Update known problems

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Rename DESTIFAC_DISALLOW -> DESTIFACE_DISALLOW
2010-09-21 07:50:13 -07:00 · 2010-09-20 09:40:31 -07:00 · 2010-09-20 08:15:24 -07:00 · 2010-09-20 07:25:33 -07:00 · 2010-09-19 15:19:48 -07:00 · 2010-09-19 15:13:54 -07:00
326 changed files with 16609 additions and 25979 deletions
--- a/Samples/Universal/rules
+++ b/Samples/Universal/rules
@@ -6,10 +6,9 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-###################################################################################################################################################################################
+####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
--- a/Samples/Universal/shorewall.conf
+++ b/Samples/Universal/shorewall.conf
@@ -1,6 +1,6 @@
 ###############################################################################
 #
-#  Shorewall Version 4.4 -- /etc/shorewall/shorewall.conf
+#  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
 #
 #  For information about the settings in this file, type "man shorewall.conf"
 #
@@ -18,180 +18,188 @@ STARTUP_ENABLED=Yes
 VERBOSITY=1
 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################
-BLACKLIST_LOGLEVEL=
+LOGFILE=
-LOG_MARTIANS=Yes
+STARTUP_LOG=/var/log/shorewall-init.log
 LOG_VERBOSITY=2
 LOGALLNEW=
 LOGFILE=/var/log/messages
 LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
 LOGLIMIT=
 LOGALLNEW=
 BLACKLIST_LOGLEVEL=
 MACLIST_LOG_LEVEL=info
-SFILTER_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
-STARTUP_LOG=/var/log/shorewall-init.log
+LOG_MARTIANS=Yes
 TCP_FLAGS_LOG_LEVEL=info
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 IPTABLES=
 IP=
-IPSET=
+TC=
-MODULESDIR=
+IPSET=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 RESTOREFILE=restore
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
-TC=
+MODULESDIR=
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 RESTOREFILE=
 IPSECFILE=zones
 LOCKFILE=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
 QUEUE_DEFAULT="none"
 NFQUEUE_DEFAULT="none"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
-ACCOUNTING=Yes
+IP_FORWARDING=On
 ACCOUNTING_TABLE=filter
 ADD_IP_ALIASES=No
 ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 AUTO_COMMENT=Yes
 AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 CLAMPMSS=No
 CLEAR_TC=Yes
 COMPLETE=Yes
 DISABLE_IPV6=No
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
 EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=Yes
 FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 IP_FORWARDING=On
 KEEP_RT_TABLES=No
 LOAD_HELPERS_ONLY=Yes
 LEGACY_FASTSTART=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX=ko
 MULTICAST=No
 MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
 OPTIMIZE=15
 OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=Yes
 RESTORE_DEFAULT_ROUTE=Yes
 RETAIN_ALIASES=No
 ROUTE_FILTER=No
 SAVE_IPSETS=No
 TC_ENABLED=Internal
 TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
 MARK_IN_FORWARD_CHAIN=No
 CLAMPMSS=No
 ROUTE_FILTER=No
 DETECT_DNAT_IPADDRS=No
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
 DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=ko
 DISABLE_IPV6=No
 BRIDGING=No
 DYNAMIC_ZONES=No
 PKTTYPE=Yes
 NULL_ROUTE_RFC1918=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 SAVE_IPSETS=No
 MAPOLDACTIONS=No
 FASTACCEPT=Yes
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 USE_ACTIONS=Yes
 OPTIMIZE=15
 EXPORTPARAMS=Yes
 EXPAND_POLICIES=Yes
 KEEP_RT_TABLES=No
 DELETE_THEN_ADD=Yes
 MULTICAST=No
 DONT_LOAD=
 AUTO_COMMENT=Yes
 MANGLE_ENABLED=Yes
 USE_DEFAULT_RT=No
 RESTORE_DEFAULT_ROUTE=Yes
 AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ACCOUNTING=Yes
 DYNAMIC_BLACKLIST=Yes
 OPTIMIZE_ACCOUNTING=No
 LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=Yes
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=Yes
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -200,17 +208,6 @@ BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
 ################################################################################
 IPSECFILE=zones
 #LAST LINE -- DO NOT REMOVE
--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
@@ -10,13 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
+#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
--- a/Samples/one-interface/shorewall.conf
+++ b/Samples/one-interface/shorewall.conf
@@ -29,180 +29,188 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################
-BLACKLIST_LOGLEVEL=
+LOGFILE=/var/log/messages
-LOG_MARTIANS=Yes
+STARTUP_LOG=/var/log/shorewall-init.log
 LOG_VERBOSITY=2
 LOGALLNEW=
 LOGFILE=/var/log/messages
 LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
 LOGLIMIT=
 LOGALLNEW=
 BLACKLIST_LOGLEVEL=
 MACLIST_LOG_LEVEL=info
-SFILTER_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
-STARTUP_LOG=/var/log/shorewall-init.log
+LOG_MARTIANS=Yes
 TCP_FLAGS_LOG_LEVEL=info
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 IPTABLES=
 IP=
-IPSET=
+TC=
-MODULESDIR=
+IPSET=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 RESTOREFILE=restore
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
-TC=
+MODULESDIR=
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 RESTOREFILE=
 IPSECFILE=zones
 LOCKFILE=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
 QUEUE_DEFAULT="none"
 NFQUEUE_DEFAULT="none"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
-ACCOUNTING=Yes
+IP_FORWARDING=Off
 ACCOUNTING_TABLE=filter
 ADD_IP_ALIASES=No
 ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 AUTO_COMMENT=Yes
 AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 CLAMPMSS=No
 CLEAR_TC=Yes
 COMPLETE=No
 DISABLE_IPV6=No
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
 EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 IP_FORWARDING=Off
 KEEP_RT_TABLES=No
 LOAD_HELPERS_ONLY=Yes
 LEGACY_FASTSTART=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX=ko
 MULTICAST=No
 MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
 OPTIMIZE=1
 OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 RESTORE_DEFAULT_ROUTE=Yes
 RETAIN_ALIASES=No
 ROUTE_FILTER=No
 SAVE_IPSETS=No
 TC_ENABLED=Internal
 TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
 MARK_IN_FORWARD_CHAIN=No
 CLAMPMSS=No
 ROUTE_FILTER=No
 DETECT_DNAT_IPADDRS=No
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
 DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=ko
 DISABLE_IPV6=No
 BRIDGING=No
 DYNAMIC_ZONES=No
 PKTTYPE=Yes
 NULL_ROUTE_RFC1918=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 SAVE_IPSETS=No
 MAPOLDACTIONS=No
 FASTACCEPT=No
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 USE_ACTIONS=Yes
 OPTIMIZE=1
 EXPORTPARAMS=No
 EXPAND_POLICIES=Yes
 KEEP_RT_TABLES=No
 DELETE_THEN_ADD=Yes
 MULTICAST=No
 DONT_LOAD=
 AUTO_COMMENT=Yes
 MANGLE_ENABLED=Yes
 USE_DEFAULT_RT=No
 RESTORE_DEFAULT_ROUTE=Yes
 AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ACCOUNTING=Yes
 DYNAMIC_BLACKLIST=Yes
 OPTIMIZE_ACCOUNTING=No
 LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=No
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -211,17 +219,6 @@ BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
 ################################################################################
 IPSECFILE=zones
 #LAST LINE -- DO NOT REMOVE
--- a/Samples/three-interfaces/rules
+++ b/Samples/three-interfaces/rules
@@ -10,17 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
+#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 #       Don't allow connection pickup from the net
 #
 Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Samples/three-interfaces/shorewall.conf
+++ b/Samples/three-interfaces/shorewall.conf
@@ -3,7 +3,6 @@
 # Shorewall version 4.0 - Sample shorewall.conf for three-interface
 #                         configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -18,6 +17,9 @@
 # http://shorewall.net/manpages/shorewall.conf.html
 #
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
 STARTUP_ENABLED=No
 ###############################################################################
@@ -27,180 +29,188 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################
-BLACKLIST_LOGLEVEL=
+LOGFILE=/var/log/messages
-LOG_MARTIANS=Yes
+STARTUP_LOG=/var/log/shorewall-init.log
 LOG_VERBOSITY=2
 LOGALLNEW=
 LOGFILE=/var/log/messages
 LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
 LOGLIMIT=
 LOGALLNEW=
 BLACKLIST_LOGLEVEL=
 MACLIST_LOG_LEVEL=info
-SFILTER_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
-STARTUP_LOG=/var/log/shorewall-init.log
+LOG_MARTIANS=Yes
 TCP_FLAGS_LOG_LEVEL=info
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 IPTABLES=
 IP=
-IPSET=
+TC=
-MODULESDIR=
+IPSET=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 RESTOREFILE=restore
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
-TC=
+MODULESDIR=
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 RESTOREFILE=
 IPSECFILE=zones
 LOCKFILE=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
 QUEUE_DEFAULT="none"
 NFQUEUE_DEFAULT="none"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
-ACCOUNTING=Yes
+IP_FORWARDING=On
 ACCOUNTING_TABLE=filter
 ADD_IP_ALIASES=No
 ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 AUTO_COMMENT=Yes
 AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 CLAMPMSS=Yes
 CLEAR_TC=Yes
 COMPLETE=No
 DISABLE_IPV6=No
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
 EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 IP_FORWARDING=On
 KEEP_RT_TABLES=No
 LOAD_HELPERS_ONLY=Yes
 LEGACY_FASTSTART=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX=ko
 MULTICAST=No
 MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
 OPTIMIZE=1
 OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 RESTORE_DEFAULT_ROUTE=Yes
 RETAIN_ALIASES=No
 ROUTE_FILTER=No
 SAVE_IPSETS=No
 TC_ENABLED=Internal
 TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
 MARK_IN_FORWARD_CHAIN=No
 CLAMPMSS=Yes
 ROUTE_FILTER=No
 DETECT_DNAT_IPADDRS=No
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
 DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=ko
 DISABLE_IPV6=No
 BRIDGING=No
 DYNAMIC_ZONES=No
 PKTTYPE=Yes
 NULL_ROUTE_RFC1918=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 SAVE_IPSETS=No
 MAPOLDACTIONS=No
 FASTACCEPT=No
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 USE_ACTIONS=Yes
 OPTIMIZE=1
 EXPORTPARAMS=No
 EXPAND_POLICIES=Yes
 KEEP_RT_TABLES=No
 DELETE_THEN_ADD=Yes
 MULTICAST=No
 DONT_LOAD=
 AUTO_COMMENT=Yes
 MANGLE_ENABLED=Yes
 USE_DEFAULT_RT=No
 RESTORE_DEFAULT_ROUTE=Yes
 AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ACCOUNTING=Yes
 DYNAMIC_BLACKLIST=Yes
 OPTIMIZE_ACCOUNTING=No
 LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=No
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -209,17 +219,6 @@ BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
 ################################################################################
 IPSECFILE=zones
 #LAST LINE -- DO NOT REMOVE
--- a/Samples/two-interfaces/rules
+++ b/Samples/two-interfaces/rules
@@ -10,17 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
+#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 #       Don't allow connection pickup from the net
 #
 Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Samples/two-interfaces/shorewall.conf
+++ b/Samples/two-interfaces/shorewall.conf
@@ -3,7 +3,6 @@
 # Shorewall version 4.0 - Sample shorewall.conf for two-interface
 #                         configuration.
 # Copyright (C) 2006,2007 by the Shorewall Team
 #               2011 by Thomas M. Eastep            
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -30,180 +29,195 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
-#		                L O G G I N G
+#                              C O M P I L E R
 #      (setting this to 'perl' requires installation of Shorewall-perl)
 ###############################################################################
-BLACKLIST_LOGLEVEL=
+SHOREWALL_COMPILER=
-LOG_MARTIANS=Yes
+###############################################################################
-
+#			       L O G G I N G
-LOG_VERBOSITY=2
+###############################################################################
 LOGALLNEW=
 LOGFILE=/var/log/messages
 STARTUP_LOG=/var/log/shorewall-init.log
 LOG_VERBOSITY=2
 LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
 LOGLIMIT=
 LOGALLNEW=
 BLACKLIST_LOGLEVEL=
 MACLIST_LOG_LEVEL=info
-SFILTER_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
-STARTUP_LOG=/var/log/shorewall-init.log
+LOG_MARTIANS=Yes
 TCP_FLAGS_LOG_LEVEL=info
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 IPTABLES=
 IP=
-IPSET=
+TC=
-MODULESDIR=
+IPSET=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 RESTOREFILE=restore
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
-TC=
+MODULESDIR=
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 RESTOREFILE=
 IPSECFILE=zones
 LOCKFILE=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
 QUEUE_DEFAULT="none"
 NFQUEUE_DEFAULT="none"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
-ACCOUNTING=Yes
+IP_FORWARDING=On
 ACCOUNTING_TABLE=filter
 ADD_IP_ALIASES=No
 ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 AUTO_COMMENT=Yes
 AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 CLAMPMSS=Yes
 CLEAR_TC=Yes
 COMPLETE=No
 DISABLE_IPV6=No
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
 EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 IP_FORWARDING=On
 KEEP_RT_TABLES=No
 LOAD_HELPERS_ONLY=Yes
 LEGACY_FASTSTART=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX=ko
 MULTICAST=No
 MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
 OPTIMIZE=1
 OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 RESTORE_DEFAULT_ROUTE=Yes
 RETAIN_ALIASES=No
 ROUTE_FILTER=No
 SAVE_IPSETS=No
 TC_ENABLED=Internal
 TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
 MARK_IN_FORWARD_CHAIN=No
 CLAMPMSS=Yes
 ROUTE_FILTER=No
 DETECT_DNAT_IPADDRS=No
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
 DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=ko
 DISABLE_IPV6=No
 BRIDGING=No
 DYNAMIC_ZONES=No
 PKTTYPE=Yes
 NULL_ROUTE_RFC1918=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 SAVE_IPSETS=No
 MAPOLDACTIONS=No
 FASTACCEPT=No
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 USE_ACTIONS=Yes
 OPTIMIZE=1
 EXPORTPARAMS=No
 EXPAND_POLICIES=Yes
 KEEP_RT_TABLES=No
 DELETE_THEN_ADD=Yes
 MULTICAST=No
 DONT_LOAD=
 AUTO_COMMENT=Yes
 MANGLE_ENABLED=Yes
 USE_DEFAULT_RT=No
 RESTORE_DEFAULT_ROUTE=Yes
 AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ACCOUNTING=Yes
 DYNAMIC_BLACKLIST=Yes
 OPTIMIZE_ACCOUNTING=No
 LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=No
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -212,17 +226,6 @@ BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
 ################################################################################
 IPSECFILE=zones
 #LAST LINE -- DO NOT REMOVE
--- a/Samples6/Universal/rules
+++ b/Samples6/Universal/rules
@@ -6,10 +6,9 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-###########################################################################################################################################################################
+####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
--- a/Samples6/Universal/shorewall6.conf
+++ b/Samples6/Universal/shorewall6.conf
@@ -22,163 +22,147 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################
 BLACKLIST_LOGLEVEL=
 LOG_VERBOSITY=2
 LOGALLNEW=
 LOGFILE=
 LOGFORMAT="Shorewall:%s:%s:"
 LOGLIMIT=
 LOGTAGONLY=No
 MACLIST_LOG_LEVEL=info
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
 STARTUP_LOG=/var/log/shorewall6-init.log
 LOG_VERBOSITY=2
 LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
 LOGLIMIT=
 LOGALLNEW=
 BLACKLIST_LOGLEVEL=
 TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
 IP6TABLES=
 IP=
-IPSET=
+TC=
-MODULESDIR=
+IPSET=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 RESTOREFILE=
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
-TC=
+MODULESDIR=
 CONFIG_PATH=/usr/share/shorewall6:/usr/share/shorewall
 RESTOREFILE=
 LOCKFILE=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
 QUEUE_DEFAULT="none"
 NFQUEUE_DEFAULT="none"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 ACCOUNTING=Yes
 ACCOUNTING_TABLE=filter
 ADMINISABSENTMINDED=Yes
 AUTO_COMMENT=Yes
 AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 CLAMPMSS=No
 CLEAR_TC=Yes
 COMPLETE=Yes
 DELETE_THEN_ADD=Yes
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
 EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=Yes
 FORWARD_CLEAR_MARK=
 HIGH_ROUTE_MARKS=No
 IMPLICIT_CONTINUE=No
 IP_FORWARDING=Off
 KEEP_RT_TABLES=Yes
 LEGACY_FASTSTART=No
 LOAD_HELPERS_ONLY=Yes
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX=ko
 MUTEX_TIMEOUT=60
 OPTIMIZE=15
 OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=Yes
 TC_ENABLED=No
 TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
 MARK_IN_FORWARD_CHAIN=No
 CLAMPMSS=No
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
 MODULE_SUFFIX=ko
 FASTACCEPT=Yes
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 OPTIMIZE=15
 EXPORTPARAMS=Yes
 EXPAND_POLICIES=Yes
 KEEP_RT_TABLES=Yes
 DELETE_THEN_ADD=Yes
 DONT_LOAD=
 AUTO_COMMENT=Yes
 MANGLE_ENABLED=Yes
 AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ACCOUNTING=Yes
 OPTIMIZE_ACCOUNTING=No
 DYNAMIC_BLACKLIST=Yes
 LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=Yes
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=Yes
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECTTTT
 SFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 #LAST LINE -- DO NOT REMOVE
--- a/Samples6/one-interface/rules
+++ b/Samples6/one-interface/rules
@@ -10,13 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall6-rules"
-###########################################################################################################################################################################
+#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
--- a/Samples6/one-interface/shorewall6.conf
+++ b/Samples6/one-interface/shorewall6.conf
@@ -1,11 +1,19 @@
 ###############################################################################
 #
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+# Shorewall6 version 4 - Sample shorewall.conf for one-interface configuration.
 # Copyright (C) 2006,2008 by the Shorewall Team
 #
-#  For information about the settings in this file, type "man shorewall6.conf"
+# This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
-#  Manpage also online at
+# See the file README.txt for further details.
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+#
 # For information about the settings in this file, type "man shorewall6.conf"
 #
 # The manpage is also online at 
 # http://shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -22,163 +30,141 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################
-BLACKLIST_LOGLEVEL=
+LOGFILE=/var/log/messages
 LOG_VERBOSITY=2
 LOGALLNEW=
 LOGFILE=
 LOGFORMAT="Shorewall:%s:%s:"
 LOGLIMIT=
 LOGTAGONLY=No
 MACLIST_LOG_LEVEL=info
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
 STARTUP_LOG=/var/log/shorewall6-init.log
 LOG_VERBOSITY=2
 LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
 LOGLIMIT=
 LOGALLNEW=
 BLACKLIST_LOGLEVEL=
 TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
 IP6TABLES=
 IP=
 IPSET=
 MODULESDIR=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 RESTOREFILE=
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
-TC=
+MODULESDIR=
 CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
 RESTOREFILE=
 LOCKFILE=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
 QUEUE_DEFAULT="none"
 NFQUEUE_DEFAULT="none"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 ACCOUNTING=Yes
 ACCOUNTING_TABLE=filter
 ADMINISABSENTMINDED=Yes
 AUTO_COMMENT=Yes
 AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 CLAMPMSS=No
 CLEAR_TC=Yes
 COMPLETE=No
 DELETE_THEN_ADD=Yes
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
 EXPAND_POLICIES=No
 EXPORTMODULES=Yes
 FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 HIGH_ROUTE_MARKS=No
 IMPLICIT_CONTINUE=No
 IP_FORWARDING=Off
 KEEP_RT_TABLES=Yes
 LEGACY_FASTSTART=No
 LOAD_HELPERS_ONLY=Yes
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX=ko
 MUTEX_TIMEOUT=60
 OPTIMIZE=1
 OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 TC_ENABLED=No
 TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
 MARK_IN_FORWARD_CHAIN=No
 CLAMPMSS=No
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
 MODULE_SUFFIX=ko
 FASTACCEPT=No
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 OPTIMIZE=1
 EXPORTPARAMS=No
 EXPAND_POLICIES=No
 KEEP_RT_TABLES=Yes
 DELETE_THEN_ADD=Yes
 DONT_LOAD=
 AUTO_COMMENT=Yes
 MANGLE_ENABLED=Yes
 AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
-###############################################################################
+ACCOUNTING=Yes
 DYNAMIC_BLACKLIST=Yes
 OPTIMIZE_ACCOUNTING=No
 LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=No
 ##############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 SFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 #LAST LINE -- DO NOT REMOVE
--- a/Samples6/three-interfaces/rules
+++ b/Samples6/three-interfaces/rules
@@ -10,17 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-###########################################################################################################################################################################
+#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 #       Don't allow connection pickup from the net
 #
 Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Samples6/three-interfaces/shorewall6.conf
+++ b/Samples6/three-interfaces/shorewall6.conf
@@ -1,11 +1,19 @@
 ###############################################################################
 #
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+# Shorewall6 version 4 - Sample shorewall.conf for one-interface configuration.
 # Copyright (C) 2006,2008 by the Shorewall Team
 #
-#  For information about the settings in this file, type "man shorewall6.conf"
+# This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
-#  Manpage also online at
+# See the file README.txt for further details.
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+#
 # For information about the settings in this file, type "man shorewall6.conf"
 #
 # The manpage is also online at 
 # http://shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -22,163 +30,141 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################
 BLACKLIST_LOGLEVEL=
 LOG_VERBOSITY=2
 LOGALLNEW=
 LOGFILE=/var/log/messages
 LOGFORMAT="Shorewall:%s:%s:"
 LOGLIMIT=
 LOGTAGONLY=No
 MACLIST_LOG_LEVEL=info
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
 STARTUP_LOG=/var/log/shorewall6-init.log
 LOG_VERBOSITY=2
 LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
 LOGLIMIT=
 LOGALLNEW=
 BLACKLIST_LOGLEVEL=
 TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
 IP6TABLES=
 IP=
 IPSET=
 MODULESDIR=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 RESTOREFILE=
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
-TC=
+MODULESDIR=
 CONFIG_PATH=/etc/shorewall6/:/usr/share/shorewall6:/usr/share/shorewall
 RESTOREFILE=
 LOCKFILE=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
 QUEUE_DEFAULT="none"
 NFQUEUE_DEFAULT="none"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 ACCOUNTING=Yes
 ACCOUNTING_TABLE=filter
 ADMINISABSENTMINDED=Yes
 AUTO_COMMENT=Yes
 AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 CLAMPMSS=No
 CLEAR_TC=Yes
 COMPLETE=No
 DELETE_THEN_ADD=Yes
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
 EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 HIGH_ROUTE_MARKS=No
 IMPLICIT_CONTINUE=No
 IP_FORWARDING=On
 KEEP_RT_TABLES=Yes
 LEGACY_FASTSTART=No
 LOAD_HELPERS_ONLY=Yes
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX=ko
 MUTEX_TIMEOUT=60
 OPTIMIZE=1
 OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 TC_ENABLED=No
 TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
 MARK_IN_FORWARD_CHAIN=No
 CLAMPMSS=No
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
 MODULE_SUFFIX=ko
 FASTACCEPT=No
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 OPTIMIZE=1
 EXPORTPARAMS=No
 EXPAND_POLICIES=Yes
 KEEP_RT_TABLES=Yes
 DELETE_THEN_ADD=Yes
 DONT_LOAD=
 AUTO_COMMENT=Yes
 MANGLE_ENABLED=Yes
 AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ACCOUNTING=Yes
 DYNAMIC_BLACKLIST=Yes
 OPTIMIZE_ACCOUNTING=No
 LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=No
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 SFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 #LAST LINE -- DO NOT REMOVE
--- a/Samples6/three-interfaces/zones
+++ b/Samples6/three-interfaces/zones
@@ -15,6 +15,6 @@
 #ZONE	TYPE	OPTIONS			IN			OUT
 #					OPTIONS			OPTIONS
 fw	firewall
-net	ipv6
+net	ipv4
-loc	ipv6
+loc	ipv4
-dmz	ipv6
+dmz	ipv4
--- a/Samples6/two-interfaces/rules
+++ b/Samples6/two-interfaces/rules
@@ -10,17 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-###########################################################################################################################################################################
+#############################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 #       Don't allow connection pickup from the net
 #
 Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Samples6/two-interfaces/shorewall6.conf
+++ b/Samples6/two-interfaces/shorewall6.conf
@@ -1,11 +1,19 @@
 ###############################################################################
 #
-#  Shorewall Version 4 -- /etc/shorewall6/shorewall6.conf
+# Shorewall version 4.4 - Sample shorewall.conf for one-interface configuration.
 # Copyright (C) 2006 by the Shorewall Team
 #
-#  For information about the settings in this file, type "man shorewall6.conf"
+# This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
 # License as published by the Free Software Foundation; either
 # version 2.1 of the License, or (at your option) any later version.
 #
-#  Manpage also online at
+# See the file README.txt for further details.
-#  http://www.shorewall.net/manpages6/shorewall6.conf.html
+#
 # For information about the settings in this file, type "man shorewall6.conf"
 #
 # The manpage is also online at 
 # http://shorewall.net/manpages6/shorewall6.conf.html
 ###############################################################################
 #		       S T A R T U P   E N A B L E D
 ###############################################################################
@@ -22,163 +30,141 @@ VERBOSITY=1
 #			       L O G G I N G
 ###############################################################################
 BLACKLIST_LOGLEVEL=
 LOG_VERBOSITY=2
 LOGALLNEW=
 LOGFILE=/var/log/messages
 LOGFORMAT="Shorewall:%s:%s:"
 LOGLIMIT=
 LOGTAGONLY=No
 MACLIST_LOG_LEVEL=info
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
 STARTUP_LOG=/var/log/shorewall6-init.log
 LOG_VERBOSITY=2
 LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
 LOGLIMIT=
 LOGALLNEW=
 BLACKLIST_LOGLEVEL=
 TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
 IP6TABLES=
 IP=
 IPSET=
 MODULESDIR=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 RESTOREFILE=
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=
-TC=
+MODULESDIR=
 CONFIG_PATH=/etc/shorewall6/:/usr/share/shorewall6:/usr/share/shorewall/
 RESTOREFILE=
 LOCKFILE=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
 ACCEPT_DEFAULT="none"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
 REJECT_DEFAULT="Reject"
 ACCEPT_DEFAULT="none"
 QUEUE_DEFAULT="none"
 NFQUEUE_DEFAULT="none"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
 ACCOUNTING=Yes
 ACCOUNTING_TABLE=filter
 ADMINISABSENTMINDED=Yes
 AUTO_COMMENT=Yes
 AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 CLAMPMSS=No
 CLEAR_TC=Yes
 COMPLETE=No
 DELETE_THEN_ADD=Yes
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
 EXPAND_POLICIES=No
 EXPORTMODULES=Yes
 FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 HIGH_ROUTE_MARKS=No
 IMPLICIT_CONTINUE=No
 IP_FORWARDING=On
 KEEP_RT_TABLES=Yes
 LEGACY_FASTSTART=No
 LOAD_HELPERS_ONLY=Yes
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX=ko
 MUTEX_TIMEOUT=60
 OPTIMIZE=1
 OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 TC_ENABLED=No
 TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-TRACK_PROVIDERS=Yes
+CLEAR_TC=Yes
 MARK_IN_FORWARD_CHAIN=No
 CLAMPMSS=No
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
 MODULE_SUFFIX=ko
 FASTACCEPT=No
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 OPTIMIZE=1
 EXPORTPARAMS=No
 EXPAND_POLICIES=No
 KEEP_RT_TABLES=Yes
 DELETE_THEN_ADD=Yes
 DONT_LOAD=
 AUTO_COMMENT=Yes
 MANGLE_ENABLED=Yes
 AUTOMAKE=No
 WIDE_TC_MARKS=Yes
 TRACK_PROVIDERS=Yes
 ZONE2ZONE=2
 ACCOUNTING=Yes
 DYNAMIC_BLACKLIST=Yes
 OPTIMIZE_ACCOUNTING=No
 LOAD_HELPERS_ONLY=Yes
 REQUIRE_INTERFACE=No
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=No
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
 BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 SFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
 #LAST LINE -- DO NOT REMOVE
--- a/Shorewall-init/COPYING
+++ b/Shorewall-init/COPYING
@@ -2,8 +2,7 @@
 		       Version 2, June 1991
 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                          51 Franklin Street, Fifth Floor,
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 			  Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
--- a/Shorewall-init/ifupdown.sh
+++ b/Shorewall-init/ifupdown.sh
@@ -22,52 +22,6 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 Debian_SuSE_ppp() {
    NEWPRODUCTS=
    INTERFACE="$1"
    case $0 in
 	/etc/ppp/ip-*)
 	    #
 	    # IPv4
 	    #
 	    for product in $PRODUCTS; do
 		case $product in
 		    shorewall|shorewall-lite)
 			NEWPRODUCTS="$NEWPRODUCTS $product";
 			;;
 		esac
 	    done
 	    ;;
 	/etc/ppp/ipv6-*)
 	    #
 	    # IPv6
 	    #
 	    for product in $PRODUCTS; do
 		case $product in
 		    shorewall6|shorewall6-lite)
 			NEWPRODUCTS="$NEWPRODUCTS $product";
 			;;
 		esac
 	    done
 	    ;;
 	*)
 	    exit 0
 	    ;;
    esac
    PRODUCTS="$NEWPRODUCTS"
    case $0 in
 	*up/*)
 	    COMMAND=up
 	    ;;
 	*)
 	    COMMAND=down
 	    ;;
    esac
 }
 IFUPDOWN=0
 PRODUCTS=
@@ -80,103 +34,57 @@ fi
 [ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
 if [ -f /etc/debian_version ]; then
-    case $0 in
+    #
-	/etc/ppp*)
+    # Debian ifupdown system
-	    #
+    #
-	    # Debian ppp
+    if [ "$MODE" = start ]; then
-	    #
+	COMMAND=up
-	    Debian_SuSE_ppp
+    elif [ "$MODE" = stop ]; then
-	    ;;
+	COMMAND=down
-	
+    else
-	*)
+	exit 0
-            #
+    fi
            # Debian ifupdown system
            #
 	    INTERFACE="$IFACE"
-	    if [ "$MODE" = start ]; then
+    case "$PHASE" in
-		COMMAND=up
+	pre-*)
-	    elif [ "$MODE" = stop ]; then
+	    exit 0
 		COMMAND=down
 	    else
 		exit 0
 	    fi
 	    case "$PHASE" in
 		pre-*)
 		    exit 0
 		    ;;
 	    esac
 	    ;;
    esac
 elif [ -f /etc/SuSE-release ]; then
-    case $0 in
+    #
-	/etc/ppp*)
+    # SuSE ifupdown system
-	    #
+    #
-	    # SUSE ppp
+    IFACE="$2"
 	    #
 	    Debian_SuSE_ppp
 	    ;;
 	*)
            #
            # SuSE ifupdown system
            #
 	    INTERFACE="$2"
-	    case $0 in
+    case $0 in
-		*if-up.d*)
+	*if-up.d*)
-		    COMMAND=up
+	    COMMAND=up
-		    ;;
+	    ;;
-		*if-down.d*)
+	*if-down.d*)
-		    COMMAND=down
+	    COMMAND=down
-		    ;;
+	    ;;
-		*)
+	*)
-		    exit 0
+	    exit 0
 		    ;;
 	    esac
 	    ;;
    esac
 else
    #
    # Assume RedHat/Fedora/CentOS/Foobar/...
    #
-    case $0 in
+    IFACE="$1"
-	/etc/ppp*)
+    
-	    INTERFACE="$1"
+    case $0 in 
-
+	*ifup*)
-	    case $0 in
+	    COMMAND=up
-		*ip-up.local)
+	    ;;
-		    COMMAND=up
+	*ifdown*)
-		    ;;
+	    COMMAND=down
-		*ip-down.local)
+	    ;;
-		    COMMAND=down
+	*dispatcher.d*)
-		    ;;
+	    COMMAND="$2"
 		*)
 		    exit 0
 		    ;;
 	    esac
 	    ;;
 	*)
-	    #
+	    exit 0
 	    # RedHat ifup/down system
 	    #
 	    INTERFACE="$1"
 	    case $0 in 
 		*ifup*)
 		    COMMAND=up
 		    ;;
 		*ifdown*)
 		    COMMAND=down
 		    ;;
 		*dispatcher.d*)
 		    COMMAND="$2"
 		    ;;
 		*)
 		    exit 0
 		    ;;
 	    esac
 	    ;;
    esac
 fi
@@ -187,7 +95,7 @@ for PRODUCT in $PRODUCTS; do
    if [ -x $VARDIR/firewall ]; then
 	  ( . /usr/share/$PRODUCT/lib.base
 	    mutex_on
-	    ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
+	    ${VARDIR}/firewall -V0 $COMMAND $IFACE || echo_notdone
 	    mutex_off
 	  )
    fi
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -1,121 +0,0 @@
 #! /bin/bash
 #
 # chkconfig: - 09 91
 # description: Initialize the shorewall firewall at boot time
 #
 ### BEGIN INIT INFO
 # Provides: shorewall-init
 # Required-Start: $local_fs
 # Required-Stop:  $local_fs
 # Default-Start:
 # Default-Stop:	  0 1 2 3 4 5 6
 # Short-Description: Initialize the shorewall firewall at boot time
 # Description:       Place the firewall in a safe state at boot time
 #                    prior to bringing up the network.  
 ### END INIT INFO
 prog="shorewall-init"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/shorewall-init"
 # Source function library.
 . /etc/rc.d/init.d/functions
 # Get startup options (override default)
 OPTIONS=
 # check if shorewall-init is configured or not
 if [ -f "/etc/sysconfig/shorewall-init" ]; then
    . /etc/sysconfig/shorewall-init
 else
    echo "/etc/sysconfig/shorewall-init not found"
    exit 6
 fi
 # Initialize the firewall
 start () {
    local product
    local vardir
    if [ -z "$PRODUCTS" ]; then
 	echo "No firewalls configured for shorewall-init"
 	failure
 	return 6 #Not configured
    fi
    echo -n "Initializing \"Shorewall-based firewalls\": "
    for product in $PRODUCTS; do
 	vardir=/var/lib/$product
 	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
 	if [ -x ${vardir}/firewall ]; then
 	    ${vardir}/firewall stop 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
 	    [ retval -ne 0 ] && break
 	fi
    done
    if [ retval -eq 0 ]; then
 	touch $lockfile 
 	success
    else
 	failure
    fi
    echo
    return $retval
 }
 # Clear the firewall
 stop () {
    local product
    local vardir
    echo -n "Clearing \"Shorewall-based firewalls\": "
    for product in $PRODUCTS; do
 	vardir=/var/lib/$product
 	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
 	if [ -x ${vardir}/firewall ]; then
 	    ${vardir}/firewall clear 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
 	    [ retval -ne 0 ] && break
 	fi
    done
    if [ retval -eq 0 ]; then
 	rm -f $lockfile
 	success
    else
 	failure
    fi
    echo
    return $retval
 }
 status_q() {
    status > /dev/null 2>&1
 }
 case "$1" in
    start)
 	status_q && exit 0
 	$1
 	;;
    stop)
 	status_q || exit 0
 	$1
 	;;
    restart|reload|force-reload)
 	echo "Not implemented"
 	exit 3
 	;;
    condrestart|try-restart)
 	echo "Not implemented"
 	exit 3
        ;;
    status)
 	status $prog
 	;;
  *)
 	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
 	exit 1
 esac
 exit 0
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -29,7 +29,7 @@
 # Required-start: $local_fs
 # Required-stop:  $local_fs
 # Default-Start:  2 3 5
-# Default-Stop:   6
+# Default-Stop:
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time
 #                    prior to bringing up the network.  
@@ -69,10 +69,6 @@ shorewall_start () {
      fi
  done
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      ipset -R < "$SAVE_IPSETS"
  fi
  return 0
 }
@@ -90,13 +86,6 @@ shorewall_stop () {
      fi
  done
  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
 	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      fi
  fi
  return 0
 }
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
 #       Shorewall documentation is available at http://shorewall.net
@@ -23,7 +23,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=xxx #The Build script inserts the actual version.
