Implement HL manipulation for IPv6

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Add BALANCE_TABLE.
2011-10-09 14:01:40 -07:00 · 2011-10-09 09:00:14 -07:00 · 2011-10-09 08:50:55 -07:00 · 2011-10-09 07:05:08 -07:00 · 2011-10-08 18:19:08 -07:00 · 2011-10-08 17:10:23 -07:00
138 changed files with 5468 additions and 1366 deletions
--- a/Samples/Universal/rules
+++ b/Samples/Universal/rules
@@ -6,9 +6,10 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+###################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
@@ -10,9 +10,13 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW

 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -10,9 +10,17 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+#       Don't allow connection pickup from the net
+#
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -10,9 +10,17 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+#       Don't allow connection pickup from the net
+#
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Samples6/Universal/rules
+++ b/Samples6/Universal/rules
@@ -6,9 +6,10 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
--- a/Samples6/one-interface/rules
+++ b/Samples6/one-interface/rules
@@ -10,9 +10,13 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall6-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW

 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

--- a/Samples6/three-interfaces/rules
+++ b/Samples6/three-interfaces/rules
@@ -10,9 +10,17 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+#       Don't allow connection pickup from the net
+#
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Samples6/two-interfaces/rules
+++ b/Samples6/two-interfaces/rules
@@ -10,9 +10,17 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
+#SECTION ESTABLISHED
+#SECTION RELATED
+SECTION NEW
+
+#       Don't allow connection pickup from the net
+#
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -0,0 +1,121 @@
+#! /bin/bash
+#
+# chkconfig: - 09 91
+# description: Initialize the shorewall firewall at boot time
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-Start: $local_fs
+# Required-Stop:  $local_fs
+# Default-Start:
+# Default-Stop:	  0 1 2 3 4 5 6
+# Short-Description: Initialize the shorewall firewall at boot time
+# Description:       Place the firewall in a safe state at boot time
+#                    prior to bringing up the network.  
+### END INIT INFO
+prog="shorewall-init"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/shorewall-init"
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+# Get startup options (override default)
+OPTIONS=
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+    . /etc/sysconfig/shorewall-init
+else
+    echo "/etc/sysconfig/shorewall-init not found"
+    exit 6
+fi
+
+# Initialize the firewall
+start () {
+    local product
+    local vardir
+
+    if [ -z "$PRODUCTS" ]; then
+	echo "No firewalls configured for shorewall-init"
+	failure
+	return 6 #Not configured
+    fi
+
+    echo -n "Initializing \"Shorewall-based firewalls\": "
+    for product in $PRODUCTS; do
+	vardir=/var/lib/$product
+	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
+	if [ -x ${vardir}/firewall ]; then
+	    ${vardir}/firewall stop 2>&1 | $logger
+	    retval=${PIPESTATUS[0]}
+	    [ retval -ne 0 ] && break
+	fi
+    done
+
+    if [ retval -eq 0 ]; then
+	touch $lockfile 
+	success
+    else
+	failure
+    fi
+    echo
+    return $retval
+}
+
+# Clear the firewall
+stop () {
+    local product
+    local vardir
+
+    echo -n "Clearing \"Shorewall-based firewalls\": "
+    for product in $PRODUCTS; do
+	vardir=/var/lib/$product
+	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
+	if [ -x ${vardir}/firewall ]; then
+	    ${vardir}/firewall clear 2>&1 | $logger
+	    retval=${PIPESTATUS[0]}
+	    [ retval -ne 0 ] && break
+	fi
+    done
+
+    if [ retval -eq 0 ]; then
+	rm -f $lockfile
+	success
+    else
+	failure
+    fi
+    echo
+    return $retval
+}
+
+status_q() {
+    status > /dev/null 2>&1
+}
+
+case "$1" in
+    start)
+	status_q && exit 0
+	$1
+	;;
+    stop)
+	status_q || exit 0
+	$1
+	;;
+    restart|reload|force-reload)
+	echo "Not implemented"
+	exit 3
+	;;
+    condrestart|try-restart)
+	echo "Not implemented"
+	exit 3
+        ;;
+    status)
+	status $prog
+	;;
+  *)
+	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+	exit 1
+esac
+
+exit 0
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -160,6 +160,8 @@ elif [ -f /etc/debian_version ]; then
    DEBIAN=yes
 elif [ -f /etc/SuSE-release ]; then
    SUSE=Yes
+elif [ -f /etc/redhat-release ]; then
+    FEDORA=Yes
 elif [ -f /etc/slackware-version ] ; then
    echo "Shorewall-init is currently not supported on Slackware" >&2
    exit 1
@@ -181,6 +183,14 @@ else
    exit 1
 fi

+if [ -z "$DESTDIR" ]; then
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
 #
 # Change to the directory containing this script
 #
@@ -202,6 +212,8 @@ fi
 #
 if [ -n "$DEBIAN" ]; then
    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
+elif [ -n "$FEDORA" ]; then
+    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
 #elif [ -n "$ARCHLINUX" ]; then
 #    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
 else
@@ -210,6 +222,14 @@ fi

 echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"

+#
+# Install the .service file
+#
+if [ -n "$SYSTEMD" ]; then
+    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
+fi
+
 #
 # Create /usr/share/shorewall-init if needed
 #
@@ -297,7 +317,11 @@ if [ -z "$DESTDIR" ]; then

 	    echo "Shorewall Init will start automatically at boot"
 	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	    if [ -n "$SYSTEMD" ]; then
+		if systemctl enable shorewall-init; then
+		    echo "Shorewall Init will start automatically at boot"
+		fi
+	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if insserv /etc/init.d/shorewall-init ; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+After=syslog.target
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init $OPTIONS start
+ExecReload=/sbin/shorewall-init $OPTIONS restart
+ExecStop=/sbin/shorewall-init $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -73,6 +73,8 @@ if [ -n "$INITSCRIPT" ]; then
        insserv -r $INITSCRIPT
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $INITSCRIPT)
+    elif [ -x /sbin/systemctl ]; then
+	systemctl disable shorewall-init
    else
 	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
    fi
@@ -93,6 +95,7 @@ remove_file /etc/network/if-down.d/shorewall

 remove_file /etc/sysconfig/network/if-up.d/shorewall
 remove_file /etc/sysconfig/network/if-down.d/shorewall
+remove_file /lib/systemd/system/shorewall.service

 if [ -d /etc/ppp ]; then
    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall-lite
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop:	  0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall-lite"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+    . /etc/sysconfig/$prog
+fi
+
+start() {
+    echo -n $"Starting Shorewall: "
+    $shorewall $OPTIONS start 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping Shorewall: "
+    $shorewall $OPTIONS stop 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	rm -f $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+    echo -n $"Restarting Shorewall: "
+    $shorewall $OPTIONS restart 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else # Failed to start, clean up lock file if present
+	rm -f $lockfile
+	failure
+    fi
+    echo
+    return $retval
+}
+
+status(){
+    $shorewall status
+    return $?
+}
+
+status_q() {
+    status > /dev/null 2>&1
+}
+
+case "$1" in
+    start)
+	status_q && exit 0
+	$1
+	;;
+    stop)
+	status_q || exit 0
+	$1
+	;;
+    restart|reload|force-reload)
+	restart
+	;;
+    condrestart|try-restart)
+        status_q || exit 0
+        restart
+        ;;
+    status)
+	$1
+	;;
+    *)
+	echo "Usage: $0 start|stop|reload|restart|force-reload|status"
+	exit 1
+	;;
+esac
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -136,7 +136,6 @@ esac
 #
 # Determine where to install the firewall script
 #
-DEBIAN=
 CYGWIN=
 INSTALLD='-D'
 T='-T'
@@ -173,6 +172,8 @@ if [ -n "$DESTDIR" ]; then
    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
    DEBIAN=yes
+elif [ -f /etc/redhat-release ]; then
+    FEDORA=yes
 elif [ -f /etc/slackware-version ] ; then
    DEST="/etc/rc.d"
    INIT="rc.firewall"
@@ -182,6 +183,14 @@ elif [ -f /etc/arch-release ] ; then
      ARCHLINUX=yes
 fi

+if [ -z "$DESTDIR" ]; then
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
 #
 # Change to the directory containing this script
 #
@@ -223,12 +232,13 @@ echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh /etc/init.d/shorewall-lite 0544
+    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
+elif [ -n "$FEDORA" ]; then
+    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-
+    install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
 else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+    install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
 fi

 echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
@@ -249,6 +259,14 @@ if [ -n "$DESTDIR" ]; then
    chmod 755 ${DESTDIR}/etc/logrotate.d
 fi

+#
+# Install the .service file
+#
+if [ -n "$SYSTEMD" ]; then
+    run_install $OWNERSHIP -m 600 shorewall-lite.service ${DESTDIR}/lib/systemd/system/shorewall-lite.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-lite.service"
+fi
+
 #
 # Install the config file
 #
@@ -389,7 +407,11 @@ if [ -z "$DESTDIR" ]; then

 	    echo "Shorewall Lite will start automatically at boot"
 	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	    if [ -n "$SYSTEMD" ]; then
+		if systemctl enable shorewall-lite; then
+		    echo "Shorewall Lite will start automatically at boot"
+		fi
+	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if insserv /etc/init.d/shorewall-lite ; then
 		    echo "Shorewall Lite will start automatically at boot"
 		else
--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv4 firewall (lite)
+After=syslog.target
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-lite $OPTIONS start
+ExecReload=/sbin/shorewall-lite $OPTIONS restart
+ExecStop=/sbin/shorewall-lite $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -93,6 +93,8 @@ if [ -n "$FIREWALL" ]; then
        insserv -r $FIREWALL
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
+    elif [ -x /sbin/systemctl ]; then
+	systemctl disable shorewall-lite
    else
 	rm -f /etc/rc*.d/*$(basename $FIREWALL)
    fi
@@ -112,6 +114,7 @@ rm -rf /usr/share/shorewall-lite
 rm -rf ${LIBEXEC}/shorewall-lite
 rm -rf /usr/share/shorewall-lite-*.bkout
 rm -f  /etc/logrotate.d/shorewall-lite
+rm -f  /lib/systemd/system/shorewall-lite.service

 echo "Shorewall Lite Uninstalled"

--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -141,7 +141,10 @@ sub process_accounting_rule( ) {

    $jumpchainref = 0;

-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File', $accounting_commands;
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
+	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
+
+    fatal_error 'ACTION must be specified' if $action eq '-';

    if ( $action eq 'COMMENT' ) {
 	process_comment;
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -63,6 +63,7 @@ our @EXPORT = qw(

 		    %chain_table
 		    $raw_table
+		    $rawpost_table
 		    $nat_table
 		    $mangle_table
 		    $filter_table
@@ -113,6 +114,8 @@ our %EXPORT_TAGS = (
 				       zone_input_chain
 				       use_input_chain
 				       output_chain
+				       prerouting_chain
+				       postrouting_chain
 				       zone_output_chain
 				       use_output_chain
 				       masq_chain
@@ -132,6 +135,7 @@ our %EXPORT_TAGS = (
 				       ensure_mangle_chain
 				       ensure_nat_chain
 				       ensure_raw_chain
+				       ensure_rawpost_chain
 				       new_standard_chain
 				       new_builtin_chain
 				       new_nat_chain
@@ -143,10 +147,13 @@ our %EXPORT_TAGS = (
 				       newexclusionchain
 				       newnonatchain
 				       source_exclusion
+				       source_iexclusion
 				       dest_exclusion
+				       dest_iexclusion
 				       clearrule
 				       port_count
 				       do_proto
+				       do_iproto
 				       do_mac
 				       do_imac
 				       verify_mark
@@ -162,6 +169,7 @@ our %EXPORT_TAGS = (
 				       do_connbytes
 				       do_helper
 				       do_headers
+				       do_condition
 				       have_ipset_rules
 				       record_runtime_address
 				       conditional_rule
@@ -262,6 +270,7 @@ our $VERSION = 'MODULEVERSION';
 #
 our %chain_table;
 our $raw_table;
+our $rawpost_table;
 our $nat_table;
 our $mangle_table;
 our $filter_table;
@@ -438,31 +447,33 @@ use constant { UNIQUE      => 1,
 	       MATCH       => 8,
 	       CONTROL     => 16 };

-my %opttype = ( rule       => CONTROL,
-		cmd        => CONTROL,
+my %opttype = ( rule          => CONTROL,
+		cmd           => CONTROL,

-		dhcp       => UNIQUE,
+		dhcp          => UNIQUE,
 		
-	        mode       => CONTROL,
-		cmdlevel   => CONTROL,
-		simple     => CONTROL,
+	        mode          => CONTROL,
+		cmdlevel      => CONTROL,
+		simple        => CONTROL,

-	        i          => UNIQUE,
-		s          => UNIQUE,
-		o          => UNIQUE,
-		d          => UNIQUE,
-		p          => UNIQUE,
-		dport      => UNIQUE,
-		sport      => UNIQUE,
+	        i             => UNIQUE,
+		s             => UNIQUE,
+		o             => UNIQUE,
+		d             => UNIQUE,
+		p             => UNIQUE,
+		dport         => UNIQUE,
+		sport         => UNIQUE,
+		'icmp-type'   => UNIQUE,
+		'icmpv6-type' => UNIQUE,
 		
-		comment    => CONTROL,
+		comment       => CONTROL,

-		policy     => MATCH,
-		state      => EXCLUSIVE,
+		policy        => MATCH,
+		state         => EXCLUSIVE,
 		
-		jump       => TARGET,
-		target     => TARGET,
-		targetopts => TARGET,
+		jump          => TARGET,
+		target        => TARGET,
+		targetopts    => TARGET,
 	      );

 my %aliases = ( protocol        => 'p',
@@ -474,9 +485,11 @@ my %aliases = ( protocol        => 'p',
 		'out-interface' => 'o',
 		dport           => 'dport',
 		sport           => 'sport',
+		'icmp-type'     => 'icmp-type',
+		'icmpv6-type'   => 'icmpv6-type',
 	      );

-my @unique_options = ( qw/p dport sport s d i o/ );
+my @unique_options = ( qw/p dport sport icmp-type icmpv6-type s d i o/ );
 	     
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -491,16 +504,18 @@ my @unique_options = ( qw/p dport sport s d i o/ );
 sub initialize( $$$ ) {
    ( $family, my $hard, $export ) = @_;

-    %chain_table = ( raw    => {},
-		     mangle => {},
-		     nat    => {},
-		     filter => {} );
+    %chain_table = ( raw    =>  {},
+		     rawpost => {},
+		     mangle =>  {},
+		     nat    =>  {},
+		     filter =>  {} );

-    $raw_table    = $chain_table{raw};
-    $nat_table    = $chain_table{nat};
-    $mangle_table = $chain_table{mangle};
-    $filter_table = $chain_table{filter};
-    %renamed      = ();
+    $raw_table     = $chain_table{raw};
+    $rawpost_table = $chain_table{rawpost};
+    $nat_table     = $chain_table{nat};
+    $mangle_table  = $chain_table{mangle};
+    $filter_table  = $chain_table{filter};
+    %renamed       = ();
    #
    # Contents of last COMMENT line.
    #
@@ -1582,6 +1597,22 @@ sub output_chain($)
    $_[0] . '_out';
 }

+#
+# Prerouting Chain for an interface
+#
+sub prerouting_chain($) 
+{
+    $_[0] . '_pre';
+}
+	    
+#
+# Prerouting Chain for an interface
+#
+sub postrouting_chain($) 
+{
+    $_[0] . '_post';
+}
+	    
 #
 # Output Chain for a zone
 #
@@ -2044,6 +2075,14 @@ sub ensure_raw_chain($) {
    $chainref;
 }

+sub ensure_rawpost_chain($) {
+    my $chain = $_[0];
+
+    my $chainref = ensure_chain 'rawpost', $chain;
+    $chainref->{referenced} = 1;
+    $chainref;
+}
+
 #
 # Add a builtin chain
 #
@@ -2110,7 +2149,7 @@ sub ensure_audit_chain( $;$$ ) {

 	$tgt ||= $action;

-	add_ijump $ref, j => 'AUDIT --type ' . lc $action;
+	add_ijump $ref, j => 'AUDIT', targetopts => '--type ' . lc $action;
 	
 	if ( $tgt eq 'REJECT' ) {
 	    add_ijump $ref , g => 'reject';
@@ -2200,6 +2239,8 @@ sub initialize_chain_table($) {
 	    new_builtin_chain 'raw', $chain, 'ACCEPT';
 	}

+	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
+
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -2243,6 +2284,8 @@ sub initialize_chain_table($) {
 	    new_builtin_chain 'raw', $chain, 'ACCEPT';
 	}

+	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
+
 	for my $chain ( qw(INPUT OUTPUT FORWARD) ) {
 	    new_builtin_chain 'filter', $chain, 'DROP';
 	}
@@ -2718,7 +2761,7 @@ sub optimize_level8( $$$ ) {
 }

 sub optimize_ruleset() {
-    for my $table ( qw/raw mangle nat filter/ ) {
+    for my $table ( qw/raw rawpost mangle nat filter/ ) {

 	next if $family == F_IPV6 && $table eq 'nat';

@@ -2862,6 +2905,42 @@ sub source_exclusion( $$ ) {
    reftype $target ? $chainref : $chainref->{name};
 }

+sub source_iexclusion( $$$$$;@ ) {
+    my $chainref   = shift;
+    my $jump       = shift;
+    my $target     = shift;
+    my $targetopts = shift;
+    my $source     = shift;
+    my $table      = $chainref->{table};
+
+    my @exclusion;
+
+    if ( $source =~ /^([^!]+)!([^!]+)$/ ) {
+	$source = $1;
+	@exclusion = mysplit( $2 );
+
+	my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
+	
+	add_ijump( $chainref1 , j => 'RETURN', imatch_source_net( $_ ) ) for @exclusion;
+	
+	if ( $targetopts ) {
+	    add_ijump( $chainref1, $jump => $target, targetopts => $targetopts );
+	} else {
+	    add_ijump( $chainref1, $jump => $target );
+	}
+
+	add_ijump( $chainref , j => $chainref1, imatch_source_net( $source ),  @_ );
+    } elsif ( $targetopts ) {
+	add_ijump( $chainref,
+		   $jump      => $target,
+		   targetopts => $targetopts,
+		   imatch_source_net( $source ), 
+		   @_ );
+    } else {
+	add_ijump( $chainref, $jump => $target, imatch_source_net( $source ), @_ );
+    }
+}
+
 sub dest_exclusion( $$ ) {
    my ( $exclusions, $target ) = @_;

@@ -2877,6 +2956,38 @@ sub dest_exclusion( $$ ) {
    reftype $target ? $chainref : $chainref->{name};
 }

+sub dest_iexclusion( $$$$$;@ ) {
+    my $chainref   = shift;
+    my $jump       = shift;
+    my $target     = shift;
+    my $targetopts = shift;
+    my $dest       = shift;
+    my $table      = $chainref->{table};
+
+    my @exclusion;
+
+    if ( $dest =~ /^([^!]+)!([^!]+)$/ ) {
+	$dest = $1;
+	@exclusion = mysplit( $2 );
+
+	my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
+	
+	add_ijump( $chainref1 , j => 'RETURN', imatch_dest_net( $_ ) ) for @exclusion;
+	
+	if ( $targetopts ) {
+	    add_ijump( $chainref1, $jump => $target, targetopts => $targetopts, @_ );
+	} else {
+	    add_ijump( $chainref1, $jump => $target, @_ );
+	}
+
+	add_ijump( $chainref , j => $chainref1, imatch_dest_net( $dest ), @_ );
+    } elsif ( $targetopts ) {
+	add_ijump( $chainref, $jump => $target, imatch_dest_net( $dest ), targetopts => $targetopts , @_ );
+    } else {
+	add_ijump( $chainref, $jump => $target, imatch_dest_net( $dest ), @_ );
+    }
+}
+
 sub clearrule() {
    $iprangematch = 0;
 }
@@ -2894,7 +3005,9 @@ sub port_count( $ ) {
 sub state_imatch( $ ) {
    my $state = shift;

-    have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => $state );
+    unless ( $state eq 'ALL' ) {
+	have_capability 'CONNTRACK_MATCH' ? ( conntrack => "--ctstate $state" ) : ( state => "--state $state" );
+    }
 }

 #
@@ -3000,6 +3113,7 @@ sub do_proto( $$$;$ )

 			if ( $ports =~ /,/ ) {
 			    fatal_error "An inverted ICMP list may only contain a single type" if $invert;
+			    fatal_error "An ICMP type list is not allowed in this context"     if $restricted;
 			    $types = '';
 			    for my $type ( split_list( $ports, 'ICMP type list' ) ) {
 				$types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type;
@@ -3024,6 +3138,7 @@ sub do_proto( $$$;$ )

 			if ( $ports =~ /,/ ) {
 			    fatal_error "An inverted ICMP list may only contain a single type" if $invert;
+			    fatal_error "An ICMP type list is not allowed in this context"     if $restricted;
 			    $types = '';
 			    for my $type ( list_split( $ports, 'ICMP type list' ) ) {
 				$types = $types ? join( ',', $types, validate_icmp6( $type ) ) : $type;
@@ -3088,6 +3203,183 @@ sub do_mac( $ ) {
    "-m mac ${invert}--mac-source $mac ";
 }

+sub do_iproto( $$$ )
+{
+    my ($proto, $ports, $sports ) = @_;
+
+    my @output = ();
+
+    my $restricted = 1;
+
+    $proto  = '' if $proto  eq '-';
+    $ports  = '' if $ports  eq '-';
+    $sports = '' if $sports eq '-';
+
+    if ( $proto ne '' ) {
+
+	my $synonly  = ( $proto =~ s/:syn$//i );
+	my $invert   = ( $proto =~ s/^!// ? '! ' : '' );
+	my $protonum = resolve_proto $proto;
+
+	if ( defined $protonum ) {
+	    #
+	    # Protocol is numeric and <= 255 or is defined in /etc/protocols or NSS equivalent
+	    #
+	    fatal_error "'!0' not allowed in the PROTO column" if $invert && ! $protonum;
+
+	    my $pname = proto_name( $proto = $protonum );
+	    #
+	    # $proto now contains the protocol number and $pname contains the canonical name of the protocol
+	    #
+	    unless ( $synonly ) {
+		@output = ( p => "${invert}${proto}" );
+	    } else {
+		fatal_error '":syn" is only allowed with tcp' unless $proto == TCP && ! $invert;
+		@output = ( p => "$proto --syn" );
+	    }
+
+	    fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO !$pname" if $invert && ($ports ne '' || $sports ne '');
+
+	  PROTO:
+	    {
+		if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
+		    my $multiport = 0;
+
+		    if ( $ports ne '' ) {
+			$invert = $ports =~ s/^!// ? '! ' : '';
+			if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
+			    fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' );
+			    fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
+
+			    if ( port_count ( $ports ) > 15 ) {
+				if ( $restricted ) {
+				    fatal_error "A port list in this file may only have up to 15 ports";
+				} elsif ( $invert ) {
+				    fatal_error "An inverted port list may only have up to 15 ports";
+				}
+			    }
+
+			    $ports = validate_port_list $pname , $ports;
+			    push @output, multiport => "${invert}--dports ${ports}";
+			    $multiport = 1;
+			}  else {
+			    fatal_error "Missing DEST PORT" unless supplied $ports;
+			    $ports   = validate_portpair $pname , $ports;
+			    push @output, dport => "${invert}${ports}";
+			}
+		    } else {
+			$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE );
+		    }
+
+		    if ( $sports ne '' ) {
+			$invert = $sports =~ s/^!// ? '! ' : '';
+			if ( $multiport ) {
+
+			    if ( port_count( $sports ) > 15 ) {
+				if ( $restricted ) {
+				    fatal_error "A port list in this file may only have up to 15 ports";
+				} elsif ( $invert ) {
+				    fatal_error "An inverted port list may only have up to 15 ports";
+				}
+			    }
+
+			    $sports = validate_port_list $pname , $sports;
+			    push @output, multiport => "${invert}--sports ${sports}";
+			}  else {
+			    fatal_error "Missing SOURCE PORT" unless supplied $sports;
+			    $sports  = validate_portpair $pname , $sports;
+			    push @output, sport => "${invert}${sports}";
+			}
+		    }
+
+		    last PROTO;	}
+
+		if ( $proto == ICMP ) {
+		    fatal_error "ICMP not permitted in an IPv6 configuration" if $family == F_IPV6; #User specified proto 1 rather than 'icmp'
+		    if ( $ports ne '' ) {
+			$invert = $ports =~ s/^!// ? '! ' : '';
+
+			my $types;
+
+			if ( $ports =~ /,/ ) {
+			    fatal_error "An inverted ICMP list may only contain a single type" if $invert;
+			    fatal_error "An ICMP type list is not allowed in this context"     if $restricted;
+			    $types = '';
+			    for my $type ( split_list( $ports, 'ICMP type list' ) ) {
+				$types = $types ? join( ',', $types, validate_icmp( $type ) ) : $type;
+			    }
+			} else {
+			    $types = validate_icmp $ports;
+			}
+
+			push @output, 'icmp-type' => "${invert}${types}";
+		    }
+
+		    fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports ne '';
+
+		    last PROTO; }
+
+		if ( $proto == IPv6_ICMP ) {
+		    fatal_error "IPv6_ICMP not permitted in an IPv4 configuration" if $family == F_IPV4;
+		    if ( $ports ne '' ) {
+			$invert = $ports =~ s/^!// ? '! ' : '';
+
+			my $types;
+
+			if ( $ports =~ /,/ ) {
+			    fatal_error "An inverted ICMP list may only contain a single type" if $invert;
+			    fatal_error "An ICMP type list is not allowed in this context"     if $restricted;
+			    $types = '';
+			    for my $type ( split_list( $ports, 'ICMP type list' ) ) {
+				$types = $types ? join( ',', $types, validate_icmp6( $type ) ) : $type;
+			    }
+			} else {
+			    $types = validate_icmp6 $ports;
+			}
+
+			push @output, 'icmpv6-type' => "${invert}${types}";
+		    }
+
+		    fatal_error 'SOURCE PORT(S) not permitted with IPv6-ICMP' if $sports ne '';
+
+		    last PROTO; }
+
+
+		fatal_error "SOURCE/DEST PORT(S) not allowed with PROTO $pname" if $ports ne '' || $sports ne '';
+
+	    } # PROTO
+
+	} else {
+	    fatal_error '":syn" is only allowed with tcp' if $synonly;
+
+	    if ( $proto =~ /^(ipp2p(:(tcp|udp|all))?)$/i ) {
+		my $p = $2 ? lc $3 : 'tcp';
+		require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
+		$proto = '-p ' . proto_name($p) . ' ';
+
+		my $options = '';
+
+		if ( $ports ne 'ipp2p' ) {
+		    $options .= " --$_" for split /,/, $ports;
+		}
+
+		$options = have_capability( 'OLD_IPP2P_MATCH' ) ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options;
+
+		push @output, ipp2p => "${proto}${options}";
+	    } else {
+		fatal_error "Invalid/Unknown protocol ($proto)"
+	    }
+	}
+    } else {
+	#
+	# No protocol
+	#
+	fatal_error "SOURCE/DEST PORT(S) not allowed without PROTO" if $ports ne '' || $sports ne '';
+    }
+
+    @output;
+}
+
 sub do_imac( $ ) {
    my $mac = $_[0];

@@ -3101,7 +3393,7 @@ sub do_imac( $ ) {
 }

 #
-# Mark validatation functions
+# Mark validation functions
 #
 sub verify_mark( $ ) {
    my $mark  = $_[0];
@@ -3445,6 +3737,22 @@ sub do_headers( $ ) {
    "-m ipv6header ${invert}--header ${headers} ${soft}";
 }

+#
+# Generate a -m condition match
+#
+sub do_condition( $ ) {
+    my $condition = shift;
+
+    return '' if $condition eq '-';
+
+    my $invert = $condition =~ s/^!// ? '! ' : '';
+
+    require_capability 'CONDITION_MATCH', 'A non-empty SWITCH column', 's';
+    fatal_error "Invalid switch name ($condition)" unless $condition =~ /^[a-zA-Z][-\w]*$/ && length $condition <= 30;
+
+    "-m condition ${invert}--condition $condition "
+}
+
 #
 # Match Source Interface
 #
@@ -4786,7 +5094,7 @@ sub expand_rule( $$$$$$$$$$;$ )

    if ( $origdest ) {
 	if ( $origdest eq '-' || ! have_capability( 'CONNTRACK_MATCH' ) ) {
-	    $origdest = '';
+	    $onets = $oexcl = '';
 	} elsif ( $origdest =~ /^detect:(.*)$/ ) {
 	    #
 	    # Either the filter part of a DNAT rule or 'detect' was given in the ORIG DEST column
@@ -4816,7 +5124,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 		$rule .= "-m conntrack --ctorigdst $variable ";
 	    }

-	    $origdest = '';
+	    $onets = $oexcl = '';
 	} else {
 	    fatal_error "Invalid ORIGINAL DEST" if  $origdest =~ /^([^!]+)?,!([^!]+)$/ || $origdest =~ /.*!.*!/;

@@ -4903,7 +5211,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    #
 	    # Clear the exclusion bit
 	    #
-	    add_ijump $chainref , j => 'MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
+	    add_ijump $chainref , j => 'MARK', targetopts => '--and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
 	    #
 	    # Mark packet if it matches any of the exclusions
 	    #
@@ -5263,12 +5571,37 @@ sub emitr1( $$ ) {

 sub save_dynamic_chains() {

-    my $tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
+    my $tool;

    emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
    push_indent;

-emit <<"EOF";
+    if ( have_capability 'IPTABLES_S' ) {
+	$tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
+
+	emit <<"EOF";
+if chain_exists 'UPnP -t nat'; then
+    $tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
+else
+    rm -f \${VARDIR}/.UPnP
+fi
+
+if chain_exists forwardUPnP; then
+    $tool -S forwardUPnP | tail -n +2 > \${VARDIR}/.forwardUPnP
+else
+    rm -f \${VARDIR}/.forwardUPnP
+fi
+
+if chain_exists dynamic; then
+    $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic
+else
+    rm -f \${VARDIR}/.dynamic
+fi
+EOF
+    } else {
+	$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
+
+	emit <<"EOF";
 if chain_exists 'UPnP -t nat'; then
    $tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
 else
@@ -5287,6 +5620,7 @@ else
    rm -f \${VARDIR}/.dynamic
 fi
 EOF
+    }

    pop_indent;
    emit ( 'else' );
@@ -5295,13 +5629,23 @@ EOF
 emit <<"EOF";
 rm -f \${VARDIR}/.UPnP
 rm -f \${VARDIR}/.forwardUPnP
+EOF

-if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then
-    if chain_exists dynamic; then
-        $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
+    if ( have_capability 'IPTABLES_S' ) {
+	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
+	      qq(    if chain_exists dynamic; then),
+	      qq(        $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
+    } else {
+	emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
+	      qq(    if chain_exists dynamic; then),
+	      qq(        $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
+    }
+
+emit <<"EOF";
    fi
 fi
 EOF
+
    pop_indent;

    emit ( 'fi' ,
@@ -5432,9 +5776,10 @@ sub create_netfilter_load( $ ) {

    my @table_list;

-    push @table_list, 'raw'    if have_capability( 'RAW_TABLE' );
-    push @table_list, 'nat'    if have_capability( 'NAT_ENABLED' );
-    push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+    push @table_list, 'raw'     if have_capability( 'RAW_TABLE' );
+    push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
+    push @table_list, 'nat'     if have_capability( 'NAT_ENABLED' );
+    push @table_list, 'mangle'  if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
    push @table_list, 'filter';

    $mode = NULL_MODE;
@@ -5534,9 +5879,10 @@ sub preview_netfilter_load() {

    my @table_list;

-    push @table_list, 'raw'    if have_capability( 'RAW_TABLE' );
-    push @table_list, 'nat'    if have_capability( 'NAT_ENABLED' );
-    push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+    push @table_list, 'raw'     if have_capability( 'RAW_TABLE' );
+    push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
+    push @table_list, 'nat'     if have_capability( 'NAT_ENABLED' );
+    push @table_list, 'mangle'  if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
    push @table_list, 'filter';

    $mode = NULL_MODE;
@@ -5644,7 +5990,7 @@ sub create_chainlist_reload($) {
 	for my $chain ( @chains ) {
 	    ( $table , $chain ) = split ':', $chain if $chain =~ /:/;

-	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw)$/;
+	    fatal_error "Invalid table ( $table )" unless $table =~ /^(nat|mangle|filter|raw|rawpost)$/;

 	    $chains{$table} = {} unless $chains{$table};

@@ -5673,7 +6019,7 @@ sub create_chainlist_reload($) {

 	enter_cat_mode;

-	for $table ( qw(raw nat mangle filter) ) {
+	for $table ( qw(raw rawpost nat mangle filter) ) {
 	    my $tableref=$chains{$table};

 	    next unless $tableref;
@@ -5748,9 +6094,10 @@ sub create_stop_load( $ ) {

    my @table_list;

-    push @table_list, 'raw'    if have_capability( 'RAW_TABLE' );
-    push @table_list, 'nat'    if have_capability( 'NAT_ENABLED' );
-    push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+    push @table_list, 'raw'     if have_capability( 'RAW_TABLE' );
+    push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
+    push @table_list, 'nat'     if have_capability( 'NAT_ENABLED' );
+    push @table_list, 'mangle'  if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
    push @table_list, 'filter';

    my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -38,6 +38,8 @@ use Shorewall::IPAddrs;
 use Shorewall::Raw;
 use Shorewall::Misc;

+use strict;
+
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
@@ -81,11 +83,11 @@ sub generate_script_1( $ ) {

    if ( $script ) {
 	if ( $test ) {
-	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
+	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
 	    my $date = localtime;

-	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
+	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";

 	    if ( $family == F_IPV4 ) {
 		copy $globals{SHAREDIRPL} . 'prog.header';
@@ -263,9 +265,9 @@ sub generate_script_2() {
 	push_indent;

 	if ( $global_variables & NOT_RESTORE ) {
-	    emit( 'start|restart|refresh)' );
+	    emit( 'start|restart|refresh|disable|enable)' );
 	} else {
-	    emit( 'start|restart|refresh|restore)' );
+	    emit( 'start|restart|refresh|disable|enable|restore)' );
 	}

 	push_indent;
@@ -613,7 +615,6 @@ sub compiler {
    # shorewall.conf has been processed and the capabilities have been determined.
    #
    initialize_chain_table(1);
-
    #
    # Allow user to load Perl modules
    #
@@ -695,7 +696,7 @@ sub compiler {
    if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
-	emit '}';
+	emit '}'; # End of setup_common_rules()
    }

    disable_script;
@@ -704,7 +705,17 @@ sub compiler {
    #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
    #
    enable_script;
-
+    #
+    # Validate the TC files so that the providers will know what interfaces have TC
+    #
+    my $tcinterfaces = process_tc;
+    #
+    # Generate a function to bring up each provider
+    #
+    process_providers( $tcinterfaces );
+    #
+    # [Re-]establish Routing
+    #
    if ( $scriptfilename || $debug ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
@@ -714,9 +725,7 @@ sub compiler {

 	push_indent;
    }
-    #
-    # [Re-]establish Routing
-    #
+
    setup_providers;
    #
    # TCRules and Traffic Shaping
@@ -725,7 +734,7 @@ sub compiler {

    if ( $scriptfilename || $debug ) {
 	pop_indent;
-	emit "}\n";
+	emit "}\n"; # End of setup_routing_and_traffic_shaping()
    }

    disable_script;
@@ -748,12 +757,12 @@ sub compiler {
 	# Setup Nat
 	#
 	setup_nat;
-	#
-	# Setup NETMAP
-	#
-	setup_netmap;
    }

+    #
+    # Setup NETMAP
+    #
+    setup_netmap;
    #
    # MACLIST Filtration
    #
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -279,6 +279,9 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 HEADER_MATCH    => 'Header Match',
 		 ACCOUNT_TARGET  => 'ACCOUNT Target',
 		 AUDIT_TARGET    => 'AUDIT Target',
+		 RAWPOST_TABLE   => 'Rawpost Table',
+		 CONDITION_MATCH => 'Condition Match',
+		 IPTABLES_S      => 'iptables -S',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -306,6 +309,7 @@ our %config_files = ( #accounting      => 1,
 		      refresh          => 1,
 		      refreshed        => 1,
 		      restored         => 1,
+		      rawnat           => 1,
 		      route_rules      => 1,
 		      routes           => 1,
 		      routestopped     => 1,
@@ -381,6 +385,12 @@ my $iptables;                # Path to iptables/ip6tables
 my $tc;                      # Path to tc
 my $ip;                      # Path to ip

