Fix compiler crash from unknown interface

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Correct usage text for 'update'.
2012-02-18 11:05:47 -08:00 · 2012-02-18 11:05:27 -08:00 · 2012-02-18 11:05:11 -08:00 · 2012-02-17 13:47:49 -08:00 · 2012-02-13 12:57:07 -08:00 · 2012-02-12 11:47:08 -08:00
239 changed files with 12113 additions and 15669 deletions
--- a/Shorewall-core/COPYING
+++ b/Shorewall-core/COPYING
@@ -0,0 +1,341 @@
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+                          51 Franklin Street, Fifth Floor,
+			  Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	    How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) 19yy  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) 19yy name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Library General
+Public License instead of this License.
--- a/Shorewall-core/INSTALL
+++ b/Shorewall-core/INSTALL
@@ -0,0 +1,24 @@
+Shoreline Firewall (Shorewall) Version 4
+-----         ----
+
+-----------------------------------------------------------------------------
+
+     This program is free software; you can redistribute it and/or modify
+     it under the terms of Version 2 of the GNU General Public License
+     as published by the Free Software Foundation.
+
+     This program is distributed in the hope that it will be useful,
+     but WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+     GNU General Public License for more details.
+
+     You should have received a copy of the GNU General Public License
+     along with this program; if not, write to the Free Software
+     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+---------------------------------------------------------------------------
+
+Please see http://www.shorewall.net/Install.htm for installation
+instructions.
+
+
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -0,0 +1,287 @@
+#!/bin/sh
+#
+# Script to install Shoreline Firewall Core Modules
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+VERSION=xxx #The Build script inserts the actual version
+
+usage() # $1 = exit status
+{
+    ME=$(basename $0)
+    echo "usage: $ME"
+    echo "       $ME -v"
+    echo "       $ME -h"
+    echo "       $ME -s"
+    echo "       $ME -f"
+    exit $1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+run_install()
+{
+    if ! install $*; then
+	echo
+	echo "ERROR: Failed to install $*" >&2
+	exit 1
+    fi
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
+install_file() # $1 = source $2 = target $3 = mode
+{
+    run_install $T $OWNERSHIP -m $3 $1 ${2}
+}
+
+[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
+
+#
+# Parse the run line
+#
+# ARGS is "yes" if we've already parsed an argument
+#
+T="-T"
+
+[ -n "${LIBEXEC:=/usr/share}" ]
+[ -n "${PERLLIB:=/usr/share/shorewall}" ]
+MACHOST=
+
+case "$LIBEXEC" in
+    /*)
+	;;
+    *)
+	LIBEXEC=/usr/${LIBEXEC}
+	;;
+esac
+
+case "$PERLLIB" in
+    /*)
+	;;
+    *)
+	PERLLIB=/usr/${PERLLIB}
+	;;
+esac
+
+INSTALLD='-D'
+
+case $(uname) in
+    CYGWIN*)
+	if [ -z "$DESTDIR" ]; then
+	    DEST=
+	    INIT=
+	fi
+
+	OWNER=$(id -un)
+	GROUP=$(id -gn)
+	CYGWIN=Yes
+	;;
+    Darwin)
+	if [ -z "$DESTDIR" ]; then
+	    DEST=
+	    INIT=
+	fi
+
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=wheel
+	MAC=Yes
+        MACHOST=Yes
+	INSTALLD=
+	T=
+	;;
+    *)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=root
+	;;
+esac
+
+OWNERSHIP="-o $OWNER -g $GROUP"
+
+finished=0
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+	    
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "Shorewall Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    a*)
+			ANNOTATED=Yes
+			option=${option#a}
+			;;
+		    p*)
+			ANNOTATED=
+			option=${option#p}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    [ -n "$option" ] && usage 1
+	    finished=1
+	    ;;
+    esac
+done
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+#
+# Determine where to install the firewall script
+#
+
+if [ -n "$DESTDIR" ]; then
+    if [ -z "$CYGWIN" ]; then
+	if [ `id -u` != 0 ] ; then
+	    echo "Not setting file owner/group permissions, not running as root."
+	    OWNERSHIP=""
+	fi
+    fi
+
+    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+
+    CYGWIN=
+    MAC=
+else
+    if [ -n "$CYGWIN" ]; then
+	echo "Installing Cygwin-specific configuration..."
+    elif [ -n "$MAC" ]; then
+	echo "Installing Mac-specific configuration..."
+    else
+	if [ -f /etc/debian_version ]; then
+	    echo "Installing Debian-specific configuration..."
+	    DEBIAN=yes
+	elif [ -f /etc/redhat-release ]; then
+	    echo "Installing Redhat/Fedora-specific configuration..."
+	    FEDORA=yes
+	elif [ -f /etc/slackware-version ] ; then
+	    echo "Installing Slackware-specific configuration..."
+	    DEST="/etc/rc.d"
+	    MANDIR="/usr/man"
+	    SLACKWARE=yes
+	elif [ -f /etc/arch-release ] ; then
+	    echo "Installing ArchLinux-specific configuration..."
+	    DEST="/etc/rc.d"
+	    INIT="shorewall"
+	    ARCHLINUX=yes
+	fi
+    fi
+fi
+
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
+echo "Installing Shorewall Core Version $VERSION"
+
+#
+# Create /usr/share/shorewall
+#
+mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
+chmod 755 ${DESTDIR}/usr/share/shorewall
+#
+# Install wait4ifup
+#
+install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup 0755
+
+echo
+echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup"
+
+#
+# Install the libraries
+#
+for f in lib.* ; do
+    install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
+    echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall/$f"
+done
+
+if [ -z "$MACHOST" ]; then
+    eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+    eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+else
+    eval sed -i \'\' -e \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+    eval sed -i \'\' -e \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+fi
+
+#
+# Symbolically link 'functions' to lib.base
+#
+ln -sf lib.base ${DESTDIR}/usr/share/shorewall/functions
+#
+# Create the version file
+#
+echo "$VERSION" > ${DESTDIR}/usr/share/shorewall/coreversion
+chmod 644 ${DESTDIR}/usr/share/shorewall/coreversion
+#
+#  Report Success
+#
+echo "Shorewall Core Version $VERSION Installed"
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/lib.base
+# Shorewall 4.5 -- /usr/share/shorewall/lib.base
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -23,16 +23,53 @@
 # This library contains the code common to all Shorewall components.
 #
 # - It is loaded by /sbin/shorewall.
-# - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
-#   and /usr/share/shorewall-lite/shorecap.
+# - It is released as part of Shorewall[6] Lite where it is used by /sbin/shorewall[6]-lite
+#   and /usr/share/shorewall[6]-lite/shorecap.
 #

-SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40426
+SHOREWALL_LIBVERSION=40500
+SHOREWALL_CAPVERSION=40501

-[ -n "${VARDIR:=/var/lib/shorewall}" ]
-[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
-[ -n "${CONFDIR:=/etc/shorewall}" ]
+[ -n "${g_program:=shorewall}" ]
+
+case $g_program in
+    shorewall)
+	SHAREDIR=/usr/share/shorewall
+	CONFDIR=/etc/shorewall
+	g_product="Shorewall"
+	g_family=4
+	g_tool=
+	g_basedir=/usr/share/shorewall
+	g_lite=
+	;;
+    shorewall6)
+	SHAREDIR=/usr/share/shorewall6
+	CONFDIR=/etc/shorewall6
+	g_product="Shorewall6"
+	g_family=6
+	g_tool=
+	g_basedir=/usr/share/shorewall
+	g_lite=
+	;;
+    shorewall-lite)
+	SHAREDIR=/usr/share/shorewall-lite
+	CONFDIR=/etc/shorewall-lite
+	g_product="Shorewall Lite"
+	g_family=4
+	g_tool=iptables
+	g_basedir=/usr/share/shorewall-lite
+	g_lite=Yes
+	;;
+    shorewall6-lite)
+	SHAREDIR=/usr/share/shorewall6-lite
+	CONFDIR=/etc/shorewall6-lite
+	g_product="Shorewall6 Lite"
+	g_family=6
+	g_tool=ip6tables
+	g_basedir=/usr/share/shorewall6-lite
+	g_lite=Yes
+	;;
+esac

 #
 # Conditionally produce message
@@ -149,33 +186,7 @@ mutex_off()
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }

-#
-# Find the interface with the passed MAC address
-#
-
-find_interface_by_mac() {
-    local mac
-    mac=$1
-    local first
-    local second
-    local rest
-    local dev
-
-    $IP link list | while read first second rest; do
-	case $first in
-	    *:)
-                dev=$second
-		;;
-	    *)
-	        if [ "$second" = $mac ]; then
-		    echo ${dev%:}
-		    return
-		fi
-	esac
-    done
-}
-
-[ -z "$LEFTSHIFT" ] && . ${SHAREDIR}/lib.common
+[ -z "$LEFTSHIFT" ] && . /usr/share/shorewall/lib.common

 #
 # Validate an IP address
@@ -339,8 +350,8 @@ ensure_config_path() {
 	. $F
    fi

-    if [ -n "$SHOREWALL_DIR" ]; then
-	[ "${CONFIG_PATH%%:*}" = "$SHOREWALL_DIR" ] || CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH
+    if [ -n "$g_shorewalldir" ]; then
+	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
    fi
 }

@@ -378,9 +389,8 @@ resolve_file() # $1 = file name
    esac
 }

-# Function to truncate a string -- It uses 'cut -b -<n>'
-# rather than ${v:first:last} because light-weight shells like ash and
-# dash do not support that form of expansion.
+#
+# Determine how to do "echo -e"
 #

 find_echo() {
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/lib.common.
+# Shorewall 4.5 -- /usr/share/shorewall/lib.common.
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,6 +24,50 @@
 # generated firewall scripts. To avoid versioning issues, it is copied into generated
 # scripts rather than loaded at run-time.
 #
+#########################################################################################
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}

 #
 # Get the Shorewall version of the passed script
@@ -38,7 +82,7 @@ get_script_version() { # $1 = script
    verbosity="$VERBOSITY"
    VERBOSITY=0

-    temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
+    temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )

    if [ $? -ne 0 ]; then
 	version=0
@@ -88,13 +132,15 @@ run_it() {
 	export TIMESTAMP=$g_timestamp
 	export RECOVERING=$g_recovering

-	if [ "$g_product" != Shorewall ]; then
-	    #
-	    # Shorewall Lite
-	    #
-	    export LOGFORMAT
-	    export IPTABLES
-	fi
+	case "$g_program" in
+	    *-lite)
+		#
+		# Shorewall Lite
+		#
+		export LOGFORMAT
+		export IPTABLES
+		;;
+	esac
    else
 	#
 	# 4.4.8 or later -- no additional exports required
@@ -127,6 +173,30 @@ error_message() # $* = Error Message
   echo "   $@" >&2
 }