+VERSION=4.4.13
 usage() # $1 = exit status
 {
@@ -88,6 +88,9 @@ install_file() # $1 = source $2 = target $3 = mode
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 #
 # Parse the run line
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
 # ARGS is "yes" if we've already parsed an argument
@@ -121,16 +124,6 @@ done
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 [ -n "${LIBEXEC:=/usr/share}" ]
 case "$LIBEXEC" in
    /*)
 	;;
    *)
 	LIBEXEC=/usr/${LIBEXEC}
 	;;
 esac
 #
 # Determine where to install the firewall script
 #
@@ -160,8 +153,6 @@ elif [ -f /etc/debian_version ]; then
    DEBIAN=yes
 elif [ -f /etc/SuSE-release ]; then
    SUSE=Yes
 elif [ -f /etc/redhat-release ]; then
    FEDORA=Yes
 elif [ -f /etc/slackware-version ] ; then
    echo "Shorewall-init is currently not supported on Slackware" >&2
    exit 1
@@ -183,14 +174,6 @@ else
    exit 1
 fi
 if [ -z "$DESTDIR" ]; then
    if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
    fi
 elif [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}/lib/systemd/system
 fi
 #
 # Change to the directory containing this script
 #
@@ -212,8 +195,6 @@ fi
 #
 if [ -n "$DEBIAN" ]; then
    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
 elif [ -n "$FEDORA" ]; then
    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
 #elif [ -n "$ARCHLINUX" ]; then
 #    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
 else
@@ -222,14 +203,6 @@ fi
 echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
 fi
 #
 # Create /usr/share/shorewall-init if needed
 #
@@ -286,9 +259,9 @@ fi
 # Install the ifupdown script
 #
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-init
+mkdir -p ${DESTDIR}/usr/share/shorewall-init
-install_file ifupdown.sh ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown 0544
+install_file ifupdown.sh ${DESTDIR}/usr/share/shorewall-init/ifupdown 0544
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
@@ -312,16 +285,15 @@ fi
 if [ -z "$DESTDIR" ]; then
    if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
-	    
+	    if [ -x /sbin/insserv ]; then
-	    update-rc.d shorewall-init defaults
+		insserv /etc/init.d/shorewall-init
 	    else
 		ln -sf ../init.d/shorewall-init /etc/rcS.d/S38shorewall-init
 	    fi
 	    echo "Shorewall Init will start automatically at boot"
 	else
-	    if [ -n "$SYSTEMD" ]; then
+	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if systemctl enable shorewall-init; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if insserv /etc/init.d/shorewall-init ; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
@@ -343,7 +315,6 @@ if [ -z "$DESTDIR" ]; then
 	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
 	fi
    fi
 else
@@ -359,32 +330,6 @@ else
    fi
 fi
 if [ -f ${DESTDIR}/etc/ppp ]; then
    if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then
 	for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
 	    mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
 	    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
 	done
    elif [ -n "$REDHAT" ]; then
 	#
 	# Must use the dreaded ip_xxx.local file
 	#
 	for file in ip-up.local ip-down.local; do
 	    FILE=${DESTDIR}/etc/ppp/$file
 	    if [ -f $FILE ]; then
 		if fgrep -q Shorewall-based $FILE ; then
 		    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
 		else
 		    echo "$FILE already exists -- ppp devices will not be handled"
 		    break
 		fi
 	    else
 		cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
 	    fi
 	done
    fi
 fi
 #
 #  Report Success
 #
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -1,20 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
 #
 #     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
 #
 [Unit]
 Description=Shorewall IPv4 firewall
 After=syslog.target
 Before=network.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-init $OPTIONS start
 ExecStop=/sbin/shorewall-init $OPTIONS stop
 [Install]
 WantedBy=multi-user.target
--- a/Shorewall-init/shorewall-init.spec
+++ b/Shorewall-init/shorewall-init.spec
@@ -0,0 +1,156 @@
 %define name shorewall-init
 %define version 4.4.13
 %define release 0base
 Summary: Shorewall-init adds functionality to Shoreline Firewall (Shorewall).
 Name: %{name}
 Version: %{version}
 Release: %{release}
 License: GPLv2
 Packager: Tom Eastep <teastep@shorewall.net>
 Group: Networking/Utilities
 Source: %{name}-%{version}.tgz
 URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: shoreline_firewall >= 4.4.10
 %description
 The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
 (iptables) based firewall that can be used on a dedicated firewall system,
 a multi-function gateway/ router/server or on a standalone GNU/Linux system.
 Shorewall Init is a companion product to Shorewall that allows for tigher
 control of connections during boot and that integrates Shorewall with
 ifup/ifdown and NetworkManager.
 %prep
 %setup
 %build
 %install
 export DESTDIR=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
 %clean
 rm -rf $RPM_BUILD_ROOT
 %post
 if [ $1 -eq 1 ]; then
    if [ -x /sbin/insserv ]; then
 	/sbin/insserv /etc/rc.d/shorewall-init
    elif [ -x /sbin/chkconfig ]; then
 	/sbin/chkconfig --add shorewall-init;
    fi
 fi
 if [ -f /etc/SuSE-release ]; then
    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-up.d/shorewall
    cp -pf /usr/share/shorewall-init/ifupdown /etc/sysconfig/network/if-down.d/shorewall
 else
    if [ -f /sbin/ifup-local -o -f /sbin/ifdown-local ]; then
 	if ! grep -q Shorewall /sbin/ifup-local || ! grep -q Shorewall /sbin/ifdown-local; then
 	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; ifup/ifdown events will not be handled" >&2
 	else
 	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
 	    cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
 	fi
    else
 	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifup-local
 	cp -pf /usr/share/shorewall-init/ifupdown /sbin/ifdown-local
    fi
    if [ -d /etc/NetworkManager/dispatcher.d/ ]; then
 	cp -pf /usr/share/shorewall-init/ifupdown /etc/NetworkManager/dispatcher.d/01-shorewall
    fi
 fi
 %preun
 if [ $1 -eq 0 ]; then
    if [ -x /sbin/insserv ]; then
 	/sbin/insserv -r /etc/init.d/shorewall-init
    elif [ -x /sbin/chkconfig ]; then
 	/sbin/chkconfig --del shorewall-init
    fi
    [ -f /sbin/ifup-local ]   && grep -q Shorewall /sbin/ifup-local   && rm -f /sbin/ifup-local
    [ -f /sbin/ifdown-local ] && grep -q Shorewall /sbin/ifdown-local && rm -f /sbin/ifdown-local
    rm -f /etc/NetworkManager/dispatcher.d/01-shorewall
 fi
 %files
 %defattr(0644,root,root,0755)
 %attr(0644,root,root) %config(noreplace) /etc/sysconfig/shorewall-init
 %attr(0544,root,root) /etc/init.d/shorewall-init
 %attr(0755,root,root) %dir /usr/share/shorewall-init
 %attr(0644,root,root) /usr/share/shorewall-init/version
 %attr(0544,root,root) /usr/share/shorewall-init/ifupdown
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
 * Mon Sep 20 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0base
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta6
 * Mon Sep 13 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta5
 * Sat Sep 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta4
 * Mon Aug 30 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta3
 * Wed Aug 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta2
 * Wed Aug 18 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta1
 * Sun Aug 15 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0base
 * Fri Aug 06 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0RC1
 * Sun Aug 01 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta4
 * Sat Jul 31 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta3
 * Sun Jul 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta2
 * Wed Jul 21 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta1
 * Fri Jul 09 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0base
 * Mon Jul 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0RC1
 * Sat Jul 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta3
 * Thu Jul 01 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta2
 * Sun Jun 06 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta1
 * Sat Jun 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC1
 * Wed May 26 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0Beta4
 * Tue May 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0Beta3
 * Thu May 20 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0Beta2
 * Tue May 18 2010 Tom Eastep tom@shorewall.net
 - Initial version
--- a/Shorewall-init/sysconfig
+++ b/Shorewall-init/sysconfig
@@ -10,9 +10,3 @@ PRODUCTS=""
 # ifup/ifdown and NetworkManager events
 #
 IFUPDOWN=0
 #
 # Set this to the name of the file that is to hold
 # ipset contents. Shorewall-init will load those ipsets
 # during 'start' and will save them there during 'stop'.
 #
 SAVE_IPSETS=""
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,10 +1,10 @@
-\#!/bin/sh
+#!/bin/sh
 #
 # Script to back uninstall Shoreline Firewall
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=xxx  #The Build script inserts the actual version
+VERSION=4.4.13
 usage() # $1 = exit status
 {
@@ -60,21 +60,15 @@ else
    VERSION=""
 fi
 [ -n "${LIBEXEC:=/usr/share}" ]
 echo "Uninstalling Shorewall Init $VERSION"
 INITSCRIPT=/etc/init.d/shorewall-init
 if [ -n "$INITSCRIPT" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
+    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 	updaterc.d shorewall-init remove
    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
        insserv -r $INITSCRIPT
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $INITSCRIPT)
    elif [ -x /sbin/systemctl ]; then
 	systemctl disable shorewall-init
    else
 	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
    fi
@@ -95,22 +89,8 @@ remove_file /etc/network/if-down.d/shorewall
 remove_file /etc/sysconfig/network/if-up.d/shorewall
 remove_file /etc/sysconfig/network/if-down.d/shorewall
 remove_file /lib/systemd/system/shorewall.service
 if [ -d /etc/ppp ]; then
    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
 	remove_file /etc/ppp/$directory/shorewall
    done
    for file in if-up.local if-down.local; do
 	if fgrep -q Shorewall-based /etc/ppp/$FILE; then
 	    remove_file /etc/ppp/$FILE
 	fi
    done
 fi
 rm -rf /usr/share/shorewall-init
 rm -rf ${LIBEXEC}/shorewall-init
 echo "Shorewall Init Uninstalled"
--- a/Shorewall-lite/COPYING
+++ b/Shorewall-lite/COPYING
@@ -2,8 +2,7 @@
 		       Version 2, June 1991
 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                          51 Franklin Street, Fifth Floor,
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 			  Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -17,9 +17,10 @@ SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
 test -n ${INITLOG:=/var/log/shorewall-lite-init.log}
-[ "$INITLOG" = "/dev/null" ] && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
+[ "$INITLOG" eq "/dev/null" && SHOREWALL_INIT_SCRIPT=1 || SHOREWALL_INIT_SCRIPT=0
 export SHOREWALL_INIT_SCRIPT
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
 test -n "$INITLOG" || {
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -1,112 +0,0 @@
 #!/bin/sh
 #
 # Shorewall init script
 #
 # chkconfig: - 28 90
 # description: Packet filtering firewall
 ### BEGIN INIT INFO
 # Provides: shorewall-lite
 # Required-Start: $local_fs $remote_fs $syslog $network
 # Should-Start: VMware $time $named
 # Required-Stop:
 # Default-Start:
 # Default-Stop:	  0 1 2 3 4 5 6
 # Short-Description: Packet filtering firewall
 # Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
 #              Netfilter (iptables) based firewall
 ### END INIT INFO
 # Source function library.
 . /etc/rc.d/init.d/functions
 prog="shorewall-lite"
 shorewall="/sbin/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
 # Get startup options (override default)
 OPTIONS=
 if [ -f /etc/sysconfig/$prog ]; then
    . /etc/sysconfig/$prog
 fi
 start() {
    echo -n $"Starting Shorewall: "
    $shorewall $OPTIONS start 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then 
 	touch $lockfile
 	success
    else 
 	failure
    fi
    echo
    return $retval
 }
 stop() {
    echo -n $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then 
 	rm -f $lockfile
 	success
    else 
 	failure
    fi
    echo
    return $retval
 }
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
    $shorewall $OPTIONS restart 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then 
 	touch $lockfile
 	success
    else # Failed to start, clean up lock file if present
 	rm -f $lockfile
 	failure
    fi
    echo
    return $retval
 }
 status(){
    $shorewall status
    return $?
 }
 status_q() {
    status > /dev/null 2>&1
 }
 case "$1" in
    start)
 	status_q && exit 0
 	$1
 	;;
    stop)
 	status_q || exit 0
 	$1
 	;;
    restart|reload|force-reload)
 	restart
 	;;
    condrestart|try-restart)
        status_q || exit 0
        restart
        ;;
    status)
 	$1
 	;;
    *)
 	echo "Usage: $0 start|stop|reload|restart|force-reload|status"
 	exit 1
 	;;
 esac
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=xxx #The Build script inserts the actual version
+VERSION=4.4.13
 usage() # $1 = exit status
 {
@@ -123,19 +123,10 @@ done
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 [ -n "${LIBEXEC:=/usr/share}" ]
 case "$LIBEXEC" in
    /*)
 	;;
    *)
 	LIBEXEC=/usr/${LIBEXEC}
 	;;
 esac
 #
 # Determine where to install the firewall script
 #
 DEBIAN=
 CYGWIN=
 INSTALLD='-D'
 T='-T'
@@ -172,8 +163,6 @@ if [ -n "$DESTDIR" ]; then
    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
 elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
    DEBIAN=yes
 elif [ -f /etc/redhat-release ]; then
    FEDORA=yes
 elif [ -f /etc/slackware-version ] ; then
    DEST="/etc/rc.d"
    INIT="rc.firewall"
@@ -183,14 +172,6 @@ elif [ -f /etc/arch-release ] ; then
      ARCHLINUX=yes
 fi
 if [ -z "$DESTDIR" ]; then
    if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
    fi
 elif [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}/lib/systemd/system
 fi
 #
 # Change to the directory containing this script
 #
@@ -208,7 +189,6 @@ else
    rm -rf ${DESTDIR}/etc/shorewall-lite
    rm -rf ${DESTDIR}/usr/share/shorewall-lite
    rm -rf ${DESTDIR}/var/lib/shorewall-lite
    [ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall-lite/shorecap /usr/share/shorecap
 fi
 #
@@ -224,21 +204,18 @@ delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
 install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
 eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall-lite
 echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
+    install_file init.debian.sh /etc/init.d/shorewall-lite 0544
 elif [ -n "$FEDORA" ]; then
    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
 elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
+    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
 else
-    install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
+    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
 fi
 echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
@@ -248,7 +225,6 @@ echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
 #
 mkdir -p ${DESTDIR}/etc/shorewall-lite
 mkdir -p ${DESTDIR}/usr/share/shorewall-lite
 mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-lite
 mkdir -p ${DESTDIR}/var/lib/shorewall-lite
 chmod 755 ${DESTDIR}/etc/shorewall-lite
@@ -259,14 +235,6 @@ if [ -n "$DESTDIR" ]; then
    chmod 755 ${DESTDIR}/etc/logrotate.d
 fi
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
    run_install $OWNERSHIP -m 600 shorewall-lite.service ${DESTDIR}/lib/systemd/system/shorewall-lite.service
    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-lite.service"
 fi
 #
 # Install the config file
 #
@@ -309,24 +277,24 @@ echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functi
 # Install Shorecap
 #
-install_file shorecap ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap 0755
+install_file shorecap ${DESTDIR}/usr/share/shorewall-lite/shorecap 0755
 echo
-echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap"
+echo "Capability file builder installed in ${DESTDIR}/usr/share/shorewall-lite/shorecap"
 #
 # Install wait4ifup
 #
 if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup 0755
+    install_file wait4ifup ${DESTDIR}/usr/share/shorewall-lite/wait4ifup 0755
    echo
-    echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup"
+    echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall-lite/wait4ifup"
 fi
 #
-# Install the Modules files
+# Install the Modules file
 #
 if [ -f modules ]; then
@@ -334,16 +302,6 @@ if [ -f modules ]; then
    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
 fi
 if [ -f helpers ]; then
    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/shorewall-lite
    echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall-lite/helpers"
 fi
 for f in modules.*; do
    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/shorewall-lite/$f
    echo "Module file $f installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
 done
 #
 # Install the Man Pages
 #
@@ -397,8 +355,6 @@ if [ -z "$DESTDIR" ]; then
 	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
 	    update-rc.d shorewall-lite defaults
 	    if [ -x /sbin/insserv ]; then
 		insserv /etc/init.d/shorewall-lite
 	    else
@@ -407,11 +363,7 @@ if [ -z "$DESTDIR" ]; then
 	    echo "Shorewall Lite will start automatically at boot"
 	else
-	    if [ -n "$SYSTEMD" ]; then
+	    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if systemctl enable shorewall-lite; then
 		    echo "Shorewall Lite will start automatically at boot"
 		fi
 	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if insserv /etc/init.d/shorewall-lite ; then
 		    echo "Shorewall Lite will start automatically at boot"
 		else
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -1,10 +1,10 @@
 #!/bin/sh
 #
-#     Shorewall Lite Packet Filtering Firewall Control Program - V4.4
+#     Shorewall Lite Packet Filtering Firewall Control Program - V4.1
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall-lite.
 #
@@ -94,9 +94,9 @@ get_config() {
    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
-	g_logread="logread | tac"
+	LOGREAD="logread | tac"
    elif [ -r $LOGFILE ]; then
-	g_logread="tac $LOGFILE"
+	LOGREAD="tac $LOGFILE"
    else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	exit 2
@@ -113,6 +113,10 @@ get_config() {
    [ -n "$FW" ] || FW=fw
    [ -n "LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"
    [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"
    if [ -n "$IPTABLES" ]; then
 	if [ ! -x "$IPTABLES" ]; then
 	    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
@@ -141,12 +145,6 @@ get_config() {
    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
    if [ $VERBOSITY -lt -1 ]; then
 	VERBOSITY=-1
    elif [ $VERBOSITY -gt 2 ]; then
 	VERBOSITY=2
    fi
    g_hostname=$(hostname 2> /dev/null)
    IP=$(mywhich ip 2> /dev/null)
@@ -177,15 +175,6 @@ verify_firewall_script() {
    fi
 }
 #
 # Fatal error
 #
 startup_error() {
    echo "   ERROR: $@" >&2
    kill $$
    exit 1
 }
 #
 # Start Command Executor
 #
@@ -474,13 +463,6 @@ g_use_verbosity=
 g_noroutes=
 g_timestamp=
 g_recovering=
 g_logread=
 #
 # Make sure that these variables are cleared
 #
 VERBOSE=
 VERBOSITY=
 finished=0
@@ -570,7 +552,6 @@ MUTEX_TIMEOUT=
 SHAREDIR=/usr/share/shorewall-lite
 CONFDIR=/etc/shorewall-lite
 g_product="Shorewall Lite"
 g_libexec=share
 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
--- a/Shorewall-lite/shorewall-lite.conf
+++ b/Shorewall-lite/shorewall-lite.conf
@@ -21,7 +21,6 @@
 ###############################################################################
 #		              V E R B O S I T Y
 ###############################################################################
 VERBOSITY=
 ###############################################################################
@@ -30,6 +29,8 @@ VERBOSITY=
 LOGFILE=
 LOGFORMAT=
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -1,20 +0,0 @@
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
 #
 #     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
 After=syslog.target
 After=network.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
 ExecStart=/sbin/shorewall-lite $OPTIONS start
 ExecStop=/sbin/shorewall-lite $OPTIONS stop
 [Install]
 WantedBy=multi-user.target
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -0,0 +1,386 @@
 %define name shorewall-lite
 %define version 4.4.13
 %define release 0base
 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
 Version: %{version}
 Release: %{release}
 License: GPLv2
 Packager: Tom Eastep <teastep@shorewall.net>
 Group: Networking/Utilities
 Source: %{name}-%{version}.tgz
 URL: http://www.shorewall.net/
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-root
 Requires: iptables iproute
 Provides: shoreline_firewall = %{version}-%{release}
 %description
 The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter
 (iptables) based firewall that can be used on a dedicated firewall system,
 a multi-function gateway/ router/server or on a standalone GNU/Linux system.
 Shorewall Lite is a companion product to Shorewall that allows network
 administrators to centralize the configuration of Shorewall-based firewalls.
 %prep
 %setup
 %build
 %install
 export DESTDIR=$RPM_BUILD_ROOT ; \
 export OWNER=`id -n -u` ; \
 export GROUP=`id -n -g` ;\
 ./install.sh
 %clean
 rm -rf $RPM_BUILD_ROOT
 %pre
 if [ -f /etc/shorewall-lite/shorewall.conf ]; then
    cp -fa /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall.conf.rpmsave
 fi
 %post
 if [ $1 -eq 1 ]; then
    if [ -x /sbin/insserv ]; then
 	/sbin/insserv /etc/rc.d/shorewall-lite
    elif [ -x /sbin/chkconfig ]; then
 	/sbin/chkconfig --add shorewall-lite;
    fi
 elif [ -f /etc/shorewall-lite/shorewall.conf.rpmsave ]; then
    mv -f /etc/shorewall-lite/shorewall-lite.conf /etc/shorewall-lite/shorewall-lite.conf.rpmnew
    mv -f /etc/shorewall-lite/shorewall.conf.rpmsave /etc/shorewall-lite/shorewall-lite.conf
    echo "/etc/shorewall-lite/shorewall.conf retained as /etc/shorewall-lite/shorewall-lite.conf"
    echo "/etc/shorewall-lite/shorewall-lite.conf installed as /etc/shorewall-lite/shorewall-lite.conf.rpmnew"
 fi
 %preun
 if [ $1 -eq 0 ]; then
    if [ -x /sbin/insserv ]; then
 	/sbin/insserv -r /etc/init.d/shorewall-lite
    elif [ -x /sbin/chkconfig ]; then
 	/sbin/chkconfig --del shorewall-lite
    fi
 fi
 %files
 %defattr(0644,root,root,0755)
 %attr(0755,root,root) %dir /etc/shorewall-lite
 %attr(0644,root,root) %config(noreplace) /etc/shorewall-lite/shorewall-lite.conf
 %attr(0644,root,root) /etc/shorewall-lite/Makefile
 %attr(0544,root,root) /etc/init.d/shorewall-lite
 %attr(0755,root,root) %dir /usr/share/shorewall-lite
 %attr(0700,root,root) %dir /var/lib/shorewall-lite
 %attr(0644,root,root) /etc/logrotate.d/shorewall-lite
 %attr(0755,root,root) /sbin/shorewall-lite
 %attr(0644,root,root) /usr/share/shorewall-lite/version
 %attr(0644,root,root) /usr/share/shorewall-lite/configpath
 %attr(-   ,root,root) /usr/share/shorewall-lite/functions
 %attr(0644,root,root) /usr/share/shorewall-lite/lib.base
 %attr(0644,root,root) /usr/share/shorewall-lite/lib.cli
 %attr(0644,root,root) /usr/share/shorewall-lite/lib.common
 %attr(0644,root,root) /usr/share/shorewall-lite/modules
 %attr(0544,root,root) /usr/share/shorewall-lite/shorecap
 %attr(0755,root,root) /usr/share/shorewall-lite/wait4ifup
 %attr(0644,root,root) %{_mandir}/man5/shorewall-lite.conf.5.gz
 %attr(0644,root,root) %{_mandir}/man5/shorewall-lite-vardir.5.gz
 %attr(0644,root,root) %{_mandir}/man8/shorewall-lite.8.gz
 %doc COPYING changelog.txt releasenotes.txt
 %changelog
 * Mon Sep 20 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0base
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0RC1
 * Fri Sep 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta6
 * Mon Sep 13 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta5
 * Sat Sep 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta4
 * Mon Aug 30 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta3
 * Wed Aug 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta2
 * Wed Aug 18 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.13-0Beta1
 * Sun Aug 15 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0base
 * Fri Aug 06 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0RC1
 * Sun Aug 01 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta4
 * Sat Jul 31 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta3
 * Sun Jul 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta2
 * Wed Jul 21 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.12-0Beta1
 * Fri Jul 09 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0base
 * Mon Jul 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0RC1
 * Sat Jul 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta3
 * Thu Jul 01 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta2
 * Sun Jun 06 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.11-0Beta1
 * Sat Jun 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0base
 * Fri Jun 04 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC2
 * Thu May 27 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0RC1
 * Wed May 26 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0Beta4
 * Tue May 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0Beta3
 * Thu May 20 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0Beta2
 * Thu May 20 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0Beta2
 * Thu May 13 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.10-0Beta1
 * Mon May 03 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0base
 * Sun May 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0RC2
 * Sun Apr 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0RC1
 * Sat Apr 24 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0Beta5
 * Fri Apr 16 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0Beta4
 * Fri Apr 09 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0Beta3
 * Thu Apr 08 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0Beta2
 * Sat Mar 20 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.9-0Beta1
 * Fri Mar 19 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.8-0base
 * Tue Mar 16 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.8-0RC2
 * Mon Mar 08 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.8-0RC1
 * Sun Feb 28 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.8-0Beta2
 * Thu Feb 11 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.8-0Beta1
 * Fri Feb 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC2
 * Wed Jan 27 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC1
 * Mon Jan 25 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0Beta4
 * Fri Jan 22 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0Beta3
 * Fri Jan 22 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0Beta2
 * Sun Jan 17 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0Beta1
 * Wed Jan 13 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.6-0base
 * Tue Jan 12 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.6-0Beta1
 * Thu Dec 24 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.5-0base
 * Sat Nov 21 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0base
 * Fri Nov 13 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0Beta2
 * Wed Nov 11 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.4-0Beta1
 * Tue Nov 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.3-0base
 * Sun Sep 06 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base
 * Fri Sep 04 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.2-0base
 * Fri Aug 14 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.1-0base
 * Mon Aug 03 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0base
 * Tue Jul 28 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0RC2
 * Sun Jul 12 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0RC1
 * Thu Jul 09 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0Beta4
 * Sat Jun 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0Beta3
 * Mon Jun 15 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0Beta2
 * Fri Jun 12 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.4.0-0Beta1
 * Sun Jun 07 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.13-0base
 * Fri Jun 05 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.12-0base
 * Sun May 10 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.11-0base
 * Sun Apr 19 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.10-0base
 * Sat Apr 11 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.9-0base
 * Tue Mar 17 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.8-0base
 * Sun Mar 01 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.7-0base
 * Fri Feb 27 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.6-0base
 * Sun Feb 22 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.3.5-0base
 * Wed Feb 04 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.2.6-0base
 * Thu Jan 29 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.2.6-0base
 * Tue Jan 06 2009 Tom Eastep tom@shorewall.net
 - Updated to 4.2.5-0base
 * Thu Dec 25 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.4-0base
 * Fri Dec 05 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.3-0base
 * Wed Nov 05 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.2-0base
 * Wed Oct 08 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.1-0base
 * Fri Oct 03 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.0-0base
 * Tue Sep 23 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.0-0RC4
 * Mon Sep 15 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.0-0RC3
 * Mon Sep 08 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.0-0RC2
 * Tue Aug 19 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.0-0RC1
 * Thu Jul 03 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.0-0Beta3
 * Mon Jun 02 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.0-0Beta2
 * Wed May 07 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.2.0-0Beta1
 * Mon Apr 28 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.1.8-0base
 * Mon Mar 24 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.1.7-0base
 * Thu Mar 13 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.1.6-0base
 * Tue Feb 05 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.1.5-0base
 * Fri Jan 04 2008 Tom Eastep tom@shorewall.net
 - Updated to 4.1.4-0base
 * Wed Dec 12 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.1.3-0base
 * Fri Dec 07 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.1.3-1
 * Tue Nov 27 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.1.2-1
 * Wed Nov 21 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.1.1-1
 * Mon Nov 19 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.1.0-1
 * Thu Nov 15 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.6-1
 * Sat Nov 10 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.6-0RC3
 * Wed Nov 07 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.6-0RC2
 * Thu Oct 25 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.6-0RC1
 * Tue Oct 03 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.5-1
 * Wed Sep 05 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.4-1
 * Mon Aug 13 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.3-1
 * Thu Aug 09 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.2-1
 * Sat Jul 21 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.1-1
 * Wed Jul 11 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-1
 * Sun Jul 08 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0RC2
 * Mon Jul 02 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0RC1
 * Sun Jun 24 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0Beta7
 * Wed Jun 20 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0Beta6
 * Thu Jun 14 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0Beta5
 * Fri Jun 08 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0Beta4
 * Tue Jun 05 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0Beta3
 * Tue May 15 2007 Tom Eastep tom@shorewall.net
 - Updated to 4.0.0-0Beta1
 * Fri May 11 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.9.7-1
 * Sat May 05 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.9.6-1
 * Mon Apr 30 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.9.5-1
 * Mon Apr 23 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.9.4-1
 * Wed Apr 18 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.9.3-1
 * Sat Apr 14 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.9.2-1
 * Sat Apr 07 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.9.1-1
 * Thu Mar 15 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.4.1-1
 * Sat Mar 10 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.4.0-1
 * Sun Feb 25 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.4.0-0RC3
 * Sun Feb 04 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.4.0-0RC2
 * Wed Jan 24 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.4.0-0RC1
 * Mon Jan 22 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.4.0-0Beta3
 * Wed Jan 03 2007 Tom Eastep tom@shorewall.net
 - Updated to 3.4.0-0Beta2
 - Handle rename of shorewall.conf
 * Thu Dec 14 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.4.0-0Beta1
 * Sat Nov 25 2006 Tom Eastep tom@shorewall.net
 - Added shorewall-exclusion(5)
 - Updated to 3.3.6-1
 * Sun Nov 19 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.3.5-1
 * Sun Oct 29 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.3.4-1
 * Mon Oct 16 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.3.3-1
 * Sat Sep 30 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.3.2-1
 * Wed Aug 30 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.3.1-1
 * Wed Aug 09 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.3.0-1
 * Wed Aug 09 2006 Tom Eastep tom@shorewall.net
 - Updated to 3.3.0-1
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
-VERSION=xxx  #The Build script inserts the actual version
+VERSION=4.4.13
 usage() # $1 = exit status
 {
@@ -72,8 +72,6 @@ else
    VERSION=""
 fi
 [ -n "${LIBEXEC:=/usr/share}" ]
 echo "Uninstalling Shorewall Lite $VERSION"
 if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
@@ -87,14 +85,10 @@ else
 fi
 if [ -n "$FIREWALL" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
+    if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 	updaterc.d shorewall-lite remove
    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
        insserv -r $FIREWALL
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
    elif [ -x /sbin/systemctl ]; then
 	systemctl disable shorewall-lite
    else
 	rm -f /etc/rc*.d/*$(basename $FIREWALL)
    fi
@@ -111,11 +105,9 @@ rm -rf /etc/shorewall-lite-*.bkout
 rm -rf /var/lib/shorewall-lite
 rm -rf /var/lib/shorewall-lite-*.bkout
 rm -rf /usr/share/shorewall-lite
 rm -rf ${LIBEXEC}/shorewall-lite
 rm -rf /usr/share/shorewall-lite-*.bkout
 rm -f  /etc/logrotate.d/shorewall-lite
 rm -f  /lib/systemd/system/shorewall-lite.service
-echo "Shorewall Lite Uninstalled"
+echo "Shorewall Uninstalled"
--- a/Shorewall/COPYING
+++ b/Shorewall/COPYING
@@ -2,8 +2,7 @@
 		       Version 2, June 1991
 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
-                          51 Franklin Street, Fifth Floor,
+                       59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 			  Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
--- a/Shorewall/Contrib/swping
+++ b/Shorewall/Contrib/swping
@@ -224,7 +224,7 @@ while : ; do
 	# One of the interfaces changed state -- restart Shorewall
 	#
 	echo $if1_state > $VARDIR/${IF1}.status
-	echo $if2_state > $VARDIR/${IF2}.status
+	echo $if2_state > $VARDIR/${IF2}.status 
 	eval $COMMAND
 	state_changed=
    fi
--- a/Shorewall/Contrib/swping.init
+++ b/Shorewall/Contrib/swping.init
@@ -32,7 +32,7 @@
 ### BEGIN INIT INFO
 # Provides:	  swping
 # Required-Start: shorewall
-# Should-Start:
+# Should-Start: 
 # Required-Stop:
 # Default-Start:  2 3 5
 # Default-Stop:	  0 1 6
@@ -87,7 +87,7 @@ case "$command" in
 	    echo "swping is running"
 	    exit 0
 	else
-	    echo "swping is stopped"
+	    echo "swping is stopped" 
 	    exit 3
 	fi
 	;;
--- a/Shorewall/Macros/macro.A_AllowICMPs
+++ b/Shorewall/Macros/macro.A_AllowICMPs
@@ -1,15 +0,0 @@
 #
 # Shorewall version 4 - Audited AllowICMPs Macro
 #
 # /usr/share/shorewall/macro.AAllowICMPs
 #
 #	This macro A_ACCEPTs needed ICMP types
 #
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #					PORT(S)	PORT(S)	LIMIT	GROUP
 COMMENT Needed ICMP types
 A_ACCEPT       -	-	icmp	fragmentation-needed
 A_ACCEPT       -	-	icmp	time-exceeded
--- a/Shorewall/Macros/macro.A_DropDNSrep
+++ b/Shorewall/Macros/macro.A_DropDNSrep
@@ -1,14 +0,0 @@
 #
 # Shorewall version 4 - Audited DropDNSrep Macro
 #
 # /usr/share/shorewall/macro.ADropDNSrep
 #
 #	This macro silently audites and drops DNS UDP replies
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 COMMENT Late DNS Replies
 A_DROP	-	-	udp	-	53
--- a/Shorewall/Macros/macro.A_DropUPnP
+++ b/Shorewall/Macros/macro.A_DropUPnP
@@ -1,14 +0,0 @@
 #
 # Shorewall version 4 - ADropUPnP Macro
 #
 # /usr/share/shorewall/macro.ADropUPnP
 #
 #	This macro silently drops UPnP probes on UDP port 1900
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 COMMENT UPnP
 A_DROP	-	-	udp	1900
--- a/Shorewall/Macros/macro.AllowICMPs
+++ b/Shorewall/Macros/macro.AllowICMPs
@@ -11,6 +11,5 @@
 COMMENT Needed ICMP types
-DEFAULT ACCEPT
+ACCEPT	-	-	icmp	fragmentation-needed
-PARAM	-	-	icmp	fragmentation-needed
+ACCEPT	-	-	icmp	time-exceeded
 PARAM	-	-	icmp	time-exceeded
--- a/Shorewall/Macros/macro.BitTorrent
+++ b/Shorewall/Macros/macro.BitTorrent
@@ -5,7 +5,7 @@
 #
 #	This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier.
 #
-#	If you are running BitTorrent 3.2 or later, you should use the
+#	If you are running BitTorrent 3.2 or later, you should use the 
 #	BitTorrent32 macro.
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
--- a/Shorewall/Macros/macro.DropDNSrep
+++ b/Shorewall/Macros/macro.DropDNSrep
@@ -11,5 +11,4 @@
 COMMENT Late DNS Replies
-DEFAULT DROP
+DROP	-	-	udp	-	53
 PARAM	-	-	udp	-	53
--- a/Shorewall/Macros/macro.DropUPnP
+++ b/Shorewall/Macros/macro.DropUPnP
@@ -11,5 +11,4 @@
 COMMENT UPnP
-DEFAULT DROP
+DROP	-	-	udp	1900
 PARAM	-	-	udp	1900
--- a/Shorewall/Macros/macro.ICPV2
+++ b/Shorewall/Macros/macro.ICPV2
@@ -1,11 +0,0 @@
 #
 # Shorewall version 4 - ICPV2 Macro
 #
 # /usr/share/shorewall/macro.ICPV2
 #
 #	This macro handles Internet Cache Protocol V2 (Squid) traffic
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	3130
--- a/Shorewall/Macros/macro.IPPserver
+++ b/Shorewall/Macros/macro.IPPserver
@@ -15,7 +15,7 @@
 #	Example for a two-interface firewall which acts as a print
 #	server for loc:
 #		IPPserver/ACCEPT loc $FW
-#
+#	
 #	NOTE: If you want both to serve requests for local printers and
 #	listen to requests for remote printers (i.e. your CUPS server is
 #	also a client), you need to apply the rule twice, e.g.
--- a/Shorewall/Macros/macro.JAP
+++ b/Shorewall/Macros/macro.JAP
@@ -13,5 +13,5 @@
 PARAM	-	-	tcp	8080 # HTTP port
 PARAM	-	-	tcp	6544 # HTTP port
 PARAM	-	-	tcp	6543 # InfoService port
-HTTPS(PARAM)
+HTTPS/PARAM
-SSH(PARAM)
+SSH/PARAM
--- a/Shorewall/Macros/macro.Munin
+++ b/Shorewall/Macros/macro.Munin
@@ -1,11 +0,0 @@
 #
 # Shorewall version 4 - Munin Macro
 #
 # /usr/share/shorewall/macro.Munin
 #
 #	This macro handles Munin networked resource monitoring traffic
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	4949
--- a/Shorewall/Macros/macro.Squid
+++ b/Shorewall/Macros/macro.Squid
@@ -1,11 +0,0 @@
 #
 # Shorewall version 4 - Squid Macro
 #
 # /usr/share/shorewall/macro.Squid
 #
 #	This macro handles Squid web proxy traffic
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	3128
--- a/Shorewall/Macros/macro.template
+++ b/Shorewall/Macros/macro.template
@@ -15,7 +15,389 @@
 #	- All entries in a macro undergo substitution when the macro is
 #	  invoked in the rules file.
 #
-# Columns are the same as in /etc/shorewall/rules.
+#	- Macros used in action bodies may not invoke other macros.
