Pass $CONFIG_PATH to compiler.pl

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Merge branch 'master' into 4.4.26
2011-12-02 09:31:26 -08:00 · 2011-12-01 13:07:46 -08:00 · 2011-12-01 13:04:53 -08:00 · 2011-12-01 12:58:38 -08:00 · 2011-12-01 12:14:58 -08:00 · 2011-12-01 11:23:50 -08:00
166 changed files with 7757 additions and 1731 deletions
--- a/Samples/Universal/rules
+++ b/Samples/Universal/rules
@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+###################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Samples/Universal/shorewall.conf
+++ b/Samples/Universal/shorewall.conf
@@ -136,8 +136,6 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
@@ -188,8 +186,6 @@ TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

-WIDE_TC_MARKS=Yes
-
 ZONE2ZONE=2

 ###############################################################################
@@ -206,6 +202,20 @@ SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -147,8 +147,6 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=Off

 KEEP_RT_TABLES=No
@@ -199,8 +197,6 @@ TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

-WIDE_TC_MARKS=Yes
-
 ZONE2ZONE=2

 ###############################################################################
@@ -217,6 +213,20 @@ SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -145,8 +145,6 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
@@ -197,8 +195,6 @@ TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

-WIDE_TC_MARKS=Yes
-
 ZONE2ZONE=2

 ###############################################################################
@@ -215,6 +211,20 @@ SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -148,8 +148,6 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
@@ -200,8 +198,6 @@ TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

-WIDE_TC_MARKS=Yes
-
 ZONE2ZONE=2

 ###############################################################################
@@ -218,6 +214,20 @@ SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
--- a/Samples6/Universal/rules
+++ b/Samples6/Universal/rules
@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Samples6/Universal/shorewall6.conf
+++ b/Samples6/Universal/shorewall6.conf
@@ -125,8 +125,6 @@ FASTACCEPT=Yes

 FORWARD_CLEAR_MARK=

-HIGH_ROUTE_MARKS=No
-
 IMPLICIT_CONTINUE=No

 IP_FORWARDING=Off
@@ -163,7 +161,7 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

 TRACK_PROVIDERS=Yes

-WIDE_TC_MARKS=Yes
+USE_DEFAULT_RT=No

 ZONE2ZONE=2

@@ -181,4 +179,16 @@ SMURF_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

-#LAST LINE -- DO NOT REMOVE
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
--- a/Samples6/one-interface/rules
+++ b/Samples6/one-interface/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall6-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -125,8 +125,6 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

-HIGH_ROUTE_MARKS=No
-
 IMPLICIT_CONTINUE=No

 IP_FORWARDING=Off
@@ -163,7 +161,7 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

 TRACK_PROVIDERS=Yes

-WIDE_TC_MARKS=Yes
+USE_DEFAULT_RT=No

 ZONE2ZONE=2

@@ -181,4 +179,16 @@ SMURF_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

-#LAST LINE -- DO NOT REMOVE
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
--- a/Samples6/three-interfaces/rules
+++ b/Samples6/three-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -125,8 +125,6 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

-HIGH_ROUTE_MARKS=No
-
 IMPLICIT_CONTINUE=No

 IP_FORWARDING=On
@@ -163,7 +161,7 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

 TRACK_PROVIDERS=Yes

-WIDE_TC_MARKS=Yes
+USE_DEFAULT_RT=No

 ZONE2ZONE=2

@@ -181,4 +179,16 @@ SMURF_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

-#LAST LINE -- DO NOT REMOVE
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
--- a/Samples6/two-interfaces/rules
+++ b/Samples6/two-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -125,8 +125,6 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

-HIGH_ROUTE_MARKS=No
-
 IMPLICIT_CONTINUE=No

 IP_FORWARDING=On
@@ -163,7 +161,7 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

 TRACK_PROVIDERS=Yes

-WIDE_TC_MARKS=Yes
+USE_DEFAULT_RT=No

 ZONE2ZONE=2

@@ -181,4 +179,16 @@ SMURF_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

-#LAST LINE -- DO NOT REMOVE
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -14,7 +14,6 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-init $OPTIONS start
-ExecReload=/sbin/shorewall-init $OPTIONS restart
 ExecStop=/sbin/shorewall-init $OPTIONS stop

 [Install]
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -109,6 +109,11 @@ shorewall_refresh () {
  return 0
 }

+# status of the firewall
+shorewall_status () {
+  $SRWL $SRWL_OPTS status && exit 0 || exit $?
+}
+
 case "$1" in
  start)
     shorewall_start
@@ -122,8 +127,11 @@ case "$1" in
  force-reload|restart)
     shorewall_restart
     ;;
+  status)
+     shorewall_status
+     ;;
  *)
-     echo "Usage: /etc/init.d/shorewall-lite {start|stop|refresh|restart|force-reload}"
+     echo "Usage: /etc/init.d/shorewall-lite {start|stop|refresh|restart|force-reload|status}"
     exit 1
 esac

--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -365,8 +365,10 @@ usage() # $1 = exit status
    echo "   allow <address> ..."
    echo "   clear"
    echo "   delete <interface>[:<host-list>] ... <zone>"
+    echo "   disable <interface>"
    echo "   drop <address> ..."
    echo "   dump [ -x ]"
+    echo "   enable <interface>"
    echo "   forget [ <file name> ]"
    echo "   help"
    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
@@ -664,7 +666,7 @@ case "$COMMAND" in
 	;;
    status)
 	[ $# -eq 1 ] || usage 1
-	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
+	[ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	echo "Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
 	echo
 	if shorewall_is_started ; then
@@ -754,6 +756,14 @@ case "$COMMAND" in
 	shift
 	add_command $@
 	;;
+    disable|enable)
+	get_config Yes
+	if shorewall_is_started; then
+	    run_it ${VARDIR}/firewall $g_debugging $@
+	else
+	    fatal_error "Shorewall is not running"
+	fi
+	;;
    save)
 	[ -n "$debugging" ] && set -x

--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -14,7 +14,6 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start
-ExecReload=/sbin/shorewall-lite $OPTIONS restart
 ExecStop=/sbin/shorewall-lite $OPTIONS stop

 [Install]
--- a/Shorewall/Macros/macro.MSNP
+++ b/Shorewall/Macros/macro.MSNP
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - MSNP Macro
+#
+# /usr/share/shorewall/macro.MSNP
+#
+#	This macro handles MSNP (MicroSoft Notification Protocol)
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	1863
--- a/Shorewall/Macros/macro.Syslog
+++ b/Shorewall/Macros/macro.Syslog
@@ -3,9 +3,10 @@
 #
 # /usr/share/shorewall/macro.Syslog
 #
-#	This macro handles syslog UDP traffic.
+#	This macro handles syslog traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	514
+PARAM	-	-	tcp	514
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -141,7 +141,10 @@ sub process_accounting_rule( ) {

    $jumpchainref = 0;

-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File', $accounting_commands;
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
+	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
+
+    fatal_error 'ACTION must be specified' if $action eq '-';

    if ( $action eq 'COMMENT' ) {
 	process_comment;
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -54,10 +54,10 @@ my $family;
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals() {
+sub initialize_package_globals( $ ) {
    Shorewall::Config::initialize($family);
    Shorewall::Chains::initialize ($family, 1, $export );
-    Shorewall::Zones::initialize ($family);
+    Shorewall::Zones::initialize ($family, shift);
    Shorewall::Nat::initialize;
    Shorewall::Providers::initialize($family);
    Shorewall::Tc::initialize($family);
@@ -432,6 +432,10 @@ sub generate_script_3($) {
    save_policies;
    emit_unindented '__EOF__';

+    emit 'cat > ${VARDIR}/marks << __EOF__';
+    dump_mark_layout;
+    emit_unindented '__EOF__';
+
    pop_indent;

    emit "fi\n";
@@ -518,15 +522,15 @@ EOF

 }

-#1
+#
 #  The Compiler.
 #
 #     Arguments are named -- see %parms below.
 #
 sub compiler {

-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , '');

    $export = 0;
    $test   = 0;
@@ -561,7 +565,9 @@ sub compiler {
 		  preview       => { store => \$preview,       validate=> \&validate_boolean    } ,    
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
-		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,		  
+		  convert       => { store => \$convert,       validate=> \&validate_boolean    } ,
+		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
+		  config_path   => { store => \$config_path } ,
 		);
    #
    #                               P A R A M E T E R    P R O C E S S I N G
@@ -579,7 +585,9 @@ sub compiler {
    #
    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
    #
-    initialize_package_globals;
+    initialize_package_globals( $update );
+
+    set_config_path( $config_path ) if $config_path;

    if ( $directory ne '' ) {
 	fatal_error "$directory is not an existing directory" unless -d $directory;
@@ -673,7 +681,7 @@ sub compiler {
    #
    # Do all of the zone-independent stuff (mostly /proc)
    #
-    add_common_rules;
+    add_common_rules( $convert );
    #
    # More /proc
    #
@@ -757,12 +765,12 @@ sub compiler {
 	# Setup Nat
 	#
 	setup_nat;
-	#
-	# Setup NETMAP
-	#
-	setup_netmap;
    }

+    #
+    # Setup NETMAP
+    #
+    setup_netmap;
    #
    # MACLIST Filtration
    #
@@ -794,7 +802,7 @@ sub compiler {
 	#
 	generate_matrix;

-	if ( $config{OPTIMIZE} & 0xE ) {
+	if ( $config{OPTIMIZE} & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
@@ -803,7 +811,7 @@ sub compiler {
 	    #
 	    # More Optimization
 	    #
-	    optimize_ruleset if $config{OPTIMIZE} & 0xC;
+	    optimize_ruleset if $config{OPTIMIZE} & 0x1C;
 	}

 	enable_script;
@@ -863,7 +871,7 @@ sub compiler {
 	    #
 	    generate_matrix;

-	    if ( $config{OPTIMIZE} & 0xE ) {
+	    if ( $config{OPTIMIZE} & 0x1E ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
@@ -872,7 +880,7 @@ sub compiler {
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $config{OPTIMIZE} & 0xC;
+		optimize_ruleset if $config{OPTIMIZE} & 0x1C;
 	    }

 	    enable_script if $debug;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -63,7 +63,7 @@ our @EXPORT = qw(
 		 require_capability
                );

-our @EXPORT_OK = qw( $shorewall_dir initialize set_config_path shorewall);
+our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);

 our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       finalize_script
@@ -87,6 +87,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       set_timestamp
 				       set_verbosity
 				       set_log
+				       set_config_path
 				       close_log
 				       set_command
 				       push_indent
@@ -126,6 +127,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       run_user_exit1
 				       run_user_exit2
 				       generate_aux_config
+				       dump_mark_layout

 				       $product
 				       $Product
@@ -268,6 +270,8 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 TIME_MATCH      => 'Time Match',
 		 GOTO_TARGET     => 'Goto Support',
 		 LOG_TARGET      => 'LOG Target',
+		 ULOG_TARGET     => 'ULOG Target',
+		 NFLOG_TARGET    => 'NFLOG Target',
 		 LOGMARK_TARGET  => 'LOGMARK Target',
 		 IPMARK_TARGET   => 'IPMARK Target',
 		 PERSISTENT_SNAT => 'Persistent SNAT',
@@ -280,6 +284,9 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 ACCOUNT_TARGET  => 'ACCOUNT Target',
 		 AUDIT_TARGET    => 'AUDIT Target',
 		 RAWPOST_TABLE   => 'Rawpost Table',
+		 CONDITION_MATCH => 'Condition Match',
+		 IPTABLES_S      => 'iptables -S',
+		 BASIC_FILTER    => 'Basic Filter',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -383,6 +390,12 @@ my $iptables;                # Path to iptables/ip6tables
 my $tc;                      # Path to tc
 my $ip;                      # Path to ip

+my $shell;                   # Type of shell that processed the params file
+
+use constant { BASH    => 1,
+	       OLDBASH => 2,
+	       ASH     => 3 };
+
 use constant { MIN_VERBOSITY => -1,
 	       MAX_VERBOSITY => 2 ,
 	       F_IPV4 => 4,
@@ -438,7 +451,7 @@ sub initialize( $ ) {
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
 		    VERSION    => "4.4.22.1",
-		    CAPVERSION => 40423 ,
+		    CAPVERSION => 40425 ,
 		  );
    #
    # From shorewall.conf file
@@ -472,16 +485,10 @@ sub initialize( $ ) {
 	  TC => undef,
 	  IPSET => undef,
 	  PERL => undef,
-	  #
-	  #PATH is inherited
-	  #
 	  PATH => undef,
 	  SHOREWALL_SHELL => undef,
 	  SUBSYSLOCK => undef,
 	  MODULESDIR => undef,
-	  #
-	  #CONFIG_PATH is inherited
-	  #
 	  CONFIG_PATH => undef,
 	  RESTOREFILE => undef,
 	  IPSECFILE => undef,
@@ -574,7 +581,8 @@ sub initialize( $ ) {
 	  TC_BITS => undef,
 	  PROVIDER_BITS => undef,
 	  PROVIDER_OFFSET => undef,
-	  MASK_BITS => undef
+	  MASK_BITS => undef,
+	  ZONE_BITS => undef,
 	);


@@ -597,6 +605,7 @@ sub initialize( $ ) {
 		     PANIC   => 0,
 		     NONE    => '',
 		     NFLOG   => 'NFLOG',
+		     LOGMARK => 'LOGMARK',
 		   );

    #
@@ -647,6 +656,8 @@ sub initialize( $ ) {
 	       TIME_MATCH => undef,
 	       GOTO_TARGET => undef,
 	       LOG_TARGET => 1,         # Assume that we have it.
+	       ULOG_TARGET => undef,
+	       NFLOG_TARGET => undef,
 	       LOGMARK_TARGET => undef,
 	       IPMARK_TARGET => undef,
 	       TPROXY_TARGET => undef,
@@ -658,6 +669,9 @@ sub initialize( $ ) {
 	       HEADER_MATCH => undef,
 	       ACCOUNT_TARGET => undef,
 	       AUDIT_TARGET => undef,
+	       CONDITION_MATCH => undef,
+	       IPTABLES_S => undef,
+	       BASIC_FILTER => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -1256,7 +1270,7 @@ sub set_debug( $$ ) {
 #
 sub find_file($)
 {
-    my $filename=$_[0];
+    my ( $filename, $nosearch ) = @_;

    return $filename if $filename =~ '/';

@@ -1267,7 +1281,7 @@ sub find_file($)
 	return $file if -f $file;
    }

-    "$globals{CONFDIR}/$filename";
+    "$config_path[0]$filename";
 }

 sub split_list( $$ ) {
@@ -1329,46 +1343,45 @@ sub supplied( $ ) {

 #    ensure that it has an appropriate number of columns.
 #    supply '-' in omitted trailing columns.
+#    Handles all of the supported forms of column/pair specification
 #
-sub split_line( $$$ ) {
-    my ( $mincolumns, $maxcolumns, $description ) = @_;
+sub split_line1( $$;$ ) {
+    my ( $description, $columnsref, $nopad) = @_;

-    fatal_error "Shorewall Configuration file entries may not contain single quotes, double quotes, single back quotes or backslashes" if $currentline =~ /["'`\\]/;
-    fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/;
+    my @maxcolumns = ( keys %$columnsref );
+    my $maxcolumns = @maxcolumns;
+    #
+    # First see if there is a semicolon on the line; what follows will be column/value paris
+    #
+    my ( $columns, $pairs, $rest ) = split( ';', $currentline );

-    my @line = split( ' ', $currentline );
+    if ( supplied $pairs ) {
+	#
+	# Found it -- be sure there wasn't more than one.
+	#
+	fatal_error "Only one semicolon (';') allowed on a line" if defined $rest;
+    } elsif ( $currentline =~ /(.*){(.*)}$/ ) {
+	#
+	# Pairs are enclosed in curly brackets.
+	#
+	$columns = $1;
+	$pairs   = $2;
+    } else {
+	$pairs = '';
+    }

-    my $line = @line;
+    fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
+    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;

-    fatal_error "Invalid $description entry (too many columns)" if $line > $maxcolumns;
-
-    $line-- while $line > 0 && $line[$line-1] eq '-';
-
-    fatal_error "Invalid $description entry (too few columns)"  if $line < $mincolumns;
-
-    push @line, '-' while @line < $maxcolumns;
-
-    @line;
-}
-
-#
-# Version of 'split_line' used on files with exceptions
-#
-sub split_line1( $$$;$ ) {
-    my ( $mincolumns, $maxcolumns, $description, $nopad) = @_;
-
-    fatal_error "Shorewall Configuration file entries may not contain double quotes, single back quotes or backslashes" if $currentline =~ /["`\\]/;
-    fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/;
-
-    my @line = split( ' ', $currentline );
+    my @line = split( ' ', $columns );

    $nopad = { COMMENT => 0 } unless $nopad;

-    my $first   = $line[0];
-    my $columns = $nopad->{$first};
+    my $first     = supplied $line[0] ? $line[0] : '-';
+    my $npcolumns = $nopad->{$first};

-    if ( defined $columns ) {
-	fatal_error "Invalid $first entry" if $columns && @line != $columns;
+    if ( defined $npcolumns ) {
+	fatal_error "Invalid $first entry" if $npcolumns && @line != $npcolumns;
 	return @line
    }

@@ -1380,13 +1393,34 @@ sub split_line1( $$$;$ ) {

    $line-- while $line > 0 && $line[$line-1] eq '-';

-    fatal_error "Invalid $description entry (too few columns)"  if $line < $mincolumns;
-
    push @line, '-' while @line < $maxcolumns;

+    if ( supplied $pairs ) {
+	$pairs =~ s/^\s*//;
+	$pairs =~ s/\s*$//;
+
+	my @pairs = split( /,?\s+/, $pairs );
+
+	for ( @pairs ) {
+	    fatal_error "Invalid column/value pair ($_)" unless /^(\w+)(?:=>?|:)(.+)$/;
+	    my ( $column, $value ) = ( lc $1, $2 );
+	    fatal_error "Unknown column ($1)" unless exists $columnsref->{$column};
+	    $column = $columnsref->{$column};
+	    fatal_error "Non-ASCII gunk in file" if $columns =~ /[^\s[:print:]]/;
+	    $value = $1 if $value =~ /^"([^"]+)"$/;
+	    fatal_error "Column values may not contain embedded double quotes, single back quotes or backslashes" if $columns =~ /["`\\]/;
+	    fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
+	    $line[$column] = $value;
+	}
+    }   
+
    @line;
 }

+sub split_line($$) {
+    &split_line1( @_, {} );
+}
+
 #
 # Open a file, setting $currentfile. Returns the file's absolute pathname if the file
 # exists, is non-empty  and was successfully opened. Terminates with a fatal error
@@ -1538,6 +1572,8 @@ sub copy1( $ ) {

 			my $filename = find_file $line[1];

+			warning_message "Reserved filename ($1) in INCLUDE directive" if $filename =~ '/(.*)' && $config_files{$1};
+
 			fatal_error "INCLUDE file $filename not found" unless -f $filename;
 			fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;

@@ -1915,9 +1951,10 @@ sub expand_variables( \$ ) {
 #   - Handle INCLUDE <filename>
 #

-sub read_a_line(;$$) {
+sub read_a_line(;$$$) {
    my $embedded_enabled = defined $_[0] ? shift : 1;
    my $expand_variables = defined $_[0] ? shift : 1;
+    my $strip_comments   = defined $_[0] ? shift : 1;

    while ( $currentfile ) {

@@ -1937,7 +1974,7 @@ sub read_a_line(;$$) {
 	    # If this isn't a continued line, remove trailing comments. Note that
 	    # the result may now end in '\'.
 	    #
-	    s/\s*#.*$// unless /\\$/;
+	    s/\s*#.*$// if $strip_comments && ! /\\$/;
 	    #
 	    # Continuation
 	    #
@@ -1945,7 +1982,7 @@ sub read_a_line(;$$) {
 	    #
 	    # Now remove concatinated comments
 	    #
-	    $currentline =~ s/#.*$//;
+	    $currentline =~ s/#.*$// if $strip_comments;
 	    #
 	    # Ignore ( concatenated ) Blank Lines
 	    #
@@ -2105,65 +2142,77 @@ sub validate_level( $ ) {

    if ( supplied ( $level ) ) {
 	$level =~ s/!$//;
-	my $value = $validlevels{$level};
+	my $value = $level;
+	my $qualifier;

-	if ( defined $value ) {
-	    require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' ) unless $value eq '';
+	unless ( $value =~ /^[0-7]$/ ) {
+	    level_error( $level ) unless $level =~ /^([A-Za-z0-7]+)(.*)$/ && defined( $value = $validlevels{$1} );
+	    $qualifier = $2;
+	}
+
+	if ( $value =~ /^[0-7]$/ ) {
+	    #
+	    # Syslog Level
+	    #
+	    level_error( $rawlevel ) if supplied $qualifier;
+
+	    require_capability ( 'LOG_TARGET' , "Log level $level", 's' );
 	    return $value;
 	}

-	if ( $level =~ /^[0-7]$/ ) {
-	    require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
-	    return $level;
-	}
+	return '' unless $value;

-	if ( $level =~ /^(NFLOG|ULOG)[(](.*)[)]$/ ) {
-	    my $olevel  = $1;
-	    my @options = split /,/, $2;
-	    my $prefix  = lc $olevel;
-	    my $index   = $prefix eq 'ulog' ? 3 : 0;
+	require_capability( "${value}_TARGET", "Log level $level", 's' );

-	    level_error( $level ) if @options > 3;
+	if ( $value =~ /^(NFLOG|ULOG)$/ ) {
+	    my $olevel  = $value;

-	    for ( @options ) {
-		if ( supplied( $_ ) ) {
-		    level_error( $level ) unless /^\d+/;
-		    $olevel .= " --${prefix}-$suffixes[$index] $_";
+	    if ( $qualifier =~ /^[(](.*)[)]$/ ) {
+		my @options = split /,/, $1;
+		my $prefix  = lc $olevel;
+		my $index   = $prefix eq 'ulog' ? 3 : 0;
+
+		level_error( $rawlevel ) if @options > 3;
+
+		for ( @options ) {
+		    if ( supplied( $_ ) ) {
+			level_error( $rawlevel ) unless /^\d+/;
+			$olevel .= " --${prefix}-$suffixes[$index] $_";
+		    }
+
+		    $index++;
 		}

-		$index++;
+	    } elsif ( $qualifier =~ /^ --/ ) {
+		return $rawlevel;
+	    } else {
+		level_error( $rawlevel ) if $qualifier;
 	    }

-	    require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
 	    return $olevel;
 	}

-	if ( $level =~ /^NFLOG --/ or $level =~ /^ULOG --/ ) {
-	    require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
-	    return $rawlevel;
-	}
+	#
+	# Must be LOGMARK
+	#
+	my $sublevel;

-	if ( $level =~ /^LOGMARK --/ ) {
-	    require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
-	    return $rawlevel;
-	}
+	if ( supplied $qualifier ) {
+	    return $rawlevel if $qualifier =~ /^ --/;

-	if ( $level =~ /LOGMARK([(](.+)[)])?$/ ) {
-	    my $sublevel = $2;
+	    if ( $qualifier =~ /[(](.+)[)]$/ ) {
+		$sublevel = $1;

-	    if ( $1 ) {	    
 		$sublevel = $validlevels{$sublevel} unless $sublevel =~ /^[0-7]$/;
-		level_error( $level ) unless defined $sublevel && $sublevel  =~ /^[0-7]$/;
+		level_error( $rawlevel ) unless defined $sublevel && $sublevel  =~ /^[0-7]$/;
 	    } else {
-		$sublevel = 6; # info
+		level_error( $rawlevel );
 	    }
-	    
-	    require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
-	    require_capability( 'LOGMARK_TARGET' , 'LOGMARK', 's' );
-	    return "LOGMARK --log-level $sublevel";
+	} else {
+	    $sublevel = 6; # info
 	}

-	level_error( $rawlevel );
+	return "LOGMARK --log-level $sublevel";
    }

    '';
@@ -2637,12 +2686,24 @@ sub Log_Target() {
    qt1( "$iptables -A $sillyname -j LOG" );
 }

+sub Ulog_Target() {
+    qt1( "$iptables -A $sillyname -j ULOG" );
+}
+
+sub NFLog_Target() {
+    qt1( "$iptables -A $sillyname -j NFLOG" );
+}
+
 sub Logmark_Target() {
    qt1( "$iptables -A $sillyname -j LOGMARK" );
 }

 sub Flow_Filter() {
-    $tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0;
+    $tc && system( "$tc filter add flow help 2>&1 | grep -q ^Usage" ) == 0;
+}
+
+sub Basic_Filter() {
+    $tc && system( "$tc filter add basic help 2>&1 | grep -q ^Usage" ) == 0;
 }

 sub Fwmark_Rt_Mask() {
@@ -2665,15 +2726,25 @@ sub Account_Target() {
    }
 }

+sub Condition_Match() {
+    qt1( "$iptables -A $sillyname -m condition --condition foo" );
+}
+
 sub Audit_Target() {
    qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
 }

+sub Iptables_S() {
+    qt1( "$iptables -S INPUT" )
+}
+
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AUDIT_TARGET => \&Audit_Target,
      ADDRTYPE => \&Addrtype,
+      BASIC_FILTER => \&Basic_Filter,
      CLASSIFY_TARGET => \&Classify_Target,
+      CONDITION_MATCH => \&Condition_Match,
      COMMENTS => \&Comments,
      CONNLIMIT_MATCH => \&Connlimit_Match,
      CONNMARK => \&Connmark,
@@ -2693,10 +2764,13 @@ our %detect_capability =
      IPSET_MATCH => \&IPSet_Match,
      OLD_IPSET_MATCH => \&Old_IPSet_Match,
      IPSET_V5 => \&IPSET_V5,
+      IPTABLES_S => \&Iptables_S,
      KLUDGEFREE => \&Kludgefree,
      LENGTH_MATCH => \&Length_Match,
      LOGMARK_TARGET => \&Logmark_Target,
      LOG_TARGET => \&Log_Target,
+      ULOG_TARGET => \&Ulog_Target,
+      NFLOG_TARGET => \&NFLog_Target,
      MANGLE_ENABLED => \&Mangle_Enabled,
      MANGLE_FORWARD => \&Mangle_Forward,
      MARK => \&Mark,
@@ -2840,6 +2914,8 @@ sub determine_capabilities() {
 	$capabilities{TIME_MATCH}      = detect_capability( 'TIME_MATCH' );
 	$capabilities{GOTO_TARGET}     = detect_capability( 'GOTO_TARGET' );
 	$capabilities{LOG_TARGET}      = detect_capability( 'LOG_TARGET' );
+	$capabilities{ULOG_TARGET}     = detect_capability( 'ULOG_TARGET' );
+	$capabilities{NFLOG_TARGET}    = detect_capability( 'NFLOG_TARGET' );
 	$capabilities{LOGMARK_TARGET}  = detect_capability( 'LOGMARK_TARGET' );
 	$capabilities{FLOW_FILTER}     = detect_capability( 'FLOW_FILTER' );
 	$capabilities{FWMARK_RT_MASK}  = detect_capability( 'FWMARK_RT_MASK' );
@@ -2847,6 +2923,9 @@ sub determine_capabilities() {
 	$capabilities{ACCOUNT_TARGET}  = detect_capability( 'ACCOUNT_TARGET' );
 	$capabilities{AUDIT_TARGET}    = detect_capability( 'AUDIT_TARGET' );
 	$capabilities{IPSET_V5}        = detect_capability( 'IPSET_V5' );
+	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
+	$capabilities{IPTABLES_S}      = detect_capability( 'IPTABLES_S' );
+	$capabilities{BASIC_FILTER}    = detect_capability( 'BASIC_FILTER' );


 	qt1( "$iptables -F $sillyname" );
@@ -2940,6 +3019,22 @@ sub conditional_quote( $ ) {
 sub update_config_file( $ ) {
    my $annotate = shift;

+    sub is_set( $ ) {
+	my $value = $_[0];
+	defined( $value ) && lc( $value ) eq 'yes';
+    }
+
+    my $wide = is_set $config{WIDE_TC_MARKS};
+    my $high = is_set $config{HIGH_ROUTE_MARKS};
+
+    #
+    # Establish default values for the mark layout items
+    #
+    $config{TC_BITS}         = ( $wide ? 14 : 8 )             unless supplied $config{TC_BITS};
+    $config{MASK_BITS}       = ( $wide ? 16 : 8 )             unless supplied $config{MASK_BITS};
+    $config{PROVIDER_OFFSET} = ( $high ? $wide ? 16 : 8 : 0 ) unless supplied $config{PROVIDER_OFFSET};
+    $config{PROVIDER_BITS}   = 8                              unless supplied $config{PROVIDER_BITS};
+
    my $fn;

    unless ( -d "$globals{SHAREDIR}/configfiles/" ) {
@@ -2958,12 +3053,10 @@ sub update_config_file( $ ) {
    #
    my %deprecated = ( LOGRATE            => '' ,
 		       LOGBURST           => '' ,
-		       EXPORTPARAMS       => 'no' );
-    #
-    # Undocumented options -- won't be listed in the template
-    #
-    my @undocumented = ( qw( TC_BITS PROVIDER_BITS PROVIDER_OFFSET MASK_BITS ) );
-
+		       EXPORTPARAMS       => 'no',
+		       WIDE_TC_MARKS      => 'no',
+		       HIGH_ROUTE_MARKS   => 'no'
+		     );
    if ( -f $fn ) {
 	my ( $template, $output );

@@ -3012,29 +3105,6 @@ sub update_config_file( $ ) {

 	my $heading_printed;

-	for ( @undocumented ) {
-	    if ( defined ( my $val = $config{$_} ) ) {
-
-		unless ( $heading_printed ) {
-		    print $output <<'EOF';
-
-#################################################################################
-#                          U N D O C U M E N T E D
-#                               O P T I O N S
-#################################################################################
-
-EOF
-		    $heading_printed = 1;
-		}
-
-		$val = conditional_quote $val;
-
-		print $output "$_=$val\n\n";
-	    }
-	}
-
-	$heading_printed = 0;
-
 	for ( keys %deprecated ) {
 	    if ( supplied( my $val = $config{$_} ) ) {
 		if ( lc $val ne $deprecated{$_} ) {
@@ -3074,7 +3144,7 @@ EOF
 		progress_message3 "No update required to configuration file $configfile; $configfile.b";
 	    }

-	    exit 0;
+	    exit 0 unless -f find_file 'blacklist';
 	}
    } else {
 	fatal_error "$fn does not exist";
@@ -3269,6 +3339,8 @@ sub get_params() {
 	    # - Embedded double quotes are escaped with '\\'
 	    # - Valueless variables are supported (e.g., 'declare -x foo')
 	    #
+	    $shell = BASH;
+
 	    for ( @params ) {
 		if ( /^declare -x (.*?)="(.*[^\\])"$/ ) {
 		    $params{$1} = $2 unless $1 eq '_';
@@ -3277,11 +3349,11 @@ sub get_params() {
 		} elsif ( /^declare -x (.*)\s+$/ || /^declare -x (.*)=""$/ ) {
 		    $params{$1} = '';
 		} else {
+		    chomp;
 		    if ($variable) {
 			s/"$//;
 			$params{$variable} .= $_;
 		    } else {
-			chomp;
 			warning_message "Param line ($_) ignored" unless $bug++;
 		    }
 		}	
@@ -3295,6 +3367,8 @@ sub get_params() {
 	    # - Embedded single quotes are escaped with '\'
 	    # - Valueless variables ( e.g., 'export foo') are supported
 	    #
+	    $shell = OLDBASH;
+
 	    for ( @params ) {
 		if ( /^export (.*?)="(.*[^\\])"$/ ) {
 		    $params{$1} = $2 unless $1 eq '_';
@@ -3303,11 +3377,11 @@ sub get_params() {
 		} elsif ( /^export ([^\s=]+)\s*$/ || /^export (.*)=""$/ ) {
 		    $params{$1} = '';
 		} else {
+		    chomp;
 		    if ($variable) {
 			s/"$//;
 			$params{$variable} .= $_;
 		    } else {
-			chomp;
 			warning_message "Param line ($_) ignored" unless $bug++;
 		    }
 		}	
@@ -3320,6 +3394,8 @@ sub get_params() {
 	    # - Param values are delimited by single quotes.
 	    # - Embedded single quotes are transformed to the five characters '"'"'
 	    #
+	    $shell = ASH;
+
 	    for ( @params ) {
 		if ( /^export (.*?)='(.*'"'"')$/ ) {
 		    $params{$variable=$1}="${2}\n";		    
@@ -3328,11 +3404,11 @@ sub get_params() {
 		} elsif ( /^export (.*?)='(.*)$/ ) {
 		    $params{$variable=$1}="${2}\n";
 		} else {
+		    chomp;
 		    if ($variable) {
 			s/'$//;
 			$params{$variable} .= $_;
 		    } else {
-			chomp;
 			warning_message "Param line ($_) ignored" unless $bug++;
 		    }				
 		}
@@ -3371,15 +3447,29 @@ sub export_params() {
 	#
 	next if exists $compiler_params{$param};
 	#
+	# Values in %params are generated from the output of 'export -p'.
+	# The different shells have different conventions for delimiting
+	# the value and for escaping embedded instances of the delimiter.
+	# The following logic removes the escape characters.
+	#
+	if ( $shell == BASH ) {
+	    $value =~ s/\\"/"/g;
+	} elsif ( $shell == OLDBASH ) {
+	    $value =~ s/\\'/'/g;
+	} else {
+	    $value =~ s/'"'"'/'/g;
+	}
+	#
 	# Don't export pairs from %ENV
 	#
-	if ( exists $ENV{$param} && defined $ENV{$param} ) {
-	    next if $value eq $ENV{$param};
-	}
+	next if defined $ENV{$param} && $value eq $ENV{$param};

 	emit "#\n# From the params file\n#" unless $count++;
-
-	if ( $value =~ /[\s()[]/ ) {
+	#
+	# We will use double quotes and escape embedded quotes with \.
+	#
+	if ( $value =~ /[\s()['"]/ ) {
+	    $value =~ s/"/\\"/g;
 	    emit "$param='$value'";
 	} else {
 	    emit "$param=$value";
@@ -3388,9 +3478,10 @@ sub export_params() {
 }

 #
+# - Process the params file
 # - Read the shorewall.conf file
 # - Read the capabilities file, if any
-# - establish global hashes %config , %globals and %capabilities
+# - establish global hashes %params, %config , %globals and %capabilities
 #
 sub get_configuration( $$$ ) {

@@ -3629,23 +3720,36 @@ sub get_configuration( $$$ ) {
    numeric_option 'MASK_BITS',        $config{WIDE_TC_MARKS} ? 16 : 8,  $config{TC_BITS};
    numeric_option 'PROVIDER_BITS' ,   8, 0;
    numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
+    numeric_option 'ZONE_BITS'       , 0, 0;
+
+    require_capability 'MARK_ANYWHERE', 'A non-zero ZONE_BITS setting', 's' if $config{ZONE_BITS};

    if ( $config{PROVIDER_OFFSET} ) {
-	$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
-	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 31' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 31;
-	$globals{EXCLUSION_MASK} = 1 << ( $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS} );
+	$config{PROVIDER_OFFSET}  = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
+	$globals{ZONE_OFFSET}     = $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS};
    } elsif ( $config{MASK_BITS} >= $config{PROVIDER_BITS} ) {
-	$globals{EXCLUSION_MASK} = 1 << $config{MASK_BITS};
+	$globals{ZONE_OFFSET}     = $config{MASK_BITS};
    } else {
-	$globals{EXCLUSION_MASK} = 1 << $config{PROVIDER_BITS};
+	$globals{ZONE_OFFSET}     = $config{PROVIDER_BITS};
    }