+my $shell;                   # Type of shell that processed the params file
+
+use constant { BASH    => 1,
+	       OLDBASH => 2,
+	       ASH     => 3 };
+
 use constant { MIN_VERBOSITY => -1,
 	       MAX_VERBOSITY => 2 ,
 	       F_IPV4 => 4,
@@ -435,8 +445,8 @@ sub initialize( $ ) {
 		    KLUDGEFREE => '',
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
-		    VERSION    => "4.4.22-Beta1",
-		    CAPVERSION => 40421 ,
+		    VERSION    => "4.4.22.1",
+		    CAPVERSION => 40424 ,
 		  );
    #
    # From shorewall.conf file
@@ -624,6 +634,7 @@ sub initialize( $ ) {
 	       CONNMARK_MATCH => undef,
 	       XCONNMARK_MATCH => undef,
 	       RAW_TABLE => undef,
+	       RAWPOST_TABLE => undef,
 	       IPP2P_MATCH => undef,
 	       OLD_IPP2P_MATCH => undef,
 	       CLASSIFY_TARGET => undef,
@@ -655,6 +666,8 @@ sub initialize( $ ) {
 	       HEADER_MATCH => undef,
 	       ACCOUNT_TARGET => undef,
 	       AUDIT_TARGET => undef,
+	       CONDITION_MATCH => undef,
+	       IPTABLES_S => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -1326,46 +1339,45 @@ sub supplied( $ ) {

 #    ensure that it has an appropriate number of columns.
 #    supply '-' in omitted trailing columns.
+#    Handles all of the supported forms of column/pair specification
 #
-sub split_line( $$$ ) {
-    my ( $mincolumns, $maxcolumns, $description ) = @_;
+sub split_line1( $$;$ ) {
+    my ( $description, $columnsref, $nopad) = @_;

-    fatal_error "Shorewall Configuration file entries may not contain single quotes, double quotes, single back quotes or backslashes" if $currentline =~ /["'`\\]/;
-    fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/;
+    my @maxcolumns = ( keys %$columnsref );
+    my $maxcolumns = @maxcolumns;
+    #
+    # First see if there is a semicolon on the line; what follows will be column/value paris
+    #
+    my ( $columns, $pairs, $rest ) = split( ';', $currentline );

-    my @line = split( ' ', $currentline );
+    if ( supplied $pairs ) {
+	#
+	# Found it -- be sure there wasn't more than one.
+	#
+	fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
+    } elsif ( $currentline =~ /(.*){(.*)}$/ ) {
+	#
+	# Pairs are enclosed in curly brackets.
+	#
+	$columns = $1;
+	$pairs   = $2;
+    } else {
+	$pairs = '';
+    }

-    my $line = @line;
+    fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
+    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;

-    fatal_error "Invalid $description entry (too many columns)" if $line > $maxcolumns;
-
-    $line-- while $line > 0 && $line[$line-1] eq '-';
-
-    fatal_error "Invalid $description entry (too few columns)"  if $line < $mincolumns;
-
-    push @line, '-' while @line < $maxcolumns;
-
-    @line;
-}
-
-#
-# Version of 'split_line' used on files with exceptions
-#
-sub split_line1( $$$;$ ) {
-    my ( $mincolumns, $maxcolumns, $description, $nopad) = @_;
-
-    fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $currentline =~ /["`\\]/;
-    fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/;
-
-    my @line = split( ' ', $currentline );
+    my @line = split( ' ', $columns );

    $nopad = { COMMENT => 0 } unless $nopad;

-    my $first   = $line[0];
-    my $columns = $nopad->{$first};
+    my $first     = supplied $line[0] ? $line[0] : '-';
+    my $npcolumns = $nopad->{$first};

-    if ( defined $columns ) {
-	fatal_error "Invalid $first entry" if $columns && @line != $columns;
+    if ( defined $npcolumns ) {
+	fatal_error "Invalid $first entry" if $npcolumns && @line != $npcolumns;
 	return @line
    }

@@ -1377,13 +1389,34 @@ sub split_line1( $$$;$ ) {

    $line-- while $line > 0 && $line[$line-1] eq '-';

-    fatal_error "Invalid $description entry (too few columns)"  if $line < $mincolumns;
-
    push @line, '-' while @line < $maxcolumns;

+    if ( supplied $pairs ) {
+	$pairs =~ s/^\s*//;
+	$pairs =~ s/\s*$//;
+
+	my @pairs = split( /,?\s+/, $pairs );
+
+	for ( @pairs ) {
+	    fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
+	    my ( $column, $value ) = ( lc $1, $2 );
+	    fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
+	    $column = $columnsref->{$column};
+	    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
+	    $value = $1 if $value =~ /^"([^"]+)"$/;
+	    fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
+	    fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
+	    $line[$column] = $value;
+	}
+    }   
+
    @line;
 }

+sub split_line($$) {
+    &split_line1( @_, {} );
+}
+
 #
 # Open a file, setting $currentfile. Returns the file's absolute pathname if the file
 # exists, is non-empty  and was successfully opened. Terminates with a fatal error
@@ -2525,6 +2558,10 @@ sub Raw_Table() {
    qt1( "$iptables -t raw -L -n" );
 }

+sub Rawpost_Table() {
+    qt1( "$iptables -t rawpost -L -n" );
+}
+
 sub Old_IPSet_Match() {
    my $ipset  = $config{IPSET} || 'ipset';
    my $result = 0;
@@ -2658,15 +2695,24 @@ sub Account_Target() {
    }
 }

+sub Condition_Match() {
+    qt1( "$iptables -A $sillyname -m condition --condition foo" );
+}
+
 sub Audit_Target() {
    qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
 }

+sub Iptables_S() {
+    qt1( "$iptables -S INPUT" )
+}
+
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AUDIT_TARGET => \&Audit_Target,
      ADDRTYPE => \&Addrtype,
      CLASSIFY_TARGET => \&Classify_Target,
+      CONDITION_MATCH => \&Condition_Match,
      COMMENTS => \&Comments,
      CONNLIMIT_MATCH => \&Connlimit_Match,
      CONNMARK => \&Connmark,
@@ -2686,6 +2732,7 @@ our %detect_capability =
      IPSET_MATCH => \&IPSet_Match,
      OLD_IPSET_MATCH => \&Old_IPSet_Match,
      IPSET_V5 => \&IPSET_V5,
+      IPTABLES_S => \&Iptables_S,
      KLUDGEFREE => \&Kludgefree,
      LENGTH_MATCH => \&Length_Match,
      LOGMARK_TARGET => \&Logmark_Target,
@@ -2707,6 +2754,7 @@ our %detect_capability =
      PHYSDEV_MATCH => \&Physdev_Match,
      POLICY_MATCH => \&Policy_Match,
      RAW_TABLE => \&Raw_Table,
+      RAWPOST_TABLE => \&Rawpost_Table,
      REALM_MATCH => \&Realm_Match,
      RECENT_MATCH => \&Recent_Match,
      TCPMSS_MATCH => \&Tcpmss_Match,
@@ -2820,6 +2868,7 @@ sub determine_capabilities() {

 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
+	$capabilities{RAWPOST_TABLE}   = detect_capability( 'RAWPOST_TABLE' );
 	$capabilities{IPSET_MATCH}     = detect_capability( 'IPSET_MATCH' );
 	$capabilities{USEPKTTYPE}      = detect_capability( 'USEPKTTYPE' );
 	$capabilities{ADDRTYPE}        = detect_capability( 'ADDRTYPE' );
@@ -2838,6 +2887,8 @@ sub determine_capabilities() {
 	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
 	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
 	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
+	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
+	$capabilities{IPTABLES_S}      = detect_capability( 'IPTABLES_S' );


 	qt1( "$iptables -F $sillyname" );
@@ -3054,8 +3105,19 @@ EOF

 	fatal_error "Can't rename $configfile to $configfile.bak: $!"     unless rename $configfile, "$configfile.bak";
 	fatal_error "Can't rename $configfile.updated to $configfile: $!" unless rename "$configfile.updated", $configfile;
+	
+	if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
+	    progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
+	} else {
+	    if ( unlink "$configfile.bak" ) {
+		progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
+	    } else {
+		warning_message "Unable to unlink $configfile.bak";
+		progress_message3 "No update required to configuration file $configfile; $configfile.b";
+	    }

-	progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
+	    exit 0;
+	}
    } else {
 	fatal_error "$fn does not exist";
    }
@@ -3249,6 +3311,8 @@ sub get_params() {
 	    # - Embedded double quotes are escaped with '\\'
 	    # - Valueless variables are supported (e.g., 'declare -x foo')
 	    #
+	    $shell = BASH;
+
 	    for ( @params ) {
 		if ( /^declare -x (.*?)="(.*[^\\])"$/ ) {
 		    $params{$1} = $2 unless $1 eq '_';
@@ -3257,11 +3321,11 @@ sub get_params() {
 		} elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) {
 		    $params{$1} = '';
 		} else {
+		    chomp;
 		    if ($variable) {
 			s/"$//;
 			$params{$variable} .= $_;
 		    } else {
-			chomp;
 			warning_message "Param line ($_) ignored" unless $bug++;
 		    }
 		}	
@@ -3275,6 +3339,8 @@ sub get_params() {
 	    # - Embedded single quotes are escaped with '\'
 	    # - Valueless variables ( e.g., 'export foo') are supported
 	    #
+	    $shell = OLDBASH;
+
 	    for ( @params ) {
 		if ( /^export (.*?)="(.*[^\\])"$/ ) {
 		    $params{$1} = $2 unless $1 eq '_';
@@ -3283,11 +3349,11 @@ sub get_params() {
 		} elsif ( /^export ([^\s=]+)\s*$/ || /^export (.*)=""$/ ) {
 		    $params{$1} = '';
 		} else {
+		    chomp;
 		    if ($variable) {
 			s/"$//;
 			$params{$variable} .= $_;
 		    } else {
-			chomp;
 			warning_message "Param line ($_) ignored" unless $bug++;
 		    }
 		}	
@@ -3300,6 +3366,8 @@ sub get_params() {
 	    # - Param values are delimited by single quotes.
 	    # - Embedded single quotes are transformed to the five characters '"'"'
 	    #
+	    $shell = ASH;
+
 	    for ( @params ) {
 		if ( /^export (.*?)='(.*'"'"')$/ ) {
 		    $params{$variable=$1}="${2}\n";		    
@@ -3308,11 +3376,11 @@ sub get_params() {
 		} elsif ( /^export (.*?)='(.*)$/ ) {
 		    $params{$variable=$1}="${2}\n";
 		} else {
+		    chomp;
 		    if ($variable) {
 			s/'$//;
 			$params{$variable} .= $_;
 		    } else {
-			chomp;
 			warning_message "Param line ($_) ignored" unless $bug++;
 		    }				
 		}
@@ -3351,15 +3419,29 @@ sub export_params() {
 	#
 	next if exists $compiler_params{$param};
 	#
+	# Values in %params are generated from the output of 'export -p'.
+	# The different shells have different conventions for delimiting
+	# the value and for escaping embedded instances of the delimiter.
+	# The following logic removes the escape characters.
+	#
+	if ( $shell == BASH ) {
+	    $value =~ s/\\"/"/g;
+	} elsif ( $shell == OLDBASH ) {
+	    $value =~ s/\\'/'/g;
+	} else {
+	    $value =~ s/'"'"'/'/g;
+	}
+	#
 	# Don't export pairs from %ENV
 	#
-	if ( exists $ENV{$param} && defined $ENV{$param} ) {
-	    next if $value eq $ENV{$param};
-	}
+	next if defined $ENV{$param} && $value eq $ENV{$param};

 	emit "#\n# From the params file\n#" unless $count++;
-
-	if ( $value =~ /[\s()[]/ ) {
+	#
+	# We will use double quotes and escape embedded quotes with \.
+	#
+	if ( $value =~ /[\s()['"]/ ) {
+	    $value =~ s/"/\\"/g;
 	    emit "$param='$value'";
 	} else {
 	    emit "$param=$value";
@@ -3368,9 +3450,10 @@ sub export_params() {
 }

 #
+# - Process the params file
 # - Read the shorewall.conf file
 # - Read the capabilities file, if any
-# - establish global hashes %config , %globals and %capabilities
+# - establish global hashes %params, %config , %globals and %capabilities
 #
 sub get_configuration( $$$ ) {

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -82,7 +82,7 @@ sub process_tos() {

 	while ( read_a_line ) {

-	    my ($src, $dst, $proto, $sports, $ports , $tos, $mark ) = split_line 6, 7, 'tos file entry';
+	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = split_line 'tos file entry', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ;

 	    $first_entry = 0;

@@ -152,12 +152,16 @@ sub setup_ecn()

    if ( my $fn = open_file 'ecn' ) {

-	first_entry "$doing $fn...";
+	first_entry( sub { progress_message2 "$doing $fn...";
+			   require_capability 'MANGLE_ENABLED', 'Entries in the ecn file', '';
+			   warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
+		       } );

 	while ( read_a_line ) {

-	    my ($interface, $hosts ) = split_line 1, 2, 'ecn file entry';
+	    my ($interface, $hosts ) = split_line 'ecn file entry', { interface => 0, hosts => 1 };

+	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
 	    fatal_error "Unknown interface ($interface)" unless known_interface $interface;

 	    $interfaces{$interface} = 1;
@@ -178,12 +182,12 @@ sub setup_ecn()
 	    for my $interface ( @interfaces ) {
 		my $chainref = ensure_chain 'mangle', ecn_chain( $interface );

-		add_ijump $mangle_table->{POSTROUTING} , j => $chainref, p => 'tcp', imatch_dest_dev( $interface );
+		add_ijump $mangle_table->{POSTROUTING} , j => $chainref, p => 'tcp', imatch_dest_dev( $interface ) if have_capability 'MANGLE_FORWARD';
 		add_ijump $mangle_table->{OUTPUT},       j => $chainref, p => 'tcp', imatch_dest_dev( $interface );
 	    }

 	    for my $host ( @hosts ) {
-		add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN --ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[1] ) );
+		add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[1] ) );
 	    }
 	}
    }
@@ -223,7 +227,7 @@ sub setup_blacklist() {

 	    log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add',	'' );

-	    add_ijump( $logchainref, j => 'AUDIT --type ' . lc $target ) if $audit;
+	    add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
 	    add_ijump( $logchainref, g => $target );

 	    $target = 'blacklog';
@@ -253,7 +257,7 @@ sub setup_blacklist() {
 		    $first_entry = 0;
 		}

-		my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
+		my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };

 		if ( $options eq '-' ) {
 		    $options = 'src';
@@ -355,10 +359,12 @@ sub process_routestopped() {

 	while ( read_a_line ) {

-	    my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
+	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
+		split_line 'routestopped file', { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 };

 	    my $interfaceref;

+	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
 	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	    $hosts = ALLIP unless $hosts && $hosts ne '-';

@@ -498,34 +504,45 @@ sub add_common_rules() {
    my $audit    = $policy =~ s/^A_//;
    my @ipsec    = have_ipsec ? ( policy => '--pol none --dir in' ) : ();

-    if ( $level || $audit || @ipsec ) {
+    if ( $level || $audit ) {
+	#
+	# Create a chain to log and/or audit and apply the policy
+	#
 	$chainref = new_standard_chain 'sfilter';

 	log_rule $level , $chainref , $policy , '' if $level ne '';
 	
-	add_ijump( $chainref, j => 'AUDIT --type ' . lc $policy ) if $audit;
+	add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
 	
 	add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
 	
 	$target = 'sfilter';
-
-	if ( @ipsec ) {
-	    $chainref = new_standard_chain 'sfilter1';
-
-	    add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
-	    log_rule $level , $chainref , $policy , '' if $level ne '';
-	
-	    add_ijump( $chainref, j => 'AUDIT --type ' . lc $policy ) if $audit;
-	
-	    add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
-	
-	    $target1 = 'sfilter1';
-	}
-    } elsif ( ( $target = $policy ) eq 'REJECT' ) {
-	$target = 'reject';
+    } else {
+	$target = $policy eq 'REJECT' ? 'reject' : $policy;
    }

-    $target1 = $target unless $target1;
+    if ( @ipsec ) {
+	#
+	# sfilter1 will be used in the FORWARD chain where we allow traffic entering the interface
+	# to leave the interface encrypted. We need a separate chain because '--dir out' cannot be
+	# used in the input chain
+	#
+	$chainref = new_standard_chain 'sfilter1';
+
+	add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
+	log_rule $level , $chainref , $policy , '' if $level ne '';
+	
+	add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
+	
+	add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
+	
+	$target1 = 'sfilter1';
+    } else {
+	#
+	# No IPSEC -- use the same target in both INPUT and FORWARD
+	#
+	$target1 = $target;
+    }

    for $interface ( grep $_ ne '%vserver%', all_interfaces ) {
 	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface );
@@ -540,9 +557,15 @@ sub add_common_rules() {
 	
 	    if ( @filters ) {
 		add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
+		$interfaceref->{options}{use_forward_chain} = 1;
 	    } elsif ( $interfaceref->{bridge} eq $interface ) {
 		add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++
-		    unless $interfaceref->{options}{routeback} || $interfaceref->{options}{routefilter} || $interfaceref->{physical} eq '+';
+		    unless( $config{ROUTE_FILTER} eq 'on' ||
+			    $interfaceref->{options}{routeback} ||
+			    $interfaceref->{options}{routefilter} ||
+			    $interfaceref->{physical} eq '+' );
+
+		$interfaceref->{options}{use_forward_chain} = 1;
 	    }

 	    add_ijump( $chainref, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ), $chainref->{filtered}++ if $config{FASTACCEPT};
@@ -552,6 +575,7 @@ sub add_common_rules() {
 	
 	    if ( @filters ) {
 		add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
+		$interfaceref->{options}{use_input_chain} = 1;
 	    }
 	
 	    add_ijump( $chainref, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ), $chainref->{filtered}++ if $config{FASTACCEPT};
@@ -592,7 +616,7 @@ sub add_common_rules() {
 			    '',
 			    'add',
 			    '' );
-	    add_ijump( $smurfref, j => 'AUDIT --type drop' ) if $smurfdest eq 'A_DROP';
+	    add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
 	    add_ijump( $smurfref, j => 'DROP' );

 	    $smurfdest = 'smurflog';
@@ -666,7 +690,7 @@ sub add_common_rules() {
    }

    add_ijump $rejectref , j => 'DROP', p => 2;
-    add_ijump $rejectref , j => 'REJECT --reject-with tcp-reset', p => 6;
+    add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;

    if ( have_capability( 'ENHANCED_REJECT' ) ) {
 	add_ijump $rejectref , j => 'REJECT', p => 17;
@@ -729,11 +753,11 @@ sub add_common_rules() {

 	    if ( $audit ) {
 		$disposition =~ s/^A_//;
-		add_ijump( $logflagsref, j => 'AUDIT --type ' . lc $disposition );
+		add_ijump( $logflagsref, j => 'AUDIT', targetopts => '--type ' . lc $disposition );
 	    }

 	    if ( $disposition eq 'REJECT' ) {
-		add_ijump $logflagsref , j => 'REJECT --reject-with tcp-reset', p => 6;
+		add_ijump $logflagsref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
 	    } else {
 		add_ijump $logflagsref , j => $disposition;
 	    }
@@ -876,7 +900,7 @@ sub setup_mac_lists( $ ) {

 	    while ( read_a_line ) {

-		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 3, 4, 'maclist file';
+		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 };

 		if ( $original_disposition eq 'COMMENT' ) {
 		    process_comment;
@@ -906,14 +930,14 @@ sub setup_mac_lists( $ ) {
 			    log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
 				if supplied $level;
 			    
-			    add_ijump( $chainref , j => 'AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
+			    add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
 			    add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
 			}
 		    } else {
 			log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
 			    if supplied $level;

-			add_ijump( $chainref , j => 'AUDIT --type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
+			add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
 			add_jump ( $chainref , $targetref->{target}, 0, "$mac" );
 		    }

@@ -1163,6 +1187,12 @@ sub add_interface_jumps {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
 	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
 	addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
+	
+	if ( have_capability 'RAWPOST_TABLE' ) {
+	    insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) )   if $rawpost_table->{postrouting_chain $interface};
+	    insert_ijump ( $raw_table->{PREROUTING},      j => prerouting_chain( $interface ),  0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
+	    insert_ijump ( $raw_table->{OUTPUT},          j => output_chain( $interface ),      0, imatch_dest_dev( $interface) )   if $raw_table->{output_chain $interface};
+	}
    }
    #
    # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
@@ -1821,10 +1851,10 @@ sub setup_mss( ) {

    if ( $clampmss ) {
 	if ( "\L$clampmss" eq 'yes' ) {
-	    $option = ' --clamp-mss-to-pmtu';
+	    $option = '--clamp-mss-to-pmtu';
 	} else {
 	    @match  = ( tcpmss => "--mss $clampmss:" ) if have_capability( 'TCPMSS_MATCH' );
-	    $option = " --set-mss $clampmss";
+	    $option = "--set-mss $clampmss";
 	}

 	push @match, ( policy => '--pol none --dir out' ) if have_ipsec;
@@ -1855,14 +1885,14 @@ sub setup_mss( ) {
 	    my @mssmatch = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : ();
 	    my @source   = imatch_source_dev $_;
 	    my @dest     = imatch_dest_dev $_;
-	    add_ijump $chainref, j => "TCPMSS --set-mss $mss", @dest,   p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @out_match;
+	    add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", @dest,   p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @out_match;
 	    add_ijump $chainref, j => 'RETURN', @dest if $clampmss;
-	    add_ijump $chainref, j => "TCPMSS --set-mss $mss", @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @in_match;
+	    add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @in_match;
 	    add_ijump $chainref, j => 'RETURN', @source if $clampmss;
 	}
    }

-    add_ijump $chainref , j => "TCPMSS${option}", p => 'tcp --tcp-flags SYN,RST SYN', @match if $clampmss;
+    add_ijump $chainref , j => 'TCPMSS', targetopts => $option, p => 'tcp --tcp-flags SYN,RST SYN', @match if $clampmss;
 }

 #
@@ -1928,6 +1958,9 @@ EOF
 	        refresh)
 	            logger -p kern.err "ERROR:$g_product refresh failed"
 	            ;;
+                enable)
+                    logger -p kern.err "ERROR:$g_product 'enable $g_interface' failed"
+                    ;;
            esac

            if [ "$RESTOREFILE" = NONE ]; then
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -54,13 +54,16 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = 
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };

    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
 	return 1;
    }

+    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+
    my $pre_nat;
    my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
    my $destnets = '';
@@ -374,7 +377,7 @@ sub setup_nat() {

 	while ( read_a_line ) {

-	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
+	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };

 	    if ( $external eq 'COMMENT' ) {
 		process_comment;
@@ -383,6 +386,9 @@ sub setup_nat() {

 		$digit = defined $digit ? ":$digit" : '';

+		fatal_error 'EXTERNAL must be specified' if $external eq '-';
+		fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
+
 		for my $interface ( split_list $interfacelist , 'interface' ) {
 		    fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
 		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
@@ -403,36 +409,104 @@ sub setup_netmap() {

    if ( my $fn = open_file 'netmap' ) {

-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
+	first_entry "$doing $fn...";

 	while ( read_a_line ) {

-	    my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
+	    my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 };

 	    $net3 = ALLIP if $net3 eq '-';

 	    for my $interface ( split_list $interfacelist, 'interface' ) {

-		my @rulein;
-		my @ruleout;
 		my $iface = $interface;

 		fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

-		unless ( $interfaceref->{root} ) {
-		    @rulein  = imatch_source_dev( $interface );
-		    @ruleout = imatch_dest_dev( $interface );
-		    $interface = $interfaceref->{name};
-		}
+		my @rule = do_iproto( $proto, $dport, $sport );

-		if ( $type eq 'DNAT' ) {
-		    add_ijump ensure_chain( 'nat' , input_chain $interface ) ,  j => "NETMAP --to $net2", @rulein  , imatch_source_net( $net3 ), d => $net1;
-		} elsif ( $type eq 'SNAT' ) {
-		    add_ijump ensure_chain( 'nat' , output_chain $interface ) , j => "NETMAP --to $net2", @ruleout , imatch_dest_net( $net3 ) ,  s => $net1;
+		unless ( $type =~ /:/ ) {
+		    my @rulein;
+		    my @ruleout;
+		    
+		    validate_net $net1, 0;
+		    validate_net $net2, 0;
+
+		    unless ( $interfaceref->{root} ) {
+			@rulein  = imatch_source_dev( $interface );
+			@ruleout = imatch_dest_dev( $interface );
+			$interface = $interfaceref->{name};
+		    }
+
+		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
+
+		    if ( $type eq 'DNAT' ) {
+			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) , 
+					  j => 'NETMAP' ,
+					  "--to $net2",
+					  $net1 ,
+					  @rulein  ,
+					  imatch_source_net( $net3 ) );
+		    } elsif ( $type eq 'SNAT' ) {
+			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
+					   j => 'NETMAP' ,
+					   "--to $net2" ,
+					   $net1 ,
+					   @ruleout ,
+					   imatch_dest_net( $net3 ) );
+		    } else {
+			fatal_error "Invalid type ($type)";
+		    }
+		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
+		    my ( $target , $chain ) = ( $1, $2 );
+		    my $table = 'raw';
+		    my @match;
+
+		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
+
+		    validate_net $net2, 0;
+
+		    unless ( $interfaceref->{root} ) {
+			@match = imatch_dest_dev(  $interface ); 
+			$interface = $interfaceref->{name};
+		    }
+			
+		    if ( $chain eq 'P' ) {
+			$chain = prerouting_chain $interface;
+			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
+		    } elsif ( $chain eq 'O' ) {
+			$chain = output_chain $interface;
+		    } else {
+			$chain = postrouting_chain $interface;
+			$table = 'rawpost';
+		    }
+
+		    my $chainref = ensure_chain( $table, $chain );
+
+		    
+		    if ( $target eq 'DNAT' ) {
+			dest_iexclusion( $chainref ,
+					 j => 'RAWDNAT' ,
+					 "--to-dest $net2" ,
+					 $net1 ,
+					 imatch_source_net( $net3 ) ,
+					 @rule ,
+					 @match
+				       );
+		    } else {
+			source_iexclusion( $chainref ,
+					   j  => 'RAWSNAT' ,
+					   "--to-source $net2" ,
+					   $net1 ,
+					   imatch_dest_net( $net3 ) ,
+					   @rule ,
+					   @match );
+		    }
 		} else {
-		    fatal_error "Invalid type ($type)";
+		    fatal_error 'TYPE must be specified' if $type eq '-';
+		    fatal_error "Invalid TYPE ($type)";
 		}
-
+		
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -40,7 +40,7 @@ our @EXPORT = qw(
 		 setup_source_routing
 		 setup_forwarding
 		 );
-our @EXPORT_OK = qw( );
+our @EXPORT_OK = qw( setup_interface_proc );
 our $VERSION = 'MODULEVERSION';

 #
@@ -277,4 +277,45 @@ sub setup_forwarding( $$ ) {
    }
 }

+sub setup_interface_proc( $ ) {
+    my $interface = shift;
+    my $physical  = get_physical $interface;
+    my $value;
+    my @emitted;
+
+    if ( interface_has_option( $interface, 'arp_filter' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_filter";
+    }
+	 
+    if ( interface_has_option( $interface, 'arp_ignore' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_ignore";
+    }
+
+    if ( interface_has_option( $interface, 'routefilter' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/rp_filter";
+    }
+
+    if ( interface_has_option( $interface, 'logmartians' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/log_martians";
+    }
+
+    if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
+    }
+
+    if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
+    }
+
+    if ( @emitted ) {
+	emit( '',
+	      'if [ $COMMAND = enable ]; then' );
+	push_indent;
+	emit "$_" for @emitted;
+	pop_indent;
+	emit "fi\n";
+    }
+}
+	 
+
 1;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -29,17 +29,23 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
+use Shorewall::Proc qw( setup_interface_proc );

 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
+our @EXPORT = qw( process_providers
+		  setup_providers
+		  @routemarked_interfaces
+		  handle_stickiness
+		  handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_24';

 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
 	       DEFAULT_TABLE => 253,
+	       BALANCE_TABLE => 250,
 	       UNSPEC_TABLE  => 0
 	       };

@@ -85,10 +91,11 @@ sub initialize( $ ) {
    $first_default_route  = 1;
    $first_fallback_route = 1;

-    %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 } ,
-		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 } ,
-		    default => { number => DEFAULT_TABLE , mark => 0 , optional => 0 } ,
-		    unspec  => { number => UNSPEC_TABLE  , mark => 0 , optional => 0 } );
+    %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
+		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
+		    default => { number => DEFAULT_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
+		    balance => { number => BALANCE_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
+		    unspec  => { number => UNSPEC_TABLE  , mark => 0 , optional => 0 ,routes => [], rules => [] } );
    @providers = ();
 }

@@ -100,7 +107,7 @@ sub setup_route_marking() {

    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;

-    add_ijump $mangle_table->{$_} , j => "CONNMARK --restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
+    add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;

    my $chainref  = new_chain 'mangle', 'routemark';
    my $chainref1 = new_chain 'mangle', 'setsticky';
@@ -122,14 +129,14 @@ sub setup_route_marking() {

 	if ( $providerref->{shared} ) {
 	    add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-	    add_ijump $chainref, j => "MARK --set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
+	    add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
 	    decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
 	} else {
-	    add_ijump $chainref, j => "MARK --set-mark $providerref->{mark}", imatch_source_dev( $interface );
+	    add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
 	}
    }

-    add_ijump $chainref, j => "CONNMARK --save-mark --mask $mask", mark => "! --mark 0/$mask";
+    add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
 }

 sub copy_table( $$$ ) {
@@ -139,6 +146,8 @@ sub copy_table( $$$ ) {
    #
    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';

+    emit '';
+
    if ( $realm ) {
 	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
    } else {
@@ -170,6 +179,8 @@ sub copy_and_edit_table( $$$$ ) {
    # Shell and iptables use a different wildcard character
    #
    $copy =~ s/\+/*/;
+    
+    emit '';

    if ( $realm ) {
 	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
@@ -242,23 +253,33 @@ sub balance_fallback_route( $$$$ ) {
 sub start_provider( $$$ ) {
    my ($table, $number, $test ) = @_;

+    emit "\n#\n# Add Provider $table ($number)\n#";
+
+    emit "start_provider_$table() {";
+    push_indent;
    emit $test;
    push_indent;

-    emit "#\n# Add Provider $table ($number)\n#";
-
    emit "qt ip -$family route flush table $number";
-    emit "echo \"qt \$IP -$family route flush table $number\" >> \${VARDIR}/undo_routing";
+    emit "echo \"qt \$IP -$family route flush table $number\" > \${VARDIR}/undo_${table}_routing";
 }

-sub add_a_provider( ) {
+#
+# Process a record in the providers file
+#
+sub process_a_provider() {

-    my ($table, $number, $mark, $duplicate, $interface, $gateway,  $options, $copy ) = split_line 6, 8, 'providers file';
+    my ($table, $number, $mark, $duplicate, $interface, $gateway,  $options, $copy ) =
+	split_line 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 };

    fatal_error "Duplicate provider ($table)" if $providers{$table};

+    fatal_error 'NAME must be specified' if $table eq '-';
+    fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;
+
    my $num = numeric_value $number;

+    fatal_error 'NUMBER must be specified' if $number eq '-';
    fatal_error "Invalid Provider number ($number)" unless defined $num;

    $number = $num;
@@ -267,6 +288,8 @@ sub add_a_provider( ) {
 	fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
    }

+    fatal_error 'INTERFACE must be specified' if $interface eq '-';
+
    ( $interface, my $address ) = split /:/, $interface;

    my $shared = 0;
@@ -281,7 +304,6 @@ sub add_a_provider( ) {
    fatal_error "A bridge port ($interface) may not be configured as a provider interface" if port_to_bridge $interface;

    my $physical    = get_physical $interface;
-    my $base        = uc chain_base $physical;
    my $gatewaycase = '';

    if ( $gateway eq 'detect' ) {
@@ -303,6 +325,7 @@ sub add_a_provider( ) {
    unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
 	    if ( $option eq 'track' ) {
+		require_capability( 'MANGLE_ENABLED' , q(The 'track' option) , 's' );
 		$track = 1;
 	    } elsif ( $option eq 'notrack' ) {
 		$track = 0;
@@ -326,23 +349,17 @@ sub add_a_provider( ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
 		fatal_error q('fallback' is not available in IPv6) if $family == F_IPV6;
-		if ( $config{USE_DEFAULT_RT} ) {
-		    warning_message "'fallback' is ignored when USE_DEFAULT_RT=Yes";
-		} else {
-		    $default = $1;
-		    fatal_error 'fallback must be non-zero' unless $default;
-		}
+		$default = $1;
+		$default_balance = 0;
+		fatal_error 'fallback must be non-zero' unless $default;
 	    } elsif ( $option eq 'fallback' ) {
 		fatal_error q('fallback' is not available in IPv6) if $family == F_IPV6;
-		if ( $config{USE_DEFAULT_RT} ) {
-		    warning_message "'fallback' is ignored when USE_DEFAULT_RT=Yes";
-		} else {
-		    $default = -1;
-		}
+		$default = -1;
+		$default_balance = 0;
 	    } elsif ( $option eq 'local' ) {
 		$local = 1;
 		$track = 0           if $config{TRACK_PROVIDERS};
-		$default_balance = 0 if$config{USE_DEFAULT_RT};
+		$default_balance = 0 if $config{USE_DEFAULT_RT};
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
@@ -351,6 +368,13 @@ sub add_a_provider( ) {

    fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default;

+    if ( $local ) {
+	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
+	fatal_error "'track' not valid with 'local'"          if $track;
+	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
+	fatal_error "MARK required with 'local'"              unless $mark;
+    }
+
    my $val = 0;
    my $pref;

@@ -358,6 +382,8 @@ sub add_a_provider( ) {

    if ( $mark ne '-' ) {

+	require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
+
 	$val = numeric_value $mark;

 	fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
@@ -385,8 +411,18 @@ sub add_a_provider( ) {

    $balance = $default_balance unless $balance;

+    fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
+
+    if ( $duplicate ne '-' ) {
+	fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
+    } elsif ( $copy ne '-' ) {
+	fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
+	fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column';
+    }
+
    $providers{$table} = { provider    => $table,
 			   number      => $number ,
+			   rawmark     => $mark ,
 			   mark        => $val ? in_hex($val) : $val ,
 			   interface   => $interface ,
 			   physical    => $physical ,
@@ -394,7 +430,19 @@ sub add_a_provider( ) {
 			   gateway     => $gateway ,
 			   gatewaycase => $gatewaycase ,
 			   shared      => $shared ,
-			   default     => $default };
+			   default     => $default ,
+			   copy        => $copy ,
+			   balance     => $balance ,
+			   pref        => $pref ,
+			   mtu         => $mtu ,
+			   track       => $track ,
+			   loose       => $loose ,
+			   duplicate   => $duplicate ,
+			   address     => $address ,
+			   local       => $local ,
+			   rules       => [] ,
+			   routes      => [] ,
+			 };

    if ( $track ) {
 	fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';
@@ -410,9 +458,39 @@ sub add_a_provider( ) {
 	push @routemarked_providers, $providers{$table};
    }

-    my $realm = '';
+    push @providers, $table;

-    fatal_error "Interface $interface is already associated with non-shared provider $provider_interfaces{$interface}" if $provider_interfaces{$table};
+}
+
+#
+# Generate the start_provider_...() function for the passed provider
+#
+sub add_a_provider( $$ ) {
+  
+    my ( $providerref, $tcdevices ) = @_;
+    
+    my $table       = $providerref->{provider};
+    my $number      = $providerref->{number};
+    my $mark        = $providerref->{rawmark};
+    my $interface   = $providerref->{interface};
+    my $physical    = $providerref->{physical};
+    my $optional    = $providerref->{optional};
+    my $gateway     = $providerref->{gateway};
+    my $gatewaycase = $providerref->{gatewaycase};
+    my $shared      = $providerref->{shared};
+    my $default     = $providerref->{default};
+    my $copy        = $providerref->{copy};
+    my $balance     = $providerref->{balance};
+    my $pref        = $providerref->{pref};
+    my $mtu         = $providerref->{mtu};
+    my $track       = $providerref->{track};
+    my $loose       = $providerref->{loose};
+    my $duplicate   = $providerref->{duplicate};
+    my $address     = $providerref->{address};
+    my $local       = $providerref->{local};
+    my $dev         = chain_base $physical;
+    my $base        = uc $dev;
+    my $realm = '';

    if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
@@ -426,7 +504,6 @@ sub add_a_provider( ) {
 	} else {
 	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
 	}
-
 	$provider_interfaces{$interface} = $table;

 	if ( $gatewaycase eq 'none' ) {
@@ -437,6 +514,11 @@ sub add_a_provider( ) {
 	    }
 	}
    }
+    
+    #
+    # /proc for this interface
+    #
+    setup_interface_proc( $interface );

    if ( $mark ne '-' ) {
 	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';
@@ -444,12 +526,11 @@ sub add_a_provider( ) {
 	emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};

 	emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
-	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_routing"
+	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
 	     );
    }

    if ( $duplicate ne '-' ) {
-	fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
 	if ( $copy eq '-' ) {
 	    copy_table ( $duplicate, $number, $realm );
 	} else {
@@ -461,9 +542,6 @@ sub add_a_provider( ) {

 	    copy_and_edit_table( $duplicate, $number ,$copy , $realm);
 	}
-    } elsif ( $copy ne '-' ) {
-	fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
-	fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column';
    }

    if ( $gateway ) {
@@ -477,109 +555,195 @@ sub add_a_provider( ) {
 	    emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $number $realm";
 	    emit "run_ip route add $gateway src $address dev $physical ${mtu}table $number $realm";
 	}
-   	
+
 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
- }
+    }