 #
 # The columns in the file are the same as those in the action.template file but
 # have different restrictions:
 #
 # Columns are:
 #
 #	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
 #			LOG, QUEUE, PARAM or an <action> name.
 #
 #				ACCEPT	 -- allow the connection request
 #				ACCEPT+	 -- like ACCEPT but also excludes the
 #					    connection from any subsequent
 #					    DNAT[-] or REDIRECT[-] rules
 #				NONAT	 -- Excludes the connection from any
 #					    subsequent DNAT[-] or REDIRECT[-]
 #					    rules but doesn't generate a rule
 #					    to accept the traffic.
 #				DROP	 -- ignore the request
 #				REJECT	 -- disallow the request and return an
 #					    icmp-unreachable or an RST packet.
 #				DNAT	 -- Forward the request to another
 #					    system (and optionally another
 #					    port).
 #				DNAT-	 -- Advanced users only.
 #					    Like DNAT but only generates the
 #					    DNAT iptables rule and not
 #					    the companion ACCEPT rule.
 #				SAME	 -- Similar to DNAT except that the
 #					    port may not be remapped and when
 #					    multiple server addresses are
 #					    listed, all requests from a given
 #					    remote system go to the same
 #					    server.
 #				SAME-	 -- Advanced users only.
 #					    Like SAME but only generates the
 #					    NAT iptables rule and not
 #					    the companion ACCEPT rule.
 #				REDIRECT -- Redirect the request to a local
 #					    port on the firewall.
 #				REDIRECT-
 #					 -- Advanced users only.
 #					    Like REDIRET but only generates the
 #					    REDIRECT iptables rule and not
 #					    the companion ACCEPT rule.
 #
 #				CONTINUE -- (For experts only). Do not process
 #					    any of the following rules for this
 #					    (source zone,destination zone). If
 #					    The source and/or destination IP
 #					    address falls into a zone defined
 #					    later in /etc/shorewall/zones, this
 #					    connection request will be passed
 #					    to the rules defined for that
 #					    (those) zone(s).
 #				LOG	 -- Simply log the packet and continue.
 #				QUEUE	 -- Queue the packet to a user-space
 #					    application such as ftwall
 #					    (http://p2pwall.sf.net).
 #				PARAM	 -- If you code PARAM as the action in
 #					    a macro then when you invoke the
 #					    macro, you can include the name of
 #					    the macro followed by a slash ("/")
 #					    and an ACTION (either builtin or
 #					    user-defined. All instances of
 #					    PARAM in the body of the macro will
 #					    be replaced with the ACTION.
 #				<action> -- The name of an action defined in
 #					    /usr/share/shorewall/actions.std or
 #					    in /etc/shorewall/actions.
 #
 #			The ACTION may optionally be followed
 #			by ":" and a syslog log level (e.g, REJECT:info or
 #			DNAT:debug). This causes the packet to be
 #			logged at the specified level.
 #
 #			You may also specify ULOG (must be in upper case) as a
 #			log level.This will log to the ULOG target for routing
 #			to a separate log through use of ulogd
 #			(http://www.gnumonks.org/projects/ulogd).
 #
 #			Actions specifying logging may be followed by a
 #			log tag (a string of alphanumeric characters)
 #			are appended to the string generated by the
 #			LOGPREFIX (in /etc/shorewall/shorewall.conf).
 #
 #			Example: ACCEPT:info:ftp would include 'ftp '
 #			at the end of the log prefix generated by the
 #			LOGPREFIX setting.
 #
 #	SOURCE		Source hosts to which the rule applies. May be a zone
 #			defined in /etc/shorewall/zones, $FW to indicate the
 #			firewall itself, "all", "all+" or "none" If the ACTION
 #			is DNAT	or REDIRECT, sub-zones of the specified zone
 #			may be excluded from the rule by following the zone
 #			name with "!' and a comma-separated list of sub-zone
 #			names.
 #
 #			When "none" is used either in the SOURCE or DEST
 #			column, the rule is ignored.
 #
 #			When "all" is used either in the SOURCE or DEST column
 #			intra-zone traffic is not affected. When "all+" is
 #			used, intra-zone traffic is affected.
 #
 #			Except when "all[+]" is specified, clients may be
 #			further restricted to a list of subnets and/or hosts by
 #			appending ":" and a comma-separated list of subnets
 #			and/or hosts. Hosts may be specified by IP or MAC
 #			address; mac addresses must begin with "~" and must use
 #			"-" as a separator.
 #
 #			Hosts may be specified as an IP address range using the
 #			syntax <low address>-<high address>. This requires that
 #			your kernel and iptables contain iprange match support.
 #			If you kernel and iptables have ipset match support
 #			then you may give the name of an ipset prefaced by "+".
 #			The ipset name may be optionally followed by a number
 #			from 1 to 6 enclosed in square brackets ([]) to
 #			indicate the number of levels of source bindings to be
 #			matched.
 #
 #			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
 #
 #			net:155.186.235.0/24	Subnet 155.186.235.0/24 on the
 #						Internet
 #
 #			loc:192.168.1.1,192.168.1.2
 #						Hosts 192.168.1.1 and
 #						192.168.1.2 in the local zone.
 #			loc:~00-A0-C9-15-39-78	Host in the local zone with
 #						MAC address 00:A0:C9:15:39:78.
 #
 #			net:192.0.2.11-192.0.2.17
 #						Hosts 192.0.2.11-192.0.2.17 in
 #						the net zone.
 #
 #			Alternatively, clients may be specified by interface
 #			by appending ":" to the zone name followed by the
 #			interface name. For example, loc:eth1 specifies a
 #			client that communicates with the firewall system
 #			through eth1. This may be optionally followed by
 #			another colon (":") and an IP/MAC/subnet address
 #			as described above (e.g., loc:eth1:192.168.1.5).
 #
 #	DEST		Location of Server. May be a zone defined in
 #			/etc/shorewall/zones, $FW to indicate the firewall
 #			itself, "all". "all+" or "none".
 #
 #			When "none" is used either in the SOURCE or DEST
 #			column, the rule is ignored.
 #
 #			When "all" is used either in the SOURCE or DEST column
 #			intra-zone traffic is not affected. When "all+" is
 #			used, intra-zone traffic is affected.
 #
 #			Except when "all[+]" is specified, the server may be
 #			further restricted to a particular subnet, host or
 #			interface by appending ":" and the subnet, host or
 #			interface. See above.
 #
 #				Restrictions:
 #
 #				1. MAC addresses are not allowed.
 #				2. In DNAT rules, only IP addresses are
 #				   allowed; no FQDNs or subnet addresses
 #				   are permitted.
 #				3. You may not specify both an interface and
 #				   an address.
 #
 #			Like in the SOURCE column, you may specify a range of
 #			up to 256 IP addresses using the syntax
 #			<first ip>-<last ip>. When the ACTION is DNAT or DNAT-,
 #			the connections will be assigned to addresses in the
 #			range in a round-robin fashion.
 #
 #			If you kernel and iptables have ipset match support
 #			then you may give the name of an ipset prefaced by "+".
 #			The ipset name may be optionally followed by a number
 #			from 1 to 6 enclosed in square brackets ([]) to
 #			indicate the number of levels of destination bindings
 #			to be matched. Only one of the SOURCE and DEST columns
 #			may specify an ipset name.
 #
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by
 #			":". If omitted, the firewall will not modifiy the
 #			destination port. A destination port may only be
 #			included if the ACTION is DNAT or REDIRECT.
 #
 #			Example: loc:192.168.1.3:3128 specifies a local
 #			server at IP address 192.168.1.3 and listening on port
 #			3128. The port number MUST be specified as an integer
 #			and not as a name from /etc/services.
 #
 #			if the ACTION is REDIRECT, this column needs only to
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
 #	PROTO		Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
 #			"ipp2p", "ipp2p:udp", "ipp2p:all" a number, or "all".
 #                       "ipp2p*" requires ipp2p match support in your kernel
 #                       and iptables.
 #
 #			"tcp:syn" implies "tcp" plus the SYN flag must be
 #			set and the RST,ACK and FIN flags must be reset.
 #
 #	DEST PORT(S)	Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
 #			If the protocol is ipp2p*, this column is interpreted
 #			as an ipp2p option without the leading "--" (example
 #			"bit" for bit-torrent). If no port is given, "ipp2p" is
 #			assumed.
 #
 #			A port range is expressed as <low port>:<high port>.
 #
 #			This column is ignored if PROTOCOL = all but must be
 #			entered if any of the following ields are supplied.
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
 #			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
 #			this list and the CLIENT PORT(S) list below:
 #			1. There are 15 or less ports listed.
 #			2. No port ranges are included.
 #			Otherwise, a separate rule will be generated for each
 #			port.
 #
 #	SOURCE PORT(S)	(Optional) Port(s) used by the client. If omitted,
 #			any source port is acceptable. Specified as a comma-
 #			separated list of port names, port numbers or port
 #			ranges.
 #
 #			If you don't want to restrict client ports but need to
 #			specify an ORIGINAL DEST in the next column, then
 #			place "-" in this column.
 #
 #			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
 #			this list and the DEST PORT(S) list above:
 #			1. There are 15 or less ports listed.
 #			2. No port ranges are included.
 #			Otherwise, a separate rule will be generated for each
 #			port.
 #
 #       ORIGINAL        Original destination IP address. Must be omitted (
 #       DEST            or '-') if the macro is to be used from within
 #                       an action. See 'man shorewall-rules'.
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in
 #			this column:
 #
 #				<rate>/<interval>[:<burst>]
 #
 #			where <rate> is the number of connections per
 #			<interval> ("sec" or "min") and <burst> is the
 #			largest burst permitted. If no <burst> is given,
 #			a value of 5 is assumed. There may be no
 #			no whitespace embedded in the specification.
 #
 #				Example: 10/sec:20
 #
 #	USER/GROUP	This column may only be non-empty if the SOURCE is
 #			the firewall itself.
 #
 #			The column may contain:
 #
 #	[!][<user name or number>][:<group name or number>][+<program name>]
 #
 #			When this column is non-empty, the rule applies only
 #			if the program generating the output is running under
 #			the effective <user> and/or <group> specified (or is
 #			NOT running under that id if "!" is given).
 #
 #			Examples:
 #
 #				joe	#program must be run by joe
 #				:kids	#program must be run by a member of
 #					#the 'kids' group
 #				!:kids	#program must not be run by a member
 #					#of the 'kids' group
 #				+upnpd	#program named upnpd (This feature was
 #					#removed from Netfilter in kernel
 #					#version 2.6.14).
 #
 #	MARK		Specifies a MARK value to match. Must be empty or 
 #			'-' if the macro is to be used within an action.
 #			
 #				[!]value[/mask][:C]
 #
 #    			Defines a test on the existing packet or connection
 #			mark. The rule will match only if the test returns
 #			true.
 #
 #    			If you don't want to define a test but need to
 #			specify anything in the following columns,
 #			place a "-" in this field.
 #
 #    			!
 #
 #				Inverts the test (not equal)
 #
 #    			value
 #
 #				Value of the packet or connection mark.
 #
 #  			mask
 #
 #				A mask to be applied to the mark before
 #				testing.
 #
 #    			:C
 #
 #				Designates a connection mark. If omitted, the
 #				packet mark's value is tested.
 #
 #	CONNLIMIT	Must be empty or '-' if the macro is to be used within
 #			an action.
 #
 #				[!]limit[:mask]
 #
 #			May be used to limit the number of simultaneous
 #			connections from each individual host to limit 
 #			connections. Requires connlimit match in your kernel
 #			and iptables. While the limit is only checked on rules
 #			specifying CONNLIMIT, the number of current connections
 #			is calculated over all current connections from the
 #			SOURCE host. By default, the limit is applied to each
 #			host but can be made to apply to networks of hosts by
 #			specifying a mask. The mask specifies the width of a
 #			VLSM mask to be applied to the source address; the
 #			number of current connections is then taken over all
 #			hosts in the subnet source-address/mask. When ! is
 #			specified, the rule matches when the number of
 #			connection exceeds the limit.
 #
 #	TIME		Must be empty or '-' if the macro is to be used within
 #			an action.
 #
 #
 #				<timeelement>[&...]
 #
 #			timeelement may be:
 #
 #    				timestart=hh:mm[:ss]
 #
 #					Defines the starting time of day.
 #
 #    				timestop=hh:mm[:ss]
 #
 #					Defines the ending time of day.
 #
 #    				utc
 #
 #					Times are expressed in Greenwich Mean
 #					Time.
 #
 #    				localtz
 #
 #					Times are expressed in Local Civil Time
 #					(default).
 #
 #    				weekdays=ddd[,ddd]...
 #
 #					where ddd is one of Mon, Tue, Wed, Thu,
 #					Fri, Sat or Sun
 #
 #    				monthdays=dd[,dd],...
 #
 #					where dd is an ordinal day of the month#
 #
 #    				datestart=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
 #
 #					Defines the starting date and time.
 #
 #    				datestop=yyyy[-mm[-dd[Thh[:mm[:ss]]]]]
 #
 #					Defines the ending date and time.
 #
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:
@@ -74,6 +456,6 @@
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
 FORMAT 2
-####################################################################################################################################################################
+#######################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+#ACTION		SOURCE		DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/	ORIGINAL
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#						PORT(S)	PORT(S)	DEST		LIMIT	GROUP   DEST
--- a/Shorewall/Perl/.includepath
+++ b/Shorewall/Perl/.includepath
@@ -1,3 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <includepath />
--- a/Shorewall/Perl/.project
+++ b/Shorewall/Perl/.project
@@ -1,17 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <projectDescription>
 	<name>Shorewall</name>
 	<comment></comment>
 	<projects>
 	</projects>
 	<buildSpec>
 		<buildCommand>
 			<name>org.epic.perleditor.perlbuilder</name>
 			<arguments>
 			</arguments>
 		</buildCommand>
 	</buildSpec>
 	<natures>
 		<nature>org.epic.perleditor.perlnature</nature>
 	</natures>
 </projectDescription>
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,101 +35,14 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_accounting );
 our @EXPORT_OK = qw( );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4.13';
 #
 # Per-IP accounting tables. Each entry contains the associated network.
 #
 my %tables;
 my $jumpchainref;
 my %accountingjumps;
 my $asection;
 my $defaultchain;
 my $defaultrestriction;
 my $restriction;
 my $accounting_commands = { COMMENT => 0, SECTION => 2 };
 my $sectionname;
 my $acctable;
 #
 # Sections in the Accounting File
 #
 use constant {
 	      LEGACY      => 0,
 	      PREROUTING  => 1,
 	      INPUT       => 2,
 	      OUTPUT      => 3,
 	      FORWARD     => 4,
 	      POSTROUTING => 5
 	  };
 #
 # Map names to values
 #
 our %asections = ( PREROUTING  => PREROUTING,
 		   INPUT       => INPUT,
 		   FORWARD     => FORWARD,
 		   OUTPUT      => OUTPUT,
 		   POSTROUTING => POSTROUTING
 		 );
 #
 # Called by the compiler to [re-]initialize this module's state
 #
 sub initialize() {
-    $jumpchainref       = undef;
+    our $jumpchainref;
-    %tables             = ();
+    $jumpchainref = undef;
    %accountingjumps    = ();
    #
    # The section number is initialized to a value less thatn LEGACY. It will be set to LEGACY if a
    # the first non-commentary line in the accounting file isn't a section header
    #
    # This allows the section header processor to quickly check for correct order 
    #
    $asection           = -1;
    #
    # These are the legacy values
    #
    $defaultchain       = 'accounting';
    $defaultrestriction = NO_RESTRICT;
    $sectionname        = '';
 }
 #
 # Process a SECTION header
 #
 sub process_section ($) {
    $sectionname = shift;
    my $newsect  = $asections{$sectionname};
    #
    # read_a_line has already verified that there are exactly two tokens on the line
    #
    fatal_error "Invalid SECTION ($sectionname)"                   unless defined $newsect;
    fatal_error "SECTION not allowed after un-sectioned rules"     unless $asection;
    fatal_error "Duplicate or out-of-order SECTION ($sectionname)" if     $newsect <= $asection;
    if ( $sectionname eq 'INPUT' ) {
 	$defaultchain = 'accountin';
 	$defaultrestriction = INPUT_RESTRICT;
    } elsif ( $sectionname eq 'OUTPUT' ) {
 	$defaultchain = 'accountout';
 	$defaultrestriction = OUTPUT_RESTRICT;
    } elsif ( $sectionname eq 'FORWARD' ) {
 	$defaultchain = 'accountfwd';
 	$defaultrestriction = NO_RESTRICT;
     } else {
 	 fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle';
 	 if ( $sectionname eq 'PREROUTING' ) {
 	     $defaultchain = 'accountpre';
 	     $defaultrestriction = PREROUTE_RESTRICT;
 	 } else {
 	     $defaultchain = 'accountpost';
 	     $defaultrestriction = POSTROUTE_RESTRICT;
 	 }
     }
    $asection = $newsect;
 }
 #
@@ -137,31 +50,19 @@ sub process_section ($) {
 #
 sub process_accounting_rule( ) {
-    $acctable = $config{ACCOUNTING_TABLE};
+    our $jumpchainref;
-    $jumpchainref = 0;
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec ) = split_line1 1, 10, 'Accounting File';
    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
 	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
    fatal_error 'ACTION must be specified' if $action eq '-';
    if ( $action eq 'COMMENT' ) {
 	process_comment;
 	return 0;
    }
    if ( $action eq 'SECTION' ) {
 	process_section( $chain );
 	return 0;
    }
    $asection = LEGACY if $asection < 0;
    our $disposition = '';
    sub reserved_chain_name($) {
-	$_[0] =~ /^acc(?:ount(?:fwd|in|ing|out|pre|post)|ipsecin|ipsecout)$/;
+	$_[0] =~ /^acc(?:ount(?:ing|out)|ipsecin|ipsecout)$/;
    }
    sub ipsec_chain_name($) {
@@ -182,7 +83,7 @@ sub process_accounting_rule( ) {
    sub jump_to_chain( $ ) {
 	my $jumpchain = $_[0];
 	fatal_error "Jumps to the $jumpchain chain are not allowed" if reserved_chain_name( $jumpchain );
-	$jumpchainref = ensure_accounting_chain( $jumpchain, 0, $defaultrestriction );
+	$jumpchainref = ensure_accounting_chain( $jumpchain, 0 );
 	check_chain( $jumpchainref );
 	$disposition = $jumpchain;
 	$jumpchain;
@@ -194,44 +95,15 @@ sub process_accounting_rule( ) {
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';
-    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT; 
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} );
    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
    my $rule2 = 0;
    my $jump  = 0;
-
+    
    unless ( $action eq 'COUNT' ) {
 	if ( $action eq 'DONE' ) {
 	    $target = 'RETURN';
 	} elsif ( $action =~ /^ACCOUNT\(/ ) {
 	    if ( $action =~ /^ACCOUNT\((.+)\)$/ ) {
 		require_capability 'ACCOUNT_TARGET' , 'ACCOUNT Rules' , '';
 		my ( $table, $net, $rest ) = split/,/, $1;
 		fatal_error "Invalid Network Address (${net},${rest})" if defined $rest;
 		fatal_error "Missing Table Name"                       unless supplied $table;
 		fatal_error "Invalid Table Name ($table)"              unless $table =~ /^([-\w.]+)$/;
 		fatal_error "Missing Network Address"                  unless defined $net;
 		fatal_error "Invalid Network Address ($net)"           unless defined $net   && $net =~ '/(\d+)$';
 		fatal_error "Netmask ($1) out of range"                unless $1 >= 8;
 		validate_net $net, 0;
 		my $prevnet = $tables{$table};
 		if ( $prevnet ) {
 		    fatal_error "Previous net associated with $table ($prevnet) does not match this one ($net)" unless compare_nets( $net , $prevnet );
 		} else {
 		    $tables{$table} = $net;
 		}
 		$target = "ACCOUNT --addr $net --tname $table";
 	    } else {
 		fatal_error "Invalid ACCOUNT Action";
 	    }
 	} elsif ( $action =~ /^NFLOG/ ) {
 	    $target = validate_level $action;
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
 	    if ( $cmd ) {
 		if ( $cmd eq 'COUNT' ) {
 		    $rule2 = 1;
@@ -246,15 +118,11 @@ sub process_accounting_rule( ) {
 	}
    }
-    $restriction = $defaultrestriction;
+    my $restriction = NO_RESTRICT;
-    if ( $source eq 'any' || $source eq 'all' ) {
+    $source = ALLIP if $source eq 'any' || $source eq 'all';
        $source = ALLIP;
    } else { 
 	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
    }
-    if ( have_bridges && ! $asection ) {
+    if ( have_bridges ) {
 	my $fw = firewall_zone;
 	if ( $source =~ /^$fw:?(.*)$/ ) {
@@ -264,10 +132,9 @@ sub process_accounting_rule( ) {
 	    $dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
 	} else {
 	    $chain = 'accounting' unless $chain and $chain ne '-';
 	    if ( $dest eq 'any' || $dest eq 'all' || $dest eq ALLIP ) {
 		expand_rule(
-			    ensure_rules_chain ( 'accountout' ) ,
+			    ensure_filter_chain( 'accountout' , 0 ) ,
 			    OUTPUT_RESTRICT ,
 			    $rule ,
 			    $source ,
@@ -280,23 +147,15 @@ sub process_accounting_rule( ) {
 	    }
 	}
    } else {
-	$chain = $defaultchain unless $chain and $chain ne '-';
+	$chain = 'accounting' unless $chain and $chain ne '-';
 	$dest = ALLIP if $dest   eq 'any' || $dest   eq 'all';
    }
-    my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain};
+    my $chainref = $filter_table->{$chain};
    my $dir;
    if ( ! $chainref ) {
-	if ( reserved_chain_name( $chain ) ) {
+	$chainref = ensure_accounting_chain $chain, 0;
 	    fatal_error "May not use chain $chain in the $sectionname section" if $asection && $chain ne $defaultchain; 
 	    $chainref = ensure_accounting_chain $chain, 0 , $restriction;
 	} elsif ( $asection ) {
 	    fatal_error "Unknown accounting chain ($chain)";
 	} else {
 	    $chainref = ensure_accounting_chain $chain, 0 , $restriction;
 	}
 	$dir      = ipsec_chain_name( $chain );
 	if ( $ipsec ne '-' ) {
@@ -307,38 +166,15 @@ sub process_accounting_rule( ) {
 		fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
 	    }
 	} else {
-	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
+	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );	    
 	    $chainref->{ipsec} = $dir;
 	}
-    } else {
+    } elsif ( $ipsec ne '-' ) {
-	fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
+	$dir = $chainref->{ipsec};
-    
+	fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
-	if ( $ipsec ne '-' ) {
+	$rule .= do_ipsec( $dir , $ipsec );
 	    $dir = $chainref->{ipsec};
 	    fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
 	    $rule .= do_ipsec( $dir , $ipsec );
 	} elsif ( $asection ) {
 	    $restriction |= $chainref->{restriction};
 	}
    }
    dont_optimize( $chainref ) if $target eq 'RETURN';
    if ( $jumpchainref ) {
 	if ( $asection ) {
 	    #
 	    # Check the jump-to chain to be sure that it doesn't contain rules that are incompatible with this section
 	    #
 	    my $jumprestricted = $jumpchainref->{restricted};
 	    fatal_error "Chain $jumpchainref->{name} contains rules that are incompatible with the $sectionname section" if $jumprestricted && $restriction && $jumprestricted ne $restriction;
 	    $restriction |= $jumpchainref->{restriction};
 	}
 	$accountingjumps{$jumpchainref->{name}}{$chain} = 1;
    }
    fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
    $restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;
    expand_rule
@@ -388,96 +224,48 @@ sub process_accounting_rule( ) {
 sub setup_accounting() {
-    if ( my $fn = open_file 'accounting' ) {
+    my $fn = open_file 'accounting';
-	first_entry "$doing $fn...";
+    first_entry "$doing $fn...";
-	my $nonEmpty = 0;
+    my $nonEmpty = 0;
-	$nonEmpty |= process_accounting_rule while read_a_line;
+    $nonEmpty |= process_accounting_rule while read_a_line;
-	clear_comment;
+    clear_comment;
-	if ( $nonEmpty ) {
+    if ( have_bridges ) {
-	    my $tableref = $chain_table{$acctable};
+	if ( $filter_table->{accounting} ) {
-
+	    for my $chain ( qw/INPUT FORWARD/ ) {
-	    if ( have_bridges || $asection ) {
+		add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 		if ( $tableref->{accountin} ) {
 		    insert_ijump( $tableref->{INPUT}, j => 'accountin', 0 );
 		}
 		if ( $tableref->{accounting} ) {
 		    dont_optimize( 'accounting' );
 		    for my $chain ( qw/INPUT FORWARD/ ) {
 			insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		    }
 		}
 		if ( $tableref->{accountfwd} ) {
 		    insert_ijump( $tableref->{FORWARD}, j => 'accountfwd', 0 );
 		}
 		if ( $tableref->{accountout} ) {
 		    insert_ijump( $tableref->{OUTPUT}, j => 'accountout', 0 );
 		}
 		if ( $tableref->{accountpre} ) {
 		    insert_ijump( $tableref->{PREROUTING}, j => 'accountpre' , 0 );
 		}
 		if ( $tableref->{accountpost} ) {
 		    insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 );
 		}
 	    } elsif ( $tableref->{accounting} ) {
 		dont_optimize( 'accounting' );
 		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
 		    insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		}
 	    }
 	    if ( $tableref->{accipsecin} ) {
 		for my $chain ( qw/INPUT FORWARD/ ) {
 		    insert_ijump( $tableref->{$chain}, j => 'accipsecin', 0 );
 		}
 	    }
 	    if ( $tableref->{accipsecout} ) {
 		for my $chain ( qw/FORWARD OUTPUT/ ) {
 		    insert_ijump( $tableref->{$chain}, j => 'accipsecout', 0 );
 		}
 	    }
 	    unless ( $asection ) {
 		for ( accounting_chainrefs ) {
 		    warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
 		}
 	    }
 	    if ( my $chainswithjumps = keys %accountingjumps ) {
 		my $progress = 1;
 		while ( $chainswithjumps && $progress ) {
 		    $progress = 0;
 		    for my $chain1 (  keys %accountingjumps ) {
 			if ( keys %{$accountingjumps{$chain1}} ) {
 			    for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
 				delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};
 			    }
 			} else {
 			    delete $accountingjumps{$chain1};
 			    $chainswithjumps--;
 			    $progress = 1;
 			}
 		    }
 		}
 		if ( $chainswithjumps ) {
 		    my @chainswithjumps = keys %accountingjumps;
 		    fatal_error "Jump loop involving the following chains: @chainswithjumps";
 		}
 	    }
 	}
 	if ( $filter_table->{accountout} ) {
 	    add_jump( $filter_table->{OUTPUT}, 'accountout', 0, '', 0, 0 );
 	}
    } elsif ( $filter_table->{accounting} ) {
 	for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
 	    add_jump( $filter_table->{$chain}, 'accounting', 0, '', 0, 0 );
 	}
    }
    if ( $filter_table->{accipsecin} ) {
 	for my $chain ( qw/INPUT FORWARD/ ) {
 	    add_jump( $filter_table->{$chain}, 'accipsecin', 0,  '', 0, 0 );
 	}
    }
    if ( $filter_table->{accipsecout} ) {
 	for my $chain ( qw/FORWARD OUTPUT/ ) {
 	    add_jump( $filter_table->{$chain}, 'accipsecout', 0, '', 0, 0 );
 	}
    }
    for ( accounting_chainrefs ) {
 	warning_message "Accounting chain $_->{name} has no references" unless keys %{$_->{references}};
    }
 }
 1;
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -0,0 +1,964 @@
 #
 # Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Actions.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #   This module contains the code for dealing with actions (built-in,
 #   standard and user-defined) and Macros.
 #
 package Shorewall::Actions;
 require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( merge_levels
 		  isolate_basic_target
 		  get_target_param
 		  add_requiredby
 		  createactionchain
 		  find_logactionchain
 		  process_actions1
 		  process_actions2
 		  process_actions3
 		  find_macro
 		  split_action
 		  substitute_param
 		  merge_macro_source_dest
 		  merge_macro_column
 		  map_old_actions
 		  %usedactions
 		  %default_actions
 		  %actions
 		  %macros
 		  $macro_commands
 		  );
 our @EXPORT_OK = qw( initialize );
 our $VERSION = '4.4_13';
 #
 #  Used Actions. Each action that is actually used has an entry with value 1.
 #
 our %usedactions;
 #
 # Default actions for each policy.
 #
 our %default_actions;
 #  Action Table
 #
 #     %actions{ <action1> =>  { requires => { <requisite1> = 1,
 #                                             <requisite2> = 1,
 #                                             ...
 #                                           } ,
 #                               actchain => <action chain number> # Used for generating unique chain names for each <level>:<tag> pair.
 #
 our %actions;
 #
 # Contains an entry for each used <action>:<level>[:<tag>] that maps to the associated chain.
 #
 our %logactionchains;
 our %macros;
 our $family;
 our @builtins;
 #
 # Commands that can be embedded in a macro file and how many total tokens on the line (0 => unlimited).
 #
 our $macro_commands = { COMMENT => 0, FORMAT => 2 };
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
 #
 #   1. Proper initialization depends on the address family which isn't
 #      known until the compiler has started.
 #
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
 sub initialize( $ ) {
    $family          = shift;
    %usedactions     = ();
    %default_actions = ( DROP     => 'none' ,
 			 REJECT   => 'none' ,
 			 ACCEPT   => 'none' ,
 			 QUEUE    => 'none' );
    %actions         = ();
    %logactionchains = ();
    %macros          = ();
    if ( $family == F_IPV4 ) {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
    } else {
 	@builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
    }
 }
 #
 # This function determines the logging for a subordinate action or a rule within a superior action
 #
 sub merge_levels ($$) {
    my ( $superior, $subordinate ) = @_;
    my @supparts = split /:/, $superior;
    my @subparts = split /:/, $subordinate;
    my $subparts = @subparts;
    my $target   = $subparts[0];
    push @subparts, '' while @subparts < 3;   #Avoid undefined values
    my $level = $supparts[1];
    my $tag   = $supparts[2];
    if ( @supparts == 3 ) {
 	return "$target:none!:$tag"   if $level eq 'none!';
 	return "$target:$level:$tag"  if $level =~ /!$/;
 	return $subordinate           if $subparts >= 2;
 	return "$target:$level:$tag";
    }
    if ( @supparts == 2 ) {
 	return "$target:none!"        if $level eq 'none!';
 	return "$target:$level"       if ($level =~ /!$/) || ($subparts < 2);
    }
    $subordinate;
 }
 #
 # Try to find a macro file -- RETURNS false if the file doesn't exist or MACRO if it does.
 # If the file exists, the macro is entered into the 'targets' table and the fully-qualified
 # name of the file is stored in the 'macro' table.
 #
 sub find_macro( $ )
 {
    my $macro = $_[0];
    my $macrofile = find_file "macro.$macro";
    if ( -f $macrofile ) {
 	$macros{$macro} = $macrofile;
 	$targets{$macro} = MACRO;
    } else {
 	0;
    }
 }
 #
 # Return ( action, level[:tag] ) from passed full action
 #
 sub split_action ( $ ) {
    my $action = $_[0];
    my $target = '';
    my $max    = 3;
    #
    # The following rather grim RE, when matched, breaks the action into two parts:
    #
    #    basicaction(param)
    #    logging part (may be empty)
    #
    # The param may contain one or more ':' characters
    #
    if ( $action =~ /^([^(:]+\(.*?\))(:(.*))?$/ ) {
 	$target = $1;
 	$action = $2 ? $3 : '';
 	$max    = 2;
    }
    my @a = split( /:/ , $action, 4 );
    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
    $target = shift @a unless $target;
    ( $target, join ":", @a );
 }
 #
 # This function substitutes the second argument for the first part of the first argument up to the first colon (":")
 #
 # Example:
 #
 #         substitute_param DNAT PARAM:info:FTP
 #
 #         produces "DNAT:info:FTP"
 #
 sub substitute_param( $$ ) {
    my ( $param, $action ) = @_;
    if ( $action =~ /:/ ) {
 	my $logpart = (split_action $action)[1];
 	$logpart =~ s!/$!!;
 	return "$param:$logpart";
    }
    $param;
 }
 #
 # Combine fields from a macro body with one from the macro invocation
 #
 sub merge_macro_source_dest( $$ ) {
    my ( $body, $invocation ) = @_;
    if ( $invocation ) {
 	if ( $body ) {
 	    return $body if $invocation eq '-';
 	    return "$body:$invocation" if $invocation =~ /.*?\.*?\.|^\+|^!+|^~|^!~|~<|~\[/;
 	    return "$invocation:$body";
 	}
 	return $invocation;
    }
    $body || '';
 }
 sub merge_macro_column( $$ ) {
    my ( $body, $invocation ) = @_;
    if ( defined $invocation && $invocation ne '' && $invocation ne '-' ) {
 	$invocation;
    } else {
 	$body;
    }
 }
 #
 # Get Macro Name -- strips away trailing /*, :* and (*) from the first column in a rule, macro or action.
 #
 sub isolate_basic_target( $ ) {
    my $target = ( split '[/:]', $_[0])[0];
    $target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
 }
 #
 # Split the passed target into the basic target and parameter
 #
 sub get_target_param( $ ) {
    my ( $target, $param ) = split '/', $_[0];
    unless ( defined $param ) {
 	( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/;
    }
    ( $target, $param );
 }
 #
 # Define an Action
 #
 sub new_action( $ ) {
    my $action = $_[0];
    $actions{$action} = { actchain => '', requires => {} };
 }
 #
 # Record a 'requires' relationship between a pair of actions.
 #
 sub add_requiredby ( $$ ) {
    my ($requiredby , $requires ) = @_;
    $actions{$requires}{requires}{$requiredby} = 1;
 }
 #
 # Map pre-3.0 actions to the corresponding Macro invocation
 #
 sub find_old_action ( $$$ ) {
    my ( $target, $macro, $param ) = @_;
    if ( my $actiontype = find_macro( $macro ) ) {
 	( $macro, $actiontype , $param );
    } else {
 	( $target, 0, '' );
    }
 }
 sub map_old_actions( $ ) {
    my $target = shift;
    if ( $target =~ /^Allow(.*)$/ ) {
 	find_old_action( $target, $1, 'ACCEPT' );
    } elsif ( $target =~ /^Drop(.*)$/ ) {
 	find_old_action( $target, $1, 'DROP' );
    } elsif ( $target = /^Reject(.*)$/ ) {
 	find_old_action( $target, $1, 'REJECT' );
    } else {
 	( $target, 0, '' );
    }
 }
 #
 # Create and record a log action chain -- Log action chains have names
 # that are formed from the action name by prepending a "%" and appending
 # a 1- or 2-digit sequence number. In the functions that follow,
 # the $chain, $level and $tag variable serves as arguments to the user's
 # exit. We call the exit corresponding to the name of the action but we
 # set $chain to the name of the iptables chain where rules are to be added.
 # Similarly, $level and $tag contain the log level and log tag respectively.
 #
 # The maximum length of a chain name is 30 characters -- since the log
 # action chain name is 2-3 characters longer than the base chain name,
 # this function truncates the original chain name where necessary before
 # it adds the leading "%" and trailing sequence number.
 #
 sub createlogactionchain( $$ ) {
    my ( $action, $level ) = @_;
    my $chain = $action;
    my $actionref = $actions{$action};
    my $chainref;
    my ($lev, $tag) = split ':', $level;
    validate_level $lev;
    $actionref = new_action $action unless $actionref;
    $chain = substr $chain, 0, 28 if ( length $chain ) > 28;
  CHECKDUP:
    {
 	$actionref->{actchain}++ while $chain_table{filter}{'%' . $chain . $actionref->{actchain}};
 	$chain = substr( $chain, 0, 27 ), redo CHECKDUP if ( $actionref->{actchain} || 0 ) >= 10 and length $chain == 28;
    }
    $logactionchains{"$action:$level"} = $chainref = new_standard_chain '%' . $chain . $actionref->{actchain}++;
    fatal_error "Too many invocations of Action $action" if $actionref->{actchain} > 99;
    unless ( $targets{$action} & BUILTIN ) {
 	dont_optimize $chainref;
 	my $file = find_file $chain;
 	if ( -f $file ) {
 	    progress_message "Processing $file...";
 	    ( $level, my $tag ) = split /:/, $level;
 	    $tag = $tag || '';
 	    unless ( my $return = eval `cat $file` ) {
 		fatal_error "Couldn't parse $file: $@" if $@;
 		fatal_error "Couldn't do $file: $!"    unless defined $return;
 		fatal_error "Couldn't run $file"       unless $return;
 	    }
 	}
    }
 }
 sub createsimpleactionchain( $ ) {
    my $action  = shift;
    my $chainref = new_standard_chain $action;
    $logactionchains{"$action:none"} = $chainref;
    unless ( $targets{$action} & BUILTIN ) {
 	dont_optimize $chainref;
 	my $file = find_file $action;
 	if ( -f $file ) {
 	    progress_message "Processing $file...";
 	    my ( $level, $tag ) = ( '', '' );
 	    unless ( my $return = eval `cat $file` ) {
 		fatal_error "Couldn't parse $file: $@" if $@;
 		fatal_error "Couldn't do $file: $!"    unless defined $return;
 		fatal_error "Couldn't run $file"       unless $return;
 	    }
 	}
    }
 }
 #
 # Create an action chain and run its associated user exit
 #
 sub createactionchain( $ ) {
    my ( $action , $level ) = split_action $_[0];
    my $chainref;
    if ( defined $level && $level ne '' ) {
 	if ( $level eq 'none' ) {
 	    createsimpleactionchain $action;
 	} else {
 	    createlogactionchain $action , $level;
 	}
    } else {
 	createsimpleactionchain $action;
    }
 }
 #
 # Find the chain that handles the passed action. If the chain cannot be found,
 # a fatal error is generated and the function does not return.
 #
 sub find_logactionchain( $ ) {
    my $fullaction = $_[0];
    my ( $action, $level ) = split_action $fullaction;
    $level = 'none' unless $level;
    fatal_error "Fatal error in find_logactionchain" unless $logactionchains{"$action:$level"};
 }
 #
 # Scans a macro file invoked from an action file ensuring that all targets mentioned in the file are known and that none are actions.