-    $globals{TC_MAX}                 = make_mask( $config{TC_BITS} );
-    $globals{TC_MASK}                = make_mask( $config{MASK_BITS} );
-    $globals{PROVIDER_MIN}           = 1 << $config{PROVIDER_OFFSET};
-    $globals{PROVIDER_MASK}          = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET};
+    fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 31;
+    
+    $globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} );
+    $globals{PROVIDER_MIN}   = 1 << $config{PROVIDER_OFFSET};
+
+    $globals{TC_MAX}         = make_mask( $config{TC_BITS} );
+    $globals{TC_MASK}        = make_mask( $config{MASK_BITS} );
+    $globals{PROVIDER_MASK}  = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET};
+
+    if ( $config{ZONE_BITS} ) {
+	$globals{ZONE_MASK} = make_mask( $config{ZONE_BITS} ) << $globals{ZONE_OFFSET};
+    } else {
+	$globals{ZONE_MASK} = 0;
+    }

    if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
+	
 	$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
    } else {
 	$globals{USER_MASK} = 0;
@@ -3784,7 +3888,9 @@ sub get_configuration( $$$ ) {

    $val = numeric_value $config{OPTIMIZE};

-    fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ( 4096 ^ -1 ) ) <= 15;
+    fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ( 4096 ^ -1 ) ) <= 31;
+
+    require_capability 'XMULTIPORT', 'OPTIMIZE level 16', 's' if $val & 16;

    $globals{MARKING_CHAIN} = $config{MARK_IN_FORWARD_CHAIN} ? 'tcfor' : 'tcpre';

@@ -4014,6 +4120,52 @@ sub generate_aux_config() {
    finalize_aux_config;
 }

+sub dump_mark_layout() {
+    sub dumpout( $$$$$ ) {
+	my ( $name, $bits, $min, $max, $mask ) = @_;
+
+	if ( $bits ) {
+	    if ( $min == $max ) {
+		emit_unindented "$name:" . $min . ' mask ' . in_hex( $mask );
+	    } else {
+		emit_unindented "$name:" . join('-', $min, $max ) . ' (' . join( '-', in_hex( $min ), in_hex( $max ) ) . ') mask ' . in_hex( $mask );
+	    }
+	} else {
+	    emit_unindented "$name: Not Enabled";
+	}
+    }
+
+    dumpout( "Traffic Shaping",
+	     $config{TC_BITS},
+	     0,
+	     $globals{TC_MAX},
+	     $globals{TC_MASK} );
+
+    dumpout( "User",
+	     $globals{USER_MASK},
+	     $globals{TC_MAX} + 1,
+	     $globals{USER_MASK},
+	     $globals{USER_MASK} );
+    
+    dumpout( "Provider",
+	     $config{PROVIDER_BITS},
+	     $globals{PROVIDER_MIN},
+	     $globals{PROVIDER_MASK},
+	     $globals{PROVIDER_MASK} );
+
+    dumpout( "Zone",
+	     $config{ZONE_BITS},
+	     1 << $globals{ZONE_OFFSET},
+	     $globals{ZONE_MASK},
+	     $globals{ZONE_MASK} );
+
+    dumpout( "Exclusion",
+	     1,
+	     $globals{EXCLUSION_MASK},
+	     $globals{EXCLUSION_MASK},
+	     $globals{EXCLUSION_MASK} );
+}	
+
 END {
    cleanup;
 }
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -530,13 +530,13 @@ sub valid_6address( $ ) {
 	return 0 unless valid_4address pop @address;
 	$max = 6;
 	$address = join ':', @address;
-	return 1 if @address eq ':';
+	return 1 if $address eq ':';
    } else {
 	$max = 8;
    }

    return 0 if @address > $max;
-    return 0 unless $address =~ /^[a-f:\d]+$/;
+    return 0 unless $address =~ /^[a-fA-F:\d]+$/;
    return 0 unless ( @address == $max ) || $address =~ /::/;
    return 0 if $address =~ /:::/ || $address =~ /::.*::/;

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -82,7 +82,7 @@ sub process_tos() {

 	while ( read_a_line ) {

-	    my ($src, $dst, $proto, $sports, $ports , $tos, $mark ) = split_line 6, 7, 'tos file entry';
+	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = split_line 'tos file entry', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ;

 	    $first_entry = 0;

@@ -159,8 +159,9 @@ sub setup_ecn()

 	while ( read_a_line ) {

-	    my ($interface, $hosts ) = split_line 1, 2, 'ecn file entry';
+	    my ($interface, $hosts ) = split_line 'ecn file entry', { interface => 0, hosts => 1 };

+	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
 	    fatal_error "Unknown interface ($interface)" unless known_interface $interface;

 	    $interfaces{$interface} = 1;
@@ -219,17 +220,7 @@ sub setup_blacklist() {
 	$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;

 	if ( supplied $level ) {
-	    my $logchainref = new_standard_chain 'blacklog';
-
-	    $target =~ s/A_//;
-	    $target = 'reject' if $target eq 'REJECT';
-
-	    log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add',	'' );
-
-	    add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
-	    add_ijump( $logchainref, g => $target );
-
-	    $target = 'blacklog';
+	    $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
 	} elsif ( $audit ) {
 	    require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
 	    $target = verify_audit( $disposition );
@@ -256,7 +247,7 @@ sub setup_blacklist() {
 		    $first_entry = 0;
 		}

-		my ( $networks, $protocol, $ports, $options ) = split_line 1, 4, 'blacklist file';
+		my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };

 		if ( $options eq '-' ) {
 		    $options = 'src';
@@ -347,6 +338,222 @@ sub setup_blacklist() {
    }
 }

+#
+# Remove instances of 'blacklist' from the passed file. 
+#
+sub remove_blacklist( $ ) {
+    my $file = shift;
+
+    my $fn = find_file $file;
+
+    return 1 unless -f $file;
+
+    my $oldfile = open_file $fn;
+    my $newfile;
+    my $changed;
+	
+    open $newfile, '>', "$fn.new" or fatal_error "Unable to open $fn.new for output: $!";
+
+    while ( read_a_line(1,1,0) ) {
+	my ( $rule, $comment ) = split '#', $currentline, 2;
+
+	if ( $rule =~ /blacklist/ ) {
+	    $changed = 1;
+
+	    if ( $comment ) {
+		$comment =~ s/^/          / while $rule =~ s/blacklist,//;
+		$rule =~ s/blacklist/         /g;
+		$currentline = join( '#', $rule, $comment );
+	    } else {
+		$currentline =~ s/blacklist/         /g;
+	    }	    
+	}
+   
+	print $newfile "$currentline\n";
+    }
+	
+    close $newfile;
+
+    if ( $changed ) {
+	rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
+	rename "$fn.new", $fn or fatal_error "Unable to rename $fn.new to $fn: $!";
+	progress_message2 "\u$file file $fn saved in $fn.bak"
+    }
+}
+
+#
+# Convert a pre-4.4.25 blacklist to a 4.4.25 blacklist
+#
+sub convert_blacklist() {
+    my $zones  = find_zones_by_option 'blacklist', 'in';
+    my $zones1 = find_zones_by_option 'blacklist', 'out';
+    my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
+    my $audit       = $disposition =~ /^A_/;
+    my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
+    my $orig_target = $target;
+    my @rules;
+    
+    if ( @$zones || @$zones1 ) {
+	if ( supplied $level ) {
+	    $target = 'blacklog';
+	} elsif ( $audit ) {
+	    require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
+	    $target = verify_audit( $disposition );
+	}
+
+	my $fn = open_file 'blacklist';
+
+	first_entry "Converting $fn...";
+
+	while ( read_a_line ) {
+	    my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
+
+	    if ( $options eq '-' ) {
+		$options = 'src';
+	    } elsif ( $options eq 'audit' ) {
+		$options = 'audit,src';
+	    }
+
+	    my ( $to, $from, $whitelist, $auditone ) = ( 0, 0, 0, 0 );
+
+	    my @options = split_list $options, 'option';
+
+	    for ( @options ) {
+		$whitelist++ if $_ eq 'whitelist';
+		$auditone++  if $_ eq 'audit'; 
+	    }
+
+	    warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
+
+	    my $tgt = $whitelist ? 'WHITELIST' : $target;
+
+	    if ( $auditone ) {
+		fatal_error "'audit' not allowed in whitelist entries" if $whitelist;
+
+		if ( $audit ) {
+		    warning_message "Superfluous 'audit' option ignored";
+		} else {
+		    warning_message "Duplicate 'audit' option ignored" if $auditone > 1;
+		}
+
+		$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
+	    }
+
+	    for ( @options ) {
+		if ( $_ =~ /^(?:src|from)$/ ) {
+		    if ( $from++ ) {
+			warning_message "Duplicate 'src' ignored";
+		    } else {
+			if ( @$zones ) {
+			    push @rules, [ 'src', $tgt, $networks, $protocol, $ports ];
+			} else {
+			    warning_message '"src" entry ignored because there are no "blacklist in" zones';
+			}
+		    }
+		} elsif ( $_ =~ /^(?:dst|to)$/ ) {
+		    if ( $to++ ) {
+			warning_message "Duplicate 'dst' ignored";
+		    } else {
+			if ( @$zones1 ) {
+			    push @rules, [ 'dst', $tgt, $networks, $protocol, $ports ];
+			} else {
+			    warning_message '"dst" entry ignored because there are no "blacklist out" zones';
+			}
+		    }
+		} else {
+		    fatal_error "Invalid blacklist option($_)" unless $_ eq 'whitelist' || $_ eq 'audit';
+		}
+	    }
+	}
+
+	if ( @rules ) {
+	    my $fn1 = find_file( 'blrules' );
+	    my $blrules;
+	    my $date = localtime;
+
+	    if ( -f $fn1 ) {
+		open $blrules, '>>', $fn1 or fatal_error "Unable to open $fn1: $!";
+	    } else {
+		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
+		print $blrules <<'EOF';
+#
+# Shorewall version 5 - Blacklist Rules File
+#
+# For information about entries in this file, type "man shorewall-blrules"
+#
+# Please see http://shorewall.net/blacklisting_support.htm for additional
+# information.
+#
+###################################################################################################################################################################################################
+#ACTION		SOURCE		        DEST		        PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#							                PORT	PORT(S)		DEST		LIMIT		GROUP
+EOF
+	    }
+
+	    print( $blrules 
+		   "#\n" ,
+		   "# Rules generated from blacklist file $fn by Shorewall $globals{VERSION} - $date\n" ,
+		   "#\n" );
+
+	    for ( @rules ) {
+		my ( $srcdst, $tgt, $networks, $protocols, $ports ) = @$_;
+
+		$tgt .= "\t\t";
+
+		my $list = $srcdst eq 'src' ? $zones : $zones1;
+
+		for my $zone ( @$list ) {
+		    my $rule = $tgt;
+
+		    if ( $srcdst eq 'src' ) {
+			if ( $networks ne '-' ) {
+			    $rule .= "$zone:$networks\tall\t\t";
+			} else {
+			    $rule .= "$zone\t\t\tall\t\t";
+			}
+		    } else {
+			if ( $networks ne '-' ) {
+			    $rule .= "all\t\t\t$zone:$networks\t";
+			} else {
+			    $rule .= "all\t\t\t$zone\t\t\t";
+			}
+		    }
+		
+		    $rule .= "\t$protocols" if $protocols ne '-';
+		    $rule .= "\t$ports"     if $ports     ne '-';
+		
+		    print $blrules "$rule\n";
+		}
+	    }
+
+	    close $blrules;
+	} else {
+	    warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty or does not exist) unless @rules;
+	}
+	
+	if ( -f $fn ) {
+	    rename $fn, "$fn.bak";
+	    progress_message2 "Blacklist file $fn saved in $fn.bak";
+	}
+	
+	for my $file ( qw(zones interfaces hosts) ) {
+	    remove_blacklist $file;
+	}
+
+	progress_message2 "Blacklist successfully converted";
+
+	return 1;	    
+    } else {
+	my $fn = find_file 'blacklist';
+	if ( -f $fn ) {
+	    rename $fn, "$fn.bak" or fatal_error "Unable to rename $fn to $fn.bak: $!";
+	    warning_message "No zones have the blacklist option - the blacklist file was saved in $fn.bak";
+	}
+
+	return 0;
+    }
+}
+
 sub process_routestopped() {

    if ( my $fn = open_file 'routestopped' ) {
@@ -358,10 +565,12 @@ sub process_routestopped() {

 	while ( read_a_line ) {

-	    my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
+	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
+		split_line 'routestopped file', { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 };

 	    my $interfaceref;

+	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
 	    fatal_error "Unknown interface ($interface)" unless $interfaceref = known_interface $interface;
 	    $hosts = ALLIP unless $hosts && $hosts ne '-';

@@ -470,7 +679,8 @@ sub process_routestopped() {

 sub setup_mss();

-sub add_common_rules() {
+sub add_common_rules ( $ ) {
+    my $upgrade = shift;
    my $interface;
    my $chainref;
    my $target;
@@ -591,7 +801,11 @@ sub add_common_rules() {

    run_user_exit1 'initdone';

-    setup_blacklist;
+    if ( $upgrade ) {
+	exit 0 unless convert_blacklist;
+    } else {
+	setup_blacklist;
+    }

    $list = find_hosts_by_option 'nosmurfs';

@@ -897,7 +1111,7 @@ sub setup_mac_lists( $ ) {

 	    while ( read_a_line ) {

-		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 3, 4, 'maclist file';
+		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 };

 		if ( $original_disposition eq 'COMMENT' ) {
 		    process_comment;
@@ -1061,7 +1275,7 @@ sub generate_dest_rules( $$$;@ ) {
    my $z2ref            = find_zone( $z2 );
    my $type2            = $z2ref->{type};

-    if ( $type2 == VSERVER ) {
+    if ( $type2 & VSERVER ) {
 	for my $hostref ( @{$z2ref->{hosts}{ip}{'%vserver%'}} ) {
 	    my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain);

@@ -1158,8 +1372,6 @@ sub handle_loopback_traffic() {
 	    }
 	}
    }
-
-    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo';
 }

 #
@@ -1169,6 +1381,7 @@ sub add_interface_jumps {
    our %input_jump_added;
    our %output_jump_added;
    our %forward_jump_added;
+    my  $lo_jump_added = 0;
    #
    # Add Nat jumps
    #
@@ -1200,6 +1413,8 @@ sub add_interface_jumps {
 	my $outputref    = $filter_table->{output_chain $interface};
 	my $interfaceref = find_interface($interface);

+	add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo' if $interfaceref->{physical} eq '+' && ! $lo_jump_added++;
+
 	if ( $interfaceref->{options}{port} ) {
 	    my $bridge = $interfaceref->{bridge};
 	    add_ijump ( $filter_table->{forward_chain $bridge},
@@ -1227,15 +1442,17 @@ sub add_interface_jumps {
 	} else {
 	    add_ijump ( $filter_table->{FORWARD}, j => 'ACCEPT', imatch_source_dev( $interface) , imatch_dest_dev( $interface) ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};

-	    add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
-	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) unless $input_jump_added{$interface}   || ! use_input_chain $interface, $inputref;
+	    add_ijump( $filter_table->{FORWARD} , j => $forwardref , imatch_source_dev( $interface ) ) if use_forward_chain( $interface, $forwardref ) && ! $forward_jump_added{$interface}++;
+	    add_ijump( $filter_table->{INPUT}   , j => $inputref ,   imatch_source_dev( $interface ) ) if use_input_chain( $interface, $inputref )     && ! $input_jump_added{$interface}++;

-	    unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
-		add_ijump $filter_table->{OUTPUT} , j => $outputref , imatch_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
+	    if ( use_output_chain $interface, $outputref ) {
+		add_ijump $filter_table->{OUTPUT} , j => $outputref , imatch_dest_dev( $interface ) unless get_interface_option( $interface, 'port' ) || $output_jump_added{$interface}++;
 	    }
 	}
    }

+    add_ijump $filter_table->{INPUT} , j => 'ACCEPT', i => 'lo' unless $lo_jump_added++;
+
    handle_loopback_traffic;
 }

@@ -1321,7 +1538,9 @@ sub generate_matrix() {
 	#
 	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );

-	insert_ijump $frwd_ref , j => $filter_table->{blacklst}, -1, @state if $zoneref->{options}{in}{blacklist};
+	insert_ijump( $frwd_ref , j => $filter_table->{blacklst}, -1, @state ) if $zoneref->{options}{in}{blacklist};
+
+	add_ijump( $frwd_ref , j => 'MARK --set-mark ' . in_hex( $zoneref->{mark} ) . '/' . in_hex( $globals{ZONE_MASK} ) ) if $zoneref->{mark};

 	if ( have_ipsec ) {
 	    #
@@ -1465,7 +1684,7 @@ sub generate_matrix() {
 		    for my $net ( @{$hostref->{hosts}} ) {
 			my @dest   = imatch_dest_net $net;

-			if ( $chain1 && zone_type ( $zone) != BPORT ) {
+			if ( $chain1 && ! ( zone_type( $zone) & BPORT ) ) {
 			    my $chain1ref = $filter_table->{$chain1};
 			    my $nextchain = dest_exclusion( $exclusions, $chain1 );
 			    my $outputref;
@@ -1649,7 +1868,7 @@ sub generate_matrix() {
 		    next if ( scalar ( keys( %{ $zoneref->{interfaces}} ) ) < 2 ) && ! $zoneref->{options}{in_out}{routeback};
 		}

-		if ( $zone1ref->{type} == BPORT ) {
+		if ( $zone1ref->{type} & BPORT ) {
 		    next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 		}

@@ -1699,7 +1918,7 @@ sub generate_matrix() {
 		next if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
 	    }

-	    if ( $zone1ref->{type} == BPORT ) {
+	    if ( $zone1ref->{type} & BPORT ) {
 		next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 	    }

--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -54,13 +54,16 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = 
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };

    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
 	return 1;
    }

+    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+
    my $pre_nat;
    my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
    my $destnets = '';
@@ -374,7 +377,7 @@ sub setup_nat() {

 	while ( read_a_line ) {

-	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
+	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };

 	    if ( $external eq 'COMMENT' ) {
 		process_comment;
@@ -383,6 +386,9 @@ sub setup_nat() {

 		$digit = defined $digit ? ":$digit" : '';

+		fatal_error 'EXTERNAL must be specified' if $external eq '-';
+		fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
+
 		for my $interface ( split_list $interfacelist , 'interface' ) {
 		    fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
 		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
@@ -403,14 +409,11 @@ sub setup_netmap() {

    if ( my $fn = open_file 'netmap' ) {

-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
+	first_entry "$doing $fn...";

 	while ( read_a_line ) {

-	    my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
-
-	    validate_net $net1, 0;
-	    validate_net $net2, 0;
+	    my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 };

 	    $net3 = ALLIP if $net3 eq '-';

@@ -420,30 +423,49 @@ sub setup_netmap() {

 		fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );

+		my @rule = do_iproto( $proto, $dport, $sport );
+
 		unless ( $type =~ /:/ ) {
 		    my @rulein;
 		    my @ruleout;
 		    
+		    validate_net $net1, 0;
+		    validate_net $net2, 0;
+
 		    unless ( $interfaceref->{root} ) {
 			@rulein  = imatch_source_dev( $interface );
 			@ruleout = imatch_dest_dev( $interface );
 			$interface = $interfaceref->{name};
 		    }

+		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
+
 		    if ( $type eq 'DNAT' ) {
-			add_ijump ensure_chain( 'nat' , input_chain $interface ) ,  j => "NETMAP --to $net2", @rulein  , imatch_source_net( $net3 ), d => $net1;
+			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) , 
+					  j => 'NETMAP' ,
+					  "--to $net2",
+					  $net1 ,
+					  @rulein  ,
+					  imatch_source_net( $net3 ) );
 		    } elsif ( $type eq 'SNAT' ) {
-			add_ijump ensure_chain( 'nat' , output_chain $interface ) , j => "NETMAP --to $net2", @ruleout , imatch_dest_net( $net3 ) ,  s => $net1;
+			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
+					   j => 'NETMAP' ,
+					   "--to $net2" ,
+					   $net1 ,
+					   @ruleout ,
+					   imatch_dest_net( $net3 ) );
 		    } else {
 			fatal_error "Invalid type ($type)";
 		    }
 		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
 		    my ( $target , $chain ) = ( $1, $2 );
 		    my $table = 'raw';
-		    my @match = ();
+		    my @match;

 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';

+		    validate_net $net2, 0;
+
 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface ); 
 			$interface = $interfaceref->{name};
@@ -458,24 +480,31 @@ sub setup_netmap() {
 			$chain = postrouting_chain $interface;
 			$table = 'rawpost';
 		    }
+
+		    my $chainref = ensure_chain( $table, $chain );
+
 		    
-		    if ( $target eq 'DNAT' ) { 
-			add_ijump( ensure_chain( $table, $chain ) ,
-				   j          => 'RAWDNAT',
-				   targetopts => "--to-dest $net2",
-				   imatch_source_net( $net3 ) ,
-				   imatch_dest_net( $net1 ) ,
-				   @match );
+		    if ( $target eq 'DNAT' ) {
+			dest_iexclusion( $chainref ,
+					 j => 'RAWDNAT' ,
+					 "--to-dest $net2" ,
+					 $net1 ,
+					 imatch_source_net( $net3 ) ,
+					 @rule ,
+					 @match
+				       );
 		    } else {
-			add_ijump( ensure_chain( $table, $chain ) ,
-				   j          => 'RAWSNAT',
-				   targetopts => "--to-source $net2",
-				   imatch_dest_net( $net3 ) ,
-				   imatch_source_net( $net1 ) ,
-				   @match );
+			source_iexclusion( $chainref ,
+					   j  => 'RAWSNAT' ,
+					   "--to-source $net2" ,
+					   $net1 ,
+					   imatch_dest_net( $net3 ) ,
+					   @rule ,
+					   @match );
 		    }
 		} else {
-		    fatal_error "Invalid type ($type)";
+		    fatal_error 'TYPE must be specified' if $type eq '-';
+		    fatal_error "Invalid TYPE ($type)";
 		}
 		
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -40,11 +40,12 @@ our @EXPORT = qw( process_providers
 		  handle_stickiness
 		  handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_24';

 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
 	       DEFAULT_TABLE => 253,
+	       BALANCE_TABLE => 250,
 	       UNSPEC_TABLE  => 0
 	       };

@@ -93,6 +94,7 @@ sub initialize( $ ) {
    %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    default => { number => DEFAULT_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
+		    balance => { number => BALANCE_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    unspec  => { number => UNSPEC_TABLE  , mark => 0 , optional => 0 ,routes => [], rules => [] } );
    @providers = ();
 }
@@ -139,15 +141,13 @@ sub setup_route_marking() {

 sub copy_table( $$$ ) {
    my ( $duplicate, $number, $realm ) = @_;
-    #
-    # Hack to work around problem in iproute
-    #
-    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
+    
+    my $filter = $family == F_IPV6 ? q(fgrep -v ' cache ' | sed 's/ via :: / /' | ) : '';

    emit '';

    if ( $realm ) {
-	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | while read net route; do" )
+	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]_]+//' | ${filter}while read net route; do" )
    } else {
 	emit  ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
    }
@@ -155,9 +155,22 @@ sub copy_table( $$$ ) {
    emit ( '    case $net in',
 	   '        default)',
 	   '            ;;',
-	   '        *)',
-	   "            run_ip route add table $number \$net \$route $realm",
-	   '            ;;',
+	   '        *)' );
+	   
+    if ( $family == F_IPV4 ) {
+	emit ( '            case $net in',
+	       '                255.255.255.255*)',
+	       '                    ;;',
+	       '                *)',
+	       "                    run_ip route add table $number \$net \$route $realm",
+	       '                    ;;',
+	       '            esac',
+	     );
+    } else {
+	emit ( "            run_ip route add table $number \$net \$route $realm" );
+    }
+
+    emit ( '            ;;',
 	   '    esac',
 	   "done\n"
 	 );
@@ -165,10 +178,8 @@ sub copy_table( $$$ ) {

 sub copy_and_edit_table( $$$$ ) {
    my ( $duplicate, $number, $copy, $realm) = @_;
-    #
-    # Hack to work around problem in iproute
-    #
-    my $filter = $family == F_IPV6 ? q(sed 's/ via :: / /' | ) : '';
+
+    my $filter = $family == F_IPV6 ? q(fgrep -v ' cache ' | sed 's/ via :: / /' | ) : '';
    #
    # Map physical names in $copy to logical names
    #
@@ -176,12 +187,12 @@ sub copy_and_edit_table( $$$$ ) {
    #
    # Shell and iptables use a different wildcard character
    #
-    $copy =~ s/\+/*/;
+    $copy =~ s/\+/*/g;
    
    emit '';

    if ( $realm ) {
-	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | while read net route; do" )
+	emit  ( "\$IP -$family -o route show table $duplicate | sed -r 's/ realm [[:alnum:]]+//' | ${filter}while read net route; do" )
    } else {
 	emit  ( "\$IP -$family -o route show table $duplicate | ${filter}while read net route; do" )
    }
@@ -191,9 +202,21 @@ sub copy_and_edit_table( $$$$ ) {
 	    '            ;;',
 	    '        *)',
 	    '            case $(find_device $route) in',
-	    "                $copy)",
-	    "                    run_ip route add table $number \$net \$route $realm",
-	    '                    ;;',
+	    "                $copy)" );
+    if ( $family == F_IPV4 ) {
+	emit (  '                    case $net in',
+		'                        255.255.255.255*)',
+		'                            ;;',
+		'                        *)',
+		"                            run_ip route add table $number \$net \$route $realm",
+		'                            ;;',
+		'                    esac',
+	     );
+    } else {
+	emit (  "                    run_ip route add table $number \$net \$route $realm" );
+    } 
+
+    emit (  '                    ;;',
 	    '            esac',
 	    '            ;;',
 	    '    esac',
@@ -208,14 +231,27 @@ sub balance_default_route( $$$$ ) {
    emit '';

    if ( $first_default_route ) {
-	if ( $gateway ) {
-	    emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	if ( $family == F_IPV4 ) {
+	    if ( $gateway ) {
+		emit "DEFAULT_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    } else {
+		emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    }
 	} else {
-	    emit "DEFAULT_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    #
+	    # IPv6 doesn't support multi-hop routes
+	    #
+	    if ( $gateway ) {
+		emit "DEFAULT_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "DEFAULT_ROUTE=\"dev $interface $realm\"";
+	    }
 	}

 	$first_default_route = 0;
    } else {
+	fatal_error "Only one 'balance' provider is allowed with IPv6" if $family == F_IPV6;
+
 	if ( $gateway ) {
 	    emit "DEFAULT_ROUTE=\"\$DEFAULT_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -232,14 +268,27 @@ sub balance_fallback_route( $$$$ ) {
    emit '';

    if ( $first_fallback_route ) {
-	if ( $gateway ) {
-	    emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	if ( $family == F_IPV4 ) {
+	    if ( $gateway ) {
+		emit "FALLBACK_ROUTE=\"nexthop via $gateway dev $interface weight $weight $realm\"";
+	    } else {
+		emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    }
 	} else {
-	    emit "FALLBACK_ROUTE=\"nexthop dev $interface weight $weight $realm\"";
+	    #
+	    # IPv6 doesn't support multi-hop routes
+	    #
+	    if ( $gateway ) {
+		emit "FALLBACK_ROUTE=\"via $gateway dev $interface $realm\"";
+	    } else {
+		emit "FALLBACK_ROUTE=\"dev $interface $realm\"";
+	    }
 	}

 	$first_fallback_route = 0;
    } else {
+	fatal_error "Only one 'fallback' provider is allowed with IPv6" if $family == F_IPV6;
+
 	if ( $gateway ) {
 	    emit "FALLBACK_ROUTE=\"\$FALLBACK_ROUTE nexthop via $gateway dev $interface weight $weight $realm\"";
 	} else {
@@ -267,14 +316,17 @@ sub start_provider( $$$ ) {
 #
 sub process_a_provider() {

-    my ($table, $number, $mark, $duplicate, $interface, $gateway,  $options, $copy ) = split_line 6, 8, 'providers file';
+    my ($table, $number, $mark, $duplicate, $interface, $gateway,  $options, $copy ) =
+	split_line 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 };

    fatal_error "Duplicate provider ($table)" if $providers{$table};

+    fatal_error 'NAME must be specified' if $table eq '-';
    fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;

    my $num = numeric_value $number;

+    fatal_error 'NUMBER must be specified' if $number eq '-';
    fatal_error "Invalid Provider number ($number)" unless defined $num;

    $number = $num;
@@ -283,6 +335,8 @@ sub process_a_provider() {
 	fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
    }

+    fatal_error 'INTERFACE must be specified' if $interface eq '-';
+
    ( $interface, my $address ) = split /:/, $interface;

    my $shared = 0;
@@ -323,17 +377,19 @@ sub process_a_provider() {
 	    } elsif ( $option eq 'notrack' ) {
 		$track = 0;
 	    } elsif ( $option =~ /^balance=(\d+)$/ ) {
-		fatal_error q('balance' is not available in IPv6) if $family == F_IPV6;
+		fatal_error q('balance=<weight>' is not available in IPv6) if $family == F_IPV6;
 		$balance = $1;
 	    } elsif ( $option eq 'balance' ) {
-		fatal_error q('balance' is not available in IPv6) if $family == F_IPV6;
 		$balance = 1;
 	    } elsif ( $option eq 'loose' ) {
 		$loose   = 1;
 		$default_balance = 0;
 	    } elsif ( $option eq 'optional' ) {
-		warning_message q(The 'optional' provider option is deprecated - use the 'optional' interface option instead);
-		set_interface_option $interface, 'optional', 1;
+		unless ( $shared ) {
+		    warning_message q(The 'optional' provider option is deprecated - use the 'optional' interface option instead);
+		    set_interface_option $interface, 'optional', 1;
+		}
+
 		$optional = 1;
 	    } elsif ( $option =~ /^src=(.*)$/ ) {
 		fatal_error "OPTION 'src' not allowed on shared interface" if $shared;
@@ -341,24 +397,17 @@ sub process_a_provider() {
 	    } elsif ( $option =~ /^mtu=(\d+)$/ ) {
 		$mtu = "mtu $1 ";
 	    } elsif ( $option =~ /^fallback=(\d+)$/ ) {
-		fatal_error q('fallback' is not available in IPv6) if $family == F_IPV6;
-		if ( $config{USE_DEFAULT_RT} ) {
-		    warning_message "'fallback' is ignored when USE_DEFAULT_RT=Yes";
-		} else {
-		    $default = $1;
-		    fatal_error 'fallback must be non-zero' unless $default;
-		}
+		fatal_error q('fallback=<weight>' is not available in IPv6) if $family == F_IPV6;
+		$default = $1;
+		$default_balance = 0;
+		fatal_error 'fallback must be non-zero' unless $default;
 	    } elsif ( $option eq 'fallback' ) {
-		fatal_error q('fallback' is not available in IPv6) if $family == F_IPV6;
-		if ( $config{USE_DEFAULT_RT} ) {
-		    warning_message "'fallback' is ignored when USE_DEFAULT_RT=Yes";
-		} else {
-		    $default = -1;
-		}
+		$default = -1;
+		$default_balance = 0;
 	    } elsif ( $option eq 'local' ) {
 		$local = 1;
 		$track = 0           if $config{TRACK_PROVIDERS};
-		$default_balance = 0 if$config{USE_DEFAULT_RT};
+		$default_balance = 0 if $config{USE_DEFAULT_RT};
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
@@ -554,18 +603,19 @@ sub add_a_provider( $$ ) {
 	    emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $number $realm";
 	    emit "run_ip route add $gateway src $address dev $physical ${mtu}table $number $realm";
 	}
-   	
+
 	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
    }

-    balance_default_route( $balance , $gateway, $physical, $realm ) if $balance;
-
-    if ( $default > 0 ) {
+    if ( $balance ) {
+	balance_default_route( $balance , $gateway, $physical, $realm );
+    } elsif ( $default > 0 ) {
 	balance_fallback_route( $default , $gateway, $physical, $realm );
    } elsif ( $default ) {
 	emit '';
 	if ( $gateway ) {
 	    if ( $family == F_IPV4 ) {
+		emit qq(run_ip route replace $gateway dev $physical table ) . DEFAULT_TABLE;
 		emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    } else {
 		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
@@ -576,12 +626,18 @@ sub add_a_provider( $$ ) {
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
 	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
 	}
+	
+	$fallback = 1;
    }

+    emit ( qq(\nqt \$IP rule add from all table ) . DEFAULT_TABLE . qq( prio 32767\n) ) if $family == F_IPV6;
+
    unless ( $local ) {
+	emit '';
+
 	if ( $loose ) {
 	    if ( $config{DELETE_THEN_ADD} ) {
-		emit ( "\nfind_interface_addresses $physical | while read address; do",
+		emit ( "find_interface_addresses $physical | while read address; do",
 		       "    qt \$IP -$family rule del from \$address",
 		       'done'
 		     );
@@ -591,13 +647,9 @@ sub add_a_provider( $$ ) {
 	    emit( "run_ip rule add from $address pref 20000 table $number" ,
 		  "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_${table}_routing" );
 	} else {
-	    my $rulebase = 20000 + ( 256 * ( $number - 1 ) );
-
-	    emit "\nrulenum=$rulebase\n";
-
 	    emit  ( "find_interface_addresses $physical | while read address; do" );
 	    emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
-	    emit  ( "    run_ip rule add from \$address pref \$rulenum table $number",
+	    emit  ( "    run_ip rule add from \$address pref 20000 table $number",
 		    "    echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_${table}_routing",
 		    '    rulenum=$(($rulenum + 1))',
 		    'done'
@@ -615,38 +667,56 @@ sub add_a_provider( $$ ) {
 	emit $_ for @{$providers{$table}->{routes}};
    }

-    emit( '',
-	  'if [ $COMMAND = enable ]; then'
-	);
+    emit( '' );

-    push_indent;
+    my ( $tbl, $weight );

-    my ( $tbl, $weight ); 
-    
-    if ( $balance || $default ) {
-	$tbl    = $default || $config{USE_DEFAULT_RT} ? DEFAULT_TABLE : MAIN_TABLE;
-	$weight = $balance ? $balance : $default;
+    if ( $optional ) {
+	emit( 'if [ $COMMAND = enable ]; then' );

-	if ( $gateway ) {
-	    emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
+	push_indent;
+
+	if ( $balance || $default > 0 ) {
+	    $tbl    = $default ? DEFAULT_TABLE : $config{USE_DEFAULT_RT} ? BALANCE_TABLE : MAIN_TABLE;
+	    $weight = $balance ? $balance : $default;
+
+	    if ( $family == F_IPV4 ) {
+		if ( $gateway ) {
+		    emit qq(add_gateway "nexthop via $gateway dev $physical weight $weight $realm" ) . $tbl;
+		} else {
+		    emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
+		}
+	    } else {
+		#
+		# IPv6 doesn't support multi-hop routes
+		#
+		if ( $gateway ) {
+		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
+		} else {
+		    emit qq(add_gateway "nexthop dev $physical $realm" ) . $tbl;
+		}
+	    }
 	} else {
-	    emit qq(add_gateway "nexthop dev $physical weight $weight $realm" ) . $tbl;
+	    $weight = 1;
 	}

+	unless ( $shared ) {
+	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
+	}
+
+	emit ( qq(progress_message2 "   Provider $table ($number) Started") );
+
+	pop_indent;
+ 
+	emit( 'else' ,
+	      qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
+	      qq(    progress_message "   Provider $table ($number) Started"),
+	      qq(fi\n)
+	    );
+    } else {
+	emit( qq(progress_message "Provider $table ($number) Started") );
    }
-
-    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
-
-    emit ( qq(progress_message2 "   Provider $table ($number) Started") );
-
-    pop_indent;
-	  
-    emit( 'else',
-	  qq(    echo $weight > \${VARDIR}/${physical}_weight),
-	  qq(    progress_message "   Provider $table ($number) Started"),
-	  "fi\n"
-	);
-
+    
    pop_indent;

    emit 'else';
@@ -686,30 +756,42 @@ sub add_a_provider( $$ ) {

 	my $undo = "\${VARDIR}/undo_${table}_routing";

-	emit( "if [ -f $undo ]; then",
-	      "    . $undo",
-	      "    > $undo" );
+	emit( "if [ -f $undo ]; then" );

