcpudp
+loadmodule ipt_LOG
 #
 # Other xtables modules
 #
-INCLUDE modules.xtables
+loadmodule xt_CLASSIFY
+loadmodule xt_connmark
+loadmodule xt_CONNMARK
+loadmodule xt_conntrack
+loadmodule xt_dccp
+loadmodule xt_dscp
+loadmodule xt_DSCP
+loadmodule xt_hashlimit
+loadmodule xt_helper
+loadmodule xt_ipp2p
+loadmodule xt_iprange
+loadmodule xt_length
+loadmodule xt_limit
+loadmodule xt_mac
+loadmodule xt_mark
+loadmodule xt_MARK
+loadmodule xt_multiport
+loadmodule xt_NFLOG
+loadmodule xt_NFQUEUE
+loadmodule xt_owner
+loadmodule xt_physdev
+loadmodule xt_pkttype
+loadmodule xt_tcpmss
+loadmodule xt_IPMARK
+loadmodule xt_TPROXY
 #
 # Helpers
 #
-INCLUDE helpers
+loadmodule ip_conntrack_amanda
+loadmodule ip_conntrack_ftp
+loadmodule ip_conntrack_h323
+loadmodule ip_conntrack_irc
+loadmodule ip_conntrack_netbios_ns
+loadmodule ip_conntrack_pptp
+loadmodule ip_conntrack_sip
+loadmodule ip_conntrack_tftp
+loadmodule ip_nat_amanda
+loadmodule ip_nat_ftp
+loadmodule ip_nat_h323
+loadmodule ip_nat_irc
+loadmodule ip_nat_pptp
+loadmodule ip_nat_sip
+loadmodule ip_nat_snmp_basic
+loadmodule ip_nat_tftp
+loadmodule ip_set
+loadmodule ip_set_iphash
+loadmodule ip_set_ipmap
+loadmodule ip_set_macipmap
+loadmodule ip_set_portmap
 #
 # Ipset
 #
-INCLUDE modules.ipset
+loadmodule ip_set
+loadmodule ip_set_iphash
+loadmodule ip_set_ipmap
+loadmodule ip_set_ipporthash
+loadmodule ip_set_iptree
+loadmodule ip_set_iptreemap
+loadmodule ip_set_macipmap
+loadmodule ip_set_nethash
+loadmodule ip_set_portmap
+loadmodule ipt_SET
+loadmodule ipt_set
+#
+# 2.6.20+ helpers
+#
+loadmodule nf_conntrack_ftp
+loadmodule nf_conntrack_h323
+loadmodule nf_conntrack_irc
+loadmodule nf_conntrack_netbios_ns
+loadmodule nf_conntrack_netlink
+loadmodule nf_conntrack_pptp
+loadmodule nf_conntrack_proto_gre
+loadmodule nf_conntrack_proto_sctp
+loadmodule nf_conntrack_sip
+loadmodule nf_conntrack_tftp
+loadmodule nf_conntrack_sane
+loadmodule nf_nat_amanda
+loadmodule nf_nat_ftp
+loadmodule nf_nat_h323
+loadmodule nf_nat_irc
+loadmodule nf_nat
+loadmodule nf_nat_pptp
+loadmodule nf_nat_proto_gre
+loadmodule nf_nat_sip
+loadmodule nf_nat_snmp_basic
+loadmodule nf_nat_tftp
 #
 # Traffic Shaping
 #
-INCLUDE modules.tc
+loadmodule sch_sfq
+loadmodule sch_ingress
+loadmodule sch_hfsc
+loadmodule sch_htb
+loadmodule cls_u32
+loadmodule cls_fw
+loadmodule cls_flow
+loadmodule act_police
 #
 # Extensions
 #
-INCLUDE modules.extensions
+loadmodule ipt_addrtype
+loadmodule ipt_ah
+loadmodule ipt_CLASSIFY
+loadmodule ipt_CLUSTERIP
+loadmodule ipt_comment
+loadmodule ipt_connmark
+loadmodule ipt_CONNMARK
+loadmodule ipt_conntrack
+loadmodule ipt_dscp
+loadmodule ipt_DSCP
+loadmodule ipt_ecn
+loadmodule ipt_ECN
+loadmodule ipt_esp
+loadmodule ipt_hashlimit
+loadmodule ipt_helper
+loadmodule ipt_ipp2p
+loadmodule ipt_iprange
+loadmodule ipt_length
+loadmodule ipt_limit
+loadmodule ipt_LOG
+loadmodule ipt_mac
+loadmodule ipt_mark
+loadmodule ipt_MARK
+loadmodule ipt_MASQUERADE
+loadmodule ipt_multiport
+loadmodule ipt_NETMAP
+loadmodule ipt_NOTRACK
+loadmodule ipt_owner
+loadmodule ipt_physdev
+loadmodule ipt_pkttype
+loadmodule ipt_policy
+loadmodule ipt_realm
+loadmodule ipt_recent
+loadmodule ipt_REDIRECT
+loadmodule ipt_REJECT
+loadmodule ipt_SAME
+loadmodule ipt_sctp
+loadmodule ipt_set
+loadmodule ipt_state
+loadmodule ipt_tcpmss
+loadmodule ipt_TCPMSS
+loadmodule ipt_tos
+loadmodule ipt_TOS
+loadmodule ipt_ttl
+loadmodule ipt_TTL
+loadmodule ipt_ULOG
--- a/Shorewall/modules.essential
+++ b/Shorewall/modules.essential
@@ -1,30 +0,0 @@
-#
-# Shorewall version 4 - Essential Modules File
-#
-# /usr/share/shorewall/modules.essential
-#
-#	This file loads the modules that may be needed by the firewall.
-#
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
-#
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
-#
-###############################################################################
-#
-# Essential Modules
-#
-loadmodule nfnetlink
-loadmodule x_tables
-loadmodule ip_tables
-loadmodule iptable_filter
-loadmodule iptable_mangle
-loadmodule ip_conntrack
-loadmodule nf_conntrack
-loadmodule nf_conntrack_ipv4
-loadmodule iptable_nat
-loadmodule xt_state
-loadmodule xt_tcpudp
-loadmodule ipt_LOG
--- a/Shorewall/modules.extensions
+++ b/Shorewall/modules.extensions
@@ -1,61 +0,0 @@
-#
-# Shorewall version 4 - Extensions Modules File
-#
-# /usr/share/shorewall/modules.extensions
-#
-#	This file loads the modules that may be needed by the firewall.
-#
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
-#