-    balance_default_route $balance , $gateway, $physical, $realm if $balance;
-
-    if ( $default > 0 ) {
-	balance_fallback_route $default , $gateway, $physical, $realm;
+    if ( $balance ) {
+	balance_default_route( $balance , $gateway, $physical, $realm );
+    } elsif ( $default > 0 ) {
+	balance_fallback_route( $default , $gateway, $physical, $realm );
    } elsif ( $default ) {
 	emit '';
 	if ( $gateway ) {
 	    if ( $family == F_IPV4 ) {
+		emit qq(run_ip route replace $gateway dev $physical table ) . DEFAULT_TABLE;
 		emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    } else {
 		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 		emit qq(run_ip route add default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    }
-	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
 	} else {
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
-	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_routing);
+	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
+	}
+	
+	$fallback = 1;
+    }
+
+    unless ( $local ) {
+	if ( $loose ) {
+	    if ( $config{DELETE_THEN_ADD} ) {
+		emit ( "\nfind_interface_addresses $physical | while read address; do",
+		       "    qt \$IP -$family rule del from \$address",
+		       'done'
+		     );
+	    }
+	} elsif ( $shared ) {
+	    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+	    emit( "run_ip rule add from $address pref 20000 table $number" ,
+		  "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_${table}_routing" );
+	} else {
+	    my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
+
+	    emit "\nrulenum=$rulebase\n";
+
+	    emit  ( "find_interface_addresses $physical | while read address; do" );
+	    emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+	    emit  ( "    run_ip rule add from \$address pref \$rulenum table $number",
+		    "    echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_${table}_routing",
+		    '    rulenum=$(($rulenum + 1))',
+		    'done'
+		  );
 	}
    }

-    if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
-	fatal_error "'track' not valid with 'local'"          if $track;
-	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
-	fatal_error "MARK required with 'local'"              unless $mark;
-    } elsif ( $loose ) {
-	if ( $config{DELETE_THEN_ADD} ) {
-	    emit ( "\nfind_interface_addresses $physical | while read address; do",
-		   "    qt \$IP -$family rule del from \$address",
-		   'done'
-		 );
+    if ( @{$providerref->{rules}} ) {
+	emit '';
+	emit $_ for @{$providers{$table}->{rules}};
+    }
+    
+    if ( @{$providerref->{routes}} ) {
+	emit '';
+	emit $_ for @{$providers{$table}->{routes}};
+    }
+
+    emit( '' );
+
+    my ( $tbl, $weight );
+
+    if ( $optional ) {
+	emit( 'if [ $COMMAND = enable ]; then' );
+
+	push_indent;
+
+	if ( $balance || $default > 0 ) {
+	    $tbl    = $default ? DEFAULT_TABLE : $config{USE_DEFAULT_RT} ? BALANCE_TABLE : MAIN_TABLE;
+	    $weight = $balance ? $balance : $default;
+
+	    if ( $gateway ) {
+		emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
+	    } else {
+		emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
+	    }
+
+	} else {
+	    $weight = 1;
 	}
-    } elsif ( $shared ) {
-	emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
-	emit( "run_ip rule add from $address pref 20000 table $number" ,
-	      "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_routing" );
+
+	emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
+
+	emit ( qq(progress_message2 "   Provider $table ($number) Started") );
+
+	pop_indent;
+ 
+	emit( 'else' ,
+	      qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
+	      qq(    progress_message "   Provider $table ($number) Started"),
+	      qq(fi\n)
+	    );
    } else {
-	my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
-
-	emit "\nrulenum=0\n";
-
-	emit  ( "find_interface_addresses $physical | while read address; do" );
-	emit  (	"    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
-	emit  (	"    run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
-		"    echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_routing",
-		'    rulenum=$(($rulenum + 1))',
-		'done'
-	      );
+	emit( qq(progress_message "Provider $table ($number) Started") );
    }
-
-    emit qq(\nprogress_message "   Provider $table ($number) Added"\n);
-
+    
    pop_indent;
+
    emit 'else';

+    push_indent;
+
    if ( $optional ) {
 	if ( $shared ) {
-	    emit ( "    error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );	    
+	    emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" );	    
 	} else {
-	    emit ( "    error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Added\"" );
+	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
    } else {
 	if ( $shared ) {
-	    emit( "    fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Added\"" );
+	    emit( "fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Started\"" );
 	} else {
-	    emit( "    fatal_error \"Interface $physical is not usable -- Provider $table ($number) Cannot be Added\"" );
+	    emit( "fatal_error \"Interface $physical is not usable -- Provider $table ($number) Cannot be Started\"" );
 	}
    }

-    emit "fi\n";
+    pop_indent;

-    push @providers, $table;
+    emit 'fi';
+
+    pop_indent;
+
+    emit '}'; # End of start_provider_$table();
+
+    if ( $optional ) {
+	emit( '',
+	      '#',
+	      "# Stop provider $table",
+	      '#',
+	      "stop_provider_$table() {" );
+
+	push_indent;
+
+	my $undo = "\${VARDIR}/undo_${table}_routing";
+
+	emit( "if [ -f $undo ]; then" );
+
+	push_indent;
+
+	if ( $balance || $default > 0 ) {
+	    $tbl    = $default ? DEFAULT_TABLE : $config{USE_DEFAULT_RT} ? BALANCE_TABLE : MAIN_TABLE;
+	    $weight = $balance ? $balance : $default;
+
+	    my $via;
+
+	    if ( $gateway ) {
+		$via = "via $gateway dev $physical";
+	    } else {    
+		$via = "dev $physical";
+	    }
+
+	    $via .= " weight $weight" unless $weight < 0;
+	    $via .= " $realm"         if $realm;
+
+	    emit( qq(delete_gateway "$via" $tbl $physical) );
+	}
+
+	emit (". $undo",
+	      "> $undo" );
+
+	emit( '', 
+	      "qt \$TC qdisc del dev $physical root",
+	      "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
+
+	emit( "progress_message2 \"Provider $table stopped\"" );
+
+	pop_indent;
+
+	emit( 'else',
+	      "    startup_error \"$undo does not exist\"",
+	      'fi'
+	    );
+
+	pop_indent;
+
+	emit '}';
+    }

    progress_message "   Provider \"$currentline\" $done";
 }

-#
-# Begin an 'if' statement testing whether the passed interface is available
-#
-sub start_new_if( $ ) {
-    our $current_if = shift;
-
-    emit ( '', qq(if [ -n "\$SW_${current_if}_IS_USABLE" ]; then) );
-    push_indent;
-}
-
-#
-# Complete any current 'if' statement in the output script
-#
-sub finish_current_if() {
-    if ( our $current_if ) {
-	pop_indent;
-	emit ( "fi\n" );
-	$current_if = '';
-    }
-}
-
 sub add_an_rtrule( ) {
-    my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
+    my ( $source, $dest, $provider, $priority ) = split_line 'route_rules file', { source => 0, dest => 1, provider => 2, priority => 3 };

    our $current_if;

@@ -601,6 +765,11 @@ sub add_an_rtrule( ) {
 	fatal_error "Unknown provider ($provider)" unless $found;
    }

+    my $providerref = $providers{$provider};
+
+    my $number = $providerref->{number};
+
+    fatal_error "You may not add rules for the $provider provider" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE;
    fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';

    if ( $dest eq '-' ) {
@@ -641,29 +810,20 @@ sub add_an_rtrule( ) {

    $priority = "priority $priority";

-    finish_current_if, emit ( "qt \$IP -$family rule del $source $dest $priority" ) if $config{DELETE_THEN_ADD};
-
-    my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
-
-    if ( $optional ) {
-	my $base = uc chain_base( $providers{$provider}{physical} );
-	finish_current_if if $base ne $current_if;
-	start_new_if( $base ) unless $current_if;
-    } else {
-	finish_current_if;
-    }
-
-    emit ( "run_ip rule add $source $dest $priority table $number",
-	   "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_routing" );
+    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source $dest $priority" if $config{DELETE_THEN_ADD};
+    push @{$providerref->{rules}}, "run_ip rule add $source $dest $priority table $number";
+    push @{$providerref->{rules}}, "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_${provider}_routing";

    progress_message "   Routing rule \"$currentline\" $done";
 }

 sub add_a_route( ) {
-    my ( $provider, $dest, $gateway, $device ) = split_line 2, 4, 'routes file';
+    my ( $provider, $dest, $gateway, $device ) = split_line 'routes file', { provider => 0, dest => 1, gateway => 2, device => 3 };

    our $current_if;

+    fatal_error 'PROVIDER must be specified' if $provider eq '-';
+
    unless ( $providers{$provider} ) {
 	my $found = 0;

@@ -673,7 +833,6 @@ sub add_a_route( ) {
 	    for ( keys %providers ) {
 		if ( $providers{$_}{number} == $provider_number ) {
 		    $provider = $_;
-		    fatal_error "You may not add routes to the $provider table" if $provider_number == LOCAL_TABLE || $provider_number == UNSPEC_TABLE;
 		    $found = 1;
 		    last;
 		}
@@ -683,34 +842,30 @@ sub add_a_route( ) {
 	fatal_error "Unknown provider ($provider)" unless $found;
    }

+    fatal_error 'DEST must be specified' if $dest eq '-';
    validate_net ( $dest, 1 );

    validate_address ( $gateway, 1 ) if $gateway ne '-';

-    my ( $optional, $number ) = ( $providers{$provider}{optional} , $providers{$provider}{number} );
-
+    my $providerref = $providers{$provider};
+    my $number = $providerref->{number};
    my $physical = $device eq '-' ? $providers{$provider}{physical} : physical_name( $device );
-    
-    if ( $providers{$provider}{optional} ) {
-	my $base = uc chain_base( $physical );
-	finish_current_if if $base ne $current_if;
-	start_new_if ( $base ) unless $current_if;
-    } else {
-	finish_current_if;
-    }
+    my $routes = $providerref->{routes};

+    fatal_error "You may not add routes to the $provider table" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE;
+    
    if ( $gateway ne '-' ) {
 	if ( $device ne '-' ) {
-	    emit qq(run_ip route add $dest via $gateway dev $physical table $number);
-	    emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE;
+	    push @$routes, qq(run_ip route add $dest via $gateway dev $physical table $number);
+	    emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} else {
-	    emit qq(run_ip route add $dest via $gateway table $number);
-	    emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE; 
+	    push @$routes, qq(run_ip route add $dest via $gateway table $number);
+	    emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE; 
 	}
    } else {
 	fatal_error "You must specify a device for this route" unless $physical;
-	emit qq(run_ip route add $dest dev $physical table $number);
-	emit qq(echo "\$IP -$family route del $dest dev $physical table $number" >> \${VARDIR}/undo_routing) if $number >= DEFAULT_TABLE;
+	push @$routes, qq(run_ip route add $dest dev $physical table $number);
+	emit qq(echo "\$IP -$family route del $dest dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
    }

    progress_message "   Route \"$currentline\" $done";
@@ -718,17 +873,16 @@ sub add_a_route( ) {

 sub setup_null_routing() {
    save_progress_message "Null Routing the RFC 1918 subnets";
+    emit "> \${VARDIR}undo_rfc1918_routing\n";
    for ( rfc1918_networks ) {
 	emit( qq(if ! \$IP -4 route ls | grep -q '^$_.* dev '; then),
 	      qq(    run_ip route replace unreachable $_),
-	      qq(    echo "qt \$IP -4 route del unreachable $_" >> \${VARDIR}/undo_routing),
+	      qq(    echo "qt \$IP -4 route del unreachable $_" >> \${VARDIR}/undo_rfc1918_routing),
 	      qq(fi\n) );
    }
 }

 sub start_providers() {
-    require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' );
-
    emit  ( '#',
 	    '# Undo any changes made since the last time that we [re]started -- this will not restore the default route',
 	    '#',
@@ -746,17 +900,22 @@ sub start_providers() {
    emit  ( '#',
 	    '# Capture the default route(s) if we don\'t have it (them) already.',
 	    '#',
-	    "[ -f \${VARDIR}/default_route ] || \$IP -$family route list | save_default_route > \${VARDIR}/default_route",
-	    '#',
-	    '# Initialize the file that holds \'undo\' commands',
-	    '#',
-	    '> ${VARDIR}/undo_routing' );
+	    "[ -f \${VARDIR}/default_route ] || \$IP -$family route list | save_default_route > \${VARDIR}/default_route" );

    save_progress_message 'Adding Providers...';

    emit 'DEFAULT_ROUTE=';
    emit 'FALLBACK_ROUTE=';
    emit '';
+    
+    for my $provider ( qw/main default/ ) {
+	emit '';
+	emit qq(> \${VARDIR}/undo_${provider}_routing );
+	emit '';
+	emit $_ for @{$providers{$provider}{routes}};
+	emit '';
+	emit $_ for @{$providers{$provider}{rules}};
+    }
 }

 sub finish_providers() {
@@ -764,12 +923,14 @@ sub finish_providers() {
 	my $table = MAIN_TABLE;

 	if ( $config{USE_DEFAULT_RT} ) {
-	    emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE . ' pref 999',
+	    emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999',
+		   'run_ip rule add from ' . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765',
 		   "\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
-		   qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_routing',
-		   qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_routing',
+		   qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 32766" >> ${VARDIR}/undo_main_routing',
+		   qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999" >> ${VARDIR}/undo_main_routing',
+		   qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765" >> ${VARDIR}/undo_balance_routing',
 		   '' );
-	    $table = DEFAULT_TABLE;
+	    $table = BALANCE_TABLE;
 	}

 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
@@ -820,6 +981,8 @@ sub finish_providers() {
 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'fi',
 	      '' );
+    } elsif ( $config{USE_DEFAULT_RT} ) {
+	emit "qt \$IP -$family route del default table " . DEFAULT_TABLE;
    }

    unless ( $config{KEEP_RT_TABLES} ) {
@@ -832,7 +995,7 @@ sub finish_providers() {
 			      '#',
 			      LOCAL_TABLE   . "\tlocal",
 			      MAIN_TABLE    . "\tmain",
-			      DEFAULT_TABLE . "\tdefault",
+			      $config{USE_DEFAULT_RT} ? ( DEFAULT_TABLE . "\tdefault\n" . BALANCE_TABLE . "\tbalance" ) : DEFAULT_TABLE . "\tdefault",
 			      "0\tunspec",
 			      '#',
 			      '# local',
@@ -844,58 +1007,136 @@ sub finish_providers() {
    }
 }

-sub setup_providers() {
-    my $providers = 0;
+sub process_providers( $ ) {
+    my $tcdevices = shift;
+
+    our $providers = 0;

    $lastmark = 0;

    if ( my $fn = open_file 'providers' ) {
-
-	first_entry sub() {
-	    progress_message2 "$doing $fn...";
-	    emit "\nif [ -z \"\$g_noroutes\" ]; then";
-	    push_indent;
-	    start_providers; };
- 
-	add_a_provider, $providers++ while read_a_line;
+	first_entry "$doing $fn..."; 
+	process_a_provider, $providers++ while read_a_line;
    }

    if ( $providers ) {
-	finish_providers;
-
-	my $fn = open_file 'routes';
+	my $fn = open_file 'route_rules';

 	if ( $fn ) {
-	    our $current_if = '';
-
 	    first_entry "$doing $fn...";
-
-	    emit '';
-
-	    add_a_route while read_a_line;
-
-	    finish_current_if;
-	}
-
-	$fn = open_file 'route_rules';
-
-	if ( $fn ) {
-	    our $current_if = '';
-
-	    first_entry "$doing $fn...";
-
+	    
 	    emit '';

 	    add_an_rtrule while read_a_line;
-
-	    finish_current_if;
 	}

+	$fn = open_file 'routes';
+
+	if ( $fn ) {
+	    first_entry "$doing $fn...";
+	    emit '';
+	    add_a_route while read_a_line;
+	}
+    }
+
+    add_a_provider( $providers{$_}, $tcdevices ) for @providers;
+    
+    emit << 'EOF';;
+
+#
+# Enable an optional provider
+#
+enable_provider() {
+    g_interface=$1;
+
+    case $g_interface in
+EOF
+
+    push_indent;
+    push_indent;
+
+    for my $provider (@providers ) {
+	my $providerref = $providers{$provider};
+
+	emit( "$providerref->{physical})",
+	      "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
+	      "        start_provider_$provider",
+	      '    else',
+	      '        startup_error "Interface $g_interface is already enabled"',
+	      '    fi',
+	      '    ;;'
+	    ) if $providerref->{optional};
+    }
+
+    pop_indent;
+    pop_indent;
+
+    emit << 'EOF';;
+        *)
+            startup_error "$g_interface is not an optional provider interface"
+            ;;
+    esac
+}
+
+#
+# Disable an optional provider
+#
+disable_provider() {
+    g_interface=$1;
+
+    case $g_interface in
+EOF
+
+    push_indent;
+    push_indent;
+
+    for my $provider (@providers ) {
+	my $providerref = $providers{$provider};
+
+	emit( "$providerref->{physical})",
+	      "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
+	      "        stop_provider_$provider",
+	      '    else',
+	      '        startup_error "Interface $g_interface is already disabled"',
+	      '    fi',
+	      '    ;;'
+	    ) if $providerref->{optional};
+    }
+
+    pop_indent;
+    pop_indent;
+
+    emit << 'EOF';;
+        *)
+            startup_error "$g_interface is not an optional provider interface"
+            ;;
+    esac
+}
+EOF
+
+}
+
+sub setup_providers() {
+    our $providers;
+
+    if ( $providers ) {
+	emit "\nif [ -z \"\$g_noroutes\" ]; then";
+	
+	push_indent;
+
+	start_providers;
+	
+	emit '';
+
+	emit "start_provider_$_" for @providers;
+
+	emit '';
+
+	finish_providers;
+
 	setup_null_routing if $config{NULL_ROUTE_RFC1918};
 	emit "\nrun_ip route flush cache";
-	#
-	# This completes the if-block begun in the first_entry closure above
-	#
+
 	pop_indent;
 	emit "fi\n";

@@ -909,10 +1150,6 @@ sub setup_providers() {
 	emit "restore_default_route $config{USE_DEFAULT_RT}";

 	if ( $config{NULL_ROUTE_RFC1918} ) {
-	    emit  ( '#',
-		    '# Initialize the file that holds \'undo\' commands',
-		    '#',
-		    '> ${VARDIR}/undo_routing' );
 	    setup_null_routing;
 	    emit "\nrun_ip route flush cache";
 	}
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -122,13 +122,15 @@ sub setup_proxy_arp() {

 	while ( read_a_line ) {

-	    my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, $file_opt;
+	    my ( $address, $interface, $external, $haveroute, $persistent ) =
+		split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };

 	    if ( $first_entry ) {
 		progress_message2 "$doing $fn...";
 		$first_entry = 0;
 	    }

+	    fatal_error 'EXTERNAL must be specified' if $external eq '-';
 	    fatal_error "Unknown interface ($external)" unless known_interface $external;
 	    fatal_error "Wildcard interface ($external) not allowed" if $external =~ /\+$/;
 	    $reset{$external} = 1 unless $set{$external};
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -84,7 +84,7 @@ sub setup_notrack() {

 	while ( read_a_line ) {

-	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';
+	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };

 	    if ( $source eq 'COMMENT' ) {
 		process_comment;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -77,6 +77,21 @@ my $rule_commands   = { COMMENT => 0, FORMAT => 2, SECTION => 2 };
 my $action_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULTS => 2 };
 my $macro_commands  = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULT => 2 };

+my %rulecolumns = ( action    =>   0,
+		    source    =>   1,
+		    dest      =>   2,
+		    proto     =>   3,
+		    dport     =>   4,
+		    sport     =>   5,
+		    origdest  =>   6,
+		    rate      =>   7,
+		    user      =>   8,
+		    mark      =>   9,
+		    connlimit =>  10,
+		    time      =>  11,
+		    headers   =>  12,
+		    switch    =>  13 );
+
 use constant { MAX_MACRO_NEST_LEVEL => 5 };

 my $macro_nest_level;
@@ -130,7 +145,8 @@ sub initialize( $ ) {
    #
    # These are set to 1 as sections are encountered.
    #
-    %sections = ( ESTABLISHED => 0,
+    %sections = ( ALL         => 0,
+		  ESTABLISHED => 0,
 		  RELATED     => 0,
 		  NEW         => 0
 		  );
@@ -296,12 +312,17 @@ sub process_a_policy() {
    our %validpolicies;
    our @zonelist;

-    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = split_line 3, 6, 'policy file';
+    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) =
+	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;

    $loglevel  = '' if $loglevel  eq '-';
    $synparams = '' if $synparams eq '-';
    $connlimit = '' if $connlimit eq '-';

+    fatal_error 'SOURCE must be specified' if $client eq '-';
+    fatal_error 'DEST must be specified'   if $server eq '-';
+    fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
+
    my $clientwild = ( "\L$client" eq 'all' );

    fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
@@ -533,7 +554,7 @@ sub policy_rules( $$$$$ ) {
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
 	
-	add_ijump( $chainref , j => 'AUDIT --type ' . lc $target ) if $chainref->{audit};
+	add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
 	add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
    }
 }
@@ -1353,7 +1374,7 @@ sub process_actions() {
 	open_file $file;

 	while ( read_a_line ) {
-	    my ( $action ) = split_line 1, 1, 'action file';
+	    my ( $action ) = split_line 'action file' , { action => 0 };

 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1381,7 +1402,7 @@ sub process_actions() {

 }

-sub process_rule1 ( $$$$$$$$$$$$$$$$ );
+sub process_rule1 ( $$$$$$$$$$$$$$$$$ );

 #
 # Populate an action invocation chain. As new action tuples are encountered,
@@ -1414,16 +1435,19 @@ sub process_action( $) {

 	while ( read_a_line ) {

-	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers );
+	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition );

 	    if ( $format == 1 ) {
-		($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file', $rule_commands;
-		$origdest = $connlimit = $time = $headers = '-';
+		($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
+		    split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands;
+		$origdest = $connlimit = $time = $headers = $condition = '-';
 	    } else {
-		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers )
-		    = split_line1 1, 13, 'action file', $action_commands;
+		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition )
+		    = split_line1 'action file', \%rulecolumns, $action_commands;
 	    }

+	    fatal_error 'TARGET must be specified' if $target eq '-';
+
 	    if ( $target eq 'COMMENT' ) {
 		process_comment;
 		next;
@@ -1455,6 +1479,7 @@ sub process_action( $) {
 			   $connlimit,
 			   $time,
 			   $headers,
+			   $condition,
 			   0 );
 	}

@@ -1484,8 +1509,8 @@ sub use_policy_action( $ ) {
 #
 # Expand a macro rule from the rules file
 #
-sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
-    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $wildcard ) = @_;
+sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
+    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $wildcard ) = @_;

    my $nocomment = no_comment;

@@ -1503,15 +1528,17 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {

    while ( read_a_line ) {

-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition );

 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $rule_commands;
-	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders ) = qw/- - - - -/;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
+	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = qw/- - - - - -/;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders ) = split_line1 1, 13, 'macro file', $rule_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
 	}

+	fatal_error 'TARGET must be specified' if $mtarget eq '-';
+	
 	if ( $mtarget eq 'COMMENT' ) {
 	    process_comment unless $nocomment;
 	    next;
@@ -1585,6 +1612,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
 				    merge_macro_column( $mconnlimit, $connlimit) ,
 				    merge_macro_column( $mtime,      $time ),
 				    merge_macro_column( $mheaders,   $headers ),
+				    merge_macro_column( $mcondition, $condition ),
 				    $wildcard
 				   );

@@ -1617,7 +1645,7 @@ sub verify_audit($;$$) {
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action 
 # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
 #
-sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
+sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $target, 
 	 $current_param,
@@ -1633,6 +1661,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	 $connlimit,
 	 $time,
 	 $headers,
+	 $condition,
 	 $wildcard ) = @_;

    my ( $action, $loglevel) = split_action $target;
@@ -1684,6 +1713,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 				       $connlimit,
 				       $time,
 				       $headers,
+				       $condition,
 				       $wildcard );

 	$macro_nest_level--;
@@ -1741,8 +1771,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	fatal_error "The $basictarget TARGET does not accept parameters" if $action =~ s/\(\)$//;
    }

-    if ( $inaction ) {
-	$targets{$inaction} |= NATRULE if $actiontype & (NATRULE | NONAT | NATONLY ) 
+    if ( $actiontype & (NATRULE | NONAT | NATONLY ) ) {
+	$targets{$inaction} |= NATRULE if $inaction;
+	fatal_error "NAT rules are only allowed in the NEW section" unless $section eq 'NEW';
    }
    #
    # Take care of irregular syntax and targets
@@ -1904,9 +1935,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    #
 	    $chainref = ensure_rules_chain $chain;
 	    #
-	    # Don't let the rules in this chain be moved elsewhere
-	    #
-	    dont_move $chainref;
+ 	    # Don't let the rules in this chain be moved elsewhere
+ 	    #
+ 	    dont_move $chainref;
 	}
    }
    #
@@ -1922,7 +1953,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 		      do_user( $user ) ,
 		      do_test( $mark , $globals{TC_MASK} ) ,
 		      do_connlimit( $connlimit ),
-		      do_time( $time ) );
+		      do_time( $time ) ,
+		      do_headers( $headers ) ,
+		      do_condition( $condition ) ,
+		    );
    } else {
 	$rule = join( '',
 		      do_proto($proto, $ports, $sports),
@@ -1931,14 +1965,15 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 		      do_test( $mark , $globals{TC_MASK} ) ,
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
-		      do_headers( $headers )
+		      do_headers( $headers ) ,
+		      do_condition( $condition ) ,
 		    );
    }

    unless ( $section eq 'NEW' || $inaction ) {
 	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
 	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
-	$rule .= "$globals{STATEMATCH} $section "
+	$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL';
    }

    #
@@ -2078,8 +2113,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    $rule = join( '',
 			  do_proto( $proto, $ports, $sports ),
 			  do_ratelimit( $ratelimit, 'ACCEPT' ),
-			  do_user $user ,
-			  do_test( $mark , $globals{TC_MASK} ) );
+			  do_user $user,
+			  do_test( $mark , $globals{TC_MASK} ),
+			  do_condition( $condition )
+			);
 	    $loglevel = '';
 	    $dest     = $server;
 	    $action   = 'ACCEPT';
@@ -2106,11 +2143,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	my $chn;

 	if ( $inaction ) {
-	    $nonat_chain = ensure_chain 'nat', $chain;
+	    $nonat_chain = ensure_chain( 'nat', $chain );
 	} elsif ( $sourceref->{type} == FIREWALL ) {
 	    $nonat_chain = $nat_table->{OUTPUT};
 	} else {
-	    $nonat_chain = ensure_chain 'nat', dnat_chain $sourcezone;
+	    $nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );

 	    my @interfaces = keys %{zone_interfaces $sourcezone};

@@ -2151,6 +2188,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    }
 	}

+	dont_move( dont_optimize( $nonat_chain ) ) if $tgt eq 'RETURN';
+
 	expand_rule( $nonat_chain ,
 		     PREROUTE_RESTRICT ,
 		     $rule ,
@@ -2162,19 +2201,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 		     $log_action ,
 		     '',
 		   );
-	#
-	# Possible optimization if the rule just generated was a simple jump to the nonat chain
-	#
-	if ( $chn && ${$nonat_chain->{rules}}[-1] eq "-A -j $tgt" ) {
-	    #
-	    # It was -- delete that rule
-	    #
-	    pop @{$nonat_chain->{rules}};
-	    #
-	    # And move the rules from the nonat chain to the zone dnat chain
-	    #
-	    move_rules ( $chn, $nonat_chain );
-	}
    }

    #
@@ -2185,6 +2211,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	if ( $actiontype & ACTION ) {
 	    $action = $usedactions{$normalized_target}{name};
 	    $loglevel = '';
+	} else {
+	    dont_move( dont_optimize ( $chainref ) ) if $action eq 'RETURN';
 	}

 	if ( $origdest ) {
@@ -2199,7 +2227,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {

 	verify_audit( $action ) if $actiontype & AUDIT;

-	expand_rule( ensure_chain( 'filter', $chain ) ,
+	expand_rule( $chainref ,
 		     $restriction ,
 		     $rule ,
 		     $source ,
@@ -2228,11 +2256,13 @@ sub process_section ($) {
    fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
    $sections{$sect} = 1;

-    if ( $sect eq 'RELATED' ) {
-	$sections{ESTABLISHED} = 1;
+    if ( $sect eq 'ESTABLISHED' ) {
+	$sections{ALL} = 1;
+    } elsif ( $sect eq 'RELATED' ) {
+	@sections{'ALL','ESTABLISHED'} = ( 1, 1);
 	finish_section 'ESTABLISHED';
    } elsif ( $sect eq 'NEW' ) {
-	@sections{'ESTABLISHED','RELATED'} = ( 1, 1 );
+	@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
 	finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
    }

@@ -2308,8 +2338,10 @@ sub build_zone_list( $$$\$\$ ) {
 # Process a Record in the rules file
 #
 sub process_rule ( ) {
-    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers )
-	= split_line1 1, 13, 'rules file', $rule_commands;
+    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition )
+	= split_line1 'rules file', \%rulecolumns, $rule_commands;
+
+    fatal_error 'ACTION must be specified' if $target eq '-';

    process_comment,            return 1 if $target eq 'COMMENT';
    process_section( $source ), return 1 if $target eq 'SECTION';
@@ -2362,6 +2394,7 @@ sub process_rule ( ) {
 						 $connlimit,
 						 $time,
 						 $headers,
+						 $condition,
 						 $wild );
 		}
 	    }
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -38,7 +38,7 @@ use Shorewall::Providers;
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_tc );
+our @EXPORT = qw( process_tc setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
 our $VERSION = 'MODULEVERSION';

@@ -151,8 +151,8 @@ my  $ipp2p;
 #                                                  leaf      => 0|1
 #                                                  guarantee => <sum of rates of sub-classes>
 #                                                  options   => { tos  => [ <value1> , <value2> , ... ];
-#                                                  tcp_ack => 1 ,
-#                                                  ...
+#                                                  tcp_ack   => 1 ,
+#                                                  filters   => [ filter list ]
 #                                                }
 #                                     }
 #             }
@@ -191,10 +191,13 @@ sub initialize( $ ) {
 }

 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = split_line1 2, 13, 'tcrules file';
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = 
+	split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12 };

    our @tccmd;

+    fatal_error 'MARK must be specified' if $originalmark eq '-';
+
    if ( $originalmark eq 'COMMENT' ) {
 	process_comment;
 	return;
@@ -390,8 +393,47 @@ sub process_tc_rule( ) {
 			}

 			$target .= ' --tproxy-mark';
-		    }
+		    } elsif ( $target eq 'TTL' ) {
+			fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
+			fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
+			fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );

+			$chain = 'tcfor';
+
+			$cmd =~ /^TTL\(([-+]?\d+)\)$/;
+
+			my $param =  $1;
+
+			fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+			if ( $1 =~ /^\+/ ) {
+			    $target .= " --ttl-inc $param";
+			} elsif ( $1 =~ /\-/ ) {
+			    $target .= " --ttl-dec $param";
+			} else {
+			    $target .= " --ttl-set $param";
+			}
+		    } elsif ( $target eq 'HL' ) {
+			fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
+			fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
+			fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
+
+			$chain = 'tcfor';
+
+			$cmd =~ /^HL\(([-+]?\d+)\)$/;
+
+			my $param =  $1;
+
+			fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+			if ( $1 =~ /^\+/ ) {
+			    $target .= " --hl-inc $param";
+			} elsif ( $1 =~ /\-/ ) {
+			    $target .= " --hl-dec $param";
+			} else {
+			    $target .= " --hl-set $param";
+			}
+		    }

 		    if ( $rest ) {
 			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
@@ -492,8 +534,9 @@ sub process_flow($) {
 }

 sub process_simple_device() {
-    my ( $device , $type , $in_bandwidth , $out_part ) = split_line 1, 4, 'tcinterfaces';
+    my ( $device , $type , $in_bandwidth , $out_part ) = split_line 'tcinterfaces', { interface => 0, type => 1, in_bandwidth => 2, out_bandwidth => 3 };

+    fatal_error 'INTERFACE must be specified'      if $device eq '-';
    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;

@@ -504,6 +547,8 @@ sub process_simple_device() {
    my $physical = physical_name $device;
    my $dev      = chain_base( $physical );

+    push @tcdevices, $device;
+
    if ( $type ne '-' ) {
 	if ( lc $type eq 'external' ) {
 	    $type = 'nfct-src';
@@ -530,6 +575,15 @@ sub process_simple_device() {
 	$in_bandwidth = rate_to_kbit( $in_bandwidth );
    }

+    emit( '',
+	  '#',
+	  "# Setup Simple Traffic Shaping for $physical",
+	  '#',
+	  "setup_${dev}_tc() {"
+	);
+
+    push_indent;
+
    emit "if interface_is_up $physical; then";

    push_indent;
@@ -607,15 +661,18 @@ sub process_simple_device() {
    emit qq(error_message "WARNING: Device $physical is not in the UP state -- traffic-shaping configuration skipped");
    emit "${dev}_exists=";
    pop_indent;
-    emit "fi\n";
+    emit 'fi';
+    pop_indent;
+    emit "}\n";

    progress_message "  Simple tcdevice \"$currentline\" $done.";
 }

 sub validate_tc_device( ) {
-    my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';
+    my ( $device, $inband, $outband , $options , $redirected ) = split_line 'tcdevices', { interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 };

-    fatal_error "Invalid tcdevices entry" if $outband eq '-';
+    fatal_error 'INTERFACE must be specified' if $device eq '-';
+    fatal_error "Invalid tcdevices entry"     if $outband eq '-';

    my $devnumber;

@@ -711,7 +768,8 @@ sub validate_tc_device( ) {
 			    qdisc         => $qdisc,
 			    guarantee     => 0,
 			    name          => $device,
-			    physical      => physical_name $device
+			    physical      => physical_name $device,
+			    filters       => []
 			  } ,

    push @tcdevices, $device;
@@ -775,7 +833,8 @@ sub dev_by_number( $ ) {
 }

 sub validate_tc_class( ) {
-    my ( $devclass, $mark, $rate, $ceil, $prio, $options ) = split_line 4, 6, 'tcclasses file';
+    my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
+	split_line 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
    my $classnumber = 0;
    my $devref;
    my $device = $devclass;
@@ -783,6 +842,9 @@ sub validate_tc_class( ) {
    my $parentclass = 1;
    my $parentref;

+    fatal_error 'INTERFACE must be specified' if $devclass eq '-';
+    fatal_error 'CEIL must be specified'      if $ceil eq '-';
+
    if ( $devclass =~ /:/ ) {
 	( $device, my ($number, $subnumber, $rest ) )  = split /:/, $device, 4;
 	fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest;
@@ -996,7 +1058,9 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
 #
 sub process_tc_filter() {

-    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 2, 8, 'tcfilters file';
+    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 };
+
+    fatal_error 'CLASS must be specified' if $devclass eq '-';

    my ($device, $class, $rest ) = split /:/, $devclass, 3;

@@ -1018,6 +1082,8 @@ sub process_tc_filter() {

    my $tcref = $tcclasses{$device};

+    my $filtersref = $devref->{filters};
+
    fatal_error "No Classes were defined for INTERFACE $device" unless $tcref;

    my $classnum = hex_value $class;
@@ -1036,17 +1102,6 @@ sub process_tc_filter() {

    my $have_rule = 0;

-    if ( $devref->{physical} ne $lastdevice ) {
-	if ( $lastdevice ) {
-	    pop_indent;
-	    emit "fi\n";
-	}
-
-	$lastdevice = $devref->{physical};
-	emit "if interface_is_up $lastdevice; then";
-	push_indent;
-    }
-
    my $rule = "filter add dev $devref->{physical} protocol $ip parent $devnum:0 prio $prio u32";

    if ( $source ne '-' ) {
@@ -1101,9 +1156,9 @@ sub process_tc_filter() {

    if ( $portlist eq '-' && $sportlist eq '-' ) {
 	if ( $have_rule ) {
-	    emit( "\nrun_tc $rule\\" ,
-		  "   flowid $devnum:$class" ,
-		  '' );
+	    push @$filtersref , ( "\nrun_tc $rule\\" ,
+				  "   flowid $devnum:$class" ,
+				  '' );
 	} else {
 	    warning_message "Degenerate tcfilter ignored";
 	}
@@ -1129,17 +1184,17 @@ sub process_tc_filter() {
 	    $lasttnum = $tnum;
 	    $lastrule = $rule;

