Revert "Remove tools and web"

This reverts commit 966f162c87.
Remove tools and web
2009-08-27 07:08:17 -07:00 · 2009-08-27 07:06:08 -07:00 · 2009-08-26 15:45:04 -07:00 · 2009-08-26 15:29:29 -07:00 · 2009-08-26 12:50:08 -07:00 · 2009-08-26 12:46:53 -07:00
567 changed files with 41933 additions and 43053 deletions
--- a/Samples/Universal/interfaces
+++ b/Samples/Universal/interfaces
@@ -1,12 +0,0 @@
 #
 # Shorewall version 4 - Interfaces File
 #
 # For information about entries in this file, type "man shorewall-interfaces"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 -	lo		-		ignore
 net	all		-		dhcp,physical=+,routeback,optional
--- a/Samples/Universal/policy
+++ b/Samples/Universal/policy
@@ -1,13 +0,0 @@
 #
 # Shorewall version 4 - Policy File
 #
 # For information about entries in this file, type "man shorewall-policy"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
 #SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
 #				LEVEL	BURST		MASK
 $FW	net	ACCEPT
 net	all	DROP
--- a/Samples/Universal/rules
+++ b/Samples/Universal/rules
@@ -1,18 +0,0 @@
 #
 # Shorewall version 4 - Rules File
 #
 # For information on the settings in this file, type "man shorewall-rules"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
 ####################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW
--- a/Samples/Universal/shorewall.conf
+++ b/Samples/Universal/shorewall.conf
@@ -1,216 +0,0 @@
 ###############################################################################
 #
 #  Shorewall Version 4.4 -- /etc/shorewall/shorewall.conf
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
 #  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
 STARTUP_ENABLED=Yes
 ###############################################################################
 #		              V E R B O S I T Y
 ###############################################################################
 VERBOSITY=1
 ###############################################################################
 #		                L O G G I N G
 ###############################################################################
 BLACKLIST_LOGLEVEL=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
 LOGALLNEW=
 LOGFILE=/var/log/messages
 LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
 LOGLIMIT=
 MACLIST_LOG_LEVEL=info
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
 STARTUP_LOG=/var/log/shorewall-init.log
 TCP_FLAGS_LOG_LEVEL=info
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 IPTABLES=
 IP=
 IPSET=
 MODULESDIR=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 RESTOREFILE=restore
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
 TC=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 ACCOUNTING=Yes
 ACCOUNTING_TABLE=filter
 ADD_IP_ALIASES=No
 ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 AUTO_COMMENT=Yes
 AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 CLAMPMSS=No
 CLEAR_TC=Yes
 COMPLETE=Yes
 DISABLE_IPV6=No
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
 EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=Yes
 FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 IP_FORWARDING=On
 KEEP_RT_TABLES=No
 LOAD_HELPERS_ONLY=Yes
 LEGACY_FASTSTART=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX=ko
 MULTICAST=No
 MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
 OPTIMIZE=15
 OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=Yes
 RESTORE_DEFAULT_ROUTE=Yes
 RETAIN_ALIASES=No
 ROUTE_FILTER=No
 SAVE_IPSETS=No
 TC_ENABLED=Internal
 TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
 TRACK_PROVIDERS=Yes
 USE_DEFAULT_RT=No
 WIDE_TC_MARKS=Yes
 ZONE2ZONE=2
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
 ################################################################################
 IPSECFILE=zones
 #LAST LINE -- DO NOT REMOVE
--- a/Samples/Universal/zones
+++ b/Samples/Universal/zones
@@ -1,14 +0,0 @@
 #
 # Shorewall version 4 - Zones File
 #
 # For information about this file, type "man shorewall-zones"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-zones.html
 #
 ###############################################################################
 #ZONE	TYPE		OPTIONS		IN			OUT
 #					OPTIONS			OPTIONS
 fw	firewall
 net	ip
--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
@@ -10,6 +10,10 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 #
 # For additional information, see
 # http://shorewall.net/Documentation.htm#Interfaces
 #
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs
--- a/Samples/one-interface/policy
+++ b/Samples/one-interface/policy
@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 #
 # See http://shorewall.net/Documentation.htm#Policy for additional information.
 #
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
 $FW		net		ACCEPT
--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
@@ -10,13 +10,12 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
 #
 # For more information, see http://www.shorewall.net/Documentation.htm#Zones
 #
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -29,179 +29,167 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################
 BLACKLIST_LOGLEVEL=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
 LOGALLNEW=
 LOGFILE=/var/log/messages
 STARTUP_LOG=
 LOG_VERBOSITY=
 LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
-LOGLIMIT=
+LOGRATE=
 LOGBURST=
 LOGALLNEW=
 BLACKLIST_LOGLEVEL=
 MACLIST_LOG_LEVEL=info
-SFILTER_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
-STARTUP_LOG=/var/log/shorewall-init.log
+LOG_MARTIANS=Yes
 TCP_FLAGS_LOG_LEVEL=info
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 IPTABLES=
 IP=
 TC=
 IPSET=
 MODULESDIR=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 RESTOREFILE=restore
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
-TC=
+MODULESDIR=
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 RESTOREFILE=
 IPSECFILE=zones
 LOCKFILE=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
 QUEUE_DEFAULT="none"
 NFQUEUE_DEFAULT="none"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
-ACCOUNTING=Yes
+IP_FORWARDING=On
-ACCOUNTING_TABLE=filter
+ADD_IP_ALIASES=Yes
 ADD_IP_ALIASES=No
 ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 AUTO_COMMENT=Yes
 AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 CLAMPMSS=No
 CLEAR_TC=Yes
 COMPLETE=No
 DISABLE_IPV6=No
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
 EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 IP_FORWARDING=Off
 KEEP_RT_TABLES=No
 LOAD_HELPERS_ONLY=Yes
 LEGACY_FASTSTART=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX=ko
 MULTICAST=No
 MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
 OPTIMIZE=1
 OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 RESTORE_DEFAULT_ROUTE=Yes
 RETAIN_ALIASES=No
 ROUTE_FILTER=No
 SAVE_IPSETS=No
 TC_ENABLED=Internal
 TC_EXPERT=No
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+CLEAR_TC=Yes
-TRACK_PROVIDERS=Yes
+MARK_IN_FORWARD_CHAIN=No
 CLAMPMSS=No
 ROUTE_FILTER=No
 DETECT_DNAT_IPADDRS=No
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
 DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=
 DISABLE_IPV6=No
 BRIDGING=No
 DYNAMIC_ZONES=No
 PKTTYPE=Yes
 NULL_ROUTE_RFC1918=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 SAVE_IPSETS=No
 MAPOLDACTIONS=No
 FASTACCEPT=No
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 USE_ACTIONS=Yes
 OPTIMIZE=1
 EXPORTPARAMS=No
 EXPAND_POLICIES=Yes
 KEEP_RT_TABLES=No
 DELETE_THEN_ADD=Yes
 MULTICAST=No
 DONT_LOAD=
 AUTO_COMMENT=Yes
 MANGLE_ENABLED=Yes
 USE_DEFAULT_RT=No
-WIDE_TC_MARKS=Yes
+RESTORE_DEFAULT_ROUTE=Yes
-ZONE2ZONE=2
+AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
@@ -211,17 +199,6 @@ BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
 ################################################################################
 IPSECFILE=zones
 #LAST LINE -- DO NOT REMOVE
--- a/Samples/one-interface/zones
+++ b/Samples/one-interface/zones
@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #-----------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
 #
 # For more information, see http://www.shorewall.net/Documentation.htm#Zones
 #
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
--- a/Samples/three-interfaces/interfaces
+++ b/Samples/three-interfaces/interfaces
@@ -10,6 +10,10 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 #
 # For additional information, see
 # http://shorewall.net/Documentation.htm#Interfaces
 #
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians
--- a/Samples/three-interfaces/masq
+++ b/Samples/three-interfaces/masq
@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
 #
 # For additional information, see http://shorewall.net/Documentation.htm#Masq
 #
 ##############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\
--- a/Samples/three-interfaces/policy
+++ b/Samples/three-interfaces/policy
@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 #
 # See http://shorewall.net/Documentation.htm#Policy for additional information.
 #
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
--- a/Samples/three-interfaces/routestopped
+++ b/Samples/three-interfaces/routestopped
@@ -10,6 +10,11 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
 #
 # See http://shorewall.net/Documentation.htm#Routestopped and
 # http://shorewall.net/starting_and_stopping_shorewall.htm for additional
 # information.
 #
 ##############################################################################
 #INTERFACE	HOST(S)
 eth1		-
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -10,17 +10,12 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
 #
 # For additional information, see http://shorewall.net/Documentation.htm#Rules
 #
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 #       Don't allow connection pickup from the net
 #
 Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -3,7 +3,6 @@
 # Shorewall version 4.0 - Sample shorewall.conf for three-interface
 #                         configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -18,6 +17,9 @@
 # http://shorewall.net/manpages/shorewall.conf.html
 #
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
 STARTUP_ENABLED=No
 ###############################################################################
@@ -27,179 +29,167 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################
 BLACKLIST_LOGLEVEL=
 LOG_MARTIANS=Yes
 LOG_VERBOSITY=2
 LOGALLNEW=
 LOGFILE=/var/log/messages
 STARTUP_LOG=
 LOG_VERBOSITY=
 LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
-LOGLIMIT=
+LOGRATE=
 LOGBURST=
 LOGALLNEW=
 BLACKLIST_LOGLEVEL=
 MACLIST_LOG_LEVEL=info
-SFILTER_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
-STARTUP_LOG=/var/log/shorewall-init.log
+LOG_MARTIANS=Yes
 TCP_FLAGS_LOG_LEVEL=info
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 IPTABLES=
 IP=
 TC=
 IPSET=
 MODULESDIR=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 RESTOREFILE=restore
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
-TC=
+MODULESDIR=
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 RESTOREFILE=
 IPSECFILE=zones
 LOCKFILE=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
 QUEUE_DEFAULT="none"
 NFQUEUE_DEFAULT="none"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
-ACCOUNTING=Yes
+IP_FORWARDING=On
-ACCOUNTING_TABLE=filter
+ADD_IP_ALIASES=Yes
 ADD_IP_ALIASES=No
 ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 AUTO_COMMENT=Yes
 AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 CLAMPMSS=Yes
 CLEAR_TC=Yes
 COMPLETE=No
 DISABLE_IPV6=No
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
 EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 IP_FORWARDING=On
 KEEP_RT_TABLES=No
 LOAD_HELPERS_ONLY=Yes
 LEGACY_FASTSTART=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX=ko
 MULTICAST=No
 MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
 OPTIMIZE=1
 OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 RESTORE_DEFAULT_ROUTE=Yes
 RETAIN_ALIASES=No
 ROUTE_FILTER=No
 SAVE_IPSETS=No
 TC_ENABLED=Internal
 TC_EXPERT=No
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+CLEAR_TC=Yes
-TRACK_PROVIDERS=Yes
+MARK_IN_FORWARD_CHAIN=No
 CLAMPMSS=Yes
 ROUTE_FILTER=No
 DETECT_DNAT_IPADDRS=No
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
 DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=
 DISABLE_IPV6=No
 BRIDGING=No
 DYNAMIC_ZONES=No
 PKTTYPE=Yes
 NULL_ROUTE_RFC1918=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 SAVE_IPSETS=No
 MAPOLDACTIONS=No
 FASTACCEPT=No
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 USE_ACTIONS=Yes
 OPTIMIZE=1
 EXPORTPARAMS=No
 EXPAND_POLICIES=Yes
 KEEP_RT_TABLES=No
 DELETE_THEN_ADD=Yes
 MULTICAST=No
 DONT_LOAD=
 AUTO_COMMENT=Yes
 MANGLE_ENABLED=Yes
 USE_DEFAULT_RT=No
-WIDE_TC_MARKS=Yes
+RESTORE_DEFAULT_ROUTE=Yes
-ZONE2ZONE=2
+AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
@@ -209,17 +199,6 @@ BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
 ################################################################################
 IPSECFILE=zones
 #LAST LINE -- DO NOT REMOVE
--- a/Samples/three-interfaces/zones
+++ b/Samples/three-interfaces/zones
@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
 #
 # For more information, see http://www.shorewall.net/Documentation.htm#Zones
 #
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
--- a/Samples/two-interfaces/interfaces
+++ b/Samples/two-interfaces/interfaces
@@ -10,6 +10,10 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 #
 # For additional information, see
 # http://shorewall.net/Documentation.htm#Interfaces
 #
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
--- a/Samples/two-interfaces/masq
+++ b/Samples/two-interfaces/masq
@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
 #
 # For additional information, see http://shorewall.net/Documentation.htm#Masq
 #
 ###############################################################################
 #INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\
--- a/Samples/two-interfaces/policy
+++ b/Samples/two-interfaces/policy
@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-policy"
 #
 # See http://shorewall.net/Documentation.htm#Policy for additional information.
 #
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG LEVEL	LIMIT:BURST
--- a/Samples/two-interfaces/routestopped
+++ b/Samples/two-interfaces/routestopped
@@ -10,6 +10,11 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-routestopped"
 #
 # See http://shorewall.net/Documentation.htm#Routestopped and
 # http://shorewall.net/starting_and_stopping_shorewall.htm for additional
 # information.
 #
 ##############################################################################
 #INTERFACE	HOST(S)                  OPTIONS
 eth1		-
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -10,17 +10,12 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
 #
 # For more information, see http://www.shorewall.net/Documentation.htm#Rules
 #
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 #       Don't allow connection pickup from the net
 #
 Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -3,7 +3,6 @@
 # Shorewall version 4.0 - Sample shorewall.conf for two-interface
 #                         configuration.
 # Copyright (C) 2006,2007 by the Shorewall Team
 #               2011 by Thomas M. Eastep            
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -30,179 +29,174 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
-#		                L O G G I N G
+#                              C O M P I L E R
 #      (setting this to 'perl' requires installation of Shorewall-perl)
 ###############################################################################
-BLACKLIST_LOGLEVEL=
+SHOREWALL_COMPILER=
-LOG_MARTIANS=Yes
+###############################################################################
-
+#			       L O G G I N G
-LOG_VERBOSITY=2
+###############################################################################
 LOGALLNEW=
 LOGFILE=/var/log/messages
 STARTUP_LOG=
 LOG_VERBOSITY=
 LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
-LOGLIMIT=
+LOGRATE=
 LOGBURST=
 LOGALLNEW=
 BLACKLIST_LOGLEVEL=
 MACLIST_LOG_LEVEL=info
-SFILTER_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
-STARTUP_LOG=/var/log/shorewall-init.log
+LOG_MARTIANS=Yes
 TCP_FLAGS_LOG_LEVEL=info
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 IPTABLES=
 IP=
 TC=
 IPSET=
 MODULESDIR=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 RESTOREFILE=restore
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
-TC=
+MODULESDIR=
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 RESTOREFILE=
 IPSECFILE=zones
 LOCKFILE=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
 QUEUE_DEFAULT="none"
 NFQUEUE_DEFAULT="none"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
-ACCOUNTING=Yes
+IP_FORWARDING=On
-ACCOUNTING_TABLE=filter
+ADD_IP_ALIASES=Yes
 ADD_IP_ALIASES=No
 ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 AUTO_COMMENT=Yes
 AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 CLAMPMSS=Yes
 CLEAR_TC=Yes
 COMPLETE=No
 DISABLE_IPV6=No
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
 EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 IP_FORWARDING=On
 KEEP_RT_TABLES=No
 LOAD_HELPERS_ONLY=Yes
 LEGACY_FASTSTART=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX=ko
 MULTICAST=No
 MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
 OPTIMIZE=1
 OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 RESTORE_DEFAULT_ROUTE=Yes
 RETAIN_ALIASES=No
 ROUTE_FILTER=No
 SAVE_IPSETS=No
 TC_ENABLED=Internal
 TC_EXPERT=No
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+CLEAR_TC=Yes
-TRACK_PROVIDERS=Yes
+MARK_IN_FORWARD_CHAIN=No
 CLAMPMSS=Yes
 ROUTE_FILTER=No
 DETECT_DNAT_IPADDRS=No
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
 DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=
 DISABLE_IPV6=No
 BRIDGING=No
 DYNAMIC_ZONES=No
 PKTTYPE=Yes
 NULL_ROUTE_RFC1918=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 SAVE_IPSETS=No
 MAPOLDACTIONS=No
 FASTACCEPT=No
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 USE_ACTIONS=Yes
 OPTIMIZE=1
 EXPORTPARAMS=No
 EXPAND_POLICIES=Yes
 KEEP_RT_TABLES=No
 DELETE_THEN_ADD=Yes
 MULTICAST=No
 DONT_LOAD=
 AUTO_COMMENT=Yes
 MANGLE_ENABLED=Yes
 USE_DEFAULT_RT=No
-WIDE_TC_MARKS=Yes
+RESTORE_DEFAULT_ROUTE=Yes
-ZONE2ZONE=2
+AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
@@ -212,17 +206,6 @@ BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
 ################################################################################
 IPSECFILE=zones
 #LAST LINE -- DO NOT REMOVE
--- a/Samples/two-interfaces/zones
+++ b/Samples/two-interfaces/zones
@@ -10,6 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-zones"
 #
 # For more information, see http://www.shorewall.net/Documentation.htm#Zones
 #
 ###############################################################################
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
--- a/Samples6/Universal/interfaces
+++ b/Samples6/Universal/interfaces
@@ -1,13 +0,0 @@
 #
 # Shorewall version 4 - Interfaces File
 #
 # For information about entries in this file, type "man shorewall-interfaces"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 -	lo		-		ignore
 net	all		-		dhcp,physical=+,routeback
--- a/Samples6/Universal/policy
+++ b/Samples6/Universal/policy
@@ -1,14 +0,0 @@
 #
 # Shorewall version 4 - Policy File
 #
 # For information about entries in this file, type "man shorewall-policy"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-policy.html
 #
 ###############################################################################
 #SOURCE	DEST	POLICY		LOG	LIMIT:		CONNLIMIT:
 #				LEVEL	BURST		MASK
 fw	net	ACCEPT
 net	all	DROP
--- a/Samples6/Universal/rules
+++ b/Samples6/Universal/rules
@@ -1,18 +0,0 @@
 #
 # Shorewall version 4 - Rules File
 #
 # For information on the settings in this file, type "man shorewall-rules"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
 ####################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW
--- a/Samples6/Universal/zones
+++ b/Samples6/Universal/zones
@@ -1,14 +0,0 @@
 #
 # Shorewall version 4 - Zones File
 #
 # For information about this file, type "man shorewall-zones"
 #
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-zones.html
 #
 ###############################################################################
 #ZONE	TYPE		OPTIONS		IN			OUT
 #					OPTIONS			OPTIONS
 fw	firewall
 net	ip
--- a/Samples6/one-interface/rules
+++ b/Samples6/one-interface/rules
@@ -13,10 +13,6 @@
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -1,11 +1,19 @@
 ###############################################################################
 #
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+# Shorewall6 version 4 - Sample shorewall.conf for one-interface configuration.
 # Copyright (C) 2006,2008 by the Shorewall Team
 #
-#  For information about the settings in this file, type "man shorewall6.conf"
+# This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
-#  Manpage also online at
+# See the file README.txt for further details.
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+#
 # For information about the settings in this file, type "man shorewall6.conf"
 #
 # The manpage is also online at 
 # http://shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -22,163 +30,121 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################
-BLACKLIST_LOGLEVEL=
+LOGFILE=/var/log/messages
-LOG_VERBOSITY=2
+STARTUP_LOG=
-LOGALLNEW=
+LOG_VERBOSITY=
 LOGFILE=
 LOGFORMAT="Shorewall:%s:%s:"
 LOGLIMIT=
 LOGTAGONLY=No
-MACLIST_LOG_LEVEL=info
+LOGRATE=
-SFILTER_LOG_LEVEL=info
+LOGBURST=
-SMURF_LOG_LEVEL=info
+LOGALLNEW=
-STARTUP_LOG=/var/log/shorewall6-init.log
+BLACKLIST_LOGLEVEL=
 TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
 IP6TABLES=
 IP=
 IPSET=
 MODULESDIR=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 RESTOREFILE=
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
-TC=
+MODULESDIR=
 CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
 RESTOREFILE=
 LOCKFILE=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
 QUEUE_DEFAULT="none"
 NFQUEUE_DEFAULT="none"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 ACCOUNTING=Yes
 ACCOUNTING_TABLE=filter
 ADMINISABSENTMINDED=Yes
 AUTO_COMMENT=Yes
 AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 CLAMPMSS=No
 CLEAR_TC=Yes
 COMPLETE=No
 DELETE_THEN_ADD=Yes
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
 EXPAND_POLICIES=No
 EXPORTMODULES=Yes
 FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 HIGH_ROUTE_MARKS=No
 IMPLICIT_CONTINUE=No
 IP_FORWARDING=Off
 KEEP_RT_TABLES=Yes
 LEGACY_FASTSTART=No
 LOAD_HELPERS_ONLY=Yes
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX=ko
 MUTEX_TIMEOUT=60
 OPTIMIZE=1
 OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 TC_ENABLED=No
 TC_EXPERT=No
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+CLEAR_TC=Yes
-TRACK_PROVIDERS=Yes
+MARK_IN_FORWARD_CHAIN=No
 CLAMPMSS=No
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
 MODULE_SUFFIX=
 FASTACCEPT=No
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 OPTIMIZE=1
 EXPORTPARAMS=No
 EXPAND_POLICIES=No
 KEEP_RT_TABLES=Yes
 DELETE_THEN_ADD=Yes
 DONT_LOAD=
 AUTO_COMMENT=Yes
 MANGLE_ENABLED=Yes
 AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 ZONE2ZONE=2
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 SFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 #LAST LINE -- DO NOT REMOVE
--- a/Samples6/three-interfaces/interfaces
+++ b/Samples6/three-interfaces/interfaces
@@ -12,6 +12,6 @@
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags,forward=1
+net     eth0            detect          tcpflags
-loc     eth1            detect          tcpflags,forward=1
+loc     eth1            detect          tcpflags
-dmz     eth2            detect		tcpflags,forward=1
+dmz     eth2            detect
--- a/Samples6/three-interfaces/rules
+++ b/Samples6/three-interfaces/rules
@@ -13,14 +13,6 @@
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 #       Don't allow connection pickup from the net
 #
 Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -1,11 +1,19 @@
 ###############################################################################
 #
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+# Shorewall6 version 4 - Sample shorewall.conf for one-interface configuration.
 # Copyright (C) 2006,2008 by the Shorewall Team
 #
-#  For information about the settings in this file, type "man shorewall6.conf"
+# This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
-#  Manpage also online at
+# See the file README.txt for further details.
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+#
 # For information about the settings in this file, type "man shorewall6.conf"
 #
 # The manpage is also online at 
 # http://shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -22,163 +30,121 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################
 BLACKLIST_LOGLEVEL=
 LOG_VERBOSITY=2
 LOGALLNEW=
 LOGFILE=/var/log/messages
 STARTUP_LOG=
 LOG_VERBOSITY=
 LOGFORMAT="Shorewall:%s:%s:"
 LOGLIMIT=
 LOGTAGONLY=No
-MACLIST_LOG_LEVEL=info
+LOGRATE=
-SFILTER_LOG_LEVEL=info
+LOGBURST=
-SMURF_LOG_LEVEL=info
+LOGALLNEW=
-STARTUP_LOG=/var/log/shorewall6-init.log
+BLACKLIST_LOGLEVEL=
 TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
 IP6TABLES=
 IP=
 IPSET=
 MODULESDIR=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 RESTOREFILE=
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
-TC=
+MODULESDIR=
 CONFIG_PATH=/etc/shorewall6/:/usr/share/shorewall6:/usr/share/shorewall
 RESTOREFILE=
 LOCKFILE=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
 QUEUE_DEFAULT="none"
 NFQUEUE_DEFAULT="none"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 ACCOUNTING=Yes
 ACCOUNTING_TABLE=filter
 ADMINISABSENTMINDED=Yes
 AUTO_COMMENT=Yes
 AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 CLAMPMSS=No
 CLEAR_TC=Yes
 COMPLETE=No
 DELETE_THEN_ADD=Yes
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
 EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 HIGH_ROUTE_MARKS=No
 IMPLICIT_CONTINUE=No
 IP_FORWARDING=On
 KEEP_RT_TABLES=Yes
 LEGACY_FASTSTART=No
 LOAD_HELPERS_ONLY=Yes
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX=ko
 MUTEX_TIMEOUT=60
 OPTIMIZE=1
 OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 TC_ENABLED=No
 TC_EXPERT=No
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+CLEAR_TC=Yes
-TRACK_PROVIDERS=Yes
+MARK_IN_FORWARD_CHAIN=No
 CLAMPMSS=No
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
 MODULE_SUFFIX=
 FASTACCEPT=No
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 OPTIMIZE=1
 EXPORTPARAMS=No
 EXPAND_POLICIES=Yes
 KEEP_RT_TABLES=Yes
 DELETE_THEN_ADD=Yes
 DONT_LOAD=
 AUTO_COMMENT=Yes
 MANGLE_ENABLED=Yes
 AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 ZONE2ZONE=2
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 SFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 #LAST LINE -- DO NOT REMOVE
--- a/Samples6/three-interfaces/zones
+++ b/Samples6/three-interfaces/zones
@@ -15,6 +15,6 @@
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
 fw	firewall
-net	ipv6
+net	ipv4
-loc	ipv6
+loc	ipv4
-dmz	ipv6
+dmz	ipv4
--- a/Samples6/two-interfaces/interfaces
+++ b/Samples6/two-interfaces/interfaces
@@ -12,5 +12,5 @@
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags,forward=1
+net     eth0            detect          tcpflags
-loc     eth1            detect          tcpflags,forward=1
+loc     eth1            detect          tcpflags
--- a/Samples6/two-interfaces/rules
+++ b/Samples6/two-interfaces/rules
@@ -13,14 +13,6 @@
 #############################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 #       Don't allow connection pickup from the net
 #
 Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -1,11 +1,19 @@
 ###############################################################################
 #
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+# Shorewall version 3.4 - Sample shorewall.conf for one-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
-#  For information about the settings in this file, type "man shorewall6.conf"
+# This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
-#  Manpage also online at
+# See the file README.txt for further details.
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+#
 # For information about the settings in this file, type "man shorewall6.conf"
 #
 # The manpage is also online at 
 # http://shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -22,163 +30,121 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################
 BLACKLIST_LOGLEVEL=
 LOG_VERBOSITY=2
 LOGALLNEW=
 LOGFILE=/var/log/messages
 STARTUP_LOG=
 LOG_VERBOSITY=
 LOGFORMAT="Shorewall:%s:%s:"
 LOGLIMIT=
 LOGTAGONLY=No
-MACLIST_LOG_LEVEL=info
+LOGRATE=
-SFILTER_LOG_LEVEL=info
+LOGBURST=
-SMURF_LOG_LEVEL=info
+LOGALLNEW=
-STARTUP_LOG=/var/log/shorewall6-init.log
+BLACKLIST_LOGLEVEL=
 TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
 IP6TABLES=
 IP=
 IPSET=
 MODULESDIR=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 RESTOREFILE=
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
-TC=
+MODULESDIR=
 CONFIG_PATH=/etc/shorewall6/:/usr/share/shorewall6:/usr/share/shorewall/
 RESTOREFILE=
 LOCKFILE=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
 QUEUE_DEFAULT="none"
 NFQUEUE_DEFAULT="none"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 ACCOUNTING=Yes
 ACCOUNTING_TABLE=filter
 ADMINISABSENTMINDED=Yes
 AUTO_COMMENT=Yes
 AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 CLAMPMSS=No
 CLEAR_TC=Yes
 COMPLETE=No
 DELETE_THEN_ADD=Yes
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
 EXPAND_POLICIES=No
 EXPORTMODULES=Yes
 FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 HIGH_ROUTE_MARKS=No
 IMPLICIT_CONTINUE=No
 IP_FORWARDING=On
 KEEP_RT_TABLES=Yes
 LEGACY_FASTSTART=No
 LOAD_HELPERS_ONLY=Yes
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX=ko
 MUTEX_TIMEOUT=60
 OPTIMIZE=1
 OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 TC_ENABLED=No
 TC_EXPERT=No
-TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
+CLEAR_TC=Yes
-TRACK_PROVIDERS=Yes
+MARK_IN_FORWARD_CHAIN=No
 CLAMPMSS=No
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
 MODULE_SUFFIX=
 FASTACCEPT=No
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 OPTIMIZE=1
 EXPORTPARAMS=No
 EXPAND_POLICIES=No
 KEEP_RT_TABLES=Yes
 DELETE_THEN_ADD=Yes
 DONT_LOAD=
 AUTO_COMMENT=Yes
 MANGLE_ENABLED=Yes
 AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 ZONE2ZONE=2
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 SFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall-init/README.txt
+++ b/Shorewall-init/README.txt
@@ -1 +0,0 @@
 This is the Shorewall-init stable 4.4 branch of Git.