+#
+# Undo the effect of 'split()'
+#
+join()
+{
+    local f
+    local o
+    o=
+
+    for f in $* ; do
+        o="${o:+$o:}$f"
+    done
+
+    echo $o
+}
+
+#
+# Return the number of elements in a list
+#
+list_count() # $* = list
+{
+    return $#
+}
+
 #
 # Split a colon-separated list into a space-separated list
 #
@@ -184,12 +254,20 @@ qt1()
 }

 #
-# Determine if Shorewall is "running"
+# Determine if Shorewall[6] is "running"
 #
+product_is_started() {
+    qt1 $g_tool -L shorewall -n
+}
+
 shorewall_is_started() {
    qt1 $IPTABLES -L shorewall -n
 }

+shorewall6_is_started() {
+    qt1 $IP6TABLES -L shorewall -n
+}
+
 #
 # Echos the fully-qualified name of the calling shell program
 #
@@ -294,7 +372,7 @@ reload_kernel_modules() {

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset

    [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)

@@ -333,7 +411,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset

    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -465,38 +543,100 @@ in_network() # $1 = IP address, $2 = CIDR network
    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
 }

+#
+# Query NetFilter about the existence of a filter chain
+#
+chain_exists() # $1 = chain name
+{
+    qt1 $g_tool -L $1 -n
+}
+
+#
+# Find the interface with the passed MAC address
+#
+
+find_interface_by_mac() {
+    local mac
+    mac=$1
+    local first
+    local second
+    local rest
+    local dev
+
+    $IP link list | while read first second rest; do
+	case $first in
+	    *:)
+                dev=$second
+		;;
+	    *)
+	        if [ "$second" = $mac ]; then
+		    echo ${dev%:}
+		    return
+		fi
+	esac
+    done
+}
+
 #
 # Find interface address--returns the first IP address assigned to the passed
 # device
 #
 find_first_interface_address() # $1 = interface
 {
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # If there wasn't one, bail out now
-    #
-    [ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+    if [ $g_family -eq 4 ]; then
+	#
+	# get the line of output containing the first IP address
+	#
+	addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+	#
+	# If there wasn't one, bail out now
+	#
+	[ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
+	#
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)	
+	# along with everything else on the line
+	#
+	echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+    else
+	#
+	# get the line of output containing the first IP address
+	#
+	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
+	#
+	# If there wasn't one, bail out now
+	#
+	[ -n "$addr" ] || startup_error "Can't determine the IPv6 address of $1"
+	#
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+	# along with everything else on the line
+	#
+	echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+    fi
 }

 find_first_interface_address_if_any() # $1 = interface
 {
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
+    if [ $g_family -eq 4 ]; then
+	#
+	# get the line of output containing the first IP address
+	#
+	addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+	#
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+	# along with everything else on the line
+	#
+	[ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
+    else
+	#
+	# get the line of output containing the first IP address
+	#
+	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
+	#
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+	# along with everything else on the line
+	#
+	[ -n "$addr" ] && echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' || echo ::
+    fi
 }

 #
@@ -515,14 +655,6 @@ mywhich() {
    return 2
 }

-#
-# Query NetFilter about the existence of a filter chain
-#
-chain_exists() # $1 = chain name
-{
-    qt1 $IPTABLES -L $1 -n
-}
-
 #
 # Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
 #
@@ -552,7 +684,7 @@ find_file()
 #
 # Set the Shorewall state
 #
-set_state () # $1 = state $2
+set_state () # $1 = state
 {
    if [ $# -gt 1 ]; then
 	echo "$1 ($(date)) from $2" > ${VARDIR}/state
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+#
+# Script to back uninstall Shoreline Firewall
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://www.shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#    Usage:
+#
+#       You may only use this script to uninstall the version
+#       shown below. Simply run this script to remove Shorewall Firewall
+
+VERSION=xxx #The Build script inserts the actual version
+
+usage() # $1 = exit status
+{
+    ME=$(basename $0)
+    echo "usage: $ME"
+    exit $1
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+restore_file() # $1 = file to restore
+{
+    if [ -f ${1}-shorewall.bkout ]; then
+	if (mv -f ${1}-shorewall.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    exit 1
+        fi
+    fi
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
+
+if [ -f /usr/share/shorewall/coreversion ]; then
+    INSTALLED_VERSION="$(cat /usr/share/shorewall/coreversion)"
+    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
+	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
+	echo "         and this is the $VERSION uninstaller."
+	VERSION="$INSTALLED_VERSION"
+    fi
+else
+    echo "WARNING: Shorewall Core Version $VERSION is not installed"
+    VERSION=""
+fi
+
+[ -n "${LIBEXEC:=/usr/share}" ]
+[ -n "${PERLLIB:=/usr/share/shorewall}" ]
+
+echo "Uninstalling Shorewall Core $VERSION"
+
+rm -rf /usr/share/shorewall
+
+echo "Shorewall Core Uninstalled"
+
+
--- a/Shorewall-core/wait4ifup
+++ b/Shorewall-core/wait4ifup
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -213,7 +213,7 @@ fi
 if [ -n "$DEBIAN" ]; then
    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
 elif [ -n "$FEDORA" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
+    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
 #elif [ -n "$ARCHLINUX" ]; then
 #    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
 else
--- a/Shorewall-lite/default.debian
+++ b/Shorewall-lite/default.debian
@@ -18,9 +18,18 @@ startup=0
 #
 # Startup options
 #
-
 OPTIONS=""

+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
@@ -30,7 +39,6 @@ INITLOG=/dev/null
 # Set this to 1 to cause '/etc/init.d/shorewall-lite stop' to place the firewall in
 # a safe state rather than to open it
 #
-
 SAFESTOP=0

 # EOF
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -80,7 +80,7 @@ fi
 # start the firewall
 shorewall_start () {
  echo -n "Starting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

@@ -98,7 +98,7 @@ shorewall_stop () {
 # restart the firewall
 shorewall_restart () {
  echo -n "Restarting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

--- a/Shorewall-lite/init.sh
+++ b/Shorewall-lite/init.sh
@@ -76,14 +76,13 @@ command="$1"

 case "$command" in
    start)
-	exec /sbin/shorewall-lite $OPTIONS $@
+	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS $@
 	;;
-    stop|restart|status)
-	exec /sbin/shorewall-lite $@
+    restart|reload)
+	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS $@
 	;;
-    reload)
-	shift
-	exec /sbin/shorewall-lite restart $@
+    status|stop)
+	exec /sbin/shorewall-lite $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -72,7 +72,7 @@ run_install()
 cant_autostart()
 {
    echo
-    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
+    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
 }

 delete_file() # $1 = file to delete
@@ -85,6 +85,19 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }

+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
+if [ -f shorewall-lite ]; then
+    PRODUCT=shorewall-lite
+    Product="Shorewall Lite"
+else
+    PRODUCT=shorewall6-lite
+    Product="Shorewall6 Lite"
+fi
+
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"

 #
@@ -92,16 +105,13 @@ install_file() # $1 = source $2 = target $3 = mode
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
-# ARGS is "yes" if we've already parsed an argument
 #
-ARGS=""
-
 if [ -z "$DEST" ] ; then
 	DEST="/etc/init.d"
 fi

 if [ -z "$INIT" ] ; then
-	INIT="shorewall-lite"
+	INIT="$PRODUCT"
 fi

 while [ $# -gt 0 ] ; do
@@ -110,7 +120,7 @@ while [ $# -gt 0 ] ; do
 	    usage 0
 	    ;;
        -v)
-	    echo "Shorewall Lite Firewall Installer Version $VERSION"
+	    echo "$Product Firewall Installer Version $VERSION"
 	    exit 0
 	    ;;
 	*)
@@ -118,7 +128,6 @@ while [ $# -gt 0 ] ; do
 	    ;;
    esac
    shift
-    ARGS="yes"
 done

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -179,11 +188,16 @@ elif [ -f /etc/slackware-version ] ; then
    INIT="rc.firewall"
 elif [ -f /etc/arch-release ] ; then
      DEST="/etc/rc.d"
-      INIT="shorewall-lite"
+      INIT="$PRODUCT"
      ARCHLINUX=yes
 fi

 if [ -z "$DESTDIR" ]; then
+    if [ ! -f /usr/share/shorewall/coreversion ]; then
+	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
+	exit 1
+    fi
+
    if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
    fi
@@ -191,68 +205,66 @@ elif [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}/lib/systemd/system
 fi

-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
-echo "Installing Shorewall Lite Version $VERSION"
+echo "Installing $Product Version $VERSION"

 #
-# Check for /etc/shorewall-lite
+# Check for /etc/$PRODUCT
 #
-if [ -z "$DESTDIR" -a -d /etc/shorewall-lite ]; then
-    [ -f /etc/shorewall-lite/shorewall.conf ] && \
-	mv -f /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall-lite.conf
+if [ -z "$DESTDIR" -a -d /etc/$PRODUCT ]; then
+    if [ ! -f /usr/share/shorewall/coreversion ]; then
+	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
+	exit 1
+    fi
+
+    [ -f /etc/$PRODUCT/shorewall.conf ] && \
+	mv -f /etc/$PRODUCT/shorewall.conf /etc/$PRODUCT/$PRODUCT.conf
 else
-    rm -rf ${DESTDIR}/etc/shorewall-lite
-    rm -rf ${DESTDIR}/usr/share/shorewall-lite
-    rm -rf ${DESTDIR}/var/lib/shorewall-lite
-    [ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall-lite/shorecap /usr/share/shorecap
+    rm -rf ${DESTDIR}/etc/$PRODUCT
+    rm -rf ${DESTDIR}/usr/share/$PRODUCT
+    rm -rf ${DESTDIR}/var/lib/$PRODUCT
+    [ "$LIBEXEC" = /usr/share ] || rm -rf /usr/share/$PRODUCT/wait4ifup /usr/share/$PRODUCT/shorecap
 fi

 #
-# Check for /sbin/shorewall-lite
+# Check for /sbin/$PRODUCT
 #
-if [ -f ${DESTDIR}/sbin/shorewall-lite ]; then
+if [ -f ${DESTDIR}/sbin/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
 fi

-delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
+delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

-install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
+install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0544

-eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall-lite
-
-echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
+echo "$Product control program installed in ${DESTDIR}/sbin/$PRODUCT"