-	if ( $balance || $default ) {
-	    $tbl    = $fallback || ( $config{USE_DEFAULT_RT} ? DEFAULT_TABLE : MAIN_TABLE );
+	push_indent;
+
+	if ( $balance || $default > 0 ) {
+	    $tbl    = $default ? DEFAULT_TABLE : $config{USE_DEFAULT_RT} ? BALANCE_TABLE : MAIN_TABLE;
 	    $weight = $balance ? $balance : $default;

-	    my $via = 'via';
+	    my $via;

-	    $via .= " $gateway"       if $gateway;
-	    $via .= " dev $physical";
-	    $via .= " weight $weight";
+	    if ( $gateway ) {
+		$via = "via $gateway dev $physical";
+	    } else {    
+		$via = "dev $physical";
+	    }
+
+	    $via .= " weight $weight" unless $weight < 0 or $family == F_IPV6; # IPv6 doesn't support route weights
 	    $via .= " $realm"         if $realm;

-	    emit( qq(    delete_gateway "$via" $tbl $physical) );
+	    emit( qq(delete_gateway "$via" $tbl $physical) );
 	}
-	
-	emit( '', 
-	      "    qt \$TC qdisc del dev $physical root",
-	      "    qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};

-	emit( "    progress_message2 \"Provider $table stopped\"",
-              'else',
+	emit (". $undo",
+	      "> $undo" );
+
+	unless ( $shared ) {
+	    emit( '', 
+		  "qt \$TC qdisc del dev $physical root",
+		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
+	}
+
+	emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
+
+	pop_indent;
+
+	emit( 'else',
 	      "    startup_error \"$undo does not exist\"",
 	      'fi'
 	    );
@@ -723,7 +805,7 @@ sub add_a_provider( $$ ) {
 }

 sub add_an_rtrule( ) {
-    my ( $source, $dest, $provider, $priority ) = split_line 4, 4, 'route_rules file';
+    my ( $source, $dest, $provider, $priority, $originalmark ) = split_line 'route_rules file', { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 };

    our $current_if;

@@ -786,22 +868,36 @@ sub add_an_rtrule( ) {
 	$source = "iif $source";
    }

+    my $mark = '';
+    my $mask;
+
+    if ( $originalmark ne '-' ) {
+	validate_mark( $originalmark );
+
+	( $mark, $mask ) = split '/' , $originalmark;
+	$mask = $globals{PROVIDER_MASK} unless supplied $mask;
+
+	$mark = ' fwmark ' . in_hex( $mark ) . '/' . in_hex( $mask );
+    }
+
    fatal_error "Invalid priority ($priority)" unless $priority && $priority =~ /^\d{1,5}$/;

    $priority = "priority $priority";

-    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source $dest $priority" if $config{DELETE_THEN_ADD};
-    push @{$providerref->{rules}}, "run_ip rule add $source $dest $priority table $number";
-    push @{$providerref->{rules}}, "echo \"qt \$IP -$family rule del $source $dest $priority\" >> \${VARDIR}/undo_${provider}_routing";
+    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
+    push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $number";
+    push @{$providerref->{rules}}, "echo \"qt \$IP -$family rule del $source ${dest}${mark} $priority\" >> \${VARDIR}/undo_${provider}_routing";

    progress_message "   Routing rule \"$currentline\" $done";
 }

 sub add_a_route( ) {
-    my ( $provider, $dest, $gateway, $device ) = split_line 2, 4, 'routes file';
+    my ( $provider, $dest, $gateway, $device ) = split_line 'routes file', { provider => 0, dest => 1, gateway => 2, device => 3 };

    our $current_if;

+    fatal_error 'PROVIDER must be specified' if $provider eq '-';
+
    unless ( $providers{$provider} ) {
 	my $found = 0;

@@ -820,6 +916,7 @@ sub add_a_route( ) {
 	fatal_error "Unknown provider ($provider)" unless $found;
    }

+    fatal_error 'DEST must be specified' if $dest eq '-';
    validate_net ( $dest, 1 );

    validate_address ( $gateway, 1 ) if $gateway ne '-';
@@ -900,12 +997,14 @@ sub finish_providers() {
 	my $table = MAIN_TABLE;

 	if ( $config{USE_DEFAULT_RT} ) {
-	    emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE . ' pref 999',
+	    emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999',
+		   'run_ip rule add from ' . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765',
 		   "\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
-		   qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766" >> ${VARDIR}/undo_main_routing',
-		   qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE . ' pref 999" >> ${VARDIR}/undo_main_routing',
+		   qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 32766" >> ${VARDIR}/undo_main_routing',
+		   qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999" >> ${VARDIR}/undo_main_routing',
+		   qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765" >> ${VARDIR}/undo_balance_routing',
 		   '' );
-	    $table = DEFAULT_TABLE;
+	    $table = BALANCE_TABLE;
 	}

 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
@@ -956,6 +1055,8 @@ sub finish_providers() {
 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'fi',
 	      '' );
+    } elsif ( $config{USE_DEFAULT_RT} ) {
+	emit "qt \$IP -$family route del default table " . DEFAULT_TABLE;
    }

    unless ( $config{KEEP_RT_TABLES} ) {
@@ -968,7 +1069,7 @@ sub finish_providers() {
 			      '#',
 			      LOCAL_TABLE   . "\tlocal",
 			      MAIN_TABLE    . "\tmain",
-			      DEFAULT_TABLE . "\tdefault",
+			      $config{USE_DEFAULT_RT} ? ( DEFAULT_TABLE . "\tdefault\n" . BALANCE_TABLE . "\tbalance" ) : DEFAULT_TABLE . "\tdefault",
 			      "0\tunspec",
 			      '#',
 			      '# local',
@@ -1031,14 +1132,21 @@ EOF
    for my $provider (@providers ) {
 	my $providerref = $providers{$provider};

-	emit( "$providerref->{physical})",
-	      "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
-	      "        start_provider_$provider",
-	      '    else',
-	      '        startup_error "Interface $g_interface is already enabled"',
-	      '    fi',
-	      '    ;;'
-	    ) if $providerref->{optional};
+	if ( $providerref->{optional} ) {
+	    if ( $providerref->{shared} || $providerref->{physical} eq $provider) {
+		emit "$provider})";
+	    } else {
+		emit( "$providerref->{physical}|$provider)" );
+	    }
+
+	    emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
+		   "        start_provider_$provider",
+		   '    else',
+		   '        startup_error "Interface $g_interface is already enabled"',
+		   '    fi',
+		   '    ;;'
+		 );
+	}
    }

    pop_indent;
@@ -1046,7 +1154,7 @@ EOF

    emit << 'EOF';;
        *)
-            startup_error "$g_interface is not an optional provider interface"
+            startup_error "$g_interface is not an optional provider or provider interface"
            ;;
    esac
 }
@@ -1312,17 +1420,17 @@ sub handle_stickiness( $ ) {

 		for my $chainref ( $stickyref, $setstickyref ) {
 		    if ( $chainref->{name} eq 'sticky' ) {
-			$rule1 = $_;
+			$rule1 = clone_rule( $_ );

 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
 			set_rule_option( $rule1, 'recent', "--name $list --update --seconds 300" );

-			$rule2 = $_;
+			$rule2 = clone_rule( $_ );

 			clear_rule_target( $rule2 );
 			set_rule_option( $rule2, 'mark', "--mark 0/$mask -m recent --name $list --remove" );
 		    } else {
-			$rule1 = $_;
+			$rule1 = clone_rule( $_ );

 			clear_rule_target( $rule1 );
 			set_rule_option( $rule1, 'mark', "--mark $mark\/$mask -m recent --name $list --set" ); 
@@ -1345,17 +1453,29 @@ sub handle_stickiness( $ ) {

 		for my $chainref ( $stickoref, $setstickoref ) {
 		    if ( $chainref->{name} eq 'sticko' ) {
-			$rule1 = $_;
+			$rule1 = {};
+
+			while ( my ( $key, $value ) = each %$_ ) {
+			    $rule1->{$key} = $value;
+			}

 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark" );
+			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300" );

-			$rule2 = $_;
+			$rule2 = {};
+
+			while ( my ( $key, $value ) = each %$_ ) {
+			    $rule2->{$key} = $value;
+			}
 			
 			clear_rule_target( $rule2 );
 			set_rule_option  ( $rule2, 'mark', "--mark 0\/$mask -m recent --name $list --rdest --remove" );
 		    } else {
-			$rule1 = $_;
+			$rule1 = {};
+
+			while ( my ( $key, $value ) = each %$_ ) {
+			    $rule1->{$key} = $value;
+			}

 			clear_rule_target( $rule1 );
 			set_rule_option  ( $rule1, 'mark', "--mark $mark -m recent --name $list --rdest --set" );
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -122,13 +122,15 @@ sub setup_proxy_arp() {

 	while ( read_a_line ) {

-	    my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, $file_opt;
+	    my ( $address, $interface, $external, $haveroute, $persistent ) =
+		split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };

 	    if ( $first_entry ) {
 		progress_message2 "$doing $fn...";
 		$first_entry = 0;
 	    }

+	    fatal_error 'EXTERNAL must be specified' if $external eq '-';
 	    fatal_error "Unknown interface ($external)" unless known_interface $external;
 	    fatal_error "Wildcard interface ($external) not allowed" if $external =~ /\+$/;
 	    $reset{$external} = 1 unless $set{$external};
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -84,7 +84,7 @@ sub setup_notrack() {

 	while ( read_a_line ) {

-	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';
+	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };

 	    if ( $source eq 'COMMENT' ) {
 		process_comment;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -77,6 +77,21 @@ my $rule_commands   = { COMMENT => 0, FORMAT => 2, SECTION => 2 };
 my $action_commands = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULTS => 2 };
 my $macro_commands  = { COMMENT => 0, FORMAT => 2, SECTION => 2, DEFAULT => 2 };

+my %rulecolumns = ( action    =>   0,
+		    source    =>   1,
+		    dest      =>   2,
+		    proto     =>   3,
+		    dport     =>   4,
+		    sport     =>   5,
+		    origdest  =>   6,
+		    rate      =>   7,
+		    user      =>   8,
+		    mark      =>   9,
+		    connlimit =>  10,
+		    time      =>  11,
+		    headers   =>  12,
+		    switch    =>  13 );
+
 use constant { MAX_MACRO_NEST_LEVEL => 5 };

 my $macro_nest_level;
@@ -130,7 +145,8 @@ sub initialize( $ ) {
    #
    # These are set to 1 as sections are encountered.
    #
-    %sections = ( ALL         => 0,
+    %sections = ( BLACKLIST   => 0,
+		  ALL         => 0,
 		  ESTABLISHED => 0,
 		  RELATED     => 0,
 		  NEW         => 0
@@ -297,12 +313,17 @@ sub process_a_policy() {
    our %validpolicies;
    our @zonelist;

-    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = split_line 3, 6, 'policy file';
+    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) =
+	split_line 'policy file', { source => 0, dest => 1, policy => 2, loglevel => 3, limit => 4, connlimit => 5 } ;

    $loglevel  = '' if $loglevel  eq '-';
    $synparams = '' if $synparams eq '-';
    $connlimit = '' if $connlimit eq '-';

+    fatal_error 'SOURCE must be specified' if $client eq '-';
+    fatal_error 'DEST must be specified'   if $server eq '-';
+    fatal_error 'POLICY must be specified' if $originalpolicy eq '-';
+
    my $clientwild = ( "\L$client" eq 'all' );

    fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
@@ -358,7 +379,7 @@ sub process_a_policy() {
    }

    unless ( $clientwild || $serverwild ) {
-	if ( zone_type( $server ) == BPORT ) {
+	if ( zone_type( $server ) & BPORT ) {
 	    fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
 		unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
 	}
@@ -494,11 +515,11 @@ sub process_policies()

    for $zone ( all_zones ) {
 	push @policy_chains, ( new_policy_chain $zone,         $zone, 'ACCEPT', PROVISIONAL, 0 );
-	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL, 0 ) if zone_type( $zone ) == BPORT;
+	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL, 0 ) if zone_type( $zone ) & BPORT;

 	my $zoneref = find_zone( $zone );

-	if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} == VSERVER ) ) {
+	if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} & VSERVER ) ) {
 	    for my $zone1 ( all_zones ) {
 		unless( $zone eq $zone1 ) {
 		    add_or_modify_policy_chain( $zone, $zone1, 0 );
@@ -721,10 +742,12 @@ sub ensure_rules_chain( $ )
 {
    my ($chain) = @_;

-    my $chainref = ensure_chain 'filter', $chain;
+    my $chainref = $filter_table->{$chain};
+
+    $chainref = dont_move( new_chain( 'filter', $chain ) ) unless $chainref;

    unless ( $chainref->{referenced} ) {
-	if ( $section eq 'NEW' or $section eq 'DONE' ) {
+	if ( $section =~/^(NEW|DONE)$/ ) {
 	    finish_chain_section $chainref , 'ESTABLISHED,RELATED';
 	} elsif ( $section eq 'RELATED' ) {
 	    finish_chain_section $chainref , 'ESTABLISHED';
@@ -1354,7 +1377,7 @@ sub process_actions() {
 	open_file $file;

 	while ( read_a_line ) {
-	    my ( $action ) = split_line 1, 1, 'action file';
+	    my ( $action ) = split_line 'action file' , { action => 0 };

 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
@@ -1382,7 +1405,7 @@ sub process_actions() {

 }

-sub process_rule1 ( $$$$$$$$$$$$$$$$ );
+sub process_rule1 ( $$$$$$$$$$$$$$$$$ );

 #
 # Populate an action invocation chain. As new action tuples are encountered,
@@ -1415,16 +1438,19 @@ sub process_action( $) {

 	while ( read_a_line ) {

-	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers );
+	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition );

 	    if ( $format == 1 ) {
-		($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file', $rule_commands;
-		$origdest = $connlimit = $time = $headers = '-';
+		($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
+		    split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands;
+		$origdest = $connlimit = $time = $headers = $condition = '-';
 	    } else {
-		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers )
-		    = split_line1 1, 13, 'action file', $action_commands;
+		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition )
+		    = split_line1 'action file', \%rulecolumns, $action_commands;
 	    }

+	    fatal_error 'TARGET must be specified' if $target eq '-';
+
 	    if ( $target eq 'COMMENT' ) {
 		process_comment;
 		next;
@@ -1456,6 +1482,7 @@ sub process_action( $) {
 			   $connlimit,
 			   $time,
 			   $headers,
+			   $condition,
 			   0 );
 	}

@@ -1485,8 +1512,8 @@ sub use_policy_action( $ ) {
 #
 # Expand a macro rule from the rules file
 #
-sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
-    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $wildcard ) = @_;
+sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
+    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $wildcard ) = @_;

    my $nocomment = no_comment;

@@ -1504,15 +1531,17 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {

    while ( read_a_line ) {

-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition );

 	if ( $format == 1 ) {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $rule_commands;
-	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders ) = qw/- - - - -/;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
+	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = qw/- - - - - -/;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders ) = split_line1 1, 13, 'macro file', $rule_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
 	}

+	fatal_error 'TARGET must be specified' if $mtarget eq '-';
+	
 	if ( $mtarget eq 'COMMENT' ) {
 	    process_comment unless $nocomment;
 	    next;
@@ -1586,6 +1615,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$ ) {
 				    merge_macro_column( $mconnlimit, $connlimit) ,
 				    merge_macro_column( $mtime,      $time ),
 				    merge_macro_column( $mheaders,   $headers ),
+				    merge_macro_column( $mcondition, $condition ),
 				    $wildcard
 				   );

@@ -1618,7 +1648,7 @@ sub verify_audit($;$$) {
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action 
 # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
 #
-sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
+sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $target, 
 	 $current_param,
@@ -1634,6 +1664,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	 $connlimit,
 	 $time,
 	 $headers,
+	 $condition,
 	 $wildcard ) = @_;

    my ( $action, $loglevel) = split_action $target;
@@ -1643,6 +1674,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
    my $inaction = '';
    my $normalized_target;
    my $normalized_action;
+    my $blacklist = ( $section eq 'BLACKLIST' );
 
    ( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if defined $chainref;

@@ -1685,6 +1717,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 				       $connlimit,
 				       $time,
 				       $headers,
+				       $condition,
 				       $wildcard );

 	$macro_nest_level--;
@@ -1708,7 +1741,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
    #
    # We can now dispense with the postfix character
    #
-    $action =~ s/[\+\-!]$//;
+    fatal_error "The +, - and ! modifiers are not allowed in the bllist file or in the BLACKLIST section" if $action =~ s/[\+\-!]$// && $blacklist;
    #
    # Handle actions
    #
@@ -1742,8 +1775,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	fatal_error "The $basictarget TARGET does not accept parameters" if $action =~ s/\(\)$//;
    }

-    if ( $inaction ) {
-	$targets{$inaction} |= NATRULE if $actiontype & (NATRULE | NONAT | NATONLY ) 
+    if ( $actiontype & (NATRULE | NONAT | NATONLY ) ) {
+	$targets{$inaction} |= NATRULE if $inaction;
+	fatal_error "NAT rules are only allowed in the NEW section" unless $section eq 'NEW';
    }
    #
    # Take care of irregular syntax and targets
@@ -1755,7 +1789,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {

 	$bt =~ s/[-+!]$//;

-	my %functions = ( REDIRECT => sub () {
+	my %functions = ( ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
+
+			  REDIRECT => sub () {
 			      my $z = $actiontype & NATONLY ? '' : firewall_zone;
 			      if ( $dest eq '-' ) {
 				  $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
@@ -1765,9 +1801,18 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 				  $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
 			      }
 			  } ,
+
 			  REJECT => sub { $action = 'reject'; } ,
+
 			  CONTINUE => sub { $action = 'RETURN'; } ,
+
+			  WHITELIST => sub { 
+			      fatal_error "'WHITELIST' may only be used in the blrules file and in the 'BLACKLIST' section" unless $blacklist; 
+			      $action = 'RETURN';
+			  } ,
+
 			  COUNT => sub { $action = ''; } ,
+
 			  LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
 		     );

@@ -1844,10 +1889,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
    my $restriction = NO_RESTRICT;

    unless ( $inaction ) {
-	if ( $sourceref && ( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ) ) {
-	    $restriction = $destref && ( $destref->{type} == FIREWALL || $destref->{type} == VSERVER ) ? ALL_RESTRICT : OUTPUT_RESTRICT;
+	if ( $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) ) ) {
+	    $restriction = $destref && ( $destref->{type} & ( FIREWALL | VSERVER ) ) ? ALL_RESTRICT : OUTPUT_RESTRICT;
 	} else {
-	    $restriction = INPUT_RESTRICT if $destref && ( $destref->{type} == FIREWALL || $destref->{type} == VSERVER );
+	    $restriction = INPUT_RESTRICT if $destref && ( $destref->{type} & ( FIREWALL | VSERVER ) );
 	}
    }

@@ -1871,7 +1916,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    #
 	    # Check for illegal bridge port rule
 	    #
-	    if ( $destref->{type} == BPORT ) {
+	    if ( $destref->{type} & BPORT ) {
 		unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
 		    return 0 if $wildcard;
 		    fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
@@ -1892,7 +1937,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    #
 	    # Handle Optimization
 	    #
-	    if ( $optimize > 0 ) {
+	    if ( $optimize > 0 && $section eq 'NEW' ) {
 		my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
 		if ( $loglevel ne '' ) {
 		    return 0 if $target eq "${policy}:$loglevel}";
@@ -1905,9 +1950,23 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    #
 	    $chainref = ensure_rules_chain $chain;
 	    #
-	    # Don't let the rules in this chain be moved elsewhere
+	    # Handle use of the blacklist chain
 	    #
-	    dont_move $chainref;
+	    if ( $blacklist ) {
+		my $blacklistchain = blacklist_chain( ${sourcezone}, ${destzone} );
+		my $blacklistref = $filter_table->{$blacklistchain};
+		
+		unless ( $blacklistref  ) {
+		    my @state;
+		    $blacklistref = new_chain 'filter', $blacklistchain;
+		    $blacklistref->{blacklistsection} = 1;
+		    @state = state_imatch( 'NEW,INVALID' ) if $config{BLACKLISTNEWONLY};
+		    add_ijump( $chainref, j => $blacklistref, @state );
+		}
+		    
+		$chain = $blacklistchain;
+		$chainref = $blacklistref;
+	    }
 	}
    }
    #
@@ -1925,6 +1984,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
 		      do_headers( $headers ) ,
+		      do_condition( $condition ) ,
 		    );
    } else {
 	$rule = join( '',
@@ -1934,14 +1994,15 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 		      do_test( $mark , $globals{TC_MASK} ) ,
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
-		      do_headers( $headers )
+		      do_headers( $headers ) ,
+		      do_condition( $condition ) ,
 		    );
    }

    unless ( $section eq 'NEW' || $inaction ) {
 	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
 	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
-	$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL';
+	$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL' || $blacklist;
    }

    #
@@ -2081,8 +2142,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    $rule = join( '',
 			  do_proto( $proto, $ports, $sports ),
 			  do_ratelimit( $ratelimit, 'ACCEPT' ),
-			  do_user $user ,
-			  do_test( $mark , $globals{TC_MASK} ) );
+			  do_user $user,
+			  do_test( $mark , $globals{TC_MASK} ),
+			  do_condition( $condition )
+			);
 	    $loglevel = '';
 	    $dest     = $server;
 	    $action   = 'ACCEPT';
@@ -2109,11 +2172,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	my $chn;

 	if ( $inaction ) {
-	    $nonat_chain = ensure_chain 'nat', $chain;
+	    $nonat_chain = ensure_chain( 'nat', $chain );
 	} elsif ( $sourceref->{type} == FIREWALL ) {
 	    $nonat_chain = $nat_table->{OUTPUT};
 	} else {
-	    $nonat_chain = ensure_chain 'nat', dnat_chain $sourcezone;
+	    $nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );

 	    my @interfaces = keys %{zone_interfaces $sourcezone};

@@ -2154,6 +2217,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	    }
 	}

+	dont_move( dont_optimize( $nonat_chain ) ) if $tgt eq 'RETURN';
+
 	expand_rule( $nonat_chain ,
 		     PREROUTE_RESTRICT ,
 		     $rule ,
@@ -2165,19 +2230,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 		     $log_action ,
 		     '',
 		   );
-	#
-	# Possible optimization if the rule just generated was a simple jump to the nonat chain
-	#
-	if ( $chn && ${$nonat_chain->{rules}}[-1] eq "-A -j $tgt" ) {
-	    #
-	    # It was -- delete that rule
-	    #
-	    pop @{$nonat_chain->{rules}};
-	    #
-	    # And move the rules from the nonat chain to the zone dnat chain
-	    #
-	    move_rules ( $chn, $nonat_chain );
-	}
    }

    #
@@ -2188,6 +2240,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {
 	if ( $actiontype & ACTION ) {
 	    $action = $usedactions{$normalized_target}{name};
 	    $loglevel = '';
+	} else {
+	    dont_move( dont_optimize ( $chainref ) ) if $action eq 'RETURN';
 	}

 	if ( $origdest ) {
@@ -2202,7 +2256,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ ) {

 	verify_audit( $action ) if $actiontype & AUDIT;

-	expand_rule( ensure_chain( 'filter', $chain ) ,
+	expand_rule( $chainref ,
 		     $restriction ,
 		     $rule ,
 		     $source ,
@@ -2231,13 +2285,15 @@ sub process_section ($) {
    fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
    $sections{$sect} = 1;

-    if ( $sect eq 'ESTABLISHED' ) {
-	$sections{ALL} = 1;
+    if ( $sect eq 'ALL' ) {
+	$sections{BLACKLIST} = 1;
+    } elsif ( $sect eq 'ESTABLISHED' ) {
+	$sections{'BLACKLIST','ALL'} = ( 1, 1);
    } elsif ( $sect eq 'RELATED' ) {
-	@sections{'ALL','ESTABLISHED'} = ( 1, 1);
+	@sections{'BLACKLIST','ALL','ESTABLISHED'} = ( 1, 1, 1);
 	finish_section 'ESTABLISHED';
    } elsif ( $sect eq 'NEW' ) {
-	@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
+	@sections{'BLACKLIST','ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1, 1 );
 	finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
    }

@@ -2313,8 +2369,10 @@ sub build_zone_list( $$$\$\$ ) {
 # Process a Record in the rules file
 #
 sub process_rule ( ) {
-    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers )
-	= split_line1 1, 13, 'rules file', $rule_commands;
+    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition )
+	= split_line1 'rules file', \%rulecolumns, $rule_commands;
+
+    fatal_error 'ACTION must be specified' if $target eq '-';

    process_comment,            return 1 if $target eq 'COMMENT';
    process_section( $source ), return 1 if $target eq 'SECTION';
@@ -2367,6 +2425,7 @@ sub process_rule ( ) {
 						 $connlimit,
 						 $time,
 						 $headers,
+						 $condition,
 						 $wild );
 		}
 	    }
@@ -2382,8 +2441,32 @@ sub process_rule ( ) {
 # Process the Rules File
 #
 sub process_rules() {
+    my $fn = open_file 'blrules';

-    my $fn = open_file 'rules';
+    if ( $fn ) {
+	first_entry( sub () {
+			 my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
+			 my $audit       = $disposition =~ /^A_/;
+			 my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
+
+			 progress_message2 "$doing $fn...";
+
+			 if ( supplied $level ) {
+			     ensure_blacklog_chain( $target, $disposition, $level, $audit );
+			 } elsif ( $audit ) {
+			     require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
+			     verify_audit( $disposition );
+			 }
+		     } );
+	
+	$section = 'BLACKLIST';
+
+	process_rule while read_a_line;
+	    
+	$section = '';
+    }
+
+    $fn = open_file 'rules';

    if ( $fn ) {

--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -191,10 +191,13 @@ sub initialize( $ ) {
 }

 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = split_line1 2, 13, 'tcrules file';
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = 
+	split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12 };

    our @tccmd;

+    fatal_error 'MARK must be specified' if $originalmark eq '-';
+
    if ( $originalmark eq 'COMMENT' ) {
 	process_comment;
 	return;
@@ -390,8 +393,47 @@ sub process_tc_rule( ) {
 			}

 			$target .= ' --tproxy-mark';
-		    }
+		    } elsif ( $target eq 'TTL' ) {
+			fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
+			fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
+			fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );

+			$chain = 'tcfor';
+
+			$cmd =~ /^TTL\(([-+]?\d+)\)$/;
+
+			my $param =  $1;
+
+			fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+			if ( $1 =~ /^\+/ ) {
+			    $target .= " --ttl-inc $param";
+			} elsif ( $1 =~ /\-/ ) {
+			    $target .= " --ttl-dec $param";
+			} else {
+			    $target .= " --ttl-set $param";
+			}
+		    } elsif ( $target eq 'HL' ) {
+			fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
+			fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
+			fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
+
+			$chain = 'tcfor';
+
+			$cmd =~ /^HL\(([-+]?\d+)\)$/;
+
+			my $param =  $1;
+
+			fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+			if ( $1 =~ /^\+/ ) {
+			    $target .= " --hl-inc $param";
+			} elsif ( $1 =~ /\-/ ) {
+			    $target .= " --hl-dec $param";
+			} else {
+			    $target .= " --hl-set $param";
+			}
+		    }

 		    if ( $rest ) {
 			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
@@ -479,6 +521,88 @@ sub calculate_quantum( $$ ) {
    int( ( $rate * 125 ) / $r2q );
 }

+#
+# The next two function implement handling of the IN-BANDWIDTH column in both tcdevices and tcinterfaces
+#
+sub process_in_bandwidth( $ ) {
+    my $in_rate     = shift;
+    
+    return 0 if $in_rate eq '-';
+
+    my $in_burst    = '10kb';
+    my $in_avrate   = 0;
+    my $in_band     = $in_rate;
+    my $burst;
+    my $in_interval = '250ms';
+    my $in_decay    = '4sec';
+
+    if ( $in_rate =~ s/^~// ) {
+	require_capability 'BASIC_FILTER', 'An estimated policing filter', 's';
+
+	if ( $in_rate =~ /:/ ) {
+	    ( $in_rate, $in_interval, $in_decay ) = split /:/, $in_rate, 3;
+	    fatal_error "Invalid IN-BANDWIDTH ($in_band)" unless supplied( $in_interval ) && supplied( $in_decay );
+	    fatal_error "Invalid Interval ($in_interval)" unless $in_interval =~ /^(?:(?:250|500)ms|(?:1|2|4|8)sec)$/;
+	    fatal_error "Invalid Decay ($in_decay)"       unless $in_decay    =~ /^(?:500ms|(?:1|2|4|8|16|32|64)sec)$/;
+	    
+	    if ( $in_decay =~ /ms/ ) {
+		fatal_error "Decay must be at least twice the interval" unless $in_interval eq '250ms';
+	    } else {
+		unless ( $in_interval =~ /ms/ ) {
+		    my ( $interval, $decay ) = ( $in_interval, $in_decay );
+		    $interval =~ s/sec//;
+		    $decay    =~ s/sec//;
+
+		    fatal_error "Decay must be at least twice the interval" unless $decay > $interval;
+		} 
+	    }
+	}
+	    
+	$in_avrate = rate_to_kbit( $in_rate );
+	$in_rate = 0; 
+    } else {
+	if ( $in_band =~ /:/ ) {
+	    ( $in_band, $burst ) = split /:/, $in_rate, 2;
+	    fatal_error "Invalid burst ($burst)" unless $burst  =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
+	    $in_burst = $burst;
+	}
+
+	$in_rate = rate_to_kbit( $in_band );
+	
+    }
+
+    [ $in_rate, $in_burst, $in_avrate, $in_interval, $in_decay ];
+}
+
+sub handle_in_bandwidth( $$ ) {
+    my ($physical, $arrayref ) = @_;
+
+    return 1 unless $arrayref;
+
+    my ($in_rate, $in_burst, $in_avrate, $in_interval, $in_decay ) = @$arrayref;
+
+    emit ( "run_tc qdisc add dev $physical handle ffff: ingress" );
+    
+    if ( have_capability 'BASIC_FILTER' ) {
+	if ( $in_rate ) {
+	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
+		  "    police mpu 64 rate ${in_rate}kbit burst $in_burst action drop\n" );
+	} else {
+	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\",
+		  "    estimator $in_interval $in_decay basic \\",
+		  "    police avrate ${in_avrate}kbit action drop\n" );
+	}
+    } else {
+	emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\" ,
+	      "    u32 match ip src "  . ALLIPv4 . ' \\' ,
+	      "    police rate ${in_rate}kbit burst $in_burst drop flowid :1",
+	      '',
+	      "run_tc filter add dev $physical parent ffff: protocol all prio 10 \\" ,
+	      "    u32 match ip6 src " . ALLIPv6 . ' \\' ,
+	      "    police rate ${in_rate}kbit burst $in_burst drop flowid :1\n" );
+    }
+}
+	
 sub process_flow($) {
    my $flow = shift;

@@ -492,8 +616,9 @@ sub process_flow($) {
 }

 sub process_simple_device() {
-    my ( $device , $type , $in_bandwidth , $out_part ) = split_line 1, 4, 'tcinterfaces';
+    my ( $device , $type , $in_rate , $out_part ) = split_line 'tcinterfaces', { interface => 0, type => 1, in_bandwidth => 2, out_bandwidth => 3 };

+    fatal_error 'INTERFACE must be specified'      if $device eq '-';
    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;

@@ -516,21 +641,8 @@ sub process_simple_device() {
 	}
    }

-    my $in_burst = '10kb';
+    $in_rate = process_in_bandwidth( $in_rate );

-    if ( $in_bandwidth =~ /:/ ) {
-	my ( $in_band, $burst ) = split /:/, $in_bandwidth, 2;
-
-	if ( supplied $burst ) {
-	    fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
-	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
-	    $in_burst = $burst;
-	}
-
-	$in_bandwidth = rate_to_kbit( $in_band );
-    } else {
-	$in_bandwidth = rate_to_kbit( $in_bandwidth );
-    }

    emit( '',
 	  '#',
@@ -545,15 +657,11 @@ sub process_simple_device() {

    push_indent;

-    emit ( "${dev}_exists=Yes",
-	   "qt \$TC qdisc del dev $physical root",
+    emit ( "qt \$TC qdisc del dev $physical root",
 	   "qt \$TC qdisc del dev $physical ingress\n"
 	 );

-    emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
-	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src "  . ALLIPv4 . " police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n",
-	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip6 src " . ALLIPv6 . " police rate ${in_bandwidth}kbit burst $in_burst drop flowid :1\n"
-	 ) if $in_bandwidth;
+    handle_in_bandwidth( $physical, $in_rate );

    if ( $out_part ne '-' ) {
 	my ( $out_bandwidth, $burst, $latency, $peak, $minburst ) = split ':', $out_part;
@@ -606,8 +714,17 @@ sub process_simple_device() {
 	emit '';
    }
    
-    emit "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $number:1\n";
-    emit "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32 match ip6 protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $number:1\n";
+    emit( "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32" .
+	  "\\\n    match ip protocol 6 0xff" .
+	  "\\\n    match u8 0x05 0x0f at 0" .
+	  "\\\n    match u16 0x0000 0xffc0 at 2" .
+	  "\\\n    match u8 0x10 0xff at 33 flowid $number:1\n" );
+
+    emit( "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32" .
+	  "\\\n    match ip6 protocol 6 0xff" .
+	  "\\\n    match u8 0x05 0x0f at 0" .
+	  "\\\n    match u16 0x0000 0xffc0 at 2" .
+	  "\\\n    match u8 0x10 0xff at 33 flowid $number:1\n" );

    save_progress_message_short qq("   TC Device $physical defined.");

@@ -616,7 +733,6 @@ sub process_simple_device() {
    push_indent;

    emit qq(error_message "WARNING: Device $physical is not in the UP state -- traffic-shaping configuration skipped");
-    emit "${dev}_exists=";
    pop_indent;
    emit 'fi';
    pop_indent;
@@ -626,9 +742,10 @@ sub process_simple_device() {
 }

 sub validate_tc_device( ) {
-    my ( $device, $inband, $outband , $options , $redirected ) = split_line 3, 5, 'tcdevices';
+    my ( $device, $inband, $outband , $options , $redirected ) = split_line 'tcdevices', { interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 };

-    fatal_error "Invalid tcdevices entry" if $outband eq '-';
+    fatal_error 'INTERFACE must be specified' if $device eq '-';
+    fatal_error "Invalid tcdevices entry"     if $outband eq '-';

    my $devnumber;

@@ -696,22 +813,9 @@ sub validate_tc_device( ) {
 	}
    }

-    my $in_burst = '10kb';
+    $inband = process_in_bandwidth( $inband );

-    if ( $inband =~ /:/ ) {
-	my ( $in_band, $burst ) = split /:/, $inband, 2;
-
-	if ( supplied $burst ) {
-	    fatal_error "Invalid IN-BANDWIDTH" if $burst =~ /:/;
-	    fatal_error "Invalid burst ($burst)" unless $burst =~ /^\d+(k|kb|m|mb|mbit|kbit|b)?$/;
-	    $in_burst = $burst;
-	}
-
-	$inband = $in_band;
-    }
-
-    $tcdevices{$device} = { in_bandwidth  => rate_to_kbit( $inband ),
-			    in_burst      => $in_burst,
+    $tcdevices{$device} = { in_bandwidth  => $inband,
 			    out_bandwidth => rate_to_kbit( $outband ) . 'kbit',
 			    number        => $devnumber,
 			    classify      => $classify,
@@ -789,7 +893,8 @@ sub dev_by_number( $ ) {
 }

 sub validate_tc_class( ) {
-    my ( $devclass, $mark, $rate, $ceil, $prio, $options ) = split_line 4, 6, 'tcclasses file';
+    my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
+	split_line 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
    my $classnumber = 0;
    my $devref;
    my $device = $devclass;
@@ -797,6 +902,9 @@ sub validate_tc_class( ) {
    my $parentclass = 1;
    my $parentref;