-	    emit( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol $ip prio $prio handle $tnum: u32 divisor 1" );
+	    push @$filtersref, ( "\nrun_tc filter add dev $devref->{physical} parent $devnum:0 protocol $ip prio $prio handle $tnum: u32 divisor 1" );
 	}
 	#
 	# And link to it using the current contents of $rule
 	#
 	if ( $family == F_IPV4 ) {
-	    emit( "\nrun_tc $rule\\" ,
-		  "   link $tnum:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat" );
+	    push @$filtersref, ( "\nrun_tc $rule\\" ,
+				 "   link $tnum:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat" );
 	} else {
-	    emit( "\nrun_tc $rule\\" ,
-		  "   link $tnum:0 offset plus 40 eat" );
+	    push @$filtersref, ( "\nrun_tc $rule\\" ,
+				 "   link $tnum:0 offset plus 40 eat" );
 	}    
 	#
 	# The rule to match the port(s) will be inserted into the new table
@@ -1165,9 +1220,9 @@ sub process_tc_filter() {
 			$rule1 = "match u32 0x${sport}0000 0x${smask}0000 at nexthdr+0" ,
 		    }

-		    emit( "\nrun_tc $rule\\" ,
-			  "   $rule1\\" ,
-			  "   flowid $devnum:$class" );
+		    push @$filtersref, ( "\nrun_tc $rule\\" ,
+					 "   $rule1\\" ,
+					 "   flowid $devnum:$class" );
 		}
 	    }
 	} else {
@@ -1183,9 +1238,9 @@ sub process_tc_filter() {

 		    my $rule1 = "   match icmp type $icmptype 0xff";
 		    $rule1   .= "\\\n   match icmp code $icmpcode 0xff" if defined $icmpcode;
-		    emit( "\nrun_tc ${rule}\\" ,
-			  "$rule1\\" ,
-			  "   flowid $devnum:$class" );
+		    push @$filtersref, ( "\nrun_tc ${rule}\\" ,
+					 "$rule1\\" ,
+					 "   flowid $devnum:$class" );
 		} elsif ( $protonumber == IPv6_ICMP ) {
 		    fatal_error "IPv6 ICMP not allowed with IPv4" unless $family == F_IPV4;
 		    fatal_error "SOURCE PORT(S) are not allowed with IPv6 ICMP" if $sportlist ne '-';
@@ -1194,9 +1249,9 @@ sub process_tc_filter() {

 		    my $rule1 = "   match icmp6 type $icmptype 0xff";
 		    $rule1   .= "\\\n   match icmp6 code $icmpcode 0xff" if defined $icmpcode;
-		    emit( "\nrun_tc ${rule}\\" ,
-			  "$rule1\\" ,
-			  "   flowid $devnum:$class" );
+		    push @$filtersref, ( "\nrun_tc ${rule}\\" ,
+					 "$rule1\\" ,
+					 "   flowid $devnum:$class" );
 		} else {
 		    my @portlist = expand_port_range $protonumber , $portrange;

@@ -1214,9 +1269,9 @@ sub process_tc_filter() {
 			}

 			if ( $sportlist eq '-' ) {
-			    emit( "\nrun_tc ${rule}\\" ,
-				  "   $rule1\\" ,
-				  "   flowid $devnum:$class" );
+			    push @$filtersref, ( "\nrun_tc ${rule}\\" ,
+						 "   $rule1\\" ,
+						 "   flowid $devnum:$class" );
 			} else {
 			    for my $sportrange ( split_list $sportlist , 'port list' ) {
 				my @sportlist = expand_port_range $protonumber , $sportrange;
@@ -1234,10 +1289,10 @@ sub process_tc_filter() {
 					$rule2 = "match u32 0x${sport}0000 0x${smask}0000 at nexthdr+0" ,
 				    }

-				    emit( "\nrun_tc ${rule}\\",
-					  "   $rule1\\" ,
-					  "   $rule2\\" ,
-					  "   flowid $devnum:$class" );
+				    push @$filtersref, ( "\nrun_tc ${rule}\\",
+							 "   $rule1\\" ,
+							 "   $rule2\\" ,
+							 "   flowid $devnum:$class" );
 				}
 			    }
 			}
@@ -1254,30 +1309,27 @@ sub process_tc_filter() {
 	progress_message "  IPv4 TC Filter \"$currentline\" $done";

 	$currentline =~ s/\s+/ /g;
-
-	save_progress_message_short qq('   IPv4 TC Filter \"$currentline\" defined.');
    } else {
 	progress_message "  IPv6 TC Filter \"$currentline\" $done";

 	$currentline =~ s/\s+/ /g;
-
-	save_progress_message_short qq('   IPv6 TC Filter \"$currentline\" defined.');
    }

    emit '';

 }

+#
+# Process the tcfilter file storing the compiled filters in the %tcdevices table
+#
 sub process_tcfilters() {

    my $fn = open_file 'tcfilters';

-    our $lastdevice = '';
-
    if ( $fn ) {
 	my @family = ( $family );
 	
-	first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message q("Adding TC Filters"); } );
+	first_entry( "$doing $fn..." );
 	
 	while ( read_a_line ) {
 	    if ( $currentline =~ /^\s*IPV4\s*$/ ) {
@@ -1301,17 +1353,16 @@ sub process_tcfilters() {
 	}

 	Shorewall::IPAddrs::initialize( $family = pop @family );
-
-	if ( $lastdevice ) {
-	    pop_indent;
-	    emit "fi\n";
-	}
-
    }
 }

+#
+# Process a tcpri record
+#
 sub process_tc_priority() {
-    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri';
+    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
+
+    fatal_error 'BAND must be specified' if $band eq '-';

    if ( $band eq 'COMMENT' ) {
 	process_comment;
@@ -1371,27 +1422,31 @@ sub process_tc_priority() {
    }
 }

-sub setup_simple_traffic_shaping() {
-    my $interfaces;
-
-    save_progress_message q("Setting up Traffic Control...");
+#
+# Process tcinterfaces
+#
+sub process_tcinterfaces() {

    my $fn = open_file 'tcinterfaces';

    if ( $fn ) {
 	first_entry "$doing $fn...";
-	process_simple_device, $interfaces++ while read_a_line;
-    } else {
-	$fn = find_file 'tcinterfaces';
+	process_simple_device while read_a_line;
    }
+}

+#
+# Process tcpri
+#
+sub process_tcpri() {
+    my $fn  = find_file 'tcinterfaces';
    my $fn1 = open_file 'tcpri';

    if ( $fn1 ) {
 	first_entry
 	    sub {
 		progress_message2 "$doing $fn1...";
-		warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces || $family == F_IPV6;
+		warning_message "There are entries in $fn1 but $fn was empty" unless @tcdevices || $family == F_IPV6;
 	    };

 	process_tc_priority while read_a_line;
@@ -1413,10 +1468,12 @@ sub setup_simple_traffic_shaping() {
    }
 }

-sub setup_traffic_shaping() {
-    our $lastrule = '';
+#
+# Process the compilex traffic shaping files storing the configuration in %tcdevices and %tcclasses
+#
+sub process_traffic_shaping() {

-    save_progress_message q("Setting up Traffic Control...");
+    our $lastrule = '';

    my $fn = open_file 'tcdevices';

@@ -1426,9 +1483,6 @@ sub setup_traffic_shaping() {
 	validate_tc_device while read_a_line;
    }

-    my $sfq = 0;
-    my $sfqinhex;
-
    $devnum = $devnum > 10 ? 10 : 1;

    $fn = open_file 'tcclasses';
@@ -1439,6 +1493,11 @@ sub setup_traffic_shaping() {
 	validate_tc_class while read_a_line;
    }

+    process_tcfilters;
+
+    my $sfq = 0;
+    my $sfqinhex;
+
    for my $device ( @tcdevices ) {
 	my $devref  = $tcdevices{$device};
 	my $defmark = in_hexp ( $devref->{default} || 0 );
@@ -1449,10 +1508,18 @@ sub setup_traffic_shaping() {

 	$device = physical_name $device;

-	my $dev = chain_base( $device );
-
 	unless ( $config{TC_ENABLED} eq 'Shared' ) {

+	    my $dev = chain_base( $device );
+
+	    emit( '',
+		  '#',
+		  "# Configure Traffic Shaping for $device",
+		  '#',
+		  "setup_${dev}_tc() {" );
+
+	    push_indent;
+
 	    emit "if interface_is_up $device; then";

 	    push_indent;
@@ -1500,6 +1567,85 @@ sub setup_traffic_shaping() {
 		emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	    }

+	    for my $class ( @tcclasses ) {
+		#
+		# The class number in the tcclasses array is expressed in decimal.
+		#
+		my ( $d, $decimalclassnum ) = split /:/, $class;
+
+		next unless $d eq $device;
+		#
+		# For inclusion in 'tc' commands, we also need the hex representation
+		#
+		my $classnum = in_hexp $decimalclassnum;
+		#
+		# The decimal value of the class number is also used as the key for the hash at $tcclasses{$device}
+		#
+		my $tcref    = $tcclasses{$device}{$decimalclassnum};
+		my $mark     = $tcref->{mark};
+		my $devicenumber  = in_hexp $devref->{number};
+		my $classid  = join( ':', $devicenumber, $classnum);
+		my $rate     = "$tcref->{rate}kbit";
+		my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
+
+		$classids{$classid}=$device;
+		$device = physical_name $device;
+
+		my $priority = $tcref->{priority} << 8;
+		my $parent   = in_hexp $tcref->{parent};
+		
+		emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
+
+		if ( $devref->{qdisc} eq 'htb' ) {
+		    emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
+		} else {
+		    my $dmax = $tcref->{dmax};
+
+		    if ( $dmax ) {
+			my $umax = $tcref->{umax} ? "$tcref->{umax}b" : "\${${dev}_mtu}b";
+			emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
+		    } else {
+			emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
+		    }
+		}
+
+		if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
+		    1 while $devnums[++$sfq];
+
+		    $sfqinhex = in_hexp( $sfq);
+		    if ( $devref->{qdisc} eq 'htb' ) {
+			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
+		    } else {
+			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
+		    }
+		}
+		#
+		# add filters
+		#
+		unless ( $devref->{classify} ) {
+		    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
+		}
+
+		emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
+		#
+		# options
+		#
+		emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) ." u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
+
+		for my $tospair ( @{$tcref->{tos}} ) {
+		    my ( $tos, $mask ) = split q(/), $tospair;
+		    emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid";
+		}
+		
+		save_progress_message_short qq("   TC Class $classid defined.");
+		emit '';
+
+	    }
+
+	    emit '';
+
+	    emit "$_" for @{$devref->{filters}};
+	
 	    save_progress_message_short qq("   TC Device $device defined.");

 	    pop_indent;
@@ -1510,113 +1656,54 @@ sub setup_traffic_shaping() {
 	    emit "${dev}_exists=";
 	    pop_indent;
 	    emit "fi\n";
+
+	    pop_indent;
+	    emit "}\n";
 	}
    }
+}

-    my $lastdevice = '';
-
-    for my $class ( @tcclasses ) {
-	#
-	# The class number in the tcclasses array is expressed in decimal.
-	#
-	my ( $device, $decimalclassnum ) = split /:/, $class;
-	#
-	# For inclusion in 'tc' commands, we also need the hex representation
-	#
-	my $classnum = in_hexp $decimalclassnum;
-	my $devref   = $tcdevices{$device};
-	#
-	# The decimal value of the class number is also used as the key for the hash at $tcclasses{$device}
-	#
-	my $tcref    = $tcclasses{$device}{$decimalclassnum};
-	my $mark     = $tcref->{mark};
-	my $devicenumber  = in_hexp $devref->{number};
-	my $classid  = join( ':', $devicenumber, $classnum);
-	my $rate     = "$tcref->{rate}kbit";
-	my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
-
-	$classids{$classid}=$device;
-	$device = physical_name $device;
-
-	unless ( $config{TC_ENABLED} eq 'Shared' ) {
-	    my $dev      = chain_base $device;
-	    my $priority = $tcref->{priority} << 8;
-	    my $parent   = in_hexp $tcref->{parent};
-
-	    if ( $lastdevice ne $device ) {
-		if ( $lastdevice ) {
-		    pop_indent;
-		    emit "fi\n";
-		}
-
-		emit qq(if [ -n "\$${dev}_exists" ]; then);
-		push_indent;
-		$lastdevice = $device;
-	    }
-
-	    emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
-
-	    if ( $devref->{qdisc} eq 'htb' ) {
-		emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
-	    } else {
-		my $dmax = $tcref->{dmax};
-
-		if ( $dmax ) {
-		    my $umax = $tcref->{umax} ? "$tcref->{umax}b" : "\${${dev}_mtu}b";
-		    emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
-		} else {
-		    emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
-		}
-	    }
-
-	    if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
-		1 while $devnums[++$sfq];
-
-		$sfqinhex = in_hexp( $sfq);
-		if ( $devref->{qdisc} eq 'htb' ) {
-		    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
-		} else {
-		    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
-		}
-	    }
-	    #
-	    # add filters
-	    #
-	    unless ( $devref->{classify} ) {
-		emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
-	    }
-
-	    emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
-	    #
-	    # options
-	    #
-	    emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) ." u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
-
-	    for my $tospair ( @{$tcref->{tos}} ) {
-		my ( $tos, $mask ) = split q(/), $tospair;
-		emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid";
-	    }
-
-	    save_progress_message_short qq("   TC Class $classid defined.");
-	    emit '';
-
-	}
-
+#
+# Validate the TC configuration storing basic information in %tcdevices and %tcdevices
+#
+sub process_tc() {
+    if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
+	process_traffic_shaping;
+    } elsif ( $config{TC_ENABLED} eq 'Simple' ) {
+	process_tcinterfaces;
    }
+    #
+    # The Providers module needs to know which devices are tc-enabled so that
+    # it can call the appropriate 'setup_x_tc" function when the device is
+    # enabled.

-    if ( $lastdevice ) {
-	pop_indent;
-	emit "fi\n";
+    my %empty;
+    
+    $config{TC_ENABLED} eq 'Shared' ? \%empty : \%tcdevices;
+}
+
+#
+# Call the setup_${dev}_tc functions
+#
+sub setup_traffic_shaping() {
+    save_progress_message q("Setting up Traffic Control...");
+
+    for my $device ( @tcdevices ) {
+	my $interfaceref = known_interface( $device );
+	my $dev          = chain_base( $interfaceref ? $interfaceref->{physical} : $device );
+
+	emit "setup_${dev}_tc";
    }
-
-    process_tcfilters;
 }

 #
 # Process a record in the secmarks file
 #
 sub process_secmark_rule() {
-    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = split_line1( 2, 9 , 'Secmarks file' );
+    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) =
+	split_line1( 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
+
+    fatal_error 'SECMARK must be specified' if $secmark eq '-';

    if ( $secmark eq 'COMMENT' ) {
 	process_comment;
@@ -1723,10 +1810,9 @@ sub setup_tc() {
    if ( $globals{TC_SCRIPT} ) {
 	save_progress_message q('Setting up Traffic Control...');
 	append_file $globals{TC_SCRIPT};
-    } elsif ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
-	setup_traffic_shaping;
-    } elsif ( $config{TC_ENABLED} eq 'Simple' ) {
-	setup_simple_traffic_shaping;
+    } else {
+	process_tcpri if $config{TC_ENABLED} eq 'Simple';
+	setup_traffic_shaping unless $config{TC_ENABLED} eq 'Shared';
    }

    if ( $config{TC_ENABLED} ) {
@@ -1775,6 +1861,18 @@ sub setup_tc() {
 			  mark      => HIGHMARK,
 			  mask      => '',
 			  connmark  => '' },
+			{ match     => sub( $ ) { $_[0] =~ /^TTL/ },
+			  target    => 'TTL',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
+			{ match     => sub( $ ) { $_[0] =~ /^HL/ },
+			  target    => 'HL',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			} 
 		      );

 	if ( my $fn = open_file 'tcrules' ) {
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -284,7 +284,10 @@ sub setup_tunnels() {

 	while ( read_a_line ) {

-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateway_zone => 3 };
+
+	    fatal_error 'TYPE must be specified' if $kind eq '-';
+	    fatal_error 'ZONE must be specified' if $zone eq '-';

 	    if ( $kind eq 'COMMENT' ) {
 		process_comment;
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -73,6 +73,7 @@ our @EXPORT = qw( NOTHING
 		  find_interfaces_by_option
 		  find_interfaces_by_option1
 		  get_interface_option
+		  interface_has_option
 		  set_interface_option
 		  interface_zones
 		  verify_required_interfaces
@@ -401,7 +402,10 @@ sub process_zone( \$ ) {

    my @parents;

-    my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
+    my ($zone, $type, $options, $in_options, $out_options ) =
+	split_line 'zones file', { zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 };
+
+    fatal_error 'ZONE must be specified' if $zone eq '-';

    if ( $zone =~ /(\w+):([\w,]+)/ ) {
 	$zone = $1;
@@ -870,7 +874,7 @@ sub process_interface( $$ ) {
    my ( $nextinum, $export ) = @_;
    my $netsref   = '';
    my $filterref = [];
-    my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
+    my ($zone, $originalinterface, $bcasts, $options ) = split_line 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
    my $zoneref;
    my $bridge = '';

@@ -883,6 +887,8 @@ sub process_interface( $$ ) {
 	fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
    }

+    fatal_error 'INTERFACE must be specified' if $originalinterface eq '-';
+
    my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;

    fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
@@ -1375,8 +1381,7 @@ sub find_interfaces_by_option1( $ ) {
    my @ints = ();
    my $wild = 0;

-    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} }
-			( grep $interfaces{$_}{root}, keys %interfaces ) ) {
+    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } keys %interfaces ) {
 	my $interfaceref = $interfaces{$interface};

 	next unless defined $interfaceref->{physical};
@@ -1410,6 +1415,22 @@ sub get_interface_option( $$ ) {
    
 }

+#
+# Return the value of an option for an interface
+#
+sub interface_has_option( $$\$ ) {
+    my ( $interface, $option, $value ) = @_;
+
+    my $ref = $interfaces{$interface};
+
+    $ref = known_interface( $interface ) unless $ref;
+
+    if ( exists $ref->{options}{$option} ) {
+	$$value = $ref->{options}{$option};
+	1;
+    }
+}
+
 #
 # Set an option for an interface
 #
@@ -1711,7 +1732,10 @@ sub compile_updown() {
 #
 sub process_host( ) {
    my $ipsec = 0;
-    my ($zone, $hosts, $options ) = split_line 2, 3, 'hosts file';
+    my ($zone, $hosts, $options ) = split_line 'hosts file', { zone => 0, hosts => 1, options => 2 };
+
+    fatal_error 'ZONE must be specified'  if $zone eq '-';
+    fatal_error 'HOSTS must be specified' if $hosts eq '-';

    my $zoneref = $zones{$zone};
    my $type    = $zoneref->{type};
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -20,7 +20,13 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
+#
+#  Parameters:
+#
+#      $1 = Path name of params file
+#      $2 = $CONFIG_PATH
+#      $3 = Address family (4 o4 6)
+#
 if [ "$3" = 6 ]; then
    . /usr/share/shorewall6/lib.base
    . /usr/share/shorewall6/lib.cli
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -5,7 +5,21 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
+    echo "Usage: $0 [ options ] <command>"
+    echo 
+    echo "<command> is one of:"
+    echo "   start"
+    echo "   stop"
+    echo "   clear"
+    echo "   disable <interface>"
+    echo "   down <interface>"
+    echo "   enable <interface>"
+    echo "   reset"
+    echo "   refresh"
+    echo "   restart"
+    echo "   status"
+    echo "   up <interface>"
+    echo "   version"
    echo
    echo "Options are:"
    echo
@@ -295,6 +309,26 @@ case "$COMMAND" in
 	updown $@
 	status=0;
 	;;
+    enable)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	if shorewall_is_started; then
+	    detect_configuration
+	    enable_provider $1
+	fi
+	status=0
+	;;
+    disable)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	if shorewall_is_started; then
+	    detect_configuration
+	    disable_provider $1
+	fi
+	status=0
+	;;
    version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -1,5 +1,3 @@
-#!/bin/sh
-#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 1999-2011 - Tom Eastep (teastep@shorewall.net)
@@ -113,6 +111,17 @@ find_device() {
    done
 }

+#
+# Find the value 'weight' in the passed arguments then echo the next value
+#
+
+find_weight() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xweight ] && echo $2 && return
+	shift
+    done
+}
+
 #
 # Find the value 'via' in the passed arguments then echo the next value
 #
@@ -483,6 +492,8 @@ get_device_mtu1() # $1 = device
 # Undo changes to routing
 #
 undo_routing() {
+    local undofiles
+    local f

    if [ -z "$g_noroutes"  ]; then
 	#
@@ -495,10 +506,16 @@ undo_routing() {
 	#
 	# Restore the rest of the routing table
 	#
-	if [ -f ${VARDIR}/undo_routing ]; then
-	    . ${VARDIR}/undo_routing
-	    progress_message "Shorewall-generated routing tables and routing rules removed"
-	    rm -f ${VARDIR}/undo_routing
+	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
+
+	if [ -n "$undofiles" ]; then
+	    for f in $undofiles; do
+		. $f
+	    done
+
+	    rm -f $undofiles
+
+            progress_message "Shorewall-generated routing tables and routing rules removed"
 	fi
    fi

@@ -583,6 +600,60 @@ restore_default_route() # $1 = USE_DEFAULT_RT
    return $result
 }

+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
+{
+    local route
+    local weight
+    local delta
+    local dev
+    
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
+
+    if [ -z "$route" ]; then
+	run_ip route add default scope global table $2 $1
+    else
+	delta=$1
+
+	if ! echo $route | fgrep -q ' nexthop '; then
+	    route=`echo $route | sed 's/via/nexthop via/'`
+	    dev=$(find_device $route)
+	    if [ -f ${VARDIR}/${dev}_weight ]; then
+		weight=`cat ${VARDIR}/${dev}_weight`
+		route="$route weight $weight"
+	    fi
+	fi
+
+	run_ip route replace default scope global table $2 $route $delta
+    fi
+}
+
+#
+# Remove a gateway from the default route
+#
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
+{
+    local route
+    local gateway
+    local dev
+
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    gateway=$1
+  
+    if [ -n "$route" ]; then
+	if echo $route | fgrep -q ' nexthop '; then
+	    gateway="nexthop $gateway"
+	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
+	    run_ip route replace table $2 $route
+	else
+	    dev=$(find_device $route)
+	    [ "$dev" = "$3" ] && run_ip route delete default table $2
+	fi
+    fi
+}
+
 #
 # Determine the MAC address of the passed IP through the passed interface
 #
@@ -805,13 +876,17 @@ debug_restore_input() {
 	qt1 $IPTABLES -t mangle -P $chain ACCEPT
    done

-    qt1 $IPTABLES -t raw    -F
-    qt1 $IPTABLES -t raw    -X
+    qt1 $IPTABLES -t raw     -F
+    qt1 $IPTABLES -t raw     -X
+    qt1 $IPTABLES -t rawpost -F
+    qt1 $IPTABLES -t rawpost -X

    for chain in PREROUTING OUTPUT; do
 	qt1 $IPTABLES -t raw -P $chain ACCEPT
    done

+    qt1 $iptables -T rawpost -P POSTROUTING ACCEPT
+
    run_iptables -t nat -F
    run_iptables -t nat -X

@@ -861,6 +936,9 @@ debug_restore_input() {
 	    '*'raw)
 		table=raw
 		;;
+	    '*'rawpost)
+		table=rawpost
+		;;
 	    '*'mangle)
 		table=mangle
 		;;
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -1,5 +1,3 @@
-#!/bin/sh
-#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 1999-2011- Tom Eastep (teastep@shorewall.net)
@@ -486,7 +484,7 @@ undo_routing() {
 	if [ -f ${VARDIR}/undo_routing ]; then
 	    . ${VARDIR}/undo_routing
 	    progress_message "Shorewall-generated routing tables and routing rules removed"
-	    rm -f ${VARDIR}/undo_routing
+	    rm -f ${VARDIR}/undo_*routing
 	fi
    fi

@@ -824,6 +822,9 @@ debug_restore_input() {
 	    '*'raw)
 		table=raw
 		;;
+	    '*'rawpost)
+		table=rawpost
+		;;
 	    '*'mangle)
 		table=mangle
 		;;
--- a/Shorewall/configfiles/netmap
+++ b/Shorewall/configfiles/netmap
@@ -6,5 +6,6 @@
 # See http://shorewall.net/netmap.html for an example and usage
 # information.
 #
-###############################################################################
-#TYPE	NET1			INTERFACE	NET2		NET3
+##############################################################################################
+#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
+#										PORT(S)	PORT(S)
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -6,9 +6,10 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
--- a/Shorewall/configfiles/scfilter
+++ b/Shorewall/configfiles/scfilter
@@ -1,12 +1,10 @@
-#! /bin/sh
 #
 # Shorewall version 4 - Show Connections Filter
 #
 # /etc/shorewall/scfilter
 #
 #	Replace the 'cat' command below to filter the output of
-#       'show connections. Unlike other extension scripts, this file
-#       must be executable before Shorewall will use it.
+#       'show connections.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/init.fedora.sh
+++ b/Shorewall/init.fedora.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop:	  0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+    . /etc/sysconfig/$prog
+fi
+
+start() {
+    echo -n $"Starting Shorewall: "
+    $shorewall $OPTIONS start 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping Shorewall: "
+    $shorewall $OPTIONS stop 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	rm -f $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+    echo -n $"Restarting Shorewall: "
+    $shorewall $OPTIONS restart 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else # Failed to start, clean up lock file if present
+	rm -f $lockfile
+	failure
+    fi
+    echo
+    return $retval
+}
+
+status(){
+    $shorewall status
+    return $?
+}
+
+status_q() {
+    status > /dev/null 2>&1
+}
+
+case "$1" in
+    start)
+	status_q && exit 0
+	$1
+	;;
+    stop)
+	status_q || exit 0
+	$1
+	;;
+    restart|reload|force-reload)
+	restart
+	;;
+    condrestart|try-restart)
+        status_q || exit 0
+        restart
+        ;;
+    status)
+	$1
+	;;
+    *)
+	echo "Usage: $0 start|stop|reload|restart|force-reload|status"
+	exit 1
+	;;
+esac
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -248,6 +248,9 @@ else
 	    echo "Installing Debian-specific configuration..."
 	    DEBIAN=yes
 	    SPARSE=yes
+	elif [ -f /etc/redhat-release ]; then
+	    echo "Installing Redhat/Fedora-specific configuration..."
+	    FEDORA=yes
 	elif [ -f /etc/slackware-version ] ; then
 	    echo "Installing Slackware-specific configuration..."
 	    DEST="/etc/rc.d"
@@ -262,6 +265,14 @@ else
    fi
 fi

+if [ -z "$DESTDIR" ]; then
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
 #
 # Change to the directory containing this script
 #
@@ -301,6 +312,8 @@ fi
 #
 if [ -n "$DEBIAN" ]; then
    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall 0544
+elif [ -n "$FEDORA" ]; then
+    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall 0544
 elif [ -n "$ARCHLINUX" ]; then
    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
 elif [ -n "$SLACKWARE" ]; then
@@ -333,6 +346,14 @@ if [ -n "$DESTDIR" ]; then
    chmod 755 ${DESTDIR}/etc/logrotate.d
 fi

+#
+# Install the .service file
+#
+if [ -n "$SYSTEMD" ]; then
+    run_install $OWNERSHIP -m 600 shorewall.service ${DESTDIR}/lib/systemd/system/shorewall.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall.service"
+fi
+
 if [ -n "$ANNOTATED" ]; then
    suffix=.annotated
 else
@@ -997,7 +1018,11 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
 	touch /var/log/shorewall-init.log
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall/shorewall.conf
    else
-	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	if [ -n "$SYSTEMD" ]; then
+	    if systemctl enable shorewall; then
+		echo "Shorewall will start automatically at boot"
+	    fi
+	elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 	    if insserv /etc/init.d/shorewall ; then
 		echo "shorewall will start automatically at boot"
 		echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Shorewall 4.4 -- /usr/share/shorewall/lib.base
 #
@@ -29,7 +28,7 @@
 #

 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40421
+SHOREWALL_CAPVERSION=40424

 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -102,6 +101,7 @@ mutex_on()
    try=0
    local lockf
    lockf=${LOCKFILE:=${VARDIR}/lock}
+    local lockpid

    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}

@@ -109,8 +109,22 @@ mutex_on()

 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}

+	if [ -f $lockf ]; then
+	    lockpid=`cat ${lockf} 2> /dev/null`
+	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} removed"
+	    elif ! qt ps p ${lockpid}; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+	    fi
+	fi
+
 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    chmod u+w ${lockf}
+	    echo $$ > ${lockf}
+	    chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Shorewall 4.4 -- /usr/share/shorewall/lib.cli.
 #
@@ -526,7 +525,7 @@ show_command() {
 			    [ $# -eq 1 ] && usage 1

 			    case $2 in
-				mangle|nat|filter|raw)
+				mangle|nat|filter|raw|rawpost)
 				    table=$2
 				    table_given=Yes
 				    ;;
@@ -603,6 +602,13 @@ show_command() {
 	    show_reset
 	    $IPTABLES -t raw -L $g_ipt_options
 	    ;;
+	rawpost)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
+	    echo
+	    show_reset
+	    $IPTABLES -t rawpost -L $g_ipt_options
+	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
@@ -1501,6 +1507,7 @@ hits_command() {
 	$g_logread | grep  "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
 						t
 						s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do
+	    [ -z "$port" ] && port=0
 	    printf '%7d %-15s %d\n' $count $address $port
 	done

@@ -1691,6 +1698,7 @@ determine_capabilities() {
    CONNMARK_MATCH=
    XCONNMARK_MATCH=
    RAW_TABLE=
+    RAWPOST_TABLE=
    IPP2P_MATCH=
    OLD_IPP2P_MATCH=
    LENGTH_MATCH=
@@ -1723,6 +1731,8 @@ determine_capabilities() {
    HEADER_MATCH=
    ACCOUNT_TARGET=
    AUDIT_TARGET=
+    CONDITION_MATCH=
+    IPTABLES_S=

    chain=fooX$$

@@ -1826,7 +1836,8 @@ determine_capabilities() {
 	qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
    fi

-    qt $IPTABLES -t raw	   -L -n && RAW_TABLE=Yes
+    qt $IPTABLES -t raw	    -L -n && RAW_TABLE=Yes
+    qt $IPTABLES -t rawpost -L -n && RAWPOST_TABLE=Yes

    if qt mywhich ipset; then
 	qt ipset -X $chain # Just in case something went wrong the last time
@@ -1872,7 +1883,8 @@ determine_capabilities() {
    qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
    qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
-
+    qt $IPTABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+    qt $IPTABLES -S INPUT && IPTABLES_S=Yes
    qt $IPTABLES -F $chain
    qt $IPTABLES -X $chain
    qt $IPTABLES -F $chain1
@@ -1934,6 +1946,7 @@ report_capabilities() {
 	report_capability "Connmark Match" $CONNMARK_MATCH
 	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
 	report_capability "Raw Table" $RAW_TABLE
+	report_capability "Rawpost Table" $RAWPOST_TABLE
 	report_capability "IPP2P Match" $IPP2P_MATCH
 	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
 	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
@@ -1966,6 +1979,8 @@ report_capabilities() {
        report_capability "ACCOUNT Target" $ACCOUNT_TARGET
 	report_capability "AUDIT Target" $AUDIT_TARGET
 	report_capability "ipset V5" $IPSET_V5
+	report_capability "Condition Match" $CONDITION_MATCH
+	report_capability "iptables -S" $IPTABLES_S
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -2003,6 +2018,7 @@ report_capabilities1() {
    report_capability1 CONNMARK_MATCH
    report_capability1 XCONNMARK_MATCH
    report_capability1 RAW_TABLE
+    report_capability1 RAWPOST_TABLE
    report_capability1 IPP2P_MATCH
    report_capability1 OLD_IPP2P_MATCH
    report_capability1 CLASSIFY_TARGET
@@ -2035,6 +2051,8 @@ report_capabilities1() {
    report_capability1 ACCOUNT_TARGET
    report_capability1 AUDIT_TARGET
    report_capability1 IPSET_V5
+    report_capability1 CONDITION_MATCH
+    report_capability1 IPTABLES_S

    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
--- a/Shorewall/lib.common
+++ b/Shorewall/lib.common
@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Shorewall 4.4 -- /usr/share/shorewall/lib.common.
 #
@@ -226,7 +225,31 @@ loadmodule() # $1 = module name, $2 - * arguments
    local modulefile
    local suffix

-    if ! list_search $modulename $DONT_LOAD $MODULES; then
+    if [ -d /sys/module/ ]; then
+	if ! list_search $modulename $DONT_LOAD; then
+	    if [ ! -d /sys/module/$modulename ]; then
+		shift
+
+		for suffix in $MODULE_SUFFIX ; do
+		    for directory in $moduledirectories; do
+			modulefile=$directory/${modulename}.${suffix}
+
+			if [ -f $modulefile ]; then
+			    case $moduleloader in
+				insmod)
+				    insmod $modulefile $*
+				    ;;
+				*)
+				    modprobe $modulename $*
+				    ;;
+			    esac
+			    break 2
+			fi
+		    done
+		done
+	    fi
+	fi
+    elif ! list_search $modulename $DONT_LOAD $MODULES; then
 	shift

 	for suffix in $MODULE_SUFFIX ; do
@@ -273,7 +296,7 @@ reload_kernel_modules() {
 	uname=$(uname -r) && \
 	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset

-    MODULES=$(lsmod | cut -d ' ' -f1)
+    [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)

    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -319,7 +342,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)

    if [ -f $modules -a -n "$moduledirectories" ]; then
-	MODULES=$(lsmod | cut -d ' ' -f1)
+	[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
 	progress_message "Loading Modules..."
 	. $modules
 	if [ $savemoduleinfo = Yes ]; then
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -1435,7 +1435,7 @@ usage() # $1 = exit status
    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
+    echo "   show [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   show actions"
    echo "   show [ -f ] capabilities"
    echo "   show classifiers"
@@ -1448,7 +1448,7 @@ usage() # $1 = exit status
    echo "   show [ -m ] log [<regex>]"
    echo "   show macro <macro>"
    echo "   show macros"
-    echo "   show [ -x ] mangle|nat|raw|routing"
+    echo "   show [ -x ] mangle|nat|raw|rawpost|routing"
    echo "   show policies"
    echo "   show tc [ device ]"
    echo "   show vardir"
--- a/Shorewall/shorewall.service
+++ b/Shorewall/shorewall.service
@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv4 firewall
+After=syslog.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall
+StandardOutput=syslog
+ExecStart=/sbin/shorewall $OPTIONS start
+ExecReload=/sbin/shorewall $OPTIONS restart
+ExecStop=/sbin/shorewall $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -92,6 +92,8 @@ if [ -n "$FIREWALL" ]; then
 	updaterc.d shorewall remove
    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
        insserv -r $FIREWALL
+    elif [ -x /sbin/systemctl ]; then
+	systemctl disable shorewall
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
    else
@@ -116,6 +118,7 @@ rm -rf /usr/share/shorewall-*.bkout
 rm -rf /usr/share/man/man5/shorewall*
 rm -rf /usr/share/man/man8/shorewall*
 rm -f  /etc/logrotate.d/shorewall
+rm -f  /lib/systemd/system/shorewall.service

 echo "Shorewall Uninstalled"

--- a/Shorewall6-lite/init.fedora.sh
+++ b/Shorewall6-lite/init.fedora.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall6-lite
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop:	  0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall6-lite"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+    . /etc/sysconfig/$prog
+fi
+
+start() {
+    echo -n $"Starting Shorewall: "
+    $shorewall $OPTIONS start 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping Shorewall: "
+    $shorewall $OPTIONS stop 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	rm -f $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+    echo -n $"Restarting Shorewall: "
+    $shorewall $OPTIONS restart 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else # Failed to start, clean up lock file if present
+	rm -f $lockfile
+	failure
+    fi
+    echo
+    return $retval
+}
+
+status(){
+    $shorewall status
+    return $?
+}
+
+status_q() {
+    status > /dev/null 2>&1
+}
+
+case "$1" in
+    start)
+	status_q && exit 0
+	$1
+	;;
+    stop)
+	status_q || exit 0
+	$1
+	;;
+    restart|reload|force-reload)
+	restart
+	;;
+    condrestart|try-restart)
+        status_q || exit 0
+        restart
+        ;;
+    status)
+	$1
+	;;
+    *)
+	echo "Usage: $0 start|stop|reload|restart|force-reload|status"
+	exit 1
+	;;
+esac
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -171,6 +171,8 @@ if [ -n "$DESTDIR" ]; then
    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
    DEBIAN=yes
+elif [ -f /etc/redhat-release ]; then
+    FEDORA=yes
 elif [ -f /etc/slackware-version ] ; then
    DEST="/etc/rc.d"
    INIT="rc.firewall"
@@ -180,6 +182,14 @@ elif [ -f /etc/arch-release ] ; then
      ARCHLINUX=yes
 fi

+if [ -z "$DESTDIR" ]; then
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
 #
 # Change to the directory containing this script
 #
@@ -222,6 +232,8 @@ echo "Shorewall6 Lite control program installed in ${DESTDIR}/sbin/shorewall6-li
 #
 if [ -n "$DEBIAN" ]; then
    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall6-lite 0544
+elif [ -n "$FEDORA" ]; then
+    install_file init.fedora.sh /etc/init.d/shorewall6-lite 0544
 elif [ -n "$ARCHLINUX" ]; then
    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544