--- a/Shorewall-init/ifupdown.sh
+++ b/Shorewall-init/ifupdown.sh
@@ -1,196 +0,0 @@
 #!/bin/sh
 #
 # ifupdown script for Shorewall-based products
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 Debian_SuSE_ppp() {
    NEWPRODUCTS=
    INTERFACE="$1"
    case $0 in
 	/etc/ppp/ip-*)
 	    #
 	    # IPv4
 	    #
 	    for product in $PRODUCTS; do
 		case $product in
 		    shorewall|shorewall-lite)
 			NEWPRODUCTS="$NEWPRODUCTS $product";
 			;;
 		esac
 	    done
 	    ;;
 	/etc/ppp/ipv6-*)
 	    #
 	    # IPv6
 	    #
 	    for product in $PRODUCTS; do
 		case $product in
 		    shorewall6|shorewall6-lite)
 			NEWPRODUCTS="$NEWPRODUCTS $product";
 			;;
 		esac
 	    done
 	    ;;
 	*)
 	    exit 0
 	    ;;
    esac
    PRODUCTS="$NEWPRODUCTS"
    case $0 in
 	*up/*)
 	    COMMAND=up
 	    ;;
 	*)
 	    COMMAND=down
 	    ;;
    esac
 }
 IFUPDOWN=0
 PRODUCTS=
 if [ -f /etc/default/shorewall-init ]; then
    . /etc/default/shorewall-init
 elif [ -f /etc/sysconfig/shorewall-init ]; then
    . /etc/sysconfig/shorewall-init
 fi
 [ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
 if [ -f /etc/debian_version ]; then
    case $0 in
 	/etc/ppp*)
 	    #
 	    # Debian ppp
 	    #
 	    Debian_SuSE_ppp
 	    ;;
 	*)
            #
            # Debian ifupdown system
            #
 	    INTERFACE="$IFACE"
 	    if [ "$MODE" = start ]; then
 		COMMAND=up
 	    elif [ "$MODE" = stop ]; then
 		COMMAND=down
 	    else
 		exit 0
 	    fi
 	    case "$PHASE" in
 		pre-*)
 		    exit 0
 		    ;;
 	    esac
 	    ;;
    esac
 elif [ -f /etc/SuSE-release ]; then
    case $0 in
 	/etc/ppp*)
 	    #
 	    # SUSE ppp
 	    #
 	    Debian_SuSE_ppp
 	    ;;
 	*)
            #
            # SuSE ifupdown system
            #
 	    INTERFACE="$2"
 	    case $0 in
 		*if-up.d*)
 		    COMMAND=up
 		    ;;
 		*if-down.d*)
 		    COMMAND=down
 		    ;;
 		*)
 		    exit 0
 		    ;;
 	    esac
 	    ;;
    esac
 else
    #
    # Assume RedHat/Fedora/CentOS/Foobar/...
    #
    case $0 in
 	/etc/ppp*)
 	    INTERFACE="$1"
 	    case $0 in
 		*ip-up.local)
 		    COMMAND=up
 		    ;;
 		*ip-down.local)
 		    COMMAND=down
 		    ;;
 		*)
 		    exit 0
 		    ;;
 	    esac
 	    ;;
 	*)
 	    #
 	    # RedHat ifup/down system
 	    #
 	    INTERFACE="$1"
 	    case $0 in 
 		*ifup*)
 		    COMMAND=up
 		    ;;
 		*ifdown*)
 		    COMMAND=down
 		    ;;
 		*dispatcher.d*)
 		    COMMAND="$2"
 		    ;;
 		*)
 		    exit 0
 		    ;;
 	    esac
 	    ;;
    esac
 fi
 for PRODUCT in $PRODUCTS; do
    VARDIR=/var/lib/$PRODUCT
    [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
    if [ -x $VARDIR/firewall ]; then
 	  ( . /usr/share/$PRODUCT/lib.base
 	    mutex_on
 	    ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
 	    mutex_off
 	  )
    fi
 done
 exit 0
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -1,146 +0,0 @@
 #!/bin/sh
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
 #       Complete documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 ### BEGIN INIT INFO
 # Provides:          shorewall-init
 # Required-Start:    $local_fs
 # X-Start-Before:    $network
 # Required-Stop:     $local_fs
 # X-Stop-After:      $network
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time prior to
 #                    bringing up the network
 ### END INIT INFO
 export VERBOSITY=0
 if [ "$(id -u)" != "0" ]
 then
  echo "You must be root to start, stop or restart \"Shorewall \"."
  exit 1
 fi
 echo_notdone () {
  echo "not done."
  exit 1
 }
 not_configured () {
 	echo "#### WARNING ####"
 	echo "the firewall won't be initialized unless it is configured"
 	if [ "$1" != "stop" ]
 	then
 		echo ""
 		echo "Please read about Debian specific customization in"
 		echo "/usr/share/doc/shorewall-init/README.Debian.gz."
 	fi
 	echo "#################"
 	exit 0
 }
 # check if shorewall-init is configured or not
 if [ -f "/etc/default/shorewall-init" ]
 then
 	. /etc/default/shorewall-init
 	if [ -z "$PRODUCTS" ]
 	then
 		not_configured
 	fi
 else
 	not_configured
 fi
 # Initialize the firewall
 shorewall_start () {
  local product
  local VARDIR
  echo -n "Initializing \"Shorewall-based firewalls\": "
  for product in $PRODUCTS; do
      VARDIR=/var/lib/$product
      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
      if [ -x ${VARDIR}/firewall ]; then
 	  #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
 	      . /usr/share/$product/lib.base
 	      #
 	      # Get mutex so the firewall state is stable
 	      #
 	      mutex_on
 	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
 		  ${VARDIR}/firewall stop || echo_notdone
 	      fi
 	      mutex_off
 	  )
      fi
  done
  echo "done."
  return 0
 }
 # Clear the firewall
 shorewall_stop () {
  local product
  local VARDIR
  echo -n "Clearing \"Shorewall-based firewalls\": "
  for product in $PRODUCTS; do
      VARDIR=/var/lib/$product
      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
      if [ -x ${VARDIR}/firewall ]; then
 	  ( . /usr/share/$product/lib.base
 	    mutex_on
 	    ${VARDIR}/firewall clear || echo_notdone
 	    mutex_off
 	  )
      fi
  done
  echo "done."
  return 0
 }
 case "$1" in
  start)
     shorewall_start
     ;;
  stop)
     shorewall_stop
     ;;
  reload|force-reload)
     ;;
  *)
     echo "Usage: /etc/init.d/shorewall-init {start|stop|reload|force-reload}"
     exit 1
 esac
 exit 0
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -1,121 +0,0 @@
 #! /bin/bash
 #
 # chkconfig: - 09 91
 # description: Initialize the shorewall firewall at boot time
 #
 ### BEGIN INIT INFO
 # Provides: shorewall-init
 # Required-Start: $local_fs
 # Required-Stop:  $local_fs
 # Default-Start:
 # Default-Stop:	  0 1 2 3 4 5 6
 # Short-Description: Initialize the shorewall firewall at boot time
 # Description:       Place the firewall in a safe state at boot time
 #                    prior to bringing up the network.  
 ### END INIT INFO
 prog="shorewall-init"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/shorewall-init"
 # Source function library.
 . /etc/rc.d/init.d/functions
 # Get startup options (override default)
 OPTIONS=
 # check if shorewall-init is configured or not
 if [ -f "/etc/sysconfig/shorewall-init" ]; then
    . /etc/sysconfig/shorewall-init
 else
    echo "/etc/sysconfig/shorewall-init not found"
    exit 6
 fi
 # Initialize the firewall
 start () {
    local product
    local vardir
    if [ -z "$PRODUCTS" ]; then
 	echo "No firewalls configured for shorewall-init"
 	failure
 	return 6 #Not configured
    fi
    echo -n "Initializing \"Shorewall-based firewalls\": "
    for product in $PRODUCTS; do
 	vardir=/var/lib/$product
 	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
 	if [ -x ${vardir}/firewall ]; then
 	    ${vardir}/firewall stop 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
 	    [ retval -ne 0 ] && break
 	fi
    done
    if [ retval -eq 0 ]; then
 	touch $lockfile 
 	success
    else
 	failure
    fi
    echo
    return $retval
 }
 # Clear the firewall
 stop () {
    local product
    local vardir
    echo -n "Clearing \"Shorewall-based firewalls\": "
    for product in $PRODUCTS; do
 	vardir=/var/lib/$product
 	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
 	if [ -x ${vardir}/firewall ]; then
 	    ${vardir}/firewall clear 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
 	    [ retval -ne 0 ] && break
 	fi
    done
    if [ retval -eq 0 ]; then
 	rm -f $lockfile
 	success
    else
 	failure
    fi
    echo
    return $retval
 }
 status_q() {
    status > /dev/null 2>&1
 }
 case "$1" in
    start)
 	status_q && exit 0
 	$1
 	;;
    stop)
 	status_q || exit 0
 	$1
 	;;
    restart|reload|force-reload)
 	echo "Not implemented"
 	exit 3
 	;;
    condrestart|try-restart)
 	echo "Not implemented"
 	exit 3
        ;;
    status)
 	status $prog
 	;;
  *)
 	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
 	exit 1
 esac
 exit 0
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -1,115 +0,0 @@
 #! /bin/bash
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
 #       Complete documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # chkconfig: - 09 91
 #
 ### BEGIN INIT INFO
 # Provides: shorewall-init
 # Required-start: $local_fs
 # Required-stop:  $local_fs
 # Default-Start:  2 3 5
 # Default-Stop:   6
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time
 #                    prior to bringing up the network.  
 ### END INIT INFO
 if [ "$(id -u)" != "0" ]
 then
  echo "You must be root to start, stop or restart \"Shorewall \"."
  exit 1
 fi
 # check if shorewall-init is configured or not
 if [ -f "/etc/sysconfig/shorewall-init" ]
 then
 	. /etc/sysconfig/shorewall-init
 	if [ -z "$PRODUCTS" ]
 	then
 		exit 0
 	fi
 else
 	exit 0
 fi
 # Initialize the firewall
 shorewall_start () {
  local PRODUCT
  local VARDIR
  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      VARDIR=/var/lib/$PRODUCT
      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
      if [ -x ${VARDIR}/firewall ]; then
 	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
 	      ${VARDIR}/firewall stop || echo_notdone
 	  fi
      fi
  done
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      ipset -R < "$SAVE_IPSETS"
  fi
  return 0
 }
 # Clear the firewall
 shorewall_stop () {
  local PRODUCT
  local VARDIR
  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      VARDIR=/var/lib/$PRODUCT
      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
      if [ -x ${VARDIR}/firewall ]; then
 	  ${VARDIR}/firewall clear || exit 1
      fi
  done
  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
 	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      fi
  fi
  return 0
 }
 case "$1" in
  start)
     shorewall_start
     ;;
  stop)
     shorewall_stop
     ;;
  *)
     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
     exit 1
 esac
 exit 0
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -1,391 +0,0 @@
 #!/bin/sh
 #
 # Script to install Shoreline Firewall Init
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 VERSION=xxx #The Build script inserts the actual version.
 usage() # $1 = exit status
 {
    ME=$(basename $0)
    echo "usage: $ME"
    echo "       $ME -v"
    echo "       $ME -h"
    exit $1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    echo $dir/$1
 	    return 0
 	fi
    done
    return 2
 }
 run_install()
 {
    if ! install $*; then
 	echo
 	echo "ERROR: Failed to install $*" >&2
 	exit 1
    fi
 }
 cant_autostart()
 {
    echo
    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
 }
 delete_file() # $1 = file to delete
 {
    rm -f $1
 }
 install_file() # $1 = source $2 = target $3 = mode
 {
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
 if [ -z "$DEST" ] ; then
 	DEST="/etc/init.d"
 fi
 if [ -z "$INIT" ] ; then
 	INIT="shorewall-init"
 fi
 while [ $# -gt 0 ] ; do
    case "$1" in
 	-h|help|?)
 	    usage 0
 	    ;;
        -v)
 	    echo "Shorewall Init Installer Version $VERSION"
 	    exit 0
 	    ;;
 	*)
 	    usage 1
 	    ;;
    esac
    shift
    ARGS="yes"
 done
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 [ -n "${LIBEXEC:=/usr/share}" ]
 case "$LIBEXEC" in
    /*)
 	;;
    *)
 	LIBEXEC=/usr/${LIBEXEC}
 	;;
 esac
 #
 # Determine where to install the firewall script
 #
 case $(uname) in
    Darwin)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
 	T=
 	;;	
    *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
 	;;
 esac
 OWNERSHIP="-o $OWNER -g $GROUP"
 if [ -n "$DESTDIR" ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
    fi
    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
 elif [ -f /etc/debian_version ]; then
    DEBIAN=yes
 elif [ -f /etc/SuSE-release ]; then
    SUSE=Yes
 elif [ -f /etc/redhat-release ]; then
    FEDORA=Yes
 elif [ -f /etc/slackware-version ] ; then
    echo "Shorewall-init is currently not supported on Slackware" >&2
    exit 1
 #   DEST="/etc/rc.d"
 #   INIT="rc.firewall"
 elif [ -f /etc/arch-release ] ; then
    echo "Shorewall-init is currently not supported on Arch Linux" >&2
    exit 1
 #   DEST="/etc/rc.d"
 #   INIT="shorewall-init"
 #   ARCHLINUX=yes
 elif [ -d /etc/sysconfig/network-scripts/ ]; then
    #
    # Assume RedHat-based
    #
    REDHAT=Yes
 else
    echo "Unknown distribution: Shorewall-init support is not available" >&2
    exit 1
 fi
 if [ -z "$DESTDIR" ]; then
    if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
    fi
 elif [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}/lib/systemd/system
 fi
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 echo "Installing Shorewall Init Version $VERSION"
 #
 # Check for /usr/share/shorewall-init/version
 #
 if [ -f ${DESTDIR}/usr/share/shorewall-init/version ]; then
    first_install=""
 else
    first_install="Yes"
 fi
 #
 # Install the Init Script
 #
 if [ -n "$DEBIAN" ]; then
    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
 elif [ -n "$FEDORA" ]; then
    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
 #elif [ -n "$ARCHLINUX" ]; then
 #    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
 else
    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
 fi
 echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
 fi
 #
 # Create /usr/share/shorewall-init if needed
 #
 mkdir -p ${DESTDIR}/usr/share/shorewall-init
 chmod 755 ${DESTDIR}/usr/share/shorewall-init
 #
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
 chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
    rm -f /usr/share/shorewall-init/init
    ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
 fi
 if [ -n "$DEBIAN" ]; then
    if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
 	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
    fi
    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
 	    mkdir ${DESTDIR}/etc/default
 	fi
 	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
    fi
 else
    if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}/etc/sysconfig
 	if [ -z "$RPM" ]; then
 	    if [ -n "$SUSE" ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
 	    else
 		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
 	    fi
 	fi
    fi
    if [ -d ${DESTDIR}/etc/sysconfig -a ! -f ${DESTDIR}/etc/sysconfig/shorewall-init ]; then
 	install_file sysconfig ${DESTDIR}/etc/sysconfig/shorewall-init 0644
    fi 
 fi
 #
 # Install the ifupdown script
 #
 mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-init
 install_file ifupdown.sh ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown 0544
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
 fi
 if [ -n "$DEBIAN" ]; then
    install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
    install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
 elif [ -n "$SUSE" ]; then
    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
 elif [ -n "$REDHAT" ]; then
    if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
 	echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
    else
 	install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
 	install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
    fi
 fi
 if [ -z "$DESTDIR" ]; then
    if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    update-rc.d shorewall-init defaults
 	    echo "Shorewall Init will start automatically at boot"
 	else
 	    if [ -n "$SYSTEMD" ]; then
 		if systemctl enable shorewall-init; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if insserv /etc/init.d/shorewall-init ; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 		if chkconfig --add shorewall-init ; then
 		    echo "Shorewall Init will start automatically in run levels as follows:"
 		    chkconfig --list shorewall-init
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/rc-update ]; then
 		if rc-update add shorewall-init default; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
 	fi
    fi
 else
    if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
 	    ln -sf ../init.d/shorewall-init ${DESTDIR}/etc/rcS.d/S38shorewall-init
 	    echo "Shorewall Init will start automatically at boot"
 	fi
    fi
 fi
 if [ -f ${DESTDIR}/etc/ppp ]; then
    if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then
 	for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
 	    mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
 	    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
 	done
    elif [ -n "$REDHAT" ]; then
 	#
 	# Must use the dreaded ip_xxx.local file
 	#
 	for file in ip-up.local ip-down.local; do
 	    FILE=${DESTDIR}/etc/ppp/$file
 	    if [ -f $FILE ]; then
 		if fgrep -q Shorewall-based $FILE ; then
 		    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
 		else
 		    echo "$FILE already exists -- ppp devices will not be handled"
 		    break
 		fi
 	    else
 		cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
 	    fi
 	done
    fi
 fi
 #
 #  Report Success
 #
 echo "shorewall Init Version $VERSION Installed"
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -1,21 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
 #
 #     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
 #
 [Unit]
 Description=Shorewall IPv4 firewall
 After=syslog.target
 Before=network.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-init $OPTIONS start
 ExecReload=/sbin/shorewall-init $OPTIONS restart
 ExecStop=/sbin/shorewall-init $OPTIONS stop
 [Install]
 WantedBy=multi-user.target
--- a/Shorewall-init/sysconfig
+++ b/Shorewall-init/sysconfig
@@ -1,18 +0,0 @@
 # List the Shorewall products that Shorewall-init is to
 # initialize (space-separated list).
 #
 # Sample: PRODUCTS="shorewall shorewall6"
 #
 PRODUCTS=""
 #
 # Set this to 1 if you want Shorewall-init to react to 
 # ifup/ifdown and NetworkManager events
 #
 IFUPDOWN=0
 #
 # Set this to the name of the file that is to hold
 # ipset contents. Shorewall-init will load those ipsets
 # during 'start' and will save them there during 'stop'.
 #
 SAVE_IPSETS=""
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,117 +0,0 @@
 \#!/bin/sh
 #
 # Script to back uninstall Shoreline Firewall
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #    Usage:
 #
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 VERSION=xxx  #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
    echo "usage: $ME"
    exit $1
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 remove_file() # $1 = file to restore
 {
    if [ -f $1 -o -L $1 ] ; then
 	rm -f $1
 	echo "$1 Removed"
    fi
 }
 if [ -f /usr/share/shorewall-init/version ]; then
    INSTALLED_VERSION="$(cat /usr/share/shorewall-init/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
    echo "WARNING: Shorewall Init Version $VERSION is not installed"
    VERSION=""
 fi
 [ -n "${LIBEXEC:=/usr/share}" ]
 echo "Uninstalling Shorewall Init $VERSION"
 INITSCRIPT=/etc/init.d/shorewall-init
 if [ -n "$INITSCRIPT" ]; then
    if [ -x /usr/sbin/updaterc.d ]; then
 	updaterc.d shorewall-init remove
    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
        insserv -r $INITSCRIPT
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $INITSCRIPT)
    elif [ -x /sbin/systemctl ]; then
 	systemctl disable shorewall-init
    else
 	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
    fi
    remove_file $INITSCRIPT
 fi
 [ "$(readlink -m -q /sbin/ifup-local)"   = /usr/share/shorewall-init ] && remove_file /sbin/ifup-local
 [ "$(readlink -m -q /sbin/ifdown-local)" = /usr/share/shorewall-init ] && remove_file /sbin/ifdown-local
 remove_file /etc/default/shorewall-init
 remove_file /etc/sysconfig/shorewall-init
 remove_file /etc/NetworkManager/dispatcher.d/01-shorewall
 remove_file /etc/network/if-up.d/shorewall
 remove_file /etc/network/if-down.d/shorewall
 remove_file /etc/sysconfig/network/if-up.d/shorewall
 remove_file /etc/sysconfig/network/if-down.d/shorewall
 remove_file /lib/systemd/system/shorewall.service
 if [ -d /etc/ppp ]; then
    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
 	remove_file /etc/ppp/$directory/shorewall
    done
    for file in if-up.local if-down.local; do
 	if fgrep -q Shorewall-based /etc/ppp/$FILE; then
 	    remove_file /etc/ppp/$FILE
 	fi
    done
 fi
 rm -rf /usr/share/shorewall-init
 rm -rf ${LIBEXEC}/shorewall-init
 echo "Shorewall Init Uninstalled"
--- a/Shorewall-lite/COPYING
+++ b/Shorewall-lite/COPYING
@@ -2,8 +2,7 @@
 		       Version 2, June 1991
 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                          51 Franklin Street, Fifth Floor,
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 			  Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
--- a/Shorewall-lite/README.txt
+++ b/Shorewall-lite/README.txt
@@ -1 +1 @@
-This is the Shorewall-lite stable 4.4 branch of Git.
+This is the Shorewall-lite development 4.3 branch of SVN.
--- a/Shorewall-lite/default.debian
+++ b/Shorewall-lite/default.debian
@@ -21,16 +21,4 @@ startup=0
 OPTIONS=""
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
 INITLOG=/dev/null
 #
 # Set this to 1 to cause '/etc/init.d/shorewall-lite stop' to place the firewall in
 # a safe state rather than to open it
 #
 SAFESTOP=0
 # EOF
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@@ -0,0 +1,104 @@
 #!/bin/sh
 #
 # Script to back out the installation of Shorewall Lite and to restore the previous version of
 # the program
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #    Usage:
 #
 #       You may only use this script to back out the installation of the version
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.
 VERSION=4.4.0.1
 usage() # $1 = exit status
 {
    echo "usage: $(basename $0)"
    exit $1
 }
 restore_directory() # $1 = directory to restore
 {
    if [ -d ${1}-${VERSION}.bkout ]; then
 	if mv -f $1 ${1}-${VERSION} && mv ${1}-${VERSION}.bkout $1; then
 	    echo
 	    echo "$1 restored"
 	    rm -rf ${1}-${VERSION}
 	else
 	    echo "ERROR: Could not restore $1"
 	    exit 1
 	fi
    fi
 }
 restore_file() # $1 = file to restore, $2 = (Optional) Directory to restore from
 {
    if [ -n "$2" ]; then
 	local file
 	file=$(basename $1)
 	if [ -f $2/$file ]; then
 	    if mv -f $2/$file $1 ; then
 		echo
 		echo "$1 restored"
 		return
 	    fi
 	    echo "ERROR: Could not restore $1"
 	    exit 1
        fi
    fi
    if [ -f ${1}-${VERSION}.bkout -o -L ${1}-${VERSION}.bkout ]; then
 	if (mv -f ${1}-${VERSION}.bkout $1); then
 	    echo
 	    echo "$1 restored"
        else
 	    echo "ERROR: Could not restore $1"
 	    exit 1
        fi
    fi
 }
 if [ ! -f /usr/share/shorewall-lite-${VERSION}.bkout/version ]; then
    echo "Shorewall Version $VERSION is not installed"
    exit 1
 fi
 echo "Backing Out Installation of Shorewall $VERSION"
 if [ -L /usr/share/shorewall-lite/init ]; then
    FIREWALL=$(ls -l /usr/share/shorewall-lite/init | sed 's/^.*> //')
    restore_file $FIREWALL /usr/share/shorewall-lite-${VERSION}.bkout
 else
    restore_file /etc/init.d/shorewall /usr/share/shorewall-lite-${VERSION}.bkout
 fi
 restore_file /sbin/shorewall /var/lib/shorewall-lite-${VERSION}.bkout
 restore_directory /etc/shorewall-lite
 restore_directory /usr/share/shorewall-lite
 restore_directory /var/lib/shorewall-lite
 echo "Shorewall Lite Restored to Version $(cat /usr/share/shorewall-lite/version)"
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -2,8 +2,8 @@
 ### BEGIN INIT INFO
 # Provides:          shorewall-lite
-# Required-Start:    $network $remote_fs
+# Required-Start:    $network
-# Required-Stop:     $network $remote_fs
+# Required-Stop:     $network
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -15,14 +15,17 @@
 SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
-test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
+# Note, set INITLOG to /dev/null if you do not want to
 # keep logs of the firewall (not recommended)
 INITLOG=/var/log/shorewall-lite-init.log
-[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
+[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 export SHOREWALL_INIT_SCRIPT
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
-test -n "$INITLOG" || {
+test -n $INITLOG || {
 	echo "INITLOG cannot be empty, please configure $0" ; 
 	exit 1;
 }
@@ -41,7 +44,6 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
  fi
  exit 1
 }
 not_configured () {
@@ -87,11 +89,7 @@ shorewall_start () {
 # stop the firewall
 shorewall_stop () {
  echo -n "Stopping \"Shorewall firewall\": "
-  if [ "$SAFESTOP" = 1 ]; then
+  $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
      $SRWL $SRWL_OPTS stop >> $INITLOG 2>&1 && echo "done." || echo_notdone
  else
      $SRWL $SRWL_OPTS clear >> $INITLOG 2>&1 && echo "done." || echo_notdone
  fi
  return 0
 }
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -1,112 +0,0 @@
 #!/bin/sh
 #
 # Shorewall init script
 #
 # chkconfig: - 28 90
 # description: Packet filtering firewall
 ### BEGIN INIT INFO
 # Provides: shorewall-lite
 # Required-Start: $local_fs $remote_fs $syslog $network
 # Should-Start: VMware $time $named
 # Required-Stop:
 # Default-Start:
 # Default-Stop:	  0 1 2 3 4 5 6
 # Short-Description: Packet filtering firewall
 # Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
 #              Netfilter (iptables) based firewall
 ### END INIT INFO
 # Source function library.
 . /etc/rc.d/init.d/functions
 prog="shorewall-lite"
 shorewall="/sbin/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
 # Get startup options (override default)
 OPTIONS=
 if [ -f /etc/sysconfig/$prog ]; then
    . /etc/sysconfig/$prog
 fi
 start() {
    echo -n $"Starting Shorewall: "
    $shorewall $OPTIONS start 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then 
 	touch $lockfile
 	success
    else 
 	failure
    fi
    echo
    return $retval
 }
 stop() {
    echo -n $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then 
 	rm -f $lockfile
 	success
    else 
 	failure
    fi
    echo
    return $retval
 }
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
    $shorewall $OPTIONS restart 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then 
 	touch $lockfile
 	success
    else # Failed to start, clean up lock file if present
 	rm -f $lockfile
 	failure
    fi
    echo
    return $retval
 }
 status(){
    $shorewall status
    return $?
 }
 status_q() {
    status > /dev/null 2>&1
 }
 case "$1" in
    start)
 	status_q && exit 0
 	$1
 	;;
    stop)
 	status_q || exit 0
 	$1
 	;;
    restart|reload|force-reload)
 	restart
 	;;
    condrestart|try-restart)
        status_q || exit 0
        restart
        ;;
    status)
 	$1
 	;;
    *)
 	echo "Usage: $0 start|stop|reload|restart|force-reload|status"
 	exit 1
 	;;
 esac
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=xxx #The Build script inserts the actual version
+VERSION=4.4.0.1
 usage() # $1 = exit status
 {
@@ -82,16 +82,15 @@ delete_file() # $1 = file to delete
 install_file() # $1 = source $2 = target $3 = mode
 {
-    run_install $T $OWNERSHIP -m $3 $1 ${2}
+    run_install $OWNERSHIP -m $3 $1 ${2}
 }
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
 # RUNLEVELS is the chkconfig parmeters for firewall
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
@@ -104,6 +103,10 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall-lite"
 fi
 if [ -z "$RUNLEVELS" ] ; then
 	RUNLEVELS=""
 fi
 while [ $# -gt 0 ] ; do
    case "$1" in
 	-h|help|?)