+    fatal_error 'INTERFACE must be specified' if $devclass eq '-';
+    fatal_error 'CEIL must be specified'      if $ceil eq '-';
+
    if ( $devclass =~ /:/ ) {
 	( $device, my ($number, $subnumber, $rest ) )  = split /:/, $device, 4;
 	fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest;
@@ -852,7 +960,7 @@ sub validate_tc_class( ) {
 	    if ( $classnumber ) {
 		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
 	    } else {
-		$classnumber = $config{WIDE_TC_MARKS} ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
+		$classnumber = $config{TC_BITS} >= 14 ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
 		fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
 	    }
 	}
@@ -1010,7 +1118,9 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
 #
 sub process_tc_filter() {

-    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 2, 8, 'tcfilters file';
+    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 };
+
+    fatal_error 'CLASS must be specified' if $devclass eq '-';

    my ($device, $class, $rest ) = split /:/, $devclass, 3;

@@ -1310,7 +1420,9 @@ sub process_tcfilters() {
 # Process a tcpri record
 #
 sub process_tc_priority() {
-    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 1, 6, 'tcpri';
+    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
+
+    fatal_error 'BAND must be specified' if $band eq '-';

    if ( $band eq 'COMMENT' ) {
 	process_comment;
@@ -1446,34 +1558,33 @@ sub process_traffic_shaping() {
    my $sfq = 0;
    my $sfqinhex;

-    for my $device ( @tcdevices ) {
-	my $devref  = $tcdevices{$device};
+    for my $devname ( @tcdevices ) {
+	my $devref  = $tcdevices{$devname};
 	my $defmark = in_hexp ( $devref->{default} || 0 );
 	my $devnum  = in_hexp $devref->{number};
 	my $r2q     = int calculate_r2q $devref->{out_bandwidth};

-	fatal_error "No default class defined for device $device" unless $devref->{default};
+	fatal_error "No default class defined for device $devname" unless $devref->{default};

-	$device = physical_name $device;
-
-	my $dev = chain_base( $device );
-
-	emit( '',
-	      '#',
-	      "# Configure Traffic Shaping for $device",
-	      '#',
-	      "setup_${dev}_tc() {" );
-
-	push_indent;
+	my $device = physical_name $devname;

 	unless ( $config{TC_ENABLED} eq 'Shared' ) {

+	    my $dev = chain_base( $device );
+
+	    emit( '',
+		  '#',
+		  "# Configure Traffic Shaping for $device",
+		  '#',
+		  "setup_${dev}_tc() {" );
+
+	    push_indent;
+
 	    emit "if interface_is_up $device; then";

 	    push_indent;

-	    emit ( "${dev}_exists=Yes",
-		   "qt \$TC qdisc del dev $device root",
+	    emit ( "qt \$TC qdisc del dev $device root",
 		   "qt \$TC qdisc del dev $device ingress",
 		   "${dev}_mtu=\$(get_device_mtu $device)",
 		   "${dev}_mtu1=\$(get_device_mtu1 $device)"
@@ -1504,11 +1615,7 @@ sub process_traffic_shaping() {
 		      qq(fi) );
 	    }

-	    if ( $devref->{in_bandwidth} ) {
-		emit ( "run_tc qdisc add dev $device handle ffff: ingress",
-		       "run_tc filter add dev $device parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate $devref->{in_bandwidth}kbit burst $devref->{in_burst} drop flowid :1"
-		     );
-	    }
+	    handle_in_bandwidth( $device, $devref->{in_bandwidth} );

 	    for my $rdev ( @{$devref->{redirected}} ) {
 		emit ( "run_tc qdisc add dev $rdev handle ffff: ingress" );
@@ -1521,7 +1628,7 @@ sub process_traffic_shaping() {
 		#
 		my ( $d, $decimalclassnum ) = split /:/, $class;

-		next unless $d eq $device;
+		next unless $d eq $devname;
 		#
 		# For inclusion in 'tc' commands, we also need the hex representation
 		#
@@ -1529,7 +1636,7 @@ sub process_traffic_shaping() {
 		#
 		# The decimal value of the class number is also used as the key for the hash at $tcclasses{$device}
 		#
-		my $tcref    = $tcclasses{$device}{$decimalclassnum};
+		my $tcref    = $tcclasses{$devname}{$decimalclassnum};
 		my $mark     = $tcref->{mark};
 		my $devicenumber  = in_hexp $devref->{number};
 		my $classid  = join( ':', $devicenumber, $classnum);
@@ -1537,7 +1644,6 @@ sub process_traffic_shaping() {
 		my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );

 		$classids{$classid}=$device;
-		$device = physical_name $device;

 		my $priority = $tcref->{priority} << 8;
 		my $parent   = in_hexp $tcref->{parent};
@@ -1578,7 +1684,11 @@ sub process_traffic_shaping() {
 		#
 		# options
 		#
-		emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) ." u32 match ip protocol 6 0xff match u8 0x05 0x0f at 0 match u16 0x0000 0xffc0 at 2 match u8 0x10 0xff at 33 flowid $classid" if $tcref->{tcp_ack};
+		emit( "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . ' u32' .
+		      "\\\n    match ip protocol 6 0xff" .
+		      "\\\n    match u8 0x05 0x0f at 0" .
+		      "\\\n    match u16 0x0000 0xffc0 at 2" .
+		      "\\\n    match u8 0x10 0xff at 33 flowid $classid" ) if $tcref->{tcp_ack};

 		for my $tospair ( @{$tcref->{tos}} ) {
 		    my ( $tos, $mask ) = split q(/), $tospair;
@@ -1589,25 +1699,24 @@ sub process_traffic_shaping() {
 		emit '';

 	    }
-	}

-	emit '';
+	    emit '';

-	emit "$_" for @{$devref->{filters}};
+	    emit "$_" for @{$devref->{filters}};
 	
-	save_progress_message_short qq("   TC Device $device defined.");
+	    save_progress_message_short qq("   TC Device $device defined.");

-	pop_indent;
-	emit 'else';
-	push_indent;
+	    pop_indent;
+	    emit 'else';
+	    push_indent;

-	emit qq(error_message "WARNING: Device $device is not in the UP state -- traffic-shaping configuration skipped");
-	emit "${dev}_exists=";
-	pop_indent;
-	emit "fi\n";
+	    emit qq(error_message "WARNING: Device $device is not in the UP state -- traffic-shaping configuration skipped");
+	    pop_indent;
+	    emit "fi\n";

-	pop_indent;
-	emit "}\n";
+	    pop_indent;
+	    emit "}\n";
+	}
    }
 }

@@ -1625,7 +1734,9 @@ sub process_tc() {
    # it can call the appropriate 'setup_x_tc" function when the device is
    # enabled.

-    \%tcdevices;
+    my %empty;
+    
+    $config{TC_ENABLED} eq 'Shared' ? \%empty : \%tcdevices;
 }

 #
@@ -1640,14 +1751,16 @@ sub setup_traffic_shaping() {

 	emit "setup_${dev}_tc";
    }
-
 }

 #
 # Process a record in the secmarks file
 #
 sub process_secmark_rule() {
-    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = split_line1( 2, 9 , 'Secmarks file' );
+    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) =
+	split_line1( 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
+
+    fatal_error 'SECMARK must be specified' if $secmark eq '-';

    if ( $secmark eq 'COMMENT' ) {
 	process_comment;
@@ -1756,7 +1869,7 @@ sub setup_tc() {
 	append_file $globals{TC_SCRIPT};
    } else {
 	process_tcpri if $config{TC_ENABLED} eq 'Simple';
-	setup_traffic_shaping;
+	setup_traffic_shaping unless $config{TC_ENABLED} eq 'Shared';
    }

    if ( $config{TC_ENABLED} ) {
@@ -1805,6 +1918,18 @@ sub setup_tc() {
 			  mark      => HIGHMARK,
 			  mask      => '',
 			  connmark  => '' },
+			{ match     => sub( $ ) { $_[0] =~ /^TTL/ },
+			  target    => 'TTL',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
+			{ match     => sub( $ ) { $_[0] =~ /^HL/ },
+			  target    => 'HL',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			} 
 		      );

 	if ( my $fn = open_file 'tcrules' ) {
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -238,7 +238,7 @@ sub setup_tunnels() {

 	my $zonetype = zone_type( $zone );

-	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
+	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype & ( FIREWALL | BPORT );

 	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
 	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
@@ -253,6 +253,7 @@ sub setup_tunnels() {
 			    'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
 			    'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
 			    '6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+			    '6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
 			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
 			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
 			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
@@ -284,7 +285,10 @@ sub setup_tunnels() {

 	while ( read_a_line ) {

-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateway_zone => 3 };
+
+	    fatal_error 'TYPE must be specified' if $kind eq '-';
+	    fatal_error 'ZONE must be specified' if $zone eq '-';

 	    if ( $kind eq 'COMMENT' ) {
 		process_comment;
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -50,6 +50,7 @@ our @EXPORT = qw( NOTHING
 		  defined_zone
 		  zone_type
 		  zone_interfaces
+		  zone_mark
 		  all_zones
 		  all_parent_zones
 		  complex_zones
@@ -75,6 +76,7 @@ our @EXPORT = qw( NOTHING
 		  get_interface_option
 		  interface_has_option
 		  set_interface_option
+		  set_interface_provider
 		  interface_zones
 		  verify_required_interfaces
 		  compile_updown
@@ -97,6 +99,14 @@ use constant { NOTHING    => 'NOTHING',
 	       IPSECPROTO => 'ah|esp|ipcomp',
 	       IPSECMODE  => 'tunnel|transport'
 	       };
+
+#
+# Option columns
+#
+use constant { IN_OUT     => 1,
+	       IN         => 2,
+	       OUT        => 3 };
+
 #
 # Zone Table.
 #
@@ -132,6 +142,7 @@ use constant { NOTHING    => 'NOTHING',
 #
 my @zones;
 my %zones;
+my %zonetypes;
 my $firewall_zone;

 my  %reservedName = ( all => 1,
@@ -177,15 +188,19 @@ my %physical;
 my %basemap;
 my %mapbase;
 my $family;
+my $upgrade;
 my $have_ipsec;
 my $baseseq;
 my $minroot;
+my $zonemark;
+my $zonemarkincr;
+my $zonemarklimit;

 use constant { FIREWALL => 1,
 	       IP       => 2,
-	       BPORT    => 3,
-	       IPSEC    => 4,
-	       VSERVER  => 5 };
+	       BPORT    => 4,
+	       IPSEC    => 8,
+	       VSERVER  => 16 };

 use constant { SIMPLE_IF_OPTION   => 1,
 	       BINARY_IF_OPTION   => 2,
@@ -221,8 +236,8 @@ my %validhostoptions;
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $ ) {
-    $family = shift;
+sub initialize( $$ ) {
+    ( $family , $upgrade ) = @_;
    @zones = ();
    %zones = ();
    $firewall_zone = '';
@@ -275,6 +290,7 @@ sub initialize( $ ) {
 			     destonly => 1,
 			     sourceonly => 1,
 			    );
+	%zonetypes = ( 1 => 'firewall', 2 => 'ipv4', 4 => 'bport4', 8 => 'ipsec4', 16 => 'vserver' );
    } else {
 	%validinterfaceoptions = (  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
@@ -300,6 +316,7 @@ sub initialize( $ ) {
 			     routeback => 1,
 			     tcpflags => 1,
 			    );
+	%zonetypes = ( 1 => 'firewall', 2 => 'ipv6', 4 => 'bport6', 8 => 'ipsec4', 16 => 'vserver' );
    }
 }

@@ -309,9 +326,10 @@ sub initialize( $ ) {
 # => mss   = <MSS setting>
 # => ipsec = <-m policy arguments to match options>
 #
-sub parse_zone_option_list($$\$)
+sub parse_zone_option_list($$\$$)
 {
    my %validoptions = ( mss          => NUMERIC,
+			 nomark       => NOTHING,
 			 blacklist    => NOTHING,
 			 strict       => NOTHING,
 			 next         => NOTHING,
@@ -323,13 +341,13 @@ sub parse_zone_option_list($$\$)
 			 "tunnel-dst" => NETWORK,
 		       );

-    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8 };
+    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
    #
    # Hash of options that have their own key in the returned hash.
    #
-    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW );
+    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );

-    my ( $list, $zonetype, $complexref ) = @_;
+    my ( $list, $zonetype, $complexref, $column ) = @_;
    my %h;
    my $options = '';
    my $fmt;
@@ -362,11 +380,12 @@ sub parse_zone_option_list($$\$)
 	    my $key = $key{$e};

 	    if ( $key ) {
-		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
+		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
+		fatal_error "Opeion '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
 		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
-		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
+		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype & IPSEC;
 		$options .= $invert;
 		$options .= "--$e ";
 		$options .= "$val "if defined $val;
@@ -402,19 +421,14 @@ sub process_zone( \$ ) {

    my @parents;

-    my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
+    my ($zone, $type, $options, $in_options, $out_options ) =
+	split_line 'zones file', { zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 };
+
+    fatal_error 'ZONE must be specified' if $zone eq '-';

    if ( $zone =~ /(\w+):([\w,]+)/ ) {
 	$zone = $1;
 	@parents = split_list $2, 'zone';
-
-	for my $p ( @parents ) {
-	    fatal_error "Invalid Parent List ($2)" unless $p;
-	    fatal_error "Unknown parent zone ($p)" unless $zones{$p};
-	    fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL;
-	    fatal_error 'Subzones of a Vserver zone not allowed' if $zones{$p}{type} == VSERVER;
-	    push @{$zones{$p}{children}}, $zone;
-	}
    }

    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH};
@@ -427,10 +441,11 @@ sub process_zone( \$ ) {
 	$$ip = 1;
    } elsif ( $type =~ /^ipsec([46])?$/i ) {
 	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
+	require_capability 'POLICY_MATCH' , 'IPSEC zones', '';
 	$type = IPSEC;
    } elsif ( $type =~ /^bport([46])?$/i ) {
 	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
-	warning_message "Bridge Port zones should have a parent zone" unless @parents;
+	warning_message "Bridge Port zones should have a parent zone" unless @parents || $config{ZONE_BITS};
 	$type = BPORT;
 	push @bport_zones, $zone;
    } elsif ( $type eq 'firewall' ) {
@@ -449,11 +464,18 @@ sub process_zone( \$ ) {
 	fatal_error "Invalid zone type ($type)";
    }

-    if ( $type eq IPSEC ) {
-	require_capability 'POLICY_MATCH' , 'IPSEC zones', '';
-	for ( @parents ) {
-	    set_super( $zones{$_} ) unless $zones{$_}{type} == IPSEC;
-	}
+    for my $p ( @parents ) {
+	fatal_error "Invalid Parent List ($2)" unless $p;
+	fatal_error "Unknown parent zone ($p)" unless $zones{$p};
+
+	my $ptype = $zones{$p}{type};
+
+	fatal_error 'Subzones of a Vserver zone not allowed' if $ptype & VSERVER;
+	fatal_error 'Subzones of firewall zone not allowed'  if $ptype & FIREWALL;
+
+	set_super( $zones{$p} ) if $type & IPSEC && ! ( $ptype & IPSEC );
+
+	push @{$zones{$p}{children}}, $zone;
    }

    my $complex = 0;
@@ -461,10 +483,10 @@ sub process_zone( \$ ) {
    my $zoneref = $zones{$zone} = { type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
-				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex ) ,
-						    in      => parse_zone_option_list( $in_options , $type , $complex ) ,
-						    out     => parse_zone_option_list( $out_options , $type , $complex ) ,
-						    complex => ( $type == IPSEC || $complex ) ,
+				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
+						    in      => parse_zone_option_list( $in_options , $type , $complex , IN ) ,
+						    out     => parse_zone_option_list( $out_options , $type , $complex , OUT ) ,
+						    complex => ( $type & IPSEC || $complex ) ,
 						    nested  => @parents > 0 ,
 						    super   => 0 ,
 						  } ,
@@ -473,6 +495,28 @@ sub process_zone( \$ ) {
 				    hosts      => {}
 				  };

+    if ( $config{ZONE_BITS} ) {
+	my $mark;
+
+	if ( $type == FIREWALL ) {
+	    $mark = 0;
+	} else {
+	    unless ( $zoneref->{options}{in_out}{nomark} ) {
+		fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
+		$mark      = $zonemark;
+		$zonemark += $zonemarkincr;
+		$zoneref->{options}{complex} = 1;
+	    }
+	}
+
+	if ( $zoneref->{options}{in_out}{nomark} ) {
+	    progress_message_nocompress "   Zone $zone:\tmark value not assigned";
+	} else {
+	    progress_message_nocompress "   Zone $zone:\tmark value " . in_hex( $zoneref->{mark} = $mark );
+	}
+    }
+	
+
    if ( $zoneref->{options}{in_out}{blacklist} ) {
 	for ( qw/in out/ ) {
 	    unless ( $zoneref->{options}{$_}{blacklist} ) {
@@ -494,6 +538,10 @@ sub determine_zones()
    my @z;
    my $ip = 0;

+    $zonemark      = 1 << $globals{ZONE_OFFSET};
+    $zonemarkincr  = $zonemark;
+    $zonemarklimit = $zonemark << $config{ZONE_BITS};
+
    if ( my $fn = open_file 'zones' ) {
 	first_entry "$doing $fn...";
 	push @z, process_zone( $ip ) while read_a_line;
@@ -532,7 +580,7 @@ sub determine_zones()
 #
 sub haveipseczones() {
    for my $zoneref ( values %zones ) {
-	return 1 if $zoneref->{type} == IPSEC;
+	return 1 if $zoneref->{type} & IPSEC;
    }

    0;
@@ -545,22 +593,13 @@ sub zone_report()
 {
    progress_message2 "Determining Hosts in Zones...";

-    my @translate;
-
-    if ( $family == F_IPV4 ) {
-	@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
-    } else {
-	@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
-    }
-
-    for my $zone ( @zones )
-    {
+    for my $zone ( @zones ) {
 	my $zoneref   = $zones{$zone};
 	my $hostref   = $zoneref->{hosts};
 	my $type      = $zoneref->{type};
 	my $optionref = $zoneref->{options};

-	progress_message_nocompress "   $zone ($translate[$type])";
+	progress_message_nocompress "   $zone ($zonetypes{$type})";

 	my $printed = 0;

@@ -592,7 +631,7 @@ sub zone_report()
 	}

 	unless ( $printed ) {
-	    fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge};
+	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
 	}

@@ -602,16 +641,7 @@ sub zone_report()
 #
 # This function is called to create the contents of the ${VARDIR}/zones file
 #
-sub dump_zone_contents()
-{
-    my @xlate;
-
-    if ( $family == F_IPV4 ) {
-	@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
-    } else {
-	@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
-    }
-
+sub dump_zone_contents() {
    for my $zone ( @zones )
    {
 	my $zoneref    = $zones{$zone};
@@ -619,9 +649,10 @@ sub dump_zone_contents()
 	my $type       = $zoneref->{type};
 	my $optionref  = $zoneref->{options};

-	my $entry      =  "$zone $xlate[$type]";
+	my $entry      =  "$zone $zonetypes{$type}";

-	$entry .= ":$zoneref->{bridge}" if $type == BPORT;
+	$entry .= ":$zoneref->{bridge}" if $type & BPORT;
+	$entry .= ( " mark=" . in_hex( $zoneref->{mark} ) ) if exists $zoneref->{mark};

 	if ( $hostref ) {
 	    for my $type ( sort keys %$hostref ) {
@@ -732,7 +763,7 @@ sub add_group_to_zone($$$$$)

    $zoneref->{options}{in_out}{routeback} = 1 if $options->{routeback};

-    my $gtype = $type == IPSEC ? 'ipsec' : 'ip';
+    my $gtype = $type & IPSEC ? 'ipsec' : 'ip';

    $hostsref     = ( $zoneref->{hosts}           || ( $zoneref->{hosts} = {} ) );
    $typeref      = ( $hostsref->{$gtype}         || ( $hostsref->{$gtype} = {} ) );
@@ -744,7 +775,7 @@ sub add_group_to_zone($$$$$)

    push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
-			     ipsec   => $type == IPSEC ? 'ipsec' : 'none' ,
+			     ipsec   => $type & IPSEC ? 'ipsec' : 'none' ,
 			     exclusions => \@exclusions };

    $interfaces{$interface}{options}{routeback} ||= ( $type != IPSEC && $options->{routeback} );
@@ -772,6 +803,12 @@ sub zone_interfaces( $ ) {
    find_zone( $_[0] )->{interfaces};
 }

+sub zone_mark( $ ) {
+    my $zoneref = find_zone( $_[0] );
+    fatal_error "Zone $_[0] has no assigned mark" unless exists $zoneref->{mark};
+    $zoneref->{mark};
+}
+
 sub defined_zone( $ ) {
    $zones{$_[0]};
 }
@@ -781,11 +818,11 @@ sub all_zones() {
 }

 sub off_firewall_zones() {
-   grep ( ! ( $zones{$_}{type} == FIREWALL || $zones{$_}{type} == VSERVER )  ,  @zones );
+   grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }

 sub non_firewall_zones() {
-   grep ( $zones{$_}{type} != FIREWALL  ,  @zones );
+   grep ( ! ( $zones{$_}{type} & FIREWALL ) ,  @zones );
 }

 sub all_parent_zones() {
@@ -801,7 +838,7 @@ sub complex_zones() {
 }

 sub vserver_zones() {
-    grep ( $zones{$_}{type} == VSERVER, @zones );
+    grep ( $zones{$_}{type} & VSERVER, @zones );
 }

 sub firewall_zone() {
@@ -871,7 +908,7 @@ sub process_interface( $$ ) {
    my ( $nextinum, $export ) = @_;
    my $netsref   = '';
    my $filterref = [];
-    my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
+    my ($zone, $originalinterface, $bcasts, $options ) = split_line 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
    my $zoneref;
    my $bridge = '';

@@ -884,6 +921,8 @@ sub process_interface( $$ ) {
 	fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
    }

+    fatal_error 'INTERFACE must be specified' if $originalinterface eq '-';
+
    my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;

    fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
@@ -898,7 +937,7 @@ sub process_interface( $$ ) {

 	fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
 	$interfaces{$interface}{ports}++;
-	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
+	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && ! ( $zoneref->{type} & BPORT );

 	if ( $zone ) {
 	    if ( $zoneref->{bridge} ) {
@@ -907,15 +946,15 @@ sub process_interface( $$ ) {
 		$zoneref->{bridge} = $interface;
 	    }

-	    fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} == VSERVER;
+	    fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} & VSERVER;
 	}

 	$bridge = $interface;
 	$interface = $port;
    } else {
 	fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
-	fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} == BPORT;
-	fatal_error "Vserver zones may not be associated with interfaces" if $zone && $zoneref->{type} == VSERVER;
+	fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} & BPORT;
+	fatal_error "Vserver zones may not be associated with interfaces" if $zone && $zoneref->{type} & VSERVER;

 	$bridge = $interface;
    }
@@ -981,7 +1020,7 @@ sub process_interface( $$ ) {
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};

 	    if ( $zone ) {
-		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} == VSERVER && ! ( $type & IF_OPTION_VSERVER );
+		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER );
 	    } else {
 		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
 	    }
@@ -1618,7 +1657,7 @@ sub compile_updown() {
    if ( @$ignore ) {
 	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$ignore;

-	$interfaces =~ s/\+/*/;
+	$interfaces =~ s/\+/*/g;

 	emit( "$interfaces)",
 	      '    progress_message3 "$COMMAND on interface $1 ignored"',
@@ -1630,7 +1669,7 @@ sub compile_updown() {
    if ( @$required ) {
 	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$required;

-	my $wildcard = ( $interfaces =~ s/\+/*/ );
+	my $wildcard = ( $interfaces =~ s/\+/*/g );

 	emit( "$interfaces)",
 	      '    if [ "$COMMAND" = up ]; then' );
@@ -1669,17 +1708,26 @@ sub compile_updown() {
    }

    if ( @$optional ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$optional;
+	my @interfaces = map $interfaces{$_}->{physical}, @$optional;
+	my $interfaces = join '|', @interfaces; 

-	$interfaces =~ s/\+/*/;
+	if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
+	    emit( "$interfaces)",
+		  '    if [ "$COMMAND" = up ]; then',
+		  '        echo 0 > ${VARDIR}/${1}.state',
+		  '    else',
+		  '        echo 1 > ${VARDIR}/${1}.state',
+		  '    fi' );
+	} else {
+	    emit( "$interfaces)",
+		  '    if [ "$COMMAND" = up ]; then',
+		  "        echo 0 > \${VARDIR}/$interfaces.state",
+		  '    else',
+		  "        echo 1 > \${VARDIR}/$interfaces.state",
+		  '    fi' );
+	}

-	emit( "$interfaces)",
-	      '    if [ "$COMMAND" = up ]; then',
-	      '        echo 0 > ${VARDIR}/${1}.state',
-	      '    else',
-	      '        echo 1 > ${VARDIR}/${1}.state',
-	      '    fi',
-	      '',
+	emit( '',
 	      '    if [ "$state" = started ]; then',
 	      '        COMMAND=restart',
 	      '        progress_message3 "$g_product attempting restart"',
@@ -1727,7 +1775,10 @@ sub compile_updown() {
 #
 sub process_host( ) {
    my $ipsec = 0;
-    my ($zone, $hosts, $options ) = split_line 2, 3, 'hosts file';
+    my ($zone, $hosts, $options ) = split_line 'hosts file', { zone => 0, hosts => 1, options => 2 };
+
+    fatal_error 'ZONE must be specified'  if $zone eq '-';
+    fatal_error 'HOSTS must be specified' if $hosts eq '-';

    my $zoneref = $zones{$zone};
    my $type    = $zoneref->{type};
@@ -1763,7 +1814,7 @@ sub process_host( ) {
 	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
    }

-    if ( $type == BPORT ) {
+    if ( $type & BPORT ) {
 	if ( $zoneref->{bridge} eq '' ) {
 	    fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port};
 	    $zoneref->{bridge} = $interfaces{$interface}{bridge};
@@ -1789,14 +1840,14 @@ sub process_host( ) {
 	    } elsif ( $option eq 'blacklist' ) {
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $validhostoptions{$option}) {
-		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
+		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type & VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
 		$options{$option} = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}

-	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER;
+	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} & VSERVER;

 	$optionsref = \%options;
    }
@@ -1817,7 +1868,7 @@ sub process_host( ) {
    $hosts = join( '', ALLIP , $hosts ) if substr($hosts, 0, 2 ) eq ',!';

    if ( $hosts eq 'dynamic' ) {
-	fatal_error "Vserver zones may not be dynamic" if $type == VSERVER;
+	fatal_error "Vserver zones may not be dynamic" if $type & VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
 	my $physical = chain_base( physical_name $interface );
 	my $set      = $family == F_IPV4 ? "${zone}_${physical}" : "6_${zone}_${physical}";
@@ -1829,7 +1880,7 @@ sub process_host( ) {
    #
    # We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
    #
-    $interface = '%vserver%' if $type == VSERVER;
+    $interface = '%vserver%' if $type & VSERVER;

    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);

@@ -1871,7 +1922,7 @@ sub find_hosts_by_option( $ ) {
    my $option = $_[0];
    my @hosts;

-    for my $zone ( grep $zones{$_}{type} != FIREWALL , @zones ) {
+    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -37,6 +37,7 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
+#         --config_path=<path-list>   # Search path for config files
 #
 use strict;
 use FindBin;
@@ -62,7 +63,9 @@ sub usage( $ ) {
    [ --preview ]
    [ --family={4|6} ]
    [ --annotate ]
-    [ --updatee ]
+    [ --update ]
+    [ --convert ]
+    [ --config_path=<path-list> ]
 ';

    exit shift @_;
@@ -86,6 +89,8 @@ my $family        = 4; # F_IPV4
 my $preview       = 0;
 my $annotate      = 0;
 my $update        = 0;
+my $convert       = 0;
+my $config_path   = '';

 Getopt::Long::Configure ('bundling');

@@ -115,6 +120,8 @@ my $result = GetOptions('h'               => \$help,
 			'annotate'        => \$annotate,
 			'u'               => \$update,
 			'update'          => \$update,
+			'convert'         => \$convert,
+			'config_path=s'   => \$config_path,
 		       );

 usage(1) unless $result && @ARGV < 2;
@@ -134,5 +141,7 @@ compiler( script          => $ARGV[0] || '',
 	  family          => $family,
 	  confess         => $confess,
 	  update          => $update,
+	  convert         => $convert,
 	  annotate        => $annotate,
+	  config_path     => $config_path,
 	);
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -20,7 +20,13 @@
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-
+#
+#  Parameters:
+#
+#      $1 = Path name of params file
+#      $2 = $CONFIG_PATH
+#      $3 = Address family (4 o4 6)
+#
 if [ "$3" = 6 ]; then
    . /usr/share/shorewall6/lib.base
    . /usr/share/shorewall6/lib.cli
--- a/Shorewall/Perl/prog.footer6
+++ b/Shorewall/Perl/prog.footer6
@@ -5,7 +5,21 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
+    echo "Usage: $0 [ options ] <command>"
+    echo
+    echo "<command> is one of:"
+    echo "   start"
+    echo "   stop"
+    echo "   clear"
+    echo "   disable <interface>"
+    echo "   down <interface>"
+    echo "   enable <interface>"
+    echo "   reset"
+    echo "   refresh"
+    echo "   restart"
+    echo "   status"
+    echo "   up <interface>"
+    echo "   version"
    echo
    echo "Options are:"
    echo
@@ -330,6 +344,26 @@ case "$COMMAND" in
 	updown $1
 	status=0
 	;;
+    enable)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	if shorewall6_is_started; then
+	    detect_configuration
+	    enable_provider $1
+	fi
+	status=0
+	;;
+    disable)
+	[ $# -eq 1 ] && exit 0
+	shift
+	[ $# -ne 1 ] && usage 2
+	if shorewall6_is_started; then
+	    detect_configuration
+	    disable_provider $1
+	fi
+	status=0
+	;;
    version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -196,6 +196,35 @@ find_interface_full_addresses() # $1 = interface
    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
 }

+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
+{
+    local route
+    local weight
+    local delta
+    local dev
+    
+    run_ip route add default scope global table $2 $1
+}
+
+#
+# Remove a gateway from the default route
+#
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
+{
+    local route
+    local gateway
+    local dev
+
+    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    gateway=$1
+  
+    dev=$(find_device $route)
+    [ "$dev" = "$3" ] && run_ip route delete default table $2
+}
+
 #
 #  echo the list of networks routed out of a given interface
 #
@@ -469,6 +498,8 @@ get_device_mtu1() # $1 = device
 # Undo changes to routing
 #
 undo_routing() {
+    local undofiles
+    local f

    if [ -z "$g_noroutes"  ]; then
 	#
@@ -481,10 +512,16 @@ undo_routing() {
 	#
 	# Restore the rest of the routing table
 	#
-	if [ -f ${VARDIR}/undo_routing ]; then
-	    . ${VARDIR}/undo_routing
-	    progress_message "Shorewall-generated routing tables and routing rules removed"
-	    rm -f ${VARDIR}/undo_*routing
+	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
+
+	if [ -n "$undofiles" ]; then
+	    for f in $undofiles; do
+		. $f
+	    done
+
+	    rm -f $undofiles
+
+            progress_message "Shorewall6-generated routing tables and routing rules removed"
 	fi
    fi

--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@@ -0,0 +1,85 @@
+#
+# Shorewall version 4 - Drop Smurfs Action
+#
+# /usr/share/shorewall/action.DropSmurfs
+#
+#   Accepts a single optional parameter:
+#
+#          -     = Do not Audit
+#          audit = Audit dropped packets.
+#
+#################################################################################
+FORMAT 2
+
+DEFAULTS -
+
+BEGIN PERL;
+use strict;
+use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $audit ) = get_action_params( 1 );
+
+my $chainref        = get_action_chain;
+my ( $level, $tag ) = get_action_logging;
+my $target;
+
+if ( $level ne '-' || $audit ne '-' ) {
+    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
+
+    log_rule_limit( $level,
+		    $logchainref,
+		    $chainref->{name},
+		    'DROP',
+		    '',
+		    $tag,
+		    'add',
+		    '' );
+
+    if ( supplied $audit ) {
+	fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
+	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's';
+	add_ijump( $logchainref, j => 'AUDIT --type DROP' );
+    } 
+	
+    add_ijump( $logchainref, j => 'DROP' );
+
+    $target = $logchainref;
+} else {
+    $target = 'DROP';
+}
+		    
+if ( have_capability( 'ADDRTYPE' ) ) {
+    if ( $family == F_IPV4 ) {
+	add_ijump $chainref , j => 'RETURN', s => '0.0.0.0';         ;
+    } else {
+	add_ijump $chainref , j => 'RETURN', s => '::';
+    }
+
+    add_ijump( $chainref, g => $target, addrtype => '--src-type BROADCAST' ) ;
+} else {
+    if ( $family == F_IPV4 ) {
+	add_commands $chainref, 'for address in $ALL_BCASTS; do';
+    } else {
+	add_commands $chainref, 'for address in $ALL_ACASTS; do';
+    }
+    
+    incr_cmd_level $chainref;
+    add_ijump( $chainref, g => $target, s => '$address' );
+    decr_cmd_level $chainref;
+    add_commands $chainref, 'done';
+}
+
+if ( $family == F_IPV4 ) {
+    add_ijump( $chainref, g => $target, s => '224.0.0.0/4' );
+} else {
+    add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
+}
+
+END PERL;
+
+
+    
+
+
--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -0,0 +1,63 @@
+#
+# Shorewall version 4 - Drop Smurfs Action
+#
+# /usr/share/shorewall/action.DropSmurfs
+#
+#   Accepts a single optional parameter:
+#
+#          -     = Do not Audit
+#          audit = Audit dropped packets.
+#
+#################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+use strict;
+use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::Chains;
+
+
+my ( $disposition, $audit ) = get_action_params( 2 );
+
+my $chainref        = get_action_chain;
+my ( $level, $tag ) = get_action_logging;
+
+fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/; 
+
+if ( $level ne '-' || $audit ne '-' ) {
+    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
+
+    log_rule_limit( $level,
+		    $logchainref,
+		    $chainref->{name},
+		    $disposition,
+		    '',
+		    $tag,
+		    'add',
+		    '' ) if $level;
+
+    if ( supplied $audit ) {
+	fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
+	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
+	add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
+    } 
+
+    add_ijump( $logchainref, g => $disposition );
+
+    $disposition = $logchainref;
+}
+		    
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
+add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
+add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
+
+END PERL;
+
+
+    
+
+
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -37,6 +37,8 @@ A_Drop 		    # Audited Default Action for DROP policy
 A_Reject	    # Audited Default action for REJECT policy
 Broadcast	    # Handles Broadcast/Multicast/Anycast
 Drop		    # Default Action for DROP policy
+DropSmurfs          # Drop smurf packets
 Invalid             # Handles packets in the INVALID conntrack state
 NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject		    # Default Action for REJECT policy
+TCPFlags            # Handle bad flag combinations.
--- a/Shorewall/configfiles/blrules
+++ b/Shorewall/configfiles/blrules
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Blacklist Rules File
+#
+# For information about entries in this file, type "man shorewall-blrules"
+#
+# Please see http://shorewall.net/blacklisting_support.htm for additional
+# information.
+#
+###################################################################################################################################################################################################
+#ACTION		SOURCE			DEST			PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#									PORT	PORT(S)		DEST		LIMIT		GROUP
+
--- a/Shorewall/configfiles/netmap
+++ b/Shorewall/configfiles/netmap
@@ -6,5 +6,6 @@
 # See http://shorewall.net/netmap.html for an example and usage
 # information.
 #
-###############################################################################
-#TYPE	NET1			INTERFACE	NET2		NET3
+##############################################################################################
+#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
+#										PORT(S)	PORT(S)
--- a/Shorewall/configfiles/route_rules
+++ b/Shorewall/configfiles/route_rules
@@ -4,5 +4,5 @@
 # For information about entries in this file, type "man shorewall-route_rules"
 #
 # For additional information, see http://www.shorewall.net/MultiISP.html
-##############################################################################
-#SOURCE			DEST			PROVIDER	PRIORITY
+####################################################################################
+#SOURCE			DEST			PROVIDER	PRIORITY	MASK
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -6,9 +6,10 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -136,8 +136,6 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
@@ -188,8 +186,6 @@ TRACK_PROVIDERS=No