 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
+    install_file init.debian.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
 elif [ -n "$FEDORA" ]; then
-    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
+    install_file init.fedora.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
 elif [ -n "$ARCHLINUX" ]; then
    install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
 else
    install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
 fi

-echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
+echo  "$Product script installed in ${DESTDIR}${DEST}/$INIT"

 #
-# Create /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite if needed
+# Create /etc/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall-lite
-mkdir -p ${DESTDIR}/usr/share/shorewall-lite
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-lite
-mkdir -p ${DESTDIR}/var/lib/shorewall-lite
+mkdir -p ${DESTDIR}/etc/$PRODUCT
+mkdir -p ${DESTDIR}/usr/share/$PRODUCT
+mkdir -p ${DESTDIR}${LIBEXEC}/$PRODUCT
+mkdir -p ${DESTDIR}/var/lib/$PRODUCT

-chmod 755 ${DESTDIR}/etc/shorewall-lite
-chmod 755 ${DESTDIR}/usr/share/shorewall-lite
+chmod 755 ${DESTDIR}/etc/$PRODUCT
+chmod 755 ${DESTDIR}/usr/share/$PRODUCT

 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}/etc/logrotate.d
@@ -263,85 +275,74 @@ fi
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
-    run_install $OWNERSHIP -m 600 shorewall-lite.service ${DESTDIR}/lib/systemd/system/shorewall-lite.service
-    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-lite.service"
+    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/lib/systemd/system/$PRODUCT.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi

 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf ]; then
-   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${DESTDIR}/etc/shorewall-lite
-   echo "Config file installed as ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf"
+if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
+   install_file $PRODUCT.conf ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf 0744
+   echo "Config file installed as ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf"
 fi

 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
 fi

 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall-lite
-echo "Makefile installed as ${DESTDIR}/etc/shorewall-lite/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/$PRODUCT
+echo "Makefile installed as ${DESTDIR}/etc/$PRODUCT/Makefile"

 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall-lite/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall-lite/configpath"
+install_file configpath ${DESTDIR}/usr/share/$PRODUCT/configpath 0644
+echo "Default config path file installed as ${DESTDIR}/usr/share/$PRODUCT/configpath"

 #
 # Install the libraries
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
+	install_file $f ${DESTDIR}/usr/share/$PRODUCT/$f 0644
+	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
    fi
 done

-ln -sf lib.base ${DESTDIR}/usr/share/shorewall-lite/functions
+ln -sf lib.base ${DESTDIR}/usr/share/$PRODUCT/functions

-echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functions"
+echo "Common functions linked through ${DESTDIR}/usr/share/$PRODUCT/functions"

 #
 # Install Shorecap
 #

-install_file shorecap ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap 0755
+install_file shorecap ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap 0755

 echo
-echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap"
-
-#
-# Install wait4ifup
-#
-
-if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup 0755
-
-    echo
-    echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup"
-fi
+echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap"

 #
 # Install the Modules files
 #

 if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall-lite
-    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
+    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/$PRODUCT
+    echo "Modules file installed as ${DESTDIR}/usr/share/$PRODUCT/modules"
 fi

 if [ -f helpers ]; then
-    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/shorewall-lite
-    echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall-lite/helpers"
+    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/$PRODUCT
+    echo "Helper modules file installed as ${DESTDIR}/usr/share/$PRODUCT/helpers"
 fi

 for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/shorewall-lite/$f
-    echo "Module file $f installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
+    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/$PRODUCT/$f
+    echo "Module file $f installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
 done

 #
@@ -371,62 +372,65 @@ if [ -d manpages ]; then
 fi

 if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall-lite
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall-lite"
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/$PRODUCT
+    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/$PRODUCT"
 fi

-
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-lite/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-lite/version
+echo "$VERSION" > ${DESTDIR}/usr/share/$PRODUCT/version
+chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #

 if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-lite/init
-    ln -s ${DEST}/${INIT} /usr/share/shorewall-lite/init
+    rm -f /usr/share/$PRODUCT/init
+    ln -s ${DEST}/${INIT} /usr/share/$PRODUCT/init
 fi

+delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.common
+delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.cli
+delete_file ${DESTDIR}/usr/share/$PRODUCT/wait4ifup
+
 if [ -z "$DESTDIR" ]; then
-    touch /var/log/shorewall-lite-init.log
+    touch /var/log/$PRODUCT-init.log

    if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
-	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
+	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT

-	    update-rc.d shorewall-lite defaults
+	    update-rc.d $PRODUCT defaults

 	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall-lite
+		insserv /etc/init.d/$PRODUCT
 	    else
-		ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
+		ln -s ../init.d/$PRODUCT /etc/rcS.d/S40$PRODUCT
 	    fi

-	    echo "Shorewall Lite will start automatically at boot"
+	    echo "$Product will start automatically at boot"
 	else
 	    if [ -n "$SYSTEMD" ]; then
-		if systemctl enable shorewall-lite; then
-		    echo "Shorewall Lite will start automatically at boot"
+		if systemctl enable $PRODUCT; then
+		    echo "$Product will start automatically at boot"
 		fi
 	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/shorewall-lite ; then
-		    echo "Shorewall Lite will start automatically at boot"
+		if insserv /etc/init.d/$PRODUCT ; then
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add shorewall-lite ; then
-		    echo "Shorewall Lite will start automatically in run levels as follows:"
-		    chkconfig --list shorewall-lite
+		if chkconfig --add $PRODUCT ; then
+		    echo "$Product will start automatically in run levels as follows:"
+		    chkconfig --list $PRODUCT
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add shorewall-lite default; then
-		    echo "Shorewall Lite will start automatically at boot"
+		if rc-update add $PRODUCT default; then
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
@@ -440,4 +444,4 @@ fi
 #
 #  Report Success
 #
-echo "shorewall Lite Version $VERSION Installed"
+echo "$Product Version $VERSION Installed"
--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -0,0 +1,34 @@
+#
+# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redisribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# This library contains the code common to all Shorewall components.
+
+g_program=shorewall-lite
+g_family=4
+g_basedir=/usr/share/shorewall
+
+[ -n "${VARDIR:=/var/lib/$g_program}" ]
+[ -n "${SHAREDIR:=/usr/share/$g_program}" ]
+[ -n "${CONFDIR:=/etc/$g_program}" ]
+
+. /usr/share/shorewall/lib.base
+
--- a/Shorewall-lite/manpages/shorewall-lite-vardir.xml
+++ b/Shorewall-lite/manpages/shorewall-lite-vardir.xml
--- a/Shorewall-lite/manpages/shorewall-lite.conf.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.conf.xml
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -11,11 +11,27 @@
  <refnamediv>
    <refname>shorewall-lite</refname>

-    <refpurpose>Administration tool for Shoreline Firewall Lite
-    (Shorewall-lite)</refpurpose>
+    <refpurpose>Administration tool for Shoreline Firewall Lite (Shorewall
+    Lite)</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>add</option></arg>
+
+      <arg choice="plain"
+      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
+
+      <arg choice="plain"><replaceable>zone</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -37,7 +53,38 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>clear</option></arg>
+      <arg
+      choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>delete</option></arg>
+
+      <arg choice="plain"
+      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
+
+      <arg choice="plain"><replaceable>zone</replaceable></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>disable</option></arg>
+
+      <arg choice="plain">{ <replaceable>interface</replaceable> |
+      <replaceable>provider</replaceable> }</arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -64,13 +111,30 @@

      <arg><option>-x</option></arg>

+      <arg><option>-l</option></arg>
+
      <arg><option>-m</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>enable</option></arg>
+
+      <arg choice="plain">{ <replaceable>interface</replaceable> |
+      <replaceable>provider</replaceable> }</arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

@@ -96,7 +160,8 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>hits</option></arg>
+      <arg
+      choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -130,6 +195,19 @@
      choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>iptrace</option></arg>
+
+      <arg choice="plain"><replaceable>iptables match
+      expression</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -170,6 +248,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>noiptrace</option></arg>
+
+      <arg choice="plain"><replaceable>iptables match
+      expression</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -191,8 +282,24 @@

      <arg>-<replaceable>options</replaceable></arg>

+      <arg choice="plain"><option>reset</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
      <arg
-      choice="plain"><option>restart</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>restart</option></arg>
+
+      <arg><option>-n</option></arg>
+
+      <arg><option>-p</option></arg>
+
+      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -232,8 +339,10 @@

      <arg><option>-x</option></arg>

+      <arg><option>-l</option></arg>
+
      <arg><option>-t</option>
-      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}</arg>
+      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>

      <arg><arg><option>chain</option></arg><arg choice="plain"
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
@@ -263,7 +372,7 @@
      <arg choice="plain"><option>show</option></arg>

      <arg
-      choice="req"><option>actions|classifiers|connections|config|zones</option></arg>
+      choice="req"><option>classifiers|connections|config|filters|ip|ipa|zones|policies|marks</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -277,7 +386,7 @@

      <arg><option>-x</option></arg>

-      <arg choice="req"><option>mangle|nat</option></arg>
+      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -318,7 +427,7 @@

      <arg><option>-n</option></arg>

-      <arg><option>-f</option><arg><option>-p</option></arg></arg>
+      <arg><option>-p</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -349,7 +458,8 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>version</option></arg>
+      <arg
+      choice="plain"><option>version</option><arg><option>-a</option></arg></arg>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -357,7 +467,7 @@
    <title>Description</title>

    <para>The shorewall-lite utility is used to control the Shoreline Firewall
-    (Shorewall) Lite.</para>
+    Lite (Shorewall Lite).</para>
  </refsect1>

  <refsect1>
@@ -365,12 +475,12 @@

    <para>The <option>trace</option> and <option>debug</option> options are
    used for debugging. See <ulink
-    url="http://www.shorewall.net/starting_and_stopping.htm#Trace">http://www.shorewall.net/starting_and_stopping.htm#Trace</ulink>.</para>
+    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>

    <para>The nolock <option>option</option> prevents the command from
-    attempting to acquire the Shorewall Lite lockfile. It is useful if you
-    need to include <command>shorewall-lite</command> commands in the
-    <filename>started</filename> extension script.</para>
+    attempting to acquire the Shorewall-lite lockfile. It is useful if you
+    need to include <command>shorewall</command> commands in
+    <filename>/etc/shorewall/started</filename>.</para>

    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
@@ -407,12 +517,12 @@
          defined in the <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is comma-separated list whose
-          elements are a host or network address.<caution>
+          elements are host or network addresses.<caution>
              <para>The <command>add</command> command is not very robust. If
              there are errors in the <replaceable>host-list</replaceable>,
              you may see a large number of error messages yet a subsequent
-              <command>shorewall show zones</command> command will indicate
-              that all hosts were added. If this happens, replace
+              <command>shorewall-lite show zones</command> command will
+              indicate that all hosts were added. If this happens, replace
              <command>add</command> by <command>delete</command> and run the
              same command again. Then enter the correct command.</para>
            </caution></para>
@@ -435,10 +545,16 @@
        <term><emphasis role="bold">clear</emphasis></term>