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
-#
-###############################################################################
-loadmodule ipt_addrtype
-loadmodule ipt_ah
-loadmodule ipt_CLASSIFY
-loadmodule ipt_CLUSTERIP
-loadmodule ipt_comment
-loadmodule ipt_connmark
-loadmodule ipt_CONNMARK
-loadmodule ipt_conntrack
-loadmodule ipt_dscp
-loadmodule ipt_DSCP
-loadmodule ipt_ecn
-loadmodule ipt_ECN
-loadmodule ipt_esp
-loadmodule ipt_hashlimit
-loadmodule ipt_helper
-loadmodule ipt_ipp2p
-loadmodule ipt_iprange
-loadmodule ipt_length
-loadmodule ipt_limit
-loadmodule ipt_LOG
-loadmodule ipt_mac
-loadmodule ipt_mark
-loadmodule ipt_MARK
-loadmodule ipt_MASQUERADE
-loadmodule ipt_multiport
-loadmodule ipt_NETMAP
-loadmodule ipt_NOTRACK
-loadmodule ipt_owner
-loadmodule ipt_physdev
-loadmodule ipt_pkttype
-loadmodule ipt_policy
-loadmodule ipt_realm
-loadmodule ipt_recent
-loadmodule ipt_REDIRECT
-loadmodule ipt_REJECT
-loadmodule ipt_SAME
-loadmodule ipt_sctp
-loadmodule ipt_set
-loadmodule ipt_state
-loadmodule ipt_tcpmss
-loadmodule ipt_TCPMSS
-loadmodule ipt_tos
-loadmodule ipt_TOS
-loadmodule ipt_ttl
-loadmodule ipt_TTL
-loadmodule ipt_ULOG
--- a/Shorewall/modules.ipset
+++ b/Shorewall/modules.ipset
@@ -1,27 +0,0 @@
-#
-# Shorewall version 4 - IP Set Modules File
-#
-# /usr/share/shorewall/modules.ipset
-#
-#	This file loads the modules that may be needed by the firewall.
-#
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
-#
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
-#
-###############################################################################
-loadmodule xt_set
-loadmodule ip_set
-loadmodule ip_set_iphash
-loadmodule ip_set_ipmap
-loadmodule ip_set_ipporthash
-loadmodule ip_set_iptree
-loadmodule ip_set_iptreemap
-loadmodule ip_set_macipmap
-loadmodule ip_set_nethash
-loadmodule ip_set_portmap
-loadmodule ipt_SET
-loadmodule ipt_set
--- a/Shorewall/modules.tc
+++ b/Shorewall/modules.tc
@@ -1,25 +0,0 @@
-#
-# Shorewall version 4 - Traffic Shaping Modules File
-#
-# /usr/share/shorewall/modules.tc
-#
-#	This file loads the modules that may be needed by the firewall.
-#
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
-#
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
-#
-###############################################################################
-loadmodule sch_sfq
-loadmodule sch_ingress
-loadmodule sch_hfsc
-loadmodule sch_htb
-loadmodule sch_prio
-loadmodule sch_tbf
-loadmodule cls_u32
-loadmodule cls_fw
-loadmodule cls_flow
-loadmodule act_police
--- a/Shorewall/modules.xtables
+++ b/Shorewall/modules.xtables
@@ -1,41 +0,0 @@
-#
-# Shorewall version 4 - Xtables Modules File
-#
-# /usr/share/shorewall/modules.xtables
-#
-#	This file loads the modules that may be needed by the firewall.
-#
-#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-#	dependency order. i.e., if M2 depends on M1 then you must load M1
-#	before you load M2.
-#
-#  If you need to modify this file, copy it to /etc/shorewall and modify the
-#  copy.
-#
-###############################################################################
-loadmodule xt_AUDIT
-loadmodule xt_CLASSIFY
-loadmodule xt_connmark
-loadmodule xt_CONNMARK
-loadmodule xt_conntrack
-loadmodule xt_dccp
-loadmodule xt_dscp
-loadmodule xt_DSCP
-loadmodule xt_hashlimit
-loadmodule xt_helper
-loadmodule xt_ipp2p
-loadmodule xt_iprange
-loadmodule xt_length
-loadmodule xt_limit
-loadmodule xt_mac
-loadmodule xt_mark
-loadmodule xt_MARK
-loadmodule xt_multiport
-loadmodule xt_NFLOG
-loadmodule xt_NFQUEUE
-loadmodule xt_owner
-loadmodule xt_physdev
-loadmodule xt_pkttype
-loadmodule xt_tcpmss
-loadmodule xt_IPMARK
-loadmodule xt_TPROXY
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -4,8 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - 
-#         Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #
@@ -26,7 +25,7 @@
 #
 #       For a list of supported commands, type 'shorewall help'
 #
-################################################################################################
+#####################################################################################################
 #
 # Set the configuration variables from shorewall.conf
 #
@@ -299,26 +298,10 @@ get_config() {
 	    fi
 	    ;;
    esac
-
-    case $LEGACY_FASTSTART in
-	Yes|yes)
-	    ;;
-	No|no)
-	    LEGACY_FASTSTART=
-	    ;;
-	*)
-	    if [ -n "$LEGACY_FASTSTART" ]; then
-		echo "   ERROR: Invalid LEGACY_FASTSTART setting ($LEGACY_FASTSTART)" >&2
-		exit 1
-	    fi
-
-	    LEGACY_FASTSTART=Yes
-	    ;;
-    esac
 }