 USE_DEFAULT_RT=No

-WIDE_TC_MARKS=No
-
 ZONE2ZONE=2

 ###############################################################################
@@ -206,6 +202,20 @@ SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -115,6 +115,11 @@ shorewall_refresh () {
  return 0
 }

+# status of the firewall
+shorewall_status () {
+  $SRWL $SRWL_OPTS status && exit 0 || exit $?
+}
+
 case "$1" in
  start)
     shorewall_start
@@ -128,8 +133,11 @@ case "$1" in
  force-reload|restart)
     shorewall_restart
     ;;
+  status)
+     shorewall_status
+     ;;
  *)
-     echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload}"
+     echo "Usage: /etc/init.d/shorewall {start|stop|refresh|restart|force-reload|status}"
     exit 1
 esac

--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -605,17 +605,22 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tunnels ]; then
    run_install $OWNERSHIP -m 0600 configfiles/tunnels${suffix} ${DESTDIR}/etc/shorewall/tunnels
    echo "Tunnels file installed as ${DESTDIR}/etc/shorewall/tunnels"
 fi
-#
-# Install the blacklist file
-#
-run_install $OWNERSHIP -m 0644 configfiles/blacklist           ${DESTDIR}/usr/share/shorewall/configfiles
-run_install $OWNERSHIP -m 0644 configfiles/blacklist.annotated ${DESTDIR}/usr/share/shorewall/configfiles

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/blacklist ]; then
    run_install $OWNERSHIP -m 0600 configfiles/blacklist${suffix} ${DESTDIR}/etc/shorewall/blacklist
    echo "Blacklist file installed as ${DESTDIR}/etc/shorewall/blacklist"
 fi
 #
+# Install the blacklist rules file
+#
+run_install $OWNERSHIP -m 0644 configfiles/blrules           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/blrules.annotated ${DESTDIR}/usr/share/shorewall/configfiles
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/blrules ]; then
+    run_install $OWNERSHIP -m 0600 configfiles/blrules${suffix} ${DESTDIR}/etc/shorewall/blrules
+    echo "Blacklist rules file installed as ${DESTDIR}/etc/shorewall/blrules"
+fi
+#
 # Install the findgw file
 #
 run_install $OWNERSHIP -m 0644 configfiles/findgw ${DESTDIR}/usr/share/shorewall/configfiles
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -28,7 +28,7 @@
 #

 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40423
+SHOREWALL_CAPVERSION=40426

 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -121,8 +121,10 @@ mutex_on()
 	fi

 	if qt mywhich lockfile; then
-	    lockfile -r${MUTEX_TIMEOUT} -s1 ${lockf}
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
+	    chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -29,7 +29,7 @@
 #
 fatal_error() # $@ = Message
 {
-    echo "   $@" >&2
+    echo "   ERROR: $@" >&2
    exit 2
 }

@@ -751,6 +751,12 @@ show_command() {
 	    [ $# -gt 1 ] && usage 1
 	    perip_accounting
 	    ;;
+	marks)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
+	    echo
+	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
+	    ;;
 	*)
 	    if [ "$g_product" = Shorewall ]; then
 		case $1 in
@@ -992,6 +998,11 @@ do_dump_command() {
 	$IPTABLES -t raw -L $g_ipt_options
    fi

+    if qt $IPTABLES -t rawpost -L -n; then
+	heading "Rawpost Table"
+	$IPTABLES -t rawpost -L $g_ipt_options
+    fi
+
    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)

@@ -1724,6 +1735,8 @@ determine_capabilities() {
    LOGMARK_TARGET=
    IPMARK_TARGET=
    LOG_TARGET=Yes
+    ULOG_TARGET=
+    NFLOG_TARGET=
    PERSISTENT_SNAT=
    FLOW_FILTER=
    FWMARK_RT_MASK=
@@ -1731,6 +1744,9 @@ determine_capabilities() {
    HEADER_MATCH=
    ACCOUNT_TARGET=
    AUDIT_TARGET=
+    CONDITION_MATCH=
+    IPTABLES_S=
+    BASIC_FILTER=

    chain=fooX$$

@@ -1878,15 +1894,20 @@ determine_capabilities() {
    qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
    qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
    qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
+    qt $IPTABLES -A $chain -j ULOG && ULOG_TARGET=Yes
+    qt $IPTABLES -A $chain -j NFLOG && NFLOG_TARGET=Yes
    qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
    qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
+    qt $IPTABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+    qt $IPTABLES -S INPUT && IPTABLES_S=Yes
    qt $IPTABLES -F $chain
    qt $IPTABLES -X $chain
    qt $IPTABLES -F $chain1
    qt $IPTABLES -X $chain1

    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+    [ -n "$TC" ] && $TC filter add basic help 2>&1 | grep -q ^Usage && BASIC_FILTER=Yes
    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes

    CAPVERSION=$SHOREWALL_CAPVERSION
@@ -1966,6 +1987,8 @@ report_capabilities() {
 	report_capability "LOGMARK Target" $LOGMARK_TARGET
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
+	report_capability "ULOG Target" $ULOG_TARGET
+	report_capability "NFLOG Target" $NFLOG_TARGET
 	report_capability "Persistent SNAT" $PERSISTENT_SNAT
 	report_capability "TPROXY Target" $TPROXY_TARGET
 	report_capability "FLOW Classifier" $FLOW_FILTER
@@ -1975,6 +1998,9 @@ report_capabilities() {
        report_capability "ACCOUNT Target" $ACCOUNT_TARGET
 	report_capability "AUDIT Target" $AUDIT_TARGET
 	report_capability "ipset V5" $IPSET_V5
+	report_capability "Condition Match" $CONDITION_MATCH
+	report_capability "iptables -S" $IPTABLES_S
+	report_capability "Basic Filter" $BASIC_FILTER
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -2036,6 +2062,8 @@ report_capabilities1() {
    report_capability1 LOGMARK_TARGET
    report_capability1 IPMARK_TARGET
    report_capability1 LOG_TARGET
+    report_capability1 ULOG_TARGET
+    report_capability1 NFLOG_TARGET
    report_capability1 PERSISTENT_SNAT
    report_capability1 TPROXY_TARGET
    report_capability1 FLOW_FILTER
@@ -2045,6 +2073,9 @@ report_capabilities1() {
    report_capability1 ACCOUNT_TARGET
    report_capability1 AUDIT_TARGET
    report_capability1 IPSET_V5
+    report_capability1 CONDITION_MATCH
+    report_capability1 IPTABLES_S
+    report_capability1 BASIC_FILTER

    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
--- a/Shorewall/lib.common
+++ b/Shorewall/lib.common
@@ -226,26 +226,28 @@ loadmodule() # $1 = module name, $2 - * arguments
    local suffix

    if [ -d /sys/module/ ]; then
-	if [ ! -d /sys/module/$modulename ]; then
-	    shift
+	if ! list_search $modulename $DONT_LOAD; then
+	    if [ ! -d /sys/module/$modulename ]; then
+		shift

-	    for suffix in $MODULE_SUFFIX ; do
-		for directory in $moduledirectories; do
-		    modulefile=$directory/${modulename}.${suffix}
+		for suffix in $MODULE_SUFFIX ; do
+		    for directory in $moduledirectories; do
+			modulefile=$directory/${modulename}.${suffix}

-		    if [ -f $modulefile ]; then
-			case $moduleloader in
-			    insmod)
-				insmod $modulefile $*
-				;;
-			    *)
-				modprobe $modulename $*
-				;;
-			esac
-			break 2
-		    fi
+			if [ -f $modulefile ]; then
+			    case $moduleloader in
+				insmod)
+				    insmod $modulefile $*
+				    ;;
+				*)
+				    modprobe $modulename $*
+				    ;;
+			    esac
+			    break 2
+			fi
+		    done
 		done
-	    done
+	    fi
 	fi
    elif ! list_search $modulename $DONT_LOAD $MODULES; then
 	shift
--- a/Shorewall/modules.tc
+++ b/Shorewall/modules.tc
@@ -22,4 +22,5 @@ loadmodule sch_tbf
 loadmodule cls_u32
 loadmodule cls_fw
 loadmodule cls_flow
+loadmodule cls_basic
 loadmodule act_police
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -330,7 +330,7 @@ startup_error() {
 # Determine if there are config files newer than the passed object
 #
 uptodate() {
-    [ -f $1 ] || return 1
+    [ -x $1 ] || return 1

    local dir
    local ifs
@@ -366,6 +366,10 @@ compiler() {
    # We've now set SHOREWALL_DIR so recalculate CONFIG_PATH
    #
    ensure_config_path
+    #
+    # Get the config from $SHOREWALL_DIR
+    #
+    [ -n "$SHOREWALL_DIR" -a "$SHOREWALL_DIR" != /etc/shorewall ] && get_config

    case $COMMAND in
 	*start|try|refresh)
@@ -386,7 +390,7 @@ compiler() {
    [ "$1" = nolock ] && shift;
    shift

-    options="--verbose=$VERBOSITY"
+    options="--verbose=$VERBOSITY --config_path=$CONFIG_PATH"
    [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
    [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
    [ -n "$g_export" ] && options="$options --export"
@@ -398,6 +402,7 @@ compiler() {
    [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
    [ -n "$g_confess" ] && options="$options --confess"
    [ -n "$g_update" ] && options="$options --update"
+    [ -n "$g_convert" ] && options="$options --convert"
    [ -n "$g_annotate" ] && options="$options --annotate"

    if [ -n "$PERL" ]; then
@@ -425,11 +430,10 @@ start_command() {
    local finished
    finished=0
    local object
+    local rc
+    rc=0

    do_it() {
-	local rc
-	rc=0
-
 	if [ -n "$AUTOMAKE" ]; then
 	    [ -n "$nolock" ] || mutex_on
 	    run_it ${VARDIR}/firewall $g_debugging start
@@ -541,17 +545,15 @@ start_command() {
 	    AUTOMAKE=
 	fi

-	if [ -n "$g_fast" ]; then
-	    g_restorepath=${VARDIR}/$RESTOREFILE
-
-	    if [ -x $g_restorepath ]; then
-		echo Restoring Shorewall...
-		run_it $g_restorepath restore
-		date > ${VARDIR}/restarted
-		progress_message3 Shorewall restored from $g_restorepath
-	    else
-		do_it
-	    fi
+	if [ -n "$g_fast" -a $object = $RESTOREFILE ]; then
+	    g_restorepath=${VARDIR}/$object
+	    [ -n "$nolock" ] || mutex_on
+	    echo Restoring Shorewall...
+	    run_it $g_restorepath restore
+	    rc=$?
+	    [ -n "$nolock" ] || mutex_off
+	    [ $rc -eq 0 ] && progress_message3 "Shorewall restored from $g_restorepath"
+	    exit $rc
 	else
 	    do_it
 	fi
@@ -731,6 +733,94 @@ check_command() {
    compiler $g_debugging $nolock check
 }

+#
+# Update Command Executor
+#
+update_command() {
+    local finished
+    finished=0
+
+    g_update=Yes
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			e*)
+			    g_export=Yes
+			    option=${option#e}
+			    ;;
+			p*)
+			    g_profile=Yes
+			    option=${option#p}
+			    ;;
+			d*)
+			    g_debug=Yes;
+			    option=${option#d}
+			    ;;
+			r*)
+			    g_preview=Yes
+			    option=${option#r}
+			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
+			a*)
+			    g_annotate=Yes
+			    option=${option#a}
+			    ;;
+			b*)
+			    g_convert=Yes
+			    option=${option#b}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    case $# in
+	0)
+	    ;;
+	1)
+	    [ -n "$SHOREWALL_DIR" ] && usage 2
+
+	    if [ ! -d $1 ]; then
+		if [ -e $1 ]; then
+		    echo "$1 is not a directory" >&2 && exit 2
+		else
+		    echo "Directory $1 does not exist" >&2 && exit 2
+		fi
+	    fi
+
+	    SHOREWALL_DIR=$(resolve_file $1)
+	    ;;
+	*)
+	    usage 1
+	    ;;
+    esac
+
+    progress_message3 "Updating..."
+
+    compiler $g_debugging $nolock check
+}
+
 #
 # Restart Command Executor
 #
@@ -1293,7 +1383,7 @@ reload_command() # $* = original arguments less the command.

 	progress_message "Getting Capabilities on system $system..."
 	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $directory/capabilities; then
-	    fatal_error "ERROR: Capturing capabilities on system $system failed"
+	    fatal_error "Capturing capabilities on system $system failed"
 	fi
    fi

@@ -1374,7 +1464,7 @@ export_command() # $* = original arguments less the command.
 	    target=$2
 	    ;;
 	*)
-	    fatal_error "ERROR: Invalid command syntax (\"man shorewall\" for help)"
+	    fatal_error "Invalid command syntax (\"man shorewall\" for help)"
 	    ;;
    esac

@@ -1413,8 +1503,10 @@ usage() # $1 = exit status
    echo "   clear"
    echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
    echo "   delete <interface>[:<host-list>] ... <zone>"
+    echo "   disable <interface>"
    echo "   drop <address> ..."
    echo "   dump [ -x ]"
+    echo "   enable <interface>"
    echo "   export [ <directory1> ] [<user>@]<system>[:<directory2>]"
    echo "   forget [ <file name> ]"
    echo "   help"
@@ -1434,6 +1526,8 @@ usage() # $1 = exit status
    echo "   reset [ <chain> ... ]"
    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
+    echo "   safe-restart [ <directory> ]"
+    echo "   safe-start [ <directory> ]"
    echo "   save [ <file name> ]"
    echo "   show [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   show actions"
@@ -1448,19 +1542,18 @@ usage() # $1 = exit status
    echo "   show [ -m ] log [<regex>]"
    echo "   show macro <macro>"
    echo "   show macros"
+    echo "   show marks"
    echo "   show [ -x ] mangle|nat|raw|rawpost|routing"
    echo "   show policies"
    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
-    echo "   stop"
    echo "   status"
+    echo "   stop"
    echo "   try <directory> [ <timeout> ]"
+    echo "   update [ -b ] [ -r ] [ -T ] [ <directory> ]"
    echo "   version [ -a ]"
-    echo "   safe-start [ <directory> ]"
-    echo "   safe-restart [ <directory> ]"
-    echo "   update [ -e ] [ -d ] [ -p ] [ -r ] [ -T ] [ -a ] [ <directory> ]"
    echo
    exit $1
 }
@@ -1544,6 +1637,7 @@ g_export=
 g_refreshchains=:none:
 g_confess=
 g_update=
+g_convert=
 g_annotate=

 #
@@ -1754,8 +1848,15 @@ case "$COMMAND" in
    update)
 	get_config Yes
 	shift
-	g_update=Yes
-	check_command $@
+	update_command $@
+	;;
+    disable|enable)
+	get_config Yes
+	if shorewall_is_started; then
+	    run_it ${VARDIR}/firewall $g_debugging $@
+	else
+	    fatal_error "Shorewall is not running"
+	fi
 	;;
    show|list)
 	get_config Yes No Yes
@@ -1774,7 +1875,7 @@ case "$COMMAND" in
 	;;
    status)
 	[ $# -eq 1 ] || usage 1
-	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
+	[ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	get_config
 	echo "Shorewall-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
 	echo
--- a/Shorewall/shorewall.service
+++ b/Shorewall/shorewall.service
@@ -6,6 +6,7 @@
 [Unit]
 Description=Shorewall IPv4 firewall
 After=syslog.target
+After=network.target

 [Service]
 Type=oneshot
@@ -13,7 +14,6 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall
 StandardOutput=syslog
 ExecStart=/sbin/shorewall $OPTIONS start
-ExecReload=/sbin/shorewall $OPTIONS restart
 ExecStop=/sbin/shorewall $OPTIONS stop

 [Install]
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -110,6 +110,11 @@ shorewall6_refresh () {
  return 0
 }

+# status of the firewall
+shorewall6_status () {
+  $SRWL $SRWL_OPTS status && exit 0 || exit $?
+}
+
 case "$1" in
  start)
     shorewall6_start
@@ -123,8 +128,11 @@ case "$1" in
  force-reload|restart)
     shorewall6_restart
     ;;
+  status)
+     shorewall6_status
+     ;;
  *)
-     echo "Usage: /etc/init.d/shorewall6-lite {start|stop|refresh|restart|force-reload}"
+     echo "Usage: /etc/init.d/shorewall6-lite {start|stop|refresh|restart|force-reload|status}"
     exit 1
 esac

--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -361,8 +361,10 @@ usage() # $1 = exit status
    echo "where <command> is one of:"
    echo "   allow <address> ..."
    echo "   clear"
+    echo "   disable <interface>"
    echo "   drop <address> ..."
    echo "   dump [ -x ]"
+    echo "   enable <interface>"
    echo "   forget [ <file name> ]"
    echo "   help"
    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
@@ -648,7 +650,7 @@ case "$COMMAND" in
 	;;
    status)
 	[ $# -eq 1 ] || usage 1
-	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
+	[ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	echo "Shorewall6 Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
 	echo
 	if shorewall6_is_started ; then
@@ -728,6 +730,14 @@ case "$COMMAND" in
    allow)
 	allow_command $@
 	;;
+    disable|enable)
+	get_config Yes
+	if shorewall6_is_started; then
+	    run_it ${VARDIR}/firewall $g_debugging $@
+	else
+	    fatal_error "Shorewall is not running"
+	fi
+	;;
    save)
 	[ -n "$debugging" ] && set -x

@@ -806,7 +816,6 @@ case "$COMMAND" in
 	temp=$(ip_network $address);       echo "   NETWORK=$temp"
 	temp=$(broadcastaddress $address); echo "   BROADCAST=$temp"
 	;;
-
    iprange)
 	[ -n "$debugging" ] && set -x
 	case $2 in
--- a/Shorewall6-lite/shorewall6-lite.service
+++ b/Shorewall6-lite/shorewall6-lite.service
@@ -14,7 +14,6 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall6-lite $OPTIONS start
-ExecReload=/sbin/shorewall6-lite $OPTIONS restart
 ExecStop=/sbin/shorewall6-lite $OPTIONS stop

 [Install]
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -25,6 +25,9 @@ A_AllowICMPs	    # Audited Accept needed ICMP6 types
 AllowICMPs	    # Accept needed ICMP6 types
 Broadcast           # Handles Broadcast/Multicast/Anycast
 Drop		    # Default Action for DROP policy
+DropSmurfs	    # Handles packets with a broadcast source address
 Invalid		    # Handles packets in the INVALID conntrack state
 NotSyn		    # Handles TCP packets that do not have SYN=1 and ACK=0
 Reject		    # Default Action for REJECT policy
+TCPFlags	    # Handles bad flags combinations
+
--- a/Shorewall6/configfiles/blrules
+++ b/Shorewall6/configfiles/blrules
@@ -0,0 +1,11 @@
+#
+# Shorewall6 version 4 - Blacklist File
+#
+# For information about entries in this file, type "man shorewall6-blrules"
+#
+# Please see http://shorewall.net/blacklisting_support.htm for additional
+# information.
+#
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+#							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall6/configfiles/netmap
+++ b/Shorewall6/configfiles/netmap
@@ -0,0 +1,11 @@
+#
+# Shorewall6 version 4	 - Netmap File
+#
+# For information about entries in this file, type "man shorewall-netmap"
+#
+# See http://shorewall.net/netmap.html for an example and usage
+# information.
+#
+##############################################################################################
+#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
+#										PORT(S)	PORT(S)
--- a/Shorewall6/configfiles/route_rules
+++ b/Shorewall6/configfiles/route_rules
@@ -4,5 +4,5 @@
 # For information about entries in this file, type "man shorewall6-route_rules"
 #
 # For additional information, see http://www.shorewall.net/MultiISP.html
-##############################################################################
-#SOURCE			DEST			PROVIDER	PRIORITY
+####################################################################################
+#SOURCE			DEST			PROVIDER	PRIORITY	MASK
--- a/Shorewall6/configfiles/rules
+++ b/Shorewall6/configfiles/rules
@@ -6,9 +6,10 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages6/shorewall6-rules.html
 #
-#######################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME            HEADERS
+###########################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
+#SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -125,8 +125,6 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=Yes

-HIGH_ROUTE_MARKS=No
-
 IMPLICIT_CONTINUE=No

 IP_FORWARDING=Off
@@ -163,7 +161,7 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

 TRACK_PROVIDERS=No

-WIDE_TC_MARKS=No
+USE_DEFAULT_RT=No

 ZONE2ZONE=2

@@ -180,3 +178,17 @@ SFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP
+
+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
--- a/Shorewall6/init.debian.sh
+++ b/Shorewall6/init.debian.sh
@@ -115,6 +115,11 @@ shorewall6_refresh () {
  return 0
 }

+# status of the firewall
+shorewall6_status () {
+  $SRWL $SRWL_OPTS status && exit 0 || exit $?
+}
+
 case "$1" in
  start)
     shorewall6_start
@@ -128,8 +133,11 @@ case "$1" in
  force-reload|restart)
     shorewall6_restart
     ;;
+  status)
+     shorewall6_status
+     ;;
  *)
-     echo "Usage: /etc/init.d/shorewall6 {start|stop|refresh|restart|force-reload}"
+     echo "Usage: /etc/init.d/shorewall6 {start|stop|refresh|restart|force-reload|status}"
     exit 1
 esac

--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -575,17 +575,22 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/tunnels ]; then
    run_install $OWNERSHIP -m 0600 tunnels${suffix} ${DESTDIR}/etc/shorewall6/tunnels
    echo "Tunnels file installed as ${DESTDIR}/etc/shorewall6/tunnels"
 fi
-#
-# Install the blacklist file
-#
-run_install $OWNERSHIP -m 0644 blacklist           ${DESTDIR}/usr/share/shorewall6/configfiles/
-run_install $OWNERSHIP -m 0644 blacklist.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/blacklist ]; then
    run_install $OWNERSHIP -m 0600 blacklist${suffix} ${DESTDIR}/etc/shorewall6/blacklist
    echo "Blacklist file installed as ${DESTDIR}/etc/shorewall6/blacklist"
 fi
 #
+# Install the blacklist rules file
+#
+run_install $OWNERSHIP -m 0644 blrules           ${DESTDIR}/usr/share/shorewall6/configfiles/
+run_install $OWNERSHIP -m 0644 blrules.annotated ${DESTDIR}/usr/share/shorewall6/configfiles/
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall6/blrules ]; then
+    run_install $OWNERSHIP -m 0600 blrules${suffix} ${DESTDIR}/etc/shorewall6/blrules
+    echo "Blrules file installed as ${DESTDIR}/etc/shorewall6/blrules"
+fi
+#
 # Install the Providers file
 #
 run_install $OWNERSHIP -m 0644 providers           ${DESTDIR}/usr/share/shorewall6/configfiles/
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -32,7 +32,7 @@
 #

 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40423
+SHOREWALL_CAPVERSION=40426

 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@@ -125,8 +125,10 @@ mutex_on()
 	fi

 	if qt mywhich lockfile; then
-	    lockfile -r${MUTEX_TIMEOUT} -s1 ${lockf}
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
+	    chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -29,7 +29,7 @@
 #
 fatal_error() # $@ = Message
 {
-    echo "   $@" >&2
+    echo "   ERROR: $@" >&2
    exit 2
 }

@@ -575,6 +575,13 @@ show_command() {
 	    show_reset
 	    $IP6TABLES -t raw -L $g_ipt_options
 	    ;;
+	rawpost)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION rawpost Table at $g_hostname - $(date)"
+	    echo
+	    show_reset
+	    $IP6TABLES -t rawpost -L $g_ipt_options
+	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1

@@ -703,6 +710,12 @@ show_command() {
 	    echo
 	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
 	    ;;
+	marks)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION Mark Layout at $g_hostname - $(date)"
+	    echo
+	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
+	    ;;
 	*)
 	    if [ "$g_product" = Shorewall6 ]; then
 		case $1 in
@@ -920,6 +933,11 @@ do_dump_command() {
 	$IP6TABLES -t raw -L $g_ipt_options
    fi

+    if qt $IP6TABLES -t rawpost -L -n; then
+	heading "Rawpost Table"
+	$IP6TABLES -t rawpost -L $g_ipt_options
+    fi
+
    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)

@@ -1544,6 +1562,9 @@ determine_capabilities() {
    GOTO_TARGET=
    IPMARK_TARGET=
    LOG_TARGET=Yes
+    ULOG_TARGET=
+    NFLOG_TARGET=
+    LOGMARK_TARGET=
    FLOW_FILTER=
    FWMARK_RT_MASK=
    MARK_ANYWHERE=
@@ -1551,6 +1572,9 @@ determine_capabilities() {
    ACCOUNT_TARGET=
    AUDIT_TARGET=
    IPSET_V5=
+    CONDITION_MATCH=
+    IPTABLES_S=
+    BASIC_FILTER=

    chain=fooX$$

@@ -1697,11 +1721,16 @@ determine_capabilities() {
    qt $IP6TABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
    qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
    qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
+    qt $IP6TABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
    qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
+    qt $IP6TABLES -A $chain -j ULOG && ULOG_TARGET=Yes
+    qt $IP6TABLES -A $chain -j NFLOG && NFLOG_TARGET=Yes
    qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
    qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes
    qt $IP6TABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
+    qt $IP6TABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+    qt $IP6TABLES -S INPUT && IPTABLES_S=Yes
    

    qt $IP6TABLES -F $chain
@@ -1710,6 +1739,7 @@ determine_capabilities() {
    qt $IP6TABLES -X $chain1

    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+    [ -n "$TC" ] && $TC filter add basic help 2>&1 | grep -q ^Usage && BASIC_FILTER=Yes
    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes

    CAPVERSION=$SHOREWALL_CAPVERSION
@@ -1786,7 +1816,10 @@ report_capabilities() {
 	report_capability "Time Match" $TIME_MATCH
 	report_capability "Goto Support" $GOTO_TARGET
 	report_capability "IPMARK Target" $IPMARK_TARGET
+	report_capability "LOGMARK Target" $LOGMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
+	report_capability "ULOG Target" $ULOG_TARGET
+	report_capability "NFLOG Target" $NFLOG_TARGET
 	report_capability "TPROXY Target" $TPROXY_TARGET
 	report_capability "FLOW Classifier" $FLOW_FILTER
 	report_capability "fwmark route mask" $FWMARK_RT_MASK
@@ -1795,6 +1828,9 @@ report_capabilities() {
 	report_capability "ACCOUNT Target" $ACCOUNT_TARGET
 	report_capability "AUDIT Target" $AUDIT_TARGET
 	report_capability "ipset V5" $IPSET_V5
+	report_capability "Condition Match" $CONDITION_MATCH
+	report_capability "ip6tables -S" $IPTABLES_S
+	report_capability "Basic Filter" $BASIC_FILTER
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -1853,7 +1889,10 @@ report_capabilities1() {
    report_capability1 TIME_MATCH
    report_capability1 GOTO_TARGET
    report_capability1 IPMARK_TARGET
+    report_capability1 LOGMARK_TARGET
    report_capability1 LOG_TARGET
+    report_capability1 ULOG_TARGET
+    report_capability1 NFLOG_TARGET
    report_capability1 TPROXY_TARGET
    report_capability1 FLOW_FILTER
    report_capability1 FWMARK_RT_MASK
@@ -1862,6 +1901,9 @@ report_capabilities1() {
    report_capability1 ACCOUNT_TARGET
    report_capability1 AUDIT_TARGET
    report_capability1 IPSET_V5
+    report_capability1 CONDITION_MATCH
+    report_capability1 IPTABLES_S
+    report_capability1 BASIC_FILTER
    
    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION    
--- a/Shorewall6/lib.common
+++ b/Shorewall6/lib.common
@@ -247,27 +247,29 @@ loadmodule() # $1 = module name, $2 - * arguments
    local modulefile
    local suffix

-     if [ -d /sys/module/ ]; then
-	if [ ! -d /sys/module/$modulename ]; then
-	    shift
+    if [ -d /sys/module/ ]; then
+	if ! list_search $modulename $DONT_LOAD; then
+	    if [ ! -d /sys/module/$modulename ]; then
+		shift

-	    for suffix in $MODULE_SUFFIX ; do
-		for directory in $moduledirectories; do
-		    modulefile=$directory/${modulename}.${suffix}
+		for suffix in $MODULE_SUFFIX ; do
+		    for directory in $moduledirectories; do
+			modulefile=$directory/${modulename}.${suffix}

-		    if [ -f $modulefile ]; then
-			case $moduleloader in
-			    insmod)
-				insmod $modulefile $*
-				;;
-			    *)
-				modprobe $modulename $*
-				;;
-			esac
-			break 2
-		    fi
+			if [ -f $modulefile ]; then
+			    case $moduleloader in
+				insmod)
+				    insmod $modulefile $*
+				    ;;
+				*)
+				    modprobe $modulename $*
+				    ;;
+			    esac
+			    break 2
+			fi
+		    done
 		done
-	    done
+	    fi
 	fi
    elif ! list_search $modulename $MODULES $DONT_LOAD ; then
 	shift
@@ -416,7 +418,7 @@ find_first_interface_address() # $1 = interface
    #
    # get the line of output containing the first IP address
    #
-    addr=$(${IP:-ip} -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
+    addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
    #
    # If there wasn't one, bail out now
    #
@@ -433,7 +435,7 @@ find_first_interface_address_if_any() # $1 = interface
    #
    # get the line of output containing the first IP address
    #
-    addr=$(${IP:-ip} -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
+    addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
    #
    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
    # along with everything else on the line
--- a/Shorewall6/modules.tc
+++ b/Shorewall6/modules.tc
@@ -22,4 +22,5 @@ loadmodule sch_tbf
 loadmodule cls_u32
 loadmodule cls_fw
 loadmodule cls_flow
+loadmodule cls_basic
 loadmodule act_police
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@@ -330,7 +330,7 @@ startup_error() {
 # Determine if there are config files newer than the passed object
 #
 uptodate() {
-    [ -f $1 ] || return 1
+    [ -x $1 ] || return 1

    local dir
    local ifs
@@ -366,6 +366,10 @@ compiler() {
    # We've now set SHOREWALL_DIR so recalculate CONFIG_PATH
    #
    ensure_config_path
+    #
+    # Get the config from $SHOREWALL_DIR
+    #
+    [ -n "$SHOREWALL_DIR" -a "$SHOREWALL_DIR" != /etc/shorewall6 ] && get_config

    case $COMMAND in
 	*start|try|refresh)
@@ -386,7 +390,7 @@ compiler() {
    [ "$1" = nolock ] && shift;
    shift

-    options="--verbose=$VERBOSITY --family=6"
+    options="--verbose=$VERBOSITY --family=6 --config_path=$CONFIG_PATH"
    [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
    [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
    [ -n "$g_export" ] && options="$options --export"
@@ -398,6 +402,7 @@ compiler() {
    [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
    [ -n "$g_confess" ] && options="$options --confess"
    [ -n "$g_update" ] && options="$options --update"
+    [ -n "$g_convert" ] && options="$options --convert"
    [ -n "$g_annotate" ] && options="$options --annotate"
    [ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed"

@@ -426,11 +431,10 @@ start_command() {
    local finished
    finished=0
    local object
+    local rc
+    rc=0

    do_it() {
-	local rc
-	rc=0
-
 	if [ -n "$AUTOMAKE" ]; then
 	    [ -n "$nolock" ] || mutex_on
 	    run_it ${VARDIR}/firewall $g_debugging start
@@ -542,17 +546,15 @@ start_command() {
 	    AUTOMAKE=
 	fi

-	if [ -n "$g_fast" ]; then
-	    g_restorepath=${VARDIR}/$RESTOREFILE
-
-	    if [ -x $g_restorepath ]; then
-		echo Restoring Shorewall6...
-		run_it $g_restorepath restore
-		date > ${VARDIR}/restarted
-		progress_message3 Shorewall6 restored from $g_restorepath
-	    else
-		do_it
-	    fi
+	if [ -n "$g_fast" -a $object = $RESTOREFILE ]; then
+	    g_restorepath=${VARDIR}/$object
+	    [ -n "$nolock" ] || mutex_on
+	    echo Restoring Shorewall...
+	    run_it $g_restorepath restore
+	    rc=$?
+	    [ -n "$nolock" ] || mutex_off
+	    [ $rc -eq 0 ] && progress_message3 "Shorewall6 restored from $g_restorepath"
+	    exit $rc
 	else
 	    do_it
 	fi
@@ -732,6 +734,94 @@ check_command() {
    compiler $g_debugging $nolock check
 }

+#
+# Update Command Executor
+#
+update_command() {
+    local finished
+    finished=0
+
+    g_update=Yes
+
+    while [ $finished -eq 0 -a $# -gt 0 ]; do
+	option=$1
+	case $option in
+	    -*)
+		option=${option#-}
+
+		while [ -n "$option" ]; do
+		    case $option in
+			-)
+			    finished=1
+			    option=
+			    ;;
+			e*)
+			    g_export=Yes
+			    option=${option#e}
+			    ;;
+			p*)
+			    g_profile=Yes
+			    option=${option#p}
+			    ;;
+			d*)
+			    g_debug=Yes;
+			    option=${option#d}
+			    ;;
+			r*)
+			    g_preview=Yes
+			    option=${option#r}
+			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
+			a*)
+			    g_annotate=Yes
+			    option=${option#a}
+			    ;;
+			b*)
+			    g_convert=Yes
+			    option=${option#b}
+			    ;;
+			*)
+			    usage 1
+			    ;;
+		    esac
+		done
+		shift
+		;;
+	    *)
+		finished=1
+		;;
+	esac
+    done
+
+    case $# in
+	0)
+	    ;;
+	1)
+	    [ -n "$SHOREWALL_DIR" ] && usage 2
+
+	    if [ ! -d $1 ]; then
+		if [ -e $1 ]; then
+		    echo "$1 is not a directory" >&2 && exit 2
+		else
+		    echo "Directory $1 does not exist" >&2 && exit 2
+		fi
+	    fi
+
+	    SHOREWALL_DIR=$(resolve_file $1)
+	    ;;
+	*)
+	    usage 1
+	    ;;
+    esac
+
+    progress_message3 "Updating..."
+
+    compiler $g_debugging $nolock check
+}
+
 #
 # Restart Command Executor
 #
@@ -1294,7 +1384,7 @@ reload_command() # $* = original arguments less the command.

 	progress_message "Getting Capabilities on system $system..."
 	if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $directory/capabilities; then
-	    fatal_error "ERROR: Capturing capabilities on system $system failed"
+	    fatal_error "Capturing capabilities on system $system failed"
 	fi
    fi

@@ -1375,7 +1465,7 @@ export_command() # $* = original arguments less the command.
 	    target=$2
 	    ;;
 	*)
-	    fatal_error "ERROR: Invalid command syntax (\"man shorewall6\" for help)"
+	    fatal_error "Invalid command syntax (\"man shorewall6\" for help)"
 	    ;;
    esac

@@ -1414,8 +1504,10 @@ usage() # $1 = exit status
    echo "   clear"
    echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
    echo "   delete <interface>[:<host-list>] ... <zone>"
+    echo "   disable <interface>"
    echo "   drop <address> ..."
    echo "   dump [ -x ]"
+    echo "   enable <interface>"
    echo "   export [ <directory1> ] [<user>@]<system>[:<directory2>]"
    echo "   forget [ <file name> ]"
    echo "   help"
@@ -1431,6 +1523,8 @@ usage() # $1 = exit status
    echo "   reset [ <chain> ... ]"
    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
+    echo "   safe-restart [ <directory> ]"
+    echo "   safe-start [ <directory> ]"
    echo "   save [ <file name> ]"
    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   show actions"
@@ -1444,19 +1538,18 @@ usage() # $1 = exit status
    echo "   show [ -m ] log [<regex>]"
    echo "   show macro <macro>"
    echo "   show macros"
+    echo "   show marks"
    echo "   show [ -x ] mangle|raw|routing"
    echo "   show policies"
    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
-    echo "   stop"
    echo "   status"
+    echo "   stop"
    echo "   try <directory> [ <timeout> ]"
+    echo "   update [ -b ] [ -r ] [ -T ] [ <directory> ]"
    echo "   version [ -a ]"
-    echo "   safe-start [ <directory> ]"
-    echo "   safe-restart [ <directory> ]"
-    echo "   update [ -e ] [ -d ] [ -p ] [ -r ] [ -T ] [ -a ] [ <directory> ]"
    echo
    exit $1
 }
@@ -1540,6 +1633,7 @@ g_export=
 g_refreshchains=:none:
 g_confess=
 g_update=
+g_convert=
 g_annotate=