        <listitem>
-          <para>Clear will remove all rules and chains installed by Shorewall
-          Lite. The firewall is then wide open and unprotected. Existing
-          connections are untouched. Clear is often used to see if the
-          firewall is causing connection problems.</para>
+          <para>Clear will remove all rules and chains installed by
+          Shorewall-lite. The firewall is then wide open and unprotected.
+          Existing connections are untouched. Clear is often used to see if
+          the firewall is causing connection problems.</para>
+
+          <para>If <option>-f</option> is given, the command will be processed
+          by the compiled script that executed the last successful <emphasis
+          role="bold">start</emphasis>, <emphasis
+          role="bold">restart</emphasis> or <emphasis
+          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

@@ -457,6 +573,18 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">disable</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.26. Disables the optional provider
+          associated with the specified <replaceable>interface</replaceable>
+          or <replaceable>provider</replaceable>. Where more than one provider
+          share a single network interface, a
+          <replaceable>provider</replaceable> name must be given.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">drop</emphasis></term>

@@ -476,8 +604,23 @@
          <para>The <emphasis role="bold">-x</emphasis> option causes actual
          packet and byte counts to be displayed. Without that option, these
          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
-          option causes any MAC addresses included in Shorewall Lite log
+          option causes any MAC addresses included in Shorewall-lite log
          messages to be displayed.</para>
+
+          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
+          number for each Netfilter rule to be displayed.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">enable</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.26. Enables the optional provider
+          associated with the specified <replaceable>interface</replaceable>
+          or <replaceable>provider</replaceable>. Where more than one provider
+          share a single network interface, a
+          <replaceable>provider</replaceable> name must be given.</para>
        </listitem>
      </varlistentry>

@@ -489,7 +632,7 @@
          and /var/lib/shorewall-lite/save. If no
          <emphasis>filename</emphasis> is given then the file specified by
          RESTOREFILE in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) is
+          url="shorewall.conf.html">shorewall.conf</ulink>(5) is
          assumed.</para>
        </listitem>
      </varlistentry>
@@ -506,8 +649,9 @@
        <term><emphasis role="bold">hits</emphasis></term>

        <listitem>
-          <para>Generates several reports from Shorewall Lite log messages in
-          the current log file.</para>
+          <para>Generates several reports from Shorewall-lite log messages in
+          the current log file. If the <option>-t</option> option is included,
+          the reports are restricted to log messages generated today.</para>
        </listitem>
      </varlistentry>

@@ -530,12 +674,33 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">iptrace</emphasis></term>
+
+        <listitem>
+          <para>This is a low-level debugging command that causes iptables
+          TRACE log records to be created. See iptables(8) for details.</para>
+
+          <para>The <replaceable>iptables match expression</replaceable> must
+          be one or more matches that may appear in both the raw table OUTPUT
+          and raw table PREROUTING chains.</para>
+
+          <para>The trace records are written to the kernel's log buffer with
+          faciility = kernel and priority = warning, and they are routed from
+          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
+          Shorewall-lite has no control over where the messages go; consult
+          your logging daemon's documentation.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">logdrop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be logged then discarded.</para>
+          to be logged then discarded. Logging occurs at the log level
+          specified by the BLACKLIST_LOGLEVEL setting in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
        </listitem>
      </varlistentry>

@@ -543,9 +708,9 @@
        <term><emphasis role="bold">logwatch</emphasis></term>

        <listitem>
-          <para>Monitors the log file specified by theLOGFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) and
-          produces an audible alarm when new Shorewall Lite messages are
+          <para>Monitors the log file specified by the LOGFILE option in
+          <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) and
+          produces an audible alarm when new Shorewall-lite messages are
          logged. The <emphasis role="bold">-m</emphasis> option causes the
          MAC address of each packet source to be displayed if that
          information is available. The
@@ -563,7 +728,22 @@

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be logged then rejected.</para>
+          to be logged then rejected. Logging occurs at the log level
+          specified by the BLACKLIST_LOGLEVEL setting in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">noiptrace</emphasis></term>
+
+        <listitem>
+          <para>This is a low-level debugging command that cancels a trace
+          started by a preceding <command>iptrace</command> command.</para>
+
+          <para>The <replaceable>iptables match expression</replaceable> must
+          be one given in the <command>iptrace</command> command being
+          cancelled.</para>
        </listitem>
      </varlistentry>

@@ -581,10 +761,10 @@

        <listitem>
          <para>Restart is similar to <emphasis role="bold">shorewall-lite
-          start</emphasis> but assumes that the firewall is already started.
-          Existing connections are maintained.</para>
+          start</emphasis> except that it assumes that the firewall is already
+          started. Existing connections are maintained.</para>

-          <para>The <option>-n</option> option causes Shorewall to avoid
+          <para>The <option>-n</option> option causes Shorewall-lite to avoid
          updating the routing table(s).</para>

          <para>The <option>-p</option> option causes the connection tracking
@@ -597,14 +777,14 @@
        <term><emphasis role="bold">restore</emphasis></term>

        <listitem>
-          <para>Restore Shorewall Lite to a state saved using the <emphasis
+          <para>Restore Shorewall-lite to a state saved using the <emphasis
          role="bold">shorewall-lite save</emphasis> command. Existing
          connections are maintained. The <emphasis>filename</emphasis> names
          a restore file in /var/lib/shorewall-lite created using <emphasis
          role="bold">shorewall-lite save</emphasis>; if no
-          <emphasis>filename</emphasis> is given then Shorewall Lite will be
+          <emphasis>filename</emphasis> is given then Shorewall-lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
+          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>

@@ -615,11 +795,10 @@
          <para>The dynamic blacklist is stored in
          /var/lib/shorewall-lite/save. The state of the firewall is stored in
          /var/lib/shorewall-lite/<emphasis>filename</emphasis> for use by the
-          <emphasis role="bold">shorewall-lite restore</emphasis> and
-          <emphasis role="bold">shorewall-lite -f start</emphasis> commands.
-          If <emphasis>filename</emphasis> is not given then the state is
-          saved in the file specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
+          <emphasis role="bold">shorewall-lite restore</emphasis>. If
+          <emphasis>filename</emphasis> is not given then the state is saved
+          in the file specified by the RESTOREFILE option in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>

@@ -631,15 +810,6 @@
          arguments:</para>

          <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">actions</emphasis></term>
-
-              <listitem>
-                <para>Produces a report about the available actions (built-in,
-                standard and user-defined).</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>

@@ -652,8 +822,8 @@
            </varlistentry>

            <varlistentry>
-              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>
-              ... ]</term>
+              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
+              ]</term>

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
@@ -669,20 +839,25 @@
                Netfilter table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>

+                <para>The <emphasis role="bold">-l</emphasis> option causes
+                the rule number for each Netfilter rule to be
+                displayed.</para>
+
                <para>If the <emphasis role="bold">t</emphasis> option and the
                <option>chain</option> keyword are both omitted and any of the
                listed <replaceable>chain</replaceable>s do not exist, a usage
-                message will be displayed.</para>
+                message is displayed.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">classifiers</emphasis></term>
+              <term><emphasis
+              role="bold">classifiers|filters</emphasis></term>

              <listitem>
                <para>Displays information about the packet classifiers
-                defined on the system 10-080213-8397as a result of traffic
-                shaping configuration.</para>
+                defined on the system as a result of traffic shaping
+                configuration.</para>
              </listitem>
            </varlistentry>

@@ -704,15 +879,44 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">mangle</emphasis></term>
+              <term><emphasis role="bold">ip</emphasis></term>

              <listitem>
-                <para>Displays the Netfilter mangle table using the command
-                <emphasis role="bold">iptables -t mangle -L -n
-                -v</emphasis>.The <emphasis role="bold">-x</emphasis> option
-                is passed directly through to iptables and causes actual
-                packet and byte counts to be displayed. Without this option,
-                those counts are abbreviated.</para>
+                <para>Displays the system's IPv4 configuration.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">ipa</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.17. Displays the per-IP
+                accounting counters (<ulink
+                url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
+                (5)).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">log</emphasis></term>
+
+              <listitem>
+                <para>Displays the last 20 Shorewall-lite messages from the
+                log file specified by the LOGFILE option in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5). The
+                <emphasis role="bold">-m</emphasis> option causes the MAC
+                address of each packet source to be displayed if that
+                information is available.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">marks</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.26. Displays the various fields
+                in packet marks giving the min and max value (in both decimal
+                and hex) and the applicable mask (in hex).</para>
              </listitem>
            </varlistentry>

@@ -729,6 +933,39 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">policies</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.4. Displays the applicable policy
+                between each pair of zones. Note that implicit intrazone
+                ACCEPT policies are not displayed for zones associated with a
+                single network where that network doesn't specify
+                <option>routeback</option>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">routing</emphasis></term>
+
+              <listitem>
+                <para>Displays the system's IPv4 routing configuration.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">raw</emphasis></term>
+
+              <listitem>
+                <para>Displays the Netfilter raw table using the command
+                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
+                <emphasis role="bold">-x</emphasis> option is passed directly
+                through to iptables and causes actual packet and byte counts
+                to be displayed. Without this option, those counts are
+                abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">tc</emphasis></term>

@@ -742,8 +979,8 @@
              <term><emphasis role="bold">zones</emphasis></term>

              <listitem>
-                <para>Displays the current composition of the Shorewall Lite
-                zones on the system.</para>
+                <para>Displays the current composition of the Shorewall zones
+                on the system.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -754,17 +991,10 @@
        <term><emphasis role="bold">start</emphasis></term>

        <listitem>
-          <para>Start shorewall Lite. Existing connections through
+          <para>Start Shorewall Lite. Existing connections through
          shorewall-lite managed interfaces are untouched. New connections
          will be allowed only if they are allowed by the firewall rules or
-          policies. If <emphasis role="bold">-f</emphasis> is specified, the
-          saved configuration specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) will
-          be restored if that saved configuration exists and has been modified
-          more recently than the files in /etc/shorewall.</para>
-
-          <para>The <option>-n</option> option causes Shorewall to avoid
-          updating the routing table(s).</para>
+          policies.</para>