 #
 sub process_macro1 ( $$ ) {
    my ( $action, $macrofile ) = @_;
    progress_message "   ..Expanding Macro $macrofile...";
    push_open( $macrofile );
    while ( read_a_line ) {
 	my ( $mtarget, $msource,  $mdest,  $mproto,  $mports,  $msports, $morigdest, $mrate, $muser ) = split_line1 1, 9, 'macro file', $macro_commands;
 	next if $mtarget eq 'COMMENT' || $mtarget eq 'FORMAT';
 	$mtarget =~ s/:.*$//;
 	$mtarget = (split '/' , $mtarget)[0];
 	my $targettype = $targets{$mtarget};
 	$targettype = 0 unless defined $targettype;
 	fatal_error "Invalid target ($mtarget)"
 	    unless ( $targettype == STANDARD ) || ( $mtarget eq 'PARAM' ) || ( $targettype & ( LOGRULE | NFQ | CHAIN ) );
    }
    progress_message "   ..End Macro $macrofile";
    pop_open;
 }
 #
 # The functions process_actions1-3() implement the three phases of action processing.
 #
 # The first phase (process_actions1) occurs before the rules file is processed. The builtin-actions are added
 # to the target table (%Shorewall::Chains::targets) and actions table, then ${SHAREDIR}/actions.std and
 # ${CONFDIR}/actions are scanned (in that order). For each action:
 #
 #      a) The related action definition file is located and scanned.
 #      b) Forward and unresolved action references are trapped as errors.
 #      c) A dependency graph is created using the 'requires' field in the 'actions' table.
 #
 # As the rules file is scanned, each action[:level[:tag]] is merged onto the 'usedactions' hash. When an <action>
 # is merged into the hash, its action chain is created. Where logging is specified, a chain with the name
 # %<action>n is used where the <action> name is truncated on the right where necessary to ensure that the total
 # length of the chain name does not exceed 30 characters.
 #
 # The second phase (process_actions2) occurs after the rules file is scanned. The transitive closure of
 # %usedactions is generated; again, as new actions are merged into the hash, their action chains are created.
 #
 # The final phase (process_actions3) traverses the keys of %usedactions populating each chain appropriately
 # by reading the related action definition file and creating rules. Note that a given action definition file is
 # processed once for each unique [:level[:tag]] applied to an invocation of the action.
 #
 sub process_action1 ( $$ ) {
    my ( $action, $wholetarget ) = @_;
    my ( $target, $level ) = split_action $wholetarget;
    $level = 'none' unless $level;
    my $targettype = $targets{$target};
    if ( defined $targettype ) {
 	return if ( $targettype == STANDARD ) || ( $targettype & ( MACRO | LOGRULE |  NFQ | CHAIN ) );
 	fatal_error "Invalid TARGET ($target)" if $targettype & STANDARD;
 	fatal_error "An action may not invoke itself" if $target eq $action;
 	add_requiredby $wholetarget, $action if $targettype & ACTION;
    } elsif ( $target eq 'COMMENT' ) {
 	fatal_error "Invalid TARGET ($wholetarget)" unless $wholetarget eq $target;
    } else {
 	( $target, my $param ) = get_target_param $target;
 	return if $target eq 'NFQUEUE';
 	if ( defined $param ) {
 	    my $paramtype = $targets{$param} || 0;
 	    fatal_error "Parameter value not allowed in action files ($param)" if $paramtype & NATRULE;
 	}
 	fatal_error "Invalid or missing ACTION ($wholetarget)" unless defined $target;
 	if ( find_macro $target ) {
 	    process_macro1( $action, $macros{$target} );
 	} else {
 	    fatal_error "Invalid TARGET ($target)";
 	}
    }
 }
 sub process_actions1() {
    progress_message2 "Preprocessing Action Files...";
    #
    # Add built-in actions to the target table and create those actions
    #
    $targets{$_} = ACTION + BUILTIN, new_action( $_ ) for @builtins;
    for my $file ( qw/actions.std actions/ ) {
 	open_file $file;
 	while ( read_a_line ) {
 	    my ( $action ) = split_line 1, 1, 'action file';
 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
 		$action =~ s/:.*$//;
 	    }
 	    next unless $action;
 	    if ( $targets{$action} ) {
 		warning_message "Duplicate Action Name ($action) Ignored" unless $targets{$action} & ACTION;
 		next;
 	    }
 	    $targets{$action} = ACTION;
 	    fatal_error "Invalid Action Name ($action)" unless "\L$action" =~ /^[a-z]\w*$/;
 	    new_action $action;
 	    my $actionfile = find_file "action.$action";
 	    fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
 	    progress_message2 "   Pre-processing $actionfile...";
 	    push_open( $actionfile );
 	    while ( read_a_line ) {
 		my ($wholetarget, $source, $dest, $proto, $ports, $sports, $rate, $users, $mark ) = split_line 1, 9, 'action file';
 		process_action1( $action, $wholetarget );
 	    }
 	    pop_open;
 	}
    }
 }
 sub process_actions2 () {
    progress_message2 'Generating Transitive Closure of Used-action List...';
    my $changed = 1;
    while ( $changed ) {
 	$changed = 0;
 	for my $target (keys %usedactions) {
 	    my ($action, $level) = split_action $target;
 	    my $actionref = $actions{$action};
 	    assert( $actionref );
 	    for my $action1 ( keys %{$actionref->{requires}} ) {
 		my $action2 = merge_levels $target, $action1;
 		unless ( $usedactions{ $action2 } ) {
 		    $usedactions{ $action2 } = 1;
 		    createactionchain $action2;
 		    $changed = 1;
 		}
 	    }
 	}
    }
 }
 #
 # This function is called to process each rule generated from an action file.
 #
 sub process_action( $$$$$$$$$$$ ) {
    my ($chainref, $actionname, $target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
    my ( $action , $level ) = split_action $target;
    if ( $action eq 'REJECT' ) {
 	$action = 'reject';
    } elsif ( $action eq 'CONTINUE' ) {
 	$action = 'RETURN';
    } elsif ( $action =~ /^NFQUEUE/ ) {
 	( $action, my $param ) = get_target_param $action;
 	$param = 1 unless defined $param;
 	$action = "NFQUEUE --queue-num $param";
    } elsif ( $action eq 'COUNT' ) {
 	$action = '';
    }
    expand_rule ( $chainref ,
 		  NO_RESTRICT ,
 		  do_proto( $proto, $ports, $sports ) . do_ratelimit( $rate, $action ) . do_user $user . do_test( $mark, $globals{TC_MASK} ) ,
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
 		  $action ,
 		  $level ,
 		  $action ,
 		  '' );
 }
 #
 # Expand Macro in action files.
 #
 sub process_macro3( $$$$$$$$$$$$ ) {
    my ( $macro, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = @_;
    my $nocomment = no_comment;
    my $format = 1;
    macro_comment $macro;
    my $fn = $macros{$macro};
    progress_message "..Expanding Macro $fn...";
    push_open $fn;
    while ( read_a_line ) {
 	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark );
 	if ( $format == 1 ) {
 	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 1, 8, 'macro file', $macro_commands;
 	    $morigdest = '-';
 	    $mmark     = '-';
 	} else {
 	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark ) = split_line1 1, 10, 'macro file', $macro_commands;
 	}
 	if ( $mtarget eq 'COMMENT' ) {
 	    process_comment unless $nocomment;
 	    next;
 	}
 	if ( $mtarget eq 'FORMAT' ) {
 	    fatal_error "Invalid FORMAT ($msource)" unless $msource =~ /^[12]$/;
 	    $format = $msource;
 	    next;
 	}
 	if ( $mtarget =~ /^PARAM:?/ ) {
 	    fatal_error 'PARAM requires that a parameter be supplied in macro invocation' unless $param;
 	    $mtarget = substitute_param $param,  $mtarget;
 	}
 	fatal_error "Macros used within Actions may not specify an ORIGINAL DEST " if $morigdest ne '-';
 	if ( $msource ) {
 	    if ( ( $msource eq '-' ) || ( $msource eq 'SOURCE' ) ) {
 		$msource = $source || '';
 	    } elsif ( $msource eq 'DEST' ) {
 		$msource = $dest || '';
 	    } else {
 		$msource = merge_macro_source_dest $msource, $source;
 	    }
 	} else {
 	    $msource = '';
 	}
 	$msource = '' if $msource eq '-';
 	if ( $mdest ) {
 	    if ( ( $mdest eq '-' ) || ( $mdest eq 'DEST' ) ) {
 		$mdest = $dest || '';
 	    } elsif ( $mdest eq 'SOURCE' ) {
 		$mdest = $source || '';
 	    } else {
 		$mdest = merge_macro_source_dest $mdest, $dest;
 	    }
 	} else {
 	    $mdest = '';
 	}
 	$mdest   = '' if $mdest eq '-';
 	$mproto  = merge_macro_column $mproto,  $proto;
 	$mports  = merge_macro_column $mports,  $ports;
 	$msports = merge_macro_column $msports, $sports;
 	$mrate   = merge_macro_column $mrate,   $rate;
 	$muser   = merge_macro_column $muser,   $user;
 	$mmark   = merge_macro_column $mmark,   $mark;
 	process_action $chainref, $action, $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser, $mark;
    }
    pop_open;
    progress_message '..End Macro';
    clear_comment unless $nocomment;
 }
 #
 # Generate chain for non-builtin action invocation
 #
 sub process_action3( $$$$$ ) {
    my ( $chainref, $wholeaction, $action, $level, $tag ) = @_;
    my $actionfile = find_file "action.$action";
    fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
    progress_message2 "Processing $actionfile for chain $chainref->{name}...";
    open_file $actionfile;
    while ( read_a_line ) {
 	my ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) = split_line1 1, 9, 'action file';
 	if ( $target eq 'COMMENT' ) {
 	    process_comment;
 	    next;
 	}
 	my $target2 = merge_levels $wholeaction, $target;
 	my ( $action2 , $level2 ) = split_action $target2;
 	( $action2 , my $param ) = get_target_param $action2;
 	my $action2type = $targets{$action2} || 0;
 	unless ( $action2type == STANDARD ) {
 	    if ( $action2type & ACTION ) {
 		$target2 = (find_logactionchain ( $target = $target2 ))->{name};
 	    } else {
 		assert( $action2type & ( MACRO | LOGRULE | NFQ | CHAIN ) );
 	    }
 	}
 	if ( $action2type == MACRO ) {
 	    process_macro3( $action2, $param, $chainref, $action, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark );
 	} else {
 	    process_action $chainref, $action, $target2, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark;
 	}
    }
    clear_comment;
 }
 #
 # The following small functions generate rules for the builtin actions of the same name
 #
 sub dropBcast( $$$ ) {
    my ($chainref, $level, $tag) = @_;
    if ( have_capability( 'ADDRTYPE' ) ) {
 	if ( $level ne '' ) {
 	    log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
 	    if ( $family == F_IPV4 ) {
 		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
 	    } else {
 		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
 	    }
 	}
 	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
    } else {
 	if ( $family == F_IPV4 ) {
 	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
 	} else {
 	    add_commands $chainref, 'for address in $ALL_ACASTS; do';
 	}
 	incr_cmd_level $chainref;
 	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
 	add_rule $chainref, '-d $address -j DROP';
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
 	log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
    }
    if ( $family == F_IPV4 ) {
 	add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
    } else {
 	add_rule $chainref, join( ' ', '-d', IPv6_MULTICAST, '-j DROP' );
    }
 }
 sub allowBcast( $$$ ) {
    my ($chainref, $level, $tag) = @_;
    if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
 	if ( $level ne '' ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
 	}
 	add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
 	add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
    } else {
 	if ( $family == F_IPV4 ) {
 	    add_commands $chainref, 'for address in $ALL_BCASTS; do';
 	} else {
 	    add_commands $chainref, 'for address in $ALL_MACASTS; do';
 	}
 	incr_cmd_level $chainref;
 	log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
 	add_rule $chainref, '-d $address -j ACCEPT';
 	decr_cmd_level $chainref;
 	add_commands $chainref, 'done';
 	if ( $family == F_IPV4 ) {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 	    add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
 	} else {
 	    log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d ' . IPv6_MULTICAST . ' ' if $level ne '';
 	    add_rule $chainref, join ( ' ', '-d', IPv6_MULTICAST, '-j ACCEPT' );
 	}
    }
 }
 sub dropNotSyn ( $$$ ) {
    my ($chainref, $level, $tag) = @_;
    log_rule_limit $level, $chainref, 'dropNotSyn' , 'DROP', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
    add_rule $chainref , '-p 6 ! --syn -j DROP';
 }
 sub rejNotSyn ( $$$ ) {
    my ($chainref, $level, $tag) = @_;
    log_rule_limit $level, $chainref, 'rejNotSyn' , 'REJECT', '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
    add_rule $chainref , '-p 6 ! --syn -j REJECT --reject-with tcp-reset';
 }
 sub dropInvalid ( $$$ ) {
    my ($chainref, $level, $tag) = @_;
    log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
    add_rule $chainref , "$globals{STATEMATCH} INVALID -j DROP";
 }
 sub allowInvalid ( $$$ ) {
    my ($chainref, $level, $tag) = @_;
    log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
    add_rule $chainref , "$globals{STATEMATCH} INVALID -j ACCEPT";
 }
 sub forwardUPnP ( $$$ ) {
    my $chainref = dont_optimize 'forwardUPnP';
    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
 }
 sub allowinUPnP ( $$$ ) {
    my ($chainref, $level, $tag) = @_;
    if ( $level ne '' ) {
 	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 17 --dport 1900 ';
 	log_rule_limit $level, $chainref, 'allowinUPnP' , 'ACCEPT', '', $tag, 'add', '-p 6 --dport 49152 ';
    }
    add_rule $chainref, '-p 17 --dport 1900 -j ACCEPT';
    add_rule $chainref, '-p 6 --dport 49152 -j ACCEPT';
 }
 sub Limit( $$$ ) {
    my ($chainref, $level, $tag) = @_;
    my @tag = split /,/, $tag;
    fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')' unless @tag == 3;
    my $set   = $tag[0];
    for ( @tag[1,2] ) {
 	fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
    }
    my $count = $tag[1] + 1;
    require_capability( 'RECENT_MATCH' , 'Limit rules' , '' );
    add_rule $chainref, "-m recent --name $set --set";
    if ( $level ne '' ) {
 	my $xchainref = new_chain 'filter' , "$chainref->{name}%";
 	log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
 	add_rule $xchainref, '-j DROP';
 	add_jump $chainref,  $xchainref, 0, "-m recent --name $set --update --seconds $tag[2] --hitcount $count ";
    } else {
 	add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
    }
    add_rule $chainref, '-j ACCEPT';
 }
 sub process_actions3 () {
    my %builtinops = ( 'dropBcast'      => \&dropBcast,
 		       'allowBcast'     => \&allowBcast,
 		       'dropNotSyn'     => \&dropNotSyn,
 		       'rejNotSyn'      => \&rejNotSyn,
 		       'dropInvalid'    => \&dropInvalid,
 		       'allowInvalid'   => \&allowInvalid,
 		       'allowinUPnP'    => \&allowinUPnP,
 		       'forwardUPnP'    => \&forwardUPnP,
 		       'Limit'          => \&Limit, );
    for my $wholeaction ( keys %usedactions ) {
 	my $chainref = find_logactionchain $wholeaction;
 	my ( $action, $level, $tag ) = split /:/, $wholeaction;
 	$level = '' unless defined $level;
 	$tag   = '' unless defined $tag;
 	if ( $targets{$action} & BUILTIN ) {
 	    $level = '' if $level =~ /none!?/;
 	    $builtinops{$action}->($chainref, $level, $tag);
 	} else {
 	    process_action3 $chainref, $wholeaction, $action, $level, $tag;
 	}
    }
 }
 1;
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -21,51 +21,52 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 package Shorewall::Compiler;
 require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Policy;
 use Shorewall::Nat;
 use Shorewall::Providers;
 use Shorewall::Tc;
 use Shorewall::Tunnels;
 use Shorewall::Actions;
 use Shorewall::Accounting;
 use Shorewall::Rules;
 use Shorewall::Proc;
 use Shorewall::Proxyarp;
 use Shorewall::IPAddrs;
 use Shorewall::Raw;
 use Shorewall::Misc;
 use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_12';
-my $export;
+our $export;
-my $test;
+our $test;
-my $family;
+our $family;
 #
 # Initilize the package-globals in the other modules
 #
 sub initialize_package_globals() {
    Shorewall::Config::initialize($family);
-    Shorewall::Chains::initialize ($family, 1, $export );
+    Shorewall::Chains::initialize ($family);
    Shorewall::Zones::initialize ($family);
    Shorewall::Policy::initialize;
    Shorewall::Nat::initialize;
    Shorewall::Providers::initialize($family);
    Shorewall::Tc::initialize($family);
    Shorewall::Actions::initialize( $family );
    Shorewall::Accounting::initialize;
    Shorewall::Rules::initialize($family);
    Shorewall::Proxyarp::initialize($family);
    Shorewall::IPAddrs::initialize($family);
    Shorewall::Misc::initialize($family);
 }
 #
@@ -83,11 +84,11 @@ sub generate_script_1( $ ) {
    if ( $script ) {
 	if ( $test ) {
-	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
+	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall-perl\n#";
 	} else {
 	    my $date = localtime;
-	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
+	    emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
 	    if ( $family == F_IPV4 ) {
 		copy $globals{SHAREDIRPL} . 'prog.header';
@@ -110,7 +111,7 @@ sub generate_script_1( $ ) {
 ################################################################################
 EOF
-    for my $exit ( qw/init start tcclear started stop stopped clear refresh refreshed restored/ ) {
+    for my $exit qw/init start tcclear started stop stopped clear refresh refreshed restored/ {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file $exit or emit 'true';
@@ -118,7 +119,7 @@ EOF
 	emit '}';
    }
-    for my $exit ( qw/isusable findgw/ ) {
+    for my $exit qw/isusable findgw/ {
 	emit "\nrun_${exit}_exit() {";
 	push_indent;
 	append_file($exit, 1) or emit 'true';
@@ -228,11 +229,7 @@ sub generate_script_2() {
    set_chain_variables;
-    if ( $config{EXPORTPARAMS} ) {
+    append_file 'params' if $config{EXPORTPARAMS};
 	append_file 'params';
    } else {
 	export_params;
    }
    emit ( '',
 	   "g_stopping=",
@@ -265,9 +262,9 @@ sub generate_script_2() {
 	push_indent;
 	if ( $global_variables & NOT_RESTORE ) {
-	    emit( 'start|restart|refresh|disable|enable)' );
+	    emit( 'start|restart|refresh)' );
 	} else {
-	    emit( 'start|restart|refresh|disable|enable|restore)' );
+	    emit( 'start|restart|refresh|restore)' );
 	}
 	push_indent;
@@ -310,6 +307,7 @@ sub generate_script_2() {
 #
 #    Generate code for loading the various files in /var/lib/shorewall[6][-lite]
 #    Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES
 #
 #    Generate the 'setup_netfilter()' function that runs iptables-restore.
 #    Generate the 'define_firewall()' function.
 #
@@ -335,10 +333,10 @@ sub generate_script_3($) {
    save_progress_message 'Initializing...';
-    if ( $export || $config{EXPORTMODULES} ) {
+    if ( $export ) {
-	my $fn = find_file( $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules' );
+	my $fn = find_file $config{LOAD_HELPERS_ONLY} ? 'helpers' : 'modules';
-	if ( -f $fn && ( $config{EXPORTMODULES} || ( $export && ! $fn =~ "^$globals{SHAREDIR}/" ) ) ) {
+	if ( -f $fn && ! $fn =~ "^$globals{SHAREDIR}/" ) {
 	    emit 'echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir';
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
@@ -346,7 +344,7 @@ sub generate_script_3($) {
 	    emit_unindented $currentline while read_a_line;
 	    emit_unindented 'EOF';
-	    emit '', 'reload_kernel_modules < ${VARDIR}/.modules';
+	    emit 'reload_kernel_modules < ${VARDIR}/.modules';
 	} else {
 	    emit 'load_kernel_modules Yes';
 	}
@@ -354,11 +352,9 @@ sub generate_script_3($) {
 	emit 'load_kernel_modules Yes';
    }
    emit '';
    load_ipsets;
    if ( $family == F_IPV4 ) {
 	load_ipsets;
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
 	       '   run_refresh_exit' ,
 	       'else' ,
@@ -370,7 +366,7 @@ sub generate_script_3($) {
 	mark_firewall_not_started;
-	emit ( '',
+	emit ('',
 	       'delete_proxyarp',
 	       ''
 	     );
@@ -388,20 +384,11 @@ sub generate_script_3($) {
 	emit "disable_ipv6\n" if $config{DISABLE_IPV6};
    } else {
-	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
+	emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
 	       '   run_refresh_exit' ,
 	       'else' ,
 	       '    run_init_exit',
 	       'fi',
 	       '' );
 	save_dynamic_chains;
 	mark_firewall_not_started;
-
+	emit '';
 	emit ('',
 	       'delete_proxyndp',
 	       ''
 	     );
    }
    emit qq(delete_tc1\n) if $config{CLEAR_TC};
@@ -410,12 +397,7 @@ sub generate_script_3($) {
    emit( 'setup_routing_and_traffic_shaping', '' );
-    if ( $family == F_IPV4 ) {
+    emit 'cat > ${VARDIR}/proxyarp << __EOF__';
 	emit 'cat > ${VARDIR}/proxyarp << __EOF__';
    } else {
 	emit 'cat > ${VARDIR}/proxyndp << __EOF__';
    } 
    dump_proxy_arp;
    emit_unindented '__EOF__';
@@ -463,7 +445,7 @@ EOF
    my $config_dir = $globals{CONFIGDIR};
    emit<<"EOF";
-    set_state Started $config_dir
+    set_state Started $config_dir 
    run_restored_exit
 else
    if [ \$COMMAND = refresh ]; then
@@ -518,15 +500,15 @@ EOF
 }
-#1
+#
 #  The Compiler.
 #
 #     Arguments are named -- see %parms below.
 #
 sub compiler {
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate ) =
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        );
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0 );
    $export = 0;
    $test   = 0;
@@ -558,10 +540,7 @@ sub compiler {
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
-		  preview       => { store => \$preview,       validate=> \&validate_boolean    } ,    
+		  preview       => { store => \$preview },
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,		  
 		);
    #
    #                               P A R A M E T E R    P R O C E S S I N G
@@ -591,11 +570,11 @@ sub compiler {
    set_verbosity( $verbosity );
    set_log($log, $log_verbosity) if $log;
    set_timestamp( $timestamp );
-    set_debug( $debug , $confess );
+    set_debug( $debug );
    #
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
-    get_configuration( $export , $update , $annotate );
+    get_configuration( $export );
    report_capabilities unless $config{LOAD_HELPERS_ONLY};
@@ -614,7 +593,8 @@ sub compiler {
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
    # shorewall.conf has been processed and the capabilities have been determined.
    #
-    initialize_chain_table(1);
+    initialize_chain_table;
    #
    # Allow user to load Perl modules
    #
@@ -639,12 +619,12 @@ sub compiler {
    #
    # Do action pre-processing.
    #
-    process_actions;
+    process_actions1;
    #
    #                                        P O L I C Y
    #                           (Produces no output to the compiled script)
    #
-    process_policies;
+    validate_policy;
    #
    #                                       N O T R A C K
    #                           (Produces no output to the compiled script)
@@ -696,7 +676,7 @@ sub compiler {
    if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
-	emit '}'; # End of setup_common_rules()
+	emit '}';
    }
    disable_script;
@@ -705,17 +685,7 @@ sub compiler {
    #         (Writes the setup_routing_and_traffic_shaping() function to the compiled script)
    #
    enable_script;
-    #
+
    # Validate the TC files so that the providers will know what interfaces have TC
    #
    my $tcinterfaces = process_tc;
    #
    # Generate a function to bring up each provider
    #
    process_providers( $tcinterfaces );
    #
    # [Re-]establish Routing
    #
    if ( $scriptfilename || $debug ) {
 	emit(  "\n#",
 	       '# Setup routing and traffic shaping',
@@ -725,7 +695,9 @@ sub compiler {
 	push_indent;
    }
-
+    #
    # [Re-]establish Routing
    #
    setup_providers;
    #
    # TCRules and Traffic Shaping
@@ -734,7 +706,7 @@ sub compiler {
    if ( $scriptfilename || $debug ) {
 	pop_indent;
-	emit "}\n"; # End of setup_routing_and_traffic_shaping()
+	emit "}\n";
    }
    disable_script;
@@ -757,12 +729,12 @@ sub compiler {
 	# Setup Nat
 	#
 	setup_nat;
 	#
 	# Setup NETMAP
 	#
 	setup_netmap;
    }
    #
    # Setup NETMAP
    #
    setup_netmap;
    #
    # MACLIST Filtration
    #
@@ -776,6 +748,11 @@ sub compiler {
    #
    setup_tunnels;
    #
    # Post-rules action processing.
    #
    process_actions2;
    process_actions3;
    #
    # MACLIST Filtration again
    #
    setup_mac_lists 2;
@@ -794,7 +771,7 @@ sub compiler {
 	#
 	generate_matrix;
-	if ( $config{OPTIMIZE} & 0xE ) {
+	if ( $config{OPTIMIZE} & 0xD ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
@@ -821,8 +798,8 @@ sub compiler {
 	# We must reinitialize Shorewall::Chains before generating the iptables-restore input
 	# for stopping the firewall
 	#
-	Shorewall::Chains::initialize( $family, 0 , $export );
+	Shorewall::Chains::initialize( $family );
-	initialize_chain_table(0);
+	initialize_chain_table;
 	#
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
@@ -863,7 +840,7 @@ sub compiler {
 	    #
 	    generate_matrix;
-	    if ( $config{OPTIMIZE} & 0xE ) {
+	    if ( $config{OPTIMIZE} & 6 ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
@@ -872,7 +849,7 @@ sub compiler {
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $config{OPTIMIZE} & 0xC;
+		optimize_ruleset if $config{OPTIMIZE} & 4;
 	    }
 	    enable_script if $debug;
@@ -885,8 +862,8 @@ sub compiler {
 	# Re-initialize the chain table so that process_routestopped() has the same
 	# environment that it would when called by compile_stop_firewall().
 	#
-	Shorewall::Chains::initialize( $family , 0 , $export );
+	Shorewall::Chains::initialize( $family );
-	initialize_chain_table(0);
+	initialize_chain_table;
 	if ( $debug ) {
 	    compile_stop_firewall( $test, $export );
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,8 +34,6 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( ALLIPv4
                  ALLIPv6
 		  NILIPv4
 		  NILIPv6
 	          IPv4_MULTICAST
 	          IPv6_MULTICAST
 	          IPv6_LINKLOCAL
@@ -46,7 +44,6 @@ our @EXPORT = qw( ALLIPv4
 	          IPv6_SITE_ALLNODES
 	          IPv6_SITE_ALLRTRS
 		  ALLIP
 		  NILIP
 		  ALL
 		  TCP
 		  UDP
@@ -59,7 +56,6 @@ our @EXPORT = qw( ALLIPv4
 		  validate_address
 		  validate_net
 		  decompose_net
 		  compare_nets
 		  validate_host
 		  validate_range
 		  ip_range_explicit
@@ -67,9 +63,6 @@ our @EXPORT = qw( ALLIPv4
 		  allipv4
 		  allipv6
 		  allip
 		  nilipv4
 		  nilipv6
 		  nilip
 		  rfc1918_networks
 		  resolve_proto
 		  proto_name
@@ -80,30 +73,24 @@ our @EXPORT = qw( ALLIPv4
 		  validate_icmp6
 		 );
 our @EXPORT_OK = qw( );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_12';
 #
 # Some IPv4/6 useful stuff
 #
-my @allipv4 = ( '0.0.0.0/0' );
+our @allipv4 = ( '0.0.0.0/0' );
-my @allipv6 = ( '::/0' );
+our @allipv6 = ( '::/0' );
-my $allip;
+our $allip;
-my @allip;
+our @allip;
-my @nilipv4 = ( '0.0.0.0' );
+our $valid_address;
-my @nilipv6 = ( '::' );
+our $validate_address;
-my $nilip;
+our $validate_net;
-my @nilip;
+our $validate_range;
-my $valid_address;
+our $validate_host;
-my $validate_address;
+our $family;
 my $validate_net;
 my $validate_range;
 my $validate_host;
 my $family;
 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
 	       NILIPv4             => '0.0.0.0' ,
 	       NILIPv6             => '::' ,
 	       IPv4_MULTICAST      => '224.0.0.0/4' ,
 	       IPv6_MULTICAST      => 'ff00::/8' ,
 	       IPv6_LINKLOCAL      => 'fe80::/10' ,
@@ -121,7 +108,7 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       SCTP                => 132,
 	       UDPLITE             => 136 };
-my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
+our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 #
 # Note: initialize() is declared at the bottom of the file
@@ -197,16 +184,7 @@ sub validate_4net( $$ ) {
    $net = '' unless defined $net;
    fatal_error "Missing address" if $net eq '';
-
+    fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
    if ( $net =~ /\+(\[?)/ ) {
 	if ( $1 ) {
 	    fatal_error "An ipset list ($net) is not allowed in this context";
 	} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
 	    fatal_error "An ipset name ($net) is not allowed in this context";
 	} else {
 	    fatal_error "Invalid ipset name ($net)";
 	}
    }
    if ( defined $vlsm ) {
        fatal_error "Invalid VLSM ($vlsm)"            unless $vlsm =~ /^\d+$/ && $vlsm <= 32;
@@ -281,19 +259,10 @@ sub decompose_net( $ ) {
    my $net = $_[0];
    ( $net, my $vlsm ) = validate_net( $net , 0 );
-    ( ( $family == F_IPV4 ? encodeaddr( $net) : normalize_6addr( $net ) )  , $vlsm );
+    ( encodeaddr( $net) , $vlsm );
 }
 sub compare_nets( $$ ) {
    my ( @net1, @net2 );
    @net1 = decompose_net( $_[0] );
    @net2 = decompose_net( $_[1] );
    $net1[0] eq $net2[0] && $net1[1] == $net2[1];
 }			    
 sub allipv4() {
    @allipv4;
 }
@@ -302,14 +271,6 @@ sub allipv6() {
    @allipv6;
 }
 sub nilipv4() {
    @nilipv4;
 }
 sub nilipv6() {
    @nilipv6;
 }
 sub rfc1918_networks() {
    @rfc1918_networks
 }
@@ -330,13 +291,13 @@ sub resolve_proto( $ ) {
    if ( $proto =~ /^\d+$/ || $proto =~ /^0x/ ) {
 	$number = numeric_value ( $proto );
-	defined $number && $number <= 255 ? $number : undef;
+	defined $number && $number <= 65535 ? $number : undef;
    } else {
 	#
 	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
 	#
 	$proto= 'ipv6-icmp' if $proto eq 'icmp' && $family == F_IPV6;
-
+	
 	defined( $number = $nametoproto{$proto} ) ? $number : scalar getprotobyname $proto;
    }
 }
@@ -536,7 +497,6 @@ sub valid_6address( $ ) {
    }
    return 0 if @address > $max;
    return 0 unless $address =~ /^[a-f:\d]+$/;
    return 0 unless ( @address == $max ) || $address =~ /::/;
    return 0 if $address =~ /:::/ || $address =~ /::.*::/;
@@ -580,15 +540,7 @@ sub validate_6net( $$ ) {
    my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
    my $allow_name = $_[1];
-    if ( $net =~ /\+(\[?)/ ) {
+    fatal_error "An ipset name ($net) is not allowed in this context" if substr( $net, 0, 1 ) eq '+';
 	if ( $1 ) {
 	    fatal_error "An ipset list ($net) is not allowed in this context";
 	} elsif ( $net =~ /^\+[a-zA-Z][-\w]*$/ ) {
 	    fatal_error "An ipset name ($net) is not allowed in this context";
 	} else {
 	    fatal_error "Invalid ipset name ($net)";
 	}
    }
    if ( defined $vlsm ) {
        fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
@@ -597,16 +549,6 @@ sub validate_6net( $$ ) {
    } else {
 	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
 	validate_6address $net, $allow_name;
 	$vlsm = 128;
    }
    if ( defined wantarray ) {
 	assert ( ! $allow_name );
 	if ( wantarray ) {
 	    ( $net , $vlsm );
 	} else {
 	    "$net/$vlsm";
 	}
    }
 }
@@ -715,14 +657,6 @@ sub allip() {
    @allip;
 }
 sub NILIP() {
    $nilip;
 }
 sub nilip() {
    @nilip;
 }
 sub valid_address ( $ ) {
    $valid_address->(@_);
 }
@@ -759,8 +693,6 @@ sub initialize( $ ) {
    if ( $family == F_IPV4 ) {
 	$allip            = ALLIPv4;
 	@allip            = @allipv4;
 	$nilip            = NILIPv4;
 	@nilip            = @nilipv4;
 	$valid_address    = \&valid_4address;
 	$validate_address = \&validate_4address;
 	$validate_net     = \&validate_4net;
@@ -769,8 +701,6 @@ sub initialize( $ ) {
    } else {
 	$allip            = ALLIPv6;
 	@allip            = @allipv6;
 	$nilip            = NILIPv6;
 	@nilip            = @nilipv6;
 	$valid_address    = \&valid_6address;
 	$validate_address = \&validate_6address;
 	$validate_net     = \&validate_6net;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -36,10 +36,10 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our @EXPORT_OK = ();
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_13';
-my @addresses_to_add;
+our @addresses_to_add;
-my %addresses_to_add;
+our %addresses_to_add;
 #
 # Called by the compiler
@@ -54,16 +54,13 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = 
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = split_line1 2, 8, 'masq file';
 	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };
    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
 	return 1;
    }
    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
    my $pre_nat;
    my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
    my $destnets = '';
@@ -158,7 +155,6 @@ sub process_one_masq( )
 	my $exceptionrule = '';
 	my $randomize     = '';
 	my $persistent    = '';
 	my $conditional   = 0;
 	#
 	# Parse the ADDRESSES column
 	#
@@ -166,8 +162,8 @@ sub process_one_masq( )
 	    if ( $addresses eq 'random' ) {
 		$randomize = '--random ';
 	    } else {
-		$addresses =~ s/:persistent$// and $persistent = ' --persistent ';
+		$addresses =~ s/:persistent$// and $persistent = '--persistent ';
-		$addresses =~ s/:random$//     and $randomize  = ' --random ';
+		$addresses =~ s/:random$//     and $randomize  = '--random ';
 		require_capability 'PERSISTENT_SNAT', ':persistent', 's' if $persistent;
@@ -190,14 +186,7 @@ sub process_one_masq( )
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
-			if ( $addr =~ /^&(.+)$/ ) {
+			if ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = 'SNAT ';
 			    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
 				$addrlist .= '--to-source ' . get_interface_address $1;
 			    } else {
 				$addrlist .= '--to-source ' . record_runtime_address $1;
 			    }
 			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = 'SNAT ';
 			    my ($ipaddr, $rest) = split ':', $addr;
 			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
@@ -208,12 +197,8 @@ sub process_one_masq( )
 			    $addrlist .= "--to-source $addr ";
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
-			    my $ports = $addr; 
+			    $addr =~ s/^://;
-			    $ports =~ s/^://;
+			    $addrlist .= "--to-ports $addr ";
 			    my $portrange = $ports;
 			    $portrange =~ s/-/:/;
 			    validate_portpair( $proto, $portrange );
 			    $addrlist .= "--to-ports $ports ";
 			    $exceptionrule = do_proto( $proto, '', '' );
 			}
 		    }
@@ -241,7 +226,10 @@ sub process_one_masq( )
 		     '' ,
 		     $exceptionrule );
-	conditional_rule_end( $chainref ) if $detectaddress || $conditional;
+	if ( $detectaddress ) {
 	    decr_cmd_level( $chainref );
 	    add_commands( $chainref , 'fi' );
 	}
 	if ( $add_snat_aliases ) {
 	    my ( $interface, $alias , $remainder ) = split( /:/, $fullinterface, 3 );
@@ -274,14 +262,14 @@ sub process_one_masq( )
 #
 sub setup_masq()
 {
-    if ( my $fn = open_file 'masq' ) {
+    my $fn = open_file 'masq';
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
-	process_one_masq while read_a_line;
+    process_one_masq while read_a_line;
    clear_comment;
 	clear_comment;
    }
 }
 #
@@ -371,35 +359,32 @@ sub do_one_nat( $$$$$ )
 #
 sub setup_nat() {
-    if ( my $fn = open_file 'nat' ) {
+    my $fn = open_file 'nat';
-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
-	while ( read_a_line ) {
+    while ( read_a_line ) {
-	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };
+	my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 3, 5, 'nat file';
-	    if ( $external eq 'COMMENT' ) {
+	if ( $external eq 'COMMENT' ) {
-		process_comment;
+	    process_comment;
-	    } else {
+	} else {
-		( $interfacelist, my $digit ) = split /:/, $interfacelist;
+	    ( $interfacelist, my $digit ) = split /:/, $interfacelist;
-		$digit = defined $digit ? ":$digit" : '';
+	    $digit = defined $digit ? ":$digit" : '';
-		fatal_error 'EXTERNAL must be specified' if $external eq '-';
+	    for my $interface ( split_list $interfacelist , 'interface' ) {
-		fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
+		fatal_error "Invalid Interface List ($interfacelist)" unless defined $interface && $interface ne '';
-
+		do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
 		for my $interface ( split_list $interfacelist , 'interface' ) {
 		    fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
 		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
 		}
 		progress_message "   NAT entry \"$currentline\" $done";
 	    }
 	    progress_message "   NAT entry \"$currentline\" $done";
 	}
 	clear_comment;
    }
    clear_comment;
 }
 #
@@ -407,111 +392,40 @@ sub setup_nat() {
 #
 sub setup_netmap() {
-    if ( my $fn = open_file 'netmap' ) {
+    my $fn = open_file 'netmap';
-	first_entry "$doing $fn...";
+    first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty netmap file' , 's'; } );
-	while ( read_a_line ) {
+    while ( read_a_line ) {
-	    my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 };
+	my ( $type, $net1, $interfacelist, $net2, $net3 ) = split_line 4, 5, 'netmap file';
-	    $net3 = ALLIP if $net3 eq '-';
+	$net3 = ALLIP if $net3 eq '-';
-	    for my $interface ( split_list $interfacelist, 'interface' ) {
+	for my $interface ( split_list $interfacelist, 'interface' ) {
-		my $iface = $interface;
+	    my $rulein = '';
 	    my $ruleout = '';
 	    my $iface = $interface;
-		fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
+	    fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
-		my @rule = do_iproto( $proto, $dport, $sport );
+	    unless ( $interfaceref->{root} ) {
-
+		$rulein  = match_source_dev( $interface );
-		unless ( $type =~ /:/ ) {
+		$ruleout = match_dest_dev( $interface );
-		    my @rulein;
+		$interface = $interfaceref->{name};
 		    my @ruleout;
 		    validate_net $net1, 0;
 		    validate_net $net2, 0;
 		    unless ( $interfaceref->{root} ) {
 			@rulein  = imatch_source_dev( $interface );
 			@ruleout = imatch_dest_dev( $interface );
 			$interface = $interfaceref->{name};
 		    }
 		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';
 		    if ( $type eq 'DNAT' ) {
 			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) , 
 					  j => 'NETMAP' ,
 					  "--to $net2",
 					  $net1 ,
 					  @rulein  ,
 					  imatch_source_net( $net3 ) );
 		    } elsif ( $type eq 'SNAT' ) {
 			source_iexclusion( ensure_chain( 'nat' , output_chain $interface ) ,
 					   j => 'NETMAP' ,
 					   "--to $net2" ,
 					   $net1 ,
 					   @ruleout ,
 					   imatch_dest_net( $net3 ) );
 		    } else {
 			fatal_error "Invalid type ($type)";
 		    }
 		} elsif ( $type =~ /^(DNAT|SNAT):([POT])$/ ) {
 		    my ( $target , $chain ) = ( $1, $2 );
 		    my $table = 'raw';
 		    my @match;
 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';
 		    validate_net $net2, 0;
 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface ); 
 			$interface = $interfaceref->{name};
 		    }
 		    if ( $chain eq 'P' ) {
 			$chain = prerouting_chain $interface;
 			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
 		    } elsif ( $chain eq 'O' ) {
 			$chain = output_chain $interface;
 		    } else {
 			$chain = postrouting_chain $interface;
 			$table = 'rawpost';
 		    }
 		    my $chainref = ensure_chain( $table, $chain );
 		    if ( $target eq 'DNAT' ) {
 			dest_iexclusion( $chainref ,
 					 j => 'RAWDNAT' ,
 					 "--to-dest $net2" ,
 					 $net1 ,
 					 imatch_source_net( $net3 ) ,
 					 @rule ,
 					 @match
 				       );
 		    } else {
 			source_iexclusion( $chainref ,
 					   j  => 'RAWSNAT' ,
 					   "--to-source $net2" ,
 					   $net1 ,
 					   imatch_dest_net( $net3 ) ,
 					   @rule ,
 					   @match );
 		    }
 		} else {
 		    fatal_error 'TYPE must be specified' if $type eq '-';
 		    fatal_error "Invalid TYPE ($type)";
 		}
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	    }
 	}
-	clear_comment;
+	    if ( $type eq 'DNAT' ) {
 		add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
 	    } elsif ( $type eq 'SNAT' ) {
 		add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
 	    } else {
 		fatal_error "Invalid type ($type)";
 	    }
 	    progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	}
    }
 }
--- a/Shorewall/Perl/Shorewall/Policy.pm
+++ b/Shorewall/Perl/Shorewall/Policy.pm
@@ -0,0 +1,533 @@
 #
 # Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Policy.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #   This module deals with the /etc/shorewall/policy file.