 #
@@ -1750,8 +1844,15 @@ case "$COMMAND" in
    update)
 	get_config Yes
 	shift
-	g_update=Yes
-	check_command $@
+	update_command $@
+	;;
+    disable|enable)
+	get_config Yes
+	if shorewall6_is_started; then
+	    run_it ${VARDIR}/firewall $g_debugging $@
+	else
+	    fatal_error "Shorewall is not running"
+	fi
 	;;
    show|list)
 	get_config Yes No Yes
@@ -1770,7 +1871,7 @@ case "$COMMAND" in
 	;;
    status)
 	[ $# -eq 1 ] || usage 1
-	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
+	[ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	get_config
 	echo "Shorewall6-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
 	echo
--- a/Shorewall6/shorewall6.service
+++ b/Shorewall6/shorewall6.service
@@ -14,7 +14,6 @@ RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6
 StandardOutput=syslog
 ExecStart=/sbin/shorewall6 $OPTIONS start
-ExecReload=/sbin/shorewall6 $OPTIONS restart
 ExecStop=/sbin/shorewall6 $OPTIONS stop

 [Install]
--- a/docs/Anatomy.xml
+++ b/docs/Anatomy.xml
@@ -122,7 +122,7 @@
        <listitem>
          <para><filename class="directory">configfiles</filename> - A
          directory containing configuration files to copy to create a <ulink
-          url="CompiledPrograms.html#Lite">Shorewall-lite export
+          url="Shorewall-Lite.html">Shorewall-lite export
          directory.</ulink></para>
        </listitem>

@@ -335,7 +335,7 @@
        <listitem>
          <para><filename class="directory">configfiles</filename> - A
          directory containing configuration files to copy to create a <ulink
-          url="CompiledPrograms.html#Lite">Shorewall6-lite export
+          url="Shorewall-Lite.html">Shorewall6-lite export
          directory.</ulink></para>
        </listitem>

@@ -535,7 +535,7 @@
        <listitem>
          <para><filename>shorecap</filename> - A shell program used for
          generating capabilities files. See the <ulink
-          url="CompiledPrograms.html#Lite">Shorewall-lite
+          url="Shorewall-Lite.html">Shorewall-lite
          documentation</ulink>.</para>
        </listitem>

@@ -725,7 +725,7 @@
        <listitem>
          <para><filename>shorecap</filename> - A shell program used for
          generating capabilities files. See the <ulink
-          url="CompiledPrograms.html#Lite">Shorewall-lite
+          url="Shorewall-Lite.html">Shorewall-lite
          documentation</ulink>.</para>
        </listitem>

--- a/docs/Build.xml
+++ b/docs/Build.xml
@@ -153,7 +153,7 @@

      <para>The <command>setversion</command> script updates the version
      number in a directory. The script is run with the current working
-      directory being <filename class="directory">trunk</filename>.</para>
+      directory being <filename class="directory">release</filename>.</para>

      <blockquote>
        <para><command>setversion</command>
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -55,7 +55,7 @@
      <tgroup align="left" cols="3">
        <tbody>
          <row>
-            <entry><ulink url="6to4.htm">6to4 and 6in4 Tunnels</ulink></entry>
+            <entry></entry>

            <entry><ulink url="LXC.html">Linux Containers
            (LXC)</ulink></entry>
@@ -65,7 +65,7 @@
          </row>

          <row>
-            <entry><ulink url="Accounting.html">Accounting</ulink></entry>
+            <entry><ulink url="6to4.htm">6to4 and 6in4 Tunnels</ulink></entry>

            <entry><ulink url="Vserver.html">Linux-vserver</ulink></entry>

@@ -74,7 +74,7 @@
          </row>

          <row>
-            <entry><ulink url="Actions.html">Actions</ulink></entry>
+            <entry><ulink url="Accounting.html">Accounting</ulink></entry>

            <entry><ulink url="ConnectionRate.html">Limiting Connection
            Rates</ulink></entry>
@@ -84,8 +84,7 @@
          </row>

          <row>
-            <entry><ulink url="Shorewall_and_Aliased_Interfaces.html">Aliased
-            (virtual) Interfaces (e.g., eth0:0)</ulink></entry>
+            <entry><ulink url="Actions.html">Actions</ulink></entry>

            <entry><ulink url="shorewall_logging.html">Logging</ulink></entry>

@@ -93,8 +92,8 @@
          </row>

          <row>
-            <entry><ulink url="Anatomy.html">Anatomy of
-            Shorewall</ulink></entry>
+            <entry><ulink url="Shorewall_and_Aliased_Interfaces.html">Aliased
+            (virtual) Interfaces (e.g., eth0:0)</ulink></entry>

            <entry><ulink url="Macros.html">Macros</ulink></entry>

@@ -104,8 +103,8 @@
          </row>

          <row>
-            <entry><ulink url="Audit.html">AUDIT Target
-            support</ulink></entry>
+            <entry><ulink url="Anatomy.html">Anatomy of
+            Shorewall</ulink></entry>

            <entry><ulink url="MAC_Validation.html">MAC
            Verification</ulink></entry>
@@ -115,8 +114,8 @@
          </row>

          <row>
-            <entry><ulink url="traffic_shaping.htm">Bandwidth
-            Control</ulink></entry>
+            <entry><ulink url="Audit.html">AUDIT Target
+            support</ulink></entry>

            <entry><ulink url="Manpages.html">Man Pages</ulink></entry>

@@ -125,8 +124,8 @@
          </row>

          <row>
-            <entry><ulink
-            url="blacklisting_support.htm">Blacklisting/Whitelisting</ulink></entry>
+            <entry><ulink url="traffic_shaping.htm">Bandwidth
+            Control</ulink></entry>

            <entry><ulink url="ManualChains.html">Manual
            Chains</ulink></entry>
@@ -137,8 +136,8 @@
          </row>

          <row>
-            <entry>Bridge: <ulink
-            url="bridge-Shorewall-perl.html">Bridge/Firewall</ulink></entry>
+            <entry><ulink
+            url="blacklisting_support.htm">Blacklisting/Whitelisting</ulink></entry>

            <entry><ulink
            url="two-interface.htm#SNAT">Masquerading</ulink></entry>
@@ -148,8 +147,8 @@
          </row>

          <row>
-            <entry>Bridge: <ulink url="SimpleBridge.html">No firewalling of
-            traffic between bridge port</ulink></entry>
+            <entry>Bridge: <ulink
+            url="bridge-Shorewall-perl.html">Bridge/Firewall</ulink></entry>

            <entry><ulink url="MultiISP.html">Multiple Internet Connections
            from a Single Firewall</ulink></entry>
@@ -158,8 +157,8 @@
          </row>

          <row>
-            <entry><ulink url="Build.html">Building Shorewall from
-            GIT</ulink></entry>
+            <entry>Bridge: <ulink url="SimpleBridge.html">No firewalling of
+            traffic between bridge port</ulink></entry>

            <entry><ulink url="Multiple_Zones.html">Multiple Zones Through One
            Interface</ulink></entry>
@@ -169,19 +168,18 @@
          </row>

          <row>
-            <entry><ulink
-            url="starting_and_stopping_shorewall.htm">Commands</ulink></entry>
+            <entry><ulink url="Build.html">Building Shorewall from
+            GIT</ulink></entry>

            <entry><ulink url="MyNetwork.html">My Shorewall
            Configuration</ulink></entry>

-            <entry><ulink url="Accounting.html">Traffic
-            Accounting</ulink></entry>
+            <entry></entry>
          </row>

          <row>
-            <entry><ulink url="CompiledPrograms.html">Compiled Firewall
-            Programs</ulink></entry>
+            <entry><ulink url="CompiledPrograms.html"><ulink
+            url="starting_and_stopping_shorewall.htm">Commands</ulink></ulink></entry>

            <entry><ulink url="NetfilterOverview.html">Netfilter
            Overview</ulink></entry>
@@ -385,7 +383,7 @@
            <entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
            Machine)</ulink></entry>

-            <entry><ulink url="CompiledPrograms.html#Lite">Shorewall
+            <entry><ulink url="Shorewall-Lite.html">Shorewall
            Lite</ulink></entry>

            <entry></entry>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -37,9 +37,9 @@
  </articleinfo>

  <caution>
-    <para><emphasis role="bold">This article applies to Shorewall 4.3 and
+    <para><emphasis role="bold">This article applies to Shorewall 4.4 and
    later. If you are running a version of Shorewall earlier than Shorewall
-    4.3.0 then please see the documentation for that
+    4.4.0 then please see the documentation for that
    release.</emphasis></para>
  </caution>

@@ -519,9 +519,14 @@ DNAT       net           net:66.249.93.111:993  tcp      80          -         2
        eth0:<programlisting>#ZONE      INTERFACE     BROADCAST            OPTIONS
 net        eth0          detect               <emphasis role="bold">routeback</emphasis></programlisting></para>

-        <para>And in <filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE          SOURCE      ADDRESS          PROTO        PORT
+        <para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE          SOURCE      ADDRESS          PROTO        PORT
 eth0:66.249.93.111  0.0.0.0/0   206.124.146.176  tcp          993</programlisting></para>

+        <para>and in
+        <filename>/etc/shorewall/shorewall.conf</filename>:</para>
+
+        <programlisting>IP_FORWARDING=On</programlisting>
+
        <para>Like the hack in FAQ 2, this one results in all forwarded
        connections looking to the server (66.249.93.11) as if they originated
        on your firewall (206.124.146.176).</para>
@@ -1108,7 +1113,25 @@ DNAT       loc           dmz:192.168.2.4    tcp      80          -         <emph
      <orderedlist>
        <listitem>
          <para>The default gateway on each local system isn't set to the IP
-          address of the local firewall interface.</para>
+          address of the local firewall interface. You can test this
+          by:</para>
+
+          <orderedlist numeration="loweralpha">
+            <listitem>
+              <para>At a root shell prompt, type 'shorewall clear'.</para>
+            </listitem>
+
+            <listitem>
+              <para>From a local system, attempt to ping the IP address of the
+              Shorewall system's internet (external) interface. If that
+              doesn't work, then the default gateway on the system from which
+              you pinged is not set correctly.</para>
+            </listitem>
+
+            <listitem>
+              <para>Be sure to 'shorewall start' after the test.</para>
+            </listitem>
+          </orderedlist>
        </listitem>

        <listitem>
@@ -1796,9 +1819,13 @@ teastep@ursa:~$ </programlisting>The first number determines the maximum log
      <title>(FAQ 36) My log is filling up with these BANDWIDTH
      messages!</title>

-      <programlisting>Dec 15 16:47:30 heath-desktop kernel: [17182740.184000] BANDWIDTH_IN:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:23:79:02:08:00 SRC=10.119.248.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=62081 PROTO=UDP SPT=67 DPT=68 LEN=308
+      <programlisting>Dec 15 16:47:30 heath-desktop kernel: [17182740.184000] BANDWIDTH_IN:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:23:79:02:08:00
+                                                        SRC=10.119.248.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64
+                                                        ID=62081 PROTO=UDP SPT=67 DPT=68 LEN=308
 Dec 15 16:47:30 heath-desktop last message repeated 2 times
-Dec 15 16:47:30 heath-desktop kernel: [17182740.188000] BANDWIDTH_IN:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:23:79:02:08:00 SRC=10.112.70.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=62082 PROTO=UDP SPT=67 DPT=68 LEN=308
+Dec 15 16:47:30 heath-desktop kernel: [17182740.188000] BANDWIDTH_IN:IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:01:5c:23:79:02:08:00
+                                                        SRC=10.112.70.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64
+                                                        ID=62082 PROTO=UDP SPT=67 DPT=68 LEN=308
 Dec 15 16:47:30 heath-desktop last message repeated 2 times</programlisting>

      <para><emphasis role="bold">Answer</emphasis>: The Webmin 'bandwidth'
@@ -2233,6 +2260,36 @@ eth0		External	50mbit:200kb			5.0mbit:100kb:200ms:100mbit:<emphasis

      <programlisting><emphasis role="bold">ethtool -k eth<emphasis>N</emphasis> tso off gso off</emphasis></programlisting>
    </section>
+
+    <section>
+      <title>(FAQ 97a) I enable Shorewall traffic shaping and now my download
+      rate is way below what I specified</title>
+
+      <para><emphasis role="bold">Answer</emphasis>: This is likely due to
+      Generic Receive Offload (GRO) being enabled in the network adapter. To
+      verify, install the <firstterm>ethtool</firstterm> package and use the
+      -k command:</para>
+
+      <programlisting>root@gateway:/etc/shorewall# ethtool -k eth1
+Offload parameters for eth1:
+rx-checksumming: on
+tx-checksumming: on
+scatter-gather: on
+tcp-segmentation-offload: on
+udp-fragmentation-offload: off
+generic-segmentation-offload: on
+generic-receive-offload: <emphasis role="bold">on</emphasis>
+large-receive-offload: off
+ntuple-filters: off
+receive-hashing: off
+root@gateway:/etc/shorewall# 
+</programlisting>
+
+      <para>To work around the issue, use this command:</para>
+
+      <programlisting><emphasis role="bold">ethtool -k eth</emphasis>N <emphasis
+          role="bold">gro off</emphasis></programlisting>
+    </section>
  </section>

  <section id="About">
@@ -2417,8 +2474,8 @@ etc...</programlisting>
      <para><emphasis role="bold">Answer:</emphasis> Shorewall Lite is a
      companion product to Shorewall and is designed to allow you to maintain
      all Shorewall configuration information on a single system within your
-      network. See the <ulink url="CompiledPrograms.html#Lite">Compiled
-      Firewall script documentation</ulink> for details.</para>
+      network. See the <ulink url="Shorewall-Lite.html">Compiled Firewall
+      script documentation</ulink> for details.</para>
    </section>

    <section id="faq54">
--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -171,13 +171,15 @@

          <listitem>
            <para>You may not use the SAVE or RESTORE options unless you also
-            set HIGH_ROUTE_MARKS=Yes in
+            set HIGH_ROUTE_MARKS=Yes (PROVIDER_OFFSET &gt; 0 with Shorewall
+            4.4.26 and later) in
            <filename>/etc/shorewall/shorewall.conf</filename>.</para>
          </listitem>

          <listitem>
            <para>You may not use connection marking unless you also set
-            HIGH_ROUTE_MARKS=Yes in
+            HIGH_ROUTE_MARKS=Yes (PROVIDER_OFFSET &gt; 0 with Shorewall 4.4.26
+            and later) in
            <filename>/etc/shorewall/shorewall.conf</filename>.</para>
          </listitem>
        </itemizedlist>
@@ -226,7 +228,8 @@
            value and will restore the packet mark in the PREROUTING CHAIN.
            Mark values must be in the range 1-255.</para>

-            <para>Alternatively, you may set HIGH_ROUTE_MARKS=Yes in
+            <para>Alternatively, you may set HIGH_ROUTE_MARKS=Yes
+            (PROVIDER_OFFSET &gt; 0 with Shorewall 4.4.26 and later) in
            <filename>/etc/shorewall/shorewall.conf</filename>. This allows
            you to:</para>

@@ -535,8 +538,10 @@
                  is given without a <replaceable>weight</replaceable>, a
                  separate default route is added through the provider's
                  gateway; the route has a metric equal to the provider's
-                  NUMBER. The option is ignored with a warning message if
-                  USE_DEFAULT_RT=Yes in
+                  NUMBER.</para>
+
+                  <para>Prior to Shorewall 4.4.24, the option is ignored with
+                  a warning message if USE_DEFAULT_RT=Yes in
                  <filename>shorewall.conf</filename>.</para>
                </listitem>
              </varlistentry>
@@ -1053,6 +1058,20 @@ gateway:~ #</programlisting>
              which they appear in the file.</para>
            </listitem>
          </varlistentry>
+
+          <varlistentry>
+            <term>MARK (Optional - added in Shorewall 4.4.25)</term>
+
+            <listitem>
+              <para>Mark and optional mask in the form
+              <replaceable>mark</replaceable>[/<replaceable>mask</replaceable>].
+              For this rule to be applied to a packet, the packet's mark value
+              must match the <replaceable>mark</replaceable> when logically
+              anded with the <replaceable>mask</replaceable>. If a
+              <replaceable>mask</replaceable> is not supplied, Shorewall
+              supplies a suitable provider mask.</para>
+            </listitem>
+          </varlistentry>
        </variablelist>
      </section>

--- a/docs/Multiple_Zones.xml
+++ b/docs/Multiple_Zones.xml
@@ -336,8 +336,8 @@ loc:net     ipv4</programlisting>

    <para><filename>/etc/shorewall/interfaces</filename></para>

-    <programlisting>#ZONE               INTERFACE           BROADCAST
-net                 eth0                detect</programlisting>
+    <programlisting>#ZONE               INTERFACE           BROADCAST      OPTIONS
+net                 eth0                detect         routefilter</programlisting>

    <para><filename>/etc/shorewall/hosts</filename></para>

--- a/docs/OpenVZ.xml
+++ b/docs/OpenVZ.xml
@@ -489,6 +489,12 @@ loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1
    <section>
      <title>Shorewall Configuration on Server</title>

+      <warning>
+        <para>If you are running Debian Squeeze, Shorewall will not work in an
+        OpenVZ container. This is a Debian OpenVZ issue and not a Shorewall
+        issue.</para>
+      </warning>
+
      <para>I have set up Shorewall on Server (206.124.146.178) just to have
      an environment to test with. It is a quite vanilla one-interface
      configuration.</para>
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -226,19 +226,20 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=

    <para>The mark value is held in a 32-bit field. Because packet marking is
    the Netfilter <emphasis>kludge of last resort</emphasis> for solving many
-    hard technical problems, Shorewall reserves half of this field (16 bits)
-    for future use. The remainder is split into two 8-bit values:</para>
+    hard technical problems, Shorewall originally reserved half of this field
+    (16 bits) for future use. The remainder was split into two 8-bit
+    values:</para>

    <itemizedlist>
      <listitem>
        <para>The low-order eight bits are used for traffic shaping marks.
-        These eight bits are also used for selecting among multiple providers
+        These eight bits were also used for selecting among multiple providers
        when HIGH_ROUTE_MARKS=No in <filename>shorewall.conf</filename>. Some
-        rules that deal with only these bits use a mask value of 0xff.</para>
+        rules that deal with only these bits used a mask value of 0xff.</para>
      </listitem>

      <listitem>
-        <para>The next 8 bits are used for selecting among multiple providers
+        <para>The next 8 bits were used for selecting among multiple providers
        when HIGH_ROUTE_MARKS=Yes in <filename>shorewall.conf</filename>.
        These bits are manipulated using a mask value of 0xff00.</para>
      </listitem>
@@ -268,9 +269,17 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
      </listitem>
    </itemizedlist>

+    <para>When WIDE_TC_MARKS was added, the number of bits reserved for TC
+    marks was increased to 14 when WIDE_TC_MARKS=Yes and the provider mark
+    field (when HIGH_ROUTE_MARKS=Yes) was offset 16 bits. Also, when
+    HIGH_ROUTE_MARKS=Yes, the mask used for setting/testing TC marks was
+    0xffff (16 bits).</para>
+
    <para>Shorewall actually allows you to have complete control over the
    layout of the 32-bit mark using the following options in <ulink
-    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) (these
+    options were documents in the shorewall.conf manpage in Shorewall
+    4.4.26):</para>

    <variablelist>
      <varlistentry>
@@ -313,6 +322,20 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
      </varlistentry>
    </variablelist>

+    <para>In Shorewall 4.4.26, a new option was added:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>ZONE_BITS</term>
+
+        <listitem>
+          <para>Number of bits in the mark to use for automatic zone marking
+          (see the <ulink url="bridge-Shorewall-perl.html">Shorewall
+          Bridge/Firewall HOWTO</ulink>).</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
    <para>The relationship between these options is shown in this
    diagram.</para>

@@ -366,9 +389,15 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <para>Beginning with Shorewall 4.4.12, the field between MASK_BITS and
    PROVIDER_OFFSET can be used for any purpose you want.</para>

-    <para>Beginning with Shorewall 4.4.13, The first unused bit on the left is
+    <para>Beginning with Shorewall 4.4.13, the first unused bit on the left is
    used by Shorewall as an <firstterm>exclusion mark</firstterm>, allowing
    exclusion in CONTINUE, NONAT and ACCEPT+ rules.</para>
+
+    <para>Beginning with Shorewall 4.4.26, WIDE_TC_MARKS and HIGH_ROUTE_MARKS
+    are deprecated in favor of the options described above. The
+    <command>shorewall update</command> (<command>shorewall6 update</command>)
+    command will set the above options based on the settings of WIDE_TC_MARKS
+    and HIGH_ROUTE_MARKS.</para>
  </section>

  <section id="Shorewall">
--- a/docs/ProxyARP.xml
+++ b/docs/ProxyARP.xml
@@ -305,7 +305,7 @@ shorewall start</programlisting>
    <title>IPv6 - Proxy NDP</title>

    <para>The IPv6 analog of Proxy ARP is Proxy NDP (Neighbor Discovery
-    Protocol). Begiinning with Shorewall 4.4.16, Shorewall6 supports Proxy NDP
+    Protocol). Beginning with Shorewall 4.4.16, Shorewall6 supports Proxy NDP
    in a manner similar to Proxy ARP support in Shorewall:</para>

    <itemizedlist>
@@ -328,8 +328,8 @@ shorewall start</programlisting>
    discoverey requests for IPv6 addresses configured on the interface
    receiving the request. So if eth0 has address 2001:470:b:227::44/128 and
    eth1 has address 2001:470:b:227::1/64 then in order for eth1 to respond to
-    neighbor discovery requests for 2001:470:b:227::44, the following entry in
-    /etc/shorewall6/proxyndp is required:</para>
+    neighbor discoverey requests for 2001:470:b:227::44, the following entry
+    in /etc/shorewall6/proxyndp is required:</para>

    <programlisting>#ADDRESS	          INTERFACE    EXTERNAL    HAVEROUTE    PERSISTENT
 2001:470:b:227::44 -            eth1        Yes</programlisting>
--- a/docs/Shorewall-Lite.xml
+++ b/docs/Shorewall-Lite.xml
@@ -0,0 +1,781 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>Shorewall Lite</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2006-2011</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <caution>
+    <para><emphasis role="bold">This article applies to Shorewall 4.3 and
+    later. If you are running a version of Shorewall earlier than Shorewall
+    4.3.5 then please see the documentation appropriate for your
+    version.</emphasis></para>
+  </caution>
+
+  <section id="Overview">
+    <title>Overview</title>
+
+    <para>Shorewall has the capability to compile a Shorewall configuration
+    and produce a runnable firewall program script. The script is a complete
+    program which can be placed on a system with <emphasis>Shorewall
+    Lite</emphasis> installed and can serve as the firewall creation script
+    for that system.</para>
+
+    <section id="Lite">
+      <title>Shorewall Lite</title>
+
+      <para>Shorewall Lite is a companion product to Shorewall and is designed
+      to allow you to maintain all Shorewall configuration information on a
+      single system within your network.</para>
+
+      <orderedlist numeration="loweralpha">
+        <listitem>
+          <para>You install the full Shorewall release on one system within
+          your network. You need not configure Shorewall there and you may
+          totally disable startup of Shorewall in your init scripts. For ease
+          of reference, we call this system the 'administrative
+          system'.</para>
+
+          <para>The administrative system may be a GNU/Linux system, a Windows
+          system running <ulink url="http://www.cygwin.com/">Cygwin</ulink> or
+          an <ulink url="http://www.apple.com/mac/">Apple MacIntosh</ulink>
+          running OS X. Install from a shell prompt <ulink
+          url="Install.htm">using the install.sh script</ulink>.</para>
+        </listitem>
+
+        <listitem>
+          <para>On each system where you wish to run a Shorewall-generated
+          firewall, you install Shorewall Lite. For ease of reference, we will
+          call these systems the 'firewall systems'.</para>
+
+          <note>
+            <para>The firewall systems do <emphasis role="bold">NOT</emphasis>
+            need to have the full Shorewall product installed but rather only
+            the Shorewall Lite product. Shorewall and Shorewall Lite may be
+            installed on the same system but that isn't encouraged.</para>
+          </note>
+        </listitem>
+
+        <listitem>
+          <para>On the administrative system you create a separate 'export
+          directory' for each firewall system. You copy the contents of
+          <filename
+          class="directory">/usr/share/shorewall/configfiles</filename> into
+          each export directory.</para>
+
+          <note>
+            <para>Users of Debian and derivatives that install the package
+            from their distribution will be disappointed to find that
+            <filename
+            class="directory">/usr/share/shorewall/configfiles</filename> does
+            not exist on their systems. They will instead need to
+            either:</para>
+
+            <itemizedlist>
+              <listitem>
+                <para>Copy the files in
+                /usr/share/doc/shorewall/default-config/ into each export
+                directory.</para>
+              </listitem>
+
+              <listitem>
+                <para>Copy /etc/shorewall/shorewall.conf into each export
+                directory and remove /etc/shorewall from the CONFIG_PATH
+                setting in the copied files.</para>
+              </listitem>
+            </itemizedlist>
+
+            <para>or</para>
+
+            <itemizedlist>
+              <listitem>
+                <para>Download the Shorewall tarball corresponding to their
+                package version.</para>
+              </listitem>
+
+              <listitem>
+                <para>Untar and copy the files from the
+                <filename>configfiles</filename> sub-directory in the untarred
+                <filename>shorewall-...</filename> directory.</para>
+              </listitem>
+            </itemizedlist>
+          </note>
+
+          <para>After copying, you may need to change two setting in the copy
+          of shorewall.conf:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>CONFIG_PATH=/usr/share/shorewall</para>
+            </listitem>
+
+            <listitem>
+              <para>STARTUP_LOG=/var/log/shorewall-lite-init.log</para>
+            </listitem>
+          </itemizedlist>
+
+          <para>Older versions of Shorewall included copies of shorewall.conf
+          with these settings already modified. This practice was discontinued
+          in Shorewall 4.4.20.1.</para>
+        </listitem>
+
+        <listitem>
+          <para>The <filename>/etc/shorewall/shorewall.conf</filename> file is
+          used to determine the VERBOSITY setting which determines how much
+          output the compiler generates. All other settings are taken from the
+          <filename>shorewall.conf </filename>file in the remote systems
+          export directory.</para>
+
+          <caution>
+            <para>If you want to be able to allow non-root users to manage
+            remote firewall systems, then the files
+            <filename>/etc/shorewall/params</filename> and
+            <filename>/etc/shorewall/shorewall.conf</filename> must be
+            readable by all users on the administrative system. Not all
+            packages secure the files that way and you may have to change the
+            file permissions yourself.</para>
+          </caution>
+        </listitem>
+
+        <listitem id="Debian">
+          <para>On each firewall system, If you are running Debian or one of
+          its derivatives like Ubuntu then edit
+          <filename>/etc/default/shorewall-lite</filename> and set
+          startup=1.</para>
+        </listitem>
+
+        <listitem>
+          <para>On the administrative system, for each firewall system you do
+          the following (this may be done by a non-root user who has root ssh
+          access to the firewall system):</para>
+
+          <orderedlist>
+            <listitem>
+              <para>modify the files in the corresponding export directory
+              appropriately (i.e., <emphasis>just as you would if you were
+              configuring Shorewall on the firewall system itself</emphasis>).
+              It's a good idea to include the IP address of the administrative
+              system in the <ulink
+              url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
+              file</ulink>.</para>
+
+              <para>It is important to understand that with Shorewall Lite,
+              the firewall's export directory on the administrative system
+              acts as <filename class="directory">/etc/shorewall</filename>
+              for that firewall. So when the Shorewall documentation gives
+              instructions for placing entries in files in the firewall's
+              <filename class="directory">/etc/shorewall</filename>, when
+              using Shorewall Lite you make those changes in the firewall's
+              export directory on the administrative system.</para>
+
+              <para>The CONFIG_PATH variable is treated as follows:</para>
+
+              <itemizedlist>
+                <listitem>
+                  <para>The value of CONFIG_PATH in
+                  <filename>/etc/shorewall/shorewall.conf</filename> is
+                  ignored when compiling for export (the -e option in given)
+                  and when the <command>load</command> or
+                  <command>reload</command> command is being executed (see
+                  below).</para>
+                </listitem>
+
+                <listitem>
+                  <para>The value of CONFIG_PATH in the
+                  <filename>shorewall.conf</filename> file in the export
+                  directory is used to search for configuration files during
+                  compilation of that configuration.</para>
+                </listitem>
+
+                <listitem>
+                  <para>The value of CONFIG_PATH used when the script is run
+                  on the firewall system is
+                  "/etc/shorewall-lite:/usr/share/shorewall-lite".</para>
+                </listitem>
+              </itemizedlist>
+            </listitem>
+
+            <listitem>
+              <programlisting><command>cd &lt;export directory&gt;</command>
+<command>/sbin/shorewall load firewall</command></programlisting>
+
+              <para>The <ulink
+              url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
+              command compiles a firewall script from the configuration files
+              in the current working directory (using <command>shorewall
+              compile -e</command>), copies that file to the remote system via
+              scp and starts Shorewall Lite on the remote system via
+              ssh.</para>
+
+              <para>Example (firewall's DNS name is 'gateway'):</para>
+
+              <para><command>/sbin/shorewall load gateway</command><note>
+                  <para>Although scp and ssh are used by default, you can use
+                  other utilities by setting RSH_COMMAND and RCP_COMMAND in
+                  <filename>/etc/shorewall/shorewall.conf</filename>.</para>
+                </note></para>
+
+              <para>The first time that you issue a <command>load</command>
+              command, Shorewall will use ssh to run
+              <filename>/usr/share/shorewall-lite/shorecap</filename> on the
+              remote firewall to create a capabilities file in the firewall's
+              administrative direction. See <link
+              linkend="Shorecap">below</link>.</para>
+            </listitem>
+          </orderedlist>
+        </listitem>
+
+        <listitem>
+          <para>If you later need to change the firewall's configuration,
+          change the appropriate files in the firewall's export directory
+          then:</para>
+
+          <programlisting><command>cd &lt;export directory&gt;</command>
+<command>/sbin/shorewall reload firewall</command></programlisting>
+
+          <para>The <ulink
+          url="manpages/shorewall.html"><command>reload</command></ulink>
+          command compiles a firewall script from the configuration files in
+          the current working directory (using <command>shorewall compile
+          -e</command>), copies that file to the remote system via scp and
+          restarts Shorewall Lite on the remote system via ssh. The <emphasis
+          role="bold">reload</emphasis> command also supports the '-c'
+          option.</para>
+        </listitem>
+      </orderedlist>
+
+      <para>There is a <filename>shorewall-lite.conf</filename> file installed
+      as part of Shorewall Lite
+      (<filename>/etc/shorewall-lite/shorewall-lite.conf</filename>). You can
+      use that file on the firewall system to override some of the settings
+      from the shorewall.conf file in the export directory.</para>
+
+      <para>Settings that you can override are:</para>
+
+      <blockquote>
+        <simplelist>
+          <member>VERBOSITY</member>
+
+          <member>LOGFILE</member>
+
+          <member>LOGFORMAT</member>
+
+          <member>IPTABLES</member>
+
+          <member>PATH</member>
+
+          <member>SHOREWALL_SHELL</member>
+
+          <member>SUBSYSLOCK</member>
+
+          <member>RESTOREFILE</member>
+        </simplelist>
+      </blockquote>
+
+      <para>You will normally never touch
+      <filename>/etc/shorewall-lite/shorewall-lite.conf</filename> unless you
+      run Debian or one of its derivatives (see <link
+      linkend="Debian">above</link>).</para>
+
+      <para>The <filename>/sbin/shorewall-lite</filename> program included
+      with Shorewall Lite supports the same set of commands as the
+      <filename>/sbin/shorewall</filename> program in a full Shorewall
+      installation with the following exceptions:</para>
+
+      <blockquote>
+        <simplelist>
+          <member>add</member>
+
+          <member>compile</member>
+
+          <member>delete</member>
+
+          <member>refresh</member>
+
+          <member>reload</member>
+
+          <member>try</member>
+
+          <member>safe-start</member>
+
+          <member>safe-restart</member>
+
+          <member>show actions</member>
+
+          <member>show macros</member>
+        </simplelist>
+      </blockquote>
+
+      <para>On systems with only Shorewall Lite installed, I recommend that
+      you create a symbolic link <filename>/sbin/shorewall</filename> and
+      point it at <filename>/sbin/shorewall-lite</filename>. That way, you can
+      use <command>shorewall</command> as the command regardless of which
+      product is installed.</para>
+
+      <blockquote>
+        <programlisting><command>ln -sf shorewall-lite /sbin/shorewall</command></programlisting>
+      </blockquote>
+
+      <section>
+        <title>Module Loading</title>
+
+        <para>As with a normal Shorewall configuration, the shorewall.conf
+        file can specify LOAD_HELPERS_ONLY which determines if the
+        <filename>modules</filename> file (LOAD_HELPERS_ONLY=No) or
+        <filename>helpers</filename> file (LOAD_HELPERS_ONLY=Yes) is used.
+        Normally, the file on the firewall system is used. If you want to
+        specify modules at compile time on the Administrative System, then you
+        must place a copy of the appropriate file
+        (<filename>modules</filename> or <filename>helpers</filename>) in the
+        firewall's configuration directory before compilation.</para>
+
+        <para>In Shorewall 4.4.17, the EXPORTMODULES option was added to
+        shorewall.conf (and shorewall6.conf). When EXPORTMODULES=Yes, any
+        <filename>modules</filename> or <filename>helpers</filename> file
+        found on the CONFIG_PATH on the Administrative System during
+        compilation will be used.</para>
+      </section>
+
+      <section id="Converting">
+        <title>Converting a system from Shorewall to Shorewall Lite</title>
+
+        <para>Converting a firewall system that is currently running Shorewall
+        to run Shorewall Lite instead is straight-forward.</para>
+
+        <orderedlist numeration="loweralpha">
+          <listitem>
+            <para>On the administrative system, create an export directory for
+            the firewall system.</para>
+          </listitem>
+
+          <listitem>
+            <para>Copy the contents of <filename
+            class="directory">/etc/shorewall/</filename> from the firewall
+            system to the export directory on the administrative
+            system.</para>
+          </listitem>
+
+          <listitem>
+            <para>On the firewall system:</para>
+
+            <para>Be sure that the IP address of the administrative system is
+            included in the firewall's export directory
+            <filename>routestopped</filename> file.</para>
+
+            <programlisting><command>shorewall stop</command></programlisting>
+
+            <para><emphasis role="bold">We recommend that you uninstall
+            Shorewall at this point.</emphasis></para>
+          </listitem>
+
+          <listitem>
+            <para>Install Shorewall Lite on the firewall system.</para>
+
+            <para>If you are running Debian or one of its derivatives like
+            Ubuntu then edit <filename>/etc/default/shorewall-lite</filename>
+            and set startup=1.</para>
+          </listitem>
+
+          <listitem>
+            <para>On the administrative system:</para>
+
+            <para>It's a good idea to include the IP address of the
+            administrative system in the firewall system's <ulink
+            url="manpages/shorewall-routestopped.html"><filename>routestopped</filename>
+            file</ulink>.</para>
+
+            <para>Also, edit the <filename>shorewall.conf</filename> file in
+            the firewall's export directory and change the CONFIG_PATH setting
+            to remove <filename class="directory">/etc/shorewall</filename>.
+            You can replace it with <filename
+            class="directory">/usr/share/shorewall/configfiles</filename> if
+            you like.</para>
+
+            <para>Example:</para>
+
+            <blockquote>
+              <para>Before editing:</para>
+
+              <programlisting>CONFIG_PATH=<emphasis role="bold">/etc/shorewall</emphasis>:/usr/share/shorewall</programlisting>
+
+              <para>After editing:</para>
+
+              <programlisting>CONFIG_PATH=<emphasis role="bold">/usr/share/shorewall/configfiles</emphasis>:/usr/share/shorewall</programlisting>
+            </blockquote>
+
+            <para>Changing CONFIG_PATH will ensure that subsequent
+            compilations using the export directory will not include any files
+            from <filename class="directory">/etc/shorewall</filename> other
+            than <filename>shorewall.conf</filename> and
+            <filename>params</filename>.</para>
+
+            <para>If you set variables in the params file, there are a couple
+            of issues:</para>
+
+            <para>The <filename>params</filename> file is not processed at run
+            time if you set EXPORTPARAMS=No in
+            <filename>shorewall.conf</filename>. For run-time setting of shell
+            variables, use the <filename>init</filename> extension script.
+            Beginning with Shorewall 4.4.17, the variables set in the
+            <filename>params</filename> file are available in the firewall
+            script when EXPORTPARAMS=No.</para>
+
+            <para>If the <filename>params</filename> file needs to set shell
+            variables based on the configuration of the firewall system, you
+            can use this trick:</para>
+
+            <programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>
+
+            <para>The <command>shorewall-lite call</command> command allows
+            you to to call interactively any Shorewall function that you can
+            call in an extension script.</para>
+
+            <para>After having made the above changes to the firewall's export
+            directory, execute the following commands.</para>
+
+            <blockquote>
+              <programlisting><command>cd &lt;export directory&gt;</command>
+<command>/sbin/shorewall load &lt;firewall system&gt;</command>
+</programlisting>
+
+              <para>Example (firewall's DNS name is 'gateway'):</para>
+
+              <para><command>/sbin/shorewall load gateway</command></para>
+            </blockquote>
+
+            <para>The first time that you issue a <command>load</command>
+            command, Shorewall will use ssh to run
+            <filename>/usr/share/shorewall-lite/shorecap</filename> on the
+            remote firewall to create a capabilities file in the firewall's
+            administrative direction. See <link
+            linkend="Shorecap">below</link>.</para>
+
+            <para>The <ulink
+            url="starting_and_stopping_shorewall.htm#Load"><command>load</command></ulink>
+            command compiles a firewall script from the configuration files in
+            the current working directory (using <command>shorewall compile
+            -e</command>), copies that file to the remote system via
+            <command>scp</command> and starts Shorewall Lite on the remote
+            system via <command>ssh</command>.</para>
+          </listitem>
+
+          <listitem>
+            <para>If you later need to change the firewall's configuration,
+            change the appropriate files in the firewall's export directory
+            then:</para>
+
+            <programlisting><command>cd &lt;export directory&gt;</command>
+<command>/sbin/shorewall reload firewall</command></programlisting>
+
+            <para>The <ulink
+            url="starting_and_stopping_shorewall.htm#Reload"><command>reload</command></ulink>
+            command compiles a firewall script from the configuration files in
+            the current working directory (using <command>shorewall compile
+            -e</command>), copies that file to the remote system via
+            <command>scp</command> and restarts Shorewall Lite on the remote
+            system via <command>ssh</command>.</para>
+          </listitem>
+
+          <listitem>
+            <para>If the kernel/iptables configuration on the firewall later
+            changes and you need to create a new
+            <filename>capabilities</filename> file, do the following on the
+            firewall system:</para>
+
+            <programlisting><command>/usr/share/shorewall-lite/shorecap &gt; capabilities</command>
+<command>scp capabilities &lt;admin system&gt;:&lt;this system's config dir&gt;</command></programlisting>
+
+            <para>Or simply use the -c option the next time that you use the
+            <command>reload</command> command (e.g., <command>shorewall reload
+            -c gateway</command>).</para>
+          </listitem>
+        </orderedlist>
+      </section>
+    </section>
+
+    <section id="Restrictions">
+      <title>Restrictions</title>
+
+      <para>While compiled Shorewall programs (as are used in Shorewall Lite)
+      are useful in many cases, there are some important restrictions that you
+      should be aware of before attempting to use them.</para>
+
+      <orderedlist>
+        <listitem>
+          <para>All extension scripts used are copied into the program (with
+          the exception of <ulink url="shorewall_extension_scripts.htm">those
+          executed at compile-time by the compiler</ulink>). The ramifications
+          of this are:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>If you update an extension script, the compiled program
+              will not use the updated script.</para>
+            </listitem>
+
+            <listitem>
+              <para>The <filename>params</filename> file is only processed at
+              compile time if you set EXPORTPARAMS=No in
+              <filename>shorewall.conf</filename>. For run-time setting of
+              shell variables, use the <filename>init</filename> extension
+              script. Although the default setting is EXPORTPARAMS=Yes for
+              compatibility, the recommended setting is EXPORTPARAMS=No.
+              Beginning with Shorewall 4.4.17, the variables set in the
+              <filename>params</filename> file are available in the firewall
+              script when EXPORTPARAMS=No.</para>
+
+              <para>If the <filename>params</filename> file needs to set shell
+              variables based on the configuration of the firewall system, you
+              can use this trick:</para>
+
+              <programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>
+
+              <para>The <command>shorewall-lite call</command> command allows
+              you to to call interactively any Shorewall function that you can
+              call in an extension script.</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+
+        <listitem>
+          <para>You must install Shorewall Lite on the system where you want
+          to run the script. You then install the compiled program in
+          /usr/share/shorewall-lite/firewall and use the /sbin/shorewall-lite
+          program included with Shorewall Lite to control the firewall just as
+          if the full Shorewall distribution was installed.</para>
+        </listitem>
+
+        <listitem>
+          <para>Beginning with Shorewall 4.4.9, the compiler detects bridges
+          and sets the <emphasis role="bold">bridge</emphasis> and <emphasis
+          role="bold">routeback</emphasis> options explicitly. That can't
+          happen when the compilation no longer occurs on the firewall
+          system.</para>
+        </listitem>
+      </orderedlist>
+    </section>
+  </section>
+
+  <section id="Compile">
+    <title>The "shorewall compile" command</title>
+
+    <para>A compiled script is produced using the <command>compile</command>
+    command:</para>
+
+    <blockquote>
+      <para><command>shorewall compile [ -e ] [ &lt;directory name&gt; ] [
+      &lt;path name&gt; ]</command></para>
+    </blockquote>
+
+    <para>where</para>
+
+    <blockquote>
+      <variablelist>
+        <varlistentry>
+          <term>-e</term>
+
+          <listitem>
+            <para>Indicates that the program is to be "exported" to another
+            system. When this flag is set, neither the "detectnets" interface
+            option nor DYNAMIC_ZONES=Yes in shorewall.conf are allowed. The
+            created program may be run on a system that has only Shorewall
+            Lite installed</para>
+
+            <para>When this flag is given, Shorewall does not probe the
+            current system to determine the kernel/iptables features that it
+            supports. It rather reads those capabilities from
+            <filename>/etc/shorewall/capabilities</filename>. See below for
+            details.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>&lt;directory name&gt;</term>
+
+          <listitem>
+            <para>specifies a directory to be searched for configuration files
+            before those directories listed in the CONFIG_PATH variable in
+            <filename>shorewall.conf</filename>.</para>
+
+            <para>When -e &lt;directory-name&gt; is included, only the
+            SHOREWALL_SHELL and VERBOSITY settings from
+            <filename>/etc/shorewall/shorewall.conf</filename> are used and
+            these apply only to the compiler itself. The settings used by the
+            compiled firewall script are determined by the contents of
+            <filename>&lt;directory name&gt;/shorewall.conf</filename>.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>&lt;path name&gt;</term>
+
+          <listitem>
+            <para>specifies the name of the script to be created. If not
+            given, ${VARDIR}/firewall is assumed (by default, ${VARDIR} is
+            <filename>/var/lib/shorewall/</filename>)</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+    </blockquote>
+
+    <para>The compile command can be used to stage a new compiled strict that
+    can be activated later using</para>
+
+    <simplelist>
+      <member><command>shorewall restart -f</command></member>
+    </simplelist>
+  </section>
+
+  <section id="Shorecap">
+    <title>The /etc/shorewall/capabilities file and the shorecap
+    program</title>
+
+    <para>As mentioned above, the
+    <filename>/etc/shorewall/capabilities</filename> file specifies that
+    kernel/iptables capabilities of the target system. Here is a sample
+    file:</para>
+
+    <blockquote>
+      <programlisting>#
+# Shorewall detected the following iptables/netfilter capabilities - Tue Jul 15 07:28:12 PDT 2008
+#
+NAT_ENABLED=Yes
+MANGLE_ENABLED=Yes
+MULTIPORT=Yes
+XMULTIPORT=Yes
+CONNTRACK_MATCH=Yes
+USEPKTTYPE=Yes
+POLICY_MATCH=Yes
+PHYSDEV_MATCH=Yes
+PHYSDEV_BRIDGE=Yes
+LENGTH_MATCH=Yes
+IPRANGE_MATCH=Yes
+RECENT_MATCH=Yes
+OWNER_MATCH=Yes
+IPSET_MATCH=Yes
+CONNMARK=Yes
+XCONNMARK=Yes
+CONNMARK_MATCH=Yes
+XCONNMARK_MATCH=Yes
+RAW_TABLE=Yes
+IPP2P_MATCH=
+CLASSIFY_TARGET=Yes
+ENHANCED_REJECT=Yes
+KLUDGEFREE=Yes
+MARK=Yes
+XMARK=Yes
+MANGLE_FORWARD=Yes
+COMMENTS=Yes
+ADDRTYPE=Yes
+TCPMSS_MATCH=Yes
+HASHLIMIT_MATCH=Yes
+NFQUEUE_TARGET=Yes
+REALM_MATCH=Yes
+CAPVERSION=40190</programlisting>
+    </blockquote>
+
+    <para>As you can see, the file contains a simple list of shell variable
+    assignments — the variables correspond to the capabilities listed by the
+    <command>shorewall show capabilities</command> command and they appear in
+    the same order as the output of that command.</para>
+
+    <para>To aid in creating this file, Shorewall Lite includes a
+    <command>shorecap</command> program. The program is installed in the
+    <filename class="directory">/usr/share/shorewall-lite/</filename>
+    directory and may be run as follows:</para>
+
+    <blockquote>
+      <para><command>[ IPTABLES=&lt;iptables binary&gt; ] [
+      MODULESDIR=&lt;kernel modules directory&gt; ]
+      /usr/share/shorewall-lite/shorecap &gt; capabilities</command></para>
+    </blockquote>
+
+    <para>The IPTABLES and MODULESDIR options have their <ulink
+    url="manpages/shorewall.conf.html">usual Shorewall default
+    values</ulink>.</para>
+
+    <para>The <filename>capabilities</filename> file may then be copied to a
+    system with Shorewall installed and used when compiling firewall programs
+    to run on the remote system.</para>
+
+    <para>The <filename>capabilities</filename> file may also be creating
+    using <filename>/sbin/shorewall-lite</filename>:<blockquote>
+        <para><command>shorewall-lite show -f capabilities &gt;
+        capabilities</command></para>
+      </blockquote></para>
+
+    <para>Note that unlike the <command>shorecap</command> program, the
+    <command>show capabilities</command> command shows the kernel's current
+    capabilities; it does not attempt to load additional kernel
+    modules.</para>
+  </section>
+
+  <section id="Running">
+    <title>Running compiled programs directly</title>
+
+    <para>Compiled firewall programs are complete shell programs that support
+    the following command line forms:</para>
+
+    <blockquote>
+      <simplelist>
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        start</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        stop</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        clear</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        refresh</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        reset</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        restart</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        status</command></member>
+
+        <member><command>&lt;program&gt; [ -q ] [ -v ] [ -n ]
+        version</command></member>
+      </simplelist>
+    </blockquote>
+
+    <para>The options have the same meanings as when they are passed to
+    <filename>/sbin/shorewall</filename> itself. The default VERBOSITY level
+    is the level specified in the <filename>shorewall.conf</filename> file
+    used when the program was compiled.</para>
+  </section>
+</article>
--- a/docs/Shorewall-perl.xml
+++ b/docs/Shorewall-perl.xml
@@ -801,6 +801,24 @@ DNAT-              net                192.168.1.3      tcp          21</programl
      annotated with documentation. Ignored unless <emphasis
      role="bold">--update</emphasis> is also specified.</para>