@@ -247,6 +259,14 @@ if [ -n "$DESTDIR" ]; then
    chmod 755 ${DESTDIR}/etc/logrotate.d
 fi

+#
+# Install the .service file
+#
+if [ -n "$SYSTEMD" ]; then
+    run_install $OWNERSHIP -m 600 shorewall6-lite.service ${DESTDIR}/lib/systemd/system/shorewall6-lite.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall6-lite.service"
+fi
+
 #
 # Install the config file
 #
@@ -380,7 +400,11 @@ if [ -z "$DESTDIR" ]; then

 	    echo "Shorewall6 Lite will start automatically at boot"
 	else
-	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	    if [ -n "$SYSTEMD" ]; then
+		if systemctl enable shorewall6-lite; then
+		    echo "Shorewall6 Lite will start automatically at boot"
+		fi
+	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if insserv /etc/init.d/shorewall6-lite ; then
 		    echo "Shorewall6 Lite will start automatically at boot"
 		else
--- a/Shorewall6-lite/shorewall6-lite.service
+++ b/Shorewall6-lite/shorewall6-lite.service
@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv6 firewall (lite)
+After=syslog.target
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall6-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6-lite $OPTIONS start
+ExecReload=/sbin/shorewall6-lite $OPTIONS restart
+ExecStop=/sbin/shorewall6-lite $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -81,6 +81,8 @@ if [ -n "$FIREWALL" ]; then
        insserv -r $FIREWALL
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
+    elif [ -x /sbin/systemctl ]; then
+	systemctl disable shorewall6-lite
    else
 	rm -f /etc/rc*.d/*$(basename $FIREWALL)
    fi
@@ -100,6 +102,7 @@ rm -rf /usr/share/shorewall6-lite
 rm -rf ${LIBEXEC}/shorewall6-lite
 rm -rf /usr/share/shorewall6-lite-*.bkout
 rm -f  /etc/logrotate.d/shorewall6-lite
+rm -f  /lib/systemd/system/shorewall6-lite.service

 echo "Shorewall6 Lite Uninstalled"

--- a/Shorewall6/action.Broadcast
+++ b/Shorewall6/action.Broadcast
@@ -62,7 +62,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
    decr_cmd_level $chainref;
    add_commands $chainref, 'done';
 }
-    
+  
 log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) )  if $level ne '';
 add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );

--- a/Shorewall6/configfiles/netmap
+++ b/Shorewall6/configfiles/netmap
@@ -0,0 +1,11 @@
+#
+# Shorewall6 version 4	 - Netmap File
+#
+# For information about entries in this file, type "man shorewall-netmap"
+#
+# See http://shorewall.net/netmap.html for an example and usage
+# information.
+#
+##############################################################################################
+#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
+#										PORT(S)	PORT(S)
--- a/Shorewall6/configfiles/rules
+++ b/Shorewall6/configfiles/rules
@@ -6,9 +6,10 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages6/shorewall6-rules.html
 #
-#######################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME            HEADERS
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
--- a/Shorewall6/configfiles/scfilter
+++ b/Shorewall6/configfiles/scfilter
@@ -1,12 +1,10 @@
-#! /bin/sh
 #
 # Shorewall version 4 - Show Connections Filter
 #
 # /etc/shorewall/scfilter
 #
 #	Replace the 'cat' command below to filter the output of
-#       'show connections. Unlike other extension scripts, this file
-#       must be executable before Shorewall will use it.
+#       'show connections. 
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall6/init.fedora.sh
+++ b/Shorewall6/init.fedora.sh
@@ -0,0 +1,112 @@
+#!/bin/sh
+#
+# Shorewall init script
+#
+# chkconfig: - 28 90
+# description: Packet filtering firewall
+
+### BEGIN INIT INFO
+# Provides: shorewall6
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Should-Start: VMware $time $named
+# Required-Stop:
+# Default-Start:
+# Default-Stop:	  0 1 2 3 4 5 6
+# Short-Description: Packet filtering firewall
+# Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
+#              Netfilter (iptables) based firewall
+### END INIT INFO
+
+# Source function library.
+. /etc/rc.d/init.d/functions
+
+prog="shorewall6"
+shorewall="/sbin/$prog"
+logger="logger -i -t $prog"
+lockfile="/var/lock/subsys/$prog"
+
+# Get startup options (override default)
+OPTIONS=
+
+if [ -f /etc/sysconfig/$prog ]; then
+    . /etc/sysconfig/$prog
+fi
+
+start() {
+    echo -n $"Starting Shorewall: "
+    $shorewall $OPTIONS start 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+stop() {
+    echo -n $"Stopping Shorewall: "
+    $shorewall $OPTIONS stop 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	rm -f $lockfile
+	success
+    else 
+	failure
+    fi
+    echo
+    return $retval
+}
+
+restart() {
+# Note that we don't simply stop and start since shorewall has a built in
+# restart which stops the firewall if running and then starts it.
+    echo -n $"Restarting Shorewall: "
+    $shorewall $OPTIONS restart 2>&1 | $logger
+    retval=${PIPESTATUS[0]}
+    if [[ $retval == 0 ]]; then 
+	touch $lockfile
+	success
+    else # Failed to start, clean up lock file if present
+	rm -f $lockfile
+	failure
+    fi
+    echo
+    return $retval
+}
+
+status(){
+    $shorewall status
+    return $?
+}
+
+status_q() {
+    status > /dev/null 2>&1
+}
+
+case "$1" in
+    start)
+	status_q && exit 0
+	$1
+	;;
+    stop)
+	status_q || exit 0
+	$1
+	;;
+    restart|reload|force-reload)
+	restart
+	;;
+    condrestart|try-restart)
+        status_q || exit 0
+        restart
+        ;;
+    status)
+	$1
+	;;
+    *)
+	echo "Usage: $0 start|stop|reload|restart|force-reload|status"
+	exit 1
+	;;
+esac
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -107,7 +107,6 @@ if [ -z "$INIT" ] ; then
 fi

 ANNOTATED=
-DEBIAN=
 CYGWIN=
 MAC=
 MACHOST=
@@ -242,6 +241,9 @@ else
 	    echo "Installing Debian-specific configuration..."
 	    DEBIAN=yes
 	    SPARSE=yes
+        elif [ -f /etc/redhat-release ]; then
+	    echo "Installing Redhat/Fedora-specific configuration..."
+	    FEDORA=yes
 	elif [ -f /etc/slackware-version ] ; then
 	    echo "Installing Slackware-specific configuration..."
 	    DEST="/etc/rc.d"
@@ -256,6 +258,14 @@ else
    fi
 fi

+if [ -z "$DESTDIR" ]; then
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
 #
 # Change to the directory containing this script
 #
@@ -295,6 +305,8 @@ fi
 #
 if [ -n "$DEBIAN" ]; then
    install_file init.debian.sh /etc/init.d/shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
+elif [ -n "$FEDORA" ]; then
+    install_file init.fedora.sh /etc/init.d/shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
 elif [ -n "$SLACKWARE" ]; then
    install_file init.slackware.shorewall6.sh ${DESTDIR}${DEST}/rc.shorewall6 0544 ${DESTDIR}/usr/share/shorewall6-${VERSION}.bkout
 elif [ -n "$ARCHLINUX" ]; then
@@ -323,6 +335,14 @@ if [ -n "$DESTDIR" ]; then
    chmod 755 ${DESTDIR}/etc/logrotate.d
 fi

+#
+# Install the .service file
+#
+if [ -n "$SYSTEMD" ]; then
+    run_install $OWNERSHIP -m 600 shorewall6.service ${DESTDIR}/lib/systemd/system/shorewall6.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall6.service"
+fi
+
 delete_file ${DESTDIR}/usr/share/shorewall6/compiler
 delete_file ${DESTDIR}/usr/share/shorewall6/lib.accounting
 delete_file ${DESTDIR}/usr/share/shorewall6/lib.actions
@@ -874,7 +894,11 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
 	touch /var/log/shorewall6-init.log
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall6/shorewall6.conf
    else
-	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	if [ -n "$SYSTEMD" ]; then
+	    if systemctl enable shorewall6; then
+		echo "Shorewall6 will start automatically at boot"
+	    fi
+	elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 	    if insserv /etc/init.d/shorewall6 ; then
 		echo "shorewall6 will start automatically at boot"
 		echo "Set STARTUP_ENABLED=Yes in /etc/shorewall6/shorewall6.conf to enable"
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Shorewall6 4.2-- /usr/share/shorewall/lib.base
 #
@@ -33,7 +32,7 @@
 #

 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40421
+SHOREWALL_CAPVERSION=40424

 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -106,6 +105,7 @@ mutex_on()
    try=0
    local lockf
    lockf=${LOCKFILE:=${VARDIR}/lock}
+    local lockpid

    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}

@@ -113,8 +113,22 @@ mutex_on()

 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}

+	if [ -f $lockf ]; then
+	    lockpid=`cat ${lockf} 2> /dev/null`
+	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} removed"
+	    elif ! qt ps p ${lockpid}; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+	    fi
+	fi
+
 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    chmod u+w ${lockf}
+	    echo $$ > ${lockf}
+	    chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Shorewall6 4.2 -- /usr/share/shorewall6/lib.cli.
 #
@@ -511,7 +510,7 @@ show_command() {
 			    [ $# -eq 1 ] && usage 1

 			    case $2 in
-				mangle|nat|filter|raw)
+				mangle|nat|filter|raw|rawpost)
 				    table=$2
 				    table_given=Yes
 				    ;;
@@ -576,6 +575,13 @@ show_command() {
 	    show_reset
 	    $IP6TABLES -t raw -L $g_ipt_options
 	    ;;
+	rawpost)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION rawpost Table at $g_hostname - $(date)"
+	    echo
+	    show_reset
+	    $IP6TABLES -t rawpost -L $g_ipt_options
+	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1

@@ -1520,6 +1526,7 @@ determine_capabilities() {
    CONNMARK_MATCH=
    XCONNMARK_MATCH=
    RAW_TABLE=
+    RAWPOST_TABLE=
    IPP2P_MATCH=
    OLD_IPP2P_MATCH=
    LENGTH_MATCH=
@@ -1551,6 +1558,8 @@ determine_capabilities() {
    ACCOUNT_TARGET=
    AUDIT_TARGET=
    IPSET_V5=
+    CONDITION_MATCH=
+    IPTABLES_S=

    chain=fooX$$

@@ -1664,6 +1673,7 @@ determine_capabilities() {
    fi

    qt $IP6TABLES -t raw	   -L -n && RAW_TABLE=Yes
+    qt $IP6TABLES -t rawpost	   -L -n && RAWPOST_TABLE=Yes

    if qt mywhich ipset; then
 	qt ipset -X $chain # Just in case something went wrong the last time
@@ -1701,6 +1711,8 @@ determine_capabilities() {
    qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
    qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes
    qt $IP6TABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
+    qt $IP6TABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+    qt $IP6TABLES -S INPUT && IPTABLES_S=Yes
    

    qt $IP6TABLES -F $chain
@@ -1763,6 +1775,7 @@ report_capabilities() {
 	report_capability "Connmark Match" $CONNMARK_MATCH
 	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
 	report_capability "Raw Table" $RAW_TABLE
+	report_capability "Rawpost Table" $RAWPOST_TABLE
 	report_capability "IPP2P Match" $IPP2P_MATCH
 	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
 	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
@@ -1793,6 +1806,8 @@ report_capabilities() {
 	report_capability "ACCOUNT Target" $ACCOUNT_TARGET
 	report_capability "AUDIT Target" $AUDIT_TARGET
 	report_capability "ipset V5" $IPSET_V5
+	report_capability "Condition Match" $CONDITION_MATCH
+	report_capability "ip6tables -S" $IPTABLES_S
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1829,6 +1844,7 @@ report_capabilities1() {
    report_capability1 CONNMARK_MATCH
    report_capability1 XCONNMARK_MATCH
    report_capability1 RAW_TABLE
+    report_capability1 RAWPOST_TABLE
    report_capability1 IPP2P_MATCH
    report_capability1 OLD_IPP2P_MATCH
    report_capability1 CLASSIFY_TARGET
@@ -1859,6 +1875,8 @@ report_capabilities1() {
    report_capability1 ACCOUNT_TARGET
    report_capability1 AUDIT_TARGET
    report_capability1 IPSET_V5
+    report_capability1 CONDITION_MATCH
+    report_capability1 IPTABLES_S
    
    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION    
--- a/Shorewall6/lib.common
+++ b/Shorewall6/lib.common
@@ -1,4 +1,3 @@
-#!/bin/sh
 #
 # Shorewall 4.4 -- /usr/share/shorewall6/lib.common.
 #
@@ -248,7 +247,31 @@ loadmodule() # $1 = module name, $2 - * arguments
    local modulefile
    local suffix

-    if ! list_search $modulename $MODULES $DONT_LOAD ; then
+    if [ -d /sys/module/ ]; then
+	if ! list_search $modulename $DONT_LOAD; then
+	    if [ ! -d /sys/module/$modulename ]; then
+		shift
+
+		for suffix in $MODULE_SUFFIX ; do
+		    for directory in $moduledirectories; do
+			modulefile=$directory/${modulename}.${suffix}
+
+			if [ -f $modulefile ]; then
+			    case $moduleloader in
+				insmod)
+				    insmod $modulefile $*
+				    ;;
+				*)
+				    modprobe $modulename $*
+				    ;;
+			    esac
+			    break 2
+			fi
+		    done
+		done
+	    fi
+	fi
+    elif ! list_search $modulename $MODULES $DONT_LOAD ; then
 	shift

 	for suffix in $MODULE_SUFFIX ; do
@@ -291,7 +314,7 @@ reload_kernel_modules() {
    [ -n "${MODULE_SUFFIX:=ko ko.gz o o.gz gz}" ]

    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched
-    MODULES=$(lsmod | cut -d ' ' -f1)
+    [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)

    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -335,7 +358,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)

    if [ -f $modules -a -n "$moduledirectories" ]; then
-	MODULES=$(lsmod | cut -d ' ' -f1)
+	[ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
 	progress_message "Loading Modules..."
 	. $modules
 	if [ $savemoduleinfo = Yes ]; then
@@ -395,7 +418,7 @@ find_first_interface_address() # $1 = interface
    #
    # get the line of output containing the first IP address
    #
-    addr=$(${IP:-ip} -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
+    addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
    #
    # If there wasn't one, bail out now
    #
@@ -412,7 +435,7 @@ find_first_interface_address_if_any() # $1 = interface
    #
    # get the line of output containing the first IP address
    #
-    addr=$(${IP:-ip} -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
+    addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
    #
    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
    # along with everything else on the line
--- a/Shorewall6/shorewall6.service
+++ b/Shorewall6/shorewall6.service
@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#
+#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#
+[Unit]
+Description=Shorewall IPv6 firewall
+After=syslog.target
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall6
+StandardOutput=syslog
+ExecStart=/sbin/shorewall6 $OPTIONS start
+ExecReload=/sbin/shorewall6 $OPTIONS restart
+ExecStop=/sbin/shorewall6 $OPTIONS stop
+
+[Install]
+WantedBy=multi-user.target
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -93,6 +93,8 @@ if [ -n "$FIREWALL" ]; then
        insserv -r $FIREWALL
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
+    elif [ -x /sbin/systemctl ]; then
+	systemctl disable shorewall6
    else
 	rm -f /etc/rc*.d/*$(basename $FIREWALL)
    fi
@@ -114,6 +116,7 @@ rm -rf /usr/share/shorewall6-*.bkout
 rm -rf /usr/share/man/man5/shorewall6*
 rm -rf /usr/share/man/man8/shorewall6*
 rm -f  /etc/logrotate.d/shorewall6
+rm -f  /lib/systemd/system/shorewall6.service

 echo "Shorewall6 Uninstalled"

--- a/docs/Anatomy.xml
+++ b/docs/Anatomy.xml
@@ -122,7 +122,7 @@
        <listitem>
          <para><filename class="directory">configfiles</filename> - A
          directory containing configuration files to copy to create a <ulink
-          url="CompiledPrograms.html#Lite">Shorewall-lite export
+          url="Shorewall-Lite.html">Shorewall-lite export
          directory.</ulink></para>
        </listitem>

@@ -335,7 +335,7 @@
        <listitem>
          <para><filename class="directory">configfiles</filename> - A
          directory containing configuration files to copy to create a <ulink
-          url="CompiledPrograms.html#Lite">Shorewall6-lite export
+          url="Shorewall-Lite.html">Shorewall6-lite export
          directory.</ulink></para>
        </listitem>

@@ -535,7 +535,7 @@
        <listitem>
          <para><filename>shorecap</filename> - A shell program used for
          generating capabilities files. See the <ulink
-          url="CompiledPrograms.html#Lite">Shorewall-lite
+          url="Shorewall-Lite.html">Shorewall-lite
          documentation</ulink>.</para>
        </listitem>

@@ -725,7 +725,7 @@
        <listitem>
          <para><filename>shorecap</filename> - A shell program used for
          generating capabilities files. See the <ulink
-          url="CompiledPrograms.html#Lite">Shorewall-lite
+          url="Shorewall-Lite.html">Shorewall-lite
          documentation</ulink>.</para>
        </listitem>

--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2001-2010</year>
+      <year>2001-2011</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -54,12 +54,23 @@
    <informaltable frame="none">
      <tgroup align="left" cols="3">
        <tbody>
+          <row>
+            <entry></entry>
+
+            <entry><ulink url="LXC.html">Linux Containers
+            (LXC)</ulink></entry>
+
+            <entry><ulink url="Laptop.html">Shorewall on a
+            Laptop</ulink></entry>
+          </row>
+
          <row>
            <entry><ulink url="6to4.htm">6to4 and 6in4 Tunnels</ulink></entry>

            <entry><ulink url="Vserver.html">Linux-vserver</ulink></entry>

-            <entry></entry>
+            <entry><ulink url="Shorewall-perl.html">Shorewall
+            Perl</ulink></entry>
          </row>

          <row>
@@ -68,8 +79,8 @@
            <entry><ulink url="ConnectionRate.html">Limiting Connection
            Rates</ulink></entry>

-            <entry><ulink url="Shorewall-perl.html">Shorewall
-            Perl</ulink></entry>
+            <entry><ulink url="shorewall_setup_guide.htm">Shorewall Setup
+            Guide</ulink></entry>
          </row>

          <row>
@@ -77,8 +88,7 @@

            <entry><ulink url="shorewall_logging.html">Logging</ulink></entry>

-            <entry><ulink url="shorewall_setup_guide.htm">Shorewall Setup
-            Guide</ulink></entry>
+            <entry><ulink url="samba.htm">SMB</ulink></entry>
          </row>

          <row>
@@ -87,7 +97,9 @@

            <entry><ulink url="Macros.html">Macros</ulink></entry>

-            <entry><ulink url="samba.htm">SMB</ulink></entry>
+            <entry><ulink url="two-interface.htm#SNAT">SNAT</ulink>
+            (<firstterm>Source Network Address
+            Translation</firstterm>)</entry>
          </row>

          <row>
@@ -97,9 +109,8 @@
            <entry><ulink url="MAC_Validation.html">MAC
            Verification</ulink></entry>

-            <entry><ulink url="two-interface.htm#SNAT">SNAT</ulink>
-            (<firstterm>Source Network Address
-            Translation</firstterm>)</entry>
+            <entry><ulink url="SplitDNS.html">Split DNS the Easy
+            Way</ulink></entry>
          </row>

          <row>
@@ -108,8 +119,8 @@

            <entry><ulink url="Manpages.html">Man Pages</ulink></entry>

-            <entry><ulink url="SplitDNS.html">Split DNS the Easy
-            Way</ulink></entry>
+            <entry><ulink url="Shorewall_Squid_Usage.html">Squid with
+            Shorewall</ulink></entry>
          </row>

          <row>
@@ -119,8 +130,9 @@
            <entry><ulink url="ManualChains.html">Manual
            Chains</ulink></entry>

-            <entry><ulink url="Shorewall_Squid_Usage.html">Squid with
-            Shorewall</ulink></entry>
+            <entry><ulink
+            url="starting_and_stopping_shorewall.htm">Starting/stopping the
+            Firewall</ulink></entry>
          </row>

          <row>
@@ -130,9 +142,8 @@
            <entry><ulink
            url="two-interface.htm#SNAT">Masquerading</ulink></entry>

-            <entry><ulink
-            url="starting_and_stopping_shorewall.htm">Starting/stopping the
-            Firewall</ulink></entry>
+            <entry><ulink url="NAT.htm">Static (one-to-one)
+            NAT</ulink></entry>
          </row>

          <row>
@@ -140,11 +151,9 @@
            url="bridge-Shorewall-perl.html">Bridge/Firewall</ulink></entry>

            <entry><ulink url="MultiISP.html">Multiple Internet Connections
-            from a Single Firewall</ulink> (<ulink
-            url="MultiISP_ru.html">Russian</ulink>)</entry>
+            from a Single Firewall</ulink></entry>

-            <entry><ulink url="NAT.htm">Static (one-to-one)
-            NAT</ulink></entry>
+            <entry><ulink url="support.htm">Support</ulink></entry>
          </row>

          <row>
@@ -154,7 +163,8 @@
            <entry><ulink url="Multiple_Zones.html">Multiple Zones Through One
            Interface</ulink></entry>

-            <entry><ulink url="support.htm">Support</ulink></entry>
+            <entry><ulink url="configuration_file_basics.htm">Tips and
+            Hints</ulink></entry>
          </row>

          <row>
@@ -164,27 +174,16 @@
            <entry><ulink url="MyNetwork.html">My Shorewall
            Configuration</ulink></entry>

-            <entry><ulink url="configuration_file_basics.htm">Tips and
-            Hints</ulink></entry>
+            <entry></entry>
          </row>

          <row>
-            <entry><ulink
-            url="starting_and_stopping_shorewall.htm">Commands</ulink></entry>
+            <entry><ulink url="CompiledPrograms.html"><ulink
+            url="starting_and_stopping_shorewall.htm">Commands</ulink></ulink></entry>

            <entry><ulink url="NetfilterOverview.html">Netfilter
            Overview</ulink></entry>

-            <entry><ulink url="Accounting.html">Traffic
-            Accounting</ulink></entry>
-          </row>
-
-          <row>
-            <entry><ulink url="CompiledPrograms.html">Compiled Firewall
-            Programs</ulink></entry>
-
-            <entry><ulink url="netmap.html">Network Mapping</ulink></entry>
-
            <entry><ulink url="simple_traffic_shaping.html">Traffic
            Shaping/QOS - Simple</ulink></entry>
          </row>
@@ -193,8 +192,7 @@
            <entry><ulink url="configuration_file_basics.htm">Configuration
            File Basics</ulink></entry>

-            <entry><ulink url="NAT.htm">One-to-one NAT</ulink> (Static
-            NAT)</entry>
+            <entry><ulink url="netmap.html">Network Mapping</ulink></entry>

            <entry><ulink url="traffic_shaping.htm">Traffic Shaping/QOS -
            Complex</ulink></entry>
@@ -204,7 +202,7 @@
            <entry><ulink url="dhcp.htm">DHCP</ulink></entry>

            <entry><ulink url="Multiple_Zones.html"><ulink
-            url="OPENVPN.html">OpenVPN</ulink></ulink></entry>
+            url="NAT.htm">One-to-one NAT</ulink> (Static NAT)</ulink></entry>

            <entry><ulink url="Shorewall_Squid_Usage.html">Transparent
            Proxy</ulink></entry>
@@ -215,7 +213,7 @@
            url="two-interface.htm#DNAT">DNAT</ulink> (<firstterm>Destination
            Network Address Translation</firstterm>)</ulink></entry>

-            <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
+            <entry><ulink url="OPENVPN.html">OpenVPN</ulink></entry>

            <entry><ulink url="UPnP.html">UPnP</ulink></entry>
          </row>
@@ -223,8 +221,7 @@
          <row>
            <entry><ulink url="Dynamic.html">Dynamic Zones</ulink></entry>

-            <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
-            Shorewall</ulink></entry>
+            <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>

            <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>
          </row>
@@ -233,8 +230,8 @@
            <entry><ulink url="ECN.html">ECN Disabling by host or
            subnet</ulink></entry>

-            <entry><ulink url="PacketMarking.html">Packet
-            Marking</ulink></entry>
+            <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
+            Shorewall</ulink></entry>

            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
@@ -245,8 +242,8 @@
            url="shorewall_extension_scripts.htm">Extension Scripts</ulink>
            (User Exits)</ulink></entry>

-            <entry><ulink url="PacketHandling.html">Packet Processing in a
-            Shorewall-based Firewall</ulink></entry>
+            <entry><ulink url="PacketMarking.html">Packet
+            Marking</ulink></entry>

            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
          </row>
@@ -255,7 +252,8 @@
            <entry><ulink
            url="fallback.htm">Fallback/Uninstall</ulink></entry>

-            <entry><ulink url="ping.html">'Ping' Management</ulink></entry>
+            <entry><ulink url="PacketHandling.html">Packet Processing in a
+            Shorewall-based Firewall</ulink></entry>

            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
          </row>
@@ -263,8 +261,7 @@
          <row>
            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>

-            <entry><ulink url="two-interface.htm#DNAT">Port
-            Forwarding</ulink></entry>
+            <entry><ulink url="ping.html">'Ping' Management</ulink></entry>

            <entry><ulink url="blacklisting_support.htm#whitelisting">White
            List Creation</ulink></entry>
@@ -274,7 +271,8 @@
            <entry><ulink
            url="shorewall_features.htm">Features</ulink></entry>

-            <entry><ulink url="ports.htm">Port Information</ulink></entry>
+            <entry><ulink url="two-interface.htm#DNAT">Port
+            Forwarding</ulink></entry>

            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
            DomU</ulink></entry>
@@ -284,8 +282,7 @@
            <entry><ulink url="Multiple_Zones.html">Forwarding Traffic on the
            Same Interface</ulink></entry>

-            <entry><ulink url="PortKnocking.html">Port Knocking and Other Uses
-            of the 'Recent Match'</ulink></entry>
+            <entry><ulink url="ports.htm">Port Information</ulink></entry>

            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
            Xen Dom0</ulink></entry>
@@ -294,7 +291,8 @@
          <row>
            <entry><ulink url="FTP.html">FTP and Shorewall</ulink></entry>

-            <entry><ulink url="PPTP.htm">PPTP</ulink></entry>
+            <entry><ulink url="PortKnocking.html">Port Knocking and Other Uses
+            of the 'Recent Match'</ulink></entry>

            <entry></entry>
          </row>
@@ -303,7 +301,7 @@
            <entry><ulink url="FoolsFirewall.html">Fool's
            Firewall</ulink></entry>

-            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>
+            <entry><ulink url="PPTP.htm">PPTP</ulink></entry>

            <entry></entry>
          </row>
@@ -312,8 +310,7 @@
            <entry><ulink url="support.htm">Getting help or answers to
            questions</ulink></entry>

-            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
-            Guides</ulink></entry>
+            <entry><ulink url="ProxyARP.htm">Proxy ARP</ulink></entry>

            <entry></entry>
          </row>
@@ -322,7 +319,8 @@
            <entry><ulink
            url="Install.htm">Installation/Upgrade</ulink></entry>

-            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>
+            <entry><ulink url="shorewall_quickstart_guide.htm">QuickStart
+            Guides</ulink></entry>

            <entry></entry>
          </row>
@@ -330,6 +328,14 @@
          <row>
            <entry><ulink url="IPP2P.html">IPP2P</ulink></entry>

+            <entry><ulink url="NewRelease.html">Release Model</ulink></entry>
+
+            <entry></entry>
+          </row>
+
+          <row>
+            <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
+
            <entry><ulink
            url="shorewall_prerequisites.htm">Requirements</ulink></entry>

@@ -337,7 +343,7 @@
          </row>

          <row>
-            <entry><ulink url="IPSEC-2.6.html">IPSEC</ulink></entry>
+            <entry><ulink url="ipsets.html">Ipsets</ulink></entry>

            <entry><ulink url="Shorewall_and_Routing.html">Routing and
            Shorewall</ulink></entry>
@@ -346,7 +352,7 @@
          </row>

          <row>
-            <entry><ulink url="ipsets.html">Ipsets</ulink></entry>
+            <entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>

            <entry><ulink url="Multiple_Zones.html">Routing on One
            Interface</ulink></entry>
@@ -354,20 +360,11 @@
            <entry></entry>
          </row>

-          <row>
-            <entry><ulink url="IPv6Support.html">IPv6 Support</ulink></entry>
-
-            <entry><ulink url="samba.htm">Samba</ulink></entry>
-
-            <entry></entry>
-          </row>
-
          <row>
            <entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
            Filtering</ulink></entry>

-            <entry><ulink url="Shorewall-init.html">Shorewall
-            Init</ulink></entry>
+            <entry><ulink url="samba.htm">Samba</ulink></entry>

            <entry></entry>
          </row>
@@ -376,8 +373,8 @@
            <entry><ulink url="kernel.htm">Kernel
            Configuration</ulink></entry>

-            <entry><ulink url="CompiledPrograms.html#Lite">Shorewall
-            Lite</ulink></entry>
+            <entry><ulink url="Shorewall-init.html">Shorewall
+            Init</ulink></entry>

            <entry></entry>
          </row>
@@ -386,8 +383,8 @@
            <entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
            Machine)</ulink></entry>

-            <entry><ulink url="Laptop.html">Shorewall on a
-            Laptop</ulink></entry>
+            <entry><ulink url="Shorewall-Lite.html">Shorewall
+            Lite</ulink></entry>

            <entry></entry>
          </row>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -1596,7 +1596,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
        </varlistentry>

        <varlistentry>
-          <term>filter</term>
+          <term>sfilter</term>

          <listitem>
            <para>On systems running Shorewall 4.4.20 or later, either the
@@ -1604,7 +1604,7 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
            url="manpages/shorewall-interfaces.html">interface option</ulink>
            or it is being routed out of the same interface on which it
            arrived and the interface does not have the
-            <option>routeback</option> <ulink
+            <option>routeback</option> or <option>routefilter</option> <ulink
            url="manpages/shorewall-interfaces.html">interface
            option</ulink>.</para>
          </listitem>
@@ -2000,7 +2000,11 @@ Creating input Chains...
      <para>Beginning with Shorewall 4.4, when the Shorewall tarballs are
      installed on a Debian (or derivative) system, the
      <filename>/etc/init.d/shorewall</filename> file is the same as would be
-      installed by the .deb.</para>
+      installed by the .deb. The behavior of <command>/etc/init.d/shorewall
+      stop</command> is controlled by the setting of SAFESTOP in
+      <filename>/etc/default/shorewall</filename>. When set to 0 (the
+      default), the firewall is cleared; when set to 1, the firewall is placed
+      in a safe state.</para>
    </section>

    <section id="faq78">
@@ -2188,6 +2192,47 @@ We have an error talking to the kernel
          <member>sch_sfq</member>
        </simplelist></para>
    </section>
+
+    <section id="faq97">
+      <title>(FAQ 97) I enable Shorewall traffic shaping and now my upload
+      rate is way below what I specified</title>
+
+      <para><emphasis role="bold">Answer</emphasis>: This is likely due to TCP
+      Segmentation Offload (TSO) and/or Generic Segmentation Offload (GSO)
+      being enabled in the network adapter. To verify, install the
+      <firstterm>ethtool</firstterm> package and use the -k command:</para>
+
+      <programlisting>root@gateway:~# ethtool -k eth1
+Offload parameters for eth1:
+rx-checksumming: on
+tx-checksumming: on
+scatter-gather: on
+tcp-segmentation-offload: <emphasis role="bold">on</emphasis>
+udp-fragmentation-offload: off
+generic-segmentation-offload: <emphasis role="bold">on</emphasis>
+generic-receive-offload: off
+large-receive-offload: off
+ntuple-filters: off
+receive-hashing: off
+root@gateway:~#</programlisting>
+
+      <para>If that is the case, you can correct the problem by adjusting the
+      <replaceable>minburst</replaceable> setting in
+      /etc/shorewall/tcinterfaces (complex traffic shaping) or
+      /etc/shorewall/tcdevices (simple traffic shaping). We suggest starting
+      at 10-12kb and adjust as necessary. Example (simple traffic
+      shaping):</para>
+
+      <programlisting>#INTERFACE	TYPE		IN-BANDWIDTH			OUT-BANDWIDTH
+eth0		External	50mbit:200kb			5.0mbit:100kb:200ms:100mbit:<emphasis
+          role="bold">10kb</emphasis>
+</programlisting>
+
+      <para>Alternatively, you can turn off TSO and GSO using this command in
+      <filename>/etc/shorewall/init</filename>:</para>
+
+      <programlisting><emphasis role="bold">ethtool -k eth<emphasis>N</emphasis> tso off gso off</emphasis></programlisting>
+    </section>
  </section>

  <section id="About">
@@ -2372,7 +2417,7 @@ etc...</programlisting>
      <para><emphasis role="bold">Answer:</emphasis> Shorewall Lite is a
      companion product to Shorewall and is designed to allow you to maintain
      all Shorewall configuration information on a single system within your
-      network. See the <ulink url="CompiledPrograms.html#Lite">Compiled
+      network. See the <ulink url="Shorewall-Lite.html">Compiled
      Firewall script documentation</ulink> for details.</para>
    </section>

--- a/docs/Macros.xml
+++ b/docs/Macros.xml
@@ -70,9 +70,9 @@
    <orderedlist>
      <listitem>
        <para>Standard Macros. These macros are released as part of Shorewall.
-        They are defined in macros.* files in <filename
+        They are defined in macro.* files in <filename
        class="directory">/usr/share/shorewall</filename>. Each
-        <filename>macros.*</filename> file has a comment at the beginning of
+        <filename>macro.*</filename> file has a comment at the beginning of
        the file that describes what the macro does. As an example, here is
        the definition of the <firstterm>SMB</firstterm> standard
        macro.</para>
@@ -101,8 +101,8 @@ PARAM    -              -               tcp     135,139,445

      <listitem>
        <para>User-defined Macros. These macros are created by end-users. They
-        are defined in macros.* files in /etc/shorewall or in another
-        directory listed in your CONFIG_PATH (defined in <ulink
+        are defined in macro.* files in /etc/shorewall or in another directory
+        listed in your CONFIG_PATH (defined in <ulink
        url="manpages/shorewall.conf.html">/etc/shorewall/shorewall.conf</ulink>).</para>
      </listitem>
    </orderedlist>
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -535,8 +535,10 @@
                  is given without a <replaceable>weight</replaceable>, a
                  separate default route is added through the provider's
                  gateway; the route has a metric equal to the provider's
-                  NUMBER. The option is ignored with a warning message if
-                  USE_DEFAULT_RT=Yes in
+                  NUMBER.</para>
+
+                  <para>Prior to Shorewall 4.4.24, the option is ignored with
+                  a warning message if USE_DEFAULT_RT=Yes in
                  <filename>shorewall.conf</filename>.</para>
                </listitem>
              </varlistentry>
@@ -1726,7 +1728,7 @@ defaults {
  min_successive_pkts_rcvd=10
  interval_ms=2000
  timeout_ms=2000
-  warn_email=teastep@shorewall.net
+  warn_email=you@yourdomain.com
  check_arp=0
  sourceip=
  ttl=0
@@ -1803,7 +1805,81 @@ echo $state &gt; ${VARDIR}/${DEVICE}.status

 exit 0

-#EOF</programlisting>:</para>
+#EOF</programlisting>Beginning with Shorewall 4.4.23, it is not necessary to
+        restart the firewall when an interface transitions between the usable
+        and unusable
+        states.<filename>/etc/lsm/script</filename><programlisting>#!/bin/sh
+#
+# (C) 2009 Mika Ilmaranta &lt;ilmis@nullnet.fi&gt;
+# (C) 2009 Tom Eastep &lt;teastep@shorewall.net&gt;
+#
+# License: GPLv2
+#
+
+STATE=${1}
+NAME=${2}
+CHECKIP=${3}
+DEVICE=${4}
+WARN_EMAIL=${5}
+REPLIED=${6}
+WAITING=${7}
+TIMEOUT=${8}
+REPLY_LATE=${9}
+CONS_RCVD=${10}
+CONS_WAIT=${11}
+CONS_MISS=${12}
+AVG_RTT=${13}
+
+if [ -f /usr/share/shorewall-lite/lib.base ]; then
+    VARDIR=/var/lib/shorewall-lite
+    STATEDIR=/etc/shorewall-lite
+else
+    VARDIR=/var/lib/shorewall
+    STATEDIR=/etc/shorewall
+fi
+
+[ -f ${STATEDIR}/vardir ] &amp;&amp; . ${STATEDIR}/vardir
+
+cat &lt;&lt;EOM | mail -s "${NAME} ${STATE}, DEV ${DEVICE}" ${WARN_EMAIL}
+
+Hi,
+
+Connection ${NAME} is now ${STATE}.
+
+Following parameters were passed:
+newstate     = ${STATE}
+name         = ${NAME}
+checkip      = ${CHECKIP}
+device       = ${DEVICE}
+warn_email   = ${WARN_EMAIL}
+
+Packet counters:
+replied      = ${REPLIED} packets replied
+waiting      = ${WAITING} packets waiting for reply
+timeout      = ${TIMEOUT} packets that have timed out (= packet loss)
+reply_late   = ${REPLY_LATE} packets that received a reply after timeout
+cons_rcvd    = ${CONS_RCVD} consecutively received replies in sequence
+cons_wait    = ${CONS_WAIT} consecutive packets waiting for reply
+cons_miss    = ${CONS_MISS} consecutive packets that have timed out
+avg_rtt      = ${AVG_RTT} average rtt, notice that waiting and timed out packets have rtt = 0 when calculating this
+
+Your LSM Daemon
+
+EOM
+
+<emphasis role="bold">if [ ${STATE} = up ]; then
+   echo 0 &gt; ${VARDIR}/${DEVICE}.status
+  ${VARDIR}/firewall enable ${DEVICE}
+else
+   echo 1 &gt; ${VARDIR}/${DEVICE}.status
+   ${VARDIR}/firewall disable ${DEVICE}
+fi
+</emphasis>
+/sbin/shorewall show routing &gt;&gt; /var/log/lsm
+
+exit 0
+
+#EOF</programlisting></para>
      </section>
    </section>