 #
 package Shorewall::Policy;
 require Exporter;
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw( :DEFAULT :internal) ;
 use Shorewall::Actions;
 use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( validate_policy apply_policy_rules complete_standard_chain setup_syn_flood_chains save_policies optimize_policy_chains);
 our @EXPORT_OK = qw(  );
 our $VERSION = '4.4_12';
 # @policy_chains is a list of references to policy chains in the filter table
 our @policy_chains;
 #
 # Called by the compiler
 #
 sub initialize() {
    @policy_chains = ();
 }
 #
 # Convert a chain into a policy chain.
 #
 sub convert_to_policy_chain($$$$$)
 {
    my ($chainref, $source, $dest, $policy, $provisional ) = @_;
    $chainref->{is_policy}   = 1;
    $chainref->{policy}      = $policy;
    $chainref->{provisional} = $provisional;
    $chainref->{policychain} = $chainref->{name};
    $chainref->{policypair}  = [ $source, $dest ];
 }
 #
 # Create a new policy chain and return a reference to it.
 #
 sub new_policy_chain($$$$)
 {
    my ($source, $dest, $policy, $provisional) = @_;
    my $chainref = new_chain( 'filter', rules_chain( ${source}, ${dest} ) );
    convert_to_policy_chain( $chainref, $source, $dest, $policy, $provisional );
    $chainref;
 }
 #
 # Set the passed chain's policychain and policy to the passed values.
 #
 sub set_policy_chain($$$$$)
 {
    my ($source, $dest, $chain1, $chainref, $policy ) = @_;
    my $chainref1 = $filter_table->{$chain1};
    $chainref1 = new_chain 'filter', $chain1 unless $chainref1;
    unless ( $chainref1->{policychain} ) {
 	if ( $config{EXPAND_POLICIES} ) {
 	    #
 	    # We convert the canonical chain into a policy chain, using the settings of the
 	    # passed policy chain.
 	    #
 	    $chainref1->{policychain} = $chain1;
 	    $chainref1->{loglevel}    = $chainref->{loglevel} if defined $chainref->{loglevel};
 	    if ( defined $chainref->{synparams} ) {
 		$chainref1->{synparams}   = $chainref->{synparams};
 		$chainref1->{synchain}    = $chainref->{synchain};
 	    }
 	    $chainref1->{default}     = $chainref->{default} if defined $chainref->{default};
 	    $chainref1->{is_policy}   = 1;
 	    push @policy_chains, $chainref1;
 	} else {
 	    $chainref1->{policychain} = $chainref->{name};
 	}
 	$chainref1->{policy} = $policy;
 	$chainref1->{policypair} = [ $source, $dest ];
    }
 }
 #
 # Process the policy file
 #
 use constant { PROVISIONAL => 1 };
 sub add_or_modify_policy_chain( $$ ) {
    my ( $zone, $zone1 ) = @_;
    my $chain    = rules_chain( ${zone}, ${zone1} );
    my $chainref = $filter_table->{$chain};
    if ( $chainref ) {
 	unless( $chainref->{is_policy} ) {
 	    convert_to_policy_chain( $chainref, $zone, $zone1, 'CONTINUE', PROVISIONAL );
 	    push @policy_chains, $chainref;
 	}
    } else {
 	push @policy_chains, ( new_policy_chain $zone, $zone1, 'CONTINUE', PROVISIONAL );
    }
 }
 sub print_policy($$$$) {
    my ( $source, $dest, $policy , $chain ) = @_;
    unless ( ( $source eq 'all' ) || ( $dest eq 'all' ) ) {
 	if ( $policy eq 'CONTINUE' ) {
 	    my ( $sourceref, $destref ) = ( find_zone($source) ,find_zone( $dest ) );
 	    warning_message "CONTINUE policy between two un-nested zones ($source, $dest)" if ! ( @{$sourceref->{parents}} || @{$destref->{parents}} );
 	}
 	progress_message_nocompress "   Policy for $source to $dest is $policy using chain $chain" unless $source eq $dest;
    }
 }
 sub process_a_policy() {
    our %validpolicies;
    our @zonelist;
    my ( $client, $server, $originalpolicy, $loglevel, $synparams, $connlimit ) = split_line 3, 6, 'policy file';
    $loglevel  = '' if $loglevel  eq '-';
    $synparams = '' if $synparams eq '-';
    $connlimit = '' if $connlimit eq '-';
    my $clientwild = ( "\L$client" eq 'all' );
    fatal_error "Undefined zone ($client)" unless $clientwild || defined_zone( $client );
    my $serverwild = ( "\L$server" eq 'all' );
    fatal_error "Undefined zone ($server)" unless $serverwild || defined_zone( $server );
    my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 );
    fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;
    fatal_error "Invalid default action ($default:$remainder)" if defined $remainder;
    ( $policy , my $queue ) = get_target_param $policy;
    if ( $default ) {
 	if ( "\L$default" eq 'none' ) {
 	    $default = 'none';
 	} else {
 	    my $defaulttype = $targets{$default} || 0;
 	    if ( $defaulttype & ACTION ) {
 		unless ( $usedactions{$default} ) {
 		    $usedactions{$default} = 1;
 		    createactionchain $default;
 		}
 	    } else {
 		fatal_error "Unknown Default Action ($default)";
 	    }
 	}
    } else {
 	$default = $default_actions{$policy} || '';
    }
    fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};
    if ( defined $queue ) {
 	fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
 	require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' );
 	my $queuenum = numeric_value( $queue );
 	fatal_error "Invalid NFQUEUE queue number ($queue)" unless defined( $queuenum) && $queuenum <= 65535;
 	$policy = "NFQUEUE --queue-num $queuenum";
    } elsif ( $policy eq 'NONE' ) {
 	fatal_error "NONE policy not allowed with \"all\""
 	    if $clientwild || $serverwild;
 	fatal_error "NONE policy not allowed to/from firewall zone"
 	    if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
    }
    unless ( $clientwild || $serverwild ) {
 	if ( zone_type( $server ) == BPORT ) {
 	    fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
 		unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
 	}
    }
    my $chain = rules_chain( ${client}, ${server} );
    my $chainref;
    if ( defined $filter_table->{$chain} ) {
 	$chainref = $filter_table->{$chain};
 	if ( $chainref->{is_policy} ) {
 	    if ( $chainref->{provisional} ) {
 		$chainref->{provisional} = 0;
 		$chainref->{policy} = $policy;
 	    } else {
 		fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	    }
 	} elsif ( $chainref->{policy} ) {
 	    fatal_error qq(Policy "$client $server $policy" duplicates earlier policy "@{$chainref->{policypair}} $chainref->{policy}");
 	} else {
 	    convert_to_policy_chain( $chainref, $client, $server, $policy, 0 );
 	    push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
 	}
    } else {
 	$chainref = new_policy_chain $client, $server, $policy, 0;
 	push @policy_chains, ( $chainref ) unless $config{EXPAND_POLICIES} && ( $clientwild || $serverwild );
    }
    $chainref->{loglevel}  = validate_level( $loglevel ) if defined $loglevel && $loglevel ne '';
    if ( $synparams ne '' || $connlimit ne '' ) {
 	my $value = '';
 	fatal_error "Invalid CONNLIMIT ($connlimit)" if $connlimit =~ /^!/;
 	$value  = do_ratelimit $synparams, 'ACCEPT'  if $synparams ne '';
 	$value .= do_connlimit $connlimit            if $connlimit ne '';
 	$chainref->{synparams} = $value;
 	$chainref->{synchain}  = $chain
    }
    $chainref->{default} = $default if $default;
    if ( $clientwild ) {
 	if ( $serverwild ) {
 	    for my $zone ( @zonelist ) {
 		for my $zone1 ( @zonelist ) {
 		    set_policy_chain $client, $server, rules_chain( ${zone}, ${zone1} ), $chainref, $policy;
 		    print_policy $zone, $zone1, $policy, $chain;
 		}
 	    }
 	} else {
 	    for my $zone ( all_zones ) {
 		set_policy_chain $client, $server, rules_chain( ${zone}, ${server} ), $chainref, $policy;
 		print_policy $zone, $server, $policy, $chain;
 	    }
 	}
    } elsif ( $serverwild ) {
 	for my $zone ( @zonelist ) {
 	    set_policy_chain $client, $server, rules_chain( ${client}, ${zone} ), $chainref, $policy;
 	    print_policy $client, $zone, $policy, $chain;
 	}
    } else {
 	print_policy $client, $server, $policy, $chain;
    }
 }
 sub save_policies() {
    for my $zone1 ( all_zones ) {
 	for my $zone2 ( all_zones ) {
 	    my $chainref  = $filter_table->{ rules_chain( $zone1, $zone2 ) };
 	    my $policyref = $filter_table->{ $chainref->{policychain} };
 	    if ( $policyref->{referenced} ) {
 		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy} . ' using chain ' . $policyref->{name};
 	    } elsif ( $zone1 ne $zone2 ) {
 		emit_unindented "$zone1 \t=>\t$zone2\t" . $policyref->{policy};
 	    }
 	}
    }
 }
 sub validate_policy()
 {
    our %validpolicies = (
 			  ACCEPT => undef,
 			  REJECT => undef,
 			  DROP   => undef,
 			  CONTINUE => undef,
 			  QUEUE => undef,
 			  NFQUEUE => undef,
 			  NONE => undef
 			  );
    our %map = ( DROP_DEFAULT    => 'DROP' ,
 		 REJECT_DEFAULT  => 'REJECT' ,
 		 ACCEPT_DEFAULT  => 'ACCEPT' ,
 		 QUEUE_DEFAULT   => 'QUEUE' ,
 		 NFQUEUE_DEFAULT => 'NFQUEUE' );
    my $zone;
    my $firewall = firewall_zone;
    our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
    for my $option qw/DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT/ {
 	my $action = $config{$option};
 	next if $action eq 'none';
 	my $actiontype = $targets{$action};
 	if ( defined $actiontype ) {
 	    fatal_error "Invalid setting ($action) for $option" unless $actiontype & ACTION;
 	} else {
 	    fatal_error "Default Action $option=$action not found";
 	}
 	unless ( $usedactions{$action} ) {
 	    $usedactions{$action} = 1;
 	    createactionchain $action;
 	}
 	$default_actions{$map{$option}} = $action;
    }
    for $zone ( all_zones ) {
 	push @policy_chains, ( new_policy_chain $zone,         $zone, 'ACCEPT', PROVISIONAL );
 	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL ) if zone_type( $zone ) == BPORT;
 	my $zoneref = find_zone( $zone );
 	if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} == VSERVER ) ) {
 	    for my $zone1 ( all_zones ) {
 		unless( $zone eq $zone1 ) {
 		    add_or_modify_policy_chain( $zone, $zone1 );
 		    add_or_modify_policy_chain( $zone1, $zone );
 		}
 	    }		
 	}
    }
    my $fn = open_file 'policy';
    first_entry "$doing $fn...";
    process_a_policy while read_a_line;
    for $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
 	    fatal_error "No policy defined from zone $zone to zone $zone1" unless $filter_table->{rules_chain( ${zone}, ${zone1} )}{policy};
 	}
    }
 }
 #
 # Policy Rule application
 #
 sub policy_rules( $$$$$ ) {
    my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
    unless ( $target eq 'NONE' ) {
 	add_rule $chainref, "-d 224.0.0.0/4 -j RETURN" if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
 	add_jump $chainref, $default, 0 if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
 	add_jump( $chainref , $target eq 'REJECT' ? 'reject' : $target, 1 ) unless $target eq 'CONTINUE';
    }
 }
 sub report_syn_flood_protection() {
    progress_message_nocompress '      Enabled SYN flood protection';
 }
 sub default_policy( $$$ ) {
    my $chainref   = $_[0];
    my $policyref  = $filter_table->{$chainref->{policychain}};
    my $synparams  = $policyref->{synparams};
    my $default    = $policyref->{default};
    my $policy     = $policyref->{policy};
    my $loglevel   = $policyref->{loglevel};
    assert( $policyref );
    if ( $chainref eq $policyref ) {
 	policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
    } else {
 	if ( $policy eq 'ACCEPT' || $policy eq 'QUEUE' || $policy =~ /^NFQUEUE/ ) {
 	    if ( $synparams ) {
 		report_syn_flood_protection;
 		policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	    } else {
 		add_jump $chainref,  $policyref, 1;
 		$chainref = $policyref;
 	    }
 	} elsif ( $policy eq 'CONTINUE' ) {
 	    report_syn_flood_protection if $synparams;
 	    policy_rules $chainref , $policy , $loglevel , $default, $config{MULTICAST};
 	} else {
 	    report_syn_flood_protection if $synparams;
 	    add_jump $chainref , $policyref, 1;
 	    $chainref = $policyref;
 	}
    }
    progress_message_nocompress "   Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
 }
 sub apply_policy_rules() {
    progress_message2 'Applying Policies...';
    for my $chainref ( @policy_chains ) {
 	my $policy      = $chainref->{policy};
 	unless ( $policy eq 'NONE' ) {
 	    my $loglevel    = $chainref->{loglevel};
 	    my $provisional = $chainref->{provisional};
 	    my $default     = $chainref->{default};
 	    my $name        = $chainref->{name};
 	    my $synparms    = $chainref->{synparms};
 	    unless ( $chainref->{referenced} || $provisional || $policy eq 'CONTINUE' ) {
 		if ( $config{OPTIMIZE} & 2 ) {
 		    #
 		    # This policy chain is empty and the only thing that we would put in it is
 		    # the policy-related stuff. Don't create it if all we are going to put in it
 		    # is a single jump. Generate_matrix() will just use the policy target when
 		    # needed.
 		    #
 		    ensure_filter_chain $name, 1 if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
 		} else {
 		    ensure_filter_chain $name, 1;
 		}
 	    }
 	    if ( $name =~ /^all[-2]|[-2]all$/ ) {
 		run_user_exit $chainref;
 		policy_rules $chainref , $policy, $loglevel , $default, $config{MULTICAST};
 	    }
 	}
    }
    for my $zone ( all_zones ) {
 	for my $zone1 ( all_zones ) {
 	    my $chainref = $filter_table->{rules_chain( ${zone}, ${zone1} )};
 	    if ( $chainref->{referenced} ) {
 		run_user_exit $chainref;
 		default_policy $chainref, $zone, $zone1;
 	    }
 	}
    }
 }
 #
 # Complete a standard chain
 #
 #	- run any supplied user exit
 #	- search the policy file for an applicable policy and add rules as
 #	  appropriate
 #	- If no applicable policy is found, add rules for an assummed
 #	  policy of DROP INFO
 #
 sub complete_standard_chain ( $$$$ ) {
    my ( $stdchainref, $zone, $zone2, $default ) = @_;
    add_rule $stdchainref, "$globals{STATEMATCH} ESTABLISHED,RELATED -j ACCEPT" unless $config{FASTACCEPT};
    run_user_exit $stdchainref;
    my $ruleschainref = $filter_table->{rules_chain( ${zone}, ${zone2} ) } || $filter_table->{rules_chain( 'all', 'all' ) };
    my ( $policy, $loglevel, $defaultaction ) = ( $default , 6, $config{$default . '_DEFAULT'} );
    my $policychainref;
    $policychainref = $filter_table->{$ruleschainref->{policychain}} if $ruleschainref;
    ( $policy, $loglevel, $defaultaction ) = @{$policychainref}{'policy', 'loglevel', 'default' } if $policychainref;
    policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }
 #
 # Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
 #
 sub setup_syn_flood_chains() {
    for my $chainref ( @policy_chains ) {
 	my $limit = $chainref->{synparams};
 	if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
 	    my $level = $chainref->{loglevel};
 	    my $synchainref = new_chain 'filter' , syn_flood_chain $chainref;
 	    add_rule $synchainref , "${limit}-j RETURN";
 	    log_rule_limit( $level , 
 			    $synchainref , 
 			    $chainref->{name} , 
 			    'DROP', 
 			    $globals{LOGLIMIT} || '-m limit --limit 5/min --limit-burst 5 ' , 
 			    '' , 
 			    'add' , 
 			    '' )
 		if $level ne '';
 	    add_rule $synchainref, '-j DROP';
 	}
    }
 }
 #
 # Optimize Policy chains with ACCEPT policy
 #
 sub optimize_policy_chains() {
    for my $chainref ( grep $_->{policy} eq 'ACCEPT', @policy_chains ) {
 	optimize_chain ( $chainref );
    }
    #
    # Often, fw->all has an ACCEPT policy. This code allows optimization in that case
    #
    my $outputrules = $filter_table->{OUTPUT}{rules};
    if ( @{$outputrules} && $outputrules->[-1] =~ /-j ACCEPT/ ) {
 	optimize_chain( $filter_table->{OUTPUT} );
    }
    progress_message '  Policy chains optimized';
    progress_message '';
 }
 1;
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -40,8 +40,8 @@ our @EXPORT = qw(
 		 setup_source_routing
 		 setup_forwarding
 		 );
-our @EXPORT_OK = qw( setup_interface_proc );
+our @EXPORT_OK = qw( );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_7';
 #
 # ARP Filtering
@@ -106,7 +106,7 @@ sub setup_route_filtering() {
 	my $val = '';
-	if ( $config ne '' ) {
+	if ( $config{ROUTE_FILTER} ne '' ) {
 	    $val = $config eq 'on' ? 1 : $config eq 'off' ? 0 : $config;
 	    emit ( 'for file in /proc/sys/net/ipv4/conf/*; do',
@@ -227,10 +227,6 @@ sub setup_forwarding( $$ ) {
 	}
 	emit '';
 	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
 	       ''
 	     ) if have_bridges;
    } else {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
 	    emit '        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
@@ -242,10 +238,6 @@ sub setup_forwarding( $$ ) {
 	emit '';
 	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
 	       ''
 	     ) if have_bridges;
 	my $interfaces = find_interfaces_by_option 'forward';
 	if ( @$interfaces ) {
@@ -277,45 +269,4 @@ sub setup_forwarding( $$ ) {
    }
 }
 sub setup_interface_proc( $ ) {
    my $interface = shift;
    my $physical  = get_physical $interface;
    my $value;
    my @emitted;
    if ( interface_has_option( $interface, 'arp_filter' , $value ) ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_filter";
    }
    if ( interface_has_option( $interface, 'arp_ignore' , $value ) ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_ignore";
    }
    if ( interface_has_option( $interface, 'routefilter' , $value ) ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/rp_filter";
    }
    if ( interface_has_option( $interface, 'logmartians' , $value ) ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/log_martians";
    }
    if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
    }
    if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
    }
    if ( @emitted ) {
 	emit( '',
 	      'if [ $COMMAND = enable ]; then' );
 	push_indent;
 	emit "$_" for @emitted;
 	pop_indent;
 	emit "fi\n";
    }
 }
 1;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2011,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,7 +35,7 @@ our @EXPORT = qw(
 		  );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_9';
 our @proxyarp;
@@ -56,10 +56,8 @@ sub initialize( $ ) {
    @proxyarp = ();
 }
-sub setup_one_proxy_arp( $$$$$$$ ) {
+sub setup_one_proxy_arp( $$$$$ ) {
-    my ( $address, $interface, $physical, $external, $extphy, $haveroute, $persistent) = @_;
+    my ( $address, $interface, $external, $haveroute, $persistent) = @_;
    my $proto = $family == F_IPV4 ? 'ARP' : 'NDP';
    if ( "\L$haveroute" eq 'no' || $haveroute eq '-' ) {
 	$haveroute = '';
@@ -78,107 +76,105 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
    }
    unless ( $haveroute ) {
-	fatal_error "HAVEROUTE=No requires an INTERFACE" if $interface eq '-';
+	emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address dev $interface";
 	if ( $family == F_IPV4 ) {
 	    emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address/32 dev $physical";
 	} else {
 	    emit( 'if [ -z "$g_noroutes" ]; then',
 		  "    qt \$IP -6 route del $address/128 dev $physical".
 		  "    run_ip route add $address/128 dev $physical",
 		  'fi'
 		);
 	}
 	$haveroute = 1 if $persistent;
    }
-    emit ( "run_ip neigh add proxy $address nud permanent dev $extphy" ,
+    emit ( "if ! arp -i $external -Ds $address $external pub; then",
-	   qq(progress_message "   Host $address connected to $interface added to $proto on $extphy"\n) );
+	   "    fatal_error \"Command 'arp -i $external -Ds $address $external pub' failed\"" ,
 	   'fi' ,
 	   '',
 	   "progress_message \"   Host $address connected to $interface added to ARP on $external\"\n" );
    push @proxyarp, "$address $interface $external $haveroute";
-    progress_message "   Host $address connected to $interface added to $proto on $external";
+    progress_message "   Host $address connected to $interface added to ARP on $external";
 }
 #
-# Setup Proxy ARP/NDP
+# Setup Proxy ARP
 #
 sub setup_proxy_arp() {
-    my $proto      = $family == F_IPV4 ? 'arp' : 'ndp';   # Protocol
+    if ( $family == F_IPV4 ) {
    my $file_opt   = 'proxy' . $proto;                    # Name of config file and of the interface option
    my $proc_file  = 'proxy_' . $proto;                   # Name of the corresponding file in /proc
-    my $interfaces= find_interfaces_by_option $file_opt;
+	my $interfaces= find_interfaces_by_option 'proxyarp';
-    my $fn = open_file $file_opt;
+	my $fn = open_file 'proxyarp';
-    if ( @$interfaces || $fn ) {
+	if ( @$interfaces || $fn ) {
-	my $first_entry = 1;
+	    my $first_entry = 1;
-	save_progress_message 'Setting up Proxy ' . uc($proto) . '...';
+	    save_progress_message "Setting up Proxy ARP...";
-	my ( %set, %reset );
+	    my ( %set, %reset );
-	while ( read_a_line ) {
+	    while ( read_a_line ) {
-	    my ( $address, $interface, $external, $haveroute, $persistent ) =
+		my ( $address, $interface, $external, $haveroute, $persistent ) = split_line 3, 5, 'proxyarp file';
 		split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };
-	    if ( $first_entry ) {
+		if ( $first_entry ) {
-		progress_message2 "$doing $fn...";
+		    progress_message2 "$doing $fn...";
-		$first_entry = 0;
+		    $first_entry = 0;
-	    }
+		}
-	    fatal_error 'EXTERNAL must be specified' if $external eq '-';
+		$interface = get_physical $interface;
-	    fatal_error "Unknown interface ($external)" unless known_interface $external;
+		$external  = get_physical $external;
 	    fatal_error "Wildcard interface ($external) not allowed" if $external =~ /\+$/;
 	    $reset{$external} = 1 unless $set{$external};
 	    my $extphy   = get_physical $external;
 	    my $physical = '-';
 	    if ( $interface ne '-' ) {
 		fatal_error "Unknown interface ($interface)" unless known_interface $interface;
 		fatal_error "Wildcard interface ($interface) not allowed" if $interface =~ /\+$/;
 		$physical = physical_name $interface;
 		$set{$interface}  = 1;
 		$reset{$external} = 1 unless $set{$external};
 		setup_one_proxy_arp( $address, $interface, $external, $haveroute, $persistent );
 	    }
-	    setup_one_proxy_arp( $address, $interface, $physical, $external, $extphy, $haveroute, $persistent );
+	    emit '';
 	}
-	emit '';
+	    for my $interface ( keys %reset ) {
 		unless ( $set{interface} ) {
 		    emit  ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
 			    "    echo 0 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
 		    emit    "fi\n";
 		}
 	    }
-	for my $interface ( keys %reset ) {
+	    for my $interface ( keys %set ) {
-	    unless ( $set{interface} ) {
+		emit  ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ]; then" ,
-		my $physical = get_physical $interface;
+			"    echo 1 > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
-		emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
+		emit  ( 'else' ,
-			"    echo 0 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
+			"    error_message \"    WARNING: Cannot set the 'proxy_arp' option for interface $interface\"" ) unless interface_is_optional( $interface );
 		emit    "fi\n";
 	    }
 	    for my $interface ( @$interfaces ) {
 		my $value = get_interface_option $interface, 'proxyarp';
 		my $optional = interface_is_optional $interface;
 		$interface = get_physical $interface;
 		emit ( "if [ -f /proc/sys/net/ipv4/conf/$interface/proxy_arp ] ; then" ,
 		       "    echo $value > /proc/sys/net/ipv4/conf/$interface/proxy_arp" );
 		emit ( 'else' ,
 		       "    error_message \"WARNING: Unable to set/reset proxy ARP on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
 	}
    } else {
 	my $interfaces= find_interfaces_by_option 'proxyndp';
-	for my $interface ( keys %set ) {
+	if ( @$interfaces ) {
-	    my $physical = get_physical $interface;
+	    save_progress_message "Setting up Proxy NDP...";
 	    emit  ( "if [ -f /proc/sys/net/ipv$family/conf/$physical/$proc_file ]; then" ,
 		    "    echo 1 > /proc/sys/net/ipv$family/conf/$physical/$proc_file" );
 	    emit  ( 'else' ,
 		    "    error_message \"    WARNING: Cannot set the '$file_opt' option for interface $physical\"" ) unless interface_is_optional( $interface );
 	    emit    "fi\n";
 	}
-	for my $interface ( @$interfaces ) {
+	    for my $interface ( @$interfaces ) {
-	    my $value = get_interface_option $interface, $file_opt;
+		my $value = get_interface_option $interface, 'proxyndp';
-	    my $optional = interface_is_optional $interface;
+		my $optional = interface_is_optional $interface;
-	    $interface = get_physical $interface;
+		$interface = get_physical $interface;
-	    emit ( "if [ -f /proc/sys/net/ipv$family/conf/$interface/$proc_file ] ; then" ,
+		emit ( "if [ -f /proc/sys/net/ipv6/conf/$interface/proxy_ndp ] ; then" ,
-		   "    echo $value > /proc/sys/net/ipv$family/conf/$interface/$proc_file" );
+		   "    echo $value > /proc/sys/net/ipv6/conf/$interface/proxy_ndp" );
-	    emit ( 'else' ,
+		emit ( 'else' ,
-		   "    error_message \"WARNING: Unable to set/reset the '$file_opt' option on $interface\"" ) unless $optional;
+		       "    error_message \"WARNING: Unable to set/reset Proxy NDP on $interface\"" ) unless $optional;
-	    emit   "fi\n";
+		emit   "fi\n";
 	    }
 	}
    }
 }
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -34,7 +34,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_13';
 #
 # Notrack
@@ -76,25 +76,24 @@ sub process_notrack_rule( $$$$$$ ) {
 sub setup_notrack() {
-    if ( my $fn = open_file 'notrack' ) {
+    my $fn = open_file 'notrack';
-	first_entry "$doing $fn...";
+    first_entry "$doing $fn...";
-	my $nonEmpty = 0;
+    my $nonEmpty = 0;
-	while ( read_a_line ) {
+    while ( read_a_line ) {
-	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+	my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 1, 6, 'Notrack File';
-	    if ( $source eq 'COMMENT' ) {
+	if ( $source eq 'COMMENT' ) {
-		process_comment;
+	    process_comment;
-	    } else {
+	} else {
-		process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
+	    process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
 	    }
 	}
 	clear_comment;
    }
    clear_comment;
 }
 1;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -28,14 +28,13 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::Rules;
 use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tunnels );
 our @EXPORT_OK = ( );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_13';
 #
 # Here starts the tunnel stuff -- we really should get rid of this crap...
@@ -62,47 +61,47 @@ sub setup_tunnels() {
 	    }
 	}
-	my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
+	my $options = $globals{UNTRACKED} ? "-m state --state NEW,UNTRACKED -j ACCEPT" : "$globals{STATEMATCH} NEW -j ACCEPT";
-	add_tunnel_rule $inchainref,  p => 50, @$source;
+	add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
-	add_tunnel_rule $outchainref, p => 50, @$dest;
+	add_tunnel_rule $outchainref, "-p 50 $dest   -j ACCEPT";
 	unless ( $noah ) {
-	    add_tunnel_rule $inchainref,  p => 51, @$source;
+	    add_tunnel_rule $inchainref,  "-p 51 $source -j ACCEPT";
-	    add_tunnel_rule $outchainref, p => 51, @$dest;
+	    add_tunnel_rule $outchainref, "-p 51 $dest   -j ACCEPT";
 	}
 	if ( $kind eq 'ipsec' ) {
-	    add_tunnel_rule $inchainref,  p => 'udp --dport 500', @$source, @options;
+	    add_tunnel_rule $inchainref,  "-p udp $source --dport 500 $options";
-	    add_tunnel_rule $outchainref, p => 'udp --dport 500', @$dest,   @options;
+	    add_tunnel_rule $outchainref, "-p udp $dest   --dport 500 $options";
 	} else {
-	    add_tunnel_rule $inchainref,  p => 'udp', @$source, multiport => '--dports 500,4500', @options;
+	    add_tunnel_rule $inchainref,  "-p udp $source -m multiport --dports 500,4500 $options";
-	    add_tunnel_rule $outchainref, p => 'udp', @$dest,   multiport => '--dports 500,4500', @options;
+	    add_tunnel_rule $outchainref, "-p udp $dest   -m multiport --dports 500,4500 $options";
 	}
 	unless ( $gatewayzones eq '-' ) {
 	    for my $zone ( split_list $gatewayzones, 'zone' ) {
 		my $type = zone_type( $zone );
 		fatal_error "Invalid zone ($zone) for GATEWAY ZONE" if $type == FIREWALL || $type == BPORT;
-		$inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
+		$inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
-		$outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
+		$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
 		unless ( have_ipsec ) {
-		    add_tunnel_rule $inchainref,  p => 50, @$source;
+		    add_tunnel_rule $inchainref,  "-p 50 $source -j ACCEPT";
-		    add_tunnel_rule $outchainref, p => 50, @$dest;
+		    add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
 		    unless ( $noah ) {
-			add_tunnel_rule $inchainref,  p => 51, @$source;
+			add_tunnel_rule $inchainref,  "-p 51 $source -j ACCEPT";
-			add_tunnel_rule $outchainref, p => 51, @$dest;
+			add_tunnel_rule $outchainref, "-p 51 $dest -j ACCEPT";
 		    }
 		}
 		if ( $kind eq 'ipsec' ) {
-		    add_tunnel_rule $inchainref,  p => 'udp --dport 500', @$source, @options;
+		    add_tunnel_rule $inchainref,  "-p udp $source --dport 500 $options";
-		    add_tunnel_rule $outchainref, p => 'udp --dport 500', @$dest,   @options;
+		    add_tunnel_rule $outchainref, "-p udp $dest --dport 500 $options";
 		} else {
-		    add_tunnel_rule $inchainref,  p => 'udp', @$source, multiport => '--dports 500,4500', @options;
+		    add_tunnel_rule $inchainref,  "-p udp $source -m multiport --dports 500,4500 $options";
-		    add_tunnel_rule $outchainref, p => 'udp', @$dest,   multiport => '--dports 500,4500', @options;
+		    add_tunnel_rule $outchainref, "-p udp $dest -m multiport --dports 500,4500 $options";
 		}
 	    }
 	}
@@ -111,24 +110,24 @@ sub setup_tunnels() {
    sub setup_one_other {
 	my ($inchainref, $outchainref, $source, $dest , $protocol) = @_;
-	add_tunnel_rule $inchainref ,  p => $protocol, @$source;
+	add_tunnel_rule $inchainref ,  "-p $protocol $source -j ACCEPT";
-	add_tunnel_rule $outchainref , p => $protocol, @$dest;
+	add_tunnel_rule $outchainref , "-p $protocol $dest -j ACCEPT";
    }
    sub setup_pptp_client {
 	my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
-	add_tunnel_rule $outchainref,  p => 47, @$dest;
+	add_tunnel_rule $outchainref,  "-p 47 $dest -j ACCEPT";
-	add_tunnel_rule $inchainref,   p => 47, @$source;
+	add_tunnel_rule $inchainref,   "-p 47 $source -j ACCEPT";
-	add_tunnel_rule $outchainref,  p => 'tcp --dport 1723', @$dest;
+	add_tunnel_rule $outchainref,  "-p tcp --dport 1723 $dest -j ACCEPT"
-    }
+	}
    sub setup_pptp_server {
 	my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
-	add_tunnel_rule $inchainref,  p => 47, @$dest;
+	add_tunnel_rule $inchainref,  "-p 47 $dest -j ACCEPT";
-	add_tunnel_rule $outchainref, p => 47, @$source;
+	add_tunnel_rule $outchainref, "-p 47 $source -j ACCEPT";
-	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$dest
+	add_tunnel_rule $inchainref,  "-p tcp --dport 1723 $dest -j ACCEPT"
 	}
    sub setup_one_openvpn {
@@ -141,10 +140,10 @@ sub setup_tunnels() {
 	fatal_error "Invalid port ($p:$remainder)" if defined $remainder;
-	if ( supplied $p ) {
+	if ( defined $p && $p ne '' ) {
 	    $port = $p;
 	    $protocol = $proto;
-	} elsif ( supplied $proto ) {
+	} elsif ( defined $proto && $proto ne '' ) {
 	    if ( "\L$proto" =~ /udp|tcp/ ) {
 		$protocol = $proto;
 	    } else {
@@ -152,8 +151,8 @@ sub setup_tunnels() {
 	    }
 	}
-	add_tunnel_rule $inchainref,  p => "$protocol --dport $port", @$source;
+	add_tunnel_rule $inchainref,  "-p $protocol $source --dport $port -j ACCEPT";
-	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;;
+	add_tunnel_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
    }
    sub setup_one_openvpn_client {
@@ -166,10 +165,10 @@ sub setup_tunnels() {
 	fatal_error "Invalid port ($p:$remainder)" if defined $remainder;
-	if ( supplied $p ) {
+	if ( defined $p && $p ne '' ) {
 	    $port = $p;
 	    $protocol = $proto;
-	} elsif ( supplied $proto ) {
+	} elsif ( defined $proto && $proto ne '' ) {
 	    if ( "\L$proto" =~ /udp|tcp/ ) {
 		$protocol = $proto;
 	    } else {
@@ -177,8 +176,8 @@ sub setup_tunnels() {
 	    }
 	}
-	add_tunnel_rule $inchainref,  p => "$protocol --sport $port", @$source;
+	add_tunnel_rule $inchainref,  "-p $protocol $source --sport $port -j ACCEPT";
-	add_tunnel_rule $outchainref, p => "$protocol --dport $port", @$dest;
+	add_tunnel_rule $outchainref, "-p $protocol $dest --dport $port -j ACCEPT";
    }
    sub setup_one_openvpn_server {
@@ -191,10 +190,10 @@ sub setup_tunnels() {
 	fatal_error "Invalid port ($p:$remainder)" if defined $remainder;
-	if ( supplied $p ) {
+	if ( defined $p && $p ne '' ) {
 	    $port = $p;
 	    $protocol = $proto;
-	} elsif ( supplied $proto ) {
+	} elsif ( defined $proto && $proto ne '' ) {
 	    if ( "\L$proto" =~ /udp|tcp/ ) {
 		$protocol = $proto;
 	    } else {
@@ -202,8 +201,8 @@ sub setup_tunnels() {
 	    }
 	}
-	add_tunnel_rule $inchainref,  p => "$protocol --dport $port" , @$source;
+	add_tunnel_rule $inchainref,  "-p $protocol $source --dport $port -j ACCEPT";
-	add_tunnel_rule $outchainref, p => "$protocol --sport $port",  @$dest;
+	add_tunnel_rule $outchainref, "-p $protocol $dest --sport $port -j ACCEPT";
    }
    sub setup_one_l2tp {
@@ -211,8 +210,8 @@ sub setup_tunnels() {
 	fatal_error "Unknown option ($1)" if $kind =~ /^.*?:(.*)$/;
-	add_tunnel_rule $inchainref,  p => 'udp --sport 1701 --dport 1701', @$source;
+	add_tunnel_rule $inchainref,  "-p udp $source --sport 1701 --dport 1701 -j ACCEPT";
-	add_tunnel_rule $outchainref, p => 'udp --sport 1701 --dport 1701', @$dest;
+	add_tunnel_rule $outchainref, "-p udp $dest   --sport 1701 --dport 1701 -j ACCEPT";
    }
    sub setup_one_generic {
@@ -229,8 +228,8 @@ sub setup_tunnels() {
 	    ( $kind, $protocol ) = split /:/ , $kind if $kind =~ /.*:.*/;
 	}
-	add_tunnel_rule $inchainref,  p => "$protocol $port", @$source;
+	add_tunnel_rule $inchainref,  "-p $protocol $source $port -j ACCEPT";
-	add_tunnel_rule $outchainref, p => "$protocol $port", @$dest;
+	add_tunnel_rule $outchainref, "-p $protocol $dest $port -j ACCEPT";
    }
    sub setup_one_tunnel($$$$) {
@@ -240,27 +239,26 @@ sub setup_tunnels() {
 	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
-	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
+	my $inchainref  = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
-	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
+	my $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
 	$gateway = ALLIP if $gateway eq '-';
-	my @source = imatch_source_net $gateway;
+	my $source = match_source_net $gateway;
-	my @dest   = imatch_dest_net   $gateway;
+	my $dest   = match_dest_net   $gateway;
-	my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+	my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, $source, $dest , $gatewayzones ] } ,
-			    'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+			    'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, $source, $dest , $gatewayzones ] } ,
-			    'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
+			    'ipip'          => { function => \&setup_one_other,          params   => [ $source, $dest , 4 ] } ,
-			    'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
+			    'gre'           => { function => \&setup_one_other,          params   => [ $source, $dest , 47 ] } ,
-			    '6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+			    '6to4'          => { function => \&setup_one_other,          params   => [ $source, $dest , 41 ] } ,
-			    '6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, $source, $dest ] } ,
-			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
+			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, $source, $dest ] } ,
-			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
+			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, $source, $dest ] } ,
-			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
+			    'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, $source, $dest ] } ,
-			    'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
+			    'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, $source, $dest ] } ,
-			    'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
+			    'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, $source, $dest ] } ,
-			    'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, \@source, \@dest ] } ,
+			    'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, $source, $dest ] } ,
 			    'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, \@source, \@dest ] } ,
 			  );
 	$kind = "\L$kind";
@@ -279,26 +277,22 @@ sub setup_tunnels() {
    #
    # Setup_Tunnels() Starts Here
    #
-    if ( my $fn = open_file 'tunnels' ) {
+    my $fn = open_file 'tunnels';
-	first_entry "$doing $fn...";
+    first_entry "$doing $fn...";
-	while ( read_a_line ) {
+    while ( read_a_line ) {
-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateway_zone => 3 };
+	my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 2, 4, 'tunnels file';
-	    fatal_error 'TYPE must be specified' if $kind eq '-';
+	if ( $kind eq 'COMMENT' ) {
-	    fatal_error 'ZONE must be specified' if $zone eq '-';
+	    process_comment;
-
+	} else {
-	    if ( $kind eq 'COMMENT' ) {
+	    setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
 		process_comment;
 	    } else {
 		setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
 	    }
 	}
 	clear_comment;
    }
    clear_comment;
 }
 1;
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -73,9 +73,7 @@ our @EXPORT = qw( NOTHING
 		  find_interfaces_by_option
 		  find_interfaces_by_option1
 		  get_interface_option
 		  interface_has_option
 		  set_interface_option
 		  interface_zones
 		  verify_required_interfaces
 		  compile_updown
 		  validate_hosts_file
@@ -86,7 +84,7 @@ our @EXPORT = qw( NOTHING
 		 );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = 'MODULEVERSION';
+our $VERSION = '4.4_13';
 #
 # IPSEC Option types
@@ -130,11 +128,11 @@ use constant { NOTHING    => 'NOTHING',
 #
 #     $firewall_zone names the firewall zone.
 #
-my @zones;
+our @zones;
-my %zones;
+our %zones;
-my $firewall_zone;
+our $firewall_zone;
-my  %reservedName = ( all => 1,
+our %reservedName = ( all => 1,
 		      any => 1,
 		      none => 1,
 		      SOURCE => 1,
@@ -148,38 +146,32 @@ my  %reservedName = ( all => 1,
 #     %interfaces { <interface1> => { name        => <name of interface>
 #                                     root        => <name without trailing '+'>
 #                                     options     => { port => undef|1
-#                                                    { <option1> } => <val1> ,          #See %validinterfaceoptions
+#                                                      <option1> = <val1> ,          #See %validinterfaceoptions
 #                                                      ...
 #                                                    }
 #                                     zone        => <zone name>
 #                                     multizone   => undef|1   #More than one zone interfaces through this interface
 #                                     nets        => <number of nets in interface/hosts records referring to this interface>
-#                                     bridge      => <bridge name>
+#                                     bridge      => <bridge>
 #                                     ports       => <number of port on this bridge>
 #                                     ipsec       => undef|1 # Has an ipsec host group
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
 #
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
-#    the same order as the interfaces are encountered in the configuration files.