          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
@@ -779,11 +1009,18 @@
          <para>Stops the firewall. All existing connections, except those
          listed in <ulink
          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
-          or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5),
-          are taken down. The only new traffic permitted through the firewall
-          is from systems listed in <ulink
+          or permitted by the ADMINISABSENTMINDED option in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5), are taken down.
+          The only new traffic permitted through the firewall is from systems
+          listed in <ulink
          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
          or by ADMINISABSENTMINDED.</para>
+
+          <para>If <option>-f</option> is given, the command will be processed
+          by the compiled script that executed the last successful <emphasis
+          role="bold">start</emphasis>, <emphasis
+          role="bold">restart</emphasis> or <emphasis
+          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

@@ -800,7 +1037,9 @@
        <term><emphasis role="bold">version</emphasis></term>

        <listitem>
-          <para>Displays Shorewall-lite's version.</para>
+          <para>Displays Shorewall's version. The <option>-a</option> option
+          is included for compatibility with earlier Shorewall releases and is
+          ignored.</para>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -819,13 +1058,13 @@
    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>

    <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -48,10 +48,14 @@
 SHAREDIR=/usr/share/shorewall-lite
 VARDIR=/var/lib/shorewall-lite
 CONFDIR=/etc/shorewall-lite
+g_program=shorewall-lite
 g_product="Shorewall Lite"
+g_family=4
+g_base=shorewall
+g_basedir=/usr/share/shorewall-lite

 . /usr/share/shorewall-lite/lib.base
-. /usr/share/shorewall-lite/lib.cli
+. /usr/share/shorewall/lib.cli
 . /usr/share/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -60,6 +64,8 @@ SHOREWALL_VERSION=$(cat /usr/share/shorewall-lite/version)

 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)

+g_tool=$IPTABLES
+
 VERBOSITY=0
 load_kernel_modules No
 determine_capabilities
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -1,14 +1,13 @@
 #!/bin/sh
 #
-#     Shorewall Lite Packet Filtering Firewall Control Program - V4.4
+#     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - 
+#         Tom Eastep (teastep@shorewall.net)
 #
-#	This file should be placed in /sbin/shorewall-lite.
-#
-#	Shorewall documentation is available at http://shorewall.net
+#	Shorewall documentation is available at http://www.shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
@@ -23,858 +22,11 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#     If an error occurs while starting or restarting the firewall, the
-#     firewall is automatically stopped.
+#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
-#     Commands are:
-#
-#     shorewall-lite dump                          Dumps all Shorewall-related information
-#                                                  for problem analysis
-#     shorewall-lite start 			   Starts the firewall
-#     shorewall-lite restart			   Restarts the firewall
-#     shorewall-lite stop			   Stops the firewall
-#     shorewall-lite status			   Displays firewall status
-#     shorewall-lite reset			   Resets iptables packet and
-#						   byte counts
-#     shorewall-lite clear			   Open the floodgates by
-#						   removing all iptables rules
-#						   and setting the three permanent
-#						   chain policies to ACCEPT
-#     shorewall-lite show <chain> [ <chain> ... ]  Display the rules in each <chain> listed
-#     shorewall-lite show log			   Print the last 20 log messages
-#     shorewall-lite show connections		   Show the kernel's connection
-#						   tracking table
-#     shorewall-lite show nat			   Display the rules in the nat table
-#     shorewall-lite show {mangle|tos}		   Display the rules in the mangle table
-#     shorewall-lite show tc			   Display traffic control info
-#     shorewall-lite show classifiers		   Display classifiers
-#     shorewall-lite show capabilities             Display iptables/kernel capabilities
-#     shorewall-lite show vardir                   Display VARDIR setting
-#     shorewall-lite version			   Display the installed version id
-#     shorewall-lite logwatch [ refresh-interval ] Monitor the local log for Shorewall
-#						   messages.
-#     shorewall-lite drop <address> ...		   Temporarily drop all packets from the
-#						   listed address(es)
-#     shorewall-lite reject <address> ...	   Temporarily reject all packets from the
-#						   listed address(es)
-#     shorewall-lite allow <address> ...	   Reenable address(es) previously
-#						   disabled with "drop" or "reject"
-#     shorewall-lite save [ <file> ]		   Save the list of "rejected" and
-#						   "dropped" addresses so that it will
-#						   be automatically reinstated the
-#						   next time that Shorewall starts.
-#                                                  Save the current state so that 'shorewall
-#                                                  restore' can be used.
-#
-#     shorewall-lite forget [ <file> ]             Discard the data saved by 'shorewall save'
-#
-#     shorewall-lite restore [ <file> ]            Restore the state of the firewall from
-#                                                  previously saved information.
-#
-#     shorewall-lite ipaddr { <address>/<cidr> | <address> <netmask> }
-#
-#                                                  Displays information about the network
-#                                                  defined by the argument[s]
-#
-#     shorewall-lite iprange <address>-<address>   Decomposes a range of IP addresses into
-#                                                  a list of network/host addresses.
-#
-#     shorewall-lite ipdecimal { <address> | <integer> }
-#
-#                                                  Displays the decimal equivalent of an IP
-#                                                  address and vice versa.
+################################################################################################
+g_program=shorewall-lite

-#
-# Set the configuration variables from shorewall-lite.conf
-#
-get_config() {
+. /usr/share/shorewall/lib.cli