@@ -123,26 +126,15 @@ done
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 [ -n "${LIBEXEC:=/usr/share}" ]
 case "$LIBEXEC" in
    /*)
 	;;
    *)
 	LIBEXEC=/usr/${LIBEXEC}
 	;;
 esac
 #
 # Determine where to install the firewall script
 #
 DEBIAN=
 CYGWIN=
 INSTALLD='-D'
 T='-T'
 case $(uname) in
    CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
+	if [ -z "$PREFIX" ]; then
 	    DEST=
 	    INIT=
 	fi
@@ -150,10 +142,6 @@ case $(uname) in
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
    Darwin)
 	INSTALLD=
 	T=
 	;;	   
    *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -162,18 +150,16 @@ esac
 OWNERSHIP="-o $OWNER -g $GROUP"
-if [ -n "$DESTDIR" ]; then
+if [ -n "$PREFIX" ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
    fi
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
+    install -d $OWNERSHIP -m 755 ${PREFIX}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+    install -d $OWNERSHIP -m 755 ${PREFIX}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
    DEBIAN=yes
 elif [ -f /etc/redhat-release ]; then
    FEDORA=yes
 elif [ -f /etc/slackware-version ] ; then
    DEST="/etc/rc.d"
    INIT="rc.firewall"
@@ -183,14 +169,6 @@ elif [ -f /etc/arch-release ] ; then
      ARCHLINUX=yes
 fi
 if [ -z "$DESTDIR" ]; then
    if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
    fi
 elif [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}/lib/systemd/system
 fi
 #
 # Change to the directory containing this script
 #
@@ -201,238 +179,173 @@ echo "Installing Shorewall Lite Version $VERSION"
 #
 # Check for /etc/shorewall-lite
 #
-if [ -z "$DESTDIR" -a -d /etc/shorewall-lite ]; then
+if [ -z "$PREFIX" -a -d /etc/shorewall-lite ]; then
    first_install=""
    [ -f /etc/shorewall-lite/shorewall.conf ] && \
 	mv -f /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall-lite.conf
 else
    rm -rf ${DESTDIR}/etc/shorewall-lite
    rm -rf ${DESTDIR}/usr/share/shorewall-lite
    rm -rf ${DESTDIR}/var/lib/shorewall-lite
    [ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall-lite/shorecap /usr/share/shorecap
 fi
 #
 # Check for /sbin/shorewall-lite
 #
 if [ -f ${DESTDIR}/sbin/shorewall-lite ]; then
    first_install=""
 else
    first_install="Yes"
    rm -rf ${PREFIX}/etc/shorewall-lite
    rm -rf ${PREFIX}/usr/share/shorewall-lite
    rm -rf ${PREFIX}/var/lib/shorewall-lite
 fi
-delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
+delete_file ${PREFIX}/usr/share/shorewall-lite/xmodules
-install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
+install_file shorewall-lite ${PREFIX}/sbin/shorewall-lite 0544 ${PREFIX}/var/lib/shorewall-lite-${VERSION}.bkout
-eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall-lite
+echo "Shorewall Lite control program installed in ${PREFIX}/sbin/shorewall-lite"
 echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
+    install_file init.debian.sh /etc/init.d/shorewall-lite 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 elif [ -n "$FEDORA" ]; then
    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
+    install_file init.archlinux.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 else
-    install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
+    install_file init.sh ${PREFIX}${DEST}/$INIT 0544 ${PREFIX}/usr/share/shorewall-lite-${VERSION}.bkout
 fi
-echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
+echo  "Shorewall Lite script installed in ${PREFIX}${DEST}/$INIT"
 #
 # Create /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall-lite
+mkdir -p ${PREFIX}/etc/shorewall-lite
-mkdir -p ${DESTDIR}/usr/share/shorewall-lite
+mkdir -p ${PREFIX}/usr/share/shorewall-lite
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-lite
+mkdir -p ${PREFIX}/var/lib/shorewall-lite
 mkdir -p ${DESTDIR}/var/lib/shorewall-lite
-chmod 755 ${DESTDIR}/etc/shorewall-lite
+chmod 755 ${PREFIX}/etc/shorewall-lite
-chmod 755 ${DESTDIR}/usr/share/shorewall-lite
+chmod 755 ${PREFIX}/usr/share/shorewall-lite
 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}/etc/logrotate.d
    chmod 755 ${DESTDIR}/etc/logrotate.d
 fi
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
    run_install $OWNERSHIP -m 600 shorewall-lite.service ${DESTDIR}/lib/systemd/system/shorewall-lite.service
    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-lite.service"
 fi
 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf ]; then
+if [ ! -f ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf ]; then
-   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${DESTDIR}/etc/shorewall-lite
+   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf
-   echo "Config file installed as ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf"
+   echo "Config file installed as ${PREFIX}/etc/shorewall-lite/shorewall-lite.conf"
 fi
 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${PREFIX}/etc/shorewall-lite/shorewall.conf
 fi
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall-lite
+run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall-lite/Makefile
-echo "Makefile installed as ${DESTDIR}/etc/shorewall-lite/Makefile"
+echo "Makefile installed as ${PREFIX}/etc/shorewall-lite/Makefile"
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall-lite/configpath 0644
+install_file configpath ${PREFIX}/usr/share/shorewall-lite/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall-lite/configpath"
+echo "Default config path file installed as ${PREFIX}/usr/share/shorewall-lite/configpath"
 #
 # Install the libraries
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall-lite/$f 0644
+	install_file $f ${PREFIX}/usr/share/shorewall-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
+	echo "Library ${f#*.} file installed as ${PREFIX}/usr/share/shorewall-lite/$f"
    fi
 done
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall-lite/functions
+ln -sf lib.base ${PREFIX}/usr/share/shorewall-lite/functions
-echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functions"
+echo "Common functions linked through ${PREFIX}/usr/share/shorewall-lite/functions"
 #
 # Install Shorecap
 #
-install_file shorecap ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap 0755
+install_file shorecap ${PREFIX}/usr/share/shorewall-lite/shorecap 0755
 echo
-echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap"
+echo "Capability file builder installed in ${PREFIX}/usr/share/shorewall-lite/shorecap"
 #
 # Install wait4ifup
 #
-if [ -f wait4ifup ]; then
+install_file wait4ifup ${PREFIX}/usr/share/shorewall-lite/wait4ifup 0755
    install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup 0755
-    echo
+echo
-    echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup"
+echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall-lite/wait4ifup"
 fi
 #
-# Install the Modules files
+# Install the Modules file
 #
-
+run_install $OWNERSHIP -m 0600 modules ${PREFIX}/usr/share/shorewall-lite/modules
-if [ -f modules ]; then
+echo "Modules file installed as ${PREFIX}/usr/share/shorewall-lite/modules"
    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall-lite
    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
 fi
 if [ -f helpers ]; then
    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/shorewall-lite
    echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall-lite/helpers"
 fi
 for f in modules.*; do
    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/shorewall-lite/$f
    echo "Module file $f installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
 done
 #
 # Install the Man Pages
 #
-if [ -d manpages ]; then
+cd manpages
    cd manpages
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
+for f in *.5; do
    gzip -c $f > $f.gz
    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man5/$f.gz
    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man5/$f.gz"
 done
-    for f in *.5; do
+for f in *.8; do
-	gzip -c $f > $f.gz
+    gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
+    run_install -D -m 644 $f.gz ${PREFIX}/usr/share/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
+    echo "Man page $f.gz installed to ${PREFIX}/usr/share/man/man8/$f.gz"
-    done
+done
-    for f in *.8; do
+cd ..
 	gzip -c $f > $f.gz
 	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
 	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
    done
    cd ..
    echo "Man Pages Installed"
 fi
 if [ -d ${DESTDIR}/etc/logrotate.d ]; then
    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall-lite
    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall-lite"
 fi
 echo "Man Pages Installed"
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-lite/version
+echo "$VERSION" > ${PREFIX}/usr/share/shorewall-lite/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-lite/version
+chmod 644 ${PREFIX}/usr/share/shorewall-lite/version
 #
 # Remove and create the symbolic link to the init script
 #
-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" ]; then
    rm -f /usr/share/shorewall-lite/init
    ln -s ${DEST}/${INIT} /usr/share/shorewall-lite/init
 fi
-if [ -z "$DESTDIR" ]; then
+if [ -z "$PREFIX" -a -n "$first_install" ]; then
-    touch /var/log/shorewall-lite-init.log
+    if [ -n "$DEBIAN" ]; then
-
+	run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
-    if [ -n "$first_install" ]; then
+	ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
-	if [ -n "$DEBIAN" ]; then
+	echo "Shorewall Lite will start automatically at boot"
-	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
+	touch /var/log/shorewall-init.log
-
+    else
-	    update-rc.d shorewall-lite defaults
+	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-
+	    if insserv /etc/init.d/shorewall-lite ; then
-	    if [ -x /sbin/insserv ]; then
+		echo "Shorewall Lite will start automatically at boot"
 		insserv /etc/init.d/shorewall-lite
 	    else
 		ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
 	    fi
 	    echo "Shorewall Lite will start automatically at boot"
 	else
 	    if [ -n "$SYSTEMD" ]; then
 		if systemctl enable shorewall-lite; then
 		    echo "Shorewall Lite will start automatically at boot"
 		fi
 	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if insserv /etc/init.d/shorewall-lite ; then
 		    echo "Shorewall Lite will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 		if chkconfig --add shorewall-lite ; then
 		    echo "Shorewall Lite will start automatically in run levels as follows:"
 		    chkconfig --list shorewall-lite
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/rc-update ]; then
 		if rc-update add shorewall-lite default; then
 		    echo "Shorewall Lite will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
 	elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	    if chkconfig --add shorewall-lite ; then
 		echo "Shorewall Lite will start automatically in run levels as follows:"
 		chkconfig --list shorewall-lite
 	    else
 		cant_autostart
 	    fi
 	elif [ -x /sbin/rc-update ]; then
 	    if rc-update add shorewall-lite default; then
 		echo "Shorewall Lite will start automatically at boot"
 	    else
 		cant_autostart
 	    fi
 	elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 	    cant_autostart
 	fi
    fi
 fi
--- a/Shorewall-lite/logrotate
+++ b/Shorewall-lite/logrotate
@@ -1,5 +0,0 @@
 /var/log/shorewall-lite-init.log {
  missingok
  notifempty
  create 0600 root root
 }
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #
@@ -48,19 +48,18 @@
 SHAREDIR=/usr/share/shorewall-lite
 VARDIR=/var/lib/shorewall-lite
 CONFDIR=/etc/shorewall-lite
-g_product="Shorewall Lite"
+PRODUCT="Shorewall Lite"
 . /usr/share/shorewall-lite/lib.base
 . /usr/share/shorewall-lite/lib.cli
 . /usr/share/shorewall-lite/configpath
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-SHOREWALL_VERSION=$(cat /usr/share/shorewall-lite/version)
+VERSION=$(cat /usr/share/shorewall-lite/version)
 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
-VERBOSITY=0
+VERBOSE=0
 load_kernel_modules No
 determine_capabilities
 report_capabilities1
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -1,10 +1,10 @@
 #!/bin/sh
 #
-#     Shorewall Lite Packet Filtering Firewall Control Program - V4.4
+#     Shorewall Lite Packet Filtering Firewall Control Program - V4.1
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall-lite.
 #
@@ -94,9 +94,9 @@ get_config() {
    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
-	g_logread="logread | tac"
+	LOGREAD="logread | tac"
-    elif [ -r $LOGFILE ]; then
+    elif [ -f $LOGFILE ]; then
-	g_logread="tac $LOGFILE"
+	LOGREAD="tac $LOGFILE"
    else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	exit 2
@@ -113,6 +113,12 @@ get_config() {
    [ -n "$FW" ] || FW=fw
    [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
    [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
    export LOGFORMAT
    if [ -n "$IPTABLES" ]; then
 	if [ ! -x "$IPTABLES" ]; then
 	    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
@@ -126,6 +132,8 @@ get_config() {
 	fi
    fi
    export IPTABLES
    if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -x "$SHOREWALL_SHELL" ]; then
 	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
@@ -137,26 +145,15 @@ get_config() {
    validate_restorefile RESTOREFILE
    export RESTOREFILE
    [ -n "${VERBOSITY:=2}" ]
-    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
+    [ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))
-    if [ $VERBOSITY -lt -1 ]; then
+    export VERBOSE
 	VERBOSITY=-1
    elif [ $VERBOSITY -gt 2 ]; then
 	VERBOSITY=2
    fi
-    g_hostname=$(hostname 2> /dev/null)
+    [ -n "${HOSTNAME:=$(hostname)}" ]
    IP=$(mywhich ip 2> /dev/null)
    if [ -z "$IP" ] ; then
 	echo "   ERROR: Can't find ip executable" >&2
 	exit 2
    fi
    IPSET=ipset
    TC=tc
 }
@@ -164,28 +161,19 @@ get_config() {
 # Verify that we have a compiled firewall script
 #
 verify_firewall_script() {
-    if [ ! -f $g_firewall ]; then
+    if [ ! -f $FIREWALL ]; then
 	echo "   ERROR: Shorewall Lite is not properly installed" >&2
-	if [ -L $g_firewall ]; then
+	if [ -L $FIREWALL ]; then
-	    echo "          $g_firewall is a symbolic link to a" >&2
+	    echo "          $FIREWALL is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
-	    echo "          The file $g_firewall does not exist" >&2
+	    echo "          The file $FIREWALL does not exist" >&2
 	fi
 	exit 2
    fi
 }
 #
 # Fatal error
 #
 startup_error() {
    echo "   ERROR: $@" >&2
    kill $$
    exit 1
 }
 #
 # Start Command Executor
 #
@@ -199,7 +187,7 @@ start_command() {
 	[ -n "$nolock" ] || mutex_on
 	if [ -x ${LITEDIR}/firewall ]; then
-	    run_it ${LITEDIR}/firewall $debugging start
+	    ${LITEDIR}/firewall $debugging start
 	    rc=$?
 	else
 	    error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -231,12 +219,12 @@ start_command() {
 			    option=
 			    ;;
 			f*)
-			    g_fast=Yes
+			    FAST=Yes
 			    option=${option#f}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
+			    PURGE=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -260,21 +248,36 @@ start_command() {
 	    ;;
    esac
-    if [ -n "$g_fast" ]; then
+    export NOROUTES
    if [ -n "$FAST" ]; then
 	if qt mywhich make; then
-	    export RESTOREFILE
+	    #
-	    make -qf ${CONFDIR}/Makefile || g_fast=
+	    # RESTOREFILE is exported by get_config()
 	    #
 	    make -qf ${CONFDIR}/Makefile || FAST=
 	fi
-	if [ -n "$g_fast" ]; then
+	if [ -n "$FAST" ]; then
-	    g_restorepath=${VARDIR}/$RESTOREFILE
+	    RESTOREPATH=${VARDIR}/$RESTOREFILE
 	    if [ -x $RESTOREPATH ]; then
 		if [ -x ${RESTOREPATH}-ipsets ]; then
 		    echo Restoring Ipsets...
 		    #
 		    # We must purge iptables to be sure that there are no
 		    # references to ipsets
 		    #
 		    iptables -F
 		    iptables -X
 		    $SHOREWALL_SHELL ${RESTOREPATH}-ipsets
 		fi
 	    if [ -x $g_restorepath ]; then
 		echo Restoring Shorewall Lite...
-		run_it $g_restorepath restore
+		$SHOREWALL_SHELL $RESTOREPATH restore
 		date > ${VARDIR}/restarted
-		progress_message3 Shorewall Lite restored from $g_restorepath
+		progress_message3 Shorewall Lite restored from $RESTOREPATH
 	    else
 		do_it
 	    fi
@@ -310,12 +313,12 @@ restart_command() {
 			    option=
 			    ;;
 			n*)
-			    g_noroutes=Yes
+			    NOROUTES=Yes
 			    option=${option#n}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
+			    PURGE=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -339,10 +342,12 @@ restart_command() {
 	    ;;
    esac
    export NOROUTES
    [ -n "$nolock" ] || mutex_on
    if [ -x ${LITEDIR}/firewall ]; then
-	run_it ${LITEDIR}/firewall $debugging restart
+	$SHOREWALL_SHELL ${LITEDIR}/firewall $debugging restart
 	rc=$?
    else
 	error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -361,14 +366,13 @@ usage() # $1 = exit status
 {
    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
    echo "   clear"
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   drop <address> ..."
    echo "   dump [ -x ]"
    echo "   forget [ <file name> ]"
    echo "   help"
    echo "   hits [ -t ]"
    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
    echo "   ipdecimal { <address> | <integer> }"
    echo "   iprange <address>-<address>"
@@ -377,7 +381,7 @@ usage() # $1 = exit status
    echo "   logwatch [<refresh interval>]"
    echo "   reject <address> ..."
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   save [ <file name> ]"
    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
@@ -385,71 +389,23 @@ usage() # $1 = exit status
    echo "   show classifiers"
    echo "   show config"
    echo "   show connections"
-    echo "   show filters"
+    echo "   show dynamic <zone>"
    echo "   show filter"
    echo "   show ip"
-    echo "   show [ -m ] log [<regex>]"
+    echo "   show [ -m ] log"
-    echo "   show [ -x ] mangle|nat|raw|routing"
+    echo "   show [ -x ] mangle|nat|raw"
-    echo "   show policies"
+    echo "   show routing"
-    echo "   show tc [ device ]"
+    echo "   show tc"
    echo "   show vardir"
    echo "   show zones"
-    echo "   start [ -f ] [ -p ] [ <directory> ]"
+    echo "   start [ -n ] [ -p ]"
    echo "   stop"
    echo "   status"
-    echo "   version [ -a ]"
+    echo "   version"
    echo
    exit $1
 }
 version_command() {
    local finished
    finished=0
    local all
    all=
    local product
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
 	    -*)
 		option=${option#-}
 		while [ -n "$option" ]; do
 		    case $option in
 			-)
 			    finished=1
 			    option=
 			    ;;
 			a*)
 			    all=Yes
 			    option=${option#a}
 			    ;;
 			*)
 			    usage 1
 			    ;;
 		    esac
 		done
 		shift
 		;;
 	    *)
 		finished=1
 		;;
 	esac
    done
    [ $# -gt 0 ] && usage 1
    echo $SHOREWALL_VERSION
    if [ -n "$all" ]; then
 	for product in shorewall shorewall6 shorewall6-lite shorewall-init; do
 	    if [ -f /usr/share/$product/version ]; then
 		echo "$product: $(cat /usr/share/$product/version)"
 	    fi
 	done
    fi
 }
 #
 # Execution begins here
 #
@@ -467,20 +423,14 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
    shift
 fi
-g_ipt_options="-nv"
+IPT_OPTIONS="-nv"
-g_fast=
+FAST=
-g_verbose_offset=0
+VERBOSE_OFFSET=0
-g_use_verbosity=
+USE_VERBOSITY=
-g_noroutes=
+NOROUTES=
-g_timestamp=
+EXPORT=
-g_recovering=
+export TIMESTAMP=
-g_logread=
+noroutes=
 #
 # Make sure that these variables are cleared
 #
 VERBOSE=
 VERBOSITY=
 finished=0
@@ -499,48 +449,48 @@ while [ $finished -eq 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    x*)
-			g_ipt_options="-xnv"
+			IPT_OPTIONS="-xnv"
 			option=${option#x}
 			;;
 		    q*)
-			g_verbose_offset=$(($g_verbose_offset - 1 ))
+			VERBOSE_OFFSET=$(($VERBOSE_OFFSET - 1 ))
 			option=${option#q}
 			;;
 		    f*)
-			g_fast=Yes
+			FAST=Yes
 			option=${option#f}
 			;;
 		    v*)
 			option=${option#v}
 			case $option in 
 			    -1*)
-				g_use_verbosity=-1
+				USE_VERBOSITY=-1
 				option=${option#-1}
 				;;
 			    0*)
-				g_use_verbosity=0
+				USE_VERBOSITY=0
 				option=${option#0}
 				;;
 			    1*)
-				g_use_verbosity=1
+				USE_VERBOSITY=1
 				option=${option#1}
 				;;
 			    2*)
-				g_use_verbosity=2
+				USE_VERBOSITY=2
 				option=${option#2}
 				;;
 			    *)
-				g_verbose_offset=$(($g_verbose_offset + 1 ))
+				VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 ))
-				g_use_verbosity=
+				USE_VERBOSITY=
 				;;
 			esac
 			;;
 		    n*)
-			g_noroutes=Yes
+			NOROUTES=Yes
 			option=${option#n}
 			;;
 		    t*)
-			g_timestamp=Yes
+			TIMESTAMP=Yes
 			option=${option#t}
 			;;
 		    -)
@@ -565,12 +515,12 @@ if [ $# -eq 0 ]; then
 fi
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 export PATH
 MUTEX_TIMEOUT=
 SHAREDIR=/usr/share/shorewall-lite
 CONFDIR=/etc/shorewall-lite
-g_product="Shorewall Lite"
+export PRODUCT="Shorewall Lite"
 g_libexec=share
 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
@@ -578,10 +528,17 @@ g_libexec=share
 [ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR"
-version_file=$SHAREDIR/version
+LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
 VERSION_FILE=$SHAREDIR/version
 HELP=$SHAREDIR/help
-for library in base cli; do
+for library in $LIBRARIES; do
-    . ${SHAREDIR}/lib.$library
+    if [ -f $library ]; then
 	. $library
    else
 	echo "Installation error: $library does not exist!" >&2
 	exit 2
    fi
 done
 ensure_config_path
@@ -601,6 +558,7 @@ else
 fi
 ensure_config_path
 export CONFIG_PATH
 LITEDIR=${VARDIR}
@@ -608,17 +566,17 @@ LITEDIR=${VARDIR}
 get_config
-g_firewall=$LITEDIR/firewall
+FIREWALL=$LITEDIR/firewall
-if [ -f $version_file ]; then
+if [ -f $VERSION_FILE ]; then
-    SHOREWALL_VERSION=$(cat $version_file)
+    version=$(cat $VERSION_FILE)
 else
    echo "   ERROR: Shorewall Lite is not properly installed" >&2
-    echo "          The file $version_file does not exist" >&2
+    echo "          The file $VERSION_FILE does not exist" >&2
    exit 1
 fi
-banner="Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname -"
+banner="Shorewall Lite $version Status at $HOSTNAME -"
 case $(echo -e) in
    -e*)
@@ -647,12 +605,15 @@ case "$COMMAND" in
 	shift
 	start_command $@
 	;;
-    stop|reset|clear)
+    stop|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	[ -n "$nolock" ] || mutex_on
+	export NOROUTES
-	run_it $g_firewall $debugging $COMMAND
+	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
-	[ -n "$nolock" ] || mutex_off
+	;;
    reset)
 	verify_firewall_script
 	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@
 	;;
    restart)
 	shift
@@ -665,7 +626,7 @@ case "$COMMAND" in
    status)
 	[ $# -eq 1 ] || usage 1
 	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
-	echo "Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
+	echo "Shorewall Lite $version Status at $HOSTNAME - $(date)"
 	echo
 	if shorewall_is_started ; then
 	    echo "Shorewall Lite is running"
@@ -678,7 +639,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|Closed*|Clear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -699,8 +660,7 @@ case "$COMMAND" in
 	hits_command $@
 	;;
    version)
-	shift
+	echo $version Lite
 	version_command $@
 	;;
    logwatch)
 	logwatch_command $@
@@ -769,7 +729,7 @@ case "$COMMAND" in
 	    ;;
 	esac
-	g_restorepath=${VARDIR}/$RESTOREFILE
+	RESTOREPATH=${VARDIR}/$RESTOREFILE
 	[ "$nolock" ] || mutex_on
@@ -791,15 +751,20 @@ case "$COMMAND" in
 	esac
-	g_restorepath=${VARDIR}/$RESTOREFILE
+	RESTOREPATH=${VARDIR}/$RESTOREFILE
-	if [ -x $g_restorepath ]; then
+	if [ -x $RESTOREPATH ]; then
-	    rm -f $g_restorepath
+
-	    rm -f ${g_restorepath}-iptables
+	    if [ -x ${RESTOREPATH}-ipsets ]; then
-	    rm -f ${g_restorepath}-ipsets
+		rm -f ${RESTOREPATH}-ipsets
-	    echo "    $g_restorepath removed"
+		echo "    ${RESTOREPATH}-ipsets removed"
-	elif [ -f $g_restorepath ]; then
+	    fi
-	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
+
 	    rm -f $RESTOREPATH
 	    rm -f ${RESTOREPATH}-iptables
 	    echo "    $RESTOREPATH removed"
 	elif [ -f $RESTOREPATH ]; then
 	    echo "   $RESTOREPATH exists and is not a saved Shorewall configuration"
 	fi
 	rm -f ${VARDIR}/save
 	;;
--- a/Shorewall-lite/shorewall-lite.conf
+++ b/Shorewall-lite/shorewall-lite.conf
@@ -4,11 +4,12 @@
 #  compile /var/lib/shorewall-lite/firewall. Those values may be found in
 #  /var/lib/shorewall-lite/firewall.conf.
 #
-#  For information about the settings in this file, type
+#  This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#  "man shorewall-lite.conf"
+#
 #  This file should be placed in /etc/shorewall-lite
 #
 #  (c) 2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #  Manpage also online at
 #  http://www.shorewall.net/manpages/shorewall-lite.conf.html
 ###############################################################################
 #                                   N 0 T E
 ###############################################################################
@@ -21,7 +22,6 @@
 ###############################################################################
 #		              V E R B O S I T Y
 ###############################################################################
 VERBOSITY=
 ###############################################################################
@@ -30,6 +30,8 @@ VERBOSITY=
 LOGFILE=
 LOGFORMAT=
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -1,21 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
 #
 #     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
 After=syslog.target
 After=network.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start
 ExecReload=/sbin/shorewall-lite $OPTIONS restart
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 [Install]
 WantedBy=multi-user.target
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -0,0 +1,270 @@
 %define name shorewall-lite
 %define version 4.4.0
 %define release 1
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
 Version: %{version}
 Release: %{release}
 License: GPLv2
 Packager: Tom Eastep <teastep@shorewall.net>
 Group: Networking/Utilities
 Source: %{name}-%{version}.tgz
 URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute
 %description
 The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
 (iptables) based firewall that can be used on a dedicated firewall system,
 a multi-function gateway/ router/server or on a standalone GNU/Linux system.
 Shorewall Lite is a companion product to Shorewall that allows network
 administrators to centralize the configuration of Shorewall-based firewalls.
 %prep
 %setup
 %build
 %install
 export PREFIX=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
 %clean
 rm -rf $RPM_BUILD_ROOT
 %pre
 if [ -f /etc/shorewall-lite/shorewall.conf ]; then
    cp -fa /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall.conf.rpmsave
 fi
 %post
 if [ $1 -eq 1 ]; then
    if [ -x /sbin/insserv ]; then
 	/sbin/insserv /etc/rc.d/shorewall-lite
    elif [ -x /sbin/chkconfig ]; then
 	/sbin/chkconfig --add shorewall-lite;
    fi
 elif [ -f /etc/shorewall-lite/shorewall.conf.rpmsave ]; then
    mv -f /etc/shorewall-lite/shorewall-lite.conf /etc/shorewall-lite/shorewall-lite.conf.rpmnew
    mv -f /etc/shorewall-lite/shorewall.conf.rpmsave /etc/shorewall-lite/shorewall-lite.conf
    echo "/etc/shorewall-lite/shorewall.conf retained as /etc/shorewall-lite/shorewall-lite.conf"
    echo "/etc/shorewall-lite/shorewall-lite.conf installed as /etc/shorewall-lite/shorewall-lite.conf.rpmnew"
 fi
 %preun
 if [ $1 -eq 0 ]; then
    if [ -x /sbin/insserv ]; then
 	/sbin/insserv -r /etc/init.d/shorewall-lite
    elif [ -x /sbin/chkconfig ]; then
 	/sbin/chkconfig --del shorewall-lite
    fi
 fi
 %files
 %defattr(0644,root,root,0755)
 %attr(0755,root,root) %dir /etc/shorewall-lite
 %attr(0644,root,root) %config(noreplace) /etc/shorewall-lite/shorewall-lite.conf
 %attr(0644,root,root) /etc/shorewall-lite/Makefile
 %attr(0544,root,root) /etc/init.d/shorewall-lite
 %attr(0755,root,root) %dir /usr/share/shorewall-lite
 %attr(0700,root,root) %dir /var/lib/shorewall-lite
 %attr(0755,root,root) /sbin/shorewall-lite
 %attr(0644,root,root) /usr/share/shorewall-lite/version
 %attr(0644,root,root) /usr/share/shorewall-lite/configpath
 %attr(-   ,root,root) /usr/share/shorewall-lite/functions
 %attr(0644,root,root) /usr/share/shorewall-lite/lib.base
 %attr(0644,root,root) /usr/share/shorewall-lite/lib.cli
 %attr(0644,root,root) /usr/share/shorewall-lite/modules
 %attr(0544,root,root) /usr/share/shorewall-lite/shorecap
 %attr(0755,root,root) /usr/share/shorewall-lite/wait4ifup
 %attr(0644,root,root) %{_mandir}/man5/shorewall-lite.conf.5.gz
 %attr(0644,root,root) %{_mandir}/man5/shorewall-lite-vardir.5.gz
 %attr(0644,root,root) %{_mandir}/man8/shorewall-lite.8.gz
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
 * Thu Aug 13 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-1
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0RC2
 * Sun Jul 12 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0RC1
 * Thu Jul 09 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0Beta4
 * Sat Jun 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0Beta3
 * Mon Jun 15 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0Beta2
 * Fri Jun 12 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0Beta1
 * Sun Jun 07 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.13-0base
 * Fri Jun 05 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.12-0base
 * Sun May 10 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.11-0base
 * Sun Apr 19 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.10-0base
 * Sat Apr 11 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.9-0base
 * Tue Mar 17 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.8-0base
 * Sun Mar 01 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.7-0base
 * Fri Feb 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.6-0base
 * Sun Feb 22 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.5-0base
 * Wed Feb 04 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.2.6-0base
 * Thu Jan 29 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.2.6-0base
 * Tue Jan 06 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.2.5-0base
 * Thu Dec 25 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.4-0base
 * Fri Dec 05 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.3-0base
 * Wed Nov 05 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.2-0base
 * Wed Oct 08 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.1-0base
 * Fri Oct 03 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.0-0base
 * Tue Sep 23 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.0-0RC4
 * Mon Sep 15 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.0-0RC3
 * Mon Sep 08 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.0-0RC2
 * Tue Aug 19 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.0-0RC1
 * Thu Jul 03 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.0-0Beta3
 * Mon Jun 02 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.0-0Beta2
 * Wed May 07 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.0-0Beta1
 * Mon Apr 28 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.1.8-0base
 * Mon Mar 24 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.1.7-0base
 * Thu Mar 13 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.1.6-0base
 * Tue Feb 05 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.1.5-0base
 * Fri Jan 04 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.1.4-0base
 * Wed Dec 12 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.1.3-0base
 * Fri Dec 07 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.1.3-1
 * Tue Nov 27 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.1.2-1
 * Wed Nov 21 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.1.1-1
 * Mon Nov 19 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.1.0-1
 * Thu Nov 15 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.6-1
 * Sat Nov 10 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.6-0RC3
 * Wed Nov 07 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.6-0RC2
 * Thu Oct 25 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.6-0RC1
 * Tue Oct 03 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.5-1
 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.4-1
 * Mon Aug 13 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.3-1
 * Thu Aug 09 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.2-1
 * Sat Jul 21 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.1-1
 * Wed Jul 11 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-1
 * Sun Jul 08 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0RC2
 * Mon Jul 02 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0RC1
 * Sun Jun 24 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0Beta7
 * Wed Jun 20 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0Beta6
 * Thu Jun 14 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0Beta5
 * Fri Jun 08 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0Beta4
 * Tue Jun 05 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0Beta3
 * Tue May 15 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0Beta1
 * Fri May 11 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.9.7-1
 * Sat May 05 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.9.6-1
 * Mon Apr 30 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.9.5-1
 * Mon Apr 23 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.9.4-1
 * Wed Apr 18 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.9.3-1
 * Sat Apr 14 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.9.2-1
 * Sat Apr 07 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.9.1-1
 * Thu Mar 15 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.4.1-1
 * Sat Mar 10 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.4.0-1
 * Sun Feb 25 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.4.0-0RC3
 * Sun Feb 04 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.4.0-0RC2
 * Wed Jan 24 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.4.0-0RC1
 * Mon Jan 22 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.4.0-0Beta3
 * Wed Jan 03 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.4.0-0Beta2
 - Handle rename of shorewall.conf
 * Thu Dec 14 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.4.0-0Beta1
 * Sat Nov 25 2006 Tom Eastep tom@shorewall.net
 - Added shorewall-exclusion(5)
 - Updated to 3.3.6-1
 * Sun Nov 19 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.3.5-1
 * Sun Oct 29 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.3.4-1
 * Mon Oct 16 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.3.3-1
 * Sat Sep 30 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.3.2-1
 * Wed Aug 30 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.3.1-1
 * Wed Aug 09 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.3.0-1
 * Wed Aug 09 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.3.0-1
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=xxx  #The Build script inserts the actual version
+VERSION=4.4.0.1
 usage() # $1 = exit status
 {
@@ -72,8 +72,6 @@ else
    VERSION=""
 fi
 [ -n "${LIBEXEC:=/usr/share}" ]
 echo "Uninstalling Shorewall Lite $VERSION"
 if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
@@ -81,20 +79,16 @@ if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
 fi
 if [ -L /usr/share/shorewall-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall-lite/init)
+    FIREWALL=$(ls -l /usr/share/shorewall-lite/init | sed 's/^.*> //')
 else
    FIREWALL=/etc/init.d/shorewall-lite
 fi
 if [ -n "$FIREWALL" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
+    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 	updaterc.d shorewall-lite remove
    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
        insserv -r $FIREWALL
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
    elif [ -x /sbin/systemctl ]; then
 	systemctl disable shorewall-lite
    else
 	rm -f /etc/rc*.d/*$(basename $FIREWALL)
    fi
@@ -111,11 +105,8 @@ rm -rf /etc/shorewall-lite-*.bkout
 rm -rf /var/lib/shorewall-lite
 rm -rf /var/lib/shorewall-lite-*.bkout
 rm -rf /usr/share/shorewall-lite
 rm -rf ${LIBEXEC}/shorewall-lite
 rm -rf /usr/share/shorewall-lite-*.bkout
 rm -f  /etc/logrotate.d/shorewall-lite
 rm -f  /lib/systemd/system/shorewall-lite.service
-echo "Shorewall Lite Uninstalled"
+echo "Shorewall Uninstalled"
--- a/Shorewall/COPYING
+++ b/Shorewall/COPYING
@@ -2,8 +2,7 @@
 		       Version 2, June 1991
 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                          51 Franklin Street, Fifth Floor,
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 			  Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