+#    the same order as the interfaces are encountered in the configuration files. 
 #
-my @interfaces;
+our @interfaces;
-my %interfaces;
+our %interfaces;
-my %roots;
+our @bport_zones;
-my @bport_zones;
+our %ipsets;
-my %ipsets;
+our %physical;
-my %physical;
+our %basemap;
-my %basemap;
+our %mapbase;
-my %mapbase;
+our $family;
-my $family;
+our $have_ipsec;
-my $have_ipsec;
+our $baseseq;
 my $baseseq;
 my $minroot;
 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -200,16 +192,15 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IF_OPTION_ZONEONLY => 8,
 	       IF_OPTION_HOST     => 16,
 	       IF_OPTION_VSERVER  => 32,
 	       IF_OPTION_WILDOK   => 64
 	   };
-my %validinterfaceoptions;
+our %validinterfaceoptions;
-my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
+our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
-my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
-my %validhostoptions;
+our %validhostoptions;
 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -229,7 +220,6 @@ sub initialize( $ ) {
    $have_ipsec = undef;
    @interfaces = ();
    %roots = ();
    %interfaces = ();
    @bport_zones = ();
    %ipsets = ();
@@ -237,7 +227,6 @@ sub initialize( $ ) {
    %basemap = ();
    %mapbase = ();
    $baseseq = 0;
    $minroot = 0;
    if ( $family == F_IPV4 ) {
 	%validinterfaceoptions = (arp_filter  => BINARY_IF_OPTION,
@@ -256,14 +245,13 @@ sub initialize( $ ) {
 				  required    => SIMPLE_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				  routefilter => NUMERIC_IF_OPTION ,
 				  sfilter     => IPLIST_IF_OPTION,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  upnp        => SIMPLE_IF_OPTION,
 				  upnpclient  => SIMPLE_IF_OPTION,
-				  mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				  mss         => NUMERIC_IF_OPTION,
-				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST,
+				  physical    => STRING_IF_OPTION + IF_OPTION_HOST,
-				  wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				  wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -286,13 +274,12 @@ sub initialize( $ ) {
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
-				    mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				    mss         => NUMERIC_IF_OPTION,
 				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
-				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				    wait        => NUMERIC_IF_OPTION,
 				 );
 	%validhostoptions = (
 			     blacklist => 1,
@@ -309,7 +296,7 @@ sub initialize( $ ) {
 # => mss   = <MSS setting>
 # => ipsec = <-m policy arguments to match options>
 #
-sub parse_zone_option_list($$\$)
+sub parse_zone_option_list($$)
 {
    my %validoptions = ( mss          => NUMERIC,
 			 blacklist    => NOTHING,
@@ -323,13 +310,13 @@ sub parse_zone_option_list($$\$)
 			 "tunnel-dst" => NETWORK,
 		       );
-    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8 };
+    use constant { UNRESTRICTED => 1, NOFW => 2 };
    #
    # Hash of options that have their own key in the returned hash.
    #
-    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW );
+    my %key = ( mss => UNRESTRICTED , blacklist => NOFW );
-    my ( $list, $zonetype, $complexref ) = @_;
+    my ( $list, $zonetype ) = @_;
    my %h;
    my $options = '';
    my $fmt;
@@ -359,18 +346,14 @@ sub parse_zone_option_list($$\$)
 		fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
 	    }
-	    my $key = $key{$e};
+	    if ( $key{$e} ) {
-
+		fatal_error "Option '$e' not permitted with this zone type " if $key{$e} == NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
 	    if ( $key ) {
 		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
 		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
 		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
 		$options .= $invert;
 		$options .= "--$e ";
 		$options .= "$val "if defined $val;
 		$$complexref = 1;
 	    }
 	}
    }
@@ -402,10 +385,7 @@ sub process_zone( \$ ) {
    my @parents;
-    my ($zone, $type, $options, $in_options, $out_options ) =
+    my ($zone, $type, $options, $in_options, $out_options ) = split_line 1, 5, 'zones file';
 	split_line 'zones file', { zone => 0, type => 1, options => 2, in_options => 3, out_options => 4 };
    fatal_error 'ZONE must be specified' if $zone eq '-';
    if ( $zone =~ /(\w+):([\w,]+)/ ) {
 	$zone = $1;
@@ -440,7 +420,7 @@ sub process_zone( \$ ) {
 	fatal_error 'Firewall zone may not be nested' if @parents;
 	fatal_error "Only one firewall zone may be defined ($zone)" if $firewall_zone;
 	$firewall_zone = $zone;
-	add_param( FW => $zone );
+	$ENV{FW} = $zone;
 	$type = FIREWALL;
    } elsif ( $type eq 'vserver' ) {
 	fatal_error 'Vserver zones may not be nested' if @parents;
@@ -459,15 +439,13 @@ sub process_zone( \$ ) {
 	}
    }
    my $complex = 0;
    my $zoneref = $zones{$zone} = { type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
-				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex ) ,
+				    options    => { in_out  => parse_zone_option_list( $options || '', $type ) ,
-						    in      => parse_zone_option_list( $in_options , $type , $complex ) ,
+						    in      => parse_zone_option_list( $in_options || '', $type ) ,
-						    out     => parse_zone_option_list( $out_options , $type , $complex ) ,
+						    out     => parse_zone_option_list( $out_options || '', $type ) ,
-						    complex => ( $type == IPSEC || $complex ) ,
+						    complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
 						    nested  => @parents > 0 ,
 						    super   => 0 ,
 						  } ,
@@ -497,12 +475,11 @@ sub determine_zones()
    my @z;
    my $ip = 0;
-    if ( my $fn = open_file 'zones' ) {
+    my $fn = open_file 'zones';
-	first_entry "$doing $fn...";
+
-	push @z, process_zone( $ip ) while read_a_line;
+    first_entry "$doing $fn...";
-    } else {
+
-	fatal_error q(The 'zones' file does not exist or has zero size);
+    push @z, process_zone( $ip ) while read_a_line;
    }
    fatal_error "No firewall zone defined" unless $firewall_zone;
    fatal_error "No IP zones defined" unless $ip;
@@ -679,7 +656,6 @@ sub add_group_to_zone($$$$$)
    my $interfaceref;
    my $zoneref  = $zones{$zone};
    my $zonetype = $zoneref->{type};
    $zoneref->{interfaces}{$interface} = 1;
@@ -692,11 +668,9 @@ sub add_group_to_zone($$$$$)
    for my $host ( @$networks ) {
 	$interfaceref = $interfaces{$interface};
 	$interfaceref->{zones}{$zone} = 1;
 	$interfaceref->{nets}++;
-	fatal_error "Invalid Host List" unless supplied $host;
+	fatal_error "Invalid Host List" unless defined $host and $host ne '';
 	if ( substr( $host, 0, 1 ) eq '!' ) {
 	    fatal_error "Only one exclusion allowed in a host list" if $switched;
@@ -724,7 +698,7 @@ sub add_group_to_zone($$$$$)
 	}
 	if ( substr( $host, 0, 1 ) eq '+' ) {
-	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z]\w*$/;
+	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+[a-zA-Z]\w*$/;
 	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
 	} else {
 	    validate_host $host, 0;
@@ -749,8 +723,6 @@ sub add_group_to_zone($$$$$)
 			     hosts   => \@newnetworks,
 			     ipsec   => $type == IPSEC ? 'ipsec' : 'none' ,
 			     exclusions => \@exclusions };
    $interfaces{$interface}{options}{routeback} ||= ( $type != IPSEC && $options->{routeback} );
 }
 #
@@ -829,7 +801,7 @@ sub chain_base($) {
    #
    return $name if $name;
    #
-    # Remember initial value
+    # Remember initial value 
    #
    my $key = $chain;
    #
@@ -838,7 +810,7 @@ sub chain_base($) {
    $chain =~ s/\+$//;
    $chain =~ tr/./_/;
-    if ( $chain eq '' || $chain =~ /^[0-9]/ || $chain =~ /[^\w]/ ) {
+    if ( $chain =~ /^[0-9]/ || $chain =~ /[^\w]/ ) {
 	#
 	# Must map. Remove all illegal characters
 	#
@@ -872,9 +844,8 @@ sub chain_base($) {
 #
 sub process_interface( $$ ) {
    my ( $nextinum, $export ) = @_;
-    my $netsref   = '';
+    my $netsref = '';
-    my $filterref = [];
+    my ($zone, $originalinterface, $bcasts, $options ) = split_line 2, 4, 'interfaces file';
    my ($zone, $originalinterface, $bcasts, $options ) = split_line 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
    my $zoneref;
    my $bridge = '';
@@ -887,22 +858,19 @@ sub process_interface( $$ ) {
 	fatal_error "Firewall zone not allowed in ZONE column of interface record" if $zoneref->{type} == FIREWALL;
    }
    fatal_error 'INTERFACE must be specified' if $originalinterface eq '-';
    my ($interface, $port, $extra) = split /:/ , $originalinterface, 3;
    fatal_error "Invalid INTERFACE ($originalinterface)" if ! $interface || defined $extra;
-    if ( supplied $port ) {
+    if ( defined $port && $port ne '' ) {
 	fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
 	require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
-	fatal_error "Your iptables is not recent enough to support bridge ports" unless $globals{KLUDGEFREE};
+	fatal_error "Your iptables is not recent enough to support bridge ports" unless have_capability( 'KLUDGEFREE' );
 	fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
 	fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
 	fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
 	$interfaces{$interface}{ports}++;
 	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
 	if ( $zone ) {
@@ -911,7 +879,7 @@ sub process_interface( $$ ) {
 	    } else {
 		$zoneref->{bridge} = $interface;
 	    }
-
+	    
 	    fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} == VSERVER;
 	}
@@ -931,14 +899,6 @@ sub process_interface( $$ ) {
    if ( $interface =~ /\+$/ ) {
 	$wildcard = 1;
 	$root = substr( $interface, 0, -1 );
 	$roots{$root} = $interface;
 	my $len = length $root;
 	if ( $minroot ) {
 	    $minroot = $len if $minroot > $len;
 	} else {
 	    $minroot = $len;
 	}
    } else {
 	$root = $interface;
    }
@@ -987,7 +947,7 @@ sub process_interface( $$ ) {
 	    if ( $zone ) {
 		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} == VSERVER && ! ( $type & IF_OPTION_VSERVER );
-	    } else {
+	    } else { 
 		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
 	    }
@@ -1031,7 +991,6 @@ sub process_interface( $$ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
 		fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK; 
 		$value = $defaultinterfaceoptions{$option} unless defined $value;
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
@@ -1066,9 +1025,6 @@ sub process_interface( $$ ) {
 		    # Assume 'broadcast'
 		    #
 		    $hostoptions{broadcast} = 1;
 		} elsif ( $option eq 'sfilter' ) {
 		    $filterref = [ split_list $value, 'address' ];
 		    validate_net( $_, 1) for @{$filterref}
 		} else {
 		    assert(0);
 		}
@@ -1093,7 +1049,7 @@ sub process_interface( $$ ) {
 	fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};
 	if ( $netsref eq 'dynamic' ) {
-	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
+	    my $ipset = "${zone}_" . chain_base $physical;
 	    $netsref = [ "+$ipset" ];
 	    $ipsets{$ipset} = 1;
 	}
@@ -1116,7 +1072,6 @@ sub process_interface( $$ ) {
    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
 						       bridge     => $bridge ,
 						       filter     => $filterref ,
 						       nets       => 0 ,
 						       number     => $nextinum ,
 						       root       => $root ,
@@ -1124,8 +1079,7 @@ sub process_interface( $$ ) {
 						       options    => \%options ,
 						       zone       => '',
 						       physical   => $physical ,
-						       base       => chain_base( $physical ),
+						       base       => chain_base( $physical )
 						       zones      => {},
 						     };
    if ( $zone ) {
@@ -1148,16 +1102,16 @@ sub process_interface( $$ ) {
 #
 sub validate_interfaces_file( $ ) {
    my $export = shift;
-    
+
    my $fn = open_file 'interfaces';
    my @ifaces;
    my $nextinum = 1;
-    if ( my $fn = open_file 'interfaces' ) {
+    first_entry "$doing $fn...";
-	first_entry "$doing $fn...";
+
-	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
+    push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
    } else {
 	fatal_error q(The 'interfaces' file does not exist or has zero size);
    }
    #
    # We now assemble the @interfaces array such that bridge ports immediately precede their associated bridge
@@ -1221,36 +1175,35 @@ sub map_physical( $$ ) {
 #
 # Returns true if passed interface matches an entry in /etc/shorewall/interfaces
 #
-# If the passed name matches a wildcard, an entry for the name is added to %interfaces.
+# If the passed name matches a wildcard and 'cache' is true, an entry for the name is added in 
 # %interfaces.
 #
-sub known_interface($)
+sub known_interface($;$)
 {
-    my $interface = shift;
+    my ( $interface, $cache ) = @_;
    my $interfaceref = $interfaces{$interface};
    return $interfaceref if $interfaceref;
    fatal_error "Invalid interface ($interface)" if $interface =~ /\*/;
-    my $iface = $interface;
+    for my $i ( @interfaces ) {
 	$interfaceref = $interfaces{$i};
 	my $root = $interfaceref->{root};
 	if ( $i ne $root && substr( $interface, 0, length $root ) eq $root ) {
 	    my $physical = map_physical( $interface, $interfaceref );
 	    my $copyref = { options  => $interfaceref->{options},
 			    bridge   => $interfaceref->{bridge} ,
 			    name     => $i ,
 			    number   => $interfaceref->{number} ,
 			    physical => $physical ,
 			    base     => chain_base( $physical ) ,
 			  };
-    if ( $minroot ) {
+	    $interfaces{$interface} = $copyref if $cache;
 	while ( length $iface > $minroot ) {
 	    chop $iface;
 	    if ( my $i = $roots{$iface} ) {
 		$interfaceref = $interfaces{$i};
-		my $physical = map_physical( $interface, $interfaceref );
+	    return $copyref;
 		return $interfaces{$interface} = { options  => $interfaceref->{options} ,
 						   bridge   => $interfaceref->{bridge} ,
 						   name     => $i ,
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
 						   base     => chain_base( $physical ) ,
 						 };
 	    }
 	}
    }
@@ -1331,16 +1284,6 @@ sub source_port_to_bridge( $ ) {
    return $portref ? $portref->{bridge} : '';
 }
 #
 # Returns a hash reference for the zones interface through the interface
 #
 sub interface_zones( $ ) {
    my $interfaceref = $interfaces{(shift)};
    $interfaceref->{zones};
 }
 #
 # Return the 'optional' setting of the passed interface
 #
@@ -1381,7 +1324,8 @@ sub find_interfaces_by_option1( $ ) {
    my @ints = ();
    my $wild = 0;
-    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} } keys %interfaces ) {
+    for my $interface ( sort { $interfaces{$a}->{number} <=> $interfaces{$b}->{number} }
 			keys %interfaces ) {
 	my $interfaceref = $interfaces{$interface};
 	next unless defined $interfaceref->{physical};
@@ -1405,30 +1349,7 @@ sub find_interfaces_by_option1( $ ) {
 sub get_interface_option( $$ ) {
    my ( $interface, $option ) = @_;
-    my $ref = $interfaces{$interface};
+    $interfaces{$interface}{options}{$option};
    return $ref->{options}{$option} if $ref;
    assert( $ref = known_interface( $interface ) );
    $ref->{options}{$option};
 }
 #
 # Return the value of an option for an interface
 #
 sub interface_has_option( $$\$ ) {
    my ( $interface, $option, $value ) = @_;
    my $ref = $interfaces{$interface};
    $ref = known_interface( $interface ) unless $ref;
    if ( exists $ref->{options}{$option} ) {
 	$$value = $ref->{options}{$option};
 	1;
    }
 }
 #
@@ -1468,7 +1389,7 @@ sub verify_required_interfaces( $ ) {
 	    my $wait = $interfaces{$interface}{options}{wait};
 	    emit q() unless $first-- > 0;
-
+	    
 	    if ( $wait ) {
 		my $physical = get_physical $interface;
@@ -1507,7 +1428,7 @@ sub verify_required_interfaces( $ ) {
 	}
 	emit( ";;\n" );
-
+	
 	pop_indent;
 	pop_indent;
@@ -1732,10 +1653,7 @@ sub compile_updown() {
 #
 sub process_host( ) {
    my $ipsec = 0;
-    my ($zone, $hosts, $options ) = split_line 'hosts file', { zone => 0, hosts => 1, options => 2 };
+    my ($zone, $hosts, $options ) = split_line 2, 3, 'hosts file';
    fatal_error 'ZONE must be specified'  if $zone eq '-';
    fatal_error 'HOSTS must be specified' if $hosts eq '-';
    my $zoneref = $zones{$zone};
    my $type    = $zoneref->{type};
@@ -1743,42 +1661,34 @@ sub process_host( ) {
    fatal_error "Unknown ZONE ($zone)" unless $type;
    fatal_error 'Firewall zone not allowed in ZONE column of hosts record' if $type == FIREWALL;
-    my ( $interface, $interfaceref );
+    my $interface;
    if ( $family == F_IPV4 ) {
 	if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
 	    $interface = $1;
 	    $hosts = $2;
-	    fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
+	    $zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
 	    fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
-    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/   ||
+    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>\s*$/ || $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]\s*$/   ) {
 	      $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
 	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/   ||
 	      $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
 	$interface = $1;
 	$hosts = $2;
-
+	$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
-	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
+	fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
    } else {
-	fatal_error "Invalid HOST(S) column contents: $hosts" 
+	fatal_error "Invalid HOST(S) column contents: $hosts";
    }
    if ( $hosts =~ /^!?\+/ ) {
 	$zoneref->{options}{complex} = 1;
 	fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
 	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
    }
    if ( $type == BPORT ) {
 	if ( $zoneref->{bridge} eq '' ) {
-	    fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port};
+	    fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaces{$interface}{options}{port};
 	    $zoneref->{bridge} = $interfaces{$interface}{bridge};
-	} elsif ( $zoneref->{bridge} ne $interfaceref->{bridge} ) {
+	} elsif ( $zoneref->{bridge} ne $interfaces{$interface}{bridge} ) {
 	    fatal_error "Interface $interface is not a port on bridge $zoneref->{bridge}";
 	}
-    }
+    } 
    my $optionsref = { dynamic => 0 };
@@ -1791,7 +1701,7 @@ sub process_host( ) {
 		require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's';
 		$type = IPSEC;
 		$zoneref->{options}{complex} = 1;
-		$ipsec = $interfaceref->{ipsec} = 1;
+		$ipsec = 1;
 	    } elsif ( $option eq 'norfc1918' ) {
 		warning_message "The 'norfc1918' host option is no longer supported"
 	    } elsif ( $option eq 'blacklist' ) {
@@ -1804,7 +1714,7 @@ sub process_host( ) {
 	    }
 	}
-	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER;
+	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER; 
 	$optionsref = \%options;
    }
@@ -1827,13 +1737,12 @@ sub process_host( ) {
    if ( $hosts eq 'dynamic' ) {
 	fatal_error "Vserver zones may not be dynamic" if $type == VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	my $physical = chain_base( physical_name $interface );
+	my $physical = physical_name $interface;
-	my $set      = $family == F_IPV4 ? "${zone}_${physical}" : "6_${zone}_${physical}";
+	$hosts = "+${zone}_${physical}";
 	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
-	$ipsets{$set} = 1;
+	$ipsets{"${zone}_${physical}"} = 1;
    }
    }
    #
    # We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
    #
@@ -1853,15 +1762,14 @@ sub validate_hosts_file()
 {
    my $ipsec = 0;
-    if ( my $fn = open_file 'hosts' ) {
+    my $fn = open_file 'hosts';
-	first_entry "$doing $fn...";
+
-	$ipsec |= process_host while read_a_line;
+    first_entry "$doing $fn...";
-    }
+
    $ipsec |= process_host while read_a_line;
    $have_ipsec = $ipsec || haveipseczones;
    $_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
 }
 #
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -54,15 +54,12 @@ sub usage( $ ) {
    [ --verbose={-1|0-2} ]
    [ --timestamp ]
    [ --debug ]
    [ --confess ]
    [ --refresh=<chainlist> ]
    [ --log=<filename> ]
    [ --log-verbose={-1|0-2} ]
    [ --test ]
    [ --preview ]
    [ --family={4|6} ]
    [ --annotate ]
    [ --updatee ]
 ';
    exit shift @_;
@@ -76,16 +73,13 @@ my $shorewall_dir = '';
 my $verbose       = 0;
 my $timestamp     = 0;
 my $debug         = 0;
-my $confess       = 0;
+my $chains        = '';
 my $chains        = ':none:';
 my $log           = '';
 my $log_verbose   = 0;
 my $help          = 0;
 my $test          = 0;
 my $family        = 4; # F_IPV4
 my $preview       = 0;
 my $annotate      = 0;
 my $update        = 0;
 Getopt::Long::Configure ('bundling');
@@ -109,12 +103,6 @@ my $result = GetOptions('h'               => \$help,
 			'preview'         => \$preview,
 			'f=i'             => \$family,
 			'family=i'        => \$family,
 			'c'               => \$confess,
 			'confess'         => \$confess,
 			'a'               => \$annotate,
 			'annotate'        => \$annotate,
 			'u'               => \$update,
 			'update'          => \$update,
 		       );
 usage(1) unless $result && @ARGV < 2;
@@ -131,8 +119,4 @@ compiler( script          => $ARGV[0] || '',
 	  log_verbosity   => $log_verbose,
 	  test            => $test,
 	  preview         => $preview,
-	  family          => $family,
+	  family          => $family );
 	  confess         => $confess,
 	  update          => $update,
 	  annotate        => $annotate,
 	);
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -1,46 +0,0 @@
 #!/bin/sh
 #
 #     The Shoreline Firewall Packet Filtering Firewall Param File Helper - V4.4
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
 #	as published by the Free Software Foundation.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #  Parameters:
 #
 #      $1 = Path name of params file
 #      $2 = $CONFIG_PATH
 #      $3 = Address family (4 o4 6)
 #
 if [ "$3" = 6 ]; then
    . /usr/share/shorewall6/lib.base
    . /usr/share/shorewall6/lib.cli
 else
    . /usr/share/shorewall/lib.base
    . /usr/share/shorewall/lib.cli
 fi
 CONFIG_PATH="$2"
 set -a
 . $1 >&2 # Avoid spurious output on STDOUT
 set +a
 export -p
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -5,21 +5,7 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ options ] <command>"
+    echo "Usage: $0 [ options ] [ start|stop|clear|down|reset|refresh|restart|status|up|version ]"
    echo 
    echo "<command> is one of:"
    echo "   start"
    echo "   stop"
    echo "   clear"
    echo "   disable <interface>"
    echo "   down <interface>"
    echo "   enable <interface>"
    echo "   reset"
    echo "   refresh"
    echo "   restart"
    echo "   status"
    echo "   up <interface>"
    echo "   version"
    echo
    echo "Options are:"
    echo
@@ -183,10 +169,8 @@ case "$COMMAND" in
 	    detect_configuration
 	    define_firewall
 	    status=$?
-	    if [ $status -eq 0 ]; then
+	    [ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
-		[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+	    progress_message3 "done."
 		progress_message3 "done."
 	    fi
 	fi
 	;;
    stop)
@@ -241,9 +225,9 @@ case "$COMMAND" in
 	define_firewall
 	status=$?
 	if [ -n "$SUBSYSLOCK" ]; then
-	    [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+ 	    [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-	fi
+        fi
-	[ $status -eq 0 ] && progress_message3 "done."
+	progress_message3 "done."
 	;;
    refresh)
 	[ $# -ne 1 ] && usage 2
@@ -252,7 +236,7 @@ case "$COMMAND" in
 	    detect_configuration
 	    define_firewall
 	    status=$?
-	    [ $status -eq 0 ] && progress_message3 "done."
+	    progress_message3 "done."
 	else
 	    echo "$g_product is not running" >&2
 	    status=2
@@ -272,10 +256,10 @@ case "$COMMAND" in
 	progress_message3 "Clearing $g_product...."
 	clear_firewall
 	status=0
-	if [ $status -eq 0 ]; then
+	if [ -n "$SUBSYSLOCK" ]; then
-	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+	    rm -f $SUBSYSLOCK
 	    progress_message3 "done."
 	fi
 	progress_message3 "done."
 	;;
    status)
 	[ $# -ne 1 ] && usage 2
@@ -309,26 +293,6 @@ case "$COMMAND" in
 	updown $@
 	status=0;
 	;;
    enable)
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
 	    detect_configuration
 	    enable_provider $1
 	fi
 	status=0
 	;;
    disable)
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
 	    detect_configuration
 	    disable_provider $1
 	fi
 	status=0
 	;;
    version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION
--- a/Shorewall/Perl/prog.footer6
+++ b/Shorewall/Perl/prog.footer6
@@ -17,28 +17,6 @@ usage() {
    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
 }
 checkkernelversion() {
    local kernel
    kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
    case "$kernel" in 
 	*.*.*)
 	    kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 	    ;;
 	*)
 	    kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
 	    ;;
    esac
    if [ $kernel -lt 20624 ]; then
 	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
 	return 1
    else
 	return 0
    fi
 }
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
@@ -177,43 +155,40 @@ done
 COMMAND="$1"
-
+kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-case "$COMMAND" in
+if [ $kernel -lt 20624 ]; then
-    start)
+    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-	[ $# -ne 1 ] && usage 2
+    status=2
-	if shorewall6_is_started; then
+else
-	    error_message "$g_product is already Running"
+    case "$COMMAND" in
-	    status=0
+	start)
-	else
+	    [ $# -ne 1 ] && usage 2
-	    progress_message3 "Starting $g_product...."
+	    if shorewall6_is_started; then
-	    if checkkernelversion; then
+		error_message "$g_product is already Running"
 		status=0
 	    else
 		progress_message3 "Starting $g_product...."
 		detect_configuration
 		define_firewall
 		status=$?
-		if [ $status -eq 0 ]; then
+		[ -n "$SUBSYSLOCK" -a $status -eq 0 ] && touch $SUBSYSLOCK
-		    [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+		progress_message3 "done."
 		    progress_message3 "done."
 		fi
 	    fi
-	fi
+	    ;;
-	;;
+	stop)
-    stop)
+	    [ $# -ne 1 ] && usage 2
 	[ $# -ne 1 ] && usage 2
 	if checkkernelversion; then
 	    progress_message3 "Stopping $g_product...."
 	    detect_configuration
 	    stop_firewall
 	    status=0
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
-	fi
+	    ;;
-	;;
+ 	reset)
-    reset)
+	    if ! shorewall6_is_started ; then
-	if ! shorewall6_is_started ; then
+		error_message "$g_product is not running"
-	    error_message "$g_product is not running"
+		status=2
-	    status=2
+	    elif [ $# -eq 1 ]; then
 	elif checkkernelversion; then
 	    if [ $# -eq 1 ]; then
 		$IP6TABLES -Z
 		$IP6TABLES -t mangle -Z
 		date > ${VARDIR}/restarted
@@ -236,112 +211,102 @@ case "$COMMAND" in
 		    fi
 		done
 	    fi
-	fi
+	    ;;
-	;;
+	restart)
-    restart)
+	    [ $# -ne 1 ] && usage 2
-	[ $# -ne 1 ] && usage 2
+	    if shorewall6_is_started; then
-	if shorewall6_is_started; then
+		progress_message3 "Restarting $g_product...."
-	    progress_message3 "Restarting $g_product...."
+	    else
-	else
+		error_message "$g_product is not running"
-	    error_message "$g_product is not running"
+		progress_message3 "Starting $g_product...."
-	    progress_message3 "Starting $g_product...."
+		COMMAND=start
-	    COMMAND=start
+	    fi
 	fi
 	if checkkernelversion; then
 	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
            fi
-
+	    progress_message3 "done."
-	    [ $status -eq 0 ] && progress_message3 "done."
+	    ;;
-	fi
+	refresh)
-	;;
+	    [ $# -ne 1 ] && usage 2
-    refresh)
+	    if shorewall6_is_started; then
-	[ $# -ne 1 ] && usage 2
+		progress_message3 "Refreshing $g_product...."
 	if shorewall6_is_started; then
 	    progress_message3 "Refreshing $g_product...."
 	    if checkkernelversion; then
 		detect_configuration
 		define_firewall
 		status=$?
-		[ $status -eq 0 ] && progress_message3 "done."
+		progress_message3 "done."
 	    else
 		echo "$g_product is not running" >&2
 		status=2
 	    fi
-	else
+	    ;;
-	    echo "$g_product is not running" >&2
+	restore)
-	    status=2
+	    [ $# -ne 1 ] && usage 2
 	fi
 	;;
    restore)
 	[ $# -ne 1 ] && usage 2
 	if checkkernelversion; then
 	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
            fi
-	    [ $status -eq 0 ] && progress_message3 "done."
+	    ;;
-	fi
+	clear)
-	;;
+	    [ $# -ne 1 ] && usage 2
-    clear)
+	    progress_message3 "Clearing $g_product...."
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
 	if checkkernelversion; then
 	    clear_firewall
 	    status=0
 	    if [ -n "$SUBSYSLOCK" ]; then
 		rm -f $SUBSYSLOCK
 	    fi
 	    progress_message3 "done."