+      <simplelist>
+        <member><emphasis role="bold">--convert</emphasis></member>
+      </simplelist>
+
+      <para>Added in Shorewall 4.4.26. Causes the compiler to convert an
+      existing <ulink
+      url="manpages/shorewall-blacklist.html">blacklist</ulink> file into an
+      equivalent <ulink url="manpages/shorewall-blrules.html">blrules</ulink>
+      file.</para>
+
+      <simplelist>
+        <member><emphasis
+        role="bold">--config_path=<replaceable>path</replaceable>[:<replaceable>path</replaceable>]...</emphasis></member>
+      </simplelist>
+
+      <para>Added in Shorewall 4.4.26. Search path for configuration
+      files.</para>
+
      <para>Example (compiles the configuration in the current directory
      generating a script named 'firewall' and using VERBOSITY
      2).<programlisting><emphasis role="bold">/usr/share/shorewall/compiler.pl -v 2 -d . firewall</emphasis></programlisting><note>
--- a/docs/blacklisting_support.xml
+++ b/docs/blacklisting_support.xml
@@ -48,9 +48,10 @@
  <section id="Intro">
    <title>Introduction</title>

-    <para>Shorewall supports two different forms of blacklisting; static and
-    dynamic. The BLACKLISTNEWONLY option in /etc/shorewall/shorewall.conf
-    controls the degree of blacklist filtering:</para>
+    <para>Shorewall supports two different types of blackliisting; rule-based,
+    static and dynamic. The BLACKLISTNEWONLY option in
+    /etc/shorewall/shorewall.conf controls the degree of blacklist
+    filtering:</para>

    <orderedlist>
      <listitem>
@@ -62,10 +63,57 @@
      <listitem>
        <para>BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for
        new connection requests. Blacklists may not be used to terminate
-        existing connections. Only the source address is checked against the
-        blacklists.</para>
+        existing connections.</para>
      </listitem>
    </orderedlist>
+  </section>
+
+  <section>
+    <title>Rule-based Blacklisting</title>
+
+    <para>Beginning with Shorewall 4.4.25, the preferred method of
+    blacklisting and whitelisting is to use the blrules file (<ulink
+    url="manpages/shorewall-blrules.html">shorewall-blrules</ulink> (5)).
+    There you have access to the DROP, ACCEPT, REJECT and WHITELIST actions,
+    standard and custom macros as well as standard and custom actions. See
+    <ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) for
+    details.</para>
+
+    <para>Example:</para>
+
+    <programlisting>#ACTION         SOURCE                  DEST                    PROTO   DEST
+#                                                                       PORTS(S)
+SECTION BLACKLIST
+WHITELIST       net:70.90.191.126       all
+DROP            net                     all                     udp     1023:1033,1434,5948,23773
+DROP            all                     net                     udp     1023:1033
+DROP            net                     all                     tcp     57,1433,1434,2401,2745,3127,3306,3410,4899,5554,5948,6101,8081,9898,23773
+DROP            net:221.192.199.48      all
+DROP            net:61.158.162.9        all
+DROP            net:81.21.54.100        all                     tcp     25
+DROP            net:84.108.168.139      all                             
+DROP            net:200.55.14.18        all
+</programlisting>
+
+    <para>Beginning with Shorewall 4.4.26, the <command>update</command>
+    command supports a <option>-b</option> option that causes your legacy
+    blacklisting configuration to use the blrules file.</para>
+
+    <note>
+      <para>If you prefer to keep your blacklisting rules in your rules file
+      (<ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink>
+      (5)), you can place them in the BLACKLIST section of that file rather
+      than in blrules.</para>
+    </note>
+  </section>
+
+  <section>
+    <title>Legacy Blacklisting</title>
+
+    <para>Prior to 4.4.25, two forms of blacklisting were supported; static
+    and dynamic. The dynamic variety is still appropriate for
+    <firstterm>on-the-fly</firstterm> blacklisting; the static form is
+    deprecated.</para>

    <important>
      <para><emphasis role="bold">By default, only the source address is
@@ -96,191 +144,197 @@
      load, and will have a very negative effect on firewall
      performance.</para>
    </important>
-  </section>

-  <section id="Static">
-    <title>Static Blacklisting</title>
+    <section id="Static">
+      <title>Static Blacklisting</title>

-    <para>Shorewall static blacklisting support has the following
-    configuration parameters:</para>
+      <para>Shorewall static blacklisting support has the following
+      configuration parameters:</para>

-    <itemizedlist>
-      <listitem>
-        <para>You specify whether you want packets from blacklisted hosts
-        dropped or rejected using the BLACKLIST_DISPOSITION setting in <ulink
-        url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para>
-      </listitem>
+      <itemizedlist>
+        <listitem>
+          <para>You specify whether you want packets from blacklisted hosts
+          dropped or rejected using the BLACKLIST_DISPOSITION setting in
+          <ulink
+          url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename>(5).</ulink></para>
+        </listitem>

-      <listitem>
-        <para>You specify whether you want packets from blacklisted hosts
-        logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
-        in <ulink
-        url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename></ulink>(5).</para>
-      </listitem>
+        <listitem>
+          <para>You specify whether you want packets from blacklisted hosts
+          logged and at what syslog level using the BLACKLIST_LOGLEVEL setting
+          in <ulink
+          url="manpages/shorewall.conf.html"><filename>shorewall.conf</filename></ulink>(5).</para>
+        </listitem>

-      <listitem>
-        <para>You list the IP addresses/subnets that you wish to blacklist in
-        <ulink
-        url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
-        (5). You may also specify PROTOCOL and Port numbers/Service names in
-        the blacklist file.</para>
-      </listitem>
+        <listitem>
+          <para>You list the IP addresses/subnets that you wish to blacklist
+          in <ulink
+          url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
+          (5). You may also specify PROTOCOL and Port numbers/Service names in
+          the blacklist file.</para>
+        </listitem>

-      <listitem>
-        <para>You specify the interfaces whose incoming packets you want
-        checked against the blacklist using the <quote>blacklist</quote>
-        option in <ulink
-        url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5)
-        (<ulink url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5)
-        in Shorewall 4.4.12 and later).</para>
-      </listitem>
-    </itemizedlist>
+        <listitem>
+          <para>You specify the interfaces whose incoming packets you want
+          checked against the blacklist using the <quote>blacklist</quote>
+          option in <ulink
+          url="manpages/shorewall-interfaces.html"><filename>shorewall-interfaces</filename></ulink>(5)
+          (<ulink
+          url="manpages/shorewall-zones.html">shorewall-zones</ulink>(5) in
+          Shorewall 4.4.12 and later).</para>
+        </listitem>
+      </itemizedlist>

-    <para>Users with a large static black list may want to set the
-    DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
-    2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new connections
-    before loading the blacklist rules. While this may allow connections from
-    blacklisted hosts to slip by during construction of the blacklist, it can
-    substantially reduce the time that all new connections are disabled during
-    "shorewall [re]start".</para>
+      <para>Prior to Shorewall 4.4.20, only source-address static blacklisting
+      was supported.</para>

-    <para>Beginning with Shorewall 2.4.0, you can use <ulink
-    url="ipsets.html">ipsets</ulink> to define your static blacklist. Here's
-    an example:</para>
+      <para>Users with a large static black list may want to set the
+      DELAYBLACKLISTLOAD option in shorewall.conf (added in Shorewall version
+      2.2.0). When DELAYBLACKLISTLOAD=Yes, Shorewall will enable new
+      connections before loading the blacklist rules. While this may allow
+      connections from blacklisted hosts to slip by during construction of the
+      blacklist, it can substantially reduce the time that all new connections
+      are disabled during "shorewall [re]start".</para>

-    <programlisting>#ADDRESS/SUBNET         PROTOCOL        PORT
+      <para>Beginning with Shorewall 2.4.0, you can use <ulink
+      url="ipsets.html">ipsets</ulink> to define your static blacklist. Here's
+      an example:</para>
+
+      <programlisting>#ADDRESS/SUBNET         PROTOCOL        PORT
 +Blacklistports[dst]
 +Blacklistnets[src,dst]
 +Blacklist[src,dst]
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>

-    <para>In this example, there is a portmap ipset
-    <emphasis>Blacklistports</emphasis> that blacklists all traffic with
-    destination ports included in the ipset. There are also
-    <emphasis>Blacklistnets</emphasis> (type <emphasis>nethash</emphasis>) and
-    <emphasis>Blacklist</emphasis> (type <emphasis>iphash</emphasis>) ipsets
-    that allow blacklisting networks and individual IP addresses. Note that
-    [src,dst] is specified so that individual entries in the sets can be bound
-    to other portmap ipsets to allow blacklisting (<emphasis>source
-    address</emphasis>, <emphasis>destination port</emphasis>) combinations.
-    For example:</para>
+      <para>In this example, there is a portmap ipset
+      <emphasis>Blacklistports</emphasis> that blacklists all traffic with
+      destination ports included in the ipset. There are also
+      <emphasis>Blacklistnets</emphasis> (type <emphasis>nethash</emphasis>)
+      and <emphasis>Blacklist</emphasis> (type <emphasis>iphash</emphasis>)
+      ipsets that allow blacklisting networks and individual IP addresses.
+      Note that [src,dst] is specified so that individual entries in the sets
+      can be bound to other portmap ipsets to allow blacklisting
+      (<emphasis>source address</emphasis>, <emphasis>destination
+      port</emphasis>) combinations. For example:</para>

-    <programlisting>ipset -N SMTP portmap --from 1 --to 31
+      <programlisting>ipset -N SMTP portmap --from 1 --to 31
 ipset -A SMTP 25
 ipset -A Blacklist 206.124.146.177
 ipset -B Blacklist 206.124.146.177 -b SMTP</programlisting>

-    <para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
-  </section>
+      <para>This will blacklist SMTP traffic from host 206.124.146.177.</para>
+    </section>

-  <section id="whitelisting">
-    <title>Static Whitelisting</title>
+    <section id="whitelisting">
+      <title>Static Whitelisting</title>

-    <para>Beginning with Shorewall 4.4.20, you can create
-    <firstterm>whitelist</firstterm> entries in the blacklist file.
-    Connections/packets matching a whitelist entry are not matched against the
-    entries in the blacklist file that follow. Whitelist entries are created
-    using the <emphasis role="bold">whitelist</emphasis> option (OPTIONS
-    column). See <ulink
-    url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
-    (5).</para>
-  </section>
+      <para>Beginning with Shorewall 4.4.20, you can create
+      <firstterm>whitelist</firstterm> entries in the blacklist file.
+      Connections/packets matching a whitelist entry are not matched against
+      the entries in the blacklist file that follow. Whitelist entries are
+      created using the <emphasis role="bold">whitelist</emphasis> option
+      (OPTIONS column). See <ulink
+      url="manpages/shorewall-blacklist.html"><filename>shorewall-blacklist</filename></ulink>
+      (5).</para>
+    </section>

-  <section id="Dynamic">
-    <title>Dynamic Blacklisting</title>
+    <section id="Dynamic">
+      <title>Dynamic Blacklisting</title>

-    <para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
-    setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
-    Prior to that release, the feature is always enabled.</para>
+      <para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
+      setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
+      Prior to that release, the feature is always enabled.</para>

-    <para>Once enabled, dynamic blacklisting doesn't use any configuration
-    parameters but is rather controlled using /sbin/shorewall[-lite] commands.
-    <emphasis role="bold">Note</emphasis> that <emphasis
-    role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
-    only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
-    later</emphasis>.</para>
+      <para>Once enabled, dynamic blacklisting doesn't use any configuration
+      parameters but is rather controlled using /sbin/shorewall[-lite]
+      commands. <emphasis role="bold">Note</emphasis> that <emphasis
+      role="bold">to</emphasis> and <emphasis role="bold">from</emphasis> may
+      only be specified when running <emphasis role="bold">Shorewall 4.4.12 or
+      later</emphasis>.</para>

-    <itemizedlist>
-      <listitem>
-        <para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
-        causes packets from the listed IP addresses to be silently dropped by
-        the firewall.</para>
-      </listitem>
+      <itemizedlist>
+        <listitem>
+          <para>drop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
+          causes packets from the listed IP addresses to be silently dropped
+          by the firewall.</para>
+        </listitem>

-      <listitem>
-        <para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
-        causes packets from the listed IP addresses to be rejected by the
-        firewall.</para>
-      </listitem>
+        <listitem>
+          <para>reject [to|from]<emphasis>&lt;ip address list&gt;</emphasis> -
+          causes packets from the listed IP addresses to be rejected by the
+          firewall.</para>
+        </listitem>

-      <listitem>
-        <para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
-        re-enables receipt of packets from hosts previously blacklisted by a
-        <emphasis>drop</emphasis> or <emphasis>reject</emphasis>
-        command.</para>
-      </listitem>
+        <listitem>
+          <para>allow [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
+          re-enables receipt of packets from hosts previously blacklisted by a
+          <emphasis>drop</emphasis> or <emphasis>reject</emphasis>
+          command.</para>
+        </listitem>

-      <listitem>
-        <para>save - save the dynamic blacklisting configuration so that it
-        will be automatically restored the next time that the firewall is
-        restarted.</para>
+        <listitem>
+          <para>save - save the dynamic blacklisting configuration so that it
+          will be automatically restored the next time that the firewall is
+          restarted.</para>

-        <para><emphasis role="bold">Update:</emphasis> Beginning with
-        Shorewall 4.4.10, the dynamic blacklist is automatically retained over
-        <command>stop/start</command> sequences and over
-        <command>restart</command>.</para>
-      </listitem>
+          <para><emphasis role="bold">Update:</emphasis> Beginning with
+          Shorewall 4.4.10, the dynamic blacklist is automatically retained
+          over <command>stop/start</command> sequences and over
+          <command>restart</command>.</para>
+        </listitem>

-      <listitem>
-        <para>show dynamic - displays the dynamic blacklisting
-        configuration.</para>
-      </listitem>
+        <listitem>
+          <para>show dynamic - displays the dynamic blacklisting
+          configuration.</para>
+        </listitem>

-      <listitem>
-        <para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis> -
-        causes packets from the listed IP addresses to be dropped and logged
-        by the firewall. Logging will occur at the level specified by the
-        BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be at
-        the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
-      </listitem>
+        <listitem>
+          <para>logdrop [to|from] <emphasis>&lt;ip address list&gt;</emphasis>
+          - causes packets from the listed IP addresses to be dropped and
+          logged by the firewall. Logging will occur at the level specified by
+          the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will
+          be at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
+        </listitem>

-      <listitem>
-        <para>logreject [to|from}<emphasis>&lt;ip address list&gt;</emphasis>
-        - causes packets from the listed IP addresses to be rejected and
-        logged by the firewall. Logging will occur at the level specified by
-        the BLACKLIST_LOGLEVEL setting at the last [re]start (logging will be
-        at the 'info' level if no BLACKLIST_LOGLEVEL was given).</para>
-      </listitem>
-    </itemizedlist>
+        <listitem>
+          <para>logreject [to|from}<emphasis>&lt;ip address
+          list&gt;</emphasis> - causes packets from the listed IP addresses to
+          be rejected and logged by the firewall. Logging will occur at the
+          level specified by the BLACKLIST_LOGLEVEL setting at the last
+          [re]start (logging will be at the 'info' level if no
+          BLACKLIST_LOGLEVEL was given).</para>
+        </listitem>
+      </itemizedlist>

-    <para>Dynamic blacklisting is not dependent on the
-    <quote>blacklist</quote> option in
-    <filename>/etc/shorewall/interfaces</filename>.</para>
+      <para>Dynamic blacklisting is not dependent on the
+      <quote>blacklist</quote> option in
+      <filename>/etc/shorewall/interfaces</filename>.</para>

-    <example id="Ignore">
-      <title>Ignore packets from a pair of systems</title>
+      <example id="Ignore">
+        <title>Ignore packets from a pair of systems</title>

-      <programlisting>    <command>shorewall[-lite] drop 192.0.2.124 192.0.2.125</command></programlisting>
+        <programlisting>    <command>shorewall[-lite] drop 192.0.2.124 192.0.2.125</command></programlisting>

-      <para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
-    </example>
+        <para>Drops packets from hosts 192.0.2.124 and 192.0.2.125</para>
+      </example>

-    <example id="Allow">
-      <title>Re-enable packets from a system</title>
+      <example id="Allow">
+        <title>Re-enable packets from a system</title>

-      <programlisting>    <command>shorewall[-lite] allow 192.0.2.125</command></programlisting>
+        <programlisting>    <command>shorewall[-lite] allow 192.0.2.125</command></programlisting>

-      <para>Re-enables traffic from 192.0.2.125.</para>
-    </example>
+        <para>Re-enables traffic from 192.0.2.125.</para>
+      </example>

-    <example>
-      <title>Displaying the Dynamic Blacklist</title>
+      <example>
+        <title>Displaying the Dynamic Blacklist</title>

-      <programlisting>    <command>shorewall show dynamic</command></programlisting>
+        <programlisting>    <command>shorewall show dynamic</command></programlisting>

-      <para>Displays the 'dynamic' chain which contains rules for the dynamic
-      blacklist. The <firstterm>source</firstterm> column contains the set of
-      blacklisted addresses.</para>
-    </example>
+        <para>Displays the 'dynamic' chain which contains rules for the
+        dynamic blacklist. The <firstterm>source</firstterm> column contains
+        the set of blacklisted addresses.</para>
+      </example>
+    </section>
  </section>
 </article>
--- a/docs/bridge-Shorewall-perl.xml
+++ b/docs/bridge-Shorewall-perl.xml
@@ -770,6 +770,224 @@ ACCEPT            $FW              $DMZ             tcp              53       </
    </orderedlist>
  </section>

+  <section id="veth">
+    <title>Using Back-to-back veth Devices to Interface with a Bridge</title>
+
+    <para>Beginning with Shorewall 4.4.26, Shorewall has limited support for
+    using back-to-back veth devices to interface with a bridge. This approach
+    has the advantage that traffic between any pair of zones can be filtered.
+    The disadvantage is the complexity of the approach.</para>
+
+    <para>This configuration is shown in the following diagram.</para>
+
+    <graphic align="center" fileref="images/veth1.png" />
+
+    <para>In this configuration, veth0 is assigned the internal IP address;
+    br0 does not have an IP address.</para>
+
+    <para>Traffic from the <emphasis role="bold">net</emphasis> and <emphasis
+    role="bold">fw</emphasis> zones to the <emphasis
+    role="bold">zone<emphasis>i</emphasis></emphasis> zones goes thru
+    veth0-&gt;veth1-&gt;ethN-&gt;. Traffic from the <emphasis
+    role="bold">zone<emphasis>i</emphasis></emphasis> zones to the <emphasis
+    role="bold">fw</emphasis> and <emphasis role="bold">net</emphasis> zones
+    takes the reverse path: ethN-&gt;veth1-&gt;veth0. As a consequence,
+    traffic between <emphasis role="bold">net</emphasis>,<emphasis
+    role="bold">fw</emphasis> and <emphasis
+    role="bold">zone<emphasis>i</emphasis></emphasis> goes through Netfilter
+    twice: once in the routed firewall (eth0,veth0) and once in the bridged
+    firewall (eth1,eth2,eth3,veth1).</para>
+
+    <para>The back-to-back veth devices (veth0 and veth1) are created using
+    this command:</para>
+
+    <programlisting>ip link add type veth</programlisting>
+
+    <para>If you have veth devices and want to assign specific names to the
+    created devices, use this format:</para>
+
+    <programlisting>ip link add name FOO type veth peer name BAR</programlisting>
+
+    <para>Here's an /etc/network/interfaces stanza that configures veth0,
+    veth1 and the bridge:</para>
+
+    <programlisting>auto veth0
+iface veth0 inet static
+      address 10.10.10.1
+      netmask 255.255.255.0
+      network 10.10.10.0
+      broadcast 10.10.10.255
+      
+      pre-up /sbin/ip link add name veth0 type veth peer name veth1
+      pre-up /sbin/ip link set eth1  up
+      pre-up /sbin/ip link set eth2  up
+
+      pre-up /sbin/ip link set eth3  up
+      pre-up /sbin/ip link set veth1 up
+      pre-up /usr/sbin/brctl addbr br0
+      pre-up /usr/sbin/brctl addif br0  eth1
+      pre-up /usr/sbin/brctl addif br0  eth2
+      pre-up /usr/sbin/brctl addif br0  eth3
+      pre-up /usr/sbin/brctl addif br0  veth1
+        
+      pre-down /usr/sbin/brctl delif br0 eth1
+      pre-down /sbin/ip link set eth2 down
+      pre-down /usr/sbin/brctl delif br0 eth2
+      pre-down /sbin/ip link set eth2 down
+      pre-down /usr/sbin/brctl delif br0 eth3
+      pre-down /sbin/ip link set eth3 down
+      pre-down /usr/sbin/brctl delif br0 veth1
+      pre-down /sbin/ip link set veth1 down
+        
+      post-down /usr/sbin/brctl delbr br0
+      post-down /sbin/ip link del veth0</programlisting>
+
+    <para>In <ulink url="manpages/shorewall.net.html">shorewall.conf</ulink>
+    (5), we need this:</para>
+
+    <programlisting>ZONE_BITS=3</programlisting>
+
+    <para>This does two things:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>It enables <firstterm>automatic packet
+        marking</firstterm>.</para>
+      </listitem>
+
+      <listitem>
+        <para>It allows up to 8 <replaceable>marked</replaceable> zones
+        (2**3). Zones are marked unless they have <option>nomark</option> in
+        the OPTIONS column of their entry in <ulink
+        url="manpages/shorewall-zones.html">shorewall-zones </ulink>(5).
+        Packets originating in a marked zone have a mark assigned
+        automatically by Shorewall.</para>
+      </listitem>
+    </orderedlist>
+
+    <para>For this configuration, we need several additional zones as shown
+    here:</para>
+
+    <programlisting>#ZONE   TYPE    OPTIONS            IN                    OUT
+#                                  OPTIONS               OPTIONS
+fw      firewall
+net     ipv4
+zone1   bport
+zone2   bport
+zone3   bport
+<emphasis role="bold">loc     ipv4     nomark
+col     ipv4     nomark</emphasis></programlisting>
+
+    <note>
+      <para><emphasis role="bold">col</emphasis> is <emphasis
+      role="bold">loc</emphasis> spelled backward.</para>
+    </note>
+
+    <programlisting>#ZONE     INTERFACES        BROADCAST       OPTIONS
+net       eth0              ...
+-         br0               ...
+zone1     br0:eth1          ...
+zone2     br0:eth2          ...
+zone3     br0:eth3          ...
+loc       veth0             ...
+col       br0:veth1         ...</programlisting>
+
+    <para>Several things to note here</para>
+
+    <orderedlist>
+      <listitem>
+        <para>We have defined two unmarked zones: <emphasis
+        role="bold">loc</emphasis> and <emphasis role="bold">col</emphasis>.
+        This allows traffic from the <emphasis
+        role="bold">zone</emphasis><emphasis><emphasis
+        role="bold">i</emphasis></emphasis> zones to the fw and net zones to
+        retain the mark of their originating bport zones. It also allows
+        traffic from the <emphasis role="bold">fw</emphasis> and <emphasis
+        role="bold">net</emphasis> zones to the <emphasis
+        role="bold">zonei</emphasis> zones to retain the <emphasis
+        role="bold">fw</emphasis> and <emphasis role="bold">net</emphasis>
+        marks respectively.</para>
+      </listitem>
+
+      <listitem>
+        <para>That means that traffic entering the bridge on veth1 will have a
+        different mark value, depending on whether it originated in the
+        <emphasis role="bold">net</emphasis> zone or in the <emphasis
+        role="bold">fw</emphasis> zone.</para>
+      </listitem>
+
+      <listitem>
+        <para>Similarly, traffic arriving on the veth0 interface will have a
+        mark that indicates which of the <emphasis
+        role="bold">zonei</emphasis> zones each packet originated on.</para>
+      </listitem>
+    </orderedlist>
+
+    <para>The basic idea here is that we want to filter traffic to the
+    <emphasis role="bold">zonei</emphasis> zones as it leaves veth1 and we
+    want to filter traffic from those zones as it leaves veth0. So we use this
+    type of polices:</para>
+
+    <programlisting>#SOURCE   DEST    POLICY
+fw        loc     ACCEPT
+net       loc     ACCEPT
+net       all     DROP:info
+zone1     col     ACCEPT
+zone2     col     ACCEPT
+zone3     col     ACCEPT
+all       all     REJECT:info</programlisting>
+
+    <para>Rules allowing traffic from the net to zone2 look like this:</para>
+
+    <programlisting>#ACTION     SOURCE       DEST         PROTO  DEST    SOURCE     ORIGINAL    RATE    USER/   MARK
+#                                            PORT(S) PORT(S)    DEST        LIMIT   GROUP
+ACCEPT      col          zone2        tcp    22      -          -           -       -       <emphasis
+        role="bold">net</emphasis></programlisting>
+
+    <para>or more compactly:</para>
+
+    <programlisting>#ACTION     SOURCE       DEST         PROTO  DEST
+#                                            PORT(S)
+ACCEPT      col          <emphasis role="bold">zone2</emphasis>        tcp    22      ; mark=<emphasis
+        role="bold">net</emphasis></programlisting>
+
+    <para>Similarly, rules allowing traffic from the firewall to zone3:</para>
+
+    <programlisting>#ACTION     SOURCE       DEST         PROTO  DEST
+#                                            PORT(S)
+ACCEPT      col          <emphasis role="bold">zone3</emphasis>        tcp    22      ; mark=<emphasis
+        role="bold">fw</emphasis></programlisting>
+
+    <para>The important point here is that, when ZONE_BITS is non-zero, you
+    are allowed to place zone names in the MARK column. Shorewall will
+    automatically replae the name with the zone's mark value.</para>
+
+    <para>Suppose that you want to forward tcp port 80 to 192.168.4.45 in
+    zone3:</para>
+
+    <programlisting>#ACTION     SOURCE       DEST               PROTO  DEST    SOURCE     ORIGINAL    RATE    USER/   MARK
+#                                                  PORT(S) PORT(S)    DEST        LIMIT   GROUP
+DNAT-       net          loc:172.168.4.45   tcp    80
+ACCEPT      col          zone3:172.168.4.45 tcp    80      -          -           -       -       <emphasis
+        role="bold">net</emphasis></programlisting>
+
+    <para>Rules allowing traffic from the <emphasis
+    role="bold">zonei</emphasis> zones to the <emphasis
+    role="bold">net</emphasis> zone look like this: </para>
+
+    <programlisting>#ACTION     SOURCE       DEST               PROTO  DEST    SOURCE     ORIGINAL    RATE    USER/   MARK
+#                                                  PORT(S) PORT(S)    DEST        LIMIT   GROUP
+ACCEPT      loc          net                tcp    21      -          -           -       -       <emphasis
+        role="bold">zone1</emphasis></programlisting>
+
+    <para>And to the firewall:</para>
+
+    <programlisting>#ACTION     SOURCE       DEST               PROTO  DEST    SOURCE     ORIGINAL    RATE    USER/   MARK
+#                                                  PORT(S) PORT(S)    DEST        LIMIT   GROUP
+ACCEPT      zone2        col                tcp          -          -           -       -       <emphasis
+        role="bold">zone2</emphasis></programlisting>
+  </section>
+
  <section id="Limitations">
    <title>Limitations</title>