--- a/Shorewall/Contrib/swping
+++ b/Shorewall/Contrib/swping
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V4.2
 #
 #     Inspired by Angsuman Chakraborty's gwping script.
 #
@@ -224,7 +224,7 @@ while : ; do
 	# One of the interfaces changed state -- restart Shorewall
 	#
 	echo $if1_state > $VARDIR/${IF1}.status
-	echo $if2_state > $VARDIR/${IF2}.status
+	echo $if2_state > $VARDIR/${IF2}.status 
 	eval $COMMAND
 	state_changed=
    fi
--- a/Shorewall/Contrib/swping.init
+++ b/Shorewall/Contrib/swping.init
@@ -1,5 +1,5 @@
 #!/bin/sh
-#     Shorewall WAN Interface monitor - V4.4
+#     Shorewall WAN Interface monitor - V4.2
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -32,7 +32,7 @@
 ### BEGIN INIT INFO
 # Provides:	  swping
 # Required-Start: shorewall
-# Should-Start:
+# Should-Start: 
 # Required-Stop:
 # Default-Start:  2 3 5
 # Default-Stop:	  0 1 6
@@ -87,7 +87,7 @@ case "$command" in
 	    echo "swping is running"
 	    exit 0
 	else
-	    echo "swping is stopped"
+	    echo "swping is stopped" 
 	    exit 3
 	fi
 	;;
--- a/Shorewall/Macros/macro.A_AllowICMPs
+++ b/Shorewall/Macros/macro.A_AllowICMPs
@@ -1,15 +0,0 @@
 #
 # Shorewall version 4 - Audited AllowICMPs Macro
 #
 # /usr/share/shorewall/macro.AAllowICMPs
 #
 #	This macro A_ACCEPTs needed ICMP types
 #
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #					PORT(S)	PORT(S)	LIMIT	GROUP
 COMMENT Needed ICMP types
 A_ACCEPT       -	-	icmp	fragmentation-needed
 A_ACCEPT       -	-	icmp	time-exceeded
--- a/Shorewall/Macros/macro.A_DropDNSrep
+++ b/Shorewall/Macros/macro.A_DropDNSrep
@@ -1,14 +0,0 @@
 #
 # Shorewall version 4 - Audited DropDNSrep Macro
 #
 # /usr/share/shorewall/macro.ADropDNSrep
 #
 #	This macro silently audites and drops DNS UDP replies
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 COMMENT Late DNS Replies
 A_DROP	-	-	udp	-	53
--- a/Shorewall/Macros/macro.A_DropUPnP
+++ b/Shorewall/Macros/macro.A_DropUPnP
@@ -1,14 +0,0 @@
 #
 # Shorewall version 4 - ADropUPnP Macro
 #
 # /usr/share/shorewall/macro.ADropUPnP
 #
 #	This macro silently drops UPnP probes on UDP port 1900
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 COMMENT UPnP
 A_DROP	-	-	udp	1900
--- a/Shorewall/Macros/macro.AllowICMPs
+++ b/Shorewall/Macros/macro.AllowICMPs
@@ -11,6 +11,5 @@
 COMMENT Needed ICMP types
-DEFAULT ACCEPT
+ACCEPT	-	-	icmp	fragmentation-needed
-PARAM	-	-	icmp	fragmentation-needed
+ACCEPT	-	-	icmp	time-exceeded
 PARAM	-	-	icmp	time-exceeded
--- a/Shorewall/Macros/macro.BGP
+++ b/Shorewall/Macros/macro.BGP
@@ -3,9 +3,9 @@
 #
 # /usr/share/shorewall/macro.BGP
 #
-#	This macro handles BGP4 traffic.
+#       This macro handles BGP4 traffic.
 #
 ###############################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-#				PORT(S) PORT(S) LIMIT	GROUP
+#                               PORT(S) PORT(S) LIMIT   GROUP
-PARAM	-	-	tcp	179	# BGP4
+PARAM   -       -       tcp     179     				# BGP4
--- a/Shorewall/Macros/macro.BitTorrent
+++ b/Shorewall/Macros/macro.BitTorrent
@@ -5,7 +5,7 @@
 #
 #	This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier.
 #
-#	If you are running BitTorrent 3.2 or later, you should use the
+#	If you are running BitTorrent 3.2 or later, you should use the 
 #	BitTorrent32 macro.
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
--- a/Shorewall/Macros/macro.Citrix
+++ b/Shorewall/Macros/macro.Citrix
@@ -3,12 +3,11 @@
 #
 # /usr/share/shorewall/macro.Citrix
 #
-#	This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a.
+# This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a. ICA Session Reliability)
 #	ICA Session Reliability)
 #
 ####################################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-#				PORT(S) PORT(S) LIMIT	GROUP
+#                               PORT(S) PORT(S) LIMIT   GROUP
-PARAM	-	-	tcp	1494	# ICA
+PARAM   -       -       tcp     1494 				   # ICA
-PARAM	-	-	udp	1604	# ICA Browser
+PARAM   -       -       udp     1604    			   # ICA Browser
-PARAM	-	-	tcp	2598	# CGP Session Reliabilty
+PARAM   -       -       tcp     2598    			   # CGP Session Reliabilty
--- a/Shorewall/Macros/macro.DHCPfwd
+++ b/Shorewall/Macros/macro.DHCPfwd
@@ -1,12 +0,0 @@
 #
 # Shorewall version 4 - DHCPfwd Macro
 #
 # /usr/share/shorewall/macro.DHCPfwd
 #
 #	This macro (bidirectional) handles forwarded DHCP traffic
 #
 ###############################################################################
 #ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S) PORT(S) LIMIT	GROUP
 PARAM	-	-	udp	67:68	67:68	# DHCP
 PARAM	DEST	SOURCE	udp	67:68	67:68	# DHCP
--- a/Shorewall/Macros/macro.DropDNSrep
+++ b/Shorewall/Macros/macro.DropDNSrep
@@ -11,5 +11,4 @@
 COMMENT Late DNS Replies
-DEFAULT DROP
+DROP	-	-	udp	-	53
 PARAM	-	-	udp	-	53
--- a/Shorewall/Macros/macro.DropUPnP
+++ b/Shorewall/Macros/macro.DropUPnP
@@ -11,5 +11,4 @@
 COMMENT UPnP
-DEFAULT DROP
+DROP	-	-	udp	1900
 PARAM	-	-	udp	1900
--- a/Shorewall/Macros/macro.HKP
+++ b/Shorewall/Macros/macro.HKP
@@ -1,11 +0,0 @@
 #
 # Shorewall version 4 - HKP Macro
 #
 # /usr/share/shorewall/macro.HKP
 #
 #	This macro handles OpenPGP HTTP keyserver protocol traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	11371
--- a/Shorewall/Macros/macro.ICPV2
+++ b/Shorewall/Macros/macro.ICPV2
@@ -1,11 +0,0 @@
 #
 # Shorewall version 4 - ICPV2 Macro
 #
 # /usr/share/shorewall/macro.ICPV2
 #
 #	This macro handles Internet Cache Protocol V2 (Squid) traffic
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	3130
--- a/Shorewall/Macros/macro.IPPserver
+++ b/Shorewall/Macros/macro.IPPserver
@@ -15,7 +15,7 @@
 #	Example for a two-interface firewall which acts as a print
 #	server for loc:
 #		IPPserver/ACCEPT loc $FW
-#
+#	
 #	NOTE: If you want both to serve requests for local printers and
 #	listen to requests for remote printers (i.e. your CUPS server is
 #	also a client), you need to apply the rule twice, e.g.
--- a/Shorewall/Macros/macro.JAP
+++ b/Shorewall/Macros/macro.JAP
@@ -13,5 +13,5 @@
 PARAM	-	-	tcp	8080 # HTTP port
 PARAM	-	-	tcp	6544 # HTTP port
 PARAM	-	-	tcp	6543 # InfoService port
-HTTPS(PARAM)
+HTTPS/PARAM
-SSH(PARAM)
+SSH/PARAM
--- a/Shorewall/Macros/macro.Munin
+++ b/Shorewall/Macros/macro.Munin
@@ -1,11 +0,0 @@
 #
 # Shorewall version 4 - Munin Macro
 #
 # /usr/share/shorewall/macro.Munin
 #
 #	This macro handles Munin networked resource monitoring traffic
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	4949
--- a/Shorewall/Macros/macro.OSPF
+++ b/Shorewall/Macros/macro.OSPF
@@ -3,9 +3,9 @@
 #
 # /usr/share/shorewall/macro.OSPF
 #
-#	This macro handles OSPF multicast traffic
+#       This macro handles OSPF multicast traffic
 #
-###############################################################################
+#######################################################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/   ORIGINAL
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#                                               PORT(S) PORT(S) DEST            LIMIT   GROUP   DEST
-PARAM	-	-	89	# OSPF
+PARAM           -               -       89      -                                                       # OSPF
--- a/Shorewall/Macros/macro.Razor
+++ b/Shorewall/Macros/macro.Razor
@@ -3,7 +3,7 @@
 #
 # /usr/share/shorewall/macro.Razor
 #
-#	This macro handles traffic for the Razor Antispam System
+# This macro handles traffic for the Razor Antispam System
 #
 ###############################################################################
 #ACTION         SOURCE          DEST    PROTO   DEST    SOURCE  RATE    USER/
--- a/Shorewall/Macros/macro.Squid
+++ b/Shorewall/Macros/macro.Squid
@@ -1,11 +0,0 @@
 #
 # Shorewall version 4 - Squid Macro
 #
 # /usr/share/shorewall/macro.Squid
 #
 #	This macro handles Squid web proxy traffic
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	3128
--- a/Shorewall/Macros/macro.mDNS
+++ b/Shorewall/Macros/macro.mDNS
@@ -1,15 +1,12 @@
 #
 # Shorewall version 4 - Multicast DNS Macro
 #
-# /usr/share/shorewall/macro.mDNS
+# /usr/share/shorewall/macro.DNS
 #
 #	This macro handles multicast DNS traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#						PORT(S)	PORT(S)	LIMIT	GROUP
+#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	224.0.0.251		udp	5353
+PARAM	-	-	udp	5353
-PARAM	-	-			udp	32768:	5353
+PARAM	DEST	SOURCE	udp	5353
 PARAM	-	224.0.0.251		2
 PARAM	DEST	SOURCE:224.0.0.251	udp	5353
 PARAM	DEST	SOURCE:224.0.0.251	2
--- a/Shorewall/Macros/macro.template
+++ b/Shorewall/Macros/macro.template
@@ -15,7 +15,295 @@
 #	- All entries in a macro undergo substitution when the macro is
 #	  invoked in the rules file.
 #
-# Columns are the same as in /etc/shorewall/rules.
+#	- Macros used in action bodies may not invoke other macros.
 #
 # The columns in the file are the same as those in the action.template file but
 # have different restrictions:
 #
 # Columns are:
 #
 #	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
 #			LOG, QUEUE, PARAM or an <action> name.
 #
 #				ACCEPT	 -- allow the connection request
 #				ACCEPT+	 -- like ACCEPT but also excludes the
 #					    connection from any subsequent
 #					    DNAT[-] or REDIRECT[-] rules
 #				NONAT	 -- Excludes the connection from any
 #					    subsequent DNAT[-] or REDIRECT[-]
 #					    rules but doesn't generate a rule
 #					    to accept the traffic.
 #				DROP	 -- ignore the request
 #				REJECT	 -- disallow the request and return an
 #					    icmp-unreachable or an RST packet.
 #				DNAT	 -- Forward the request to another
 #					    system (and optionally another
 #					    port).
 #				DNAT-	 -- Advanced users only.
 #					    Like DNAT but only generates the
 #					    DNAT iptables rule and not
 #					    the companion ACCEPT rule.
 #				SAME	 -- Similar to DNAT except that the
 #					    port may not be remapped and when
 #					    multiple server addresses are
 #					    listed, all requests from a given
 #					    remote system go to the same
 #					    server.
 #				SAME-	 -- Advanced users only.
 #					    Like SAME but only generates the
 #					    NAT iptables rule and not
 #					    the companion ACCEPT rule.
 #				REDIRECT -- Redirect the request to a local
 #					    port on the firewall.
 #				REDIRECT-
 #					 -- Advanced users only.
 #					    Like REDIRET but only generates the
 #					    REDIRECT iptables rule and not
 #					    the companion ACCEPT rule.
 #
 #				CONTINUE -- (For experts only). Do not process
 #					    any of the following rules for this
 #					    (source zone,destination zone). If
 #					    The source and/or destination IP
 #					    address falls into a zone defined
 #					    later in /etc/shorewall/zones, this
 #					    connection request will be passed
 #					    to the rules defined for that
 #					    (those) zone(s).
 #				LOG	 -- Simply log the packet and continue.
 #				QUEUE	 -- Queue the packet to a user-space
 #					    application such as ftwall
 #					    (http://p2pwall.sf.net).
 #				PARAM	 -- If you code PARAM as the action in
 #					    a macro then when you invoke the
 #					    macro, you can include the name of
 #					    the macro followed by a slash ("/")
 #					    and an ACTION (either builtin or
 #					    user-defined. All instances of
 #					    PARAM in the body of the macro will
 #					    be replaced with the ACTION.
 #				<action> -- The name of an action defined in
 #					    /usr/share/shorewall/actions.std or
 #					    in /etc/shorewall/actions.
 #
 #			The ACTION may optionally be followed
 #			by ":" and a syslog log level (e.g, REJECT:info or
 #			DNAT:debug). This causes the packet to be
 #			logged at the specified level.
 #
 #			You may also specify ULOG (must be in upper case) as a
 #			log level.This will log to the ULOG target for routing
 #			to a separate log through use of ulogd
 #			(http://www.gnumonks.org/projects/ulogd).
 #
 #			Actions specifying logging may be followed by a
 #			log tag (a string of alphanumeric characters)
 #			are appended to the string generated by the
 #			LOGPREFIX (in /etc/shorewall/shorewall.conf).
 #
 #			Example: ACCEPT:info:ftp would include 'ftp '
 #			at the end of the log prefix generated by the
 #			LOGPREFIX setting.
 #
 #	SOURCE		Source hosts to which the rule applies. May be a zone
 #			defined in /etc/shorewall/zones, $FW to indicate the
 #			firewall itself, "all", "all+" or "none" If the ACTION
 #			is DNAT	or REDIRECT, sub-zones of the specified zone
 #			may be excluded from the rule by following the zone
 #			name with "!' and a comma-separated list of sub-zone
 #			names.
 #
 #			When "none" is used either in the SOURCE or DEST
 #			column, the rule is ignored.
 #
 #			When "all" is used either in the SOURCE or DEST column
 #			intra-zone traffic is not affected. When "all+" is
 #			used, intra-zone traffic is affected.
 #
 #			Except when "all[+]" is specified, clients may be
 #			further restricted to a list of subnets and/or hosts by
 #			appending ":" and a comma-separated list of subnets
 #			and/or hosts. Hosts may be specified by IP or MAC
 #			address; mac addresses must begin with "~" and must use
 #			"-" as a separator.
 #
 #			Hosts may be specified as an IP address range using the
 #			syntax <low address>-<high address>. This requires that
 #			your kernel and iptables contain iprange match support.
 #			If you kernel and iptables have ipset match support
 #			then you may give the name of an ipset prefaced by "+".
 #			The ipset name may be optionally followed by a number
 #			from 1 to 6 enclosed in square brackets ([]) to
 #			indicate the number of levels of source bindings to be
 #			matched.
 #
 #			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
 #
 #			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
 #						Internet
 #
 #			loc:192.168.1.1,192.168.1.2
 #						Hosts 192.168.1.1 and
 #						192.168.1.2 in the local zone.
 #			loc:~00-A0-C9-15-39-78	Host in the local zone with
 #						MAC address 00:A0:C9:15:39:78.
 #
 #			net:192.0.2.11-192.0.2.17
 #						Hosts 192.0.2.11-192.0.2.17 in
 #						the net zone.
 #
 #			Alternatively, clients may be specified by interface
 #			by appending ":" to the zone name followed by the
 #			interface name. For example, loc:eth1 specifies a
 #			client that communicates with the firewall system
 #			through eth1. This may be optionally followed by
 #			another colon (":") and an IP/MAC/subnet address
 #			as described above (e.g., loc:eth1:192.168.1.5).
 #
 #	DEST		Location of Server. May be a zone defined in
 #			/etc/shorewall/zones, $FW to indicate the firewall
 #			itself, "all". "all+" or "none".
 #
 #			When "none" is used either in the SOURCE or DEST
 #			column, the rule is ignored.
 #
 #			When "all" is used either in the SOURCE or DEST column
 #			intra-zone traffic is not affected. When "all+" is
 #			used, intra-zone traffic is affected.
 #
 #			Except when "all[+]" is specified, the server may be
 #			further restricted to a particular subnet, host or
 #			interface by appending ":" and the subnet, host or
 #			interface. See above.
 #
 #				Restrictions:
 #
 #				1. MAC addresses are not allowed.
 #				2. In DNAT rules, only IP addresses are
 #				   allowed; no FQDNs or subnet addresses
 #				   are permitted.
 #				3. You may not specify both an interface and
 #				   an address.
 #
 #			Like in the SOURCE column, you may specify a range of
 #			up to 256 IP addresses using the syntax
 #			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
 #			the connections will be assigned to addresses in the
 #			range in a round-robin fashion.
 #
 #			If you kernel and iptables have ipset match support
 #			then you may give the name of an ipset prefaced by "+".
 #			The ipset name may be optionally followed by a number
 #			from 1 to 6 enclosed in square brackets ([]) to
 #			indicate the number of levels of destination bindings
 #			to be matched. Only one of the SOURCE and DEST columns
 #			may specify an ipset name.
 #
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by
 #			":". If omitted, the firewall will not modifiy the
 #			destination port. A destination port may only be
 #			included if the ACTION is DNAT or REDIRECT.
 #
 #			Example: loc:192.168.1.3:3128 specifies a local
 #			server at IP address 192.168.1.3 and listening on port
 #			3128. The port number MUST be specified as an integer
 #			and not as a name from /etc/services.
 #
 #			if the ACTION is REDIRECT, this column needs only to
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
 #	PROTO		Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
 #			"ipp2p", "ipp2p:udp", "ipp2p:all" a number, or "all".
 #                       "ipp2p*" requires ipp2p match support in your kernel
 #                       and iptables.
 #
 #			"tcp:syn" implies "tcp" plus the SYN flag must be
 #			set and the RST,ACK and FIN flags must be reset.
 #
 #	DEST PORT(S)	Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
 #			If the protocol is ipp2p*, this column is interpreted
 #			as an ipp2p option without the leading "--" (example
 #			"bit" for bit-torrent). If no port is given, "ipp2p" is
 #			assumed.
 #
 #			A port range is expressed as <low port>:<high port>.
 #
 #			This column is ignored if PROTOCOL = all but must be
 #			entered if any of the following ields are supplied.
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
 #			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
 #			this list and the CLIENT PORT(S) list below:
 #			1. There are 15 or less ports listed.
 #			2. No port ranges are included.
 #			Otherwise, a separate rule will be generated for each
 #			port.
 #
 #	SOURCE PORT(S)	(Optional) Port(s) used by the client. If omitted,
 #			any source port is acceptable. Specified as a comma-
 #			separated list of port names, port numbers or port
 #			ranges.
 #
 #			If you don't want to restrict client ports but need to
 #			specify an ORIGINAL DEST in the next column, then
 #			place "-" in this column.
 #
 #			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
 #			this list and the DEST PORT(S) list above:
 #			1. There are 15 or less ports listed.
 #			2. No port ranges are included.
 #			Otherwise, a separate rule will be generated for each
 #			port.
 #
 #       ORIGINAL        Original destination IP address. Must be omitted (
 #       DEST            or '-') if the macro is to be used from within
 #                       an action. See 'man shorewall-rules'.
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in
 #			this colume:
 #
 #				<rate>/<interval>[:<burst>]
 #
 #			where <rate> is the number of connections per
 #			<interval> ("sec" or "min") and <burst> is the
 #			largest burst permitted. If no <burst> is given,
 #			a value of 5 is assumed. There may be no
 #			no whitespace embedded in the specification.
 #
 #				Example: 10/sec:20
 #
 #	USER/GROUP	This column may only be non-empty if the SOURCE is
 #			the firewall itself.
 #
 #			The column may contain:
 #
 #	[!][<user name or number>][:<group name or number>][+<program name>]
 #
 #			When this column is non-empty, the rule applies only
 #			if the program generating the output is running under
 #			the effective <user> and/or <group> specified (or is
 #			NOT running under that id if "!" is given).
 #
 #			Examples:
 #
 #				joe	#program must be run by joe
 #				:kids	#program must be run by a member of
 #					#the 'kids' group
 #				!:kids	#program must not be run by a member
 #					#of the 'kids' group
 #				+upnpd	#program named upnpd (This feature was
 #					#removed from Netfilter in kernel
 #					#version 2.6.14).
 #
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:
@@ -74,6 +362,6 @@
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
 FORMAT 2
-####################################################################################################################################################################
+#######################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+#ACTION		SOURCE		DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/	ORIGINAL
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#						PORT(S)	PORT(S)	DEST		LIMIT	GROUP   DEST
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -14,8 +14,4 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	    /sbin/shorewall -q restart 2>&1 | tail >&2; \
 	fi
 clean:
 	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
 .PHONY: clean
 # EOF
--- a/Shorewall/Makefile-lite
+++ b/Shorewall/Makefile-lite
@@ -23,10 +23,10 @@
 # to the name of the remote firewall corresponding to the directory.
 #
 #	To make the 'firewall' script, type "make".
-#
+# 
 #	Once the script is compiling correctly, you can install it by
 #	typing "make install".
-#
+#  
 ################################################################################
 #                             V A R I A B L E S
 #
@@ -55,7 +55,7 @@ all: firewall
 #
 # Only generate the capabilities file if it doesn't already exist
 #
-capabilities:
+capabilities: 
 	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall-lite/shorecap > $(LITEDIR)/capabilities"
 	scp root@$(HOST):$(LITEDIR)/capabilities .
 #
@@ -78,5 +78,5 @@ save:
 #
 # Remove generated files
 #
-clean:
+clean: 
 	rm -f capabilities firewall firewall.conf reload
--- a/Shorewall/Perl/.includepath
+++ b/Shorewall/Perl/.includepath
@@ -1,3 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <includepath />
--- a/Shorewall/Perl/.project
+++ b/Shorewall/Perl/.project
@@ -1,17 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <projectDescription>
 	<name>Shorewall</name>
 	<comment></comment>
 	<projects>
 	</projects>
 	<buildSpec>
 		<buildCommand>
 			<name>org.epic.perleditor.perlbuilder</name>
 			<arguments>
 			</arguments>
 		</buildCommand>
 	</buildSpec>
 	<natures>
 		<nature>org.epic.perleditor.perlnature</nature>
 	</natures>
 </projectDescription>
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,101 +35,25 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.3_7';
 #
-# Per-IP accounting tables. Each entry contains the associated network.