-	fi
+	    ;;
-	;;
+	status)
-    status)
+	    [ $# -ne 1 ] && usage 2
-	[ $# -ne 1 ] && usage 2
+	    echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
-	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
+	    echo
-	echo
+	    if shorewall6_is_started; then
-	if shorewall6_is_started; then
+		echo "$g_product is running"
-	    echo "$g_product is running"
+		status=0
-	    status=0
+	    else
-	else
+		echo "$g_product is stopped"
-	    echo "$g_product is stopped"
+		status=4
-	    status=4
+	    fi
 	fi
-	if [ -f ${VARDIR}/state ]; then
+	    if [ -f ${VARDIR}/state ]; then
-	    state="$(cat ${VARDIR}/state)"
+		state="$(cat ${VARDIR}/state)"
-	    case $state in
+		case $state in
-		Stopped*|Clear*)
+		    Stopped*|Clear*)
-		    status=3
+			status=3
-		    ;;
+			;;
-	    esac
+		esac
-	else
+	    else
-	    state=Unknown
+		state=Unknown
-	fi
+	    fi
-	echo "State:$state"
+	    echo "State:$state"
-	echo
+	    echo
-	;;
+	    ;;
-    up|down)
+	up|down)
-	[ $# -eq 1 ] && exit 0
+	    [ $# -eq 1 ] && exit 0
-	shift
+	    shift
-	[ $# -ne 1 ] && usage 2
+	    [ $# -ne 1 ] && usage 2
-	updown $1
+	    updown $1
-	status=0
+	    status=0
-	;;
+	    ;;
-    version)
+	version)
-	[ $# -ne 1 ] && usage 2
+	    [ $# -ne 1 ] && usage 2
-	echo $SHOREWALL_VERSION
+	    echo $SHOREWALL_VERSION
-	status=0
+	    status=0
-	;;
+	    ;;
-    help)
+	help)
-	[ $# -ne 1 ] && usage 2
+	    [ $# -ne 1 ] && usage 2
-	usage 0
+	    usage 0
-	;;
+	    ;;
-    *)
+	*)
-	usage 2
+	    usage 2
-	;;
+	    ;;
-esac
+    esac
 fi
 exit $status
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -1,6 +1,8 @@
 #!/bin/sh
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
@@ -111,17 +113,6 @@ find_device() {
    done
 }
 #
 # Find the value 'weight' in the passed arguments then echo the next value
 #
 find_weight() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xweight ] && echo $2 && return
 	shift
    done
 }
 #
 # Find the value 'via' in the passed arguments then echo the next value
 #
@@ -281,7 +272,7 @@ get_interface_bcasts() # $1 = interface
 #
 del_ip_addr() # $1 = address, $2 = interface
 {
-    [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
+    [ $(find_first_interface_address_if_any $2) = $1 ] || qt $IP addr del $1 dev $2
 }
 # Add IP Aliases
@@ -492,8 +483,6 @@ get_device_mtu1() # $1 = device
 # Undo changes to routing
 #
 undo_routing() {
    local undofiles
    local f
    if [ -z "$g_noroutes"  ]; then
 	#
@@ -506,72 +495,49 @@ undo_routing() {
 	#
 	# Restore the rest of the routing table
 	#
-	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
+	if [ -f ${VARDIR}/undo_routing ]; then
-
+	    . ${VARDIR}/undo_routing
-	if [ -n "$undofiles" ]; then
+	    progress_message "Shorewall-generated routing tables and routing rules removed"
-	    for f in $undofiles; do
+	    rm -f ${VARDIR}/undo_routing
 		. $f
 	    done
 	    rm -f $undofiles
            progress_message "Shorewall-generated routing tables and routing rules removed"
 	fi
    fi
 }
 #
 # Save the default route
 #
 save_default_route() {
    awk \
    'BEGIN        {defroute=0;};
     /^default /  {deroute=1; print; next};
     /nexthop/    {if (defroute == 1 ) {print ; next} };
                  { defroute=0; };'
 }
 #
 # Restore the default route that was in place before the initial 'shorewall start'
 #
-replace_default_route() # $1 = USE_DEFAULT_RT
+restore_default_route() {
 {
    #
    # default_route and result are inherited from the caller
    #
    if [ -n "$default_route" ]; then
 	case "$default_route" in
 	    *metric*)
 	        #
 	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
 	        #
 		[ -n "$1" ] && qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		default_route=
 		;;
 	    *)
 		qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		result=0
 		default_route=
 		;;
 	esac
    fi
 }
 restore_default_route() # $1 = USE_DEFAULT_RT
 {
    local result
-    result=1
+    
    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
 	result=1
 	while read route ; do
 	    case $route in
 		default*)
-		    replace_default_route $1
+		    if [ -n "$default_route" ]; then
 			case "$default_route" in
 			    *metric*)
 		                #
 		                # Don't restore a route with a metric -- we only replace the one with metric == 0
 		                #
 				qt $IP -4 route delete default metric 0 && \
 				    progress_message "Default Route with metric 0 deleted"
 				;;
 			    *)
 				qt $IP -4 route replace $default_route && \
 				    result=0 && \
 				    progress_message "Default Route (${default_route# }) restored"
 				;;
 			esac
 			break
 		    fi
 		    default_route="$default_route $route"
 		    ;;
 		*)
@@ -580,80 +546,12 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 	    esac
 	done < ${VARDIR}/default_route
 	replace_default_route $1
 	if [ $result = 1 ]; then
 	    #
 	    # We didn't restore a default route with metric 0
 	    #
 	    if $IP -4 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
 	       #
 	       # But we added a default route with metric 0
 	       #
 	       qt $IP -4 route del default metric 0 && progress_message "Default route with metric 0 deleted"
 	    fi
 	fi
 	rm -f ${VARDIR}/default_route
    fi
    return $result
 }
 #
 # Add an additional gateway to the default route
 #
 add_gateway() # $1 = Delta $2 = Table Number
 {
    local route
    local weight
    local delta
    local dev
    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
    if [ -z "$route" ]; then
 	run_ip route add default scope global table $2 $1
    else
 	delta=$1
 	if ! echo $route | fgrep -q ' nexthop '; then
 	    route=`echo $route | sed 's/via/nexthop via/'`
 	    dev=$(find_device $route)
 	    if [ -f ${VARDIR}/${dev}_weight ]; then
 		weight=`cat ${VARDIR}/${dev}_weight`
 		route="$route weight $weight"
 	    fi
 	fi
 	run_ip route replace default scope global table $2 $route $delta
    fi
 }
 #
 # Remove a gateway from the default route
 #
 delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 {
    local route
    local gateway
    local dev
    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
    gateway=$1
    if [ -n "$route" ]; then
 	if echo $route | fgrep -q ' nexthop '; then
 	    gateway="nexthop $gateway"
 	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
 	    run_ip route replace table $2 $route
 	else
 	    dev=$(find_device $route)
 	    [ "$dev" = "$3" ] && run_ip route delete default table $2
 	fi
    fi
 }
 #
 # Determine the MAC address of the passed IP through the passed interface
 #
@@ -695,8 +593,8 @@ conditionally_flush_conntrack() {
 delete_proxyarp() {
    if [ -f ${VARDIR}/proxyarp ]; then
 	while read address interface external haveroute; do
-	    qtnoin $IP -4 neigh del proxy $address dev $external
+	    qt arp -i $external -d $address pub
-	    [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
+	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address dev $interface
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
@@ -876,17 +774,13 @@ debug_restore_input() {
 	qt1 $IPTABLES -t mangle -P $chain ACCEPT
    done
-    qt1 $IPTABLES -t raw     -F
+    qt1 $IPTABLES -t raw    -F
-    qt1 $IPTABLES -t raw     -X
+    qt1 $IPTABLES -t raw    -X
    qt1 $IPTABLES -t rawpost -F
    qt1 $IPTABLES -t rawpost -X
    for chain in PREROUTING OUTPUT; do
 	qt1 $IPTABLES -t raw -P $chain ACCEPT
    done
    qt1 $iptables -T rawpost -P POSTROUTING ACCEPT
    run_iptables -t nat -F
    run_iptables -t nat -X
@@ -936,9 +830,6 @@ debug_restore_input() {
 	    '*'raw)
 		table=raw
 		;;
 	    '*'rawpost)
 		table=rawpost
 		;;
 	    '*'mangle)
 		table=mangle
 		;;
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -1,6 +1,8 @@
 #!/bin/sh
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2011- Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2010- Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
@@ -484,63 +486,46 @@ undo_routing() {
 	if [ -f ${VARDIR}/undo_routing ]; then
 	    . ${VARDIR}/undo_routing
 	    progress_message "Shorewall-generated routing tables and routing rules removed"
-	    rm -f ${VARDIR}/undo_*routing
+	    rm -f ${VARDIR}/undo_routing
 	fi
    fi
 }
 #
 # Save the default route
 #
 save_default_route() {
    awk \
    'BEGIN        {defroute=0;};
     /^default /  {defroute=1; print; next};
     /nexthop/    {if (defroute == 1 ) {print ; next} };
                  { defroute=0; };'
 }
 #
 # Restore the default route that was in place before the initial 'shorewall start'
 #
-replace_default_route() # $1 = USE_DEFAULT_RT
+restore_default_route() {
 {
    #
    # default_route and result are inherited from the caller
    #
    if [ -n "$default_route" ]; then
 	case "$default_route" in
 	    *metric*)
 	        #
 	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
 	        #
 		[ -n "$1" ] && qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		default_route=
 		;;
 	    *)
 		qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		result=0
 		default_route=
 		;;
 	esac
    fi
 }
 restore_default_route() # $1 = USE_DEFAULT_RT
 {
    local result
-    result=1
+    
    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
 	result=1
 	while read route ; do
 	    case $route in
-		default*)
+		default)
-		    replace_default_route $1
+		    if [ -n "$default_route" ]; then
 			case "$default_route" in
 			    *metric*)
 		                #
 		                # Don't restore a route with a metric -- we only replace the one with metric == 0
 		                #
 				qt $IP -6 route delete default metric 0 && \
 				    progress_message "Default Route with metric 0 deleted"
 				;;
 			    *)
 				qt $IP -6 route replace $default_route && \
 				    result=0 && \
 				    progress_message "Default Route (${default_route# }) restored"
 				;;
 			esac
 			break
 		    fi
 		    default_route="$default_route $route"
 		    ;;
 		*)
@@ -549,20 +534,6 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 	    esac
 	done < ${VARDIR}/default_route
 	replace_default_route $1
 	if [ $result = 1 ]; then
 	    #
 	    # We didn't restore a default route with metric 0
 	    #
 	    if $IP -6 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
 	       #
 	       # But we added a default route with metric 0
 	       #
 	       qt $IP -6 route del default metric 0 && progress_message "Default route with metric 0 deleted"
 	    fi
 	fi
 	rm -f ${VARDIR}/default_route
    fi
@@ -602,22 +573,6 @@ conditionally_flush_conntrack() {
    fi
 }
 #
 # Clear Proxy NDP
 #
 delete_proxyndp() {
    if [ -f ${VARDIR}/proxyndp ]; then
 	while read address interface external haveroute; do
 	    qt $IP -6 neigh del proxy $address dev $external
 	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface
 	    f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyndp
 	rm -f ${VARDIR}/proxyndp
    fi
 }
 #
 # Remove all Shorewall-added rules
 #
@@ -822,9 +777,6 @@ debug_restore_input() {
 	    '*'raw)
 		table=raw
 		;;
 	    '*'rawpost)
 		table=rawpost
 		;;
 	    '*'mangle)
 		table=mangle
 		;;
--- a/Shorewall/action.A_Drop
+++ b/Shorewall/action.A_Drop
@@ -1,56 +0,0 @@
 #
 # Shorewall version 4 - Drop Action
 #
 # /usr/share/shorewall/action.A_Drop
 #
 #	The audited default DROP common rules
 #
 #	This action is invoked before a DROP policy is enforced. The purpose
 #	of the action is:
 #
 #	a) Avoid logging lots of useless cruft.
 #	b) Ensure that 'auth' requests are rejected, even if the policy is
 #	   DROP. Otherwise, you may experience problems establishing
 #	   connections with servers that use auth.
 #	c) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
 #
 COUNT
 #
 # Reject 'auth'
 #
 Auth(A_REJECT)
 #
 # Don't log broadcasts
 #
 dropBcast(audit)
 #
 # ACCEPT critical ICMP types
 #
 A_AllowICMPs	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
 dropInvalid(audit)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(A_DROP)
 A_DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 dropNotSyn(audit)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 A_DropDNSrep
--- a/Shorewall/action.A_Reject
+++ b/Shorewall/action.A_Reject
@@ -1,54 +0,0 @@
 #
 # Shorewall version 4 - Reject Action
 #
 # /usr/share/shorewall/action.A_Reject
 #
 #	The audited default REJECT action common rules
 #
 #	This action is invoked before a REJECT policy is enforced. The purpose
 #	of the action is:
 #
 #	a) Avoid logging lots of useless cruft.
 #	b) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
 #TARGET		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
 #
 COUNT
 #
 # Don't log 'auth' -- REJECT
 #
 Auth(A_REJECT)
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
 dropBcast(audit)
 #
 # ACCEPT critical ICMP types
 #
 A_AllowICMPs	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
 dropInvalid(audit)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
 SMB(A_REJECT)
 A_DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
 dropNotSyn(audit)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
 A_DropDNSrep
--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -1,73 +0,0 @@
 #
 # Shorewall 4 - Broadcast Action
 #
 #    /usr/share/shorewall/action.Broadcast
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #   Broadcast[([<action>|-[,{audit|-}])] 
 #
 #       Default action is DROP
 #
 ##########################################################################################
 FORMAT 2
 DEFAULTS DROP,-
 BEGIN PERL;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
 my ( $action, $audit ) = get_action_params( 2 );
 fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audit && $audit ne 'audit';
 fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 my $chainref           = get_action_chain;
 my ( $level, $tag )    = get_action_logging;
 my $target             = require_audit ( $action , $audit );
 if ( have_capability( 'ADDRTYPE' ) ) {
    if ( $level ne '' ) {
 	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
 	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
 	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
    }	
    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
    add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
 } else {
    add_commands $chainref, 'for address in $ALL_BCASTS; do';
    incr_cmd_level $chainref;
    log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
    add_jump $chainref, $target, 0, "-d \$address ";
    decr_cmd_level $chainref;
    add_commands $chainref, 'done';
 }
 log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
 1;
 END PERL;
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -15,49 +15,9 @@
 #	c) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
 #  The action accepts five optional parameters:
 #
 #	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 #           actions.
 #       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
 #           depending on the setting of the first parameter.
 #	3 - Action to take with SMB requests. Default is DROP or A_DROP,
 #           depending on the setting of the first parameter.
 #       4 - Action to take with required ICMP packets. Default is ACCEPT or
 #           A_ACCEPT depending on the first parameter.
 #       5 - Action to take with late UDP replies (UDP source port 53). Default
 #           is DROP or A_DROP depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
 FORMAT 2
 #
 # The following magic provides different defaults for $2 thru $5, when $1 is 
 # 'audit'.
 #
 BEGIN PERL;
 use Shorewall::Config;
 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
 if ( defined $p1 ) { 
    if ( $p1 eq 'audit' ) {
 	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
 	set_action_param( 3, 'A_DROP')     unless supplied $p3;
 	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
 	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
    } else {
 	fatal_error "Invalid value ($p1) for first Drop parameter" if supplied $p1;
    }
 }
 1;
 END PERL;
 DEFAULTS -,REJECT,DROP,ACCEPT,DROP
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Count packets that come through here
@@ -66,31 +26,31 @@ COUNT
 #
 # Reject 'auth'
 #
-Auth($2)
+Auth(REJECT)
 #
 # Don't log broadcasts
 #
-Broadcast(DROP,$1)
+dropBcast
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs($4)	-	-	icmp
+AllowICMPs	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
-Invalid(DROP,$1)
+dropInvalid
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB($3)
+SMB(DROP)
-DropUPnP($5)
+DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(DROP,$1)	-	-	tcp
+dropNotSyn	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep($5)
+DropDNSrep
--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@@ -1,85 +0,0 @@
 #
 # Shorewall version 4 - Drop Smurfs Action
 #
 # /usr/share/shorewall/action.DropSmurfs
 #
 #   Accepts a single optional parameter:
 #
 #          -     = Do not Audit
 #          audit = Audit dropped packets.
 #
 #################################################################################
 FORMAT 2
 DEFAULTS -
 BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;
 use Shorewall::Rules;
 my ( $audit ) = get_action_params( 1 );
 my $chainref        = get_action_chain;
 my ( $level, $tag ) = get_action_logging;
 my $target;
 if ( $level ne '-' || $audit ne '-' ) {
    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
    log_rule_limit( $level,
 		    $logchainref,
 		    $chainref->{name},
 		    'DROP',
 		    '',
 		    $tag,
 		    'add',
 		    '' );
    if ( supplied $audit ) {
 	fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
 	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's';
 	add_ijump( $logchainref, j => 'AUDIT --type DROP' );
    } 
    add_ijump( $logchainref, j => 'DROP' );
    $target = $logchainref;
 } else {
    $target = 'DROP';
 }
 if ( have_capability( 'ADDRTYPE' ) ) {
    if ( $family == F_IPV4 ) {
 	add_ijump $chainref , j => 'RETURN', s => '0.0.0.0';         ;
    } else {
 	add_ijump $chainref , j => 'RETURN', s => '::';
    }
    add_ijump( $chainref, g => $target, addrtype => '--src-type BROADCAST' ) ;
 } else {
    if ( $family == F_IPV4 ) {
 	add_commands $chainref, 'for address in $ALL_BCASTS; do';
    } else {
 	add_commands $chainref, 'for address in $ALL_ACASTS; do';
    }
    incr_cmd_level $chainref;
    add_ijump( $chainref, g => $target, s => '$address' );
    decr_cmd_level $chainref;
    add_commands $chainref, 'done';
 }
 if ( $family == F_IPV4 ) {
    add_ijump( $chainref, g => $target, s => '224.0.0.0/4' );
 } else {
    add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
 }
 END PERL;
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -1,56 +0,0 @@
 #
 # Shorewall 4 - Invalid Action
 #
 #    /usr/share/shorewall/action.Invalid
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #   Invalid[([<action>|-[,{audit|-}])] 
 #
 #       Default action is DROP
 #
 ##########################################################################################
 FORMAT 2
 DEFAULTS DROP,-
 BEGIN PERL;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
 my ( $action, $audit ) = get_action_params( 2 );
 fatal_error "Invalid parameter ($audit) to action Invalid"   if supplied $audit && $audit ne 'audit';
 fatal_error "Invalid parameter ($action) to action Invalid"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 my $chainref         = get_action_chain;
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
 log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
 add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
 $chainref->{dont_optimize} = 0;
 1;
 END PERL;
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -1,56 +0,0 @@
 #
 # Shorewall 4 - NotSyn Action
 #
 #    /usr/share/shorewall/action.NotSyn
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #   NotSyn[([<action>|-[,{audit|-}])] 
 #
 #       Default action is DROP
 #
 ##########################################################################################
 FORMAT 2
 DEFAULTS DROP,-
 BEGIN PERL;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
 my ( $action, $audit ) = get_action_params( 2 );
 fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
 fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
 my $chainref         = get_action_chain;
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
 log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
 add_jump $chainref , $target, 0, '-p 6 ! --syn ';
 $chainref->{dont_optimize} = 0;
 1;
 END PERL;
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -12,48 +12,8 @@
 #	b) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
 #  The action accepts five optional parameters:
 #
 #	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 #           actions.
 #       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
 #           depending on the setting of the first parameter.
 #	3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
 #           depending on the setting of the first parameter.
 #       4 - Action to take with required ICMP packets. Default is ACCEPT or
 #           A_ACCEPT depending on the first parameter.
 #       5 - Action to take with late UDP replies (UDP source port 53). Default
 #           is DROP or A_DROP depending on the first parameter.
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
 FORMAT 2
 #
 # The following magic provides different defaults for $2 thru $5, when $1 is 
 # 'audit'.
 #
 BEGIN PERL;
 use Shorewall::Config;
 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
 if ( defined $p1 ) { 
    if ( $p1 eq 'audit' ) {
 	set_action_param( 2, 'A_REJECT')  unless supplied $p2;
 	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
 	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
 	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
    } else {
 	fatal_error "Invalid value ($p1) for first Reject parameter" if supplied $p1;
    }
 }
 1;
 END PERL;
 DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
 #TARGET		SOURCE	DEST	PROTO
 #
 # Count packets that come through here
@@ -62,33 +22,33 @@ COUNT
 #
 # Don't log 'auth' -- REJECT
 #
-Auth($2)
+Auth(REJECT)
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-Broadcast(DROP,$1)
+dropBcast
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs($4)	-	-	icmp
+AllowICMPs	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
-Invalid(DROP,$1)
+dropInvalid
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB($3)
+SMB(REJECT)
-DropUPnP($5)
+DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(DROP,$1)	-	-	tcp
+dropNotSyn	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep($5)
+DropDNSrep
--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -1,63 +0,0 @@
 #
 # Shorewall version 4 - Drop Smurfs Action
 #
 # /usr/share/shorewall/action.DropSmurfs
 #
 #   Accepts a single optional parameter:
 #
 #          -     = Do not Audit
 #          audit = Audit dropped packets.
 #
 #################################################################################
 FORMAT 2
 DEFAULTS DROP,-
 BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;
 my ( $disposition, $audit ) = get_action_params( 2 );
 my $chainref        = get_action_chain;
 my ( $level, $tag ) = get_action_logging;
 fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/; 
 if ( $level ne '-' || $audit ne '-' ) {
    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
    log_rule_limit( $level,
 		    $logchainref,
 		    $chainref->{name},
 		    $disposition,
 		    '',
 		    $tag,
 		    'add',
 		    '' ) if $level;
    if ( supplied $audit ) {
 	fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
 	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
 	add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
    } 
    add_ijump( $logchainref, g => $disposition );
    $disposition = $logchainref;
 }
 add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
 add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
 add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
 add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
 add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
 END PERL;
--- a/Shorewall/action.template
+++ b/Shorewall/action.template
@@ -16,11 +16,184 @@
 #	Please see http://shorewall.net/Actions.html for additional
 #	information.
 #
-# Columns are the same as in /etc/shorewall/rules.
+# Columns are:
 #
-#######################################################################################################
+#
-#                                         DO NOT REMOVE THE FOLLOWING LINE
+#	TARGET		ACCEPT, DROP, REJECT, LOG, QUEUE, CONTINUE, a <macro>
-FORMAT 2
+#			or a previously-defined <action>
-####################################################################################################################################################################
+#
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+#				ACCEPT	 -- allow the connection request
-#							PORT	PORT(S)		DEST		LIMIT		GROUP
+#				DROP	 -- ignore the request
 #				REJECT	 -- disallow the request and return an
 #					    icmp-unreachable or an RST packet.
 #				LOG	 -- Simply log the packet and continue.
 #				QUEUE	 -- Queue the packet to a user-space
 #					    application such as p2pwall.
 #				CONTINUE -- Stop processing this action and
 #					    return to the point where the
 #					    action was invoked.
 #				<action> -- An <action> defined in
 #					    /etc/shorewall/actions.
 #					    The <action> must appear in that
 #					    file BEFORE the one being defined
 #					    in this file.
 #				<macro>	 -- The name of a macro defined in a
 #					    file named macro.<macro-name>. If
 #					    the macro accepts an action
 #					    parameter (Look at the macro
 #					    source to see if it has PARAM in
 #					    the TARGET column) then the macro
 #					    name is followed by "/" and the
 #					    action (ACCEPT, DROP, REJECT, ...)
 #					    to be substituted for the
 #					    parameter. Example: FTP/ACCEPT.
 #
 #			The TARGET may optionally be followed
 #			by ":" and a syslog log level (e.g, REJECT:info or
 #			ACCEPT:debugging). This causes the packet to be
 #			logged at the specified level.
 #
 #			The special log level 'none' does not result in logging
 #			but rather exempts the rule from being overridden by a
 #			non-forcing log level when the action is invoked.
 #
 #			You may also specify ULOG (must be in upper case) as a
 #			log level.This will log to the ULOG target for routing
 #			to a separate log through use of ulogd
 #			(http://www.gnumonks.org/projects/ulogd).
 #
 #			Actions specifying logging may be followed by a
 #			log tag (a string of alphanumeric characters)
 #			are appended to the string generated by the
 #			LOGPREFIX (in /etc/shorewall/shorewall.conf).
 #
 #			Example: ACCEPT:info:ftp would include 'ftp '
 #			at the end of the log prefix generated by the
 #			LOGPREFIX setting.
 #
 #	SOURCE		Source hosts to which the rule applies.
 #			A comma-separated list of subnets
 #			and/or hosts. Hosts may be specified by IP or MAC
 #			address; mac addresses must begin with "~" and must use
 #			"-" as a separator.
 #
 #			192.168.2.2		Host 192.168.2.2
 #
 #			155.186.235.0/24	Subnet 155.186.235.0/24
 #
 #			10.0.0.4-10.0.0.9	Range of IP addresses; your
 #						kernel and iptables must have
 #						iprange match support.
 #
 #			+remote			The name of an ipset prefaced
 #						by "+". Your kernel and
 #						iptables must have set match
 #						support
 #
 #			+remote[4]		The name of the ipset may
 #						followed by a number of
 #						levels of ipset bindings
 #						enclosed in square brackets.
 #
 #			192.168.1.1,192.168.1.2
 #						Hosts 192.168.1.1 and
 #						192.168.1.2.
 #			~00-A0-C9-15-39-78	Host with
 #						MAC address 00:A0:C9:15:39:78.
 #
 #			Alternatively, clients may be specified by interface
 #			name. For example, eth1 specifies a
 #			client that communicates with the firewall system
 #			through eth1. This may be optionally followed by
 #			another colon (":") and an IP/MAC/subnet address
 #			as described above (e.g., eth1:192.168.1.5).
 #
 #	DEST		Location of destination host. Same as above with
 #			the exception that MAC addresses are not allowed and
 #			that you cannot specify an ipset name in both the
 #			SOURCE and DEST columns.
 #
 #	PROTO		Protocol - Must be "tcp", "tcp:syn", "udp", "icmp",
 #			"ipp2p", "ipp2p:udp", "ipp2p:all", a number, or "all".
 #                       "ipp2p*" requires ipp2p match support in your kernel
 #                       and iptables.
 #
 #			"tcp:syn" implies "tcp" plus the SYN flag must be
 #			set and the RST, ACK and FIN flags must be reset.
 #
 #	DEST PORT(S)	Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
 #			A port range is expressed as <low port>:<high port>.
 #
 #			This column is ignored if PROTOCOL = all but must be
 #			entered if any of the following fields are supplied.
 #			In that case, it is suggested that this field contain
 #			 "-"
 #
 #			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
 #			this list and the CLIENT PORT(S) list below:
 #			1. There are 15 or less ports listed.
 #			2. No port ranges are included.
 #			Otherwise, a separate rule will be generated for each
 #			port.
 #
 #	SOURCE PORT(S)	(Optional) Port(s) used by the client. If omitted,
 #			any source port is acceptable. Specified as a comma-
 #			separated list of port names, port numbers or port
 #			ranges.
 #
 #			If you don't want to restrict client ports but need to
 #			specify an ADDRESS in the next column, then place "-"
 #			in this column.
 #
 #			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
 #			this list and the DEST PORT(S) list above:
 #			1. There are 15 or less ports listed.
 #			2. No port ranges are included.
 #			Otherwise, a separate rule will be generated for each
 #			port.
 #
 #	RATE LIMIT	You may rate-limit the rule by placing a value in
 #			this column:
 #
 #				<rate>/<interval>[:<burst>]
 #
 #			where <rate> is the number of connections per
 #			<interval> ("sec" or "min") and <burst> is the
 #			largest burst permitted. If no <burst> is given,
 #			a value of 5 is assumed. There may be no
 #			no whitespace embedded in the specification.
 #
 #				Example: 10/sec:20
 #
 #	USER/GROUP	This column may only be non-empty if the SOURCE is
 #			the firewall itself.
 #
 #			The column may contain:
 #
 #	[!][<user name or number>][:<group name or number>][+<program name>]
 #
 #			When this column is non-empty, the rule applies only
 #			if the program generating the output is running under
 #			the effective <user> and/or <group> specified (or is
 #			NOT running under that id if "!" is given).
 #
 #			Examples:
 #
 #				joe	#program must be run by joe
 #				:kids	#program must be run by a member of
 #					#the 'kids' group
 #				!:kids	#program must not be run by a member
 #					#of the 'kids' group
 #				+upnpd	#program named upnpd (This feature was
 #					#removed from Netfilter in kernel
 #					#version 2.6.14).
 #
 ###############################################################################
 #TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
 #				PORT	PORT(S)	DEST		LIMIT	GROUP
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -8,9 +8,6 @@
 #
 # Builtin Actions are:
 #
 #    A_ACCEPT           # Audits then accepts a connection request
 #    A_DROP             # Audits then drops a connection request
 #    A_REJECT		# Audits then drops a connection request
 #    allowBcast		# Silently Allow Broadcast/multicast
 #    dropBcast		# Silently Drop Broadcast/multicast
 #    dropNotSyn		# Silently Drop Non-syn TCP packets
@@ -33,12 +30,5 @@
 #
 ###############################################################################
 #ACTION
 A_Drop 		    # Audited Default Action for DROP policy
 A_Reject	    # Audited Default action for REJECT policy
 Broadcast	    # Handles Broadcast/Multicast/Anycast
 Drop		    # Default Action for DROP policy
 DropSmurfs          # Drop smurf packets
 Invalid             # Handles packets in the INVALID conntrack state
 NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject		    # Default Action for REJECT policy
 TCPFlags            # Handle bad flag combinations.
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -0,0 +1,632 @@
 Changes in Shorewall 4.4.13
 1)  Allow zone lists in rules SOURCE and DEST.
 2)  Fix exclusion in the blacklist file.
 3)  Correct several old exclusion bugs.
 4)  Fix exclusion with CONTINUE/NONAT/ACCEPT+
 5)  Re-implement optional interface handling.
 6)  Add secmark config file.
 7)  Split in and out blacklisting.
 8)  Correct handling of [{src|dst},...] in ipset invocation
 9)  Correct SAME.
 10) TC Enhancements:
    <burst> in IN-BANDWIDTH columns.
    OUT-BANDWIDTH column in tcinterfaces.
 11) Create dynamic zone ipsets on 'start'.
 12) Remove new blacklisting implementation.
 13) Implement an alternative blacklisting scheme.
 14) Use '-m state' for UNTRACKED.
 15) Clear raw table on 'clear'
 16) Correct port-range check in tcfilters.
 17) Disallow '*' in interface names.
 Changes in Shorewall 4.4.12
 1)  Fix IPv6 shorecap program.
 2)  Eradicate incorrect IPv6 Multicast Network
 3)  Add ADD/DEL support.
 4)  Allow :random to work with REDIRECT
 5)  Add per-ip log rate limiting.
 6)  Use new hashlimit match syntax if available.
 7)  Add Universal sample.
 8)  Add COMPLETE option.
 9)  Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
 10) Support new set match syntax.
 11) Blacklisting by DEST IP.
 12) Fix duplicate rule generation with 'any'.
 13) Fix port range editing problem.
 14) Display the .conf file directory in response to the status command.
 15)  Correct AUTOMAKE
 Changes in Shorewall 4.4.11
 1)  Apply patch from Gabriel.
 2)  Fix IPSET match detection when a pathname is specified for IPSET.
 3)  Fix start priority of shorewall-init on Debian
 4)  Make IPv6 log and connections output readable.
 5)  Add REQUIRE_INTERFACE to shorewall*.conf
 6)  Avoid run-time warnings when options are not listed in
    shorewall.conf.
 7)  Implement Vserver zones.
 8)  Make find_hosts_by_option() work correctly where ALL_IP appears in
    hosts file.
 9)  Add CLEAR_FORWARD_MARK option.
 10) Avoid missing closing quote when REQUIRE_INTERFACE=Yes.
 11) Add PERL option.
 12) Fix nets= in Shorewall6
 Changes in Shorewall 4.4.10
 1)  Fix regression with scripts.
 2)  Log startup errors.
 3)  Implement Shorewall-init.
 4)  Add SAFESTOP option to /etc/default/shorewall*
 5)  Restore -a functionality to the version command.
 6)  Correct Optimization issue
 7)  Rename PREFIX to DESTDIR in install scripts
 8)  Correct handling of optional/required interfaces with wildcard names.
 Changes in Shorewall 4.4.9
 1)  Auto-detection of bridges.
 2)  Correct handling of a logical interface name in the EXTERNAL column
    of proxyarp.
 3)  More robust 'trace'.
 4)  Added IPv6 mDNS macro.
 5)  Fix find_first_interface_address() error reporting.
 6)  Fix propagation of zero-valued config variables.
 7)  Fix OPTIMIZE 4 bug.
 8)  Deallocate unused rules.
 9)  Keep rule arrays compressed during optimization.
 10) Remove remaining fallback scripts.
 11) Rationalize startup logs.
 12) Optimize 8.
 13) Don't create output chains for BPORT zones.
 14) Implement 'show log ip-addr' in /sbin/shorewall and
    /sbin/shorewall-lite/
 15) Restore lone ACCEPT rule to the OUTPUT chain under OPTIMIZE 2.
 16) Change chain policy on OUTPUT chain with lone ACCEPT rule.
 17) Set IP before sourcing the params file.
 18) Fix rare optimization bug.
 19) Allow definition of an addressless bridge without a zone.
 20) In the routestopped file, assume 'routeback' if the interface has
    'routeback'.
 21) Make Shorewall and Shorewall6 installable on OS X.
 Changes in Shorewall 4.4.8
 1)  Correct handling of RATE LIMIT on NAT rules.
 2)  Don't create a logging chain for rules with '-j RETURN'.
 3)  Avoid duplicate SFQ class numbers.
 4)  Fix low per-IP rate limits.
 5)  Fix Debian init script exit status
 6)  Fix NFQUEUE(queue-num) in policy
 7)  Implement -s option in install.sh
 8)  Add HKP Macro
 9)  Fix multiple policy matches with OPTIMIZE 4 and not KLUDGEFREE
 10) Eliminate up-cased variable names that aren't documented options.
 11) Don't show 'OLD' capabilities if they are not available.
 12) Attempt to flag use of '-' as a port-range separator.
 13) Add undocumented OPTIMIZE=-1 setting.
 14) Replace OPTIMIZE=-1 with undocumented optimize 4096 which DISABLES
    default optimizations.
 15) Add support for UDPLITE
 16) Distinguish between 'Started' and 'Restored' in ${VARDIR}/state
 17) Issue warnings when 'blacklist' but no blacklist file entries.
 18) Don't optimize 'blacklst'.
 Changes in Shorewall 4.4.7
 1)  Backport optimization changes from 4.5.
 2)  Backport two new options from 4.5.
 3)  Backport TPROXY from 4.5
 4)  Add TC_PRIOMAP to shorewall*.conf
 5)  Implement LOAD_HELPERS_ONLY
 6)  Avoid excessive module loading with LOAD_HELPERS_ONLY=Yes
 7)  Fix case where MARK target is unavailable.
 8)  Change default to ADD_IP_ALIASES=No
 9)  Correct defects in generate_matrix().
 10) Fix and optimize 'nosmurfs'.
 11) Use 'OLD_HL_MATCH' to suppress use of 'flow' in Simple TC.
 Changes in Shorewall 4.4.6
 1)  Fix for rp_filter and kernel 2.6.31.
 2)  Add a hack to work around a bug in Lenny + xtables-addons
 3)  Re-enable SAVE_IPSETS
 4)  Allow both <...> and [...] for IPv6 Addresses.
 5)  Port mark geometry change from 4.5.
 6)  Add Macro patch from Tuomo Soini
 7)  Add 'show macro' command.
 8)  Add -r option to check.
 9)  Port simplified TC from 4.5.
 Changes in Shorewall 4.4.5
 1)  Fix 15-port limit removal change.
 2)  Fix handling of interfaces with the 'bridge' option.
 3)  Generate error for port number 0
 4)  Allow zone::serverport in rules DEST column.
 5)  Fix 'show policies' in Shorewall6.
 6)  Auto-load tc modules.
 7)  Allow LOGFILE=/dev/null
 8)  Fix shorewall6-lite/shorecap
 9) Fix MODULE_SUFFIX.
 10) Fix ENHANCED_REJECT detection for IPv4.
 11) Fix DONT_LOAD vs 'reload -c'
 12) Fix handling of SOURCE and DEST vs macros.
 13) Remove silly logic in expand_rule().
 14) Add current and limit to Conntrack Table Heading.
 Changes in Shorewall 4.4.4
 1)  Change STARTUP_LOG and LOG_VERBOSITY in default shorewall6.conf.
 2)  Fix access to uninitialized variable.
 3)  Add logrotate scripts.
 4)  Allow long port lists in /etc/shorewall/routestopped.
 5)  Implement 'physical' interface option.
 6)  Implement ZONE2ZONE option.
 7)  Suppress duplicate COMMENT warnings.
 8)  Implement 'show policies' command.
 9)  Fix route_rule suppression for down provider.
 10) Suppress redundant tests for provider availability in route rules
    processing.
 11) Implement the '-l' option to the 'show' command.
 12) Fix class number assignment when WIDE_TC_MARKS=Yes
 13) Allow wide marks in tcclasses when WIDE_TC_MARKS=Yes
 Changes in Shorewall 4.4.3
 1)  Move Debian INITLOG initialization to /etc/default/shorewall
 2)  Fix 'routeback' in /etc/shorewall/routestopped.
 3)  Rename 'object' to 'script' in compiler and config modules.
 4)  Correct RETAIN_ALIASES=No.
 5)  Fix detection of IP config.
 6)  Fix nested zones.
 7)  Move all function declarations from prog.footer to prog.header
 8)  Remove superfluous variables from generated script
 9)  Make 'track' the default.
 10)  Add TRACK_PROVIDERS option.
 11)  Fix IPv6 address parsing bug.
 12)  Add hack to work around iproute IPv6 bug in route handling
 13)  Correct messages issued when an optional provider is not usable.
 14)  Fix optional interfaces.
 15)  Add 'limit' option to tcclasses.
 Changes in Shorewall 4.4.2
 1)  BUGFIX: Correct detection of Persistent SNAT support
 2)  BUGFIX: Fix chain table initialization
 3)  BUGFIX: Validate routestopped file on 'check'
 4)  Let the Actions module add the builtin actions to
    %Shorewall::Chains::targets. Much better modularization that way.
 5)  Some changes to make Lenny->Squeeze less painful.
 6)  Allow comments at the end of continued lines.
 7)  Call process_routestopped() during 'check' rather than
    'compile_stop_firewall()'.
 8)  Don't look for an extension script for built-in actions.
 9)  Apply Jesse Shrieve's patch for SNAT range.
 10) Add -<family> to 'ip route del default' command.
 11) Add three new columns to macro body.
 12) Change 'wait4ifup' so that it requires no PATH
 13) Allow extension scripts for accounting chains.
 14) Allow per-ip LIMIT to work on ancient iptables releases.
 15) Add 'MARK' column to action body.
 Changes in Shorewall 4.4.1
 1)  Deleted extra 'use ...IPAddrs.pm' from Nat.pm.
 2)  Deleted superfluous export from Chains.pm.
 3)  Added support for --persistent.
 4)  Don't do module initialization in an INIT block.
 5)  Minor performance improvements.
 6)  Add 'clean' target to Makefile.
 7)  Redefine 'full' for sub-classes.
 8)  Fix log level in rules at the end of INPUT and OUTPUT chains.
 9)  Fix nested ipsec zones.
 10) Change one-interface sample to IP_FORWARDING=Off.
 11) Allow multicast to non-dynamic zones defined with nets=.
 12) Allow zones with nets= to be extended by /etc/shorewall/hosts
    entries.
 13) Don't allow nets= in a multi-zone interface definition.
 14) Fix rule generated by MULTICAST=Yes
 15) Fix silly hole in zones file parsing.
 16) Tighen up zone membership checking.
 17) Combine portlist-spitting routines into a single function.
 Changes in Shorewall 4.4.0
 1)  Fix 'compile ... -' so that it no longer requires '-v-1'
 2)  Fix rule generation for logging nat rules with no exclusion.
 3)  Fix log record formatting.
 4)  Restore ipset binding
 5)  Fix 'upnpclient' with required interfaces.
 6)  Fix provider number in masq file.
 Changes in Shorewall 4.4.0-RC2
 1)  Fix capabilities file with Shorewall6.
 2)  Allow Shorewall6 to recognize TC, IP and IPSET
 3)  Make 'any' a reserved zone name.
 4)  Correct handling of an ipsec zone nested in a non-ipsec zone.
 Changes in Shorewall 4.4.0-RC1
 1)  Delete duplicate Git macro.
 2)  Fix routing when no providers.
 3)  Add 'any' as a SOURCE/DEST in rules.
 4)  Fix NONAT on child zone.
 5)  Fix rpm -U from earlier versions
 6)  Generate error on 'status' by non-root.
 7)  Get rid of prog.functions and prog.functions6
 Changes in Shorewall 4.4.0-Beta4
 1)  Add more macros.
 2)  Correct broadcast address detection
 3) Fix 'show dynamic'
 4) Fix BGP and OSFP macros.
 5) Change DISABLE_IPV6 default and use 'correct' ip6tables.
 Changes in Shorewall 4.4.0-Beta3
 1)  Add new macros.
 2)  Work around mis-configured interfaces.
 3)  Fix 'show dynamic'.
 4)  Check for xt_LOG.
 5)  Fix 'findgw'
 Changes in Shorewall 4.4.0-Beta2
 1)  The 'find_first_interface_address()' and
    'find_first_interface_address_if_any()' functions have been restored to
    lib.base.
 2)  Integerize r2q before inserting it into 'tc qdisc add root'
    command.
 3)  Remove '-h' from the help text for install.sh in Shorewall and
    Shorewall6.
 4)  Delete the 'continue' file from the Shorewall package.
 5)  Add 'upnpclient' interface option.
 6)  Fix handling of optional interfaces.
 7)  Add 'iptrace' and 'noiptrace' command.
 8)  Add 'USER/GROUP' column to masq file.
 9)  Added lib.private.
 Changes in Shorewall 4.4.0-Beta1
 1)  Correct typo in Shorewall6 two-interface sample shorewall.conf.
 2)  Fix TOS mnemonic handling in /etc/shorewall/tcfilters.