 #
-# Issue an error message and die
+# Fatal error
 #
 startup_error() {
    echo "   ERROR: $@" >&2
@@ -326,36 +309,10 @@ startup_error() {
    exit 1
 }

-#
-# Determine if there are config files newer than the passed object
-#
-uptodate() {
-    [ -f $1 ] || return 1
-
-    local dir
-    local ifs
-
-    ifs="$IFS"
-    IFS=':'
-
-    for dir in $CONFIG_PATH; do
-	if [ -n "$(find ${dir} -newer $1)" ]; then
-	    IFS="$ifs"
-	    return 1;
-	fi
-    done
-
-    IFS="$ifs"
-
-    return 0
-}
-
 #
 # Run the compiler
 #
 compiler() {
-    local pc
-    pc=$g_libexec/shorewall/compiler.pl

    if [ $(id -u) -ne 0 ]; then
 	if [ -z "$SHOREWALL_DIR" -o "$SHOREWALL_DIR" = /etc/shorewall ]; then
@@ -396,9 +353,12 @@ compiler() {
    [ -n "$g_preview" ] && options="$options --preview"
    [ "$g_debugging" = trace ] && options="$options --debug"
    [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
-    [ -n "$g_confess" ] && options="$options --confess"
-    [ -n "$g_update" ] && options="$options --update"
-    [ -n "$g_annotate" ] && options="$options --annotate"
+    #
+    # Run the appropriate params file
+    #
+    set -a;
+    run_user_exit params
+    set +a

    if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then
@@ -409,13 +369,7 @@ compiler() {
 	PERL=/usr/bin/perl
    fi

-    if [ $g_perllib = ${g_libexec}/shorewall ]; then
-	$PERL $debugflags $pc $options $@
-    else
-	PERL5LIB=$g_perllib
-	export PERL5LIB
-	$PERL $debugflags $pc $options $@
-    fi
+    $PERL $debugflags /usr/share/shorewall/compiler.pl $options $@
 }

 #
@@ -424,7 +378,7 @@ compiler() {
 start_command() {
    local finished
    finished=0
-    local object
+    local restorefile

    do_it() {
 	local rc
@@ -484,10 +438,6 @@ start_command() {
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
-			c*)
-			    AUTOMAKE=
-			    option=${option#c}
-			    ;;			    
 			*)
 			    usage 1
 			    ;;
@@ -524,19 +474,25 @@ start_command() {
    esac

    if [ -n "${g_fast}${AUTOMAKE}" ]; then
-	if [ -z "$g_fast" -o -z "$LEGACY_FASTSTART" ]; then
-	    #
-	    # Automake or LEGACY_FASTSTART=No -- use the last compiled script
-	    #
-	    object=firewall
-	else
-	    #
-	    # 'start -f' with LEGACY_FASTSTART=Yes -- use last saved configuration
-	    #
-	    object=$RESTOREFILE
-	fi
+	if qt mywhich make; then
+	    restorefile=$RESTOREFILE

-	if ! uptodate ${VARDIR}/$object; then
+	    if [ -z "$g_fast" ]; then
+		#
+		# Automake -- use the last compiled script
+		#
+		RESTOREFILE=firewall
+	    fi
+
+	    export RESTOREFILE
+
+	    if ! make -qf ${CONFDIR}/Makefile; then
+		g_fast=
+		AUTOMAKE=
+	    fi
+
+	    RESTOREFILE=$restorefile
+	else
 	    g_fast=
 	    AUTOMAKE=
 	fi
@@ -595,10 +551,6 @@ compile_command() {
 			    g_debug=Yes;
 			    option=${option#d}
 			    ;;
-			T*)
-			    g_confess=Yes
-			    option=${option#T}
-			    ;;
 			-)
 			    finished=1
 			    option=
@@ -681,17 +633,9 @@ check_command() {
 			    option=${option#d}
 			    ;;
 			r*)
-			    g_preview=Yes
+			    g_preview=Yes;
 			    option=${option#r}
 			    ;;
-			T*)
-			    g_confess=Yes
-			    option=${option#T}
-			    ;;
-			a*)
-			    g_annotate=Yes
-			    option=${option#a}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -761,10 +705,6 @@ restart_command() {
 			    g_fast=Yes
 			    option=${option#f}
 			    ;;
-			c*)
-			    AUTOMAKE=
-			    option=${option#c}
-			    ;;			    
 			n*)
 			    g_noroutes=Yes
 			    option=${option#n}
@@ -813,7 +753,15 @@ restart_command() {
    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

    if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then
-	uptodate ${VARDIR}/firewall && g_fast=Yes
+	if qt mywhich make; then
+	    #
+	    # RESTOREFILE is exported by get_config()
+	    #
+	    restorefile=$RESTOREFILE
+	    RESTOREFILE=firewall
+	    make -qf ${CONFDIR}/Makefile && g_fast=Yes
+	    RESTOREFILE=$restorefile
+	fi
    fi

    if [ -z "$g_fast" ]; then
@@ -879,8 +827,6 @@ refresh_command() {
 	    g_refreshchains="$g_refreshchains,$1"
 	    shift
 	done
-    else
-	g_refreshchains=:refresh:
    fi

    shorewall_is_started || fatal_error "Shorewall is not running"
@@ -907,7 +853,6 @@ refresh_command() {
 safe_commands() {
    local finished
    finished=0
-    local command

    # test is the shell supports timed read
    read -t 0 junk 2> /dev/null
@@ -1010,7 +955,7 @@ safe_commands() {

    [ -n "$nolock" ] || mutex_on

-    if run_it ${VARDIR}/.$command $g_debugging $command; then
+    if ${VARDIR}/.$command $g_debugging $command; then

 	echo -n "Do you want to accept the new firewall configuration? [y/n] "

@@ -1018,9 +963,9 @@ safe_commands() {
 	    echo "New configuration has been accepted"
 	else
 	    if [ "$command" = "restart" ]; then
-		run_it ${VARDIR}/.safe restore
+		${VARDIR}/.safe restore
 	    else
-		run_it ${VARDIR}/.$command clear
+		${VARDIR}/.$command clear
 	    fi

 	    [ -n "$nolock" ] || mutex_off
@@ -1146,13 +1091,13 @@ try_command() {

    [ -n "$nolock" ] || mutex_on

-    if run_it ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
+    if ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
 	sleep $timeout

 	if [ "$command" = "restart" ]; then
-	    run_it ${VARDIR}/.try restore
+	    ${VARDIR}/.try restore
 	else
-	    run_it ${VARDIR}/.$command clear
+	    ${VARDIR}/.$command clear
 	fi
    fi

@@ -1196,8 +1141,6 @@ reload_command() # $* = original arguments less the command.
    getcaps=
    local root
    root=root
-    local libexec
-    libexec=/usr/share

    litedir=/var/lib/shorewall-lite

@@ -1258,19 +1201,6 @@ reload_command() # $* = original arguments less the command.