--- a/docs/OpenVZ.xml
+++ b/docs/OpenVZ.xml
@@ -489,6 +489,12 @@ loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1
    <section>
      <title>Shorewall Configuration on Server</title>

+      <warning>
+        <para>If you are running Debian Squeeze, Shorewall will not work in an
+        OpenVZ container. This is a Debian OpenVZ issue and not a Shorewall
+        issue.</para>
+      </warning>
+
      <para>I have set up Shorewall on Server (206.124.146.178) just to have
      an environment to test with. It is a quite vanilla one-interface
      configuration.</para>
--- a/docs/PortKnocking.xml
+++ b/docs/PortKnocking.xml
@@ -108,7 +108,7 @@ if ( $level ) {
                    '',
                    $tag,
                    'add',
-                    '-p tcp --dport ! 22 ' );
+                    '-p tcp ! --dport 22 ' );
 }

 add_rule( $chainref, '-p tcp --dport 22   -m recent --rcheck --seconds 60 --name SSH          -j ACCEPT' );
--- a/docs/ProxyARP.xml
+++ b/docs/ProxyARP.xml
@@ -305,7 +305,7 @@ shorewall start</programlisting>
    <title>IPv6 - Proxy NDP</title>

    <para>The IPv6 analog of Proxy ARP is Proxy NDP (Neighbor Discovery
-    Protocol). Begiinning with Shorewall 4.4.16, Shorewall6 supports Proxy NDP
+    Protocol). Beginning with Shorewall 4.4.16, Shorewall6 supports Proxy NDP
    in a manner similar to Proxy ARP support in Shorewall:</para>

    <itemizedlist>
@@ -328,8 +328,8 @@ shorewall start</programlisting>
    discoverey requests for IPv6 addresses configured on the interface
    receiving the request. So if eth0 has address 2001:470:b:227::44/128 and
    eth1 has address 2001:470:b:227::1/64 then in order for eth1 to respond to
-    neighbor discovery requests for 2001:470:b:227::44, the following entry in
-    /etc/shorewall6/proxyndp is required:</para>
+    neighbor discoverey requests for 2001:470:b:227::44, the following entry
+    in /etc/shorewall6/proxyndp is required:</para>

    <programlisting>#ADDRESS	          INTERFACE    EXTERNAL    HAVEROUTE    PERSISTENT
 2001:470:b:227::44 -            eth1        Yes</programlisting>
--- a/docs/Shorewall-Lite.xml
+++ b/docs/Shorewall-Lite.xml
@@ -0,0 +1,781 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Shorewall Lite</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2006-2011</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <caution>
+    <para><emphasis role="bold">This article applies to Shorewall 4.3 and
+    later. If you are running a version of Shorewall earlier than Shorewall
+    4.3.5 then please see the documentation appropriate for your
+    version.</emphasis></para>
+  </caution>
+
+  <section id="Overview">
+    <title>Overview</title>
+
+    <para>Shorewall has the capability to compile a Shorewall configuration
+    and produce a runnable firewall program script. The script is a complete
+    program which can be placed on a system with <emphasis>Shorewall
+    Lite</emphasis> installed and can serve as the firewall creation script
+    for that system.</para>
+
+    <section id="Lite">
+      <title>Shorewall Lite</title>
+
+      <para>Shorewall Lite is a companion product to Shorewall and is designed
+      to allow you to maintain all Shorewall configuration information on a
+      single system within your network.</para>
+
+      <orderedlist numeration="loweralpha">
+        <listitem>
+          <para>You install the full Shorewall release on one system within
+          your network. You need not configure Shorewall there and you may
+          totally disable startup of Shorewall in your init scripts. For ease
+          of reference, we call this system the 'administrative
+          system'.</para>
+
+          <para>The administrative system may be a GNU/Linux system, a Windows
+          system running <ulink url="http://www.cygwin.com/">Cygwin</ulink> or
+          an <ulink url="http://www.apple.com/mac/">Apple MacIntosh</ulink>
+          running OS X. Install from a shell prompt <ulink
+          url="Install.htm">using the install.sh script</ulink>.</para>
+        </listitem>
+
+        <listitem>
+          <para>On each system where you wish to run a Shorewall-generated
+          firewall, you install Shorewall Lite. For ease of reference, we will
+          call these systems the 'firewall systems'.</para>
+
+          <note>
+            <para>The firewall systems do <emphasis role="bold">NOT</emphasis>
+            need to have the full Shorewall product installed but rather only
+            the Shorewall Lite product. Shorewall and Shorewall Lite may be
+            installed on the same system but that isn't encouraged.</para>
+          </note>
+        </listitem>
+
+        <listitem>
+          <para>On the administrative system you create a separate 'export
+          directory' for each firewall system. You copy the contents of
+          <filename
+          class="directory">/usr/share/shorewall/configfiles</filename> into
+          each export directory.</para>
+
+          <note>
+            <para>Users of Debian and derivatives that install the package
+            from their distribution will be disappointed to find that
+            <filename
+            class="directory">/usr/share/shorewall/configfiles</filename> does
+            not exist on their systems. They will instead need to
+            either:</para>
+
+            <itemizedlist>
+              <listitem>
+                <para>Copy the files in
+                /usr/share/doc/shorewall/default-config/ into each export
+                directory.</para>
+              </listitem>
+
+              <listitem>
+                <para>Copy /etc/shorewall/shorewall.conf into each export
+                directory and remove /etc/shorewall from the CONFIG_PATH
+                setting in the copied files.</para>
+              </listitem>
+            </itemizedlist>
+
+            <para>or</para>
+
+            <itemizedlist>
+              <listitem>
+                <para>Download the Shorewall tarball corresponding to their
+                package version.</para>
+              </listitem>
+
+              <listitem>
+                <para>Untar and copy the files from the
+                <filename>configfiles</filename> sub-directory in the untarred
+                <filename>shorewall-...</filename> directory.</para>
+              </listitem>
+            </itemizedlist>
+          </note>
+
+          <para>After copying, you may need to change two setting in the copy
+          of shorewall.conf:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>CONFIG_PATH=/usr/share/shorewall</para>
+            </listitem>
+
+            <listitem>
+              <para>STARTUP_LOG=/var/log/shorewall-lite-init.log</para>
+            </listitem>
+          </itemizedlist>
+
+          <para>Older versions of Shorewall included copies of shorewall.conf
+          with these settings already modified. This practice was discontinued
+          in Shorewall 4.4.20.1.</para>
+        </listitem>
+
+        <listitem>
+          <para>The <filename>/etc/shorewall/shorewall.conf</filename> file is
+          used to determine the VERBOSITY setting which determines how much
+          output the compiler generates. All other settings are taken from the
+          <filename>shorewall.conf </filename>file in the remote systems
+          export directory.</para>
+
+          <caution>
+            <para>If you want to be able to allow non-root users to manage
+            remote firewall systems, then the files
+            <filename>/etc/shorewall/params</filename> and
+            <filename>/etc/shorewall/shorewall.conf</filename> must be
+            readable by all users on the administrative system. Not all
+            packages secure the files that way and you may have to change the
+            file permissions yourself.</para>
+          </caution>
+        </listitem>
+
+        <listitem id="Debian">
+          <para>On each firewall system, If you are running Debian or one of
+          its derivatives like Ubuntu then edit
+          <filename>/etc/default/shorewall-lite</filename> and set
+          startup=1.</para>
+        </listitem>
+
+        <listitem>
+          <para>On the administrative system, for each firewall system you do
+          the following (this may be done by a non-root user who has root ssh
+          access to the firewall system):</para>
+
+          <orderedlist>
+            <listitem>
+              <para>modify the files in the corresponding export directory
+              appropriately (i.e., <emphasis>just as you would if you were
+              configuring Shorewall on the firewall system itself</emphasis>).
+              It's a good idea to include the IP address of the administrative
+              system in the <ulink
+              url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
+              file</ulink>.</para>
+
+              <para>It is important to understand that with Shorewall Lite,
+              the firewall's export directory on the administrative system
+              acts as <filename class="directory">/etc/shorewall</filename>
+              for that firewall. So when the Shorewall documentation gives
+              instructions for placing entries in files in the firewall's
+              <filename class="directory">/etc/shorewall</filename>, when
+              using Shorewall Lite you make those changes in the firewall's
+              export directory on the administrative system.</para>
+
+              <para>The CONFIG_PATH variable is treated as follows:</para>
+
+              <itemizedlist>
+                <listitem>
+                  <para>The value of CONFIG_PATH in
+                  <filename>/etc/shorewall/shorewall.conf</filename> is
+                  ignored when compiling for export (the -e option in given)
+                  and when the <command>load</command> or
+                  <command>reload</command> command is being executed (see
+                  below).</para>
+                </listitem>
+
+                <listitem>
+                  <para>The value of CONFIG_PATH in the
+                  <filename>shorewall.conf</filename> file in the export
+                  directory is used to search for configuration files during
+                  compilation of that configuration.</para>
+                </listitem>
+
+                <listitem>
+                  <para>The value of CONFIG_PATH used when the script is run
+                  on the firewall system is
+                  "/etc/shorewall-lite:/usr/share/shorewall-lite".</para>
+                </listitem>
+              </itemizedlist>
+            </listitem>
+
+            <listitem>
+              <programlisting><command>cd &lt;export directory&gt;</command>
+<command>/sbin/shorewall load firewall</command></programlisting>
+
+              <para>The <ulink
+              url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
+              command compiles a firewall script from the configuration files
+              in the current working directory (using <command>shorewall
+              compile -e</command>), copies that file to the remote system via
+              scp and starts Shorewall Lite on the remote system via
+              ssh.</para>
+
+              <para>Example (firewall's DNS name is 'gateway'):</para>
+
+              <para><command>/sbin/shorewall load gateway</command><note>
+                  <para>Although scp and ssh are used by default, you can use
+                  other utilities by setting RSH_COMMAND and RCP_COMMAND in
+                  <filename>/etc/shorewall/shorewall.conf</filename>.</para>
+                </note></para>
+
+              <para>The first time that you issue a <command>load</command>
+              command, Shorewall will use ssh to run
+              <filename>/usr/share/shorewall-lite/shorecap</filename> on the
+              remote firewall to create a capabilities file in the firewall's
+              administrative direction. See <link
+              linkend="Shorecap">below</link>.</para>
+            </listitem>
+          </orderedlist>
+        </listitem>
+
+        <listitem>
+          <para>If you later need to change the firewall's configuration,
+          change the appropriate files in the firewall's export directory
+          then:</para>
+
+          <programlisting><command>cd &lt;export directory&gt;</command>
+<command>/sbin/shorewall reload firewall</command></programlisting>
+
+          <para>The <ulink
+          url="manpages/shorewall.html"><command>reload</command></ulink>
+          command compiles a firewall script from the configuration files in
+          the current working directory (using <command>shorewall compile
+          -e</command>), copies that file to the remote system via scp and
+          restarts Shorewall Lite on the remote system via ssh. The <emphasis
+          role="bold">reload</emphasis> command also supports the '-c'
+          option.</para>
+        </listitem>
+      </orderedlist>
+
+      <para>There is a <filename>shorewall-lite.conf</filename> file installed
+      as part of Shorewall Lite
+      (<filename>/etc/shorewall-lite/shorewall-lite.conf</filename>). You can
+      use that file on the firewall system to override some of the settings
+      from the shorewall.conf file in the export directory.</para>
+
+      <para>Settings that you can override are:</para>
+
+      <blockquote>
+        <simplelist>
+          <member>VERBOSITY</member>
+
+          <member>LOGFILE</member>
+
+          <member>LOGFORMAT</member>
+
+          <member>IPTABLES</member>
+
+          <member>PATH</member>
+
+          <member>SHOREWALL_SHELL</member>
+
+          <member>SUBSYSLOCK</member>
+
+          <member>RESTOREFILE</member>
+        </simplelist>
+      </blockquote>
+
+      <para>You will normally never touch
+      <filename>/etc/shorewall-lite/shorewall-lite.conf</filename> unless you
+      run Debian or one of its derivatives (see <link
+      linkend="Debian">above</link>).</para>
+
+      <para>The <filename>/sbin/shorewall-lite</filename> program included
+      with Shorewall Lite supports the same set of commands as the
+      <filename>/sbin/shorewall</filename> program in a full Shorewall
+      installation with the following exceptions:</para>
+
+      <blockquote>
+        <simplelist>
+          <member>add</member>
+
+          <member>compile</member>
+
+          <member>delete</member>
+
+          <member>refresh</member>
+
+          <member>reload</member>
+
+          <member>try</member>
+
+          <member>safe-start</member>
+
+          <member>safe-restart</member>
+
+          <member>show actions</member>
+
+          <member>show macros</member>
+        </simplelist>
+      </blockquote>
+
+      <para>On systems with only Shorewall Lite installed, I recommend that
+      you create a symbolic link <filename>/sbin/shorewall</filename> and
+      point it at <filename>/sbin/shorewall-lite</filename>. That way, you can
+      use <command>shorewall</command> as the command regardless of which
+      product is installed.</para>
+
+      <blockquote>
+        <programlisting><command>ln -sf shorewall-lite /sbin/shorewall</command></programlisting>
+      </blockquote>
+
+      <section>
+        <title>Module Loading</title>
+
+        <para>As with a normal Shorewall configuration, the shorewall.conf
+        file can specify LOAD_HELPERS_ONLY which determines if the
+        <filename>modules</filename> file (LOAD_HELPERS_ONLY=No) or
+        <filename>helpers</filename> file (LOAD_HELPERS_ONLY=Yes) is used.
+        Normally, the file on the firewall system is used. If you want to
+        specify modules at compile time on the Administrative System, then you
+        must place a copy of the appropriate file
+        (<filename>modules</filename> or <filename>helpers</filename>) in the
+        firewall's configuration directory before compilation.</para>
+
+        <para>In Shorewall 4.4.17, the EXPORTMODULES option was added to
+        shorewall.conf (and shorewall6.conf). When EXPORTMODULES=Yes, any
+        <filename>modules</filename> or <filename>helpers</filename> file
+        found on the CONFIG_PATH on the Administrative System during
+        compilation will be used.</para>
+      </section>
+
+      <section id="Converting">
+        <title>Converting a system from Shorewall to Shorewall Lite</title>
+
+        <para>Converting a firewall system that is currently running Shorewall
+        to run Shorewall Lite instead is straight-forward.</para>
+
+        <orderedlist numeration="loweralpha">
+          <listitem>
+            <para>On the administrative system, create an export directory for
+            the firewall system.</para>
+          </listitem>
+
+          <listitem>
+            <para>Copy the contents of <filename
+            class="directory">/etc/shorewall/</filename> from the firewall
+            system to the export directory on the administrative
+            system.</para>
+          </listitem>
+
+          <listitem>
+            <para>On the firewall system:</para>
+
+            <para>Be sure that the IP address of the administrative system is
+            included in the firewall's export directory
+            <filename>routestopped</filename> file.</para>
+
+            <programlisting><command>shorewall stop</command></programlisting>
+
+            <para><emphasis role="bold">We recommend that you uninstall
+            Shorewall at this point.</emphasis></para>
+          </listitem>
+
+          <listitem>
+            <para>Install Shorewall Lite on the firewall system.</para>
+
+            <para>If you are running Debian or one of its derivatives like
+            Ubuntu then edit <filename>/etc/default/shorewall-lite</filename>
+            and set startup=1.</para>
+          </listitem>
+
+          <listitem>
+            <para>On the administrative system:</para>
+
+            <para>It's a good idea to include the IP address of the
+            administrative system in the firewall system's <ulink
+            url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
+            file</ulink>.</para>
+
+            <para>Also, edit the <filename>shorewall.conf</filename> file in
+            the firewall's export directory and change the CONFIG_PATH setting
+            to remove <filename class="directory">/etc/shorewall</filename>.
+            You can replace it with <filename
+            class="directory">/usr/share/shorewall/configfiles</filename> if
+            you like.</para>
+
+            <para>Example:</para>
+
+            <blockquote>
+              <para>Before editing:</para>
+
+              <programlisting>CONFIG_PATH=<emphasis role="bold">/etc/shorewall</emphasis>:/usr/share/shorewall</programlisting>
+
+              <para>After editing:</para>
+
+              <programlisting>CONFIG_PATH=<emphasis role="bold">/usr/share/shorewall/configfiles</emphasis>:/usr/share/shorewall</programlisting>
+            </blockquote>
+
+            <para>Changing CONFIG_PATH will ensure that subsequent
+            compilations using the export directory will not include any files
+            from <filename class="directory">/etc/shorewall</filename> other
+            than <filename>shorewall.conf</filename> and
+            <filename>params</filename>.</para>
+
+            <para>If you set variables in the params file, there are a couple
+            of issues:</para>
+
+            <para>The <filename>params</filename> file is not processed at run
+            time if you set EXPORTPARAMS=No in
+            <filename>shorewall.conf</filename>. For run-time setting of shell
+            variables, use the <filename>init</filename> extension script.
+            Beginning with Shorewall 4.4.17, the variables set in the
+            <filename>params</filename> file are available in the firewall
+            script when EXPORTPARAMS=No.</para>
+
+            <para>If the <filename>params</filename> file needs to set shell
+            variables based on the configuration of the firewall system, you
+            can use this trick:</para>
+
+            <programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>
+
+            <para>The <command>shorewall-lite call</command> command allows
+            you to to call interactively any Shorewall function that you can
+            call in an extension script.</para>
+
+            <para>After having made the above changes to the firewall's export
+            directory, execute the following commands.</para>
+
+            <blockquote>
+              <programlisting><command>cd &lt;export directory&gt;</command>
+<command>/sbin/shorewall load &lt;firewall system&gt;</command>
+</programlisting>
+
+              <para>Example (firewall's DNS name is 'gateway'):</para>
+
+              <para><command>/sbin/shorewall load gateway</command></para>
+            </blockquote>
+
+            <para>The first time that you issue a <command>load</command>
+            command, Shorewall will use ssh to run
+            <filename>/usr/share/shorewall-lite/shorecap</filename> on the
+            remote firewall to create a capabilities file in the firewall's
+            administrative direction. See <link
+            linkend="Shorecap">below</link>.</para>
+
+            <para>The <ulink
+            url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
+            command compiles a firewall script from the configuration files in
+            the current working directory (using <command>shorewall compile
+            -e</command>), copies that file to the remote system via
+            <command>scp</command> and starts Shorewall Lite on the remote
+            system via <command>ssh</command>.</para>
+          </listitem>
+
+          <listitem>
+            <para>If you later need to change the firewall's configuration,
+            change the appropriate files in the firewall's export directory
+            then:</para>
+
+            <programlisting><command>cd &lt;export directory&gt;</command>
+<command>/sbin/shorewall reload firewall</command></programlisting>
+
+            <para>The <ulink
+            url="starting_and_stopping_shorewall.htm#Reload"><command>reload</command></ulink>
+            command compiles a firewall script from the configuration files in
+            the current working directory (using <command>shorewall compile
+            -e</command>), copies that file to the remote system via
+            <command>scp</command> and restarts Shorewall Lite on the remote
+            system via <command>ssh</command>.</para>
+          </listitem>
+
+          <listitem>
+            <para>If the kernel/iptables configuration on the firewall later
+            changes and you need to create a new
+            <filename>capabilities</filename> file, do the following on the
+            firewall system:</para>
+
+            <programlisting><command>/usr/share/shorewall-lite/shorecap &gt; capabilities</command>
+<command>scp capabilities &lt;admin system&gt;:&lt;this system's config dir&gt;</command></programlisting>
+
+            <para>Or simply use the -c option the next time that you use the
+            <command>reload</command> command (e.g., <command>shorewall reload
+            -c gateway</command>).</para>
+          </listitem>
+        </orderedlist>
+      </section>
+    </section>
+
+    <section id="Restrictions">
+      <title>Restrictions</title>
+
+      <para>While compiled Shorewall programs (as are used in Shorewall Lite)
+      are useful in many cases, there are some important restrictions that you
+      should be aware of before attempting to use them.</para>
+
+      <orderedlist>
+        <listitem>
+          <para>All extension scripts used are copied into the program (with
+          the exception of <ulink url="shorewall_extension_scripts.htm">those
+          executed at compile-time by the compiler</ulink>). The ramifications
+          of this are:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If you update an extension script, the compiled program
+              will not use the updated script.</para>
+            </listitem>
+
+            <listitem>
+              <para>The <filename>params</filename> file is only processed at
+              compile time if you set EXPORTPARAMS=No in
+              <filename>shorewall.conf</filename>. For run-time setting of
+              shell variables, use the <filename>init</filename> extension
+              script. Although the default setting is EXPORTPARAMS=Yes for
+              compatibility, the recommended setting is EXPORTPARAMS=No.
+              Beginning with Shorewall 4.4.17, the variables set in the
+              <filename>params</filename> file are available in the firewall
+              script when EXPORTPARAMS=No.</para>
+
+              <para>If the <filename>params</filename> file needs to set shell
+              variables based on the configuration of the firewall system, you
+              can use this trick:</para>
+
+              <programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>
+
+              <para>The <command>shorewall-lite call</command> command allows
+              you to to call interactively any Shorewall function that you can
+              call in an extension script.</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+
+        <listitem>
+          <para>You must install Shorewall Lite on the system where you want
+          to run the script. You then install the compiled program in
+          /usr/share/shorewall-lite/firewall and use the /sbin/shorewall-lite
+          program included with Shorewall Lite to control the firewall just as
+          if the full Shorewall distribution was installed.</para>
+        </listitem>
+
+        <listitem>
+          <para>Beginning with Shorewall 4.4.9, the compiler detects bridges
+          and sets the <emphasis role="bold">bridge</emphasis> and <emphasis
+          role="bold">routeback</emphasis> options explicitly. That can't
+          happen when the compilation no longer occurs on the firewall
+          system.</para>
+        </listitem>
+      </orderedlist>
+    </section>
+  </section>
+
+  <section id="Compile">
+    <title>The "shorewall compile" command</title>
+
+    <para>A compiled script is produced using the <command>compile</command>
+    command:</para>
+
+    <blockquote>
+      <para><command>shorewall compile [ -e ] [ &lt;directory name&gt; ] [
+      &lt;path name&gt; ]</command></para>
+    </blockquote>
+
+    <para>where</para>
+
+    <blockquote>
+      <variablelist>
+        <varlistentry>
+          <term>-e</term>
+
+          <listitem>
+            <para>Indicates that the program is to be "exported" to another
+            system. When this flag is set, neither the "detectnets" interface
+            option nor DYNAMIC_ZONES=Yes in shorewall.conf are allowed. The
+            created program may be run on a system that has only Shorewall
+            Lite installed</para>
+
+            <para>When this flag is given, Shorewall does not probe the
+            current system to determine the kernel/iptables features that it
+            supports. It rather reads those capabilities from
+            <filename>/etc/shorewall/capabilities</filename>. See below for
+            details.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>&lt;directory name&gt;</term>
+
+          <listitem>
+            <para>specifies a directory to be searched for configuration files
+            before those directories listed in the CONFIG_PATH variable in
+            <filename>shorewall.conf</filename>.</para>
+
+            <para>When -e &lt;directory-name&gt; is included, only the
+            SHOREWALL_SHELL and VERBOSITY settings from
+            <filename>/etc/shorewall/shorewall.conf</filename> are used and
+            these apply only to the compiler itself. The settings used by the
+            compiled firewall script are determined by the contents of
+            <filename>&lt;directory name&gt;/shorewall.conf</filename>.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>&lt;path name&gt;</term>
+
+          <listitem>
+            <para>specifies the name of the script to be created. If not
+            given, ${VARDIR}/firewall is assumed (by default, ${VARDIR} is
+            <filename>/var/lib/shorewall/</filename>)</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </blockquote>
+
+    <para>The compile command can be used to stage a new compiled strict that
+    can be activated later using</para>
+
+    <simplelist>
+      <member><command>shorewall restart -f</command></member>
+    </simplelist>
+  </section>
+
+  <section id="Shorecap">
+    <title>The /etc/shorewall/capabilities file and the shorecap
+    program</title>
+
+    <para>As mentioned above, the
+    <filename>/etc/shorewall/capabilities</filename> file specifies that
+    kernel/iptables capabilities of the target system. Here is a sample
+    file:</para>
+
+    <blockquote>
+      <programlisting>#
+# Shorewall detected the following iptables/netfilter capabilities - Tue Jul 15 07:28:12 PDT 2008
+#
+NAT_ENABLED=Yes
+MANGLE_ENABLED=Yes
+MULTIPORT=Yes
+XMULTIPORT=Yes
+CONNTRACK_MATCH=Yes
+USEPKTTYPE=Yes
+POLICY_MATCH=Yes
+PHYSDEV_MATCH=Yes
+PHYSDEV_BRIDGE=Yes
+LENGTH_MATCH=Yes
+IPRANGE_MATCH=Yes
+RECENT_MATCH=Yes
+OWNER_MATCH=Yes
+IPSET_MATCH=Yes
+CONNMARK=Yes
+XCONNMARK=Yes
+CONNMARK_MATCH=Yes
+XCONNMARK_MATCH=Yes
+RAW_TABLE=Yes
+IPP2P_MATCH=
+CLASSIFY_TARGET=Yes
+ENHANCED_REJECT=Yes
+KLUDGEFREE=Yes
+MARK=Yes
+XMARK=Yes
+MANGLE_FORWARD=Yes
+COMMENTS=Yes
+ADDRTYPE=Yes
+TCPMSS_MATCH=Yes
+HASHLIMIT_MATCH=Yes
+NFQUEUE_TARGET=Yes
+REALM_MATCH=Yes
+CAPVERSION=40190</programlisting>
+    </blockquote>
+
+    <para>As you can see, the file contains a simple list of shell variable
+    assignments — the variables correspond to the capabilities listed by the
+    <command>shorewall show capabilities</command> command and they appear in
+    the same order as the output of that command.</para>
+
+    <para>To aid in creating this file, Shorewall Lite includes a
+    <command>shorecap</command> program. The program is installed in the
+    <filename class="directory">/usr/share/shorewall-lite/</filename>
+    directory and may be run as follows:</para>
+
+    <blockquote>
+      <para><command>[ IPTABLES=&lt;iptables binary&gt; ] [
+      MODULESDIR=&lt;kernel modules directory&gt; ]
+      /usr/share/shorewall-lite/shorecap &gt; capabilities</command></para>
+    </blockquote>
+
+    <para>The IPTABLES and MODULESDIR options have their <ulink
+    url="manpages/shorewall.conf.html">usual Shorewall default
+    values</ulink>.</para>
+
+    <para>The <filename>capabilities</filename> file may then be copied to a
+    system with Shorewall installed and used when compiling firewall programs
+    to run on the remote system.</para>
+
+    <para>The <filename>capabilities</filename> file may also be creating
+    using <filename>/sbin/shorewall-lite</filename>:<blockquote>
+        <para><command>shorewall-lite show -f capabilities &gt;
+        capabilities</command></para>
+      </blockquote></para>
+
+    <para>Note that unlike the <command>shorecap</command> program, the
+    <command>show capabilities</command> command shows the kernel's current
+    capabilities; it does not attempt to load additional kernel
+    modules.</para>
+  </section>
+
+  <section id="Running">
+    <title>Running compiled programs directly</title>
+
+    <para>Compiled firewall programs are complete shell programs that support
+    the following command line forms:</para>
+
+    <blockquote>
+      <simplelist>
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        start</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        stop</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        clear</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        refresh</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        reset</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        restart</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        status</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        version</command></member>
+      </simplelist>
+    </blockquote>
+
+    <para>The options have the same meanings as when they are passed to
+    <filename>/sbin/shorewall</filename> itself. The default VERBOSITY level
+    is the level specified in the <filename>shorewall.conf</filename> file
+    used when the program was compiled.</para>
+  </section>
+</article>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2001-2010</year>
+      <year>2001-2011</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -492,6 +492,253 @@ ACCEPT      net:\
    </example>
  </section>

+  <section id="Pairs">
+    <title>Alternate Specification of Column Values - Shorewall 4.4.24 and
+    Later</title>
+
+    <para>Some of the configuration files now have a large number of columns.
+    That makes it awkward to specify a value for one of the right-most columns
+    as you must have the correct number of intervening '-' columns.</para>
+
+    <para>This problem is addressed by allowing column values to be specified
+    as <replaceable>column-name</replaceable>/<replaceable>value</replaceable>
+    pairs.</para>
+
+    <para>There is considerable flexibility in how you specify the
+    pairs:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>At any point, you can enter a semicolon (';') followed by one or
+        more specifications of the following forms:</para>
+
+        <simplelist>
+          <member><replaceable>column-name</replaceable>=<replaceable>value</replaceable></member>
+
+          <member><replaceable>column-name</replaceable>=<replaceable>&gt;value</replaceable></member>
+
+          <member><replaceable>column-name</replaceable>:<replaceable>value</replaceable></member>
+        </simplelist>
+
+        <para>The value may optionally be enclosed in double quotes.</para>
+
+        <para>The pairs must be separated by white space, but you can add a
+        comma adjacent to the <replaceable>values</replaceable> for
+        readability as in:</para>
+
+        <simplelist>
+          <member><emphasis role="bold">; proto=&gt;udp,
+          port=1024</emphasis></member>
+        </simplelist>
+      </listitem>
+
+      <listitem>
+        <para>You can enclose the pairs in curly brackets ("{...}") rather
+        than separating them from columns by a semicolon:</para>
+
+        <simplelist>
+          <member><emphasis role="bold">{ proto:udp, port:1024
+          }</emphasis></member>
+        </simplelist>
+      </listitem>
+    </itemizedlist>
+
+    <para>The following table shows the column names for each of the
+    table-oriented configuration files.</para>
+
+    <note>
+      <para>Column names are <emphasis
+      role="bold">case-insensitive</emphasis>.</para>
+    </note>
+
+    <informaltable>
+      <tgroup cols="2">
+        <tbody>
+          <row>
+            <entry><emphasis role="bold">File</emphasis></entry>
+
+            <entry><emphasis role="bold">Column names</emphasis></entry>
+          </row>
+
+          <row>
+            <entry>accounting</entry>
+
+            <entry>action,chain, source, dest, proto, dport, sport, user,
+            mark, ipsec, headers</entry>
+          </row>
+
+          <row>
+            <entry>blacklist</entry>
+
+            <entry>networks,proto,port,options</entry>
+          </row>
+
+          <row>
+            <entry>ecn</entry>
+
+            <entry>interface,hosts</entry>
+          </row>
+
+          <row>
+            <entry>hosts</entry>
+
+            <entry>zone,hosts,options</entry>
+          </row>
+
+          <row>
+            <entry>interfaces</entry>
+
+            <entry>zone,interface,broadcast,options</entry>
+          </row>
+
+          <row>
+            <entry>maclist</entry>
+
+            <entry>disposition,interface,mac,addresses</entry>
+          </row>
+
+          <row>
+            <entry>masq</entry>
+
+            <entry>interface,source,address,proto,port,ipsec,mark,user</entry>
+          </row>
+
+          <row>
+            <entry>nat</entry>
+
+            <entry>external,interface,internal,allints,local</entry>
+          </row>
+
+          <row>
+            <entry>netmap</entry>
+
+            <entry>type,net1,interface,net2,net3,proto,dport,sport</entry>
+          </row>
+
+          <row>
+            <entry>notrack</entry>
+
+            <entry>source,dest,proto,dport,sport,user</entry>
+          </row>
+
+          <row>
+            <entry>policy</entry>
+
+            <entry>source,dest,policy,loglevel,limit,connlimit</entry>
+          </row>
+
+          <row>
+            <entry>providers</entry>
+
+            <entry>table,number,mark,duplicate,interface,gateway,options,copy</entry>
+          </row>
+
+          <row>
+            <entry>proxyarp and proxyndp</entry>
+
+            <entry>address,interface,external,haveroute,persistent</entry>
+          </row>
+
+          <row>
+            <entry>route_rules</entry>
+
+            <entry>source,dest,provider,priority</entry>
+          </row>
+
+          <row>
+            <entry>routes</entry>
+
+            <entry>provider,dest,gateway,device</entry>
+          </row>
+
+          <row>
+            <entry>routestopped</entry>
+
+            <entry>interface,hosts,options,proto,dport,sport</entry>
+          </row>
+
+          <row>
+            <entry>rules</entry>
+
+            <entry>action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch</entry>
+          </row>
+
+          <row>
+            <entry>secmarks</entry>
+
+            <entry>secmark,chain,source,dest,proto,dport,sport,user,mark</entry>
+          </row>
+
+          <row>
+            <entry>tcclasses</entry>
+
+            <entry>interface,mark,rate,ceil,prio,options</entry>
+          </row>
+
+          <row>
+            <entry>tcdevices</entry>
+
+            <entry>interface,in_bandwidth,out_bandwidth,options,redirect</entry>
+          </row>
+
+          <row>
+            <entry>tcfilters</entry>
+
+            <entry>class,source,dest,proto,dport,sport,tos,length</entry>
+          </row>
+
+          <row>
+            <entry>tcinterfaces</entry>
+
+            <entry>interface,type,in_bandwidth,out_bandwidth</entry>
+          </row>
+
+          <row>
+            <entry>tcpri</entry>
+
+            <entry>band,proto,port,address,interface,helper</entry>
+          </row>
+
+          <row>
+            <entry>tcrules</entry>
+
+            <entry>mark,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
+          </row>
+
+          <row>
+            <entry>tos</entry>
+
+            <entry>source,dest,proto,dport,sport,tos,mark</entry>
+          </row>
+
+          <row>
+            <entry>tunnels</entry>
+
+            <entry>type,zone,gateway,gateway_zone</entry>
+          </row>
+
+          <row>
+            <entry>zones</entry>
+
+            <entry>zone,type,options,in_options,out_options</entry>
+          </row>
+        </tbody>
+      </tgroup>
+    </informaltable>
+
+    <para>Example (rules file):</para>
+
+    <programlisting>#ACTION         SOURCE            DEST            PROTO   DEST 
+#                                                         PORT(S)
+DNAT            net               loc:10.0.0.1    tcp     80    ; mark="88"</programlisting>
+
+    <para>Here's the same line in several equivalent formats:</para>
+
+    <programlisting>{ action=&gt;DNAT, source=&gt;net, dest=&gt;loc:10.0.0.1, proto=&gt;tcp, dport=&gt;80, mark=&gt;88 }
+; action:"DNAT" source:"net"  dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
+DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting>
+  </section>
+
  <section>
    <title>Addresses</title>

@@ -705,9 +952,9 @@ ACCEPT      net:\

    <caution>
      <para>Prior to Shorewall 4.4.17, if you are using <ulink
-      url="CompiledPrograms.html%23Lite">Shorewall Lite</ulink> , it is not
-      advisable to use INCLUDE in the <filename>params</filename> file in an
-      export directory if you set EXPORTPARAMS=Yes in <ulink
+      url="Shorewall-Lite.html">Shorewall Lite</ulink> , it is not advisable
+      to use INCLUDE in the <filename>params</filename> file in an export
+      directory if you set EXPORTPARAMS=Yes in <ulink
      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5). If you do
      that, you must ensure that the included file is also present on the
      firewall system's <filename
@@ -972,11 +1219,10 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
      </listitem>

      <listitem>
-        <para>If you are using <ulink
-        url="CompiledPrograms.html#Lite">Shorewall Lite</ulink> and if the
-        <filename>params</filename> script needs to set shell variables based
-        on the configuration of the firewall system, you can use this
-        trick:</para>
+        <para>If you are using <ulink url="Shorewall-Lite.html">Shorewall
+        Lite</ulink> and if the <filename>params</filename> script needs to
+        set shell variables based on the configuration of the firewall system,
+        you can use this trick:</para>

        <programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>

@@ -997,7 +1243,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
    time, there is no way to cause such variables to be expended at run time.
    Prior to Shorewall 4.4.17, this made it difficult (to impossible) to
    include dynamic IP addresses in a <ulink
-    url="CompiledPrograms.html">Shorewall-lite</ulink> configuration.</para>
+    url="Shorewall-Lite.html">Shorewall-lite</ulink> configuration.</para>