+# Initialize globals -- we take this novel approach to globals initialization to allow
-#
+#                       the compiler to run multiple times in the same process. The
-my %tables;
+#                       initialize() function does globals initialization for this
-
+#                       module and is called from an INIT block below. The function is
-my $jumpchainref;
+#                       also called by Shorewall::Compiler::compiler at the beginning of
-my %accountingjumps;
+#                       the second and subsequent calls to that function or when compiling
-my $asection;
+#                       for IPv6.
 my $defaultchain;
 my $defaultrestriction;
 my $restriction;
 my $accounting_commands = { COMMENT => 0, SECTION => 2 };
 my $sectionname;
 my $acctable;
 #
 # Sections in the Accounting File
 #
 use constant {
 	      LEGACY      => 0,
 	      PREROUTING  => 1,
 	      INPUT       => 2,
 	      OUTPUT      => 3,
 	      FORWARD     => 4,
 	      POSTROUTING => 5
 	  };
 #
 # Map names to values
 #
 our %asections = ( PREROUTING  => PREROUTING,
 		   INPUT       => INPUT,
 		   FORWARD     => FORWARD,
 		   OUTPUT      => OUTPUT,
 		   POSTROUTING => POSTROUTING
 		 );
 #
 # Called by the compiler to [re-]initialize this module's state
 #
 sub initialize() {
-    $jumpchainref       = undef;
+    our $jumpchainref;
-    %tables             = ();
+    $jumpchainref = undef;
    %accountingjumps    = ();
    #
    # The section number is initialized to a value less thatn LEGACY. It will be set to LEGACY if a
    # the first non-commentary line in the accounting file isn't a section header
    #
    # This allows the section header processor to quickly check for correct order 
    #
    $asection           = -1;
    #
    # These are the legacy values
    #
    $defaultchain       = 'accounting';
    $defaultrestriction = NO_RESTRICT;
    $sectionname        = '';
 }
-#
+INIT {
-# Process a SECTION header
+    initialize;
 #
 sub process_section ($) {
    $sectionname = shift;
    my $newsect  = $asections{$sectionname};
    #
    # read_a_line has already verified that there are exactly two tokens on the line
    #
    fatal_error "Invalid SECTION ($sectionname)"                   unless defined $newsect;
    fatal_error "SECTION not allowed after un-sectioned rules"     unless $asection;
    fatal_error "Duplicate or out-of-order SECTION ($sectionname)" if     $newsect <= $asection;
    if ( $sectionname eq 'INPUT' ) {
 	$defaultchain = 'accountin';
 	$defaultrestriction = INPUT_RESTRICT;
    } elsif ( $sectionname eq 'OUTPUT' ) {
 	$defaultchain = 'accountout';
 	$defaultrestriction = OUTPUT_RESTRICT;
    } elsif ( $sectionname eq 'FORWARD' ) {
 	$defaultchain = 'accountfwd';
 	$defaultrestriction = NO_RESTRICT;
     } else {
 	 fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle';
 	 if ( $sectionname eq 'PREROUTING' ) {
 	     $defaultchain = 'accountpre';
 	     $defaultrestriction = PREROUTE_RESTRICT;
 	 } else {
 	     $defaultchain = 'accountpost';
 	     $defaultrestriction = POSTROUTE_RESTRICT;
 	 }
     }
    $asection = $newsect;
 }
 #
@@ -137,36 +61,17 @@ sub process_section ($) {
 #
 sub process_accounting_rule( ) {
-    $acctable = $config{ACCOUNTING_TABLE};
+    our $jumpchainref;
-    $jumpchainref = 0;
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark ) = split_line1 1, 9, 'Accounting File';
    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File', $accounting_commands;
    if ( $action eq 'COMMENT' ) {
 	process_comment;
 	return 0;
    }
    if ( $action eq 'SECTION' ) {
 	process_section( $chain );
 	return 0;
    }
    $asection = LEGACY if $asection < 0;
    our $disposition = '';
    sub reserved_chain_name($) {
 	$_[0] =~ /^acc(?:ount(?:fwd|in|ing|out|pre|post)|ipsecin|ipsecout)$/;
    }
    sub ipsec_chain_name($) {
 	if ( $_[0] =~ /^accipsec(in|out)$/ ) {
 	    $1;
 	}
    }
    sub check_chain( $ ) {
 	my $chainref = shift;
 	fatal_error "A non-accounting chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{policy};
@@ -178,11 +83,10 @@ sub process_accounting_rule( ) {
    sub jump_to_chain( $ ) {
 	my $jumpchain = $_[0];
-	fatal_error "Jumps to the $jumpchain chain are not allowed" if reserved_chain_name( $jumpchain );
+	$jumpchainref = ensure_accounting_chain( $jumpchain );
 	$jumpchainref = ensure_accounting_chain( $jumpchain, 0, $defaultrestriction );
 	check_chain( $jumpchainref );
 	$disposition = $jumpchain;
-	$jumpchain;
+	"-j $jumpchain";
    }
    my $target = '';
@@ -191,67 +95,31 @@ sub process_accounting_rule( ) {
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';
-    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT; 
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, 0xFF );
    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
    my $rule2 = 0;
    my $jump  = 0;
    unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
-	    $target = 'RETURN';
+	    $target = '-j RETURN';
 	} elsif ( $action =~ /^ACCOUNT\(/ ) {
 	    if ( $action =~ /^ACCOUNT\((.+)\)$/ ) {
 		require_capability 'ACCOUNT_TARGET' , 'ACCOUNT Rules' , '';
 		my ( $table, $net, $rest ) = split/,/, $1;
 		fatal_error "Invalid Network Address (${net},${rest})" if defined $rest;
 		fatal_error "Missing Table Name"                       unless supplied $table;
 		fatal_error "Invalid Table Name ($table)"              unless $table =~ /^([-\w.]+)$/;
 		fatal_error "Missing Network Address"                  unless defined $net;
 		fatal_error "Invalid Network Address ($net)"           unless defined $net   && $net =~ '/(\d+)$';
 		fatal_error "Netmask ($1) out of range"                unless $1 >= 8;
 		validate_net $net, 0;
 		my $prevnet = $tables{$table};
 		if ( $prevnet ) {
 		    fatal_error "Previous net associated with $table ($prevnet) does not match this one ($net)" unless compare_nets( $net , $prevnet );
 		} else {
 		    $tables{$table} = $net;
 		}
 		$target = "ACCOUNT --addr $net --tname $table";
 	    } else {
 		fatal_error "Invalid ACCOUNT Action";
 	    }
 	} elsif ( $action =~ /^NFLOG/ ) {
 	    $target = validate_level $action;
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 	    if ( $cmd ) {
 		if ( $cmd eq 'COUNT' ) {
-		    $rule2 = 1;
+		    $rule2=1;
-		} elsif ( $cmd eq 'JUMP' ) {
+		} elsif ( $cmd ne 'JUMP' ) {
 		    $jump = 1;
 		} else {
 		    accounting_error;
 		}
-	    }
+	    } 
 	    $target = jump_to_chain $action;
 	}
    }
-    $restriction = $defaultrestriction;
+    my $restriction = NO_RESTRICT;
-    if ( $source eq 'any' || $source eq 'all' ) {
+    $source = ALLIP if $source eq 'any' || $source eq 'all';
        $source = ALLIP;
    } else { 
 	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
    }
-    if ( have_bridges && ! $asection ) {
+    if ( have_bridges ) {
 	my $fw = firewall_zone;
 	if ( $source =~ /^$fw:?(.*)$/ ) {
@@ -261,10 +129,9 @@ sub process_accounting_rule( ) {
 	    $dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
 	} else {
 	    $chain = 'accounting' unless $chain and $chain ne '-';
 	    if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
 		expand_rule(
-			    ensure_rules_chain ( 'accountout' ) ,
+			    ensure_filter_chain( 'accountout' , 0 ) ,
 			    OUTPUT_RESTRICT ,
 			    $rule ,
 			    $source ,
@@ -277,66 +144,11 @@ sub process_accounting_rule( ) {
 	    }
 	}
    } else {
-	$chain = $defaultchain unless $chain and $chain ne '-';
+	$chain = 'accounting' unless $chain and $chain ne '-';
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
    }
-    my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain};
+    my $chainref = ensure_accounting_chain $chain;
    my $dir;
    if ( ! $chainref ) {
 	if ( reserved_chain_name( $chain ) ) {
 	    fatal_error "May not use chain $chain in the $sectionname section" if $asection && $chain ne $defaultchain; 
 	    $chainref = ensure_accounting_chain $chain, 0 , $restriction;
 	} elsif ( $asection ) {
 	    fatal_error "Unknown accounting chain ($chain)";
 	} else {
 	    $chainref = ensure_accounting_chain $chain, 0 , $restriction;
 	}
 	$dir      = ipsec_chain_name( $chain );
 	if ( $ipsec ne '-' ) {
 	    if ( $dir ) {
 		$rule .= do_ipsec( $dir, $ipsec );
 		$chainref->{ipsec} = $dir;
 	    } else {
 		fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
 	    }
 	} else {
 	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
 	    $chainref->{ipsec} = $dir;
 	}
    } else {
 	fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
 	if ( $ipsec ne '-' ) {
 	    $dir = $chainref->{ipsec};
 	    fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
 	    $rule .= do_ipsec( $dir , $ipsec );
 	} elsif ( $asection ) {
 	    $restriction |= $chainref->{restriction};
 	}
    }
    dont_optimize( $chainref ) if $target eq 'RETURN';
    if ( $jumpchainref ) {
 	if ( $asection ) {
 	    #
 	    # Check the jump-to chain to be sure that it doesn't contain rules that are incompatible with this section
 	    #
 	    my $jumprestricted = $jumpchainref->{restricted};
 	    fatal_error "Chain $jumpchainref->{name} contains rules that are incompatible with the $sectionname section" if $jumprestricted && $restriction && $jumprestricted ne $restriction;
 	    $restriction |= $jumpchainref->{restriction};
 	}
 	$accountingjumps{$jumpchainref->{name}}{$chain} = 1;
    }
    fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
    $restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;
    expand_rule
 	$chainref ,
@@ -350,22 +162,6 @@ sub process_accounting_rule( ) {
 	$disposition ,
 	'' ;
    if ( $rule2 || $jump ) {
 	if ( $chainref->{ipsec} ) {
 	    if ( $jumpchainref->{ipsec} ) {
 		fatal_error "IPSEC in/out mismatch on chains $chain and $jumpchainref->{name}";
 	    } else {
 		fatal_error "$jumpchainref->{name} is not an IPSEC chain" if keys %{$jumpchainref->{references}} > 1;
 		$jumpchainref->{ipsec} = $chainref->{ipsec};
 	    }
 	} elsif ( $jumpchainref->{ipsec} ) {
 	    fatal_error "Jump from a non-IPSEC chain to an IPSEC chain not allowed";
 	} else {
 	    $jumpchainref->{ipsec} = $chainref->{ipsec};
 	}
    }
    if ( $rule2 ) {
 	expand_rule
 	    $jumpchainref ,
@@ -385,93 +181,32 @@ sub process_accounting_rule( ) {
 sub setup_accounting() {
-    if ( my $fn = open_file 'accounting' ) {
+    my $fn = open_file 'accounting';
-	first_entry "$doing $fn...";
+    first_entry "$doing $fn...";
-	my $nonEmpty = 0;
+    my $nonEmpty = 0;
-	$nonEmpty |= process_accounting_rule while read_a_line;
+    $nonEmpty |= process_accounting_rule while read_a_line;
-	clear_comment;
+    fatal_error "Accounring rules are isolated" if $nonEmpty && ! $filter_table->{accounting};
-	if ( $nonEmpty ) {
+    clear_comment;
 	    my $tableref = $chain_table{$acctable};
-	    if ( have_bridges || $asection ) {
+    if ( have_bridges ) {
-		if ( $tableref->{accountin} ) {
+	if ( $filter_table->{accounting} ) {
-		    insert_ijump( $tableref->{INPUT}, j => 'accountin', 0 );
+	    for my $chain ( qw/INPUT FORWARD/ ) {
-		}
+		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
 		if ( $tableref->{accounting} ) {
 		    dont_optimize( 'accounting' );
 		    for my $chain ( qw/INPUT FORWARD/ ) {
 			insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		    }
 		}
 		if ( $tableref->{accountfwd} ) {
 		    insert_ijump( $tableref->{FORWARD}, j => 'accountfwd', 0 );
 		}
 		if ( $tableref->{accountout} ) {
 		    insert_ijump( $tableref->{OUTPUT}, j => 'accountout', 0 );
 		}
 		if ( $tableref->{accountpre} ) {
 		    insert_ijump( $tableref->{PREROUTING}, j => 'accountpre' , 0 );
 		}
 		if ( $tableref->{accountpost} ) {
 		    insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 );
 		}
 	    } elsif ( $tableref->{accounting} ) {
 		dont_optimize( 'accounting' );
 		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
 		    insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		}
 	    }
 	}
-	    if ( $tableref->{accipsecin} ) {
+	if ( $filter_table->{accountout} ) {
-		for my $chain ( qw/INPUT FORWARD/ ) {
+	    insert_rule1 $filter_table->{OUTPUT}, 0, '-j accountout';
-		    insert_ijump( $tableref->{$chain}, j => 'accipsecin', 0 );
+	}
-		}
+    } else {
-	    }
+	if ( $filter_table->{accounting} ) {
-
+	    for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-	    if ( $tableref->{accipsecout} ) {
+		insert_rule1 $filter_table->{$chain}, 0, '-j accounting';
 		for my $chain ( qw/FORWARD OUTPUT/ ) {
 		    insert_ijump( $tableref->{$chain}, j => 'accipsecout', 0 );
 		}
 	    }
 	    unless ( $asection ) {
 		for ( accounting_chainrefs ) {
 		    warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
 		}
 	    }
 	    if ( my $chainswithjumps = keys %accountingjumps ) {
 		my $progress = 1;
 		while ( $chainswithjumps && $progress ) {
 		    $progress = 0;
 		    for my $chain1 (  keys %accountingjumps ) {
 			if ( keys %{$accountingjumps{$chain1}} ) {
 			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
 				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
 			    }
 			} else {
 			    delete $accountingjumps{$chain1};
 			    $chainswithjumps--;
 			    $progress = 1;
 			}
 		    }
 		}
 		if ( $chainswithjumps ) {
 		    my @chainswithjumps = keys %accountingjumps;
 		    fatal_error "Jump loop involving the following chains: @chainswithjumps";
 		}
 	    }
 	}
    }
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -0,0 +1,900 @@
 #
 # Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Actions.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2007,2008 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #   This module contains the code for dealing with actions (built-in,
 #   standard and user-defined) and Macros.
 #
 package Shorewall::Actions;
 require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
 use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( merge_levels
 		  isolate_basic_target
 		  get_target_param
 		  add_requiredby
 		  createactionchain
 		  find_logactionchain
 		  process_actions1
 		  process_actions2
 		  process_actions3
 		  find_macro
 		  split_action
 		  substitute_param
 		  merge_macro_source_dest
 		  merge_macro_column
 		  %usedactions
 		  %default_actions
 		  %actions
 		  %macros
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
 our $VERSION = '4.3_7';
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
 #
 our %usedactions;
 #
 # Default actions for each policy.
 #
 our %default_actions;
 #  Action Table
 #
 #     %actions{ <action1> =>  { requires => { <requisite1> = 1,
 #                                             <requisite2> = 1,
 #                                             ...
 #                                           } ,
 #                               actchain => <action chain number> # Used for generating unique chain names for each <level>:<tag> pair.
 #
 our %actions;
 #
 # Contains an entry for each used <action>:<level>[:<tag>] that maps to the associated chain.
 #
 our %logactionchains;
 our %macros;
 our $family;
 #
 # Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
 #
 our $macro_commands = { COMMENT => 0, FORMAT => 2 };
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
 #                       the compiler to run multiple times in the same process. The
 #                       initialize() function does globals initialization for this
 #                       module and is called from an INIT block below. The function is
 #                       also called by Shorewall::Compiler::compiler at the beginning of
 #                       the second and subsequent calls to that function or when compiling
 #                       for IPv6.
 #
 sub initialize( $ ) {
    $family          = shift;
    %usedactions     = ();
    %default_actions = ( DROP     => 'none' ,
 			 REJECT   => 'none' ,
 			 ACCEPT   => 'none' ,
 			 QUEUE    => 'none' );
    %actions         = ();
    %logactionchains = ();
    %macros          = ();
 }
 INIT {
    initialize( F_IPV4 );
 }
 #
 # This function determines the logging for a subordinate action or a rule within a superior action
 #
 sub merge_levels ($$) {
    my ( $superior, $subordinate ) = @_;
    my @supparts = split /:/, $superior;
    my @subparts = split /:/, $subordinate;
    my $subparts = @subparts;
    my $target   = $subparts[0];
    push @subparts, '' while @subparts < 3;   #Avoid undefined values
    my $level = $supparts[1];
    my $tag   = $supparts[2];
    if ( @supparts == 3 ) {
 	return "$target:none!:$tag"   if $level eq 'none!';
 	return "$target:$level:$tag"  if $level =~ /!$/;
 	return $subordinate           if $subparts >= 2;
 	return "$target:$level:$tag";
    }
    if ( @supparts == 2 ) {
 	return "$target:none!"        if $level eq 'none!';
 	return "$target:$level"       if ($level =~ /!$/) || ($subparts < 2);
    }
    $subordinate;
 }
 #
 # Try to find a macro file -- RETURNS false if the file doesn't exist or MACRO if it does.
 # If the file exists, the macro is entered into the 'targets' table and the fully-qualified
 # name of the file is stored in the 'macro' table.
 #
 sub find_macro( $ )
 {
    my $macro = $_[0];
    my $macrofile = find_file "macro.$macro";
    if ( -f $macrofile ) {
 	$macros{$macro} = $macrofile;
 	$targets{$macro} = MACRO;
    } else {
 	0;
    }
 }
 #
 # Return ( action, level[:tag] ) from passed full action
 #
 sub split_action ( $ ) {
    my $action = $_[0];
    my @a = split( /:/ , $action, 4 );
    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > 3 );
    ( shift @a, join ":", @a );
 }
 #
 # This function substitutes the second argument for the first part of the first argument up to the first colon (":")
 #
 # Example:
 #
 #         substitute_param DNAT PARAM:info:FTP
 #
 #         produces "DNAT:info:FTP"
 #
 sub substitute_param( $$ ) {
    my ( $param, $action ) = @_;
    if ( $action =~ /:/ ) {
 	my $logpart = (split_action $action)[1];
 	$logpart =~ s!/$!!;
 	return "$param:$logpart";
    }
    $param;
 }
 #
 # Combine fields from a macro body with one from the macro invocation
 #
 sub merge_macro_source_dest( $$ ) {
    my ( $body, $invocation ) = @_;
    if ( $invocation ) {
 	if ( $body ) {
 	    return $body if $invocation eq '-';
 	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^~|^!~/;
 	    return "$invocation:$body";
 	}
 	return $invocation;
    }
    $body || '';
 }
 sub merge_macro_column( $$ ) {
    my ( $body, $invocation ) = @_;
    if ( defined $invocation && $invocation ne '' && $invocation ne '-' ) {
 	$invocation;
    } else {
 	$body;
    }
 }
 #
 # Get Macro Name -- strips away trailing /*, :* and (*) from the first column in a rule, macro or action.
 #
 sub isolate_basic_target( $ ) {
    my $target = ( split '[/:]', $_[0])[0]; 
    $target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
 }
 #
 # Split the passed target into the basic target and parameter
 #
 sub get_target_param( $ ) {
    my ( $target, $param ) = split '/', $_[0];
    unless ( defined $param ) {
 	( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
    }
    ( $target, $param );
 }
 #
 # Define an Action
 #
 sub new_action( $ ) {
    my $action = $_[0];
    $actions{$action} = { actchain => '', requires => {} };
 }
 #
 # Record a 'requires' relationship between a pair of actions.
 #
 sub add_requiredby ( $$ ) {
    my ($requiredby , $requires ) = @_;
    $actions{$requires}{requires}{$requiredby} = 1;
 }
 #
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
 # a 1- or 2-digit sequence number. In the functions that follow,
 # the CHAIN, LEVEL and TAG variable serves as arguments to the user's
 # exit. We call the exit corresponding to the name of the action but we
 # set CHAIN to the name of the iptables chain where rules are to be added.
 # Similarly, LEVEL and TAG contain the log level and log tag respectively.
 #
 # The maximum length of a chain name is 30 characters -- since the log
 # action chain name is 2-3 characters longer than the base chain name,
 # this function truncates the original chain name where necessary before
 # it adds the leading "%" and trailing sequence number.
 #
 sub createlogactionchain( $$ ) {
    my ( $action, $level ) = @_;
    my $chain = $action;
    my $actionref = $actions{$action};
    my $chainref;
    my ($lev, $tag) = split ':', $level;
    validate_level $lev;
    $actionref = new_action $action unless $actionref;
    $chain = substr $chain, 0, 28 if ( length $chain ) > 28;
  CHECKDUP:
    {
 	$actionref->{actchain}++ while $chain_table{filter}{'%' . $chain . $actionref->{actchain}};
 	$chain = substr( $chain, 0, 27 ), redo CHECKDUP if ( $actionref->{actchain} || 0 ) >= 10 and length $chain == 28;
    }
    $logactionchains{"$action:$level"} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++;
    fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
    unless ( $targets{$action} & STANDARD ) {
 	my $file = find_file $chain;
 	if ( -f $file ) {
 	    progress_message "Processing $file...";
 	    ( $level, my $tag ) = split /:/, $level;
 	    $tag = $tag || '';
 	    unless ( my $return = eval `cat $file` ) {
 		fatal_error "Couldn't parse $file: $@" if $@;
 		fatal_error "Couldn't do $file: $!"    unless defined $return;
 		fatal_error "Couldn't run $file"       unless $return;
 	    }
 	}
    }
 }
 sub createsimpleactionchain( $ ) {
    my $action  = shift;
    my $chainref = new_standard_chain $action;
    $logactionchains{"$action:none"} = $chainref;
    unless ( $targets{$action} & STANDARD ) {
 	my $file = find_file $action;
 	if ( -f $file ) {
 	    progress_message "Processing $file...";
 	    my ( $level, $tag ) = ( '', '' );
 	    unless ( my $return = eval `cat $file` ) {
 		fatal_error "Couldn't parse $file: $@" if $@;
 		fatal_error "Couldn't do $file: $!"    unless defined $return;
 		fatal_error "Couldn't run $file"       unless $return;
 	    }
 	}
    }
 }
 #
 # Create an action chain and run it's associated user exit
 #
 sub createactionchain( $ ) {
    my ( $action , $level ) = split_action $_[0];
    my $chainref;
    if ( defined $level && $level ne '' ) {
 	if ( $level eq 'none' ) {
 	    createsimpleactionchain $action;
 	} else {
 	    createlogactionchain $action , $level;
 	}
    } else {
 	createsimpleactionchain $action;
    }
 }
 #
 # Find the chain that handles the passed action. If the chain cannot be found,
 # a fatal error is generated and the function does not return.
 #
 sub find_logactionchain( $ ) {
    my $fullaction = $_[0];
    my ( $action, $level ) = split_action $fullaction;
    $level = 'none' unless $level;
    fatal_error "Fatal error in find_logactionchain" unless $logactionchains{"$action:$level"};
 }
 #
 # Scans a macro file invoked from an action file ensuring that all targets mentioned in the file are known and that none are actions.
 #
 sub process_macro1 ( $$ ) {
    my ( $action, $macrofile ) = @_;
    progress_message "   ..Expanding Macro $macrofile...";
    push_open( $macrofile );
    while ( read_a_line ) {
 	my ( $mtarget, $msource,  $mdest,  $mproto,  $mports,  $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
 	next if $mtarget eq 'COMMENT' || $mtarget eq 'FORMAT';
 	$mtarget =~ s/:.*$//;
 	$mtarget = (split '/' , $mtarget)[0];
 	my $targettype = $targets{$mtarget};
 	$targettype = 0 unless defined $targettype;
 	fatal_error "Invalid target ($mtarget)"
 	    unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $targettype & ( LOGRULE | NFQ | CHAIN ) );
    }
    progress_message "   ..End Macro $macrofile";
    pop_open;
 }
 #
 # The functions process_actions1-3() implement the three phases of action processing.
 #
 # The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
 # and ${CONFDIR}/actions are scanned (in that order) and for each action:
 #
 #      a) The related action definition file is located and scanned.
 #      b) Forward and unresolved action references are trapped as errors.
 #      c) A dependency graph is created using the 'requires' field in the 'actions' table.
 #
 # As the rules file is scanned, each action[:level[:tag]] is merged onto the 'usedactions' hash. When an <action>
 # is merged into the hash, its action chain is created. Where logging is specified, a chain with the name
 # %<action>n is used where the <action> name is truncated on the right where necessary to ensure that the total
 # length of the chain name does not exceed 30 characters.
 #
 # The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of
 # %usedactions is generated; again, as new actions are merged into the hash, their action chains are created.
 #
 # The final phase (process_actions3) traverses the keys of %usedactions populating each chain appropriately
 # by reading the related action definition file and creating rules. Note that a given action definition file is
 # processed once for each unique [:level[:tag]] applied to an invocation of the action.
 #
 sub process_action1 ( $$ ) {
    my ( $action, $wholetarget ) = @_;
    my ( $target, $level ) = split_action $wholetarget;
    $level = 'none' unless $level;
    my $targettype = $targets{$target};
    if ( defined $targettype ) {
 	return if ( $targettype == STANDARD ) || ( $targettype & ( MACRO | LOGRULE |  NFQ | CHAIN ) );
 	fatal_error "Invalid TARGET ($target)" if $targettype & STANDARD;
 	fatal_error "An action may not invoke itself" if $target eq $action;
 	add_requiredby $wholetarget, $action if $targettype & ACTION;
    } elsif ( $target eq 'COMMENT' ) {
 	fatal_error "Invalid TARGET ($wholetarget)" unless $wholetarget eq $target;
    } else {
 	( $target, my $param ) = get_target_param $target;
 	return if $target eq 'NFQUEUE';
 	if ( defined $param ) {
 	    my $paramtype = $targets{$param} || 0;
 	    fatal_error "Parameter value not allowed in action files ($param)" if $paramtype & NATRULE;
 	}
 	fatal_error "Invalid or missing ACTION ($wholetarget)" unless defined $target;
 	if ( find_macro $target ) {
 	    process_macro1( $action, $macros{$target} );
 	} else {
 	    fatal_error "Invalid TARGET ($target)";
 	}
    }
 }
 sub process_actions1() {
    progress_message2 "Preprocessing Action Files...";
    for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
 	new_action $act;
    }
    for my $file ( qw/actions.std actions/ ) {
 	open_file $file;
 	while ( read_a_line ) {
 	    my ( $action ) = split_line 1, 1, 'action file';
 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
 		$action =~ s/:.*$//;
 	    }
 	    next unless $action;
 	    if ( $targets{$action} ) {
 		warning_message "Duplicate Action Name ($action) Ignored" unless $targets{$action} & ACTION;
 		next;
 	    }
 	    $targets{$action} = ACTION;
 	    fatal_error "Invalid Action Name ($action)" unless "\L$action" =~ /^[a-z]\w*$/;
 	    new_action $action;
 	    my $actionfile = find_file "action.$action";
 	    fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
 	    progress_message2 "   Pre-processing $actionfile...";
 	    push_open( $actionfile );
 	    while ( read_a_line ) {
 		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users ) = split_line 1, 8, 'action file';
 		process_action1( $action, $wholetarget );
 	    }
 	    pop_open;
 	}
    }
 }
 sub process_actions2 () {
    progress_message2 'Generating Transitive Closure of Used-action List...';
    my $changed = 1;
    while ( $changed ) {
 	$changed = 0;
 	for my $target (keys %usedactions) {
 	    my ($action, $level) = split_action $target;
 	    my $actionref = $actions{$action};
 	    fatal_error "Null Action Reference in process_actions2" unless $actionref;
 	    for my $action1 ( keys %{$actionref->{requires}} ) {
 		my $action2 = merge_levels $target, $action1;
 		unless ( $usedactions{ $action2 } ) {
 		    $usedactions{ $action2 } = 1;
 		    createactionchain $action2;
 		    $changed = 1;
 		}
 	    }
 	}
    }
 }
 #
 # This function is called to process each rule generated from an action file.
 #
 sub process_action( $$$$$$$$$$ ) {
    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
    my ( $action , $level ) = split_action $target;
    if ( $action eq 'REJECT' ) {
 	$action = 'reject';
    } elsif ( $action eq 'CONTINUE' ) {
 	$action = 'RETURN';
    } elsif ( $action =~ /^NFQUEUE/ ) {
 	( $action, my $param ) = get_target_param $action;
 	$param = 1 unless defined $param;
 	$action = "NFQUEUE --queue-num $param";
    } elsif ( $action eq 'COUNT' ) {
 	$action = '';
    }
    expand_rule ( $chainref ,
 		  NO_RESTRICT ,
 		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user ,
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
 		  $action ? "-j $action" : '',
 		  $level ,
 		  $action ,
 		  '' );