    [ -n "$temp" ] && litedir="$temp"

-    temp=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //')
-
-    if [ -n "$temp" ]; then
-	case $temp in
-	    /*)
-		libexec="$temp"
-		;;
-	    *)
-		libexec=/usr/$temp
-		;;
-	esac
-    fi
-
    if [ -z "$getcaps" ]; then
 	SHOREWALL_DIR=$(resolve_file $directory)
 	ensure_config_path
@@ -1278,21 +1208,16 @@ reload_command() # $* = original arguments less the command.
 	[ -f $capabilities ] || getcaps=Yes
    fi

-    if [ -f $directory/shorewall.conf ]; then
-	if [ -f $directory/params ]; then
-	    . $directory/params
+    if [ -n "$getcaps" ]; then
+	if [ -f $directory/shorewall.conf ]; then
+	    . $directory/shorewall.conf
+	    ensure_config_path
 	fi

-	. $directory/shorewall.conf
-	
-	ensure_config_path
-    fi
-
-    if [ -n "$getcaps" ]; then
 	[ -n "$DONT_LOAD" ] && DONT_LOAD="$(echo $DONT_LOAD | tr ',' ' ')"

 	progress_message "Getting Capabilities on system $system..."
-	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $directory/capabilities; then
+	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" /usr/share/shorewall-lite/shorecap" > $directory/capabilities; then
 	    fatal_error "ERROR: Capturing capabilities on system $system failed"
 	fi
    fi
@@ -1409,7 +1334,7 @@ usage() # $1 = exit status
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
-    echo "   check [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ <directory> ]"
+    echo "   check [ -e ] [ -r ] [ <directory> ]"
    echo "   clear"
    echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
    echo "   delete <interface>[:<host-list>] ... <zone>"
@@ -1432,7 +1357,7 @@ usage() # $1 = exit status
    echo "   reject <address> ..."
    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   save [ <file name> ]"
    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
@@ -1444,7 +1369,6 @@ usage() # $1 = exit status
    echo "   show dynamic <zone>"
    echo "   show filters"
    echo "   show ip"
-    echo "   show ipa"
    echo "   show [ -m ] log [<regex>]"
    echo "   show macro <macro>"
    echo "   show macros"
@@ -1453,67 +1377,17 @@ usage() # $1 = exit status
    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
-    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
+    echo "   start [ -f ] [ -n ] [ -p ] [ <directory> ]"
    echo "   stop"
    echo "   status"
    echo "   try <directory> [ <timeout> ]"
    echo "   version [ -a ]"
    echo "   safe-start [ <directory> ]"
    echo "   safe-restart [ <directory> ]"
-    echo "   update [ -e ] [ -d ] [ -p ] [ -r ] [ -T ] [ -a ] [ <directory> ]"
    echo
    exit $1
 }

-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-    local product
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-
-    if [ -n "$all" ]; then
-	for product in shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
 #
 # Execution begins here
 #
@@ -1541,16 +1415,7 @@ g_verbose_offset=0
 g_use_verbosity=
 g_debug=
 g_export=
-g_refreshchains=:none:
-g_confess=
-g_update=
-g_annotate=
-
-#
-# Make sure that these variables are cleared
-#
-VERBOSE=
-VERBOSITY=
+g_refreshchains=

 finished=0

@@ -1647,6 +1512,55 @@ while [ $finished -eq 0 ]; do
    esac
 done

+version_command() {
+    local finished
+    finished=0
+    local all
+    all=
+    local product
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			a*)
+			    all=Yes
+			    option=${option#a}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    [ $# -gt 0 ] && usage 1
+
+    echo $SHOREWALL_VERSION
+
+    if [ -n "$all" ]; then
+	for product in shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
+	    if [ -f /usr/share/$product/version ]; then
+		echo "$product: $(cat /usr/share/$product/version)"
+	    fi
+	done
+    fi
+}
+
 if [ $# -eq 0 ]; then
    usage 1
 fi
@@ -1659,8 +1573,6 @@ CONFDIR=/etc/shorewall
 g_product="Shorewall"
 g_recovering=
 g_timestamp=
-g_libexec=/usr/share
-g_perllib=/usr/share/shorewall