    <para>Version 4.4.17 implemented <firstterm>Run-time address
    variables</firstterm>. In configuration files, these variables are
@@ -1604,7 +1850,7 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
      LOGLIMIT.</para>
    </note>

-    <para>Shorewall also supports per-IP rate limiting. </para>
+    <para>Shorewall also supports per-IP rate limiting.</para>

    <para>Another example from <ulink
    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
@@ -1624,6 +1870,72 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
    above.</para>
  </section>

+  <section id="Switches">
+    <title>Switches</title>
+
+    <para>There are times when you would like to enable or disable one or more
+    rules in the configuration without having to do a <command>shorewall
+    restart</command>. This may be accomplished using the SWITCH column in
+    <ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) or
+    <ulink url="manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).
+    Using this column requires that your kernel and iptables include
+    <firstterm>Condition Match Support</firstterm> and you must be running
+    Shorewall 4.4.24 or later. See the output of <command>shorewall show
+    capabilities</command> and <command>shorewall version</command> to
+    determine if you can use this feature. As of this writing, Condition Match
+    Support requires that you install xtables-addons.</para>
+
+    <para>The SWITCH column contains the name of a
+    <firstterm>switch.</firstterm> Each switch that is initially in the
+    <emphasis role="bold">off</emphasis> position. You can turn on the switch
+    named <emphasis>switch1</emphasis> by:</para>
+
+    <simplelist>
+      <member><command>echo 1 &gt;
+      /proc/net/nf_condition/switch1</command></member>
+    </simplelist>
+
+    <para>You can turn it off again by:</para>
+
+    <simplelist>
+      <member><command>echo 0 &gt;
+      /proc/net/nf_condition/switch1</command></member>
+    </simplelist>
+
+    <para>If you simply include the switch name in the SWITCH column, then the
+    rule is enabled only when the switch is <emphasis
+    role="bold">on</emphasis>. If you precede the switch name with ! (e.g.,
+    !switch1), then the rule is enabled only when the switch is <emphasis
+    role="bold">off</emphasis>. Switch settings are retained over
+    <command>shorewall restart</command>.</para>
+
+    <para>Shorewall requires that switch names:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>begin with a letter and be composed of letters, digits,
+        underscore ('_') or hyphen ('-'); and</para>
+      </listitem>
+
+      <listitem>
+        <para>be 30 characters or less in length.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Multiple rules can be controlled by the same switch.</para>
+
+    <para>Example:</para>
+
+    <blockquote>
+      <para>Forward port 80 to dmz host $BACKUP if switch 'primary_down' is
+      on.</para>
+
+      <programlisting>#ACTION     SOURCE          DEST        PROTO       DEST         SOURCE    ORIGINAL   RATE      USER/     MARK    CONNLIMIT     TIME     HEADERS    SWITCH
+#                                                   PORT(S)      PORT(S)   DEST       LIMIT     GROUP
+DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down  </programlisting>
+    </blockquote>
+  </section>
+
  <section id="Logical">
    <title>Logical Interface Names</title>

--- a/docs/images/Network2011a.dia
+++ b/docs/images/Network2011a.dia
--- a/docs/images/Network2011a.png
+++ b/docs/images/Network2011a.png
--- a/docs/images/Network2011b.dia
+++ b/docs/images/Network2011b.dia
--- a/docs/images/Network2011b.png
+++ b/docs/images/Network2011b.png
--- a/docs/netmap.xml
+++ b/docs/netmap.xml
@@ -22,6 +22,8 @@

      <year>2007</year>

+      <year>2011</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -113,8 +115,10 @@
        <term>NET1</term>

        <listitem>
-          <para>Must be expressed in CIDR format (e.g.,
-          192.168.1.0/24).</para>
+          <para>Must be expressed in CIDR format (e.g., 192.168.1.0/24).
+          Beginning with Shorewall 4.4.24, <ulink
+          url="manpages/shorewall-exclusion.html">exclusion</ulink> is
+          supported.</para>
        </listitem>
      </varlistentry>

@@ -135,6 +139,71 @@
          <para>A second network expressed in CIDR format.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">NET3 (Optional)</emphasis> -
+        <emphasis>network-address</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.11. If specified, qualifies INTERFACE.
+          It specifies a SOURCE network for DNAT rules and a DESTINATON
+          network for SNAT rules.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTO (Optional - Added in Shorewall
+        4.4.23.2)</emphasis> -
+        <emphasis>protocol-number-or-name</emphasis></term>
+
+        <listitem>
+          <para>Only packets specifying this protocol will have their IP
+          header modified.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST PORT(S) (Optional - Added in
+        Shorewall 4.4.23.2)</emphasis> -
+        <emphasis>port-number-or-name-list</emphasis></term>
+
+        <listitem>
+          <para>Destination Ports. A comma-separated list of Port names (from
+          services(5)), <emphasis>port number</emphasis>s or <emphasis>port
+          range</emphasis>s; if the protocol is <emphasis
+          role="bold">icmp</emphasis>, this column is interpreted as the
+          destination icmp-type(s). ICMP types may be specified as a numeric
+          type, a numberic type and code separated by a slash (e.g., 3/4), or
+          a typename. See <ulink
+          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
+
+          <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
+          this column is interpreted as an ipp2p option without the leading
+          "--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
+          If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
+          assumed.</para>
+
+          <para>An entry in this field requires that the PROTO column specify
+          icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
+          any of the following field is supplied.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST PORT(S) (Optional - Added in
+        Shorewall 4.4.23.2)</emphasis> -
+        <emphasis>port-number-or-name-list</emphasis></term>
+
+        <listitem>
+          <para>Source port(s). If omitted, any source port is acceptable.
+          Specified as a comma-separated list of port names, port numbers or
+          port ranges.</para>
+
+          <para>An entry in this field requires that the PROTO column specify
+          tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
+          the following fields is supplied.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>

    <para>Referring to the figure above, lets suppose that systems in the top
@@ -165,155 +234,234 @@
            firewall 1.</para>
          </listitem>
        </itemizedlist>
-      </important> The entries in
-    <filename><filename>/etc/shorewall/netmap</filename></filename> in
-    firewall1 would be as follows:</para>
+      </important></para>

-    <programlisting>#TYPE NET1           INTERFACE        NET2
+    <section>
+      <title>If you are running Shorewall 4.4.22 or Earlier</title>
+
+      <para>The entries in
+      <filename><filename>/etc/shorewall/netmap</filename></filename> in
+      firewall1 would be as follows:</para>
+
+      <programlisting>#TYPE NET1           INTERFACE        NET2
 SNAT  192.168.1.0/24 vpn              10.10.11.0/24        #RULE 1A
 DNAT  10.10.11.0/24  vpn              192.168.1.0/24       #RULE 1B</programlisting>

-    <para>The entry in <filename>/etc/shorewall/netmap</filename> in firewall2
-    would be:</para>
+      <para>The entry in <filename>/etc/shorewall/netmap</filename> in
+      firewall2 would be:</para>

-    <programlisting>#TYPE NET1           INTERFACE        NET2
+      <programlisting>#TYPE NET1           INTERFACE        NET2
 DNAT  10.10.10.0/24  vpn              192.168.1.0/24       #RULE 2A
 SNAT  192.168.1.0/24 vpn              10.10.10.0/24        #RULE 2B</programlisting>

-    <example id="Example1">
-      <title>192.168.1.4 in the top cloud connects to 192.168.1.27 in the
-      bottom cloud</title>
+      <example id="Example1">
+        <title>192.168.1.4 in the top cloud connects to 192.168.1.27 in the
+        bottom cloud</title>

-      <para>In order to make this connection, the client attempts a connection
-      to 10.10.10.27. The following table shows how the source and destination
-      IP addresses are modified as requests are sent and replies are returned.
-      The RULE column refers to the above
-      <filename>/etc/shorewall/netmap</filename> entries and gives the rule
-      which transforms the source and destination IP addresses to those shown
-      on the next line. <informaltable>
-          <tgroup cols="5">
-            <thead>
-              <row>
-                <entry>FROM</entry>
+        <para>In order to make this connection, the client attempts a
+        connection to 10.10.10.27. The following table shows how the source
+        and destination IP addresses are modified as requests are sent and
+        replies are returned. The RULE column refers to the above
+        <filename>/etc/shorewall/netmap</filename> entries and gives the rule
+        which transforms the source and destination IP addresses to those
+        shown on the next line. <informaltable>
+            <tgroup cols="5">
+              <thead>
+                <row>
+                  <entry>FROM</entry>

-                <entry>TO</entry>
+                  <entry>TO</entry>

-                <entry>SOURCE IP ADDRESS</entry>
+                  <entry>SOURCE IP ADDRESS</entry>

-                <entry>DESTINATION IP ADDRESS</entry>
+                  <entry>DESTINATION IP ADDRESS</entry>

-                <entry>RULE</entry>
-              </row>
-            </thead>
+                  <entry>RULE</entry>
+                </row>
+              </thead>

-            <tbody>
-              <row>
-                <entry>192.168.1.4 in upper cloud</entry>
+              <tbody>
+                <row>
+                  <entry>192.168.1.4 in upper cloud</entry>

-                <entry>Firewall 1</entry>
+                  <entry>Firewall 1</entry>

-                <entry>192.168.1.4</entry>
+                  <entry>192.168.1.4</entry>

-                <entry>10.10.10.27</entry>
+                  <entry>10.10.10.27</entry>

-                <entry>1A</entry>
-              </row>
+                  <entry>1A</entry>
+                </row>

-              <row>
-                <entry>Firewall 1</entry>
+                <row>
+                  <entry>Firewall 1</entry>

-                <entry>Firewall 2</entry>
+                  <entry>Firewall 2</entry>

-                <entry>10.10.11.4</entry>
+                  <entry>10.10.11.4</entry>

-                <entry>10.10.10.27</entry>
+                  <entry>10.10.10.27</entry>

-                <entry>2A</entry>
-              </row>
+                  <entry>2A</entry>
+                </row>

-              <row>
-                <entry>Firewall 2</entry>
+                <row>
+                  <entry>Firewall 2</entry>

-                <entry>192.168.1.27 in lower cloud</entry>
+                  <entry>192.168.1.27 in lower cloud</entry>

-                <entry>10.10.11.4</entry>
+                  <entry>10.10.11.4</entry>

-                <entry>192.168.1.27</entry>
+                  <entry>192.168.1.27</entry>

-                <entry></entry>
-              </row>
+                  <entry></entry>
+                </row>

-              <row>
-                <entry>192.168.1.27 in the lower cloud</entry>
+                <row>
+                  <entry>192.168.1.27 in the lower cloud</entry>

-                <entry>Firewall 2</entry>
+                  <entry>Firewall 2</entry>

-                <entry>192.168.1.27</entry>
+                  <entry>192.168.1.27</entry>

-                <entry>10.10.11.4</entry>
+                  <entry>10.10.11.4</entry>

-                <entry>2B</entry>
-              </row>
+                  <entry>2B</entry>
+                </row>

-              <row>
-                <entry>Firewall 2</entry>
+                <row>
+                  <entry>Firewall 2</entry>

-                <entry>Firewall 1</entry>
+                  <entry>Firewall 1</entry>

-                <entry>10.10.10.27</entry>
+                  <entry>10.10.10.27</entry>

-                <entry>10.10.11.4</entry>
+                  <entry>10.10.11.4</entry>

-                <entry>1B</entry>
-              </row>
+                  <entry>1B</entry>
+                </row>

-              <row>
-                <entry>Firewall 1</entry>
+                <row>
+                  <entry>Firewall 1</entry>

-                <entry>192.168.1.4 in upper cloud</entry>
+                  <entry>192.168.1.4 in upper cloud</entry>

-                <entry>10.10.10.27</entry>
+                  <entry>10.10.10.27</entry>

-                <entry>192.168.1.4</entry>
+                  <entry>192.168.1.4</entry>

-                <entry></entry>
-              </row>
-            </tbody>
-          </tgroup>
-        </informaltable></para>
-    </example>
+                  <entry></entry>
+                </row>
+              </tbody>
+            </tgroup>
+          </informaltable></para>
+
+        <para>See the<ulink url="OPENVPN.html"> OpenVPN documentation</ulink>
+        for a solution contributed by Nicola Moretti for resolving duplicate
+        networks in a roadwarrior VPN environment.</para>
+      </example>
+    </section>
+
+    <section>
+      <title>If you are running Shorewall 4.4.23 or Later</title>
+
+      <para>Beginning with Shorewall 4.4.23, you <emphasis>can</emphasis>
+      bridge two duplicate networks with one router, provided that your kernel
+      and iptables include <emphasis>Rawpost Table Support</emphasis>. That
+      support is used to implement Stateless NAT which allows for performing
+      DNAT in the rawpost table POSTROUTING and OUTPUT chains and for
+      performing SNAT in the raw table PREROUTING chain. Using this support,
+      only firewall1 requires <filename>/etc/shorewall/netmap</filename>. Two
+      additional entries are added.</para>
+
+      <programlisting>#TYPE NET1            INTERFACE        NET2
+SNAT   192.168.1.0/24 vpn              10.10.11.0/24
+DNAT   10.10.11.0/24  vpn              192.168.1.0/24
+<emphasis role="bold">SNAT:P 192.168.1.0/24 vpn              10.10.10.0/24
+DNAT:T 10.10.10.0/24  vpn              192.168.1.0/24</emphasis></programlisting>
+
+      <para>The last two entries define <firstterm>Stateless NAT</firstterm>
+      by specifying a chain designator (:P for PREROUTING and :T for
+      POSTROUTING respectively). See <ulink
+      url="manpages/shorewall-netlink.html">shorewall-netmap</ulink> (5) for
+      details.</para>
+    </section>
  </section>

-  <section id="Notes">
-    <title>Author's Notes</title>
+  <section>
+    <title>IPv6</title>

-    <para>This could all be made a bit simpler by eliminating the TYPE field
-    and have Shorewall generate both the SNAT and DNAT rules from a single
-    entry. I have chosen to include the TYPE in order to make the
-    implementation a bit more flexible. If you find cases where you can use an
-    SNAT or DNAT entry by itself, please let <ulink
-    url="mailto:webmaster@shorewall.net">me</ulink> know and I'll add the
-    example to this page.</para>
+    <para>Beginning with Shorewall6 4.4.24, IPv6 support for Netmap is
+    included. This provides a way to use private IPv6 addresses internally and
+    still have access to the IPv6 internet.</para>

-    <para>In the previous section, the table in the example contains a bit of
-    a lie. Because of Netfilter's connection tracking, rules 2B and 1B aren't
-    needed to handle the replies. They ARE needed though for hosts in the
-    bottom cloud to be able to establish connections with the 192.168.1.0/24
-    network in the top cloud.</para>
-  </section>
+    <warning>
+      <para>IPv6 netmap is <firstterm>stateless</firstterm> which means that
+      there are no Netfilter helpers for applications that need them. As a
+      consequence, applications that require a helper (FTP, IRC, etc.) may
+      experience issues.</para>
+    </warning>

-  <section id="WhyTwo">
-    <title>Can't I do this with one router? Why do I need two?</title>
+    <para>For IPv6, the chain designator (:P for PREROUTING or :T for
+    POSTROUTING) is required in the TYPE column. Normally SNAT rules are
+    placed in the POSTROUTING chain while DNAT rules are placed in
+    PREROUTING.</para>

-    <para>I wrote this article before Shorewall included <ulink
-    url="MultiISP.html">multiple provider support</ulink>. You should be able
-    to accomplish the same thing with just one router through careful use of
-    /etc/shorewall/netmap and <ulink url="MultiISP.html">multiple
-    providers</ulink>. If you try it and get it working, please contribute an
-    update to this article.</para>
+    <para>To use IPv6 Netmap, your kernel and iptables must include
+    <emphasis>Rawpost Table Support</emphasis>.</para>

-    <para>See the<ulink url="OPENVPN.html"> OpenVPN documentation</ulink> for
-    a solution contributed by Nicola Moretti for resolving duplicate networks
-    in a roadwarrior VPN environment.</para>
+    <para>IPv6 Netmap has been verified at shorewall.net using the
+    configuration shown below.</para>
+
+    <graphic align="center" fileref="images/Network2011b.png" />
+
+    <para>IPv6 support is supplied from Hurricane Electric; the IPv6 address
+    block is 2001:470:b:227::/64.</para>
+
+    <para>Because of the limitations of IPv6 NETMAP (no Netfilter helpers),
+    the servers in the DMZ have public addresses in the block
+    2001:470:b:227::/112. The local LAN uses the private network
+    fd00:470:b:227::/64 with the hosts autoconfigured using radvd. This block
+    is allocated from the range (fc00::/7) reserved for<firstterm> <ulink
+    url="http://en.wikipedia.org/wiki/Unique_local_address">Unique Local
+    Addresses</ulink></firstterm>.</para>
+
+    <para>The /etc/shorewall6/netmap file is as follows:</para>
+
+    <programlisting>#TYPE	NET1			INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
+#												PORT(S)	PORT(S)
+SNAT:T	fd00:470:b:227::/64	HE_IF		2001:470:b:227::/64
+DNAT:P  2001:470:b:227::/64!2001:470:b:227::/112\
+				HE_IF		fd00:470:b:227::/64
+</programlisting>
+
+    <para>HE_IF is the logical name for interface sit1. On output, the private
+    address block is mapped to the public block. Because autoconfiguration is
+    used, none of the local addresses falls into the range
+    fd00:470:b:227::/112. That range can therefore be excluded from
+    DNAT.</para>
+
+    <note>
+      <para>While the site local network that was used is very similar to the
+      public network (only the first word is different), that isn't a
+      requirement. We could have just as well used
+      fd00:bad:dead:beef::/64</para>
+    </note>
+
+    <note>
+      <para>The MacBook Pro running OS X Lion refused to autoconfigure when
+      radvd advertised a <ulink
+      url="http://tools.ietf.org/html/rfc3513">site-local</ulink> network
+      (fec0:470:b:227/64) but worked fine with the unique-local network
+      (fd00:470:b:227::/64). Note that site-local addresses were deprecated in
+      <ulink url="http://tools.ietf.org/html/rfc3879">RFC3879</ulink>.</para>
+    </note>
+
+    <note>
+      <para>This whole scheme isn't quite as useful as it might appear. Many
+      IPv6-enabled applications (web browsers, for example) are smart enough
+      to recognize unique local addresses and will only use IPv6 to
+      communicate with other such local addresses.</para>
+    </note>
  </section>
 </article>
--- a/docs/shorewall_features.xml
+++ b/docs/shorewall_features.xml
@@ -94,7 +94,7 @@
          <listitem>
            <para>Centrally generated firewall scripts run on the firewalls
            under control of <ulink
-            url="CompiledPrograms.html#Lite">Shorewall-lite</ulink>.</para>
+            url="Shorewall-Lite.html">Shorewall-lite</ulink>.</para>
          </listitem>
        </itemizedlist>
      </listitem>
@@ -274,6 +274,10 @@
          <listitem>
            <para>VirtualBox</para>
          </listitem>
+
+          <listitem>
+            <para><ulink url="LXC.html">LXC</ulink></para>
+          </listitem>
        </itemizedlist>
      </listitem>
    </itemizedlist>
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -1308,7 +1308,7 @@ SAVE     0.0.0.0/0      0.0.0.0/0       all        -             -        -
        </listitem>

        <listitem>
-          <para>Set TC_ENABLED=SHARED in <ulink
+          <para>Set TC_ENABLED=Shared in <ulink
          url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
          (5).</para>
        </listitem>
--- a/manpages/shorewall-accounting.xml
+++ b/manpages/shorewall-accounting.xml
@@ -165,7 +165,9 @@
      </listitem>
    </itemizedlist>

-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax):</para>

    <variablelist>
      <varlistentry>
@@ -343,7 +345,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">DESTINATION</emphasis> - {<emphasis
+        <term><emphasis role="bold">DESTINATION</emphasis> (dest) - {<emphasis
        role="bold">-</emphasis>|<emphasis
        role="bold">any</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis>interface</emphasis>|<emphasis>interface</emphasis><emphasis
@@ -358,7 +360,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">PROTOCOL</emphasis> - {<emphasis
+        <term><emphasis role="bold">PROTOCOL (proto)</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
        role="bold">any</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
@@ -377,8 +379,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S)</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis
+        <term><emphasis role="bold">DEST PORT(S)</emphasis> (dport) -
+        {<emphasis role="bold">-</emphasis>|<emphasis
        role="bold">any</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis>ipp2p-option</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>

@@ -401,8 +403,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport)-
+        {<emphasis role="bold">-</emphasis>|<emphasis
        role="bold">any</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>

@@ -418,7 +420,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">USER/GROUP</emphasis> - [<emphasis
+        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
@@ -674,7 +676,7 @@
    the values <emphasis role="bold">-</emphasis>, <emphasis
    role="bold">any</emphasis> and <emphasis role="bold">all</emphasis> may be
    used as wildcards. Omitted trailing columns are also treated as
-    wildcards.</para>
+    wildcard.</para>
  </refsect1>

  <refsect1>
@@ -693,6 +695,9 @@
    <para><ulink
    url="http://shorewall.net/shorewall_logging.html">http://shorewall.net/shorewall_logging.html</ulink></para>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-actions(5), shorewall-blacklist(5),
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
--- a/manpages/shorewall-blacklist.xml
+++ b/manpages/shorewall-blacklist.xml
@@ -26,12 +26,14 @@
    <para>The blacklist file is used to perform static blacklisting. You can
    blacklist by source address (IP or MAC), or by application.</para>

-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>

    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">ADDRESS/SUBNET</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis
+        <term><emphasis role="bold">ADDRESS/SUBNET</emphasis> (networks) -
+        {<emphasis role="bold">-</emphasis>|<emphasis
        role="bold">~</emphasis><emphasis>mac-address</emphasis>|<emphasis>ip-address</emphasis>|<emphasis>address-range</emphasis>|<emphasis
        role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>

@@ -55,34 +57,32 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">PROTOCOL</emphasis> (Optional) -
-        {<emphasis
+        <term><emphasis role="bold">PROTOCOL</emphasis> (proto) - {<emphasis
        role="bold">-</emphasis>|[!]<emphasis>protocol-number</emphasis>|[!]<emphasis>protocol-name</emphasis>}</term>

        <listitem>
-          <para>If specified, must be a protocol number or a protocol name
-          from protocols(5).</para>
+          <para>Optional - If specified, must be a protocol number or a
+          protocol name from protocols(5).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">PORTS</emphasis> (Optional) - {<emphasis
+        <term><emphasis role="bold">PORTS</emphasis> - {<emphasis
        role="bold">-</emphasis>|[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>

        <listitem>
-          <para>May only be specified if the protocol is TCP (6) or UDP (17).
-          A comma-separated list of destination port numbers or service names
-          from services(5).</para>
+          <para>Optional - may only be specified if the protocol is TCP (6) or
+          UDP (17). A comma-separated list of destination port numbers or
+          service names from services(5).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term>OPTIONS (Optional - Added in 4.4.12) -
-        {-|{dst|src|whitelist|audit}[,...]}</term>
+        <term>OPTIONS - {-|{dst|src|whitelist|audit}[,...]}</term>

        <listitem>
-          <para>If specified, indicates whether traffic
-          <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
+          <para>Optional - added in 4.4.12. If specified, indicates whether
+          traffic <emphasis>from</emphasis> ADDRESS/SUBNET (<emphasis
          role="bold">src</emphasis>) or traffic <emphasis>to</emphasis>
          ADDRESS/SUBNET (<emphasis role="bold">dst</emphasis>) should be
          blacklisted. The default is <emphasis role="bold">src</emphasis>. If
@@ -182,6 +182,9 @@
    <para><ulink
    url="http://shorewall.net/blacklisting_support.htm">http://shorewall.net/blacklisting_support.htm</ulink></para>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
--- a/manpages/shorewall-hosts.xml
+++ b/manpages/shorewall-hosts.xml
@@ -271,6 +271,9 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
  <refsect1>
    <title>See ALSO</title>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
--- a/manpages/shorewall-interfaces.xml
+++ b/manpages/shorewall-interfaces.xml
@@ -520,8 +520,10 @@ loc     eth2            -</programlisting>
                the wildcard.</para>

                <para>Beginning with Shorewall 4.4.20, if you specify this
-                option, then you should also specify <option>filter</option>;
-                see above.</para>
+                option, then you should also specify either
+                <option>sfilter</option> (see below) or
+                <option>routefilter</option> on all interfaces (see
+                below).</para>
              </listitem>
            </varlistentry>

@@ -752,6 +754,9 @@ net     ppp0      -</programlisting>
  <refsect1>
    <title>See ALSO</title>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
--- a/manpages/shorewall-maclist.xml
+++ b/manpages/shorewall-maclist.xml
@@ -31,7 +31,9 @@
    url="shorewall-hosts.html">shorewall-hosts</ulink>(5) configuration
    file.</para>

-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>

    <variablelist>
      <varlistentry>
@@ -73,17 +75,17 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">IP ADDRESSES</emphasis> (Optional) -
+        <term><emphasis role="bold">IP ADDRESSES</emphasis> (addresses) -
        [<emphasis>address</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>address</emphasis>]...]</term>

        <listitem>
-          <para>If specified, both the MAC and IP address must match. This
-          column can contain a comma-separated list of host and/or subnet
-          addresses. If your kernel and iptables have iprange match support
-          then IP address ranges are also allowed. Similarly, if your kernel
-          and iptables include ipset support than set names (prefixed by "+")
-          are also allowed.</para>
+          <para>Optional - if specified, both the MAC and IP address must
+          match. This column can contain a comma-separated list of host and/or
+          subnet addresses. If your kernel and iptables have iprange match
+          support then IP address ranges are also allowed. Similarly, if your
+          kernel and iptables include ipset support than set names (prefixed
+          by "+") are also allowed.</para>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -101,13 +103,17 @@
    <para><ulink
    url="http://shorewall.net/MAC_Validation.html">http://shorewall.net/MAC_Validation.html</ulink></para>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-masq.xml
+++ b/manpages/shorewall-masq.xml
@@ -560,6 +560,9 @@
  <refsect1>
    <title>See ALSO</title>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-exclusion(5), shorewall-hosts(5),
    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
--- a/manpages/shorewall-nat.xml
+++ b/manpages/shorewall-nat.xml
@@ -35,7 +35,9 @@
      solution that one-to-one NAT.</para>
    </warning>

-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>

    <variablelist>
      <varlistentry>
@@ -101,8 +103,9 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">ALL INTERFACES</emphasis> - [<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+        <term><emphasis role="bold">ALL INTERFACES</emphasis> (allints) -
+        [<emphasis role="bold">Yes</emphasis>|<emphasis
+        role="bold">No</emphasis>]</term>

        <listitem>
          <para>If Yes or yes, NAT will be effective from all hosts. If No or
@@ -137,13 +140,17 @@
    <para><ulink
    url="http://shorewall.net/NAT.htm">http://shorewall.net/NAT.htm</ulink></para>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-netmap(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-netmap.xml
+++ b/manpages/shorewall-netmap.xml
@@ -31,24 +31,46 @@
      support included.</para>
    </warning>

-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>

    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">TYPE</emphasis> - <emphasis
-        role="bold">DNAT</emphasis>|<emphasis
-        role="bold">SNAT</emphasis></term>
+        role="bold">{DNAT</emphasis>|<emphasis
+        role="bold">SNAT}[:{P|O|T}</emphasis>]</term>

        <listitem>
-          <para>Must be DNAT or SNAT.</para>
+          <para>Must be DNAT or SNAT; beginning with Shorewall 4.4.23, may be
+          optionally followed by :P, :O or :T to perform <firstterm>stateless
+          NAT</firstterm>. Stateless NAT requires <firstterm>Rawpost Table
+          support</firstterm> in your kernel and iptables (see the output of
+          <command>shorewall show capabilities</command>).</para>

-          <para>If DNAT, traffic entering INTERFACE and addressed to NET1 has
-          its destination address rewritten to the corresponding address in
-          NET2.</para>
+          <para>If DNAT or DNAT:P, traffic entering INTERFACE and addressed to
+          NET1 has its destination address rewritten to the corresponding
+          address in NET2.</para>

-          <para>If SNAT, traffic leaving INTERFACE with a source address in
-          NET1 has it's source address rewritten to the corresponding address
-          in NET2.</para>
+          <para>If SNAT or SNAT:T, traffic leaving INTERFACE with a source
+          address in NET1 has it's source address rewritten to the
+          corresponding address in NET2.</para>
+
+          <para>If DNAT:O, traffic originating on the firewall and leaving via
+          INTERFACE and addressed to NET1 has its destination address
+          rewritten to the corresponding address in NET2.</para>
+
+          <para>If DNAT:P, traffic entering via INTERFACE and addressed to
+          NET1 has its destination address rewritten to the corresponding
+          address in NET2.</para>
+
+          <para>If SNAT:P, traffic entering via INTERFACE with a destination
+          address in NET1 has it's source address rewritten to the
+          corresponding address in NET2.</para>
+
+          <para>If SNAT:O, traffic originating on the firewall and leaving via
+          INTERFACE with a source address in NET1 has it's source address
+          rewritten to the corresponding address in NET2.</para>
        </listitem>
      </varlistentry>

@@ -57,7 +79,10 @@
        <emphasis>network-address</emphasis></term>

        <listitem>
-          <para>Network in CIDR format (e.g., 192.168.1.0/24).</para>
+          <para>Network in CIDR format (e.g., 192.168.1.0/24). Beginning with
+          Shorewall 4.4.24, <ulink
+          url="shorewall-exclusion.html">exclusion</ulink> is
+          supported.</para>
        </listitem>
      </varlistentry>

@@ -98,6 +123,59 @@
          network for SNAT rules.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTO</emphasis> -
+        <emphasis>protocol-number-or-name</emphasis></term>
+
+        <listitem>
+          <para>Optional -- added in Shorewall 4.4.23.2. Only packets
+          specifying this protocol will have their IP header modified.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
+        <emphasis>port-number-or-name-list</emphasis></term>
+
+        <listitem>
+          <para>Optional - added in Shorewall 4.4.23.2. Destination Ports. A
+          comma-separated list of Port names (from services(5)),
+          <emphasis>port number</emphasis>s or <emphasis>port
+          range</emphasis>s; if the protocol is <emphasis
+          role="bold">icmp</emphasis>, this column is interpreted as the
+          destination icmp-type(s). ICMP types may be specified as a numeric
+          type, a numberic type and code separated by a slash (e.g., 3/4), or
+          a typename. See <ulink
+          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
+
+          <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
+          this column is interpreted as an ipp2p option without the leading
+          "--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
+          If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
+          assumed.</para>
+
+          <para>An entry in this field requires that the PROTO column specify
+          icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
+          any of the following field is supplied.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE PORT(S) (sport)</emphasis> -
+        <emphasis>port-number-or-name-list</emphasis></term>
+
+        <listitem>
+          <para>Optional -- added in Shorewall 4.4.23.2. Source port(s). If
+          omitted, any source port is acceptable. Specified as a
+          comma-separated list of port names, port numbers or port
+          ranges.</para>
+
+          <para>An entry in this field requires that the PROTO column specify
+          tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
+          the following fields is supplied.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

@@ -113,13 +191,17 @@
    <para><ulink
    url="http://shorewall.net/netmap.html">http://shorewall.net/netmap.html</ulink></para>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-notrack.xml
+++ b/manpages/shorewall-notrack.xml
@@ -27,7 +27,9 @@
    connection tracking. Traffic matching entries in this file will not be
    tracked.</para>

-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>

    <variablelist>
      <varlistentry>
@@ -101,7 +103,7 @@
      </varlistentry>

      <varlistentry>
-        <term>DEST PORT(S) - port-number/service-name-list</term>
+        <term>DEST PORT(S) (dport) - port-number/service-name-list</term>

        <listitem>
          <para>A comma-separated list of port numbers and/or service names
@@ -113,7 +115,7 @@
      </varlistentry>

      <varlistentry>
-        <term>SOURCE PORT(S) - port-number/service-name-list</term>
+        <term>SOURCE PORT(S) (sport) - port-number/service-name-list</term>

        <listitem>
          <para>A comma-separated list of port numbers and/or service names
@@ -125,7 +127,7 @@
      </varlistentry>

      <varlistentry>
-        <term>USER/GROUP ‒
+        <term>USER/GROUP (user) ‒
        [<replaceable>user</replaceable>][:<replaceable>group</replaceable>]</term>

        <listitem>
@@ -146,13 +148,17 @@
  <refsect1>
    <title>See ALSO</title>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
-    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-policy.xml
+++ b/manpages/shorewall-policy.xml
@@ -51,7 +51,9 @@
      in this file.</para>
    </important>

-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>

    <variablelist>
      <varlistentry>
@@ -204,14 +206,14 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">LOG LEVEL</emphasis> (Optional) -
+        <term><emphasis role="bold">LOG LEVEL</emphasis> (loglevel) -
        [<emphasis>log-level</emphasis>|<emphasis
        role="bold">ULOG|NFLOG</emphasis>]</term>

        <listitem>
-          <para>If supplied, each connection handled under the default POLICY
-          is logged at that level. If not supplied, no log message is
-          generated. See syslog.conf(5) for a description of log
+          <para>Optional - if supplied, each connection handled under the
+          default POLICY is logged at that level. If not supplied, no log
+          message is generated. See syslog.conf(5) for a description of log
          levels.</para>

          <para>You may also specify ULOG or NFLOG (must be in upper case).
@@ -225,7 +227,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">BURST:LIMIT</emphasis> -
+        <term><emphasis role="bold">BURST:LIMIT</emphasis> (limit) -
        [{<emphasis>s</emphasis>|<emphasis
        role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
        role="bold">/</emphasis>{<emphasis
@@ -312,13 +314,17 @@
  <refsect1>
    <title>See ALSO</title>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-providers.xml
+++ b/manpages/shorewall-providers.xml
@@ -263,8 +263,10 @@
                specified <replaceable>weight</replaceable>. If the option is
                given without a <replaceable>weight</replaceable>, an separate
                default route is added through the provider's gateway; the
-                route has a metric equal to the provider's NUMBER. The option
-                is ignored with a warning message if USE_DEFAULT_RT=Yes in
+                route has a metric equal to the provider's NUMBER.</para>
+
+                <para>Prior to Shorewall 4.4.24, the option is ignored with a
+                warning message if USE_DEFAULT_RT=Yes in
                <filename>shorewall.conf</filename>.</para>
              </listitem>
            </varlistentry>
@@ -339,6 +341,9 @@
    <para><ulink
    url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
--- a/manpages/shorewall-proxyarp.xml
+++ b/manpages/shorewall-proxyarp.xml
@@ -134,6 +134,9 @@
    <para><ulink
    url="http://shorewall.net/ProxyARP.htm">http://shorewall.net/ProxyARP.htm</ulink></para>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
--- a/manpages/shorewall-route_rules.xml
+++ b/manpages/shorewall-route_rules.xml
@@ -164,13 +164,17 @@
    <para><ulink
    url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-routestopped(5),
-    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-routes.xml
+++ b/manpages/shorewall-routes.xml
@@ -78,6 +78,9 @@
  <refsect1>
    <title>See ALSO</title>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
--- a/manpages/shorewall-routestopped.xml
+++ b/manpages/shorewall-routestopped.xml
@@ -33,7 +33,9 @@
      restart</command> command.</para>
    </warning>

-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>

    <variablelist>
      <varlistentry>
@@ -47,27 +49,27 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">HOST(S)</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">HOST(S)</emphasis> (hosts) - [<emphasis
        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]</term>

        <listitem>
-          <para>Comma-separated list of IP/subnet addresses. If your kernel
-          and iptables include iprange match support, IP address ranges are
-          also allowed.</para>
+          <para>Optional. Comma-separated list of IP/subnet addresses. If your
+          kernel and iptables include iprange match support, IP address ranges
+          are also allowed.</para>

          <para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">OPTIONS</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">OPTIONS</emphasis> - [<emphasis
        role="bold">-</emphasis>|<emphasis>option</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>option</emphasis>]...]</term>

        <listitem>
-          <para>A comma-separated list of options. The order of the options is
-          not important but the list can contain no embedded whitespace. The
-          currently-supported options are:</para>
+          <para>Optional. A comma-separated list of options. The order of the
+          options is not important but the list can contain no embedded
+          whitespace. The currently-supported options are:</para>

          <variablelist>
            <varlistentry>
@@ -133,26 +135,26 @@
      </varlistentry>

      <varlistentry>
-        <term>DEST PORT(S) (Optional) ‒
+        <term>DEST PORT(S) (dport) ‒
        <replaceable>service-name/port-number-list</replaceable></term>

        <listitem>
-          <para>A comma-separated list of port numbers and/or service names
-          from <filename>/etc/services</filename>. May also include port
-          ranges of the form
+          <para>Optional. A comma-separated list of port numbers and/or
+          service names from <filename>/etc/services</filename>. May also
+          include port ranges of the form
          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
          if your kernel and iptables include port range support.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term>SOURCE PORT(S) (Optional) ‒
+        <term>SOURCE PORT(S) (sport) ‒
        <replaceable>service-name/port-number-list</replaceable></term>