-    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
-
-    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
-	g_logread="logread | tac"
-    elif [ -r $LOGFILE ]; then
-	g_logread="tac $LOGFILE"
-    else
-	echo "LOGFILE ($LOGFILE) does not exist!" >&2
-	exit 2
-    fi
-    #
-    # See if we have a real version of "tail" -- use separate redirection so
-    # that ash (aka /bin/sh on LRP) doesn't crap
-    #
-    if ( tail -n5 /dev/null > /dev/null 2> /dev/null ) ; then
-	realtail="Yes"
-    else
-	realtail=""
-    fi
-
-    [ -n "$FW" ] || FW=fw
-
-    if [ -n "$IPTABLES" ]; then
-	if [ ! -x "$IPTABLES" ]; then
-	    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
-	    exit 2
-	fi
-    else
-	IPTABLES=$(mywhich iptables 2> /dev/null)
-	if [ -z "$IPTABLES" ] ; then
-	    echo "   ERROR: Can't find iptables executable" >&2
-	    exit 2
-	fi
-    fi
-
-    if [ -n "$SHOREWALL_SHELL" ]; then
-	if [ ! -x "$SHOREWALL_SHELL" ]; then
-	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
-	    SHOREWALL_SHELL=/bin/sh
-	fi
-    fi
-
-    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
-
-    validate_restorefile RESTOREFILE
-
-    [ -n "${VERBOSITY:=2}" ]
-
-    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
-
-    if [ $VERBOSITY -lt -1 ]; then
-	VERBOSITY=-1
-    elif [ $VERBOSITY -gt 2 ]; then
-	VERBOSITY=2
-    fi
-
-    g_hostname=$(hostname 2> /dev/null)
-
-    IP=$(mywhich ip 2> /dev/null)
-    if [ -z "$IP" ] ; then
-	echo "   ERROR: Can't find ip executable" >&2
-	exit 2
-    fi
-
-    IPSET=ipset
-    TC=tc
-
-}
-
-#
-# Verify that we have a compiled firewall script
-#
-verify_firewall_script() {
-    if [ ! -f $g_firewall ]; then
-	echo "   ERROR: Shorewall Lite is not properly installed" >&2
-	if [ -L $g_firewall ]; then
-	    echo "          $g_firewall is a symbolic link to a" >&2
-	    echo "          non-existant file" >&2
-	else
-	    echo "          The file $g_firewall does not exist" >&2
-	fi
-	
-	exit 2
-    fi
-}
-
-#
-# Fatal error
-#
-startup_error() {
-    echo "   ERROR: $@" >&2
-    kill $$
-    exit 1
-}
-
-#
-# Start Command Executor
-#
-start_command() {
-    local finished
-    finished=0
-
-    do_it() {
-	local rc
-	rc=0
-	[ -n "$nolock" ] || mutex_on
-
-	if [ -x ${LITEDIR}/firewall ]; then
-	    run_it ${LITEDIR}/firewall $debugging start
-	    rc=$?
-	else
-	    error_message "${LITEDIR}/firewall is missing or is not executable"
-	    logger -p kern.err "ERROR:Shorewall Lite start failed"
-	    rc=2
-	fi
-
-	[ -n "$nolock" ] || mutex_off
-	exit $rc
-    }
-
-    verify_firewall_script
-
-    if shorewall_is_started; then
-	error_message "Shorewall is already running"
-	exit 0
-    fi
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			f*)
-			    g_fast=Yes
-			    option=${option#f}
-			    ;;
-			p*)
-			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
-			    option=${option%p}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    case $# in
-	0)
-	    ;;
-	*)
-	    usage 1
-	    ;;
-    esac
-
-    if [ -n "$g_fast" ]; then
-	if qt mywhich make; then
-	    export RESTOREFILE
-	    make -qf ${CONFDIR}/Makefile || g_fast=
-	fi
-
-	if [ -n "$g_fast" ]; then
-
-	    g_restorepath=${VARDIR}/$RESTOREFILE
-
-	    if [ -x $g_restorepath ]; then
-		echo Restoring Shorewall Lite...
-		run_it $g_restorepath restore
-		date > ${VARDIR}/restarted
-		progress_message3 Shorewall Lite restored from $g_restorepath
-	    else
-		do_it
-	    fi
-	else
-	    do_it
-	fi
-    else
-	do_it
-    fi
-}
-
-#
-# Restart Command Executor
-#
-restart_command() {
-    local finished
-    finished=0
-    local rc
-    rc=0
-
-    verify_firewall_script
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			n*)
-			    g_noroutes=Yes
-			    option=${option#n}
-			    ;;
-			p*)
-			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
-			    option=${option%p}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    case $# in
-	0)
-	    ;;
-	*)
-	    usage 1
-	    ;;
-    esac
-
-    [ -n "$nolock" ] || mutex_on
-
-    if [ -x ${LITEDIR}/firewall ]; then
-	run_it ${LITEDIR}/firewall $debugging restart
-	rc=$?
-    else
-	error_message "${LITEDIR}/firewall is missing or is not executable"
-	logger -p kern.err "ERROR:Shorewall Lite restart failed"
-	rc=2
-    fi
-
-    [ -n "$nolock" ] || mutex_off
-    return $rc
-}
-
-#
-# Give Usage Information
-#
-usage() # $1 = exit status
-{
-    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
-    echo "where <command> is one of:"
-    echo "   add <interface>[:<host-list>] ... <zone>"
-    echo "   allow <address> ..."
-    echo "   clear"
-    echo "   delete <interface>[:<host-list>] ... <zone>"
-    echo "   drop <address> ..."
-    echo "   dump [ -x ]"
-    echo "   forget [ <file name> ]"
-    echo "   help"
-    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
-    echo "   ipdecimal { <address> | <integer> }"
-    echo "   iprange <address>-<address>"
-    echo "   logdrop <address> ..."
-    echo "   logreject <address> ..."
-    echo "   logwatch [<refresh interval>]"
-    echo "   reject <address> ..."
-    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
-    echo "   restore [ -n ] [ <file name> ]"
-    echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
-    echo "   show [ -f ] capabilities"
-    echo "   show classifiers"
-    echo "   show config"
-    echo "   show connections"
-    echo "   show filters"
-    echo "   show ip"
-    echo "   show [ -m ] log [<regex>]"
-    echo "   show [ -x ] mangle|nat|raw|routing"
-    echo "   show policies"
-    echo "   show tc [ device ]"
-    echo "   show vardir"
-    echo "   show zones"
-    echo "   start [ -f ] [ -p ] [ <directory> ]"
-    echo "   stop"
-    echo "   status"
-    echo "   version [ -a ]"
-    echo
-    exit $1
-}
-
-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-    local product
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-    
-    if [ -n "$all" ]; then
-	for product in shorewall shorewall6 shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
-#
-# Execution begins here
-#
-debugging=
-
-if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then
-    debugging=$1
-    shift
-fi
-
-nolock=
-
-if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
-    nolock=nolock
-    shift
-fi
-
-g_ipt_options="-nv"
-g_fast=
-g_verbose_offset=0
-g_use_verbosity=
-g_noroutes=
-g_timestamp=
-g_recovering=
-g_logread=
-
-#
-# Make sure that these variables are cleared
-#
-VERBOSE=
-VERBOSITY=
-
-finished=0
-
-while [ $finished -eq 0 ]; do
-    [ $# -eq 0 ] && usage 1
-    option=$1
-    case $option in
-	-)
-	    finished=1
-	    ;;
-	-*)
-	    option=${option#-}
-
-	    [ -z "$option" ] && usage 1
-
-	    while [ -n "$option" ]; do
-		case $option in
-		    x*)
-			g_ipt_options="-xnv"
-			option=${option#x}
-			;;
-		    q*)
-			g_verbose_offset=$(($g_verbose_offset - 1 ))
-			option=${option#q}
-			;;
-		    f*)
-			g_fast=Yes
-			option=${option#f}
-			;;
-		    v*)
-			option=${option#v}
-			case $option in 
-			    -1*)
-				g_use_verbosity=-1
-				option=${option#-1}
-				;;
-			    0*)
-				g_use_verbosity=0
-				option=${option#0}
-				;;
-			    1*)
-				g_use_verbosity=1
-				option=${option#1}
-				;;
-			    2*)
-				g_use_verbosity=2
-				option=${option#2}
-				;;
-			    *)
-				g_verbose_offset=$(($g_verbose_offset + 1 ))
-				g_use_verbosity=
-				;;
-			esac
-			;;
-		    n*)
-			g_noroutes=Yes
-			option=${option#n}
-			;;
-		    t*)
-			g_timestamp=Yes
-			option=${option#t}
-			;;
-		    -)
-			finished=1
-			option=
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-	    shift
-	    ;;
-	*)
-	    finished=1
-            ;;
-    esac
-done
-
-if [ $# -eq 0 ]; then
-    usage 1
-fi
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-MUTEX_TIMEOUT=
-
-SHAREDIR=/usr/share/shorewall-lite
-CONFDIR=/etc/shorewall-lite
-g_product="Shorewall Lite"
-g_libexec=share
-
-[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
-
-[ -n "${VARDIR:=/var/lib/shorewall-lite}" ]
-
-[ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR"
-
-version_file=$SHAREDIR/version
-
-for library in base cli; do
-    . ${SHAREDIR}/lib.$library
-done
-
-ensure_config_path
-
-config=$(find_file shorewall-lite.conf)
-
-if [ -f $config ]; then
-    if [ -r $config ]; then
-	. $config
-    else
-	echo "Cannot read $config! (Hint: Are you root?)" >&2
-	exit 1
-    fi
-else
-    echo "$config does not exist!" >&2
-    exit 2
-fi
-
-ensure_config_path
-
-LITEDIR=${VARDIR}
-
-[ -f ${LITEDIR}/firewall.conf ] && . ${LITEDIR}/firewall.conf
-
-get_config
-
-g_firewall=$LITEDIR/firewall
-
-if [ -f $version_file ]; then
-    SHOREWALL_VERSION=$(cat $version_file)
-else
-    echo "   ERROR: Shorewall Lite is not properly installed" >&2
-    echo "          The file $version_file does not exist" >&2
-    exit 1
-fi
-
-banner="Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname -"
-
-case $(echo -e) in
-    -e*)
-	RING_BELL="echo \a"
-	ECHO_E="echo"
-	;;
-    *)
-	RING_BELL="echo -e \a"
-	ECHO_E="echo -e"
-	;;
-esac
-
-case $(echo -n "Testing") in
-    -n*)
-	ECHO_N=
-	;;
-    *)
-	ECHO_N=-n
-	;;
-esac
-
-COMMAND=$1
-
-case "$COMMAND" in
-    start)
-	shift
-	start_command $@
-	;;
-    stop|reset|clear)
-	[ $# -ne 1 ] && usage 1
-	verify_firewall_script
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
-	;;
-    restart)
-	shift
-	restart_command
-	;;
-    show|list)
-    	shift
-    	show_command $@
-	;;
-    status)
-	[ $# -eq 1 ] || usage 1
-	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
-	echo "Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
-	echo
-	if shorewall_is_started ; then
-	    echo "Shorewall Lite is running"
-	    status=0
-	else
-	    echo "Shorewall Lite is stopped"
-	    status=4
-	fi
-
-	if [ -f ${VARDIR}/state ]; then
-	    state="$(cat ${VARDIR}/state)"
-	    case $state in
-		Stopped*|Closed*|Clear*)
-		    status=3
-		    ;;
-	    esac
-	else
-	    state=Unknown
-	fi
-	echo "State:$state"
-	echo
-	exit $status
-	;;
-    dump)
-    	shift
-    	dump_command $@
-	;;
-    hits)
-	[ -n "$debugging" ] && set -x
-	shift
-	hits_command $@
-	;;
-    version)
-	shift
-	version_command $@
-	;;
-    logwatch)
-	logwatch_command $@
-	;;
-    drop)
-	[ -n "$debugging" ] && set -x
-	[ $# -eq 1 ] && usage 1
-	if shorewall_is_started ; then
-	    [ -n "$nolock" ] || mutex_on
-	    block DROP Dropped $*
-	    [ -n "$nolock" ] || mutex_off
-	else
-	    error_message "ERROR: Shorewall Lite is not started"
-	    exit 2
-	fi
-	;;
-    logdrop)
-	[ -n "$debugging" ] && set -x
-	[ $# -eq 1 ] && usage 1
-	if shorewall_is_started ; then
-	    [ -n "$nolock" ] || mutex_on
-	    block logdrop Dropped $*
-	    [ -n "$nolock" ] || mutex_off
-	else
-	    error_message "ERROR: Shorewall Lite is not started"
-	    exit 2
-	fi
-	;;
-    reject|logreject)
-	[ -n "$debugging" ] && set -x
-	[ $# -eq 1 ] && usage 1
-	if shorewall_is_started ; then
-	    [ -n "$nolock" ] || mutex_on
-	    block $COMMAND Rejected $*
-	    [ -n "$nolock" ] || mutex_off
-	else
-	    error_message "ERROR: Shorewall Lite is not started"
-	    exit 2
-	fi
-	;;
-    allow)
-	allow_command $@
-	;;
-    add)
-	get_config
-	shift
-	add_command $@
-	;;
-    delete)
-	get_config
-	shift
-	add_command $@
-	;;
-    save)
-	[ -n "$debugging" ] && set -x
-
-	case $# in
-	1)
-	    ;;
-	2)
-	    RESTOREFILE="$2"
-	    validate_restorefile '<restore file>'
-	    ;;
-	*)
-	    usage 1
-	    ;;
-	esac
-
-	g_restorepath=${VARDIR}/$RESTOREFILE
-
-	[ "$nolock" ] || mutex_on
-
-	save_config
-
-	[ "$nolock" ] || mutex_off
-	;;
-    forget)
-	case $# in
-	1)
-	    ;;
-	2)
-	    RESTOREFILE="$2"
-	    validate_restorefile '<restore file>'
-	    ;;
-	*)
-	    usage 1
-	    ;;
-	esac
-
-
-	g_restorepath=${VARDIR}/$RESTOREFILE
-
-	if [ -x $g_restorepath ]; then
-	    rm -f $g_restorepath
-	    rm -f ${g_restorepath}-iptables
-	    rm -f ${g_restorepath}-ipsets
-	    echo "    $g_restorepath removed"
-	elif [ -f $g_restorepath ]; then
-	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
-	fi
-	rm -f ${VARDIR}/save
-	;;
-    ipcalc)
-    	[ -n "$debugging" ] && set -x
-	if [ $# -eq 2 ]; then
-	    address=${2%/*}
-	    vlsm=${2#*/}
-	elif [ $# -eq 3 ]; then
-	    address=$2
-	    vlsm=$(ip_vlsm $3)
-	else
-	    usage 1
-	fi
-
-	valid_address $address || fatal_error "Invalid IP address: $address"
-	[ -z "$vlsm" ] && exit 2
-	[ "x$address" = "x$vlsm" ] && usage 2
-	[ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2
-
-	address=$address/$vlsm
-
-	                                   echo "   CIDR=$address"
-	temp=$(ip_netmask $address);       echo "   NETMASK=$(encodeaddr $temp)"
-	temp=$(ip_network $address);       echo "   NETWORK=$temp"
-	temp=$(broadcastaddress $address); echo "   BROADCAST=$temp"
-	;;
-
-    iprange)
-	[ -n "$debugging" ] && set -x
-	case $2 in
-	    *.*.*.*-*.*.*.*)
-		for address in ${2%-*} ${2#*-}; do
-		    valid_address $address || fatal_error "Invalid IP address: $address"
-		done
-
-		ip_range $2
-		;;
-	    *)
-		usage 1
-		;;
-	esac
-	;;
-    ipdecimal)
-	[ -n "$debugging" ] && set -x
-	[ $# -eq 2 ] || usage 1
-	case $2 in
-	    *.*.*.*)
-		valid_address $2 || fatal_error "Invalid IP address: $2"
-		echo "   $(decodeaddr $2)"
-		;;
-	    *)
-		echo "   $(encodeaddr $2)"
-		;;
-	esac
-	;;
-    restore)
-	shift
-	STARTUP_ENABLED=Yes
-	restore_command $@
-        ;;
-    call)
-	[ -n "$debugging" ] && set -x
-	#
-	# Undocumented way to call functions in ${SHAREDIR}/functions directly
-	#
-	shift
-	$@
-	;;
-    help)
-	shift
-	usage
-	;;
-    *)
-	usage 1
-	;;
-
-esac
+shorewall_cli $@
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -1,10 +1,10 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.4
+#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -71,7 +71,7 @@ sub initialize_package_globals( $ ) {
 #
 # First stage of script generation.
 #
-#    Copy prog.header and lib.common to the generated script.
+#    Copy prog.header, lib.core and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -95,7 +95,8 @@ sub generate_script_1( $ ) {
 		copy $globals{SHAREDIRPL} . 'prog.header6';
 	    }