 }
 #
 # Expand Macro in action files.
 #
 sub process_macro3( $$$$$$$$$$$ ) {
    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user ) = @_;
    my $nocomment = no_comment;
    my $format = 1;
    macro_comment $macro;
    my $fn = $macros{$macro};
    progress_message "..Expanding Macro $fn...";
    push_open $fn;
    while ( read_a_line ) {
 	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser );
 	if ( $format == 1 ) {
 	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $morigdest ) = split_line1 1, 9, 'macro file', $macro_commands;
 	} else {
 	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
 	}
 	if ( $mtarget eq 'COMMENT' ) {
 	    process_comment unless $nocomment;
 	    next;
 	}
 	if ( $mtarget eq 'FORMAT' ) {
 	    fatal_error "Invalid FORMAT ($msource)" unless $msource =~ /^[12]$/;
 	    $format = $msource;
 	    next;
 	}
 	fatal_error "Invalid macro file entry (too many columns)" if $morigdest ne '-' && $format == 1;
 	if ( $mtarget =~ /^PARAM:?/ ) {
 	    fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
 	    $mtarget = substitute_param $param,  $mtarget;
 	}
 	fatal_error "Macros used within Actions may not specify an ORIGINAL DEST " if $morigdest ne '-';
 	if ( $msource ) {
 	    if ( ( $msource eq '-' ) || ( $msource eq 'SOURCE' ) ) {
 		$msource = $source || '';
 	    } elsif ( $msource eq 'DEST' ) {
 		$msource = $dest || '';
 	    } else {
 		$msource = merge_macro_source_dest $msource, $source;
 	    }
 	} else {
 	    $msource = '';
 	}
 	$msource = '' if $msource eq '-';
 	if ( $mdest ) {
 	    if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) {
 		$mdest = $dest || '';
 	    } elsif ( $mdest eq 'SOURCE' ) {
 		$mdest = $source || '';
 	    } else {
 		$mdest = merge_macro_source_dest $mdest, $dest;
 	    }
 	} else {
 	    $mdest = '';
 	}
 	$mdest   = '' if $mdest eq '-';
 	$mproto  = merge_macro_column $mproto,  $proto;
 	$mports  = merge_macro_column $mports,  $ports;
 	$msports = merge_macro_column $msports, $sports;
 	$mrate   = merge_macro_column $mrate,   $rate;
 	$muser   = merge_macro_column $muser,   $user;
 	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser;
    }
    pop_open;
    progress_message '..End Macro';
    clear_comment unless $nocomment;
 }
 #
 # Generate chain for non-builtin action invocation
 #
 sub process_action3( $$$$$ ) {
    my ( $chainref, $wholeaction, $action, $level, $tag ) = @_;
    my $actionfile = find_file "action.$action";
    fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
    progress_message2 "Processing $actionfile for chain $chainref->{name}...";
    open_file $actionfile;
    while ( read_a_line ) {
 	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user ) = split_line1 1, 8, 'action file';
 	if ( $target eq 'COMMENT' ) {
 	    process_comment;
 	    next;
 	}
 	my $target2 = merge_levels $wholeaction, $target;
 	my ( $action2 , $level2 ) = split_action $target2;
 	( $action2 , my $param ) = get_target_param $action2;
 	my $action2type = $targets{$action2} || 0; 
 	unless ( $action2type == STANDARD ) {
 	    if ( $action2type & ACTION ) {
 		$target2 = (find_logactionchain ( $target = $target2 ))->{name};
 	    } else {
 		assert( $action2type & ( MACRO | LOGRULE | NFQ | CHAIN ) );
 	    }
 	}
 	if ( $action2type == MACRO ) {
 	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user );
 	} else {
 	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user;
 	}
    }
    clear_comment;
 }
 #
 # The following small functions generate rules for the builtin actions of the same name
 #
 sub dropBcast( $$$ ) {
    my ($chainref, $level, $tag) = @_;
    if ( $capabilities{ADDRTYPE} ) {
 	if ( $level ne '' ) {
 	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
 	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
 	}
 	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
    } else {
 	if ( $family == F_IPV4 ) {
 	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
 	} else {
 	    add_commands $chainref, 'for address in $ALL_ACASTS; do';
 	}
 	incr_cmd_level $chainref;
 	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
 	add_rule $chainref, '-d $address -j DROP';
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
 	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
    }
    if ( $family == F_IPV4 ) {
 	add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
    } else {
 	add_rule $chainref, '-d ff00::/10 -j DROP';
    }
 }
 sub allowBcast( $$$ ) {
    my ($chainref, $level, $tag) = @_;
    if ( $family == F_IPV4 && $capabilities{ADDRTYPE} ) {
 	if ( $level ne '' ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
 	}
 	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
 	add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
    } else {
 	if ( $family == F_IPV4 ) {
 	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
 	} else {
 	    add_commands $chainref, 'for address in $ALL_MACASTS; do';
 	}
 	incr_cmd_level $chainref;
 	log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
 	add_rule $chainref, '-d $address -j ACCEPT';
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
 	if ( $family == F_IPV4 ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 	    add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
 	} else {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ff00::/10 ' if $level ne '';
 	    add_rule $chainref, '-d ff00:/10 -j ACCEPT';
 	}
    }
 }
 sub dropNotSyn ( $$$ ) {
    my ($chainref, $level, $tag) = @_;
    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
    add_rule $chainref , '-p tcp ! --syn -j DROP';
 }
 sub rejNotSyn ( $$$ ) {
    my ($chainref, $level, $tag) = @_;
    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p tcp ! --syn ' if $level ne '';
    add_rule $chainref , '-p tcp ! --syn -j REJECT --reject-with tcp-reset';
 }
 sub dropInvalid ( $$$ ) {
    my ($chainref, $level, $tag) = @_;
    log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
    add_rule $chainref , '-m state --state INVALID -j DROP';
 }
 sub allowInvalid ( $$$ ) {
    my ($chainref, $level, $tag) = @_;
    log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', '-m state --state INVALID ' if $level ne '';
    add_rule $chainref , '-m state --state INVALID -j ACCEPT';
 }
 sub forwardUPnP ( $$$ ) {
 }
 sub allowinUPnP ( $$$ ) {
    my ($chainref, $level, $tag) = @_;
    if ( $level ne '' ) {
 	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p udp --dport 1900 ';
 	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p tcp --dport 49152 ';
    }
    add_rule $chainref, '-p udp --dport 1900 -j ACCEPT';
    add_rule $chainref, '-p tcp --dport 49152 -j ACCEPT';
 }
 sub Limit( $$$ ) {
    my ($chainref, $level, $tag) = @_;
    my @tag = split /,/, $tag;
    fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')' unless @tag == 3;
    my $set   = $tag[0];
    for ( @tag[1,2] ) {
 	fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
    }
    my $count = $tag[1] + 1;
    require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
    add_rule $chainref, "-m recent --name $set --set";
    if ( $level ne '' ) {
 	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
 	log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
 	add_rule $xchainref, '-j DROP';
 	add_rule $chainref,  "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
    } else {
 	add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
    }
    add_rule $chainref, '-j ACCEPT';
 }
 sub process_actions3 () {
    my %builtinops = ( 'dropBcast'      => \&dropBcast,
 		       'allowBcast'     => \&allowBcast,
 		       'dropNotSyn'     => \&dropNotSyn,
 		       'rejNotSyn'      => \&rejNotSyn,
 		       'dropInvalid'    => \&dropInvalid, 
 		       'allowInvalid'   => \&allowInvalid,
 		       'allowinUPnP'    => \&allowinUPnP, 
 		       'forwardUPnP'    => \&forwardUPnP, 
 		       'Limit'          => \&Limit, );
    for my $wholeaction ( keys %usedactions ) {
 	my $chainref = find_logactionchain $wholeaction;
 	my ( $action, $level, $tag ) = split /:/, $wholeaction;
 	$level = '' unless defined $level;
 	$tag   = '' unless defined $tag;
 	if ( $targets{$action} & BUILTIN ) {
 	    $level = '' if $level =~ /none!?/;
 	    $builtinops{$action}->($chainref, $level, $tag);
 	} else {
 	    process_action3 $chainref, $wholeaction, $action, $level, $tag;
 	}
    }
 }
 1;
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -21,96 +21,87 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 package Shorewall::Compiler;
 require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Policy;
 use Shorewall::Nat;
 use Shorewall::Providers;
 use Shorewall::Tc;
 use Shorewall::Tunnels;
 use Shorewall::Actions;
 use Shorewall::Accounting;
 use Shorewall::Rules;
 use Shorewall::Proc;
 use Shorewall::Proxyarp;
 use Shorewall::IPAddrs;
 use Shorewall::Raw;
 use Shorewall::Misc;
 use strict;
 our @ISA = qw(Exporter);
-our @EXPORT = qw( compiler );
+our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
 our @EXPORT_OK = qw( $export );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_0';
-my $export;
+our $export;
-my $test;
+our $test;
-my $family;
+our $reused = 0;
 our $family = F_IPV4;
 #
-# Initilize the package-globals in the other modules
+# Reinitilize the package-globals in the other modules
 #
-sub initialize_package_globals() {
+sub reinitialize() {
    Shorewall::Config::initialize($family);
-    Shorewall::Chains::initialize ($family, 1, $export );
+    Shorewall::Chains::initialize ($family);
    Shorewall::Zones::initialize ($family);
    Shorewall::Policy::initialize;
    Shorewall::Nat::initialize;
    Shorewall::Providers::initialize($family);
    Shorewall::Tc::initialize($family);
    Shorewall::Actions::initialize( $family );
    Shorewall::Accounting::initialize;
    Shorewall::Rules::initialize($family);
    Shorewall::Proxyarp::initialize($family);
    Shorewall::IPAddrs::initialize($family);
    Shorewall::Misc::initialize($family);
 }
 #
 # First stage of script generation.
 #
-#    Copy prog.header and lib.common to the generated script.
+#    Copy prog.header to the generated script.
 #    Generate the various user-exit jacket functions.
 #
-#    Note: This function is not called when $command eq 'check'. So it must have no side effects other
+sub generate_script_1() {
 #          than those related to writing to the output script file.
 #
 sub generate_script_1( $ ) {
-    my $script = shift;
+    my $date = localtime;
-    if ( $script ) {
+    if ( $test ) {
-	if ( $test ) {
+	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
-	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
+    } else {
 	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
 	if ( $family == F_IPV4 ) {
 	    copy $globals{SHAREDIRPL} . 'prog.header';
 	} else {
-	    my $date = localtime;
+	    copy $globals{SHAREDIRPL} . 'prog.header6';
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
 	    if ( $family == F_IPV4 ) {
 		copy $globals{SHAREDIRPL} . 'prog.header';
 	    } else {
 		copy $globals{SHAREDIRPL} . 'prog.header6';
 	    }
 	    copy2 $globals{SHAREDIR} . '/lib.common', 0;
 	}
    }
    my $lib = find_file 'lib.private';
    copy2( $lib, $debug ) if -f $lib;
    emit <<'EOF';
 ################################################################################
 # Functions to execute the various user exits (extension scripts)
 ################################################################################
 EOF
    my $lib = find_file 'lib.private';
-    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
+    copy1 $lib, emit "\n" if -f $lib;
    for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -118,7 +109,7 @@ EOF
 	emit '}';
    }
-    for my $exit ( qw/isusable findgw/ ) {
+    for my $exit qw/isusable findgw/ {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file($exit, 1) or emit 'true';
@@ -140,7 +131,7 @@ EOF
 #    Generate the 'initialize()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the output script file.
+#          than those related to writing to the object file.
 sub generate_script_2() {
@@ -165,24 +156,24 @@ sub generate_script_2() {
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall-lite',
 		   'CONFDIR=/etc/shorewall-lite',
-		   'g_product="Shorewall Lite"'
+		   'PRODUCT="Shorewall Lite"'
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall',
 		   'CONFDIR=/etc/shorewall',
-		   'g_product=\'Shorewall\'',
+		   'PRODUCT=\'Shorewall\'',
 		 );
 	}
    } else {
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6-lite',
 		   'CONFDIR=/etc/shorewall6-lite',
-		   'g_product="Shorewall6 Lite"'
+		   'PRODUCT="Shorewall6 Lite"'
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6',
 		   'CONFDIR=/etc/shorewall6',
-		   'g_product=\'Shorewall6\'',
+		   'PRODUCT=\'Shorewall6\'',
 		 );
 	}
    }
@@ -214,28 +205,26 @@ sub generate_script_2() {
    my @dont_load = split_list $config{DONT_LOAD}, 'module';
    emit ( '[ -n "${COMMAND:=restart}" ]',
-	   '[ -n "${VERBOSITY:=0}" ]',
+	   '[ -n "${VERBOSE:=0}" ]',
-	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) );
+	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]),
 	   '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"' );
-    emit ( qq(SHOREWALL_VERSION="$globals{VERSION}") ) unless $test;
+    emit ( qq(VERSION="$globals{VERSION}") ) unless $test;
    emit ( qq(PATH="$config{PATH}") ,
 	   'TERMINATOR=fatal_error' ,
 	   qq(DONT_LOAD="@dont_load") ,
 	   qq(STARTUP_LOG="$config{STARTUP_LOG}") ,
 	   "LOG_VERBOSE=$config{LOG_VERBOSITY}" ,
 	   ''
 	   );
    set_chain_variables;
-    if ( $config{EXPORTPARAMS} ) {
+    append_file 'params' if $config{EXPORTPARAMS};
 	append_file 'params';
    } else {
 	export_params;
    }
    emit ( '',
-	   "g_stopping=",
+	   "STOPPING=",
 	   '',
 	   '#',
 	   '# The library requires that ${VARDIR} exist',
@@ -243,51 +232,41 @@ sub generate_script_2() {
 	   '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}'
 	   );
    pop_indent;
    emit "\n}\n"; # End of initialize()
    emit( '' ,
 	  '#' ,
 	  '# Set global variables holding detected IP information' ,
 	  '#' ,
 	  'detect_configuration()',
 	  '{' );
    my $global_variables = have_global_variables;
    push_indent;
    if ( $global_variables ) {
-
+	emit( '' ,
-	emit( 'case $COMMAND in' );
+	      '#' ,
 	      '# Set global variables holding detected IP information' ,
 	      '#' ,
 	      'case $COMMAND in' );
 	push_indent;
 	if ( $global_variables & NOT_RESTORE ) {
-	    emit( 'start|restart|refresh|disable|enable)' );
+	    emit( 'start|restart|refresh)' );
 	} else {
-	    emit( 'start|restart|refresh|disable|enable|restore)' );
+	    emit( 'start|restart|refresh|restore)' );
 	}
-
+	 
 	push_indent;
 	set_global_variables(1);
-	handle_optional_interfaces(0);
+	handle_optional_interfaces;
 	emit ';;';
-
+    
 	if ( $global_variables == ( ALL_COMMANDS | NOT_RESTORE ) ) {
 	    pop_indent;
-
+	
 	    emit 'restore)';
 	    push_indent;
 	    set_global_variables(0);
-	    handle_optional_interfaces(0);
+	    handle_optional_interfaces;
 	    emit ';;';
 	}
@@ -296,25 +275,25 @@ sub generate_script_2() {
 	pop_indent;
 	emit ( 'esac' ) ,
    } else {
 	emit( 'true' ) unless handle_optional_interfaces(1);
    }
    pop_indent;
-    emit "\n}\n"; # End of detect_configuration()
+    emit "\n}\n"; # End of initialize()
 }
 #
 # Final stage of script generation.
 #
 #    Generate code for loading the various files in /var/lib/shorewall[6][-lite]
 #    Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES
 #
 #    Generate the 'setup_netfilter()' function that runs iptables-restore.
 #    Generate the 'define_firewall()' function.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
-#          than those related to writing to the output script file.
+#          than those related to writing to the object file.
 #
 sub generate_script_3($) {
@@ -335,10 +314,10 @@ sub generate_script_3($) {
    save_progress_message 'Initializing...';
-    if ( $export || $config{EXPORTMODULES} ) {
+    if ( $export ) {
-	my $fn = find_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' );
+	my $fn = find_file 'modules';
-	if ( -f $fn && ( $config{EXPORTMODULES} || ( $export && ! $fn =~ "^$globals{SHAREDIR}/" ) ) ) {
+	if ( $fn ne "$globals{SHAREDIR}/modules" && -f $fn ) {
 	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
@@ -346,7 +325,7 @@ sub generate_script_3($) {
 	    emit_unindented $currentline while read_a_line;
 	    emit_unindented 'EOF';
-	    emit '', 'reload_kernel_modules < ${VARDIR}/.modules';
+	    emit 'reload_kernel_modules < ${VARDIR}/.modules';
 	} else {
 	    emit 'load_kernel_modules Yes';
 	}
@@ -354,28 +333,63 @@ sub generate_script_3($) {
 	emit 'load_kernel_modules Yes';
    }
    emit '';
    load_ipsets;
    if ( $family == F_IPV4 ) {
 	my @ipsets = all_ipsets;
 	if ( @ipsets ) {
 	    emit ( '',
 		   'case $IPSET in',
 		   '    */*)',
 		   '        [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"',
 		   '        ;;',
 		   '    *)',
 		   '        IPSET="$(mywhich $IPSET)"',
 		   '        [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"' ,
 		   '        ;;',
 		   'esac',
 		   '',
 		   'if [ "$COMMAND" = start ]; then' ,
 		   '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		   '        $IPSET -F' ,
 		   '        $IPSET -X' ,
 		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
 		   '    fi' ,
 		   '' );
 	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
 	    emit ( '' ,
 		   'elif [ "$COMMAND" = restart ]; then' ,
 		   '' );
 	    emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
 	    emit ( '' , 
 		   '    if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
 		   '        grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
 		   '    fi' );
 	    emit ( 'fi',
 		   '' );
 	}
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
-	       '   run_refresh_exit' ,
+	       '   run_refresh_exit' );
-	       'else' ,
+
 	emit ( "   qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
 	emit ( 'else' ,
 	       '    run_init_exit',
 	       'fi',
 	       '' );
 	save_dynamic_chains;
 	mark_firewall_not_started;
-
+		       	       
-	emit ( '',
+	emit ('',
 	       'delete_proxyarp',
 	       ''
 	     );
-	if ( have_capability( 'NAT_ENABLED' ) ) {
+	if ( $capabilities{NAT_ENABLED} ) {
 	    emit(  'if [ -f ${VARDIR}/nat ]; then',
 		   '    while read external interface; do',
 		   '        del_ip_addr $external $interface',
@@ -388,20 +402,23 @@ sub generate_script_3($) {
 	emit "disable_ipv6\n" if $config{DISABLE_IPV6};
    } else {
-	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
+	emit ( '#',
-	       '   run_refresh_exit' ,
+	       '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
-	       'else' ,
+	       '#',
-	       '    run_init_exit',
+	       'qt1 $IP6TABLES -N foox1234',
-	       'fi',
+	       'qt1 $IP6TABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
 	       'result=$?',
 	       'qt1 $IP6TABLES -F foox1234',
 	       'qt1 $IP6TABLES -X foox1234',
 	       '[ $result = 0 ] || startup_error "Your kernel/ip6tables do not include state match support. No version of Shorewall6 will run on this system"',
 	       '' );
-	save_dynamic_chains;
+	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
-	mark_firewall_not_started;
+		   '',
-
+	       'qt1 $IP6TABLES -L shorewall -n && qt1 $IP6TABLES -F shorewall && qt1 $IP6TABLES -X shorewall',
 	emit ('',
 	       'delete_proxyndp',
 	       ''
 	     );
    }
    emit qq(delete_tc1\n) if $config{CLEAR_TC};
@@ -410,12 +427,7 @@ sub generate_script_3($) {
    emit( 'setup_routing_and_traffic_shaping', '' );
-    if ( $family == F_IPV4 ) {
+    emit 'cat > ${VARDIR}/proxyarp << __EOF__';
 	emit 'cat > ${VARDIR}/proxyarp << __EOF__';
    } else {
 	emit 'cat > ${VARDIR}/proxyndp << __EOF__';
    } 
    dump_proxy_arp;
    emit_unindented '__EOF__';
@@ -428,10 +440,6 @@ sub generate_script_3($) {
    dump_zone_contents;
    emit_unindented '__EOF__';
    emit 'cat > ${VARDIR}/policies << __EOF__';
    save_policies;
    emit_unindented '__EOF__';
    pop_indent;
    emit "fi\n";
@@ -459,38 +467,31 @@ EOF
    pop_indent;
    setup_forwarding( $family , 1 );
    push_indent;
-
+    emit<<'EOF';
-    my $config_dir = $globals{CONFIGDIR};
+    set_state "Started"
    emit<<"EOF";
    set_state Started $config_dir
    run_restored_exit
 else
-    if [ \$COMMAND = refresh ]; then
+    if [ $COMMAND = refresh ]; then
        chainlist_reload
 EOF
    setup_forwarding( $family , 0 );
-
+    emit<<'EOF';
    emit<<"EOF";
        run_refreshed_exit
        do_iptables -N shorewall
-        set_state Started $config_dir
+        set_state "Started"
    else
        setup_netfilter
        restore_dynamic_rules
        conditionally_flush_conntrack
 EOF
    setup_forwarding( $family , 0 );
-
+    emit<<'EOF';
    emit<<"EOF";
        run_start_exit
        do_iptables -N shorewall
-        set_state Started $config_dir
+        set_state "Started"
        run_started_exit
    fi
 EOF
    emit<<'EOF';
    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
 fi
@@ -498,16 +499,16 @@ date > ${VARDIR}/restarted
 case $COMMAND in
    start)
-        logger -p kern.info "$g_product started"
+        logger -p kern.info "$PRODUCT started"
        ;;
    restart)
-        logger -p kern.info "$g_product restarted"
+        logger -p kern.info "$PRODUCT restarted"
        ;;
    refresh)
-        logger -p kern.info "$g_product refreshed"
+        logger -p kern.info "$PRODUCT refreshed"
        ;;
    restore)
-        logger -p kern.info "$g_product restored"
+        logger -p kern.info "$PRODUCT restored"
        ;;
 esac
 EOF
@@ -518,21 +519,21 @@ EOF
 }
-#1
+#
 #  The Compiler.
 #
 #     Arguments are named -- see %parms below.
 #
 sub compiler {
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate ) =
+    my ( $objectfile, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity ) = 
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        );
+       ( '',          '',         -1,          '',          0,      '',       '',   -1 );
    $export = 0;
    $test   = 0;
    sub validate_boolean( $ ) {
-	 my $val = numeric_value( shift );
+	 my $val = numeric_value( shift ); 
 	 defined($val) && ($val >= 0) && ($val < 2);
     }
@@ -546,8 +547,7 @@ sub compiler {
 	defined($val) && ($val == F_IPV4 || $val == F_IPV6);
    }
-    my %parms = ( object        => { store => \$scriptfilename },    #Deprecated
+    my %parms = ( object        => { store => \$objectfile },
 		  script        => { store => \$scriptfilename },
 		  directory     => { store => \$directory  },
 		  family        => { store => \$family    ,    validate => \&validate_family    } ,
 		  verbosity     => { store => \$verbosity ,    validate => \&validate_verbosity } ,
@@ -558,10 +558,6 @@ sub compiler {
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
 		  preview       => { store => \$preview,       validate=> \&validate_boolean    } ,    
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,		  
 		);
    #
    #                               P A R A M E T E R    P R O C E S S I N G
@@ -576,45 +572,37 @@ sub compiler {
 	${$ref->{store}} = $val;
    }
-    #
+    reinitialize if $reused++ || $family == F_IPV6;
    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
    #
    initialize_package_globals;
    if ( $directory ne '' ) {
 	fatal_error "$directory is not an existing directory" unless -d $directory;
 	set_shorewall_dir( $directory );
    }
-    $verbosity = 1 if $debug && $verbosity < 1;
+    set_verbose( $verbosity );
    set_verbosity( $verbosity );
    set_log($log, $log_verbosity) if $log;
    set_timestamp( $timestamp );
-    set_debug( $debug , $confess );
+    set_debug( $debug );
    #
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
-    get_configuration( $export , $update , $annotate );
+    get_configuration( $export );
-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
+    report_capabilities;
    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{HIGH_ROUTE_MARKS};
    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
-    if ( $scriptfilename ) {
+    set_command( 'check', 'Checking', 'Checked' ) unless $objectfile;
-	set_command( 'compile', 'Compiling', 'Compiled' );
+
-	create_temp_script( $scriptfilename , $export );
+    initialize_chain_table;
-    } else {
+
-	set_command( 'check', 'Checking', 'Checked' );
+    unless ( $command eq 'check' ) {
 	create_temp_object( $objectfile , $export );
    }
-    #
+
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # shorewall.conf has been processed and the capabilities have been determined.
    #
    initialize_chain_table(1);
    #
    # Allow user to load Perl modules
    #
@@ -639,25 +627,25 @@ sub compiler {
    #
    # Do action pre-processing.
    #
-    process_actions;
+    process_actions1;
    #
    #                                        P O L I C Y
    #                           (Produces no output to the compiled script)
    #
-    process_policies;
+    validate_policy;
    #
    #                                       N O T R A C K
    #                           (Produces no output to the compiled script)
    #
    setup_notrack;
-    enable_script;
+    enable_object;
-
+    
-    if ( $scriptfilename || $debug ) {
+    unless ( $command eq 'check' ) {
 	#
-	# Place Header in the script
+	# Place Header in the object
 	#
-	generate_script_1( $scriptfilename );
+	generate_script_1;
 	#
 	#                               C O M M O N _ R U L E S
 	#           (Writes the setup_common_rules() function to the compiled script)
@@ -669,13 +657,13 @@ sub compiler {
 	    );
 	push_indent;
-    }
+    } 
    #
-    # Do all of the zone-independent stuff (mostly /proc)
+    # Do all of the zone-independent stuff
    #
    add_common_rules;
    #
-    # More /proc
+    # /proc stuff
    #
    if ( $family == F_IPV4 ) {
 	setup_arp_filtering;
@@ -689,34 +677,25 @@ sub compiler {
    #
    setup_proxy_arp;
    #
-    # Handle MSS settings in the zones file
+    # Handle MSS setings in the zones file
    #
    setup_zone_mss;
-    if ( $scriptfilename || $debug ) {
+    unless ( $command eq 'check' ) {
 	emit 'return 0';
 	pop_indent;
-	emit '}'; # End of setup_common_rules()
+	emit '}';
    }
-    disable_script;
+    disable_object;
    #
    #                      R O U T I N G _ A N D _ T R A F F I C _ S H A P I N G
    #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
    #
-    enable_script;
+    enable_object;
-    #
+    
-    # Validate the TC files so that the providers will know what interfaces have TC
+    unless ( $command eq 'check' ) {
-    #
+
    my $tcinterfaces = process_tc;
    #
    # Generate a function to bring up each provider
    #
    process_providers( $tcinterfaces );
    #
    # [Re-]establish Routing
    #
    if ( $scriptfilename || $debug ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
 	       '#',
@@ -725,19 +704,21 @@ sub compiler {
 	push_indent;
    }
-
+    #
    # [Re-]establish Routing
    #
    setup_providers;
    #
    # TCRules and Traffic Shaping
    #
    setup_tc;
-    if ( $scriptfilename || $debug ) {
+    unless ( $command eq 'check' ) {
 	pop_indent;
-	emit "}\n"; # End of setup_routing_and_traffic_shaping()
+	emit "}\n";
    }
-    disable_script;
+    disable_object;
    #
    #                                       N E T F I L T E R
    #       (Produces no output to the compiled script -- rules are stored in the chain table)
@@ -748,11 +729,11 @@ sub compiler {
 	#
 	# ECN
 	#
-	setup_ecn if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+	setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
 	#
 	# Setup Masquerading/SNAT
 	#
-	setup_masq;
+	setup_masq; 
 	#
 	# Setup Nat
 	#
@@ -776,6 +757,11 @@ sub compiler {
    #
    setup_tunnels;
    #
    # Post-rules action processing.
    #
    process_actions2;
    process_actions3;
    #
    # MACLIST Filtration again
    #
    setup_mac_lists 2;
@@ -786,30 +772,24 @@ sub compiler {
    #
    # Accounting.
    #
-    setup_accounting if $config{ACCOUNTING};
+    setup_accounting;
-    if ( $scriptfilename ) {
+    if ( $command eq 'check' ) {
 	if ( $family == F_IPV4 ) {
 	    progress_message3 "Shorewall configuration verified";
 	} else {
 	    progress_message3 "Shorewall6 configuration verified";
 	}
    } else {
 	#
-	# Compiling a script - generate the zone by zone matrix
+	# Generate the zone x zone matrix
 	#
 	generate_matrix;
-	if ( $config{OPTIMIZE} & 0xE ) {
+	enable_object;
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
 	    #
 	    optimize_policy_chains if $config{OPTIMIZE} & 2;
 	    #
 	    # More Optimization
 	    #
 	    optimize_ruleset if $config{OPTIMIZE} & 0xC;
 	}
 	enable_script;
 	#
-	#                             I N I T I A L I Z E
+	#                                    I N I T I A L I Z E
-	#           (Writes the initialize() function to the compiled script)
+	#                  (Writes the initialize() function to the compiled script)
 	#
 	generate_script_2;
 	#
@@ -817,24 +797,17 @@ sub compiler {
 	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
 	#                               S T O P _ F I R E W A L L
 	#             (Writes the stop_firewall() function to the compiled script)
 	#
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
 	#
-	Shorewall::Chains::initialize( $family, 0 , $export );
+	Shorewall::Chains::initialize( $family );
-	initialize_chain_table(0);
+	initialize_chain_table;
 	compile_stop_firewall( $test ); 
 	#
-	#                           S T O P _ F I R E W A L L
+	# Copy the footer to the object
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
 	compile_stop_firewall( $test, $export );
 	#
 	#                               U P D O W N
 	#               (Writes the updown() function to the compiled script)
 	#
 	compile_updown;
 	#
 	# Copy the footer to the script
 	#
 	unless ( $test ) {
 	    if ( $family == F_IPV4 ) {
@@ -843,67 +816,16 @@ sub compiler {
 		copy $globals{SHAREDIRPL} . 'prog.footer6';
 	    }
 	}
-
+	
-	disable_script;
+	disable_object;
 	#
-	# Close, rename and secure the script
+	# Close, rename and secure the object
 	#
-	finalize_script ( $export );
+	finalize_object ( $export );
 	#
 	# And generate the auxilary config file
 	#
-	enable_script, generate_aux_config if $export;
+	enable_object, generate_aux_config if $export;
    } else {
 	#
 	# Just checking the configuration
 	#
 	if ( $preview || $debug ) {
 	    #
 	    # User wishes to preview the ruleset or we are tracing -- generate the rule matrix
 	    #
 	    generate_matrix;
 	    if ( $config{OPTIMIZE} & 0xE ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
 		#
 		optimize_policy_chains if $config{OPTIMIZE} & 2;
 		#
 		# Ruleset Optimization
 		#
 		optimize_ruleset if $config{OPTIMIZE} & 0xC;
 	    }
 	    enable_script if $debug;
 	    generate_script_2 if $debug;
 	    preview_netfilter_load if $preview;
 	}
 	#
 	# Re-initialize the chain table so that process_routestopped() has the same
 	# environment that it would when called by compile_stop_firewall().
 	#
 	Shorewall::Chains::initialize( $family , 0 , $export );
 	initialize_chain_table(0);
 	if ( $debug ) {
 	    compile_stop_firewall( $test, $export );
 	    disable_script;
 	} else {
 	    #
 	    # compile_stop_firewall() also validates the routestopped file. Since we don't
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
 	    process_routestopped;
 	}
 	if ( $family == F_IPV4 ) {
 	    progress_message3 "Shorewall configuration verified";
 	} else {
 	    progress_message3 "Shorewall6 configuration verified";
 	}
    }
    close_log if $log;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -21,12 +21,12 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #   This module provides interfaces for dealing with IPv4 addresses, protocol names, and
-#   port names. It also exports functions for validating protocol- and port- (service)
+#   port names. It also exports functions for validating protocol- and port- (service) 