 Changes in Shorewall 4.3.12
 1) Eliminate 'large quantum' warnings.
 2) Add HFSC support.
 3) Delete support for ipset binding. Jozsef has removed the capability
   from ipset.
 4) Add TOS and LENGTH columns to tcfilters file.
 5) Fix 'reset' command.
 6) Fix 'findgw'.
 7) Remove 'norfc1918' support.
 Changes in Shorewall 4.3.11
 1) Reduce the number of arguments passed in may cases.
 2) Fix SCTP source port handling in tcfilters.
 3) Add 'findgw' user exit.
 4) Add macro.Trcrt
 Changes in Shorewall 4.3.10
 1) Fix handling of shared optional providers.
 2) Add WIDE_TC_MARKS option.
 3) Allow compile to STDOUT.
 4) Fix handling of class IDs.
 5) Deprecate use of an interface in the SOURCE column of
   /etc/shorewall/masq.
 6) Fix handling of 'all' in the SOURCE of DNAT- rules.
 7) Fix compile for export.
 8) Optimize IPMARK.
 9) Implement nested HTB classes.
 10) Fix 'iprange' command.
 11) Make traffic shaping work better with IPv6.
 12) Externalize 'flow'.
 13) Fix 'start' with AUTOMAKE=Yes
 Changes in Shorewall 4.3.9
 1) Logging rules now create separate chain.
 2) Fix netmask genereation in tcfilters.
 3) Allow Shorewall6 with kernel 2.6.24
 4) Avoid 'Invalid BROADCAST address' errors.
 5) Allow Shorewall6 on kernel 4.2.24:Shorewall/changelog.txt
 6) Add IP, TC and IPSET options in shorewall.conf and shorewall6.conf.
 7) Add IPMARK support
 Changes in Shorewall 4.3.8
 1) Apply Tuomo Soini's patch for USE_DEFAULT_RT.
 2) Use 'startup_error' for those errors caught early.
 3) Fix swping
 4) Detect gateway via dhclient leases file.
 5) Suppress leading whitespace on certain continuation lines.
 6) Use iptables[6]-restore to stop the firewall.
 7) Add AUTOMAKE option
 8) Remove SAME support.
 9) Allow 'compile' without a pathname.
 10) Fix LOG_MARTIANS=Yes.
 11) Adapt I. Buijs's hashlimit patch.
 Changes in Shorewall 4.3.7
 1)  Fix forward treatment of interface options.
 2)  Replace $VARDIR/.restore with $VARDIR/firewall
 3)  Fix DNAT- parsing of DEST column.
 4)  Implement dynamic zones
 5)  Allow 'HOST' options on bridge ports.
 6)  Deprecate old macro parameter syntax.
 Changes in Shorewall 4.3.6
 1)  Add SAME tcrules target.
 2)  Make 'dump' display the raw table. Fix shorewall6 dump anomalies.
 3)  Fix split_list1()
 4)  Fix Shorewall6 file location bugs.
 Changes in Shorewall 4.3.5
 1)  Remove support for shorewall-shell.
 2)  Combine shorewall-common and shorewall-perl to produce shorewall.
 3)  Add nets= OPTION in interfaces file.
--- a/Shorewall/configfiles/accounting
+++ b/Shorewall/configfiles/accounting
@@ -6,6 +6,6 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
-#################################################################################################################
+#####################################################################################################
 #ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/	MARK	IPSEC
 #							PORT(S)		PORT(S)	GROUP
--- a/Shorewall/configfiles/findgw
+++ b/Shorewall/configfiles/findgw
@@ -3,11 +3,11 @@
 #
 # /etc/shorewall/findgw
 #
-#    The code in this file is executed when Shorewall is trying to detect the
+#    The code in this file is executed when Shorewall is trying to detect the 
 #    gateway through an interface in /etc/shorewall/providers that has GATEWAY
 #    specified as 'detect'.
 #
-#    The function should echo the IP address of the gateway if it knows what
+#    The function should echo the IP address of the gateway if it knows what 
 #    it is; the name of the interface is in $1.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -6,6 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
-#############################################################################################
+###############################################################################
 #INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
 #											GROUP
--- a/Shorewall/configfiles/netmap
+++ b/Shorewall/configfiles/netmap
@@ -6,6 +6,5 @@
 # See http://shorewall.net/netmap.html for an example and usage
 # information.
 #
-##############################################################################################
+###############################################################################
-#TYPE	NET1		INTERFACE	NET2		NET3		PROTO	DEST	SOURCE
+#TYPE	NET1			INTERFACE	NET2		NET3
 #										PORT(S)	PORT(S)
--- a/Shorewall/configfiles/restored
+++ b/Shorewall/configfiles/restored
@@ -4,7 +4,7 @@
 # /etc/shorewall/restored
 #
 #	Add commands below that you want to be executed after shorewall has
-#	completed a 'restore' command.
+#	completed a 'restore' command. 
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall/configfiles/routes
+++ b/Shorewall/configfiles/routes
@@ -1,9 +0,0 @@
 #
 # Shorewall version 4 - routes File
 #
 # For information about entries in this file, type "man shorewall-routes"
 #
 # For additional information, see http://www.shorewall.net/MultiISP.html
 ##############################################################################
 #PROVIDER		DEST			GATEWAY		DEVICE
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -6,11 +6,9 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-######################################################################################################################################################################################
+####################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
--- a/Shorewall/configfiles/scfilter
+++ b/Shorewall/configfiles/scfilter
@@ -1,13 +0,0 @@
 #
 # Shorewall version 4 - Show Connections Filter
 #
 # /etc/shorewall/scfilter
 #
 #	Replace the 'cat' command below to filter the output of
 #       'show connections.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
 #
 ###############################################################################
 cat -
--- a/Shorewall/configfiles/secmarks
+++ b/Shorewall/configfiles/secmarks
@@ -10,4 +10,4 @@
-
+								
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -18,180 +18,188 @@ STARTUP_ENABLED=No
 VERBOSITY=1
 ###############################################################################
-#		                L O G G I N G
+#			       L O G G I N G
 ###############################################################################
-BLACKLIST_LOGLEVEL=
+LOGFILE=/var/log/messages
-LOG_MARTIANS=Yes
+STARTUP_LOG=/var/log/shorewall-init.log
 LOG_VERBOSITY=2
 LOGALLNEW=
 LOGFILE=/var/log/messages
 LOGFORMAT="Shorewall:%s:%s:"
 LOGTAGONLY=No
 LOGLIMIT=
 LOGALLNEW=
 BLACKLIST_LOGLEVEL=
 MACLIST_LOG_LEVEL=info
-SFILTER_LOG_LEVEL=info
+TCP_FLAGS_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
-STARTUP_LOG=/var/log/shorewall-init.log
+LOG_MARTIANS=Yes
 TCP_FLAGS_LOG_LEVEL=info
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
 CONFIG_PATH="/etc/shorewall:/usr/share/shorewall"
 IPTABLES=
 IP=
 TC=
 IPSET=
 MODULESDIR=
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
 PERL=/usr/bin/perl
-RESTOREFILE=restore
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 SHOREWALL_SHELL=/bin/sh
 SUBSYSLOCK=/var/lock/subsys/shorewall
-TC=
+MODULESDIR=
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 RESTOREFILE=
 IPSECFILE=zones
 LOCKFILE=
 ###############################################################################
 #		D E F A U L T   A C T I O N S / M A C R O S
 ###############################################################################
-ACCEPT_DEFAULT=none
+DROP_DEFAULT="Drop"
-DROP_DEFAULT=Drop
+REJECT_DEFAULT="Reject"
-NFQUEUE_DEFAULT=none
+ACCEPT_DEFAULT="none"
-QUEUE_DEFAULT=none
+QUEUE_DEFAULT="none"
-REJECT_DEFAULT=Reject
+NFQUEUE_DEFAULT="none"
 ###############################################################################
 #                        R S H / R C P  C O M M A N D S
 ###############################################################################
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 RSH_COMMAND='ssh ${root}@${system} ${command}'
 RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
 ###############################################################################
 #			F I R E W A L L	  O P T I O N S
 ###############################################################################
-ACCOUNTING=Yes
+IP_FORWARDING=On
 ACCOUNTING_TABLE=filter
 ADD_IP_ALIASES=No
 ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
 AUTO_COMMENT=Yes
 AUTOMAKE=No
 BLACKLISTNEWONLY=Yes
 CLAMPMSS=No
 CLEAR_TC=Yes
 COMPLETE=No
 DELETE_THEN_ADD=Yes
 DETECT_DNAT_IPADDRS=No
 DISABLE_IPV6=No
 DONT_LOAD=
 DYNAMIC_BLACKLIST=Yes
 EXPAND_POLICIES=Yes
 EXPORTMODULES=Yes
 FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 IP_FORWARDING=On
 KEEP_RT_TABLES=No
 LEGACY_FASTSTART=Yes
 LOAD_HELPERS_ONLY=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 MANGLE_ENABLED=Yes
 MAPOLDACTIONS=No
 MARK_IN_FORWARD_CHAIN=No
 MODULE_SUFFIX=ko
 MULTICAST=No
 MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
 OPTIMIZE=0
 OPTIMIZE_ACCOUNTING=No
 REQUIRE_INTERFACE=No
 RESTORE_DEFAULT_ROUTE=Yes
 RETAIN_ALIASES=No
 ROUTE_FILTER=No
 SAVE_IPSETS=No
 TC_ENABLED=Internal
 TC_EXPERT=No
 TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
-TRACK_PROVIDERS=No
+CLEAR_TC=Yes
 MARK_IN_FORWARD_CHAIN=No
 CLAMPMSS=No
 ROUTE_FILTER=No
 DETECT_DNAT_IPADDRS=No
 MUTEX_TIMEOUT=60
 ADMINISABSENTMINDED=Yes
 BLACKLISTNEWONLY=Yes
 DELAYBLACKLISTLOAD=No
 MODULE_SUFFIX=ko
 DISABLE_IPV6=No
 BRIDGING=No
 DYNAMIC_ZONES=No
 PKTTYPE=Yes
 NULL_ROUTE_RFC1918=No
 MACLIST_TABLE=filter
 MACLIST_TTL=
 SAVE_IPSETS=No
 MAPOLDACTIONS=No
 FASTACCEPT=No
 IMPLICIT_CONTINUE=No
 HIGH_ROUTE_MARKS=No
 USE_ACTIONS=Yes
 OPTIMIZE=0
 EXPORTPARAMS=Yes
 EXPAND_POLICIES=Yes
 KEEP_RT_TABLES=No
 DELETE_THEN_ADD=Yes
 MULTICAST=No
 DONT_LOAD=
 AUTO_COMMENT=Yes
 MANGLE_ENABLED=Yes
 USE_DEFAULT_RT=No
 RESTORE_DEFAULT_ROUTE=Yes
 AUTOMAKE=No
 WIDE_TC_MARKS=No
 TRACK_PROVIDERS=No
 ZONE2ZONE=2
 ACCOUNTING=Yes
 DYNAMIC_BLACKLIST=Yes
 OPTIMIZE_ACCOUNTING=No
 LOAD_HELPERS_ONLY=No
 REQUIRE_INTERFACE=No
 FORWARD_CLEAR_MARK=Yes
 COMPLETE=No
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################
@@ -200,15 +208,6 @@ BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
-################################################################################
+#LAST LINE -- DO NOT REMOVE
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
 ################################################################################
 IPSECFILE=zones
--- a/Shorewall/init.fedora.sh
+++ b/Shorewall/init.fedora.sh
@@ -1,112 +0,0 @@
 #!/bin/sh
 #
 # Shorewall init script
 #
 # chkconfig: - 28 90
 # description: Packet filtering firewall
 ### BEGIN INIT INFO
 # Provides: shorewall
 # Required-Start: $local_fs $remote_fs $syslog $network
 # Should-Start: VMware $time $named
 # Required-Stop:
 # Default-Start:
 # Default-Stop:	  0 1 2 3 4 5 6
 # Short-Description: Packet filtering firewall
 # Description: The Shoreline Firewall, more commonly known as "Shorewall", is a
 #              Netfilter (iptables) based firewall
 ### END INIT INFO
 # Source function library.
 . /etc/rc.d/init.d/functions
 prog="shorewall"
 shorewall="/sbin/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
 # Get startup options (override default)
 OPTIONS=
 if [ -f /etc/sysconfig/$prog ]; then
    . /etc/sysconfig/$prog
 fi
 start() {
    echo -n $"Starting Shorewall: "
    $shorewall $OPTIONS start 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then 
 	touch $lockfile
 	success
    else 
 	failure
    fi
    echo
    return $retval
 }
 stop() {
    echo -n $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then 
 	rm -f $lockfile
 	success
    else 
 	failure
    fi
    echo
    return $retval
 }
 restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
    $shorewall $OPTIONS restart 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then 
 	touch $lockfile
 	success
    else # Failed to start, clean up lock file if present
 	rm -f $lockfile
 	failure
    fi
    echo
    return $retval
 }
 status(){
    $shorewall status
    return $?
 }
 status_q() {
    status > /dev/null 2>&1
 }
 case "$1" in
    start)
 	status_q && exit 0
 	$1
 	;;
    stop)
 	status_q || exit 0
 	$1
 	;;
    restart|reload|force-reload)
 	restart
 	;;
    condrestart|try-restart)
        status_q || exit 0
        restart
        ;;
    status)
 	$1
 	;;
    *)
 	echo "Usage: $0 start|stop|reload|restart|force-reload|status"
 	exit 1
 	;;
 esac
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000,2001,2002,2003,2004,2005,2006,2007,2009,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=xxx #The Build script inserts the actual version
+VERSION=4.4.13
 usage() # $1 = exit status
 {
@@ -30,8 +30,6 @@ usage() # $1 = exit status
    echo "usage: $ME"
    echo "       $ME -v"
    echo "       $ME -h"
    echo "       $ME -s"
    echo "       $ME -f"
    exit $1
 }
@@ -96,6 +94,7 @@ install_file() # $1 = source $2 = target $3 = mode
 # INIT is the name of the script in the $DEST directory
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
 T="-T"
 if [ -z "$DEST" ] ; then
@@ -106,29 +105,8 @@ if [ -z "$INIT" ] ; then
 	INIT="shorewall"
 fi
 ANNOTATED=
 SPARSE=
 MANDIR=${MANDIR:-"/usr/share/man"}
 [ -n "${LIBEXEC:=/usr/share}" ]
 [ -n "${PERLLIB:=/usr/share/shorewall}" ]
 MACHOST=
 case "$LIBEXEC" in
    /*)
 	;;
    *)
 	LIBEXEC=/usr/${LIBEXEC}
 	;;
 esac
 case "$PERLLIB" in
    /*)
 	;;
    *)
 	PERLLIB=/usr/${PERLLIB}
 	;;
 esac
 INSTALLD='-D'
 case $(uname) in
@@ -153,7 +131,6 @@ case $(uname) in
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
 	MAC=Yes
        MACHOST=Yes
 	INSTALLD=
 	T=
 	;;
@@ -165,49 +142,24 @@ esac
 OWNERSHIP="-o $OWNER -g $GROUP"
-finished=0
+while [ $# -gt 0 ] ; do
-
+    case "$1" in
-while [ $finished -eq 0 ]; do
+	-h|help|?)
-    option=$1
+	    usage 0
-
+	    ;;
-    case "$option" in
+        -v)
-	-*)
+	    echo "Shorewall Firewall Installer Version $VERSION"
-	    option=${option#-}
+	    exit 0
-	    
+	    ;;
-	    while [ -n "$option" ]; do
+	-s)
-		case $option in
+	    SPARSE=Yes
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "Shorewall Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    s*)
 			SPARSE=Yes
 			option=${option#s}
 			;;
 		    a*)
 			ANNOTATED=Yes
 			option=${option#a}
 			;;
 		    p*)
 			ANNOTATED=
 			option=${option#p}
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
-	    [ -n "$option" ] && usage 1
+	    usage 1
 	    finished=1
 	    ;;
    esac
    shift
    ARGS="yes"
 done
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -248,9 +200,6 @@ else
 	    echo "Installing Debian-specific configuration..."
 	    DEBIAN=yes
 	    SPARSE=yes
 	elif [ -f /etc/redhat-release ]; then
 	    echo "Installing Redhat/Fedora-specific configuration..."
 	    FEDORA=yes
 	elif [ -f /etc/slackware-version ] ; then
 	    echo "Installing Slackware-specific configuration..."
 	    DEST="/etc/rc.d"
@@ -265,14 +214,6 @@ else
    fi
 fi
 if [ -z "$DESTDIR" ]; then
    if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
    fi
 elif [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}/lib/systemd/system
 fi
 #
 # Change to the directory containing this script
 #
@@ -292,19 +233,9 @@ fi
 if [ -z "$CYGWIN" ]; then
   install_file shorewall ${DESTDIR}/sbin/shorewall 0755
   echo "shorewall control program installed in ${DESTDIR}/sbin/shorewall"
   if [ -z "$MACHOST" ]; then
       eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall
       eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall
   else
       eval sed -i \'\' -e  \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall 
       eval sed -i \'\' -e  \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/sbin/shorewall
   fi
 else
   install_file shorewall ${DESTDIR}/bin/shorewall 0755
   echo "shorewall control program installed in ${DESTDIR}/bin/shorewall"
   eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/bin/shorewall
   eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/bin/shorewall
 fi
 #
@@ -312,8 +243,6 @@ fi
 #
 if [ -n "$DEBIAN" ]; then
    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall 0544
 elif [ -n "$FEDORA" ]; then
    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall 0544
 elif [ -n "$ARCHLINUX" ]; then
    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
 elif [ -n "$SLACKWARE" ]; then
@@ -329,8 +258,7 @@ fi
 # Create /etc/shorewall, /usr/share/shorewall and /var/shorewall if needed
 #
 mkdir -p ${DESTDIR}/etc/shorewall
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
+mkdir -p ${DESTDIR}/usr/share/shorewall
 mkdir -p ${DESTDIR}${PERLLIB}/Shorewall
 mkdir -p ${DESTDIR}/usr/share/shorewall/configfiles
 mkdir -p ${DESTDIR}/var/lib/shorewall
@@ -338,32 +266,21 @@ chmod 755 ${DESTDIR}/etc/shorewall
 chmod 755 ${DESTDIR}/usr/share/shorewall
 chmod 755 ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf           ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}/etc/logrotate.d
    chmod 755 ${DESTDIR}/etc/logrotate.d
 fi
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
    run_install $OWNERSHIP -m 600 shorewall.service ${DESTDIR}/lib/systemd/system/shorewall.service
    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall.service"
 fi
 if [ -n "$ANNOTATED" ]; then
    suffix=.annotated
 else
    suffix=
 fi
 #
 # Install the config file
 #
 run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf ${DESTDIR}/usr/share/shorewall/configfiles
 perl -p -w -i -e 's|^CONFIG_PATH=.*|CONFIG_PATH=/usr/share/shorewall/configfiles:/usr/share/shorewall|;' ${DESTDIR}/usr/share/shorewall/configfiles/shorewall.conf
 perl -p -w -i -e 's|^STARTUP_LOG=.*|STARTUP_LOG=/var/log/shorewall-lite-init.log|;' ${DESTDIR}/usr/share/shorewall/configfiles/shorewall.conf
 if [ ! -f ${DESTDIR}/etc/shorewall/shorewall.conf ]; then
-   run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf${suffix} ${DESTDIR}/etc/shorewall/shorewall.conf
+   run_install $OWNERSHIP -m 0644 configfiles/shorewall.conf ${DESTDIR}/etc/shorewall
   if [ -n "$DEBIAN" ]; then
       #
@@ -381,11 +298,10 @@ fi
 #
 # Install the zones file
 #
-run_install $OWNERSHIP -m 0644 configfiles/zones           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/zones ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/zones.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/zones ]; then
-    run_install $OWNERSHIP -m 0644 configfiles/zones${suffix} ${DESTDIR}/etc/shorewall/zones
+    run_install $OWNERSHIP -m 0744 configfiles/zones ${DESTDIR}/etc/shorewall
    echo "Zones file installed as ${DESTDIR}/etc/shorewall/zones"
 fi
@@ -407,212 +323,189 @@ delete_file ${DESTDIR}/usr/share/shorewall/prog.footer
 # Install wait4ifup
 #
-install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup 0755
+install_file wait4ifup ${DESTDIR}/usr/share/shorewall/wait4ifup 0755
 echo
-echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup"
+echo "wait4ifup installed in ${DESTDIR}/usr/share/shorewall/wait4ifup"
 #
 # Install the policy file
 #
-run_install -m 0644 configfiles/policy           ${DESTDIR}/usr/share/shorewall/configfiles
+install_file configfiles/policy ${DESTDIR}/usr/share/shorewall/configfiles/policy 0644
 run_install -m 0644 configfiles/policy.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/policy ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/policy${suffix} ${DESTDIR}/etc/shorewall/policy
+    run_install $OWNERSHIP -m 0600 configfiles/policy ${DESTDIR}/etc/shorewall
    echo "Policy file installed as ${DESTDIR}/etc/shorewall/policy"
 fi
 #
 # Install the interfaces file
 #
-run_install $OWNERSHIP -m 0644 configfiles/interfaces           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/interfaces ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/interfaces.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/interfaces ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/interfaces${suffix} ${DESTDIR}/etc/shorewall/interfaces
+    run_install $OWNERSHIP -m 0600 configfiles/interfaces ${DESTDIR}/etc/shorewall
    echo "Interfaces file installed as ${DESTDIR}/etc/shorewall/interfaces"
 fi
 #
 # Install the hosts file
 #
-run_install $OWNERSHIP -m 0644 configfiles/hosts           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/hosts ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/hosts.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/hosts ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/hosts${suffix} ${DESTDIR}/etc/shorewall/hosts
+    run_install $OWNERSHIP -m 0600 configfiles/hosts ${DESTDIR}/etc/shorewall
    echo "Hosts file installed as ${DESTDIR}/etc/shorewall/hosts"
 fi
 #
 # Install the rules file
 #
-run_install $OWNERSHIP -m 0644 configfiles/rules           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/rules ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/rules.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/rules ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/rules${suffix} ${DESTDIR}/etc/shorewall/rules
+    run_install $OWNERSHIP -m 0600 configfiles/rules ${DESTDIR}/etc/shorewall
    echo "Rules file installed as ${DESTDIR}/etc/shorewall/rules"
 fi
 #
 # Install the NAT file
 #
-run_install $OWNERSHIP -m 0644 configfiles/nat           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/nat ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/nat.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/nat ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/nat${suffix} ${DESTDIR}/etc/shorewall/nat
+    run_install $OWNERSHIP -m 0600 configfiles/nat ${DESTDIR}/etc/shorewall
    echo "NAT file installed as ${DESTDIR}/etc/shorewall/nat"
 fi
 #
 # Install the NETMAP file
 #
-run_install $OWNERSHIP -m 0644 configfiles/netmap           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/netmap ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/netmap.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/netmap ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/netmap${suffix} ${DESTDIR}/etc/shorewall/netmap
+    run_install $OWNERSHIP -m 0600 configfiles/netmap ${DESTDIR}/etc/shorewall
    echo "NETMAP file installed as ${DESTDIR}/etc/shorewall/netmap"
 fi
 #
 # Install the Parameters file
 #
-run_install $OWNERSHIP -m 0644 configfiles/params           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/params ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/params.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -f ${DESTDIR}/etc/shorewall/params ]; then
    chmod 0644 ${DESTDIR}/etc/shorewall/params
 else
-    run_install $OWNERSHIP -m 0644 configfiles/params${suffix} ${DESTDIR}/etc/shorewall/params
+    run_install $OWNERSHIP -m 0644 configfiles/params ${DESTDIR}/etc/shorewall
    echo "Parameter file installed as ${DESTDIR}/etc/shorewall/params"
 fi
 #
 # Install the proxy ARP file
 #
-run_install $OWNERSHIP -m 0644 configfiles/proxyarp           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/proxyarp ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/proxyarp.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/proxyarp ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/proxyarp${suffix} ${DESTDIR}/etc/shorewall/proxyarp
+    run_install $OWNERSHIP -m 0600 configfiles/proxyarp ${DESTDIR}/etc/shorewall
    echo "Proxy ARP file installed as ${DESTDIR}/etc/shorewall/proxyarp"
 fi
 #
 # Install the Stopped Routing file
 #
-run_install $OWNERSHIP -m 0644 configfiles/routestopped           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/routestopped ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/routestopped.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/routestopped ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/routestopped${suffix} ${DESTDIR}/etc/shorewall/routestopped
+    run_install $OWNERSHIP -m 0600 configfiles/routestopped ${DESTDIR}/etc/shorewall
    echo "Stopped Routing file installed as ${DESTDIR}/etc/shorewall/routestopped"
 fi
 #
 # Install the Mac List file
 #
-run_install $OWNERSHIP -m 0644 configfiles/maclist           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/maclist ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/maclist.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/maclist ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/maclist${suffix} ${DESTDIR}/etc/shorewall/maclist
+    run_install $OWNERSHIP -m 0600 configfiles/maclist ${DESTDIR}/etc/shorewall
    echo "MAC list file installed as ${DESTDIR}/etc/shorewall/maclist"
 fi
 #
 # Install the Masq file
 #
-run_install $OWNERSHIP -m 0644 configfiles/masq           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/masq ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/masq.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/masq ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/masq${suffix} ${DESTDIR}/etc/shorewall/masq
+    run_install $OWNERSHIP -m 0600 configfiles/masq ${DESTDIR}/etc/shorewall
    echo "Masquerade file installed as ${DESTDIR}/etc/shorewall/masq"
 fi
 #
 # Install the Notrack file
 #
-run_install $OWNERSHIP -m 0644 configfiles/notrack           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/notrack ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/notrack.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/notrack ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/notrack${suffix} ${DESTDIR}/etc/shorewall/notrack
+    run_install $OWNERSHIP -m 0600 configfiles/notrack ${DESTDIR}/etc/shorewall
    echo "Notrack file installed as ${DESTDIR}/etc/shorewall/notrack"
 fi
 #
-# Install the Modules files
+# Install the Modules file
 #
-run_install $OWNERSHIP -m 0644 modules ${DESTDIR}/usr/share/shorewall
+run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall
 echo "Modules file installed as ${DESTDIR}/usr/share/shorewall/modules"
 for f in modules.*; do
    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/shorewall/$f
    echo "Module file $f installed as ${DESTDIR}/usr/share/shorewall/$f"
 done
 #
 # Install the Module Helpers file
 #
-run_install $OWNERSHIP -m 0644 helpers ${DESTDIR}/usr/share/shorewall
+run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/shorewall
 echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall/helpers"
 #
 # Install the TC Rules file
 #
-run_install $OWNERSHIP -m 0644 configfiles/tcrules           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcrules ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/tcrules.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcrules ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcrules${suffix} ${DESTDIR}/etc/shorewall/tcrules
+    run_install $OWNERSHIP -m 0600 configfiles/tcrules ${DESTDIR}/etc/shorewall
    echo "TC Rules file installed as ${DESTDIR}/etc/shorewall/tcrules"
 fi
 #
 # Install the TC Interfaces file
 #
-run_install $OWNERSHIP -m 0644 configfiles/tcinterfaces           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcinterfaces ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/tcinterfaces.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcinterfaces ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcinterfaces${suffix} ${DESTDIR}/etc/shorewall/tcinterfaces
+    run_install $OWNERSHIP -m 0600 configfiles/tcinterfaces ${DESTDIR}/etc/shorewall
    echo "TC Interfaces file installed as ${DESTDIR}/etc/shorewall/tcinterfaces"
 fi
 #
 # Install the TC Priority file
 #
-run_install $OWNERSHIP -m 0644 configfiles/tcpri           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcpri ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/tcpri.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcpri ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcpri${suffix} ${DESTDIR}/etc/shorewall/tcpri
+    run_install $OWNERSHIP -m 0600 configfiles/tcpri ${DESTDIR}/etc/shorewall
    echo "TC Priority file installed as ${DESTDIR}/etc/shorewall/tcpri"
 fi
 #
 # Install the TOS file
 #
-run_install $OWNERSHIP -m 0644 configfiles/tos           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tos ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/tos.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tos ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tos${suffix} ${DESTDIR}/etc/shorewall/tos
+    run_install $OWNERSHIP -m 0600 configfiles/tos ${DESTDIR}/etc/shorewall
    echo "TOS file installed as ${DESTDIR}/etc/shorewall/tos"
 fi
 #
 # Install the Tunnels file
 #
-run_install $OWNERSHIP -m 0644 configfiles/tunnels           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tunnels ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/tunnels.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tunnels ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tunnels${suffix} ${DESTDIR}/etc/shorewall/tunnels
+    run_install $OWNERSHIP -m 0600 configfiles/tunnels ${DESTDIR}/etc/shorewall
    echo "Tunnels file installed as ${DESTDIR}/etc/shorewall/tunnels"
 fi
 #
 # Install the blacklist file
 #
-run_install $OWNERSHIP -m 0644 configfiles/blacklist           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/blacklist ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/blacklist.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/blacklist ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/blacklist${suffix} ${DESTDIR}/etc/shorewall/blacklist
+    run_install $OWNERSHIP -m 0600 configfiles/blacklist ${DESTDIR}/etc/shorewall
    echo "Blacklist file installed as ${DESTDIR}/etc/shorewall/blacklist"
 fi
 #
@@ -646,66 +539,60 @@ delete_file ${DESTDIR}/usr/share/shorewall/xmodules
 #
 # Install the Providers file
 #
-run_install $OWNERSHIP -m 0644 configfiles/providers           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/providers ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/providers.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/providers ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/providers${suffix} ${DESTDIR}/etc/shorewall/providers
+    run_install $OWNERSHIP -m 0600 configfiles/providers ${DESTDIR}/etc/shorewall
    echo "Providers file installed as ${DESTDIR}/etc/shorewall/providers"
 fi
 #
 # Install the Route Rules file
 #
-run_install $OWNERSHIP -m 0644 configfiles/route_rules           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/route_rules ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/route_rules.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/route_rules ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/route_rules${suffix} ${DESTDIR}/etc/shorewall/route_rules
+    run_install $OWNERSHIP -m 0600 configfiles/route_rules ${DESTDIR}/etc/shorewall
    echo "Routing rules file installed as ${DESTDIR}/etc/shorewall/route_rules"
 fi
 #
 # Install the tcclasses file
 #
-run_install $OWNERSHIP -m 0644 configfiles/tcclasses           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcclasses ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/tcclasses.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcclasses ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcclasses${suffix} ${DESTDIR}/etc/shorewall/tcclasses
+    run_install $OWNERSHIP -m 0600 configfiles/tcclasses ${DESTDIR}/etc/shorewall
    echo "TC Classes file installed as ${DESTDIR}/etc/shorewall/tcclasses"
 fi
 #
 # Install the tcdevices file
 #
-run_install $OWNERSHIP -m 0644 configfiles/tcdevices           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcdevices ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/tcdevices.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcdevices ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcdevices${suffix} ${DESTDIR}/etc/shorewall/tcdevices
+    run_install $OWNERSHIP -m 0600 configfiles/tcdevices ${DESTDIR}/etc/shorewall
    echo "TC Devices file installed as ${DESTDIR}/etc/shorewall/tcdevices"
 fi
 #
 # Install the tcfilters file
 #
-run_install $OWNERSHIP -m 0644 configfiles/tcfilters           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/tcfilters ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/tcfilters.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcfilters ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/tcfilters${suffix} ${DESTDIR}/etc/shorewall/tcfilters
+    run_install $OWNERSHIP -m 0600 configfiles/tcfilters ${DESTDIR}/etc/shorewall
    echo "TC Filters file installed as ${DESTDIR}/etc/shorewall/tcfilters"
 fi
 #
 # Install the secmarks file
 #
-run_install $OWNERSHIP -m 0644 configfiles/secmarks           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/secmarks ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/secmarks.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/secmarks ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/secmarks${suffix} ${DESTDIR}/etc/shorewall/secmarks
+    run_install $OWNERSHIP -m 0600 configfiles/secmarks ${DESTDIR}/etc/shorewall
    echo "Secmarks file installed as ${DESTDIR}/etc/shorewall/secmarks"
 fi
@@ -762,21 +649,19 @@ fi
 #
 # Install the ECN file
 #
-run_install $OWNERSHIP -m 0644 configfiles/ecn           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/ecn ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/ecn.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/ecn ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/ecn${suffix} ${DESTDIR}/etc/shorewall/ecn
+    run_install $OWNERSHIP -m 0600 configfiles/ecn ${DESTDIR}/etc/shorewall
    echo "ECN file installed as ${DESTDIR}/etc/shorewall/ecn"
 fi
 #
 # Install the Accounting file
 #
-run_install $OWNERSHIP -m 0644 configfiles/accounting           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/accounting ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/accounting.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/accounting ]; then
-    run_install $OWNERSHIP -m 0600 configfiles/accounting${suffix} ${DESTDIR}/etc/shorewall/accounting
+    run_install $OWNERSHIP -m 0600 configfiles/accounting ${DESTDIR}/etc/shorewall
    echo "Accounting file installed as ${DESTDIR}/etc/shorewall/accounting"
 fi
 #
@@ -852,15 +737,6 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/tcclear ]; then
    echo "Tcclear file installed as ${DESTDIR}/etc/shorewall/tcclear"
 fi
 #
 # Install the Scfilter file
 #
 run_install $OWNERSHIP -m 644 configfiles/scfilter ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/scfilter ]; then
    run_install $OWNERSHIP -m 0600 configfiles/scfilter ${DESTDIR}/etc/shorewall
    echo "Scfilter file installed as ${DESTDIR}/etc/shorewall/scfilter"
 fi
 #
 # Install the Standard Actions file
 #
 install_file actions.std ${DESTDIR}/usr/share/shorewall/actions.std 0644
@@ -869,11 +745,10 @@ echo "Standard actions file installed as ${DESTDIR}/usr/shared/shorewall/actions
 #
 # Install the Actions file
 #
-run_install $OWNERSHIP -m 0644 configfiles/actions           ${DESTDIR}/usr/share/shorewall/configfiles
+run_install $OWNERSHIP -m 0644 configfiles/actions ${DESTDIR}/usr/share/shorewall/configfiles
 run_install $OWNERSHIP -m 0644 configfiles/actions.annotated ${DESTDIR}/usr/share/shorewall/configfiles
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/shorewall/actions ]; then
-    run_install $OWNERSHIP -m 0644 configfiles/actions${suffix} ${DESTDIR}/etc/shorewall/actions
+    run_install $OWNERSHIP -m 0644 configfiles/actions ${DESTDIR}/etc/shorewall
    echo "Actions file installed as ${DESTDIR}/etc/shorewall/actions"
 fi
@@ -927,23 +802,16 @@ chmod 755 ${DESTDIR}/usr/share/shorewall/Shorewall
 #
 cd Perl
-install_file compiler.pl ${DESTDIR}${LIBEXEC}/shorewall/compiler.pl 0755
+install_file compiler.pl ${DESTDIR}/usr/share/shorewall/compiler.pl 0755
 echo
-echo "Compiler installed in ${DESTDIR}${LIBEXEC}/shorewall/compiler.pl"
+echo "Compiler installed in ${DESTDIR}/usr/share/shorewall/compiler.pl"
 #
 # Install the params file helper
 #
 install_file getparams ${DESTDIR}${LIBEXEC}/shorewall/getparams 0755
 echo
 echo "Params file helper installed in ${DESTDIR}${LIBEXEC}/shorewall/getparams"
 #
 # Install the libraries
 #
 for f in Shorewall/*.pm ; do
-    install_file $f ${DESTDIR}${PERLLIB}/$f 0644
+    install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
-    echo "Module ${f%.*} installed as ${DESTDIR}${PERLLIB}/$f"
+    echo "Module ${f%.*} installed as ${DESTDIR}/usr/share/shorewall/$f"
 done
 #
 # Install the program skeleton files
@@ -1004,25 +872,24 @@ fi
 if [ -z "$DESTDIR" ]; then
    rm -rf /usr/share/shorewall-perl
    rm -rf /usr/share/shorewall-shell
    [ "$PERLLIB" != /usr/share/shorewall ] && rm -rf /usr/share/shorewall/Shorewall
 fi
 if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
    if [ -n "$DEBIAN" ]; then
 	install_file default.debian /etc/default/shorewall 0644
-	update-rc.d shorewall defaults
+	if [ -x /sbin/insserv ]; then
 	    insserv /etc/init.d/shorewall
 	else
 	    ln -s ../init.d/shorewall /etc/rcS.d/S40shorewall
 	fi
 	echo "shorewall will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall to enable"
 	touch /var/log/shorewall-init.log
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall/shorewall.conf
    else
-	if [ -n "$SYSTEMD" ]; then
+	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 	    if systemctl enable shorewall; then
 		echo "Shorewall will start automatically at boot"
 	    fi
 	elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 	    if insserv /etc/init.d/shorewall ; then
 		echo "shorewall will start automatically at boot"
 		echo "Set STARTUP_ENABLED=Yes in /etc/shorewall/shorewall.conf to enable"
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	a258de3c9d	Update known problems Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-21 07:50:13 -07:00
Tom Eastep	a796623dde	Rename DESTIFAC_DISALLOW -> DESTIFACE_DISALLOW Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-20 09:40:31 -07:00
Tom Eastep	f6f840bebf	Misc cleanup for 4.4.13 1. Replace statement with equivalent function call in promote_blacklist_rules() 2. Bump version of Tunnels.pm 3. Fix typo in comment in Zones.pm Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-20 08:15:24 -07:00
Tom Eastep	59905e8744	Set version to 4.4.13	2010-09-20 07:25:33 -07:00
Tom Eastep	7d2f6379e0	Document fix for '*' in interface names. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2010-09-19 15:19:48 -07:00
Tom Eastep	8bdd9828fd	Don't allow '*' in interface names	2010-09-19 15:13:54 -07:00
		`@@ -1,3 +0,0 @@`
			`<?xml version="1.0" encoding="UTF-8"?>`
			`<includepath />`