 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir

@@ -1716,8 +1628,8 @@ case "$COMMAND" in
 	start_command $@
 	;;
    stop|clear)
-	[ $# -ne 1 ] && usage 1
 	get_config
+	[ $# -ne 1 ] && usage 1
 	[ -x $g_firewall ] || fatal_error "Shorewall has never been started"
 	[ -n "$nolock" ] || mutex_on
 	run_it $g_firewall $g_debugging $COMMAND
@@ -1751,12 +1663,6 @@ case "$COMMAND" in
 	shift
 	check_command $@
 	;;
-    update)
-	get_config Yes
-	shift
-	g_update=Yes
-	check_command $@
-	;;
    show|list)
 	get_config Yes No Yes
    	shift
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -0,0 +1,427 @@
+%define name shorewall
+%define version 4.4.13
+%define release 0base
+
+Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
+Name: %{name}
+Version: %{version}
+Release: %{release}
+License: GPLv2
+Packager: Tom Eastep <teastep@shorewall.net>
+Group: Networking/Utilities
+Source: %{name}-%{version}.tgz
+URL: http://www.shorewall.net/
+BuildArch: noarch
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+Requires: iptables iproute perl
+Provides: shoreline_firewall = %{version}-%{release}
+Obsoletes: shorewall-common shorewall-perl shorewall-shell
+
+%description
+
+The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
+(iptables) based firewall that can be used on a dedicated firewall system,
+a multi-function gateway/ router/server or on a standalone GNU/Linux system.
+%prep
+
+%setup
+
+%build
+
+%install
+export DESTDIR=$RPM_BUILD_ROOT ; \
+export OWNER=`id -n -u` ; \
+export GROUP=`id -n -g` ;\
+./install.sh
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%post
+
+if [ $1 -eq 1 ]; then
+	if [ -x /sbin/insserv ]; then
+		/sbin/insserv /etc/rc.d/shorewall
+	elif [ -x /sbin/chkconfig ]; then
+		/sbin/chkconfig --add shorewall;
+	fi
+fi
+
+%preun
+
+if [ $1 = 0 ]; then
+	if [ -x /sbin/insserv ]; then
+		/sbin/insserv -r /etc/init.d/shorewall
+	elif [ -x /sbin/chkconfig ]; then
+		/sbin/chkconfig --del shorewall
+	fi
+
+	rm -f /etc/shorewall/startup_disabled
+
+fi
+
+%triggerpostun  -- shorewall-common < 4.4.0
+
+if [ -x /sbin/insserv ]; then
+    /sbin/insserv /etc/rc.d/shorewall
+elif [ -x /sbin/chkconfig ]; then
+    /sbin/chkconfig --add shorewall;
+fi
+
+%files
+%defattr(0644,root,root,0755)
+%attr(0544,root,root) /etc/init.d/shorewall
+%attr(0755,root,root) %dir /etc/shorewall
+%attr(0755,root,root) %dir /usr/share/shorewall
+%attr(0755,root,root) %dir /usr/share/shorewall/configfiles
+%attr(0700,root,root) %dir /var/lib/shorewall
+%attr(0644,root,root) %config(noreplace) /etc/shorewall/*
+
+%attr(0644,root,root) /etc/logrotate.d/shorewall
+
+%attr(0755,root,root) /sbin/shorewall
+
+%attr(0644,root,root) /usr/share/shorewall/version
+%attr(0644,root,root) /usr/share/shorewall/actions.std
+%attr(0644,root,root) /usr/share/shorewall/action.Drop
+%attr(0644,root,root) /usr/share/shorewall/action.Reject
+%attr(0644,root,root) /usr/share/shorewall/action.template
+%attr(-   ,root,root) /usr/share/shorewall/functions
+%attr(0644,root,root) /usr/share/shorewall/lib.base
+%attr(0644,root,root) /usr/share/shorewall/lib.cli
+%attr(0644,root,root) /usr/share/shorewall/lib.common
+%attr(0644,root,root) /usr/share/shorewall/macro.*
+%attr(0644,root,root) /usr/share/shorewall/modules
+%attr(0644,root,root) /usr/share/shorewall/helpers
+%attr(0644,root,root) /usr/share/shorewall/configpath
+%attr(0755,root,root) /usr/share/shorewall/wait4ifup
+
+%attr(755,root,root) /usr/share/shorewall/compiler.pl
+%attr(0644,root,root) /usr/share/shorewall/prog.*
+%attr(0644,root,root) /usr/share/shorewall/Shorewall/*.pm
+
+%attr(0644,root,root) /usr/share/shorewall/configfiles/*
+
+%attr(0644,root,root) %{_mandir}/man5/*
+%attr(0644,root,root) %{_mandir}/man8/*
+
+%doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples
+
+%changelog
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
+* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0base
+* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0RC1
+* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta3
+* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta2
+* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta1
+* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0base
+* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC2
+* Thu May 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC1
+* Wed May 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta4
+* Tue May 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta3
+* Thu May 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta2
+* Thu May 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta2
+* Thu May 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta1
+* Mon May 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0base
+* Sun May 02 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0RC2
+* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0RC1
+* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta5
+* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta4
+* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta3
+* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta2
+* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta1
+* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0base
+* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC2
+* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC1
+* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta2
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta1
+* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0base
+* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC2
+* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC1
+* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta4
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta3
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta2
+* Thu Jan 21 2010 Tom Eastep tom@shorewall.net
+- Add /usr/share/shorewall/helpers
+* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta1
+* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0base
+* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0Beta1
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
+* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-0base
+* Sun Aug 09 2009 Tom Eastep tom@shorewall.net
+- Made Perl a dependency
+* Mon Aug 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0base
+* Tue Jul 28 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0RC2
+* Sun Jul 12 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0RC1
+* Thu Jul 09 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0Beta4
+* Sat Jun 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0Beta3
+* Mon Jun 15 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0Beta2
+* Fri Jun 12 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0Beta1
+* Sun Jun 07 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.13-0base
+* Fri Jun 05 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.12-0base
+* Fri Jun 05 2009 Tom Eastep tom@shorewall.net
+- Remove 'rfc1918' file
+* Sun May 10 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.11-0base
+* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.10-0base
+* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.9-0base
+* Tue Mar 17 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.8-0base
+* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.7-0base
+* Fri Feb 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.6-0base
+* Sun Feb 22 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.5-0base
+* Sat Feb 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.2.7-0base
+* Thu Feb 05 2009 Tom Eastep tom@shorewall.net
+- Add 'restored' script
+* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.2.6-0base
+* Fri Jan 30 2009 Tom Eastep tom@shorewall.net
+- Added swping files to the doc directory
+* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.2.6-0base
+* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.2.5-0base
+* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.4-0base
+* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.4-0RC2
+* Wed Dec 17 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.4-0RC1
+* Tue Dec 16 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.3.4-0base
+* Sat Dec 13 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.3.3-0base
+* Fri Dec 12 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.3.2-0base
+* Thu Dec 11 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.3.1-0base
+* Thu Dec 11 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.3.1-0base
+* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.3.0-0base
+* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
+- Updated to 2.3.0-0base
+* Fri Dec 05 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.3-0base
+* Wed Nov 05 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.2-0base
+* Wed Oct 08 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.1-0base
+* Fri Oct 03 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0base
+* Tue Sep 23 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0RC4
+* Mon Sep 15 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0RC3
+* Mon Sep 08 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0RC2
+* Tue Aug 19 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0RC1
+* Thu Jul 03 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0Beta3
+* Mon Jun 02 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0Beta2
+* Wed May 07 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.0-0Beta1
+* Mon Apr 28 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.1.8-0base
+* Mon Mar 24 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.1.7-0base
+* Thu Mar 13 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.1.6-0base
+* Tue Feb 05 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.1.5-0base
+* Fri Jan 04 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.1.4-0base
+* Wed Dec 12 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.1.3-0base
+* Fri Dec 07 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.1.3-1
+* Tue Nov 27 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.1.2-1
+* Wed Nov 21 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.1.1-1
+* Mon Nov 19 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.1.0-1
+* Thu Nov 15 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-1
+* Sat Nov 10 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC3
+* Wed Nov 07 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC2
+* Thu Oct 25 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.6-0RC1
+* Tue Oct 03 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.5-1
+* Wed Sep 05 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.4-1
+* Mon Aug 13 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.3-1
+* Thu Aug 09 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.2-1
+* Sat Jul 21 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.1-1
+* Wed Jul 11 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-1
+* Sun Jul 08 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0RC2
+* Fri Jun 29 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0RC1
+* Sun Jun 24 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta7
+* Wed Jun 20 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta6
+* Thu Jun 14 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta5
+* Fri Jun 08 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta4
+* Tue Jun 05 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta3
+* Tue May 15 2007 Tom Eastep tom@shorewall.net
+- Updated to 4.0.0-0Beta1
+* Fri May 11 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.7-1
+* Sat May 05 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.6-1
+* Mon Apr 30 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.5-1
+* Mon Apr 23 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.4-1
+* Wed Apr 18 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.3-1
+* Mon Apr 16 2007 Tom Eastep tom@shorewall.net
+- Moved lib.dynamiczones from Shorewall-shell
+* Sat Apr 14 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.2-1
+* Tue Apr 03 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.9.1-1
+* Thu Mar 24 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.2-1
+* Thu Mar 15 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.1-1
+* Sat Mar 10 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-1
+* Sun Feb 25 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0RC3
+* Sun Feb 04 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0RC2
+* Wed Jan 24 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0RC1
+* Mon Jan 22 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0Beta3
+* Wed Jan 03 2007 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0Beta2
+* Thu Dec 14 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.4.0-0Beta1
+* Sat Nov 25 2006 Tom Eastep tom@shorewall.net
+- Added shorewall-exclusion(5)
+- Updated to 3.3.6-1
+* Sun Nov 19 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.5-1
+* Sat Nov 18 2006 Tom Eastep tom@shorewall.net
+- Add Man Pages.
+* Sun Oct 29 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.4-1
+* Mon Oct 16 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.3-1
+* Sat Sep 30 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.2-1
+* Wed Aug 30 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.1-1
+* Sun Aug 27 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.3.0-1
+* Fri Aug 25 2006 Tom Eastep tom@shorewall.net
+- Updated to 3.2.3-1
+
+
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx #The Build script inserts the actual version
+VERSION=4.4.13