-	    copy2 $globals{SHAREDIR} . '/lib.common', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.core', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
 	}

    }
@@ -162,27 +163,39 @@ sub generate_script_2() {
    push_indent;

    if ( $family == F_IPV4 ) {
+	emit( 'g_family=4' );
+
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall-lite',
 		   'CONFDIR=/etc/shorewall-lite',
-		   'g_product="Shorewall Lite"'
+		   'g_product="Shorewall Lite"',
+		   'g_program=shorewall-lite',
+		   'g_basedir=/usr/share/shorewall-lite',
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall',
 		   'CONFDIR=/etc/shorewall',
-		   'g_product=\'Shorewall\'',
+		   'g_product=Shorewall',
+		   'g_program=shorewall',
+		   'g_basedir=/usr/share/shorewall',
 		 );
 	}
    } else {
+	emit( 'g_family=6' );
+
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6-lite',
 		   'CONFDIR=/etc/shorewall6-lite',
-		   'g_product="Shorewall6 Lite"'
+		   'g_product="Shorewall6 Lite"',
+		   'g_program=shorewall6-lite',
+		   'g_basedir=/usr/share/shorewall6',
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6',
 		   'CONFDIR=/etc/shorewall6',
-		   'g_product=\'Shorewall6\'',
+		   'g_product=Shorewall6',
+		   'g_program=shorewall6',
+		   'g_basedir=/usr/share/shorewall'
 		 );
 	}
    }
@@ -432,6 +445,10 @@ sub generate_script_3($) {
    save_policies;
    emit_unindented '__EOF__';

+    emit 'cat > ${VARDIR}/marks << __EOF__';
+    dump_mark_layout;
+    emit_unindented '__EOF__';
+
    pop_indent;

    emit "fi\n";
@@ -457,6 +474,7 @@ sub generate_script_3($) {
    fi
 EOF
    pop_indent;
+    setup_load_distribution;
    setup_forwarding( $family , 1 );
    push_indent;

@@ -469,14 +487,18 @@ else
    if [ \$COMMAND = refresh ]; then
        chainlist_reload
 EOF
+    setup_load_distribution;
    setup_forwarding( $family , 0 );

+    emit( '        run_refreshed_exit' ,
+	  '        do_iptables -N shorewall' ,
+	  "        set_state Started $config_dir" ,
+	  '    else' ,
+	  '        setup_netfilter' );
+    
+    setup_load_distribution;
+
    emit<<"EOF";
-        run_refreshed_exit
-        do_iptables -N shorewall
-        set_state Started $config_dir
-    else
-        setup_netfilter
        conditionally_flush_conntrack
 EOF
    setup_forwarding( $family , 0 );
@@ -518,15 +540,15 @@ EOF

 }

-#1
+#
 #  The Compiler.
 #
 #     Arguments are named -- see %parms below.
 #
 sub compiler {

-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , '');

    $export = 0;
    $test   = 0;
@@ -562,7 +584,8 @@ sub compiler {
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  convert       => { store => \$convert,       validate=> \&validate_boolean    } ,
-		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,		  
+		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
+		  config_path   => { store => \$config_path } ,
 		);
    #
    #                               P A R A M E T E R    P R O C E S S I N G
@@ -582,6 +605,8 @@ sub compiler {
    #
    initialize_package_globals( $update );

+    set_config_path( $config_path ) if $config_path;
+
    if ( $directory ne '' ) {
 	fatal_error "$directory is not an existing directory" unless -d $directory;
 	set_shorewall_dir( $directory );
@@ -597,14 +622,9 @@ sub compiler {
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
    get_configuration( $export , $update , $annotate );
-
-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
-
-    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
-    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
-    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
-
+    #
+    # Create a temp file to hold the script
+    #
    if ( $scriptfilename ) {
 	set_command( 'compile', 'Compiling', 'Compiled' );
 	create_temp_script( $scriptfilename , $export );
@@ -613,7 +633,7 @@ sub compiler {
    }
    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
-    # shorewall.conf has been processed and the capabilities have been determined.
+    # now when shorewall.conf has been processed and the capabilities have been determined.
    #
    initialize_chain_table(1);
    #
@@ -771,7 +791,7 @@ sub compiler {
    #
    # Process the rules file.
    #
-    process_rules;
+    process_rules( $convert );
    #
    # Add Tunnel rules.
    #
@@ -795,7 +815,9 @@ sub compiler {
 	#
 	generate_matrix;

-	if ( $config{OPTIMIZE} & 0xE ) {
+	optimize_level0;
+
+	if ( $config{OPTIMIZE} & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
@@ -804,7 +826,7 @@ sub compiler {
 	    #
 	    # More Optimization
 	    #
-	    optimize_ruleset if $config{OPTIMIZE} & 0xC;
+	    optimize_ruleset if $config{OPTIMIZE} & 0x1C;
 	}

 	enable_script;
@@ -837,13 +859,7 @@ sub compiler {
 	#
 	# Copy the footer to the script
 	#
-	unless ( $test ) {
-	    if ( $family == F_IPV4 ) {
-		copy $globals{SHAREDIRPL} . 'prog.footer';
-	    } else {
-		copy $globals{SHAREDIRPL} . 'prog.footer6';
-	    }
-	}
+	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;

 	disable_script;
 	#
@@ -864,16 +880,18 @@ sub compiler {
 	    #
 	    generate_matrix;

-	    if ( $config{OPTIMIZE} & 0xE ) {
+	    optimize_level0;
+
+	    if ( $config{OPTIMIZE} & OPTIMIZE_MASK ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
 		#
-		optimize_policy_chains if $config{OPTIMIZE} & 2;
+		optimize_policy_chains if $config{OPTIMIZE} & OPTIMIZE_POLICY_MASK;
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $config{OPTIMIZE} & 0xC;
+		optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
 	    }

 	    enable_script if $debug;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -63,7 +63,7 @@ our @EXPORT = qw(
 		 require_capability
                );

-our @EXPORT_OK = qw( $shorewall_dir initialize set_config_path shorewall);
+our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);

 our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       finalize_script
@@ -87,6 +87,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       set_timestamp
 				       set_verbosity
 				       set_log
+				       set_config_path
 				       close_log
 				       set_command
 				       push_indent
@@ -126,6 +127,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       run_user_exit1
 				       run_user_exit2
 				       generate_aux_config
+				       dump_mark_layout

 				       $product
 				       $Product
@@ -134,6 +136,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $doing
 				       $done
 				       $currentline
+				       $currentfilename
 				       $debug
 				       %config
 				       %globals
@@ -285,6 +288,10 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 CONDITION_MATCH => 'Condition Match',
 		 IPTABLES_S      => 'iptables -S',
 		 BASIC_FILTER    => 'Basic Filter',
+		 CT_TARGET       => 'CT Target',
+		 STATISTIC_MATCH => 
+		                    'Statistics Match',
+		 IMQ_TARGET      => 'IMQ Target',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -364,7 +371,7 @@ my @actparms;

 our $currentline;            # Current config file line image
 my  $currentfile;            # File handle reference
-my  $currentfilename;        # File NAME
+our $currentfilename;        # File NAME
 my  $currentlinenumber;      # Line number
 my  $perlscript;             # File Handle Reference to current temporary file being written by an in-line Perl script
 my  $perlscriptname;         # Name of that file.
@@ -402,6 +409,15 @@ use constant { MIN_VERBOSITY => -1,

 my %validlevels;             # Valid log levels.

+#
+# Deprecated options with their default values
+#
+my %deprecated = ( LOGRATE            => '' ,
+		   LOGBURST           => '' ,
+		   EXPORTPARAMS       => 'no',
+		   WIDE_TC_MARKS      => 'no',
+		   HIGH_ROUTE_MARKS   => 'no'
+		 );
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -449,7 +465,7 @@ sub initialize( $ ) {
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
 		    VERSION    => "4.4.22.1",
-		    CAPVERSION => 40425 ,
+		    CAPVERSION => 40501 ,
 		  );
    #
    # From shorewall.conf file
@@ -468,6 +484,7 @@ sub initialize( $ ) {
 	  LOGBURST => undef,
 	  LOGALLNEW => undef,
 	  BLACKLIST_LOGLEVEL => undef,
+	  RELATED_LOG_LEVEL => undef,
 	  RFC1918_LOG_LEVEL => undef,
 	  MACLIST_LOG_LEVEL => undef,
 	  TCP_FLAGS_LOG_LEVEL => undef,
@@ -483,16 +500,10 @@ sub initialize( $ ) {
 	  TC => undef,
 	  IPSET => undef,
 	  PERL => undef,
-	  #
-	  #PATH is inherited
-	  #
 	  PATH => undef,
 	  SHOREWALL_SHELL => undef,
 	  SUBSYSLOCK => undef,
 	  MODULESDIR => undef,
-	  #
-	  #CONFIG_PATH is inherited
-	  #
 	  CONFIG_PATH => undef,
 	  RESTOREFILE => undef,
 	  IPSECFILE => undef,
@@ -571,6 +582,7 @@ sub initialize( $ ) {
 	  COMPLETE => undef,
 	  EXPORTMODULES => undef,
 	  LEGACY_FASTSTART => undef,
+	  USE_PHYSICAL_NAMES => undef,
 	  #
 	  # Packet Disposition
 	  #
@@ -579,13 +591,15 @@ sub initialize( $ ) {
 	  BLACKLIST_DISPOSITION => undef,
 	  SMURF_DISPOSITION => undef,
 	  SFILTER_DISPOSITION => undef,
+	  RELATED_DISPOSITION => undef,
 	  #
 	  # Mark Geometry
 	  #
 	  TC_BITS => undef,
 	  PROVIDER_BITS => undef,
 	  PROVIDER_OFFSET => undef,
-	  MASK_BITS => undef
+	  MASK_BITS => undef,
+	  ZONE_BITS => undef,
 	);