--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2001-2010</year>
+      <year>2001-2011</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -492,6 +492,253 @@ ACCEPT      net:\
    </example>
  </section>

+  <section id="Pairs">
+    <title>Alternate Specification of Column Values - Shorewall 4.4.24 and
+    Later</title>
+
+    <para>Some of the configuration files now have a large number of columns.
+    That makes it awkward to specify a value for one of the right-most columns
+    as you must have the correct number of intervening '-' columns.</para>
+
+    <para>This problem is addressed by allowing column values to be specified
+    as <replaceable>column-name</replaceable>/<replaceable>value</replaceable>
+    pairs.</para>
+
+    <para>There is considerable flexibility in how you specify the
+    pairs:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>At any point, you can enter a semicolon (';') followed by one or
+        more specifications of the following forms:</para>
+
+        <simplelist>
+          <member><replaceable>column-name</replaceable>=<replaceable>value</replaceable></member>
+
+          <member><replaceable>column-name</replaceable>=<replaceable>&gt;value</replaceable></member>
+
+          <member><replaceable>column-name</replaceable>:<replaceable>value</replaceable></member>
+        </simplelist>
+
+        <para>The value may optionally be enclosed in double quotes.</para>
+
+        <para>The pairs must be separated by white space, but you can add a
+        comma adjacent to the <replaceable>values</replaceable> for
+        readability as in:</para>
+
+        <simplelist>
+          <member><emphasis role="bold">; proto=&gt;udp,
+          port=1024</emphasis></member>
+        </simplelist>
+      </listitem>
+
+      <listitem>
+        <para>You can enclose the pairs in curly brackets ("{...}") rather
+        than separating them from columns by a semicolon:</para>
+
+        <simplelist>
+          <member><emphasis role="bold">{ proto:udp, port:1024
+          }</emphasis></member>
+        </simplelist>
+      </listitem>
+    </itemizedlist>
+
+    <para>The following table shows the column names for each of the
+    table-oriented configuration files.</para>
+
+    <note>
+      <para>Column names are <emphasis
+      role="bold">case-insensitive</emphasis>.</para>
+    </note>
+
+    <informaltable>
+      <tgroup cols="2">
+        <tbody>
+          <row>
+            <entry><emphasis role="bold">File</emphasis></entry>
+
+            <entry><emphasis role="bold">Column names</emphasis></entry>
+          </row>
+
+          <row>
+            <entry>accounting</entry>
+
+            <entry>action,chain, source, dest, proto, dport, sport, user,
+            mark, ipsec, headers</entry>
+          </row>
+
+          <row>
+            <entry>blacklist</entry>
+
+            <entry>networks,proto,port,options</entry>
+          </row>
+
+          <row>
+            <entry>ecn</entry>
+
+            <entry>interface,hosts</entry>
+          </row>
+
+          <row>
+            <entry>hosts</entry>
+
+            <entry>zone,hosts,options</entry>
+          </row>
+
+          <row>
+            <entry>interfaces</entry>
+
+            <entry>zone,interface,broadcast,options</entry>
+          </row>
+
+          <row>
+            <entry>maclist</entry>
+
+            <entry>disposition,interface,mac,addresses</entry>
+          </row>
+
+          <row>
+            <entry>masq</entry>
+
+            <entry>interface,source,address,proto,port,ipsec,mark,user</entry>
+          </row>
+
+          <row>
+            <entry>nat</entry>
+
+            <entry>external,interface,internal,allints,local</entry>
+          </row>
+
+          <row>
+            <entry>netmap</entry>
+
+            <entry>type,net1,interface,net2,net3,proto,dport,sport</entry>
+          </row>
+
+          <row>
+            <entry>notrack</entry>
+
+            <entry>source,dest,proto,dport,sport,user</entry>
+          </row>
+
+          <row>
+            <entry>policy</entry>
+
+            <entry>source,dest,policy,loglevel,limit,connlimit</entry>
+          </row>
+
+          <row>
+            <entry>providers</entry>
+
+            <entry>table,number,mark,duplicate,interface,gateway,options,copy</entry>
+          </row>
+
+          <row>
+            <entry>proxyarp and proxyndp</entry>
+
+            <entry>address,interface,external,haveroute,persistent</entry>
+          </row>
+
+          <row>
+            <entry>route_rules</entry>
+
+            <entry>source,dest,provider,priority</entry>
+          </row>
+
+          <row>
+            <entry>routes</entry>
+
+            <entry>provider,dest,gateway,device</entry>
+          </row>
+
+          <row>
+            <entry>routestopped</entry>
+
+            <entry>interface,hosts,options,proto,dport,sport</entry>
+          </row>
+
+          <row>
+            <entry>rules</entry>
+
+            <entry>action,source,dest,proto,dport,sport,origdest,rate,user,mark,connlimit,time,headers,switch</entry>
+          </row>
+
+          <row>
+            <entry>secmarks</entry>
+
+            <entry>secmark,chain,source,dest,proto,dport,sport,user,mark</entry>
+          </row>
+
+          <row>
+            <entry>tcclasses</entry>
+
+            <entry>interface,mark,rate,ceil,prio,options</entry>
+          </row>
+
+          <row>
+            <entry>tcdevices</entry>
+
+            <entry>interface,in_bandwidth,out_bandwidth,options,redirect</entry>
+          </row>
+
+          <row>
+            <entry>tcfilters</entry>
+
+            <entry>class,source,dest,proto,dport,sport,tos,length</entry>
+          </row>
+
+          <row>
+            <entry>tcinterfaces</entry>
+
+            <entry>interface,type,in_bandwidth,out_bandwidth</entry>
+          </row>
+
+          <row>
+            <entry>tcpri</entry>
+
+            <entry>band,proto,port,address,interface,helper</entry>
+          </row>
+
+          <row>
+            <entry>tcrules</entry>
+
+            <entry>mark,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
+          </row>
+
+          <row>
+            <entry>tos</entry>
+
+            <entry>source,dest,proto,dport,sport,tos,mark</entry>
+          </row>
+
+          <row>
+            <entry>tunnels</entry>
+
+            <entry>type,zone,gateway,gateway_zone</entry>
+          </row>
+
+          <row>
+            <entry>zones</entry>
+
+            <entry>zone,type,options,in_options,out_options</entry>
+          </row>
+        </tbody>
+      </tgroup>
+    </informaltable>
+
+    <para>Example (rules file):</para>
+
+    <programlisting>#ACTION         SOURCE            DEST            PROTO   DEST 
+#                                                         PORT(S)
+DNAT            net               loc:10.0.0.1    tcp     80    ; mark="88"</programlisting>
+
+    <para>Here's the same line in several equivalent formats:</para>
+
+    <programlisting>{ action=&gt;DNAT, source=&gt;net, dest=&gt;loc:10.0.0.1, proto=&gt;tcp, dport=&gt;80, mark=&gt;88 }
+; action:"DNAT" source:"net"  dest:"loc:10.0.0.1" proto:"tcp" dport:"80" mark:"88"
+DNAT { source=net dest=loc:10.0.0.1 proto=tcp dport=80 mark=88 }</programlisting>
+  </section>
+
  <section>
    <title>Addresses</title>

@@ -705,9 +952,9 @@ ACCEPT      net:\

    <caution>
      <para>Prior to Shorewall 4.4.17, if you are using <ulink
-      url="CompiledPrograms.html%23Lite">Shorewall Lite</ulink> , it is not
-      advisable to use INCLUDE in the <filename>params</filename> file in an
-      export directory if you set EXPORTPARAMS=Yes in <ulink
+      url="Shorewall-Lite.html">Shorewall Lite</ulink> , it is not advisable
+      to use INCLUDE in the <filename>params</filename> file in an export
+      directory if you set EXPORTPARAMS=Yes in <ulink
      url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5). If you do
      that, you must ensure that the included file is also present on the
      firewall system's <filename
@@ -972,11 +1219,10 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
      </listitem>

      <listitem>
-        <para>If you are using <ulink
-        url="CompiledPrograms.html#Lite">Shorewall Lite</ulink> and if the
-        <filename>params</filename> script needs to set shell variables based
-        on the configuration of the firewall system, you can use this
-        trick:</para>
+        <para>If you are using <ulink url="Shorewall-Lite.html">Shorewall
+        Lite</ulink> and if the <filename>params</filename> script needs to
+        set shell variables based on the configuration of the firewall system,
+        you can use this trick:</para>

        <programlisting>EXT_IP=$(ssh root@firewall "/sbin/shorewall-lite call find_first_interface_address eth0")</programlisting>

@@ -997,7 +1243,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
    time, there is no way to cause such variables to be expended at run time.
    Prior to Shorewall 4.4.17, this made it difficult (to impossible) to
    include dynamic IP addresses in a <ulink
-    url="CompiledPrograms.html">Shorewall-lite</ulink> configuration.</para>
+    url="Shorewall-Lite.html">Shorewall-lite</ulink> configuration.</para>

    <para>Version 4.4.17 implemented <firstterm>Run-time address
    variables</firstterm>. In configuration files, these variables are
@@ -1604,7 +1850,7 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
      LOGLIMIT.</para>
    </note>

-    <para>Shorewall also supports per-IP rate limiting. </para>
+    <para>Shorewall also supports per-IP rate limiting.</para>

    <para>Another example from <ulink
    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
@@ -1624,6 +1870,72 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
    above.</para>
  </section>

+  <section id="Switches">
+    <title>Switches</title>
+
+    <para>There are times when you would like to enable or disable one or more
+    rules in the configuration without having to do a <command>shorewall
+    restart</command>. This may be accomplished using the SWITCH column in
+    <ulink url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) or
+    <ulink url="manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).
+    Using this column requires that your kernel and iptables include
+    <firstterm>Condition Match Support</firstterm> and you must be running
+    Shorewall 4.4.24 or later. See the output of <command>shorewall show
+    capabilities</command> and <command>shorewall version</command> to
+    determine if you can use this feature. As of this writing, Condition Match
+    Support requires that you install xtables-addons.</para>
+
+    <para>The SWITCH column contains the name of a
+    <firstterm>switch.</firstterm> Each switch that is initially in the
+    <emphasis role="bold">off</emphasis> position. You can turn on the switch
+    named <emphasis>switch1</emphasis> by:</para>
+
+    <simplelist>
+      <member><command>echo 1 &gt;
+      /proc/net/nf_condition/switch1</command></member>
+    </simplelist>
+
+    <para>You can turn it off again by:</para>
+
+    <simplelist>
+      <member><command>echo 0 &gt;
+      /proc/net/nf_condition/switch1</command></member>
+    </simplelist>
+
+    <para>If you simply include the switch name in the SWITCH column, then the
+    rule is enabled only when the switch is <emphasis
+    role="bold">on</emphasis>. If you precede the switch name with ! (e.g.,
+    !switch1), then the rule is enabled only when the switch is <emphasis
+    role="bold">off</emphasis>. Switch settings are retained over
+    <command>shorewall restart</command>.</para>
+
+    <para>Shorewall requires that switch names:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>begin with a letter and be composed of letters, digits,
+        underscore ('_') or hyphen ('-'); and</para>
+      </listitem>
+
+      <listitem>
+        <para>be 30 characters or less in length.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Multiple rules can be controlled by the same switch.</para>
+
+    <para>Example:</para>
+
+    <blockquote>
+      <para>Forward port 80 to dmz host $BACKUP if switch 'primary_down' is
+      on.</para>
+
+      <programlisting>#ACTION     SOURCE          DEST        PROTO       DEST         SOURCE    ORIGINAL   RATE      USER/     MARK    CONNLIMIT     TIME     HEADERS    SWITCH
+#                                                   PORT(S)      PORT(S)   DEST       LIMIT     GROUP
+DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down  </programlisting>
+    </blockquote>
+  </section>
+
  <section id="Logical">
    <title>Logical Interface Names</title>

--- a/docs/images/MarkGeometry.dia
+++ b/docs/images/MarkGeometry.dia
--- a/docs/images/MarkGeometry.png
+++ b/docs/images/MarkGeometry.png
--- a/docs/images/Network2011a.dia
+++ b/docs/images/Network2011a.dia
--- a/docs/images/Network2011a.png
+++ b/docs/images/Network2011a.png
--- a/docs/images/Network2011b.dia
+++ b/docs/images/Network2011b.dia
--- a/docs/images/Network2011b.png
+++ b/docs/images/Network2011b.png
--- a/docs/images/veth1.dia
+++ b/docs/images/veth1.dia
--- a/docs/images/veth1.png
+++ b/docs/images/veth1.png
--- a/docs/netmap.xml
+++ b/docs/netmap.xml
@@ -22,6 +22,8 @@

      <year>2007</year>

+      <year>2011</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -113,8 +115,10 @@
        <term>NET1</term>

        <listitem>
-          <para>Must be expressed in CIDR format (e.g.,
-          192.168.1.0/24).</para>
+          <para>Must be expressed in CIDR format (e.g., 192.168.1.0/24).
+          Beginning with Shorewall 4.4.24, <ulink
+          url="manpages/shorewall-exclusion.html">exclusion</ulink> is
+          supported.</para>
        </listitem>
      </varlistentry>

@@ -135,6 +139,71 @@
          <para>A second network expressed in CIDR format.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">NET3 (Optional)</emphasis> -
+        <emphasis>network-address</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.11. If specified, qualifies INTERFACE.
+          It specifies a SOURCE network for DNAT rules and a DESTINATON
+          network for SNAT rules.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROTO (Optional - Added in Shorewall
+        4.4.23.2)</emphasis> -
+        <emphasis>protocol-number-or-name</emphasis></term>
+
+        <listitem>
+          <para>Only packets specifying this protocol will have their IP
+          header modified.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST PORT(S) (Optional - Added in
+        Shorewall 4.4.23.2)</emphasis> -
+        <emphasis>port-number-or-name-list</emphasis></term>
+
+        <listitem>
+          <para>Destination Ports. A comma-separated list of Port names (from
+          services(5)), <emphasis>port number</emphasis>s or <emphasis>port
+          range</emphasis>s; if the protocol is <emphasis
+          role="bold">icmp</emphasis>, this column is interpreted as the
+          destination icmp-type(s). ICMP types may be specified as a numeric
+          type, a numberic type and code separated by a slash (e.g., 3/4), or
+          a typename. See <ulink
+          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
+
+          <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
+          this column is interpreted as an ipp2p option without the leading
+          "--" (example <emphasis role="bold">bit</emphasis> for bit-torrent).
+          If no PORT is given, <emphasis role="bold">ipp2p</emphasis> is
+          assumed.</para>
+
+          <para>An entry in this field requires that the PROTO column specify
+          icmp (1), tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if
+          any of the following field is supplied.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST PORT(S) (Optional - Added in
+        Shorewall 4.4.23.2)</emphasis> -
+        <emphasis>port-number-or-name-list</emphasis></term>
+
+        <listitem>
+          <para>Source port(s). If omitted, any source port is acceptable.
+          Specified as a comma-separated list of port names, port numbers or
+          port ranges.</para>
+
+          <para>An entry in this field requires that the PROTO column specify
+          tcp (6), udp (17), sctp (132) or udplite (136). Use '-' if any of
+          the following fields is supplied.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>

    <para>Referring to the figure above, lets suppose that systems in the top
@@ -167,7 +236,7 @@
        </itemizedlist>
      </important></para>

-    <section id="Solution">
+    <section>
      <title>If you are running Shorewall 4.4.22 or Earlier</title>

      <para>The entries in
@@ -311,28 +380,88 @@ DNAT   10.10.11.0/24  vpn              192.168.1.0/24
 <emphasis role="bold">SNAT:P 192.168.1.0/24 vpn              10.10.10.0/24
 DNAT:T 10.10.10.0/24  vpn              192.168.1.0/24</emphasis></programlisting>

-      <para>The last two entries define Stateless NAT by specifying a chain
-      designator (:P for PREROUTING and :T for POSTROUTING respectively). See
-      <ulink url="manpages/shorewall-netlink.html">shorewall-netmap</ulink>
-      (5) for details.</para>
+      <para>The last two entries define <firstterm>Stateless NAT</firstterm>
+      by specifying a chain designator (:P for PREROUTING and :T for
+      POSTROUTING respectively). See <ulink
+      url="manpages/shorewall-netlink.html">shorewall-netmap</ulink> (5) for
+      details.</para>
    </section>
  </section>

-  <section id="Notes">
-    <title>Author's Notes</title>
+  <section>
+    <title>IPv6</title>

-    <para>This could all be made a bit simpler by eliminating the TYPE field
-    and have Shorewall generate both the SNAT and DNAT rules from a single
-    entry. I have chosen to include the TYPE in order to make the
-    implementation a bit more flexible. If you find cases where you can use an
-    SNAT or DNAT entry by itself, please let <ulink
-    url="mailto:webmaster@shorewall.net">me</ulink> know and I'll add the
-    example to this page.</para>
+    <para>Beginning with Shorewall6 4.4.24, IPv6 support for Netmap is
+    included. This provides a way to use private IPv6 addresses internally and
+    still have access to the IPv6 internet.</para>

-    <para>In the previous section, the table in the example contains a bit of
-    a lie. Because of Netfilter's connection tracking, rules 2B and 1B aren't
-    needed to handle the replies. They ARE needed though for hosts in the
-    bottom cloud to be able to establish connections with the 192.168.1.0/24
-    network in the top cloud.</para>
+    <warning>
+      <para>IPv6 netmap is <firstterm>stateless</firstterm> which means that
+      there are no Netfilter helpers for applications that need them. As a
+      consequence, applications that require a helper (FTP, IRC, etc.) may
+      experience issues.</para>
+    </warning>
+
+    <para>For IPv6, the chain designator (:P for PREROUTING or :T for
+    POSTROUTING) is required in the TYPE column. Normally SNAT rules are
+    placed in the POSTROUTING chain while DNAT rules are placed in
+    PREROUTING.</para>
+
+    <para>To use IPv6 Netmap, your kernel and iptables must include
+    <emphasis>Rawpost Table Support</emphasis>.</para>
+
+    <para>IPv6 Netmap has been verified at shorewall.net using the
+    configuration shown below.</para>
+
+    <graphic align="center" fileref="images/Network2011b.png" />
+
+    <para>IPv6 support is supplied from Hurricane Electric; the IPv6 address
+    block is 2001:470:b:227::/64.</para>
+
+    <para>Because of the limitations of IPv6 NETMAP (no Netfilter helpers),
+    the servers in the DMZ have public addresses in the block
+    2001:470:b:227::/112. The local LAN uses the private network
+    fd00:470:b:227::/64 with the hosts autoconfigured using radvd. This block
+    is allocated from the range (fc00::/7) reserved for<firstterm> <ulink
+    url="http://en.wikipedia.org/wiki/Unique_local_address">Unique Local
+    Addresses</ulink></firstterm>.</para>
+
+    <para>The /etc/shorewall6/netmap file is as follows:</para>
+
+    <programlisting>#TYPE	NET1			INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
+#												PORT(S)	PORT(S)
+SNAT:T	fd00:470:b:227::/64	HE_IF		2001:470:b:227::/64
+DNAT:P  2001:470:b:227::/64!2001:470:b:227::/112\
+				HE_IF		fd00:470:b:227::/64
+</programlisting>
+
+    <para>HE_IF is the logical name for interface sit1. On output, the private
+    address block is mapped to the public block. Because autoconfiguration is
+    used, none of the local addresses falls into the range
+    fd00:470:b:227::/112. That range can therefore be excluded from
+    DNAT.</para>
+
+    <note>
+      <para>While the site local network that was used is very similar to the
+      public network (only the first word is different), that isn't a
+      requirement. We could have just as well used
+      fd00:bad:dead:beef::/64</para>
+    </note>
+
+    <note>
+      <para>The MacBook Pro running OS X Lion refused to autoconfigure when
+      radvd advertised a <ulink
+      url="http://tools.ietf.org/html/rfc3513">site-local</ulink> network
+      (fec0:470:b:227/64) but worked fine with the unique-local network
+      (fd00:470:b:227::/64). Note that site-local addresses were deprecated in
+      <ulink url="http://tools.ietf.org/html/rfc3879">RFC3879</ulink>.</para>
+    </note>
+
+    <note>
+      <para>This whole scheme isn't quite as useful as it might appear. Many
+      IPv6-enabled applications (web browsers, for example) are smart enough
+      to recognize unique local addresses and will only use IPv6 to
+      communicate with other such local addresses.</para>
+    </note>
  </section>
 </article>
--- a/docs/shorewall_features.xml
+++ b/docs/shorewall_features.xml
@@ -94,7 +94,7 @@
          <listitem>
            <para>Centrally generated firewall scripts run on the firewalls
            under control of <ulink
-            url="CompiledPrograms.html#Lite">Shorewall-lite</ulink>.</para>
+            url="Shorewall-Lite.html">Shorewall-lite</ulink>.</para>
          </listitem>
        </itemizedlist>
      </listitem>
@@ -274,6 +274,10 @@
          <listitem>
            <para>VirtualBox</para>
          </listitem>
+
+          <listitem>
+            <para><ulink url="LXC.html">LXC</ulink></para>
+          </listitem>
        </itemizedlist>
      </listitem>
    </itemizedlist>
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -187,10 +187,12 @@
        <filename>/etc/shorewall/tcrules</filename> file.</para>

        <note>
-          <para>In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS
+          <para>In Shorewall 4.4.26, WIDE_TC_MARKS was superseded by TC_BITS
          which specifies the width in bits of the traffic shaping mark field.
          The default is based on the setting of WIDE_TC_MARKS so as to
-          provide upward compatibility.</para>
+          provide upward compatibility. See the <ulink
+          url="PacketMarking.html#Values">Packet Marking using
+          /etc/shorewall/tcrules</ulink> article.</para>
        </note>
      </listitem>
    </orderedlist>
@@ -489,7 +491,7 @@ ppp0           6000kbit         500kbit</programlisting>

        <listitem>
          <para>MARK - The mark value which is an integer in the range 1-255
-          (1-16383 if you set WIDE_TC_MARKS=Yes in <ulink
+          (1-16383 if you set WIDE_TC_MARKS=Yes or set TC_BITS=14 in <ulink
          url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ). You
          define these marks in the tcrules file, marking the traffic you want
          to go into the queuing classes defined in here. You can use the same
@@ -829,12 +831,12 @@ ppp0           6000kbit         500kbit</programlisting>
        <listitem>
          <para>MARK or CLASSIFY - MARK specifies the mark value is to be
          assigned in case of a match. This is an integer in the range 1-255
-          (1-16383 if you set WIDE_TC_MARKS=Yes in <ulink
+          (1-16383 if you set WIDE_TC_MARKS=Yes or TC_BITS=14 in <ulink
          url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
          ).</para>

          <note>
-            <para>In Shorewall 4.5.0, WIDE_TC_MARKS was superseded by TC_BITS
+            <para>In Shorewall 4.4.26, WIDE_TC_MARKS was superseded by TC_BITS
            which specifies the width in bits of the traffic shaping mark
            field. The default is based on the setting of WIDE_TC_MARKS so as
            to provide upward compatibility.</para>
@@ -950,12 +952,13 @@ ppp0           6000kbit         500kbit</programlisting>
          <orderedlist>
            <listitem>
              <para>Constructed by Shorewall. The method of construction
-              depends on the setting of WIDE_TC_MARKS (<ulink
+              depends on the setting of WIDE_TC_MARKS (TC_BITS in shorewall
+              4.4.26 and later) in (<ulink
              url="manpages/shorewall.conf.html">shorewall.conf</ulink>
              (5)).</para>

-              <para>When WIDE_TC_MARKS=No (the default), the &lt;minor&gt;
-              class is:</para>
+              <para>When WIDE_TC_MARKS=No (the default) or TC_BITS &gt; 14,
+              the &lt;minor&gt; class is:</para>

              <itemizedlist>
                <listitem>
@@ -967,8 +970,9 @@ ppp0           6000kbit         500kbit</programlisting>
                </listitem>
              </itemizedlist>

-              <para>When WIDE_TC_MARKS=Yes, the &lt;minor&gt; class is
-              assigned sequentially beginning with 2.</para>
+              <para>When WIDE_TC_MARKS=Yes (TC_BITS &gt;= 14), the
+              &lt;minor&gt; class is assigned sequentially beginning with
+              2.</para>
            </listitem>

            <listitem>
@@ -1308,7 +1312,7 @@ SAVE     0.0.0.0/0      0.0.0.0/0       all        -             -        -
        </listitem>

        <listitem>
-          <para>Set TC_ENABLED=SHARED in <ulink
+          <para>Set TC_ENABLED=Shared in <ulink
          url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
          (5).</para>
        </listitem>
@@ -1518,7 +1522,8 @@ IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
      assigned sequentially beginning with 2. The WIDE_TC_MARKS option in
      <filename>shorewall.conf</filename> selects which construction to use.
      WIDE_TC_MARKS=No (the default) produces pre-Shorewall 4.4 behavior.
-      WIDE_TC_MARKS=Yes produces the new behavior.</para>
+      WIDE_TC_MARKS=Yes (TC_BITS &gt;= 14 in Shorewall 4.4.26 and later)
+      produces the new behavior.</para>
    </section>

    <section id="Real">
--- a/docs/two-interface.xml
+++ b/docs/two-interface.xml
@@ -1202,15 +1202,28 @@ loc       wlan0           detect             maclist</programlisting>
      </listitem>

      <listitem>
-        <para>You need to add an entry to the
+        <para>You may need to add an entry to the
        <filename>/etc/shorewall/masq</filename> file to masquerade traffic
-        from the wireless network to the Internet. If your Internet interface
-        is <filename class="devicefile">eth0</filename> and your wireless
-        interface is <filename class="devicefile">wlan0</filename>, the entry
-        would be:</para>
+        from the wireless network to the Internet. If you file looks like
+        this:</para>

-        <programlisting>#INTERFACE           SUBNET             ADDRESS
-eth0                 wlan0</programlisting>
+        <programlisting>#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
+eth0			10.0.0.0/8,\
+			169.254.0.0/16,\
+			172.16.0.0/12,\
+			192.168.0.0/16
+</programlisting>
+
+        <para>then you do <emphasis role="bold">not</emphasis> need to change
+        the contents.</para>
+
+        <para>Otherwise, if your Internet interface is <filename
+        class="devicefile">eth0</filename> and your wireless interface is
+        <filename class="devicefile">wlan0</filename>, the entry would
+        be:</para>
+
+        <programlisting>#INTERFACE           SOURCE             ADDRESS
+eth0                 10.10.11.0/24</programlisting>
      </listitem>
    </itemizedlist>

--- a/docs/upgrade_issues.xml
+++ b/docs/upgrade_issues.xml
@@ -200,6 +200,149 @@
        against the parent zone(s) rules. In 4.4.0, such traffic IS compared
        against the parent zone rules.</para>
      </listitem>
+
+      <listitem>
+        <para>The name <emphasis role="bold">any</emphasis> is now reserved
+        and may not be used as a zone name.</para>
+      </listitem>
+
+      <listitem>
+        <para>Perl module initialization has changed in Shorewall 4.4.1.
+        Previously, each Shorewall Perl package would initialize its global
+        variables for IPv4 in an INIT block. Then, if the compilation turned
+        out to be for IPv6, Shorewall::Compiler::compiler() would reinitialize
+        them for IPv6.</para>
+
+        <para>Beginning in Shorewall 4.4.1, the modules do not initialize
+        themselves in an INIT block. So if you use Shorewall modules outside
+        of the Shorewall compilation environment, then you must explicitly
+        call the module's 'initialize' function after the module has been
+        loaded.</para>
+      </listitem>
+
+      <listitem>
+        <para>Checking for zone membership has been tighened up. Previously, a
+        zone could contain &lt;interface&gt;:0.0.0.0/0 along with other hosts;
+        now, if the zone has &lt;interface&gt;:0.0.0.0/0 (even with
+        exclusions), then it may have no additional members in <ulink
+        url="manpages/shorewall-hosts.html">/etc/shorewall/hosts</ulink>.</para>
+      </listitem>
+
+      <listitem>
+        <para>ADD_IP_ALIASES=No is now the setting in the released<ulink
+        url="manpages/shorewall.conf.html"> shorewall.conf</ulink> and in all
+        of the samples. This will not affect you during upgrade unless you
+        choose to replace your current shorewall.conf with the one from the
+        release (not recommended).</para>
+      </listitem>
+
+      <listitem>
+        <para>The names of interface configuration variables in generated
+        scripts have been changed to ensure uniqueness. These names now begin
+        with SW_. This change will only affect you if your extension scripts
+        are using one or more of these variables.</para>
+
+        <informaltable>
+          <tgroup cols="2">
+            <tbody>
+              <row>
+                <entry>Old Variable Name</entry>
+
+                <entry>New Variable Name</entry>
+              </row>
+
+              <row>
+                <entry><replaceable>iface</replaceable>_address</entry>
+
+                <entry>SW_<replaceable>iface</replaceable>_ADDRESS</entry>
+              </row>
+
+              <row>
+                <entry><replaceable>iface</replaceable>_BCASTS</entry>
+
+                <entry>SW_<replaceable>iface</replaceable>_BCASTS</entry>
+              </row>
+
+              <row>
+                <entry><replaceable>iface</replaceable>_ACASTS</entry>
+
+                <entry>SW_<replaceable>iface</replaceable>_CASTS</entry>
+              </row>
+
+              <row>
+                <entry><replaceable>iface</replaceable>_GATEWAY</entry>
+
+                <entry>SW_<replaceable>iface</replaceable>_NETWORKS</entry>
+              </row>
+
+              <row>
+                <entry><replaceable>iface</replaceable>_ADDRESSES</entry>
+
+                <entry>SW_<literal>iface</literal>_ADDRESSES</entry>
+              </row>
+
+              <row>
+                <entry><replaceable>iface</replaceable>_NETWORKS</entry>
+
+                <entry>SW_<replaceable>iface</replaceable>_NETWORKS</entry>
+              </row>
+
+              <row>
+                <entry><replaceable>iface</replaceable>_MAC</entry>
+
+                <entry>SW_<replaceable>iface</replaceable>_MAC</entry>
+              </row>
+
+              <row>
+                <entry><replaceable>provider</replaceable>_IS_USABLE</entry>
+
+                <entry>SW_<replaceable>provider</replaceable>_IS_USABLE</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+
+        <para>were <replaceable>iface</replaceable> is a capitalized interface
+        name (e.g., ETH0) and <replaceable>provider</replaceable> isthe
+        capitalized name of a provider.</para>
+      </listitem>
+
+      <listitem>
+        <para>If your <ulink
+        url="manpages/shorewall-params.html">/etc/shorewall/params</ulink> (or
+        <ulink
+        url="manpages6/shorewall6-params.html">/etc/shorewall6/params</ulink>)
+        file sends output to Standard Output, you need to be aware that the
+        output will be redirected to Standard Error beginning with Shorewall
+        4.4.16.</para>
+      </listitem>
+
+      <listitem>
+        <para> Beginning with Shorewall 4.4.17, the EXPORTPARAMS option is
+        deprecated. With EXPORTPARAMS=No, the variables set by <ulink
+        url="manpages/shorewall-params.html">/etc/shorewall/params</ulink>
+        (<ulink
+        url="manpages6/shorewall6-params.html">/etc/shorewall6/params</ulink>)
+        at compile time are now available in the compiled firewall
+        script.</para>
+      </listitem>
+
+      <listitem>
+        <para>The <command>iprange</command> and <command>ipaddr</command>
+        commands require the 'bc' utility.</para>
+      </listitem>
+
+      <listitem>
+        <para>Beginning with Shorewall 4.4.26, the WIDE_TC_MARKS and
+        HIGH_ROUTE_MARKS options are deprecated in favor of TC_BITS,
+        MASK_BITS, PROVIDER_BITS and PROVIDER_OFFSET. See the <ulink
+        url="PacketMarking.html#Values">Packet Marking using
+        /etc/shorewall/tcrules</ulink> article. The <command>shorewall
+        update</command> (<command>shorewall6 update</command>) command will
+        automatically generate the correct values for these new options
+        depending on your settings of WIDE_TC_MARKS and
+        HIGH_ROUTE_MARKS.</para>
+      </listitem>
    </orderedlist>

    <para>Be sure to check the latest 4.4 Release Notes linked from the <ulink
--- a/Show More
+++ b/Show More