 usage() # $1 = exit status
 {
@@ -72,9 +72,6 @@ else
    VERSION=""
 fi

-[ -n "${LIBEXEC:=/usr/share}" ]
-[ -n "${PERLLIB:=/usr/share/shorewall}" ]
-
 echo "Uninstalling shorewall $VERSION"

 if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall-lite ]; then
@@ -88,9 +85,7 @@ else
 fi

 if [ -n "$FIREWALL" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
-	updaterc.d shorewall remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
        insserv -r $FIREWALL
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
@@ -109,8 +104,6 @@ rm -rf /etc/shorewall
 rm -rf /etc/shorewall-*.bkout
 rm -rf /var/lib/shorewall
 rm -rf /var/lib/shorewall-*.bkout
-rm -rf $PERLLIB}/Shorewall/*
-rm -rf ${LIBEXEC}/shorewall
 rm -rf /usr/share/shorewall
 rm -rf /usr/share/shorewall-*.bkout
 rm -rf /usr/share/man/man5/shorewall*
--- a/Shorewall6-lite/COPYING
+++ b/Shorewall6-lite/COPYING
@@ -2,8 +2,7 @@
 		       Version 2, June 1991

 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                          51 Franklin Street, Fifth Floor,
-			  Boston, MA 02110-1301 USA
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -17,7 +17,7 @@ SRWL=/sbin/shorewall6-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall6-lite-init.log}

-[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
+[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0

 export SHOREWALL_INIT_SCRIPT

--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=xxx #The build script will insert the actual version
+VERSION=4.4.13

 usage() # $1 = exit status
 {
@@ -123,16 +123,6 @@ done

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-[ -n "${LIBEXEC:=/usr/share}" ]
-
-case "$LIBEXEC" in
-    /*)
-	;;
-    *)
-	LIBEXEC=/usr/${LIBEXEC}
-	;;
-esac
-
 #
 # Determine where to install the firewall script
 #
@@ -197,7 +187,6 @@ else
    rm -rf ${DESTDIR}/etc/shorewall6-lite
    rm -rf ${DESTDIR}/usr/share/shorewall6-lite
    rm -rf ${DESTDIR}/var/lib/shorewall6-lite
-    [ "$LIBEXEC" = /usr/share ] || rm -rf /usr/share/shorewall6-lite/wait4ifup /usr/share/shorewall6-lite/shorecap
 fi

 #
@@ -213,8 +202,6 @@ delete_file ${DESTDIR}/usr/share/shorewall6-lite/xmodules

 install_file shorewall6-lite ${DESTDIR}/sbin/shorewall6-lite 0544

-eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall6-lite
-
 echo "Shorewall6 Lite control program installed in ${DESTDIR}/sbin/shorewall6-lite"

 #
@@ -236,7 +223,6 @@ echo  "Shorewall6 Lite script installed in ${DESTDIR}${DEST}/$INIT"
 #
 mkdir -p ${DESTDIR}/etc/shorewall6-lite
 mkdir -p ${DESTDIR}/usr/share/shorewall6-lite
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall6-lite
 mkdir -p ${DESTDIR}/var/lib/shorewall6-lite

 chmod 755 ${DESTDIR}/etc/shorewall6-lite
@@ -289,41 +275,30 @@ echo "Common functions linked through ${DESTDIR}/usr/share/shorewall6-lite/funct
 # Install Shorecap
 #

-install_file shorecap ${DESTDIR}${LIBEXEC}/shorewall6-lite/shorecap 0755
+install_file shorecap ${DESTDIR}/usr/share/shorewall6-lite/shorecap 0755

 echo
-echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/shorewall6-lite/shorecap"
+echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall6-lite/shorecap"

 #
 # Install wait4ifup
 #

 if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall6-lite/wait4ifup 0755
+    install_file wait4ifup ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup 0755

    echo
-    echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall6-lite/wait4ifup"
+    echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall6-lite/wait4ifup"
 fi

-#
-# Install the Modules files
-#
-
 if [ -f modules ]; then
+    #
+    # Install the Modules file
+    #
    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall6-lite
    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall6-lite/modules"
 fi

-if [ -f helpers ]; then
-    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/shorewall6-lite
-    echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall6-lite/modules"
-fi
-
-for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/shorewall6-lite/$f
-    echo "Modules file $f installed as ${DESTDIR}/usr/share/shorewall6-lite/$f"
-done
-
 if [ -d manpages ]; then
    #
    # Install the Man Pages
@@ -376,7 +351,11 @@ if [ -z "$DESTDIR" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall6-lite