        <listitem>
-          <para>A comma-separated list of port numbers and/or service names
-          from <filename>/etc/services</filename>. May also include port
-          ranges of the form
+          <para>Optional. A comma-separated list of port numbers and/or
+          service names from <filename>/etc/services</filename>. May also
+          include port ranges of the form
          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
          if your kernel and iptables include port range support.</para>
        </listitem>
@@ -199,13 +201,17 @@
    <para><ulink
    url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@@ -46,6 +46,16 @@
    <para>Sections are as follows and must appear in the order listed:</para>

    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ALL</emphasis></term>
+
+        <listitem>
+          <para>This section was added in Shorewall 4.4.23. rules in this
+          section are applied, regardless of the connection tracking state of
+          the packet.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">ESTABLISHED</emphasis></term>

@@ -126,7 +136,9 @@
      </listitem>
    </itemizedlist>

-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>

    <variablelist>
      <varlistentry>
@@ -849,7 +861,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
+        <term><emphasis role="bold">PROTO</emphasis>- {<emphasis
        role="bold">-</emphasis>|<emphasis
        role="bold">tcp:syn</emphasis>|<emphasis
        role="bold">ipp2p</emphasis>|<emphasis
@@ -858,8 +870,8 @@
        role="bold">all}</emphasis></term>

        <listitem>
-          <para>Protocol - <emphasis role="bold">ipp2p</emphasis>* requires
-          ipp2p match support in your kernel and iptables. <emphasis
+          <para>Optional Protocol - <emphasis role="bold">ipp2p</emphasis>*
+          requires ipp2p match support in your kernel and iptables. <emphasis
          role="bold">tcp:syn</emphasis> implies <emphasis
          role="bold">tcp</emphasis> plus the SYN flag must be set and the
          RST,ACK and FIN flags must be reset.</para>
@@ -871,18 +883,18 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">DEST PORT(S) </emphasis>(Optional) -
+        <term><emphasis role="bold">DEST PORT(S) (dport)</emphasis> -
        {<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>

        <listitem>
-          <para>Destination Ports. A comma-separated list of Port names (from
-          services(5)), port numbers or port ranges; if the protocol is
-          <emphasis role="bold">icmp</emphasis>, this column is interpreted as
-          the destination icmp-type(s). ICMP types may be specified as a
-          numeric type, a numberic type and code separated by a slash (e.g.,
-          3/4), or a typename. See <ulink
+          <para>Optional destination Ports. A comma-separated list of Port
+          names (from services(5)), port numbers or port ranges; if the
+          protocol is <emphasis role="bold">icmp</emphasis>, this column is
+          interpreted as the destination icmp-type(s). ICMP types may be
+          specified as a numeric type, a numberic type and code separated by a
+          slash (e.g., 3/4), or a typename. See <ulink
          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
          Note that prior to Shorewall 4.4.19, only a single ICMP type may be
          listsed.</para>
@@ -914,15 +926,15 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
        {<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...}</term>

        <listitem>
-          <para>Port(s) used by the client. If omitted, any source port is
-          acceptable. Specified as a comma- separated list of port names, port
-          numbers or port ranges.</para>
+          <para>Optional port(s) used by the client. If omitted, any source
+          port is acceptable. Specified as a comma- separated list of port
+          names, port numbers or port ranges.</para>

          <warning>
            <para>Unless you really understand IP, you should leave this
@@ -949,19 +961,19 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (Optional) -
+        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
        [<emphasis
        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>

        <listitem>
-          <para>If ACTION is <emphasis role="bold">DNAT</emphasis>[<emphasis
-          role="bold">-</emphasis>] or <emphasis
-          role="bold">REDIRECT</emphasis>[<emphasis role="bold">-</emphasis>]
-          then if this column is included and is different from the IP address
-          given in the <emphasis role="bold">DEST</emphasis> column, then
-          connections destined for that address will be forwarded to the IP
-          and port specified in the <emphasis role="bold">DEST</emphasis>
-          column.</para>
+          <para>Optional. If ACTION is <emphasis
+          role="bold">DNAT</emphasis>[<emphasis role="bold">-</emphasis>] or
+          <emphasis role="bold">REDIRECT</emphasis>[<emphasis
+          role="bold">-</emphasis>] then if this column is included and is
+          different from the IP address given in the <emphasis
+          role="bold">DEST</emphasis> column, then connections destined for
+          that address will be forwarded to the IP and port specified in the
+          <emphasis role="bold">DEST</emphasis> column.</para>

          <para>A comma-separated list of addresses may also be used. This is
          most useful with the <emphasis role="bold">REDIRECT</emphasis>
@@ -1003,8 +1015,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">RATE LIMIT</emphasis> (Optional) -
-        [<emphasis role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
+        <term><emphasis role="bold">RATE LIMIT</emphasis> (rate) - [<emphasis
+        role="bold">-</emphasis>|[{<emphasis>s</emphasis>|<emphasis
        role="bold">d</emphasis>}:[[<replaceable>name</replaceable>]:]]]<emphasis>rate</emphasis><emphasis
        role="bold">/</emphasis>{<emphasis
        role="bold">sec</emphasis>|<emphasis
@@ -1013,8 +1025,8 @@
        role="bold">day</emphasis>}[:<emphasis>burst</emphasis>]</term>

        <listitem>
-          <para>You may rate-limit the rule by placing a value in this
-          column:</para>
+          <para>You may optionally rate-limit the rule by placing a value in
+          this column:</para>

          <para><emphasis>rate</emphasis> is the number of connections per
          interval (<emphasis role="bold">sec</emphasis> or <emphasis
@@ -1040,15 +1052,14 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">USER/GROUP</emphasis> (Optional) -
-        [<emphasis
+        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>

        <listitem>
-          <para>This column may only be non-empty if the SOURCE is the
-          firewall itself.</para>
+          <para>This optional column may only be non-empty if the SOURCE is
+          the firewall itself.</para>

          <para>When this column is non-empty, the rule applies only if the
          program generating the output is running under the effective
@@ -1257,6 +1268,54 @@
          </variablelist>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">HEADERS</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.15. Not used in IPv4 configurations. If
+          you with to supply a value for one of the later columns, enter '-'
+          in this column.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable></emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.24 and allows enabling and disabling
+          the rule without requiring <command>shorewall
+          restart</command>.</para>
+
+          <para>The rule is enabled if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. The rule is disabled if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0. <replaceable>switch-name</replaceable> must
+          begin with a letter and be composed of letters, decimal digits,
+          underscores or hyphens. Switch names must be 30 characters or less
+          in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall
+          restart</command>.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

@@ -1447,6 +1506,19 @@
        SSH(ACCEPT) net             all        -           -            -         -                s:1/min:3</programlisting>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>Example 12:</term>
+
+        <listitem>
+          <para>Forward port 80 to dmz host $BACKUP if switch 'primary_down'
+          is on.</para>
+
+          <programlisting>        #ACTION     SOURCE          DEST        PROTO       DEST         SOURCE    ORIGINAL   RATE      USER/     MARK    CONNLIMIT     TIME     HEADERS    SWITCH
+        #                                                   PORT(S)      PORT(S)   DEST       LIMIT     GROUP
+        DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down</programlisting>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

@@ -1462,6 +1534,9 @@
    <para><ulink
    url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
--- a/manpages/shorewall-secmarks.xml
+++ b/manpages/shorewall-secmarks.xml
@@ -34,7 +34,9 @@
    <para>The secmarks file is used to associate an SELinux context with
    packets. It was added in Shorewall version 4.4.13.</para>

-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>

    <variablelist>
      <varlistentry>
@@ -89,7 +91,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">CHAIN:STATE -
+        <term><emphasis role="bold">CHAIN:STATE (chain) -
        {P|I|F|O|T}[:{N|I|NI|E|ER}]</emphasis></term>

        <listitem>
@@ -216,14 +218,14 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">PORT(S)</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>

        <listitem>
-          <para>Destination Ports. A comma-separated list of Port names (from
-          services(5)), <emphasis>port number</emphasis>s or <emphasis>port
-          range</emphasis>s; if the protocol is <emphasis
+          <para>Optional destination Ports. A comma-separated list of Port
+          names (from services(5)), <emphasis>port number</emphasis>s or
+          <emphasis>port range</emphasis>s; if the protocol is <emphasis
          role="bold">icmp</emphasis>, this column is interpreted as the
          destination icmp-type(s). ICMP types may be specified as a numeric
          type, a numberic type and code separated by a slash (e.g., 3/4), or
@@ -243,26 +245,26 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
        [<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>

        <listitem>
-          <para>Source port(s). If omitted, any source port is acceptable.
-          Specified as a comma-separated list of port names, port numbers or
-          port ranges.</para>
+          <para>Optional source port(s). If omitted, any source port is
+          acceptable. Specified as a comma-separated list of port names, port
+          numbers or port ranges.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">USER</emphasis> - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>

        <listitem>
-          <para>This column may only be non-empty if the SOURCE is the
-          firewall itself.</para>
+          <para>This optional column may only be non-empty if the SOURCE is
+          the firewall itself.</para>

          <para>When this column is non-empty, the rule applies only if the
          program generating the output is running under the effective
@@ -387,6 +389,9 @@ RESTORE                               I:ER</programlisting>
    <para><ulink
    url="http://james-morris.livejournal.com/11010.html">http://james-morris.livejournal.com/11010.html</ulink></para>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
--- a/manpages/shorewall-tcclasses.xml
+++ b/manpages/shorewall-tcclasses.xml
@@ -500,6 +500,9 @@
    <para><ulink
    url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
--- a/manpages/shorewall-tcdevices.xml
+++ b/manpages/shorewall-tcdevices.xml
@@ -91,7 +91,9 @@
      </listitem>
    </itemizedlist>

-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>

    <variablelist>
      <varlistentry>
@@ -120,7 +122,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">IN-BANDWIDTH</emphasis> -
+        <term><emphasis role="bold">IN-BANDWIDTH (in_bandwidth)</emphasis> -
        <replaceable>bandwidth</replaceable>[:<replaceable>burst</replaceable>]</term>

        <listitem>
@@ -147,7 +149,7 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">OUT-BANDWIDTH</emphasis> -
+        <term><emphasis role="bold">OUT-BANDWIDTH</emphasis> (out_bandwidth) -
        <emphasis>bandwidth</emphasis></term>

        <listitem>
@@ -178,7 +180,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">REDIRECTED INTERFACES</emphasis> -
+        <term><emphasis role="bold">REDIRECTED INTERFACES</emphasis>
+        (redirect)-
        [<emphasis>interface</emphasis>[,<emphasis>interface</emphasis>]...]</term>

        <listitem>
@@ -225,6 +228,9 @@
    <para><ulink
    url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
--- a/manpages/shorewall-tcfilters.xml
+++ b/manpages/shorewall-tcfilters.xml
@@ -57,7 +57,9 @@
      </varlistentry>
    </variablelist>

-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>

    <variablelist>
      <varlistentry>
@@ -112,25 +114,24 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">DEST PORT</emphasis> (Optional) -
-        [<emphasis
+        <term><emphasis role="bold">DEST PORT</emphasis> (dport) - [<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>

        <listitem>
-          <para>Destination Ports. A Port name (from services(5)) or a
-          <emphasis>port number</emphasis>; if the protocol is <emphasis
+          <para>Optional destination Ports. A Port name (from services(5)) or
+          a <emphasis>port number</emphasis>; if the protocol is <emphasis
          role="bold">icmp</emphasis>, this column is interpreted as the
          destination icmp-type(s).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT</emphasis> (Optional) -
+        <term><emphasis role="bold">SOURCE PORT</emphasis> (sport) -
        [<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>

        <listitem>
-          <para>Source port.</para>
+          <para>Optional source port.</para>
        </listitem>
      </varlistentry>

@@ -179,12 +180,12 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">LENGTH</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">LENGTH</emphasis> - [<emphasis
        role="bold">-</emphasis>|<emphasis>number</emphasis>]</term>

        <listitem>
-          <para>Must be a power of 2 between 32 and 8192 inclusive. Packets
-          with a total length that is strictly less than the specified
+          <para>Optional - Must be a power of 2 between 32 and 8192 inclusive.
+          Packets with a total length that is strictly less than the specified
          <replaceable>number</replaceable> will match the rule.</para>
        </listitem>
      </varlistentry>
@@ -238,6 +239,9 @@
    <para><ulink
    url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
--- a/manpages/shorewall-tcinterfaces.xml
+++ b/manpages/shorewall-tcinterfaces.xml
@@ -104,7 +104,9 @@
      </listitem>
    </itemizedlist>

-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>

    <variablelist>
      <varlistentry>
@@ -139,7 +141,7 @@
      </varlistentry>

      <varlistentry>
-        <term>IN-BANDWIDTH -
+        <term>IN-BANDWIDTH (in_bandwidth) -
        [<replaceable>rate</replaceable>[:<replaceable>burst</replaceable>]]</term>

        <listitem>
@@ -169,7 +171,7 @@
      </varlistentry>

      <varlistentry>
-        <term>OUT-BANDWIDTH -
+        <term>OUT-BANDWIDTH (out_bandwidth) -
        [<replaceable>rate</replaceable>[:[<replaceable>burst</replaceable>][:[<replaceable>latency</replaceable>][:[<replaceable>peek</replaceable>][:[<replaceable>minburst</replaceable>]]]]]]</term>

        <listitem>
@@ -203,12 +205,13 @@
    url="http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt">http://ace-host.stuart.id.au/russell/files/tc/doc/sch_tbf.txt</ulink></para>

    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcpri(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcpri(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages/shorewall-tcpri.xml
+++ b/manpages/shorewall-tcpri.xml
@@ -147,13 +147,17 @@
  <refsect1>
    <title>See ALSO</title>

-    <para>PRIO(8), shorewall(8), shorewall-accounting(5),
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>prio(8), shorewall(8), shorewall-accounting(5),
    shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5),
-    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
+    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
+    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@@ -38,11 +38,13 @@
      url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
    </important>

-    <para>The columns in the file are as follows.</para>
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>

    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
+        <term><emphasis role="bold">MARK/CLASSIFY</emphasis> (mark) -
        <replaceable>mark</replaceable></term>

        <listitem>
@@ -415,6 +417,25 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
                </listitem>
              </itemizedlist>
            </listitem>
+
+            <listitem>
+              <para><emphasis role="bold">TTL</emphasis>([<emphasis
+              role="bold">-</emphasis>|<emphasis
+              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>
+
+              <para>Added in Shorewall 4.4.24. May be option followed by
+              <emphasis role="bold">:F</emphasis> but the resulting rule is
+              always added to the FORWARD chain. If <emphasis
+              role="bold">+</emphasis> is included, packets matching the rule
+              will have their TTL incremented by
+              <replaceable>number</replaceable>. Similarly, if <emphasis
+              role="bold">-</emphasis> is included, matching packets have
+              their TTL decremented by <replaceable>number</replaceable>. If
+              neither <emphasis role="bold">+</emphasis> nor <emphasis
+              role="bold">-</emphasis> is given, the TTL of matching packets
+              is set to <replaceable>number</replaceable>. The valid range of
+              values for <replaceable>number</replaceable> is 1-255.</para>
+            </listitem>
          </orderedlist>
        </listitem>
      </varlistentry>
@@ -531,14 +552,14 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">PORT(S)</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">PORT(S)</emphasis> (dport) - [<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>

        <listitem>
-          <para>Destination Ports. A comma-separated list of Port names (from
-          services(5)), <emphasis>port number</emphasis>s or <emphasis>port
-          range</emphasis>s; if the protocol is <emphasis
+          <para>Optional destination Ports. A comma-separated list of Port
+          names (from services(5)), <emphasis>port number</emphasis>s or
+          <emphasis>port range</emphasis>s; if the protocol is <emphasis
          role="bold">icmp</emphasis>, this column is interpreted as the
          destination icmp-type(s). ICMP types may be specified as a numeric
          type, a numberic type and code separated by a slash (e.g., 3/4), or
@@ -558,15 +579,15 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (Optional) -
+        <term><emphasis role="bold">SOURCE PORT(S)</emphasis> (sport) -
        [<emphasis
        role="bold">-</emphasis>|<emphasis>port-name-number-or-range</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>port-name-number-or-range</emphasis>]...]</term>

        <listitem>
-          <para>Source port(s). If omitted, any source port is acceptable.
-          Specified as a comma-separated list of port names, port numbers or
-          port ranges.</para>
+          <para>Optional source port(s). If omitted, any source port is
+          acceptable. Specified as a comma-separated list of port names, port
+          numbers or port ranges.</para>

          <para>An entry in this field requires that the PROTO column specify
          tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
@@ -575,14 +596,14 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">USER</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">USER</emphasis> - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>

        <listitem>
-          <para>This column may only be non-empty if the SOURCE is the
-          firewall itself.</para>
+          <para>This optional column may only be non-empty if the SOURCE is
+          the firewall itself.</para>

          <para>When this column is non-empty, the rule applies only if the
          program generating the output is running under the effective
@@ -635,13 +656,13 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">TEST</emphasis> (Optional) - [<emphasis
+        <term><emphasis role="bold">TEST</emphasis> - [<emphasis
        role="bold">!</emphasis>]<emphasis>value</emphasis>[/<emphasis>mask</emphasis>][<emphasis
        role="bold">:C</emphasis>]</term>

        <listitem>
-          <para>Defines a test on the existing packet or connection mark. The
-          rule will match only if the test returns true.</para>
+          <para>Optional - Defines a test on the existing packet or connection
+          mark. The rule will match only if the test returns true.</para>

          <para>If you don't want to define a test but need to specify
          anything in the following columns, place a "-" in this field.</para>
@@ -684,15 +705,15 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">LENGTH</emphasis> (Optional) -
+        <term><emphasis role="bold">LENGTH</emphasis> -
        [<emphasis>length</emphasis>|[<emphasis>min</emphasis>]<emphasis
        role="bold">:</emphasis>[<emphasis>max</emphasis>]]</term>

        <listitem>
-          <para>Packet Length. This field, if present allow you to match the
-          length of a packet against a specific value or range of values. You
-          must have iptables length support for this to work. A range is
-          specified in the form
+          <para>Optional - packet Length. This field, if present allow you to
+          match the length of a packet against a specific value or range of
+          values. You must have iptables length support for this to work. A
+          range is specified in the form
          <emphasis>min</emphasis>:<emphasis>max</emphasis> where either
          <emphasis>min</emphasis> or <emphasis>max</emphasis> (but not both)
          may be omitted. If <emphasis>min</emphasis> is omitted, then 0 is
@@ -702,7 +723,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">TOS</emphasis> (Optional) -
+        <term><emphasis role="bold">TOS</emphasis> -
        <emphasis>tos</emphasis></term>

        <listitem>
@@ -718,7 +739,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">CONNBYTES</emphasis> (Optional) -
+        <term><emphasis role="bold">CONNBYTES</emphasis> -
        [!]<emphasis>min</emphasis>:[<emphasis>max</emphasis>[:{<emphasis
        role="bold">O</emphasis>|<emphasis role="bold">R</emphasis>|<emphasis
        role="bold">B</emphasis>}[:{<emphasis
@@ -726,8 +747,9 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
        role="bold">A</emphasis>}]]]</term>

        <listitem>
-          <para>Connection Bytes; defines a byte or packet range that the
-          connection must fall within in order for the rule to match.</para>
+          <para>Optional connection Bytes; defines a byte or packet range that
+          the connection must fall within in order for the rule to
+          match.</para>

          <para>A packet matches if the the packet/byte count is within the
          range defined by <emphasis>min</emphasis> and
@@ -765,7 +787,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">HELPER (Optional) -
+        <term><emphasis role="bold">HELPER -
        </emphasis><emphasis>helper</emphasis></term>

        <listitem>
@@ -840,6 +862,9 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
    <para><ulink
    url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>

+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	99b21fdfc5	Implement HL manipulation for IPv6 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-10-09 14:01:40 -07:00
Tom Eastep	668926c2a6	Add BALANCE_TABLE. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-10-09 09:00:14 -07:00
Tom Eastep	a5010ec9a6	Correct alternate specification in the tunnels file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-10-09 08:50:55 -07:00
Tom Eastep	8115934adf	More alternate-specification fixes. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-10-09 07:05:08 -07:00
Tom Eastep	2d6f5da6bc	Correct proto column of the netmap file	2011-10-08 18:19:08 -07:00
Tom Eastep	c304661217	Fix earlier change	2011-10-08 17:10:23 -07:00
Tom Eastep	b5963c6783	Fix alternate nat handling	2011-10-08 17:01:18 -07:00
Tom Eastep	e322e60d73	Fix 'fallback'	2011-10-08 12:32:29 -07:00
Tom Eastep	04c2007d53	Resolve merge conflicts Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-10-08 07:03:01 -07:00
Tom Eastep	092da7ce67	Add proxyndp to 'pairs' documentation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-10-07 15:14:23 -07:00
Tom Eastep	0a5d5821ec	Support additional forms of column/value pair specification Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-10-02 11:45:55 -07:00
Tom Eastep	e728d663f9	Implement IPTABLES_S capability Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-10-01 13:54:52 -07:00
Tom Eastep	2f0829596f	Fix format-1 Actions	2011-10-01 12:17:29 -07:00
Tom Eastep	f6092ee52d	Eliminate the maxcolumns argument to the split_line functions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-10-01 11:39:12 -07:00
Tom Eastep	072f4752fc	Get rid of minimum column requirement Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-10-01 09:56:25 -07:00
Tom Eastep	5aa4534fbe	Correct copyright date in the Shorewall Lite doc Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-29 07:20:01 -07:00
Tom Eastep	765ec27fbb	Correct URL in the Documentation Index	2011-09-27 18:34:23 -07:00
Tom Eastep	a3d4edfd1f	Reorganize Shorewall Lite docs	2011-09-27 18:13:57 -07:00
Tom Eastep	37da8b5808	Rename and refine Shorewall Lite doc Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-27 15:44:19 -07:00
Tom Eastep	11064202a5	Update features	2011-09-26 17:32:06 -07:00
Tom Eastep	2b7515f434	Refer manpage readers to the 'Pairs' information Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-26 10:16:52 -07:00
Tom Eastep	c76957cc39	Reword an error message Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-26 08:51:05 -07:00
Tom Eastep	4c7f1a03a0	Catch multiple semicolons on a line. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-26 07:42:44 -07:00
Tom Eastep	9a4dfc4394	Implement an alternate way of specifying column contents. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-25 17:08:53 -07:00
Tom Eastep	da5b6b99d4	Implement TTL support in tcrules. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-24 16:17:52 -07:00
Tom Eastep	dbf5f17b41	More tweaks to switch implementation. 1) Switch names may be 30 characters long. 2) Switch settings are retained over restart. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-24 07:34:58 -07:00
Tom Eastep	40bc6df07a	Correct handling of SWITCH column - Handle exclusion - Correctly detect CONDITION_MATCH at compile time - Include condition match in the filter part of a NAT rule Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-23 15:01:40 -07:00
Tom Eastep	12bfc14c5f	More SWTICH changes. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-23 14:44:20 -07:00
Tom Eastep	76707d29ba	Make find_first_interface_address() more lenient on IPv6 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-23 14:44:01 -07:00
Tom Eastep	caddd65412	Rename condition->switch and add more documentation. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-23 12:33:55 -07:00
Tom Eastep	cf80dc8858	Document OpenVZ brokenness on Squeeze	2011-09-21 19:27:38 -07:00
Tom Eastep	13679187b9	Merge branch 'master' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-21 15:22:38 -07:00
Tom Eastep	75b4540d26	Add support for condition match in the rules file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-21 15:20:50 -07:00
Tom Eastep	e8f51150dd	Add support for condition match in the rules file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-21 08:13:44 -07:00
Tom Eastep	7978993d2b	Validate NET2 in IPv6 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-20 16:24:39 -07:00
Tom Eastep	d005536fcc	Merge branch 'master' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-20 16:20:34 -07:00
Tom Eastep	a5e05c9e8e	Don't allow long port lists or icmp lists in netmap	2011-09-19 13:27:27 -07:00
Tom Eastep	990d6e504d	Correct icmp-type and icmpv6-type	2011-09-19 10:05:58 -07:00
Tom Eastep	fd1e996fb1	Correct call to dest_iexclusion() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-19 08:28:29 -07:00
Tom Eastep	e894e15fa1	More netmap updates Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-19 08:28:04 -07:00
Tom Eastep	e01276225c	Correct port order in the netmap file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-19 06:17:02 -07:00
Tom Eastep	c2bcb08483	Add 'i' versions of exclusion functions. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-18 14:12:22 -07:00
Tom Eastep	379d1d3201	Document how to use IPv6 netmap Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-18 10:56:11 -07:00
Tom Eastep	2749857eb2	Support 'shorewall6 show rawpost' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-18 06:57:57 -07:00
Tom Eastep	95a83f7fdf	Allow exclusion in the netmap file's NET1 column	2011-09-17 09:20:15 -07:00
Tom Eastep	5aac5870a1	Call setup_netmap if IPv6 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-17 07:31:18 -07:00
Tom Eastep	b2a255f8c3	Merge branch '4.4.23'	2011-09-17 07:05:26 -07:00
Tom Eastep	dd836507e0	Correct capitalization (SHARED->Shared) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-16 10:27:49 -07:00
Tom Eastep	86847957bf	Merge branch '4.4.23'	2011-09-16 09:03:43 -07:00
Tom Eastep	76fc55d750	Fix TC_ENABLED=Shared Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-16 06:50:34 -07:00
Tom Eastep	551f93762d	Correct two typos in the Proxy ARP doc Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-15 14:46:50 -07:00
Tom Eastep	be1765f44d	Don't emit 'enable' code for required providers Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-15 14:46:29 -07:00
Tom Eastep	895d2f34c5	Externalize stateless NAT for IPv6 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-15 14:27:05 -07:00
Tom Eastep	a42e511638	Correct two typos in the Proxy ARP doc Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-14 13:37:55 -07:00
Tom Eastep	fcb8fa79c0	Don't emit 'enable' code for required providers Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-14 08:25:47 -07:00
Tom Eastep	e1afc645ba	Allow IPv6 stateless NAT (undocumented) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-14 08:24:44 -07:00
Tom Eastep	fe9df4dfd1	Remove interface weight file if not balance or default. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-14 06:24:22 -07:00
Tom Eastep	e59bb25225	Cosmetic change Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-13 11:32:25 -07:00
Tom Eastep	55129204ac	Merge branch 'master' into 4.4.23	2011-09-13 07:43:33 -07:00
Tom Eastep	8fe6425690	Correct DONT_LOAD Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-13 07:42:26 -07:00
Tom Eastep	6b482cab88	Modify netmap manpage to reflect releasing the new functionality in 4.4.23.2 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-12 17:01:47 -07:00
Tom Eastep	95d6e454ba	Merge branch 'master' into 4.4.23	2011-09-12 16:49:30 -07:00
Tom Eastep	e46b76789e	Better way of handling environmental variables with embedded quotes. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-11 09:55:25 -07:00
Tom Eastep	ab1fac3fc6	Add some comments to getparams Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-11 09:52:12 -07:00
Tom Eastep	d4b37d1c52	Better way of handling environmental variables with embedded quotes. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-10 15:46:26 -07:00
Tom Eastep	fb6d4ffaf9	Merge branch '4.4.23'	2011-09-10 08:34:45 -07:00
Tom Eastep	8ce60ce825	Don't emit dangerous %ENV entries to the generated script Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-10 08:18:46 -07:00
Tom Eastep	a3f6b9292e	Change "see above" to "see below" in routefilter description Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-07 16:34:42 -07:00
Tom Eastep	7ed52360d5	Set all interfaces's 'routefilter' option if ROUTE_FILTER=on Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-07 12:19:13 -07:00
Tom Eastep	6f2fd75a8c	Merge branch '4.4.23'	2011-09-07 11:14:11 -07:00
Tom Eastep	d3ed864daa	Clarify routeback vs routefilter/sfilter in interfaces manpages. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-07 11:13:26 -07:00
Tom Eastep	149e697d71	Clarify routeback vs routefilter/sfilter in interfaces manpages. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-07 11:12:43 -07:00
Tom Eastep	5f85646418	Fix disable of last balanced route Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-07 07:00:18 -07:00
Tom Eastep	6ae184ccc7	Update the released netmap file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-06 15:36:33 -07:00
Tom Eastep	b19a6f0bfd	Merge branch '4.4.23'	2011-09-05 17:25:03 -07:00
Tom Eastep	a16986ddc3	s /filter/sfilter/ in FAQ 17 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-05 17:24:42 -07:00
Tom Eastep	5015aade0c	Document change to netmap Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-05 12:59:54 -07:00
Tom Eastep	43260e27fb	Correct netmap manpage Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-05 12:41:57 -07:00
Tom Eastep	77ca62835f	Add PROTO and PORTS columns to netmap	2011-09-05 12:33:42 -07:00
Tom Eastep	02009ee060	Set 'use_..._chain' on interfaces with sfilters Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-05 06:23:18 -07:00
Tom Eastep	761ef37e74	Merge branch 'master' into 4.4.23	2011-09-04 15:17:44 -07:00
Tom Eastep	ee8a8978b2	Fix typo in the Shorewall6 interfaces manpage	2011-09-04 15:11:05 -07:00
Tom Eastep	88e28775c9	Document SAFESTOP in FAQ 73. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-04 07:49:04 -07:00
Tom Eastep	2285dce4d1	Fix debugging of ipv6 ruleset Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-03 13:58:05 -07:00
Tom Eastep	058b746f57	Use /sys/module/ to speed up module loading Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-03 11:49:31 -07:00
Tom Eastep	29e0f57928	Cosmetic/readability changes Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-03 08:44:15 -07:00
Tom Eastep	d1fea7c682	Correct 'disable' with dynamic gateway Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-02 11:01:06 -07:00
Tom Eastep	46d9faa63a	Correct sed invocation in add_gateway() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-02 10:28:41 -07:00
Tom Eastep	a63d4dad44	More sfilter tweaks Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-02 08:41:42 -07:00
Tom Eastep	6afd18646d	Remove backslashes from routes before processing them. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-02 08:41:15 -07:00
Tom Eastep	f5c2e9b211	Make the sfilter logic cleaner and add a comment Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-01 14:15:15 -07:00
Tom Eastep	678f6b4091	Add FAQ 97 about low TC outbound bandwidth Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-01 10:48:48 -07:00
Tom Eastep	a0bbd72a39	Avoid a calculation in a loop in the generated code Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-09-01 06:06:50 -07:00
Tom Eastep	3fa646845f	Fix busybox anomaly	2011-08-31 16:38:58 -07:00
Tom Eastep	d08ddd30ff	Update copyright in Documentation Index Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-31 07:59:05 -07:00
Tom Eastep	82a806d788	Merge branch 'master' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-31 07:58:51 -07:00
Tom Eastep	8b67052e5d	Add LXC.html to the documentation index and provide Graphic Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-31 07:49:43 -07:00
Tom Eastep	751094f408	Remove my email address from the LSM sample config	2011-08-31 07:07:25 -07:00
Tom Eastep	b8951259bd	Avoid emitting out-of-function statements. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-30 16:55:44 -07:00
Tom Eastep	78a25bb51b	Avoid undefined value error. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-30 16:43:38 -07:00
Tom Eastep	abdd6bec27	More corrections to undo_routing Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-30 09:31:06 -07:00
Tom Eastep	3031c37edd	Handle routes and rules for main and default Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-29 10:05:36 -07:00
Tom Eastep	45bc3a7ea0	Split add_a_provider() into two functions. - Avoid generating add_xxx_routes() and add_xxx_rules - Only configure tc during 'enable' - Fix a bad bug (routes were actually rules) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-28 08:04:06 -07:00
Tom Eastep	65fe958e8e	Split add_a_provider() into two functions. - Avoid generating add_xxx_routes() and add_xxx_rules - Only configure tc during 'enable' - Fix a bad bug (routes were actually rules) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-28 07:54:47 -07:00
Tom Eastep	90f83fd9fd	Clear device TC on 'disable' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-27 12:33:24 -07:00
Tom Eastep	ed7d70e54b	Merge branch 'EdW'	2011-08-27 11:45:37 -07:00
Tom Eastep	0ef8e3b1d6	Give tcpri processing its own function. Add some comments Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-27 11:44:42 -07:00
Tom Eastep	eb9d798ad3	Correct traffic-shaping handling Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-27 11:17:08 -07:00
Tom Eastep	5d21b55ecc	Configure /proc during 'enable' processing. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-27 09:21:02 -07:00
Tom Eastep	cedf203c21	Allow tc config during 'enable' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-27 08:29:55 -07:00
Tom Eastep	7d66b3e60f	Correct typo in prog.footer Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-26 14:13:34 -07:00
Tom Eastep	bcb5d76c2f	Remove QUOTA_MATCH code from Shorewall.6 lib.cli Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-26 12:56:51 -07:00
Tom Eastep	a8d0f5f40b	Fix the log message when 'enable' fails. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-26 11:02:42 -07:00
Tom Eastep	eb5a105d5a	Correct Shorewall Lite installer Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-26 11:02:20 -07:00
Tom Eastep	528f2b0aa2	Implement enable and disable commands for IPv4 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-25 16:00:27 -07:00
Tom Eastep	f6920cf061	Merge branch 'EdW'	2011-08-24 17:51:48 -07:00
Tom Eastep	2ef7dd5201	Re-factor Provider startup	2011-08-24 17:37:39 -07:00
Tom Eastep	971adc3d5b	Add support for serviced in the installers Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-23 14:07:44 -07:00
Tom Eastep	33afe26a19	Add Redhat/Fedora init scripts from Jonathan Underwood Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-22 09:05:40 -07:00
Tom Eastep	4e15786156	Add copyright statements to the .service files	2011-08-22 06:53:04 -07:00
Tom Eastep	e6a6a1a609	Add .service files for systemd	2011-08-22 06:27:23 -07:00
Tom Eastep	24aacd67e6	Improve lockfile arguments Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-21 11:28:45 -07:00
Tom Eastep	56addf3d4c	Remove stale lock files Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-21 10:53:24 -07:00
Tom Eastep	2963acee80	Remove stale lock files	2011-08-21 10:21:58 -07:00
Tom Eastep	8c8326fa58	Correct handling of Wildcard Providers Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-20 06:49:02 -07:00
Tom Eastep	8ae9b2948e	Make 'start debug' work with the rawpost table. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-16 16:17:02 -07:00
Tom Eastep	ca8e99ed51	Correct implementation of the ALL section. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-16 14:10:21 -07:00
Tom Eastep	e5886abed1	Take care of oversights in the Stateless NAT implementation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-16 14:10:07 -07:00
Tom Eastep	c597eb25fc	Delete QUOTA_MATCH Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-16 05:39:28 -07:00
Tom Eastep	bc706324e9	Add an ALL section to the rules files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-15 15:32:24 -07:00
Tom Eastep	d5290fc881	Correct typo that caused an internal error Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-15 10:11:12 -07:00
Tom Eastep	0b2a8b12c7	Implement Stateless NAT support. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-14 12:01:17 -07:00
Tom Eastep	71480ff647	Validate nets in the netmap file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-13 15:59:42 -07:00
Tom Eastep	97121116a3	Add rawpost table detection Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-13 11:14:29 -07:00
Tom Eastep	37b08dd991	Merge branch '4.4.22'	2011-08-13 10:48:27 -07:00
Tom Eastep	dec4f4f186	Separate target and targetopts in add_ijump calls. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-13 09:56:14 -07:00
Tom Eastep	11919fd6e6	Don't allow connection pickup from the Net (Samples)	2011-08-13 07:07:54 -07:00
Tom Eastep	7192960ffb	Correct typos in Macros HOWTO Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-12 14:54:06 -07:00
Tom Eastep	f49ae2762b	Correct typos in Macros HOWTO Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-12 14:49:34 -07:00
Tom Eastep	b1b323191c	Merge branch '4.4.22'	2011-08-11 20:19:47 -07:00
Tom Eastep	786455b287	Unlink .bak file if no changes to .conf. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-11 20:19:30 -07:00
Tom Eastep	39c71418da	Merge branch '4.4.22'	2011-08-10 09:34:37 -07:00
Tom Eastep	7708c251db	Fix ECN when MANGLE_FORWARD is not available. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-10 09:34:15 -07:00
Tom Eastep	8eff66dcfd	Fix handling or ORIGINAL DEST when CONNTRACK_MATCH is not available Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-10 07:12:13 -07:00
Tom Eastep	c923dfdade	Correct Port Knocking HOWTO for iptables 1.4.12 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-09 16:22:46 -07:00
Tom Eastep	67c1fa1e63	Fix old state match	2011-08-08 20:35:55 -07:00
Tom Eastep	ac8617bdc8	Merge branch '4.4.22' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall into 4.4.22	2011-08-08 20:34:04 -07:00
Tom Eastep	8fe064914b	Fix old state match	2011-08-08 20:32:02 -07:00
Tom Eastep	27353478a0	Fix old state match	2011-08-08 20:19:11 -07:00
Tom Eastep	4824c9b8ff	Add QUOTA_MATCH capability Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-08 14:37:47 -07:00
Tom Eastep	35457f4e95	Remove she-bang from lib.* Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-03 07:54:46 -07:00
Tom Eastep	b0fe8e1e60	Merge branch '4.4.22'	2011-08-03 07:20:57 -07:00
Tom Eastep	a548bddea8	Remove she-bang from first line of prog.header* Signed-off-by: Tom Eastep <teastep@shorewall.net>	2011-08-03 07:20:34 -07:00