 #   related constructs.
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 F_IPV4 F_IPV6 );
 use Socket;
 use strict;
@@ -34,23 +34,19 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( ALLIPv4
                  ALLIPv6
 		  NILIPv4
 		  NILIPv6
 	          IPv4_MULTICAST
 	          IPv6_MULTICAST
 	          IPv6_LINKLOCAL
 	          IPv6_SITELOCAL
 	          IPv6_LINKLOCAL
 	          IPv6_LOOPBACK
 	          IPv6_LINK_ALLNODES
 	          IPv6_LINK_ALLRTRS
 	          IPv6_SITE_ALLNODES
 	          IPv6_SITE_ALLRTRS
 		  ALLIP
 		  NILIP
 		  ALL
 		  TCP
 		  UDP
 		  UDPLITE
 		  ICMP
 		  DCCP
 		  IPv6_ICMP
@@ -59,7 +55,6 @@ our @EXPORT = qw( ALLIPv4
 		  validate_address
 		  validate_net
 		  decompose_net
 		  compare_nets
 		  validate_host
 		  validate_range
 		  ip_range_explicit
@@ -67,9 +62,6 @@ our @EXPORT = qw( ALLIPv4
 		  allipv4
 		  allipv6
 		  allip
 		  nilipv4
 		  nilipv6
 		  nilip
 		  rfc1918_networks
 		  resolve_proto
 		  proto_name
@@ -80,52 +72,52 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.3_7';
 #
 # Some IPv4/6 useful stuff
 #
-my @allipv4 = ( '0.0.0.0/0' );
+our @allipv4 = ( '0.0.0.0/0' );
-my @allipv6 = ( '::/0' );
+our @allipv6 = ( '::/0' );
-my $allip;
+our $family;
 my @allip;
 my @nilipv4 = ( '0.0.0.0' );
 my @nilipv6 = ( '::' );
 my $nilip;
 my @nilip;
 my $valid_address;
 my $validate_address;
 my $validate_net;
 my $validate_range;
 my $validate_host;
 my $family;
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
-	       NILIPv4             => '0.0.0.0' ,
+	       IPv6_MULTICAST      => 'FF00::/10' ,
-	       NILIPv6             => '::' ,
+	       IPv6_LINKLOCAL      => 'FF80::/10' ,
-	       IPv4_MULTICAST      => '224.0.0.0/4' ,
+	       IPv6_SITELOCAL      => 'FFC0::/10' ,
-	       IPv6_MULTICAST      => 'ff00::/8' ,
+	       IPv6_LINKLOCAL      => 'FF80::/10' ,
 	       IPv6_LINKLOCAL      => 'fe80::/10' ,
 	       IPv6_SITELOCAL      => 'feC0::/10' ,
 	       IPv6_LOOPBACK       => '::1' ,
-	       IPv6_LINK_ALLNODES  => 'ff01::1' ,
+	       IPv6_LINK_ALLNODES  => 'FF01::1' ,
-	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
+	       IPv6_LINK_ALLRTRS   => 'FF01::2' ,
-	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
+	       IPv6_SITE_ALLNODES  => 'FF02::1' ,
-	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
+	       IPv6_SITE_ALLRTRS   => 'FF02::2' ,
-	       ICMP                => 1,
+	       ICMP                => 1, 
-	       TCP                 => 6,
+	       TCP                 => 6, 
 	       UDP                 => 17,
 	       DCCP                => 33,
 	       IPv6_ICMP           => 58,
-	       SCTP                => 132,
+	       SCTP                => 132 };
 	       UDPLITE             => 136 };
-my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
+our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 #
-# Note: initialize() is declared at the bottom of the file
+# Initialize globals -- we take this novel approach to globals initialization to allow
 #                       the compiler to run multiple times in the same process. The
 #                       initialize() function does globals initialization for this
 #                       module and is called from an INIT block below. The function is
 #                       also called by Shorewall::Compiler::compiler at the beginning of
 #                       the second and subsequent calls to that function.
 #
 sub initialize( $ ) {
    $family = shift;
 }
 INIT {
    initialize( F_IPV4 );
 }
 sub vlsm_to_mask( $ ) {
    my $vlsm = $_[0];
@@ -137,8 +129,8 @@ sub valid_4address( $ ) {
    my @address = split /\./, $address;
    return 0 unless @address == 4;
-    for ( @address ) {
+    for my $a ( @address ) {
-	return 0 unless /^\d+$/ && $_ < 256;
+	return 0 unless $a =~ /^\d+$/ && $a < 256;
    }
    1;
@@ -171,8 +163,8 @@ sub decodeaddr( $ ) {
    my $result = shift @address;
-    for ( @address ) {
+    for my $a ( @address ) {
-	$result = ( $result << 8 ) | $_;
+	$result = ( $result << 8 ) | $a;
    }
    $result;
@@ -197,16 +189,7 @@ sub validate_4net( $$ ) {
    $net = '' unless defined $net;
    fatal_error "Missing address" if $net eq '';
-
+    fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
    if ( $net =~ /\+(\[?)/ ) {
 	if ( $1 ) {
 	    fatal_error "An ipset list ($net) is not allowed in this context";
 	} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
 	    fatal_error "An ipset name ($net) is not allowed in this context";
 	} else {
 	    fatal_error "Invalid ipset name ($net)";
 	}
    }
    if ( defined $vlsm ) {
        fatal_error "Invalid VLSM ($vlsm)"            unless $vlsm =~ /^\d+$/ && $vlsm <= 32;
@@ -224,7 +207,7 @@ sub validate_4net( $$ ) {
 	    ( decodeaddr( $net ) , $vlsm );
 	} else {
 	    "$net/$vlsm";
-	}
+	}	    
    }
 }
@@ -281,19 +264,10 @@ sub decompose_net( $ ) {
    my $net = $_[0];
    ( $net, my $vlsm ) = validate_net( $net , 0 );
-    ( ( $family == F_IPV4 ? encodeaddr( $net) : normalize_6addr( $net ) )  , $vlsm );
+    ( encodeaddr( $net) , $vlsm );
 }
 sub compare_nets( $$ ) {
    my ( @net1, @net2 );
    @net1 = decompose_net( $_[0] );
    @net2 = decompose_net( $_[1] );
    $net1[0] eq $net2[0] && $net1[1] == $net2[1];
 }			    
 sub allipv4() {
    @allipv4;
 }
@@ -302,14 +276,6 @@ sub allipv6() {
    @allipv6;
 }
 sub nilipv4() {
    @nilipv4;
 }
 sub nilipv6() {
    @nilipv6;
 }
 sub rfc1918_networks() {
    @rfc1918_networks
 }
@@ -328,17 +294,7 @@ sub resolve_proto( $ ) {
    my $proto = $_[0];
    my $number;
-    if ( $proto =~ /^\d+$/ || $proto =~ /^0x/ ) {
+    $proto =~ /^(\d+)$/ ? $proto <= 65535 ? $proto : undef : defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 255 ? $number : undef;
    } else {
 	#
 	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
 	#
 	$proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6;
 	defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
    }
 }
 sub proto_name( $ ) {
@@ -352,19 +308,16 @@ sub validate_port( $$ ) {
    my $value;
-    if ( $port =~ /^(\d+)$/ || $port =~ /^0x/ ) {
+    if ( $port =~ /^(\d+)$/ ) {
-	$port = numeric_value $port;
+	return $port if $port <= 65535;
 	return $port if defined $port && $port && $port <= 65535;
    } else {
 	$proto = proto_name $proto if $proto =~ /^(\d+)$/;
 	$value = getservbyname( $port, $proto );
    }
-    return $value if defined $value;
+    fatal_error "Invalid/Unknown $proto port/service ($port)" unless defined $value;
-    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
+    $value;
    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
 }
 sub validate_portpair( $$ ) {
@@ -377,7 +330,7 @@ sub validate_portpair( $$ ) {
    my @ports = split /:/, $portpair, 2;
-    $_ = validate_port( $proto, $_) for ( grep $_, @ports );
+    $_ = validate_port( $proto, $_) for ( @ports );
    if ( @ports == 2 ) {
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
@@ -445,6 +398,7 @@ my %icmp_types = ( any                          => 'any',
 		   'address-mask-reply'         => 18 );
 sub validate_icmp( $ ) {
    fatal_error "IPv4 ICMP not allowed in an IPv6 Rule" unless $family == F_IPV4;
    my $type = $_[0];
@@ -484,14 +438,14 @@ sub expand_port_range( $$ ) {
 	#
 	# Validate the ports
 	#
-	( $first , $last ) = ( validate_port( $proto, $first || 1 ) , validate_port( $proto, $last ) );
+	( $first , $last ) = ( validate_port( $proto, $first ) , validate_port( $proto, $last ) );
 	$last++; #Increment last address for limit testing.
 	#
 	# Break the range into groups:
 	#
 	#      - If the first port in the remaining range is odd, then the next group is ( <first>, ffff ).
-	#      - Otherwise, find the largest power of two P that divides the first address such that
+	#      - Otherwise, find the largest power of two P that divides the first address such that 
 	#        the remaining range has less than or equal to P ports. The next group is
 	#        ( <first> , ~( P-1 ) ).
 	#
@@ -517,8 +471,8 @@ sub expand_port_range( $$ ) {
    } else {
 	( sprintf( '%04x' , validate_port( $proto, $range ) ) , 'ffff' );
-    }
+    } 
-}
+}   
 sub valid_6address( $ ) {
    my $address = $_[0];
@@ -530,26 +484,24 @@ sub valid_6address( $ ) {
 	return 0 unless valid_4address pop @address;
 	$max = 6;
 	$address = join ':', @address;
 	return 1 if @address eq ':';
    } else {
 	$max = 8;
    }
    return 0 if @address > $max;
    return 0 unless $address =~ /^[a-f:\d]+$/;
    return 0 unless ( @address == $max ) || $address =~ /::/;
    return 0 if $address =~ /:::/ || $address =~ /::.*::/;
-    unless ( $address =~ /^::/ ) {
+    if ( $address =~ /^:/ ) {
-	return 0 if $address =~ /^:/;
+	unless ( $address eq '::' ) {
-    }
+	    return 0 if $address =~ /:$/ || $address =~ /^:.*::/;
-
+	}
-    unless ( $address =~ /::$/  ) {
+    } elsif ( $address =~ /:$/ ) {
-	return 0 if $address =~ /:$/;
+	return 0 if $address =~ /::.*:$/;
    }
    for my $a ( @address ) {
-	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && length $a < 5 );
+	return 0 unless $a eq '' || ( $a =~ /^[a-fA-f\d]+$/ && oct "0x$a" < 65536 );
    }
    1;
@@ -580,15 +532,7 @@ sub validate_6net( $$ ) {
    my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
    my $allow_name = $_[1];
-    if ( $net =~ /\+(\[?)/ ) {
+    fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
 	if ( $1 ) {
 	    fatal_error "An ipset list ($net) is not allowed in this context";
 	} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
 	    fatal_error "An ipset name ($net) is not allowed in this context";
 	} else {
 	    fatal_error "Invalid ipset name ($net)";
 	}
    }
    if ( defined $vlsm ) {
        fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
@@ -597,16 +541,6 @@ sub validate_6net( $$ ) {
    } else {
 	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
 	validate_6address $net, $allow_name;
 	$vlsm = 128;
    }
    if ( defined wantarray ) {
 	assert ( ! $allow_name );
 	if ( wantarray ) {
 	    ( $net , $vlsm );
 	} else {
 	    "$net/$vlsm";
 	}
    }
 }
@@ -616,27 +550,13 @@ sub validate_6net( $$ ) {
 sub normalize_6addr( $ ) {
    my $addr = shift;
-    if ( $addr eq '::' ) {
+    while ( $addr =~ tr/:/:/ < 6 ) {
-	'0:0:0:0:0:0:0:0';
+	$addr =~ s/::/:0::/;
    } else {
 	#
 	# Suppress leading zeros
 	#
 	$addr =~ s/^0+//;
 	$addr =~ s/:0+/:/g;
 	$addr =~ s/^:/0:/;
 	$addr =~ s/:$/:0/;
 	$addr =~ s/::/:0::/ while $addr =~ tr/:/:/ < 7;
 	#
 	# Note: "s/::/:0:/g" doesn't work here
 	#
 	1 while $addr =~ s/::/:0:/;
 	$addr =~ s/^0+:/0:/;
 	$addr;
    }
    $addr =~ s/::/:0:/;
    $addr;
 }
 sub validate_6range( $$ ) {
@@ -660,7 +580,7 @@ sub validate_6range( $$ ) {
 }
 sub validate_6host( $$ ) {
-    my ( $host, $allow_name )  = @_;
+    my ( $host, $allow_name )  = $_[0];
    if ( $host =~ /^(.*:.*)-(.*:.*)$/ ) {
 	validate_6range $1, $2;
@@ -694,6 +614,7 @@ my %ipv6_icmp_types = ( any                          => 'any',
 sub validate_icmp6( $ ) {
    fatal_error "IPv6 ICMP not allowed in an IPv4 Rule" unless $family == F_IPV6;
    my $type = $_[0];
    my $value = $ipv6_icmp_types{$type};
@@ -708,75 +629,31 @@ sub validate_icmp6( $ ) {
 }
 sub ALLIP() {
-    $allip;
+    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
 }
 sub allip() {
-    @allip;
+    $family == F_IPV4 ? ALLIPv4 : ALLIPv6;
-}
+}    
 sub NILIP() {
    $nilip;
 }
 sub nilip() {
    @nilip;
 }
 sub valid_address ( $ ) {
-    $valid_address->(@_);
+    $family == F_IPV4 ? valid_4address( $_[0] ) :  valid_6address( $_[0] );
 }
 sub validate_address ( $$ ) {
-    $validate_address->(@_);
+    $family == F_IPV4 ? validate_4address( $_[0], $_[1] ) :  validate_6address( $_[0], $_[1] );
 }
 sub validate_net ( $$ ) {
-    $validate_net->(@_);
+    $family == F_IPV4 ? validate_4net( $_[0], $_[1] ) :  validate_6net( $_[0], $_[1] );
 }
-sub validate_range ($$ ) {
+sub validate_range ($$ ) { 
-    $validate_range->(@_);
+    $family == F_IPV4 ? validate_4range( $_[0], $_[1] ) :  validate_6range( $_[0], $_[1] );
 }
-sub validate_host ($$ ) {
+sub validate_host ($$ ) { 
-    $validate_host->(@_);
+    $family == F_IPV4 ? validate_4host( $_[0], $_[1] ) :  validate_6host( $_[0], $_[1] );
 }
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
 #
 #   1. Proper initialization depends on the address family which isn't
 #      known until the compiler has started.
 #
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
 sub initialize( $ ) {
    $family = shift;
    if ( $family == F_IPV4 ) {
 	$allip            = ALLIPv4;
 	@allip            = @allipv4;
 	$nilip            = NILIPv4;
 	@nilip            = @nilipv4;
 	$valid_address    = \&valid_4address;
 	$validate_address = \&validate_4address;
 	$validate_net     = \&validate_4net;
 	$validate_range   = \&validate_4range;
 	$validate_host    = \&validate_4host;
    } else {
 	$allip            = ALLIPv6;
 	@allip            = @allipv6;
 	$nilip            = NILIPv6;
 	@nilip            = @nilipv6;
 	$valid_address    = \&valid_6address;
 	$validate_address = \&validate_6address;
 	$validate_net     = \&validate_6net;
 	$validate_range   = \&validate_6range;
 	$validate_host    = \&validate_6host;
    }
 }
 1;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -29,6 +29,7 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Providers qw( lookup_provider );
 use strict;
@@ -36,19 +37,79 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.3_7';
-my @addresses_to_add;
+our @addresses_to_add;
-my %addresses_to_add;
+our %addresses_to_add;
 #
-# Called by the compiler
+# Initialize globals -- we take this novel approach to globals initialization to allow
 #                       the compiler to run multiple times in the same process. The
 #                       initialize() function does globals initialization for this
 #                       module and is called from an INIT block below. The function is
 #                       also called by Shorewall::Compiler::compiler at the beginning of
 #                       the second and subsequent calls to that function.
 #
 sub initialize() {
    @addresses_to_add = ();
    %addresses_to_add = ();
 }
 INIT {
    initialize;
 }
 #
 # Handle IPSEC Options in a masq record
 #
 sub do_ipsec_options($)
 {
    my %validoptions = ( strict       => NOTHING,
 			 next         => NOTHING,
 			 reqid        => NUMERIC,
 			 spi          => NUMERIC,
 			 proto        => IPSECPROTO,
 			 mode         => IPSECMODE,
 			 "tunnel-src" => NETWORK,
 			 "tunnel-dst" => NETWORK,
 		       );
    my $list=$_[0];
    my $options = '-m policy --pol ipsec --dir out ';
    my $fmt;
    for my $e ( split_list $list, 'option' ) {
 	my $val    = undef;
 	my $invert = '';
 	if ( $e =~ /([\w-]+)!=(.+)/ ) {
 	    $val    = $2;
 	    $e      = $1;
 	    $invert = '! ';
 	} elsif ( $e =~ /([\w-]+)=(.+)/ ) {
 	    $val = $2;
 	    $e   = $1;
 	}
 	$fmt = $validoptions{$e};
 	fatal_error "Invalid Option ($e)" unless $fmt;
 	if ( $fmt eq NOTHING ) {
 	    fatal_error "Option \"$e\" does not take a value" if defined $val;
 	} else {
 	    fatal_error "Missing value for option \"$e\""        unless defined $val;
 	    fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
 	}
 	$options .= $invert;
 	$options .= "--$e ";
 	$options .= "$val " if defined $val;
    }
    $options;
 }
 #
 # Process a single rule from the the masq file
 #
@@ -100,16 +161,16 @@ sub process_one_masq( )
    # Handle IPSEC options, if any
    #
    if ( $ipsec ne '-' ) {
-	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless have_capability( 'POLICY_MATCH' );
+	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless $globals{ORIGINAL_POLICY_MATCH};
 	if ( $ipsec =~ /^yes$/i ) {
-	    $baserule .= do_ipsec_options 'out', 'ipsec', '';
+	    $baserule .= '-m policy --pol ipsec --dir out ';
 	} elsif ( $ipsec =~ /^no$/i ) {
-	    $baserule .= do_ipsec_options 'out', 'none', '';
+	    $baserule .= '-m policy --pol none --dir out ';
 	} else {
-	    $baserule .= do_ipsec_options 'out', 'ipsec', $ipsec;
+	    $baserule .= do_ipsec_options $ipsec;
 	}
-    } elsif ( have_ipsec ) {
+    } elsif ( $capabilities{POLICY_MATCH} ) {
 	$baserule .= '-m policy --pol none --dir out ';
    }
@@ -117,15 +178,16 @@ sub process_one_masq( )
    # Handle Protocol and Ports
    #
    $baserule .= do_proto $proto, $ports, '';
    #
    # Handle Mark
    #
-    $baserule .= do_test( $mark, $globals{TC_MASK} ) if $mark ne '-';
+    $baserule .= do_test( $mark, 0xFF) if $mark ne '-';
-    $baserule .= do_user( $user )                    if $user ne '-';
+    $baserule .= do_user( $user )      if $user ne '-';
    for my $fullinterface (split_list $interfacelist, 'interface' ) {
 	my $rule = '';
-	my $target = 'MASQUERADE ';
+	my $target = '-j MASQUERADE ';
 	#
 	# Isolate and verify the interface part
 	#
@@ -145,7 +207,7 @@ sub process_one_masq( )
 	fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 	unless ( $interfaceref->{root} ) {
-	    $rule .= match_dest_dev( $interface );
+	    $rule .= "-o $interface ";
 	    $interface = $interfaceref->{name};
 	}
@@ -154,8 +216,6 @@ sub process_one_masq( )
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
 	my $persistent    = '';
 	my $conditional   = 0;
 	#
 	# Parse the ADDRESSES column
 	#
@@ -163,16 +223,13 @@ sub process_one_masq( )
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
-		$addresses =~ s/:persistent$// and $persistent = ' --persistent ';
+		$addresses =~ s/:random$// and $randomize = '--random ';
 		$addresses =~ s/:random$//     and $randomize  = ' --random ';
 		require_capability 'PERSISTENT_SNAT', ':persistent', 's' if $persistent;
 		if ( $addresses =~ /^SAME/ ) {
 		    fatal_error "The SAME target is no longer supported";
 		} elsif ( $addresses eq 'detect' ) {
 		    my $variable = get_interface_address $interface;
-		    $target = "SNAT --to-source $variable";
+		    $target = "-j SNAT --to-source $variable";
 		    if ( interface_is_optional $interface ) {
 			add_commands( $chainref,
@@ -182,35 +239,20 @@ sub process_one_masq( )
 			$detectaddress = 1;
 		    }
 		} elsif ( $addresses eq 'NONAT' ) {
-		    $target = 'RETURN';
+		    $target = '-j RETURN';
 		    $add_snat_aliases = 0;
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
-			if ( $addr =~ /^&(.+)$/ ) {
+			if ( $addr =~ /^.*\..*\..*\./ ) {
-			    $target = 'SNAT ';
+			    $target = '-j SNAT ';
 			    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
 				$addrlist .= '--to-source ' . get_interface_address $1;
 			    } else {
 				$addrlist .= '--to-source ' . record_runtime_address $1;
 			    }
 			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = 'SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
-			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
+			    validate_address $ipaddr, 0;
 				validate_range( $1, $2 );
 			    } else {
 				validate_address $ipaddr, 0;
 			    }
 			    $addrlist .= "--to-source $addr ";
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
-			    my $ports = $addr; 
+			    $addr =~ s/^://;
-			    $ports =~ s/^://;
+			    $addrlist .= "--to-ports $addr ";
 			    my $portrange = $ports;
 			    $portrange =~ s/-/:/;
 			    validate_portpair( $proto, $portrange );
 			    $addrlist .= "--to-ports $ports ";
 			    $exceptionrule = do_proto( $proto, '', '' );
 			}
 		    }
@@ -220,7 +262,6 @@ sub process_one_masq( )
 	    }
 	    $target .= $randomize;
 	    $target .= $persistent;
 	} else {
 	    $add_snat_aliases = 0;
 	}
@@ -238,7 +279,10 @@ sub process_one_masq( )
 		     '' ,
 		     $exceptionrule );
-	conditional_rule_end( $chainref ) if $detectaddress || $conditional;
+	if ( $detectaddress ) {
 	    decr_cmd_level( $chainref );
 	    add_commands( $chainref , 'fi' );
 	}
 	if ( $add_snat_aliases ) {
 	    my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
@@ -249,6 +293,7 @@ sub process_one_masq( )
 		next if $addrs eq 'detect';
 		for my $addr ( ip_range_explicit $addrs ) {
 		    unless ( $addresses_to_add{$addr} ) {
 			emit "del_ip_addr $addr $interface" unless $config{RETAIN_ALIASES};
 			$addresses_to_add{$addr} = 1;
 			if ( defined $alias ) {
 			    push @addresses_to_add, $addr, "$interface:$alias";
@@ -271,14 +316,14 @@ sub process_one_masq( )
 #
 sub setup_masq()
 {
-    if ( my $fn = open_file 'masq' ) {
+    my $fn = open_file 'masq';
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
-	process_one_masq while read_a_line;
+    process_one_masq while read_a_line;
    clear_comment;
 	clear_comment;
    }
 }
 #
@@ -326,12 +371,12 @@ sub do_one_nat( $$$$$ )
    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
    unless ( $interfaceref->{root} ) {
-	$rulein  = match_source_dev $interface;
+	$rulein  = "-i $interface ";
-	$ruleout = match_dest_dev $interface;
+	$ruleout = "-o $interface ";
 	$interface = $interfaceref->{name};
    }
-    if ( have_ipsec ) {
+    if ( $capabilities{POLICY_MATCH} ) {
 	$policyin = ' -m policy --pol none --dir in';
 	$policyout =  '-m policy --pol none --dir out';
    }
@@ -361,6 +406,7 @@ sub do_one_nat( $$$$$ )
 	    push @addresses_to_add, ( $external , $fullinterface );
 	}
    }
 }
 #
@@ -368,32 +414,32 @@ sub do_one_nat( $$$$$ )
 #
 sub setup_nat() {
-    if ( my $fn = open_file 'nat' ) {
+    my $fn = open_file 'nat';
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
-	while ( read_a_line ) {
+    while ( read_a_line ) {
-	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
+	my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
-	    if ( $external eq 'COMMENT' ) {
+	if ( $external eq 'COMMENT' ) {
-		process_comment;
+	    process_comment;
-	    } else {
+	} else {
-		( $interfacelist, my $digit ) = split /:/, $interfacelist;
+	    ( $interfacelist, my $digit ) = split /:/, $interfacelist;
-		$digit = defined $digit ? ":$digit" : '';
+	    $digit = defined $digit ? ":$digit" : '';
-		for my $interface ( split_list $interfacelist , 'interface' ) {
+	    for my $interface ( split_list $interfacelist , 'interface' ) {
-		    fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
+		fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne '';
-		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
+		do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
 		}
 		progress_message "   NAT entry \"$currentline\" $done";
 	    }
 	    progress_message "   NAT entry \"$currentline\" $done";
 	}
 	clear_comment;
    }
    clear_comment;
 }
 #
@@ -401,101 +447,50 @@ sub setup_nat() {
 #
 sub setup_netmap() {
-    if ( my $fn = open_file 'netmap' ) {
+    my $fn = open_file 'netmap';
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
-	while ( read_a_line ) {
+    while ( read_a_line ) {
-	    my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
+	my ( $type, $net1, $interfacelist, $net2 ) = split_line 4, 4, 'netmap file';
-	    validate_net $net1, 0;
+	for my $interface ( split_list $interfacelist, 'interface' ) {
 	    validate_net $net2, 0;
-	    $net3 = ALLIP if $net3 eq '-';
+	    my $rulein = '';
 	    my $ruleout = '';
 	    my $iface = $interface;
-	    for my $interface ( split_list $interfacelist, 'interface' ) {
+	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = find_interface( $interface );
-		my $iface = $interface;
+	    unless ( $interfaceref->{root} ) {
-
+		$rulein  = "-i $interface ";
-		fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
+		$ruleout = "-o $interface ";
-
+		$interface = $interfaceref->{name};
 		unless ( $type =~ /:/ ) {
 		    my @rulein;
 		    my @ruleout;
 		    unless ( $interfaceref->{root} ) {
 			@rulein  = imatch_source_dev( $interface );
 			@ruleout = imatch_dest_dev( $interface );
 			$interface = $interfaceref->{name};
 		    }
 		    if ( $type eq 'DNAT' ) {
 			add_ijump ensure_chain( 'nat' , input_chain $interface ) ,  j => "NETMAP --to $net2", @rulein  , imatch_source_net( $net3 ), d => $net1;
 		    } elsif ( $type eq 'SNAT' ) {
 			add_ijump ensure_chain( 'nat' , output_chain $interface ) , j => "NETMAP --to $net2", @ruleout , imatch_dest_net( $net3 ) ,  s => $net1;
 		    } else {
 			fatal_error "Invalid type ($type)";
 		    }
 		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
 		    my ( $target , $chain ) = ( $1, $2 );
 		    my $table = 'raw';
 		    my @match = ();
 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface ); 
 			$interface = $interfaceref->{name};
 		    }
 		    if ( $chain eq 'P' ) {
 			$chain = prerouting_chain $interface;
 			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
 		    } elsif ( $chain eq 'O' ) {
 			$chain = output_chain $interface;
 		    } else {
 			$chain = postrouting_chain $interface;
 			$table = 'rawpost';
 		    }
 		    if ( $target eq 'DNAT' ) { 
 			add_ijump( ensure_chain( $table, $chain ) ,
 				   j          => 'RAWDNAT',
 				   targetopts => "--to-dest $net2",
 				   imatch_source_net( $net3 ) ,
 				   imatch_dest_net( $net1 ) ,
 				   @match );
 		    } else {
 			add_ijump( ensure_chain( $table, $chain ) ,
 				   j          => 'RAWSNAT',
 				   targetopts => "--to-source $net2",
 				   imatch_dest_net( $net3 ) ,
 				   imatch_source_net( $net1 ) ,
 				   @match );
 		    }
 		} else {
 		    fatal_error "Invalid type ($type)";
 		}
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	    }
 	}
-	clear_comment;
+	    if ( $type eq 'DNAT' ) {
 		add_rule ensure_chain( 'nat' , input_chain $interface )  , $rulein  . "-d $net1 -j NETMAP --to $net2";
 	    } elsif ( $type eq 'SNAT' ) {
 		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . "-s $net1 -j NETMAP --to $net2";
 	    } else {
 		fatal_error "Invalid type ($type)";
 	    }
 	    progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	}
    }
 }
 sub add_addresses () {
    if ( @addresses_to_add ) {
 	my @addrs = @addresses_to_add;
 	my $arg = '';
 	my $addresses = 0;
-	while ( @addrs ) {
+	while ( @addresses_to_add ) {
-	    my $addr      = shift @addrs;
+	    my $addr      = shift @addresses_to_add;
-	    my $interface = shift @addrs;
+	    my $interface = shift @addresses_to_add;
 	    $arg = "$arg $addr $interface";
 	    unless ( $config{RETAIN_ALIASES} ) {
 		emit '' unless $addresses++;
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -0,0 +1,485 @@
 #
 # Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Policy.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #   This module deals with the /etc/shorewall/policy file.