-	    update-rc.d shorewall6-lite defaults
+	    if [ -x /sbin/insserv ]; then
+		insserv /etc/init.d/shorewall6-lite
+	    else
+		ln -s ../init.d/shorewall6-lite /etc/rcS.d/S40shorewall6-lite
+	    fi

 	    echo "Shorewall6 Lite will start automatically at boot"
 	else
--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -1,10 +1,10 @@
 #!/bin/sh
 #
-#     Shorewall6  Lite Packet Filtering Firewall Control Program - V4.4
+#     Shorewall6  Lite Packet Filtering Firewall Control Program - V4.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall-lite.
 #
@@ -94,9 +94,9 @@ get_config() {
    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages

    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
-	g_logread="logread | tac"
+	LOGREAD="logread | tac"
    elif [ -r $LOGFILE ]; then
-	g_logread="tac $LOGFILE"
+	LOGREAD="tac $LOGFILE"
    else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	exit 2
@@ -113,6 +113,10 @@ get_config() {

    [ -n "$FW" ] || FW=fw

+    [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
+
+    [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
+
    if [ -n "$IP6TABLES" ]; then
 	if [ ! -x "$IP6TABLES" ]; then
 	    echo "   ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2
@@ -141,12 +145,6 @@ get_config() {

    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))

-    if [ $VERBOSITY -lt -1 ]; then
-	VERBOSITY=-1
-    elif [ $VERBOSITY -gt 2 ]; then
-	VERBOSITY=2
-    fi
-
    g_hostname=$(hostname 2> /dev/null)

    IP=$(mywhich ip 2> /dev/null)
@@ -176,15 +174,6 @@ verify_firewall_script() {
    fi
 }

-#
-# Fatal error
-#
-startup_error() {
-    echo "   ERROR: $@" >&2
-    kill $$
-    exit 1
-}
-
 #
 # Start Command Executor
 #
@@ -458,13 +447,6 @@ g_noroutes=
 g_timestamp=
 g_recovering=
 g_purge=
-g_logread=
-
-#
-# Make sure that these variables are cleared
-#
-VERBOSE=
-VERBOSITY=

 finished=0

@@ -554,7 +536,6 @@ MUTEX_TIMEOUT=
 SHAREDIR=/usr/share/shorewall6-lite
 CONFDIR=/etc/shorewall6-lite
 g_product="Shorewall6 Lite"
-g_libexec=share

 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]

--- a/Shorewall6-lite/shorewall6-lite.conf
+++ b/Shorewall6-lite/shorewall6-lite.conf
@@ -21,7 +21,6 @@
 ###############################################################################
 #		              V E R B O S I T Y
 ###############################################################################
-
 VERBOSITY=