 #
 package Shorewall::Policy;
 require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw( :DEFAULT :internal) ;
 use Shorewall::Actions;
 use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains );
 our @EXPORT_OK = qw(  );
 our $VERSION = '4.3_7';
 # @policy_chains is a list of references to policy chains in the filter table
 our @policy_chains;
 #
 # Initialize globals -- we take this novel approach to globals initialization to allow
 #                       the compiler to run multiple times in the same process. The
 #                       initialize() function does globals initialization for this
 #                       module and is called from an INIT block below. The function is
 #                       also called by Shorewall::Compiler::compiler at the beginning of
 #                       the second and subsequent calls to that function.
 #
 sub initialize() {
    @policy_chains = ();
 }
 INIT {
    initialize;
 }
 #
 # Convert a chain into a policy chain.
 #
 sub convert_to_policy_chain($$$$$)
 {
    my ($chainref, $source, $dest, $policy, $provisional ) = @_;
    $chainref->{is_policy}   = 1;
    $chainref->{policy}      = $policy;
    $chainref->{provisional} = $provisional;
    $chainref->{policychain} = $chainref->{name};
    $chainref->{policypair}  = [ $source, $dest ];
 }
 #
 # Create a new policy chain and return a reference to it.
 #
 sub new_policy_chain($$$$)
 {
    my ($source, $dest, $policy, $optional) = @_;
    my $chainref = new_chain( 'filter', "${source}2${dest}" );
    convert_to_policy_chain( $chainref, $source, $dest, $policy, $optional );
    $chainref;
 }
 #
 # Set the passed chain's policychain and policy to the passed values.
 #
 sub set_policy_chain($$$$$)
 {
    my ($source, $dest, $chain1, $chainref, $policy ) = @_;
    my $chainref1 = $filter_table->{$chain1};
    $chainref1 = new_chain 'filter', $chain1 unless $chainref1;
    unless ( $chainref1->{policychain} ) {
 	if ( $config{EXPAND_POLICIES} ) {
 	    #
 	    # We convert the canonical chain into a policy chain, using the settings of the
 	    # passed policy chain.
 	    #
 	    $chainref1->{policychain} = $chain1;
 	    $chainref1->{loglevel}    = $chainref->{loglevel} if defined $chainref->{loglevel};
 	    if ( defined $chainref->{synparams} ) {
 		$chainref1->{synparams}   = $chainref->{synparams};
 		$chainref1->{synchain}    = $chainref->{synchain};
 	    }
 	    $chainref1->{default}     = $chainref->{default} if defined $chainref->{default};
 	    $chainref1->{is_policy}   = 1;
 	    push @policy_chains, $chainref1;
 	} else {
 	    $chainref1->{policychain} = $chainref->{name};
 	}
 	$chainref1->{policy} = $policy;
 	$chainref1->{policypair} = [ $source, $dest ];
    }
 }
 #
 # Process the policy file
 #
 use constant { OPTIONAL => 1 };
 sub add_or_modify_policy_chain( $$ ) {
    my ( $zone, $zone1 ) = @_;
    my $chain    = "${zone}2${zone1}";
    my $chainref = $filter_table->{$chain};
    if ( $chainref ) {
 	unless( $chainref->{is_policy} ) {
 	    convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', OPTIONAL );
 	    push @policy_chains, $chainref;
 	}
    } else {
 	push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', OPTIONAL );
    }
 }    
 sub print_policy($$$$) {
    my ( $source, $dest, $policy , $chain ) = @_;
    unless ( ( $source eq 'all' ) || ( $dest eq 'all' ) ) {
 	if ( $policy eq 'CONTINUE' ) {
 	    my ( $sourceref, $destref ) = ( find_zone($source) ,find_zone( $dest ) );
 	    warning_message "CONTINUE policy between two un-nested zones ($source, $dest)" if ! ( @{$sourceref->{parents}} || @{$destref->{parents}} );
 	}
 	progress_message_nocompress "   Policy for $source to $dest is $policy using chain $chain" unless $source eq $dest;
    }
 }
 sub process_a_policy() {
    our %validpolicies;
    our @zonelist;
    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = split_line 3, 6, 'policy file';
    $loglevel  = '' if $loglevel  eq '-';
    $synparams = '' if $synparams eq '-';
    $connlimit = '' if $connlimit eq '-';
    my $clientwild = ( "\L$client" eq 'all' );
    fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
    my $serverwild = ( "\L$server" eq 'all' );
    fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
    my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 );
    fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
    fatal_error "Invalid default action ($default:$remainder)" if defined $remainder;
    ( $policy , my $queue ) = get_target_param $policy;
    if ( $default ) {
 	if ( "\L$default" eq 'none' ) {
 	    $default = 'none';
 	} else {
 	    my $defaulttype = $targets{$default} || 0;
 	    if ( $defaulttype & ACTION ) {
 		unless ( $usedactions{$default} ) {
 		    $usedactions{$default} = 1;
 		    createactionchain $default;
 		}
 	    } else {
 		fatal_error "Unknown Default Action ($default)";
 	    }
 	}
    } else {
 	$default = $default_actions{$policy} || '';
    }
    fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
    if ( defined $queue ) {
 	fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
 	require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' ); 
 	my $queuenum = numeric_value( $queue );
 	fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535;
 	$policy = "NFQUEUE --queue-num $queuenum";
    } elsif ( $policy eq 'NONE' ) {
 	fatal_error "NONE policy not allowed with \"all\""
 	    if $clientwild || $serverwild;
 	fatal_error "NONE policy not allowed to/from firewall zone"
 	    if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
    }
    unless ( $clientwild || $serverwild ) {
 	if ( zone_type( $server ) == BPORT ) {
 	    fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
 		unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
 	}
    }
    my $chain = "${client}2${server}";
    my $chainref;
    if ( defined $filter_table->{$chain} ) {
 	$chainref = $filter_table->{$chain};
 	if ( $chainref->{is_policy} ) {
 	    if ( $chainref->{provisional} ) {
 		$chainref->{provisional} = 0;
 		$chainref->{policy} = $policy;
 	    } else {
 		fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	    }
 	} elsif ( $chainref->{policy} ) {
 	    fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	} else {
 	    convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
 	    push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
 	}
    } else {
 	$chainref = new_policy_chain $client, $server, $policy, 0;
 	push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
    }
    $chainref->{loglevel}  = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
    if ( $synparams ne '' || $connlimit ne '' ) {
 	my $value = '';
 	fatal_error "Invalid CONNLIMIT ($connlimit)" if $connlimit =~ /^!/;
 	$value  = do_ratelimit $synparams, 'ACCEPT'  if $synparams ne '';
 	$value .= do_connlimit $connlimit            if $connlimit ne '';
 	$chainref->{synparams} = $value;
 	$chainref->{synchain}  = $chain
    }
    $chainref->{default}   = $default if $default;
    if ( $clientwild ) {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
 		    set_policy_chain $client, $server, "${zone}2${zone1}", $chainref, $policy;
 		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
 		set_policy_chain $client, $server, "${zone}2${server}", $chainref, $policy;
 		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
 	    set_policy_chain $client, $server, "${client}2${zone}", $chainref, $policy;
 	    print_policy $client, $zone, $policy, $chain;
 	}
    } else {
 	print_policy $client, $server, $policy, $chain;
    }
 }
 sub validate_policy()
 {
    our %validpolicies = (
 			  ACCEPT => undef,
 			  REJECT => undef,
 			  DROP   => undef,
 			  CONTINUE => undef,
 			  QUEUE => undef,
 			  NFQUEUE => undef,
 			  NONE => undef
 			  );
    our %map = ( DROP_DEFAULT    => 'DROP' ,
 		 REJECT_DEFAULT  => 'REJECT' ,
 		 ACCEPT_DEFAULT  => 'ACCEPT' ,
 		 QUEUE_DEFAULT   => 'QUEUE' ,
 		 NFQUEUE_DEFAULT => 'NFQUEUE' );
    my $zone;
    our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
    for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
 	my $action = $config{$option};
 	next if $action eq 'none';
 	my $actiontype = $targets{$action};
 	if ( defined $actiontype ) {
 	    fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION;
 	} else {
 	    fatal_error "Default Action $option=$action not found";
 	}
 	unless ( $usedactions{$action} ) {
 	    $usedactions{$action} = 1;
 	    createactionchain $action;
 	}
 	$default_actions{$map{$option}} = $action;
    }
    for $zone ( all_zones ) {
 	push @policy_chains, ( new_policy_chain $zone, $zone, 'ACCEPT', OPTIONAL );
 	if ( $config{IMPLICIT_CONTINUE} && ( @{find_zone( $zone )->{parents}} ) ) {
 	    for my $zone1 ( all_zones ) {
 		unless( $zone eq $zone1 ) {
 		    add_or_modify_policy_chain( $zone, $zone1 );
 		    add_or_modify_policy_chain( $zone1, $zone );
 		}
 	    }
 	}
    }
    my $fn = open_file 'policy';
    first_entry "$doing $fn...";
    process_a_policy while read_a_line;
    for $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
 	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{"${zone}2${zone1}"}{policy};
 	}
    }
 }
 #
 # Policy Rule application
 #
 sub policy_rules( $$$$$ ) {
    my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
    unless ( $target eq 'NONE' ) {
 	add_rule $chainref, "-d 224.0.0.0/24 -j RETURN" if $dropmulticast && $target ne 'CONTINUE';
 	add_rule $chainref, "-j $default" if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
 	add_jump( $chainref , $target eq 'REJECT' ? 'reject' : $target, 1 ) unless $target eq 'CONTINUE';
    }
 }
 sub report_syn_flood_protection() {
    progress_message_nocompress '      Enabled SYN flood protection';
 }
 sub default_policy( $$$ ) {
    my $chainref   = $_[0];
    my $policyref  = $filter_table->{$chainref->{policychain}};
    my $synparams  = $policyref->{synparams};
    my $default    = $policyref->{default};
    my $policy     = $policyref->{policy};
    my $loglevel   = $policyref->{loglevel};
    assert( $policyref );
    if ( $chainref eq $policyref ) {
 	policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
    } else {
 	if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
 	    if ( $synparams ) {
 		report_syn_flood_protection;
 		policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	    } else {
 		add_jump $chainref,  $policyref, 1;
 		$chainref = $policyref;
 	    }
 	} elsif ( $policy eq 'CONTINUE' ) {
 	    report_syn_flood_protection if $synparams;
 	    policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	} else {
 	    report_syn_flood_protection if $synparams;
 	    add_jump $chainref , $policyref, 1;
 	    $chainref = $policyref;
 	}
    }
    progress_message_nocompress "   Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
 }
 sub apply_policy_rules() {
    progress_message2 'Applying Policies...';
    for my $chainref ( @policy_chains ) {
 	my $policy      = $chainref->{policy};
 	my $loglevel    = $chainref->{loglevel};
 	my $provisional = $chainref->{provisional};
 	my $default     = $chainref->{default};
 	my $name        = $chainref->{name};
 	if ( $policy ne 'NONE' ) {
 	    if ( ! $chainref->{referenced} && ( ! $provisional && $policy ne 'CONTINUE' ) ) {
 		ensure_filter_chain $name, 1;
 	    }
 	    if ( $name =~ /^all2|2all$/ ) {
 		run_user_exit $chainref;
 		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
 	}
    }
    for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
 	    my $chainref = $filter_table->{"${zone}2${zone1}"};
 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
 		default_policy $chainref, $zone, $zone1;
 	    }
 	}
    }
 }
 #
 # Complete a standard chain
 #
 #	- run any supplied user exit
 #	- search the policy file for an applicable policy and add rules as
 #	  appropriate
 #	- If no applicable policy is found, add rules for an assummed
 #	  policy of DROP INFO
 #
 sub complete_standard_chain ( $$$$ ) {
    my ( $stdchainref, $zone, $zone2, $default ) = @_;
    add_rule $stdchainref, '-m state --state ESTABLISHED,RELATED -j ACCEPT' unless $config{FASTACCEPT};
    run_user_exit $stdchainref;
    my $ruleschainref = $filter_table->{"${zone}2${zone2}"} || $filter_table->{all2all};
    my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
    my $policychainref;
    $policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
    ( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref;
    policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }
 #
 # Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
 #
 sub setup_syn_flood_chains() {
    for my $chainref ( @policy_chains ) {
 	my $limit = $chainref->{synparams};
 	if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
 	    my $level = $chainref->{loglevel};
 	    my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
 	    add_rule $synchainref , "${limit}-j RETURN";
 	    log_rule_limit $level , $synchainref , $chainref->{name} , 'DROP', '-m limit --limit 5/min --limit-burst 5 ' , '' , 'add' , ''
 		if $level ne '';
 	    add_rule $synchainref, '-j DROP';
 	}
    }
 }
 1;
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -40,8 +40,8 @@ our @EXPORT = qw(
 		 setup_source_routing
 		 setup_forwarding
 		 );
-our @EXPORT_OK = qw( setup_interface_proc );
+our @EXPORT_OK = qw( );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.3_12';
 #
 # ARP Filtering
@@ -56,35 +56,27 @@ sub setup_arp_filtering() {
 	save_progress_message "Setting up ARP filtering...";
 	for my $interface ( @$interfaces ) {
 	    my $value = get_interface_option $interface, 'arp_filter';
 	    my $optional = interface_is_optional $interface;
 	    $interface = get_physical $interface;
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/arp_filter";
 	    my $value = get_interface_option $interface, 'arp_filter';
 	    emit ( '',
 		   "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
 	    emit   "fi\n";
 	}
 	for my $interface ( @$interfaces1 ) {
 	    my $value = get_interface_option $interface, 'arp_ignore';
 	    my $optional = interface_is_optional $interface;
 	    $interface = get_physical $interface;
 	    my $file  = "/proc/sys/net/ipv4/conf/$interface/arp_ignore";
 	    my $value = get_interface_option $interface, 'arp_ignore';
 	    assert( defined $value );
 	    emit ( "if [ -f $file ]; then",
 		   "    echo $value > $file");
 	    emit ( 'else',
-		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set ARP filtering on $interface\"" ) unless interface_is_optional( $interface );
 	    emit   "fi\n";
 	}
    }
@@ -96,18 +88,16 @@ sub setup_arp_filtering() {
 sub setup_route_filtering() {
    my $interfaces = find_interfaces_by_option 'routefilter';
    my $config     = $config{ROUTE_FILTER};
-    if ( @$interfaces || $config ) {
+    if ( @$interfaces || $config{ROUTE_FILTER} ) {
 	progress_message2 "$doing Kernel Route Filtering...";
 	save_progress_message "Setting up Route Filtering...";
 	my $val = '';
-	if ( $config ne '' ) {
+	if ( $config{ROUTE_FILTER} ) {
-	    $val = $config eq 'on' ? 1 : $config eq 'off' ? 0 : $config;
+	    my $val = $config{ROUTE_FILTER} eq 'on' ? 1 : 0;
 	    emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
 		   "    [ -f \$file/rp_filter ] && echo $val > \$file/rp_filter",
@@ -116,29 +106,25 @@ sub setup_route_filtering() {
 	}
 	for my $interface ( @$interfaces ) {
 	    my $value = get_interface_option $interface, 'routefilter';
 	    my $optional = interface_is_optional $interface;
 	    $interface = get_physical $interface;
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/rp_filter";
 	    my $value = get_interface_option $interface, 'routefilter';
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set route filtering on $interface\"" ) unless interface_is_optional( $interface);
 	    emit   "fi\n";
 	}
-	if ( have_capability( 'KERNELVERSION' ) < 20631 ) {
+	emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
-	    emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
+
-	} elsif ( $val ne '' ) {
+	if ( $config{ROUTE_FILTER} eq 'on' ) {
-	    emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";
+	    emit 'echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter';
 	} elsif (  $config{ROUTE_FILTER} eq 'off' ) {
 	    emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
 	}
-	emit "echo $val > /proc/sys/net/ipv4/conf/default/rp_filter" if $val ne '';
+	emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
 	emit "[ -n \"\$g_noroutes\" ] || \$IP -4 route flush cache";
    }
 }
@@ -167,18 +153,14 @@ sub setup_martian_logging() {
 	}
 	for my $interface ( @$interfaces ) {
 	    my $value = get_interface_option $interface, 'logmartians';
 	    my $optional = interface_is_optional $interface;
 	    $interface = get_physical $interface;
 	    my $file = "/proc/sys/net/ipv4/conf/$interface/log_martians";
 	    my $value = get_interface_option $interface, 'logmartians';
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless $optional;
+		   "    error_message \"WARNING: Cannot set Martian logging on $interface\"") unless interface_is_optional( $interface);
 	    emit   "fi\n";
 	}
    }
@@ -198,17 +180,13 @@ sub setup_source_routing( $ ) {
 	save_progress_message 'Setting up Accept Source Routing...';
 	for my $interface ( @$interfaces ) {
 	    my $value = get_interface_option $interface, 'sourceroute';
 	    my $optional = interface_is_optional $interface;
 	    $interface = get_physical $interface;
 	    my $file = "/proc/sys/net/ipv$family/conf/$interface/accept_source_route";
 	    my $value = get_interface_option $interface, 'sourceroute';
 	    emit ( "if [ -f $file ]; then" ,
 		   "    echo $value > $file" );
 	    emit ( 'else' ,
-		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless $optional;
+		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless interface_is_optional( $interface);
 	    emit   "fi\n";
 	}
    }
@@ -227,10 +205,6 @@ sub setup_forwarding( $$ ) {
 	}
 	emit '';
 	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
 	       ''
 	     ) if have_bridges;
    } else {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
 	    emit '        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
@@ -242,10 +216,6 @@ sub setup_forwarding( $$ ) {
 	emit '';
 	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
 	       ''
 	     ) if have_bridges;
 	my $interfaces = find_interfaces_by_option 'forward';
 	if ( @$interfaces ) {
@@ -257,17 +227,13 @@ sub setup_forwarding( $$ ) {
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';
 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'forward';
 		my $optional = interface_is_optional $interface;
 		$interface = get_physical $interface;
 		my $file = "/proc/sys/net/ipv6/conf/$interface/forwarding";
 		my $value = get_interface_option $interface, 'forward';
 		emit ( "if [ -f $file ]; then" ,
 		       "    echo $value > $file" );
 		emit ( 'else' ,
-		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
+		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless interface_is_optional( $interface);
 		emit   "fi\n";
 	    }
@@ -277,45 +243,4 @@ sub setup_forwarding( $$ ) {
    }
 }
 sub setup_interface_proc( $ ) {
    my $interface = shift;
    my $physical  = get_physical $interface;
    my $value;
    my @emitted;
    if ( interface_has_option( $interface, 'arp_filter' , $value ) ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_filter";
    }
    if ( interface_has_option( $interface, 'arp_ignore' , $value ) ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_ignore";
    }
    if ( interface_has_option( $interface, 'routefilter' , $value ) ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/rp_filter";
    }
    if ( interface_has_option( $interface, 'logmartians' , $value ) ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/log_martians";
    }
    if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
    }
    if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
    }
    if ( @emitted ) {
 	emit( '',
 	      'if [ $COMMAND = enable ]; then' );
 	push_indent;
 	emit "$_" for @emitted;
 	pop_indent;
 	emit "fi\n";
    }
 }
 1;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2011,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,31 +35,32 @@ our @EXPORT = qw(
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.3_7';
 our @proxyarp;
 our $family;
 #
-# Rather than initializing globals in an INIT block or during declaration,
+# Initialize globals -- we take this novel approach to globals initialization to allow
-# we initialize them in a function. This is done for two reasons:
+#                       the compiler to run multiple times in the same process. The
-#
+#                       initialize() function does globals initialization for this
-#   1. Proper initialization depends on the address family which isn't
+#                       module and is called from an INIT block below. The function is
-#      known until the compiler has started.
+#                       also called by Shorewall::Compiler::compiler at the beginning of
-#
+#                       the second and subsequent calls to that function.
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
 sub initialize( $ ) {
    $family = shift;
    @proxyarp = ();
 }
-sub setup_one_proxy_arp( $$$$$$$ ) {
+INIT {
-    my ( $address, $interface, $physical, $external, $extphy, $haveroute, $persistent) = @_;
+    initialize( F_IPV4 );
 }
-    my $proto = $family == F_IPV4 ? 'ARP' : 'NDP';
+sub setup_one_proxy_arp( $$$$$ ) {
    my ( $address, $interface, $external, $haveroute, $persistent) = @_;
    if ( "\L$haveroute" eq 'no' || $haveroute eq '-' ) {
 	$haveroute = '';
@@ -78,105 +79,94 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
    }
    unless ( $haveroute ) {
-	fatal_error "HAVEROUTE=No requires an INTERFACE" if $interface eq '-';
+	emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface";
 	if ( $family == F_IPV4 ) {
 	    emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address/32 dev $physical";
 	} else {
 	    emit( 'if [ -z "$g_noroutes" ]; then',
 		  "    qt \$IP -6 route del $address/128 dev $physical".
 		  "    run_ip route add $address/128 dev $physical",
 		  'fi'
 		);
 	}
 	$haveroute = 1 if $persistent;
    }
-    emit ( "run_ip neigh add proxy $address nud permanent dev $extphy" ,
+    emit ( "if ! arp -i $external -Ds $address $external pub; then",
-	   qq(progress_message "   Host $address connected to $interface added to $proto on $extphy"\n) );
+	   "    fatal_error \"Command 'arp -i $external -Ds $address $external pub' failed\"" ,
 	   'fi' ,
 	   '',
 	   "progress_message \"   Host $address connected to $interface added to ARP on $external\"\n" );
    push @proxyarp, "$address $interface $external $haveroute";
-    progress_message "   Host $address connected to $interface added to $proto on $external";
+    progress_message "   Host $address connected to $interface added to ARP on $external";
 }
 #
-# Setup Proxy ARP/NDP
+# Setup Proxy ARP
 #
 sub setup_proxy_arp() {
-    my $proto      = $family == F_IPV4 ? 'arp' : 'ndp';   # Protocol
+    if ( $family == F_IPV4 ) {
    my $file_opt   = 'proxy' . $proto;                    # Name of config file and of the interface option
    my $proc_file  = 'proxy_' . $proto;                   # Name of the corresponding file in /proc
-    my $interfaces= find_interfaces_by_option $file_opt;
+	my $interfaces= find_interfaces_by_option 'proxyarp';
-    my $fn = open_file $file_opt;
+	my $fn = open_file 'proxyarp';
-    if ( @$interfaces || $fn ) {
+	if ( @$interfaces || $fn ) {
-	my $first_entry = 1;
+	    my $first_entry = 1;
-	save_progress_message 'Setting up Proxy ' . uc($proto) . '...';
+	    save_progress_message "Setting up Proxy ARP...";
-	my ( %set, %reset );
+	    my ( %set, %reset );
-	while ( read_a_line ) {
+	    while ( read_a_line ) {
-	    my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, $file_opt;
+		my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, 'proxyarp file';
-	    if ( $first_entry ) {
+		if ( $first_entry ) {
-		progress_message2 "$doing $fn...";
+		    progress_message2 "$doing $fn...";
-		$first_entry = 0;
+		    $first_entry = 0;
-	    }
+		}
 	    fatal_error "Unknown interface ($external)" unless known_interface $external;
 	    fatal_error "Wildcard interface ($external) not allowed" if $external =~ /\+$/;
 	    $reset{$external} = 1 unless $set{$external};
 	    my $extphy   = get_physical $external;
 	    my $physical = '-';
 	    if ( $interface ne '-' ) {
 		fatal_error "Unknown interface ($interface)" unless known_interface $interface;
 		fatal_error "Wildcard interface ($interface) not allowed" if $interface =~ /\+$/;
 		$physical = physical_name $interface;
 		$set{$interface}  = 1;
 		$reset{$external} = 1 unless $set{$external};
 		setup_one_proxy_arp( $address, $interface, $external, $haveroute, $persistent );
 	    }
-	    setup_one_proxy_arp( $address, $interface, $physical, $external, $extphy, $haveroute, $persistent );
+	    emit '';
 	}
-	emit '';
+	    for my $interface ( keys %reset ) {
 		unless ( $set{interface} ) {
 		    emit  ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
 			    "    echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
 		    emit    "fi\n";
 		}
 	    }
-	for my $interface ( keys %reset ) {
+	    for my $interface ( keys %set ) {
-	    unless ( $set{interface} ) {
+		emit  ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
-		my $physical = get_physical $interface;
+			"    echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
-		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
+		emit  ( 'else' ,
-			"    echo 0 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
+			"    error_message \"    WARNING: Cannot set the 'proxy_arp' option for interface $interface\"" ) unless interface_is_optional( $interface );
 		emit    "fi\n";
 	    }
 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyarp';
 		emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
 		       "    echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
 		emit ( 'else' ,
 		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless interface_is_optional( $interface );
 		emit   "fi\n";
 	    }
 	}
    } else {
 	my $interfaces= find_interfaces_by_option 'proxyndp';
-	for my $interface ( keys %set ) {
+	if ( @$interfaces ) {
-	    my $physical = get_physical $interface;
+	    save_progress_message "Setting up Proxy NDP...";
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
 	    emit  ( 'else' ,
 		    "    error_message \"    WARNING: Cannot set the '$file_opt' option for interface $physical\"" ) unless interface_is_optional( $interface );
 	    emit    "fi\n";
 	}
-	for my $interface ( @$interfaces ) {
+	    for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, $file_opt;
+		my $value = get_interface_option $interface, 'proxyndp';
-	    my $optional = interface_is_optional $interface;
+		emit ( "if [ -f /proc/sys/net/ipv6/conf/$interface/proxy_ndp ] ; then" ,
-
+		   "    echo $value > /proc/sys/net/ipv6/conf/$interface/proxy_ndp" );
-	    $interface = get_physical $interface;
+		emit ( 'else' ,
-
+		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless interface_is_optional( $interface );
-	    emit ( "if [ -f /proc/sys/net/ipv$family/conf/$interface/$proc_file ] ; then" ,
+		emit   "fi\n";
-		   "    echo $value > /proc/sys/net/ipv$family/conf/$interface/$proc_file" );
+	    }
 	    emit ( 'else' ,
 		   "    error_message \"WARNING: Unable to set/reset the '$file_opt' option on $interface\"" ) unless $optional;
 	    emit   "fi\n";
 	}
    }
 }
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.3_7';
 #
 # Notrack
@@ -47,12 +47,12 @@ sub process_notrack_rule( $$$$$$ ) {
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';
-    ( my $zone, $source) = split /:/, $source, 2;
+    ( my $zone, $source) = split /:/, $source, 2;  
    my $zoneref  = find_zone $zone;
    my $chainref = ensure_raw_chain( notrack_chain $zone );
-    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
+    my $restriction = $zone eq firewall_zone ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
-    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
    require_capability 'RAW_TABLE', 'Notrack rules', '';
    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
@@ -64,7 +64,7 @@ sub process_notrack_rule( $$$$$$ ) {
 	$source ,
 	$dest ,
 	'' ,
-	'NOTRACK' ,
+	'-j NOTRACK' ,
 	'' ,
 	'NOTRACK' ,
 	'' ;
@@ -76,25 +76,24 @@ sub process_notrack_rule( $$$$$$ ) {
 sub setup_notrack() {
-    if ( my $fn = open_file 'notrack' ) {
+    my $fn = open_file 'notrack';
-	first_entry "$doing $fn...";
+    first_entry "$doing $fn...";
-	my $nonEmpty = 0;
+    my $nonEmpty = 0;
-	while ( read_a_line ) {
+    while ( read_a_line ) {
-	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';
+	my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';
-	    if ( $source eq 'COMMENT' ) {
+	if ( $source eq 'COMMENT' ) {
-		process_comment;
+	    process_comment;
-	    } else {
+	} else {
-		process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
+	    process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
 	    }
 	}
 	clear_comment;
    }
    clear_comment;
 }
 1;
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	73e73a19e6	Revert "Remove tools and web" This reverts commit `966f162c87`.	2009-08-27 07:08:17 -07:00
Tom Eastep	966f162c87	Remove tools and web	2009-08-27 07:06:08 -07:00
Tom Eastep	21f316abdd	Revert "Remove tools and web directories" This reverts commit `422d37900b`.	2009-08-26 15:45:04 -07:00
Tom Eastep	422d37900b	Remove tools and web directories	2009-08-26 15:29:29 -07:00
Tom Eastep	b85d024a6b	Update known problems	2009-08-26 12:50:08 -07:00
Tom Eastep	cdf0d8f64b	Fix nested IPSEC zones	2009-08-26 12:46:53 -07:00
Tom Eastep	4c3bb5bac8	Fix logging in rules at the end of INPUT and OUTPUT	2009-08-25 09:37:11 -07:00
Tom Eastep	640c1605f6	Update README.txt	2009-08-15 17:51:06 -07:00
Tom Eastep	ff5063e7a9	Prepare 4.4.0.1	2009-08-13 12:53:05 -07:00
		`@@ -1 +0,0 @@`
			`This is the Shorewall-init stable 4.4 branch of Git.`
`@@ -1 +1 @@`
	`This is the Shorewall-lite stable 4.4 branch of Git.`	`This is the Shorewall-lite development 4.3 branch of SVN.`
		`@@ -1,3 +0,0 @@`
			`<?xml version="1.0" encoding="UTF-8"?>`
			`<includepath />`