 ###############################################################################
@@ -30,6 +29,8 @@ VERBOSITY=

 LOGFILE=

+LOGFORMAT=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -0,0 +1,269 @@
+%define name shorewall6-lite
+%define version 4.4.13
+%define release 0base
+
+Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
+Name: %{name}
+Version: %{version}
+Release: %{release}
+License: GPLv2
+Packager: Tom Eastep <teastep@shorewall.net>
+Group: Networking/Utilities
+Source: %{name}-%{version}.tgz
+URL: http://www.shorewall.net/
+BuildArch: noarch
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+Requires: iptables iproute
+Provides: shoreline_firewall = %{version}-%{release}
+
+%description
+
+The Shoreline Firewall 6, more commonly known as "Shorewall6", is a Netfilter
+(ip6tables) based firewall that can be used on a dedicated firewall system,
+a multi-function gateway/ router/server or on a standalone GNU/Linux system.
+
+Shorewall6 Lite is a companion product to Shorewall6 that allows network
+administrators to centralize the configuration of Shorewall6-based firewalls.
+
+%prep
+
+%setup
+
+%build
+
+%install
+export DESTDIR=$RPM_BUILD_ROOT ; \
+export OWNER=`id -n -u` ; \
+export GROUP=`id -n -g` ;\
+./install.sh
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%pre
+
+%post
+
+if [ $1 -eq 1 ]; then
+    if [ -x /sbin/insserv ]; then
+	/sbin/insserv /etc/rc.d/shorewall6-lite
+    elif [ -x /sbin/chkconfig ]; then
+	/sbin/chkconfig --add shorewall6-lite;
+    fi
+fi
+
+%preun
+
+if [ $1 -eq 0 ]; then
+    if [ -x /sbin/insserv ]; then
+	/sbin/insserv -r /etc/init.d/shorewall6-lite
+    elif [ -x /sbin/chkconfig ]; then
+	/sbin/chkconfig --del shorewall6-lite
+    fi
+fi
+
+%files
+%defattr(0644,root,root,0755)
+%attr(0755,root,root) %dir /etc/shorewall6-lite
+%attr(0644,root,root) %config(noreplace) /etc/shorewall6-lite/shorewall6-lite.conf
+%attr(0644,root,root) /etc/shorewall6-lite/Makefile
+%attr(0544,root,root) /etc/init.d/shorewall6-lite
+%attr(0755,root,root) %dir /usr/share/shorewall6-lite
+%attr(0700,root,root) %dir /var/lib/shorewall6-lite
+
+%attr(0644,root,root) /etc/logrotate.d/shorewall6-lite
+
+%attr(0755,root,root) /sbin/shorewall6-lite
+
+%attr(0644,root,root) /usr/share/shorewall6-lite/version
+%attr(0644,root,root) /usr/share/shorewall6-lite/configpath
+%attr(-   ,root,root) /usr/share/shorewall6-lite/functions
+%attr(0644,root,root) /usr/share/shorewall6-lite/lib.base
+%attr(0644,root,root) /usr/share/shorewall6-lite/lib.cli
+%attr(0644,root,root) /usr/share/shorewall6-lite/lib.common
+%attr(0644,root,root) /usr/share/shorewall6-lite/modules
+%attr(0544,root,root) /usr/share/shorewall6-lite/shorecap
+%attr(0755,root,root) /usr/share/shorewall6-lite/wait4ifup
+
+%attr(0644,root,root) %{_mandir}/man5/shorewall6-lite.conf.5.gz
+%attr(0644,root,root) %{_mandir}/man5/shorewall6-lite-vardir.5.gz
+
+%attr(0644,root,root) %{_mandir}/man8/shorewall6-lite.8.gz
+
+%doc COPYING changelog.txt releasenotes.txt
+
+%changelog
+* Mon Sep 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0base
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0RC1
+* Fri Sep 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta6
+* Mon Sep 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta5
+* Sat Sep 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta4
+* Mon Aug 30 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta3
+* Wed Aug 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta2
+* Wed Aug 18 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.13-0Beta1
+* Sun Aug 15 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0base
+* Fri Aug 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0RC1
+* Sun Aug 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta4
+* Sat Jul 31 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta3
+* Sun Jul 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta2
+* Wed Jul 21 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.12-0Beta1
+* Fri Jul 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0base
+* Mon Jul 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0RC1
+* Sat Jul 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta3
+* Thu Jul 01 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta2
+* Sun Jun 06 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.11-0Beta1
+* Sat Jun 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0base
+* Fri Jun 04 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC2
+* Thu May 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0RC1
+* Wed May 26 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta4
+* Tue May 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta3
+* Thu May 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta2
+* Thu May 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta2
+* Thu May 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.10-0Beta1
+* Mon May 03 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0base
+* Sun May 02 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0RC2
+* Sun Apr 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0RC1
+* Sat Apr 24 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta5
+* Fri Apr 16 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta4
+* Fri Apr 09 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta3
+* Thu Apr 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta2
+* Sat Mar 20 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.9-0Beta1
+* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0base
+* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC2
+* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC1
+* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta2
+* Thu Feb 11 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta1
+* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0base
+* Tue Feb 02 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC2
+* Wed Jan 27 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0RC1
+* Mon Jan 25 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta4
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta3
+* Fri Jan 22 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta2
+* Sun Jan 17 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.7-0Beta1
+* Wed Jan 13 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0base
+* Tue Jan 12 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.6-0Beta1
+* Thu Dec 24 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.5-0base
+* Sat Nov 21 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0base
+* Fri Nov 13 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta2
+* Wed Nov 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.4-0Beta1
+* Tue Nov 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.3-0base
+* Sun Sep 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Sep 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.2-0base
+* Fri Aug 14 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.1-0base
+* Mon Aug 03 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0base
+* Tue Jul 28 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0RC2
+* Sun Jul 12 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0RC1
+* Thu Jul 09 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0Beta4
+* Sat Jun 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0Beta3
+* Mon Jun 15 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0Beta2
+* Fri Jun 12 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.4.0-0Beta1
+* Sun Jun 07 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.13-0base
+* Fri Jun 05 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.12-0base
+* Sun May 10 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.11-0base
+* Sun Apr 19 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.10-0base
+* Sat Apr 11 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.9-0base
+* Tue Mar 17 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.8-0base
+* Sun Mar 01 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.7-0base
+* Fri Feb 27 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.6-0base
+* Sun Feb 22 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.3.5-0base
+* Wed Feb 04 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.2.6-0base
+* Thu Jan 29 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.2.6-0base
+* Tue Jan 06 2009 Tom Eastep tom@shorewall.net
+- Updated to 4.2.5-0base
+* Thu Dec 25 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.4-0base
+* Sun Dec 21 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.4-0RC2
+* Wed Dec 17 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.2.4-0RC1
+* Tue Dec 16 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.3.4-0base
+* Sat Dec 13 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.3.3-0base
+* Fri Dec 12 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.3.2-0base
+* Thu Dec 11 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.3.1-0base
+* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
+- Updated to 4.3.0-0base
+* Wed Dec 10 2008 Tom Eastep tom@shorewall.net
+- Updated to 2.3.0-0base
+* Tue Dec 09 2008 Tom Eastep tom@shorewall.net
+- Initial Version
+
+
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=xxx  #The Build script inserts the actual version
+VERSION=4.4.13

 usage() # $1 = exit status
 {
@@ -60,8 +60,6 @@ else
    VERSION=""
 fi

-[ -n "${LIBEXEC:=/usr/share}" ]
-
 echo "Uninstalling Shorewall Lite $VERSION"

 if qt ip6tables -L shorewall -n && [ ! -f /sbin/shorewall6 ]; then
@@ -75,9 +73,7 @@ else
 fi

 if [ -n "$FIREWALL" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
-	updaterc.d shorewall6-lite remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
        insserv -r $FIREWALL
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
@@ -97,7 +93,6 @@ rm -rf /etc/shorewall6-lite-*.bkout
 rm -rf /var/lib/shorewall6-lite
 rm -rf /var/lib/shorewall6-lite-*.bkout
 rm -rf /usr/share/shorewall6-lite
-rm -rf ${LIBEXEC}/shorewall6-lite
 rm -rf /usr/share/shorewall6-lite-*.bkout
 rm -f  /etc/logrotate.d/shorewall6-lite

--- a/Shorewall6/COPYING
+++ b/Shorewall6/COPYING
@@ -2,8 +2,7 @@
 		       Version 2, June 1991

 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                          51 Franklin Street, Fifth Floor,
-                          Boston, MA 02110-1301 USA
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

--- a/Shorewall6/configfiles/accounting
+++ b/Shorewall6/configfiles/accounting
@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-###############################################################################################################
-#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC	HEADERS
+#####################################################################################
+#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK
 #							PORT(S)		PORT(S)	GROUP
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	a258de3c9d	Update known problems Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-21 07:50:13 -07:00
Tom Eastep	a796623dde	Rename DESTIFAC_DISALLOW -> DESTIFACE_DISALLOW Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-20 09:40:31 -07:00
Tom Eastep	f6f840bebf	Misc cleanup for 4.4.13 1. Replace statement with equivalent function call in promote_blacklist_rules() 2. Bump version of Tunnels.pm 3. Fix typo in comment in Zones.pm Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-20 08:15:24 -07:00
Tom Eastep	59905e8744	Set version to 4.4.13	2010-09-20 07:25:33 -07:00
Tom Eastep	7d2f6379e0	Document fix for '*' in interface names. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-19 15:19:48 -07:00
Tom Eastep	8bdd9828fd	Don't allow '*' in interface names	2010-09-19 15:13:54 -07:00