@@ -608,6 +622,7 @@ sub initialize( $ ) {
 		     PANIC   => 0,
 		     NONE    => '',
 		     NFLOG   => 'NFLOG',
+		     LOGMARK => 'LOGMARK',
 		   );

    #
@@ -674,6 +689,9 @@ sub initialize( $ ) {
 	       CONDITION_MATCH => undef,
 	       IPTABLES_S => undef,
 	       BASIC_FILTER => undef,
+	       CT_TARGET => undef,
+	       STATISTIC_MATCH => undef,
+	       IMQ_TARGET => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -968,10 +986,10 @@ sub emitstd {
 #
 # Write passed message to the script with newline but no indentation.
 #
-sub emit_unindented( $ ) {
+sub emit_unindented( $;$ ) {
    assert( $script_enabled );

-    print $script "$_[0]\n" if $script;
+    print $script $_[1] ? "$_[0]" : "$_[0]\n" if $script;
 }

 #
@@ -1792,7 +1810,7 @@ sub embedded_shell( $ ) {
 sub embedded_perl( $ ) {
    my $multiline = shift;

-    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );

    if ( $multiline ) {
 	#
@@ -1931,9 +1949,11 @@ sub expand_variables( \$ ) {
 	if ( $var =~ /^\d+$/ ) {
 	    fatal_error "Undefined parameter (\$$var)" unless $var > 0 && defined $actparms[$var];
 	    $val = $actparms[$var];
-	} else {
-	    fatal_error "Undefined shell variable (\$$var)" unless exists $params{$var};
+	} elsif ( exists $params{$var} ) {
 	    $val = $params{$var};
+	} else {
+	    fatal_error "Undefined shell variable (\$$var)" unless exists $config{$var};
+	    $val = $config{$var};
 	}

 	$val = '' unless defined $val;
@@ -2143,13 +2163,12 @@ sub validate_level( $ ) {
    my $level    = uc $rawlevel;

    if ( supplied ( $level ) ) {
+	$level =~ s/!$//;
 	my $value = $level;
 	my $qualifier;

-	$value =~ s/^!//;
-
 	unless ( $value =~ /^[0-7]$/ ) {
-	    level_error( $level ) unless $level =~ /^!?([A-Za-z0-7]+)(.*)$/ && defined( $value = $validlevels{$1} );
+	    level_error( $level ) unless $level =~ /^([A-Za-z0-7]+)(.*)$/ && defined( $value = $validlevels{$1} );
 	    $qualifier = $2;
 	}

@@ -2203,7 +2222,7 @@ sub validate_level( $ ) {
 	if ( supplied $qualifier ) {
 	    return $rawlevel if $qualifier =~ /^ --/;

-	    if ( $qualifier =~ /[(](.+)[)]?$/ ) {
+	    if ( $qualifier =~ /[(](.+)[)]$/ ) {
 		$sublevel = $1;

 		$sublevel = $validlevels{$sublevel} unless $sublevel =~ /^[0-7]$/;
@@ -2741,6 +2760,27 @@ sub Iptables_S() {
    qt1( "$iptables -S INPUT" )
 }

+sub Ct_Target() {
+    my $ct_target;
+
+    if ( have_capability 'RAW_TABLE' ) {
+	qt1( "$iptables -t raw -N $sillyname" );
+	$ct_target = qt1( "$iptables -t raw -A $sillyname -j CT --notrack" );
+	qt1( "$iptables -t raw -F $sillyname" );
+	qt1( "$iptables -t raw -X $sillyname" );
+    }
+
+    $ct_target;
+}
+
+sub Statistic_Match() {
+    qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" );
+}
+
+sub Imq_Target() {
+    qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
+}
+
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AUDIT_TARGET => \&Audit_Target,
@@ -2753,6 +2793,7 @@ our %detect_capability =
      CONNMARK => \&Connmark,
      CONNMARK_MATCH => \&Connmark_Match,
      CONNTRACK_MATCH => \&Conntrack_Match,
+      CT_TARGET => \&Ct_Target,
      ENHANCED_REJECT => \&Enhanced_Reject,
      EXMARK => \&Exmark,
      FLOW_FILTER => \&Flow_Filter,
@@ -2761,6 +2802,7 @@ our %detect_capability =
      HASHLIMIT_MATCH => \&Hashlimit_Match,
      HEADER_MATCH => \&Header_Match,
      HELPER_MATCH => \&Helper_Match,
+      IMQ_TARGET => \&Imq_Target,
      IPMARK_TARGET => \&IPMark_Target,
      IPP2P_MATCH => \&Ipp2p_Match,
      IPRANGE_MATCH => \&IPRange_Match,
@@ -2794,6 +2836,7 @@ our %detect_capability =
      RAWPOST_TABLE => \&Rawpost_Table,
      REALM_MATCH => \&Realm_Match,
      RECENT_MATCH => \&Recent_Match,
+      STATISTIC_MATCH => \&Statistic_Match,
      TCPMSS_MATCH => \&Tcpmss_Match,
      TIME_MATCH => \&Time_Match,
      TPROXY_TARGET => \&Tproxy_Target,
@@ -2929,6 +2972,9 @@ sub determine_capabilities() {
 	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
 	$capabilities{IPTABLES_S}      = detect_capability( 'IPTABLES_S' );
 	$capabilities{BASIC_FILTER}    = detect_capability( 'BASIC_FILTER' );
+	$capabilities{CT_TARGET}       = detect_capability( 'CT_TARGET' );
+	$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
+	$capabilities{IMQ_TARGET}      = detect_capability( 'IMQ_TARGET' );


 	qt1( "$iptables -F $sillyname" );
@@ -3022,6 +3068,22 @@ sub conditional_quote( $ ) {
 sub update_config_file( $ ) {
    my $annotate = shift;

+    sub is_set( $ ) {
+	my $value = $_[0];
+	defined( $value ) && lc( $value ) eq 'yes';
+    }
+
+    my $wide = is_set $config{WIDE_TC_MARKS};
+    my $high = is_set $config{HIGH_ROUTE_MARKS};
+
+    #
+    # Establish default values for the mark layout items
+    #
+    $config{TC_BITS}         = ( $wide ? 14 : 8 )             unless supplied $config{TC_BITS};
+    $config{MASK_BITS}       = ( $wide ? 16 : 8 )             unless supplied $config{MASK_BITS};
+    $config{PROVIDER_OFFSET} = ( $high ? $wide ? 16 : 8 : 0 ) unless supplied $config{PROVIDER_OFFSET};
+    $config{PROVIDER_BITS}   = 8                              unless supplied $config{PROVIDER_BITS};
+
    my $fn;

    unless ( -d "$globals{SHAREDIR}/configfiles/" ) {
@@ -3035,18 +3097,7 @@ sub update_config_file( $ ) {
 	#
 	$fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf";
    }
-    #
-    # Deprecated options with their default values
-    #
-    my %deprecated = ( LOGRATE            => '' ,
-		       LOGBURST           => '' ,
-		       EXPORTPARAMS       => 'no' );
-    #
-    # Undocumented options -- won't be listed in the template
-    #
-    my @undocumented = ( qw( TC_BITS PROVIDER_BITS PROVIDER_OFFSET MASK_BITS ) );
-
-    if ( -f $fn ) {
+   if ( -f $fn ) {
 	my ( $template, $output );

 	open $template, '<' , $fn or fatal_error "Unable to open $fn: $!";
@@ -3094,29 +3145,6 @@ sub update_config_file( $ ) {

 	my $heading_printed;

-	for ( @undocumented ) {
-	    if ( defined ( my $val = $config{$_} ) ) {
-
-		unless ( $heading_printed ) {
-		    print $output <<'EOF';
-
-#################################################################################
-#                          U N D O C U M E N T E D
-#                               O P T I O N S
-#################################################################################
-
-EOF
-		    $heading_printed = 1;
-		}
-
-		$val = conditional_quote $val;
-
-		print $output "$_=$val\n\n";
-	    }
-	}
-
-	$heading_printed = 0;
-
 	for ( keys %deprecated ) {
 	    if ( supplied( my $val = $config{$_} ) ) {
 		if ( lc $val ne $deprecated{$_} ) {
@@ -3188,6 +3216,9 @@ sub process_shorewall_conf( $$ ) {
 		    warning_message "Unknown configuration option ($var) ignored", next unless exists $config{$var};

 		    $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );
+		    
+		    warning_message "Option $var=$val is deprecated"
+			if $deprecated{$var} && supplied $val && lc $config{$var} ne $deprecated{$var};
 		} else {
 		    fatal_error "Unrecognized $product.conf entry";
 		}
@@ -3453,11 +3484,13 @@ sub add_param( $$ ) {
 sub export_params() {
    my $count = 0;

-    while ( my ( $param, $value ) = each %params ) {
+    for my $param ( sort keys %params ) {
 	#
 	# Don't export params added by the compiler
 	#
 	next if exists $compiler_params{$param};
+
+	my $value = $params{$param};
 	#
 	# Values in %params are generated from the output of 'export -p'.
 	# The different shells have different conventions for delimiting
@@ -3526,7 +3559,6 @@ sub get_configuration( $$$ ) {

    get_capabilities( $export );

-
    $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';

    if ( my $rate = $config{LOGLIMIT} ) {
@@ -3725,6 +3757,7 @@ sub get_configuration( $$$ ) {
    default_yes_no 'COMPLETE'                   , '';
    default_yes_no 'EXPORTMODULES'              , '';
    default_yes_no 'LEGACY_FASTSTART'           , 'Yes';
+    default_yes_no 'USE_PHYSICAL_NAMES'         , '';

    require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};

@@ -3732,23 +3765,36 @@ sub get_configuration( $$$ ) {
    numeric_option 'MASK_BITS',        $config{WIDE_TC_MARKS} ? 16 : 8,  $config{TC_BITS};
    numeric_option 'PROVIDER_BITS' ,   8, 0;
    numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
+    numeric_option 'ZONE_BITS'       , 0, 0;
+
+    require_capability 'MARK_ANYWHERE', 'A non-zero ZONE_BITS setting', 's' if $config{ZONE_BITS};

    if ( $config{PROVIDER_OFFSET} ) {
-	$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
-	fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 31' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 31;
-	$globals{EXCLUSION_MASK} = 1 << ( $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS} );
+	$config{PROVIDER_OFFSET}  = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
+	$globals{ZONE_OFFSET}     = $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS};
    } elsif ( $config{MASK_BITS} >= $config{PROVIDER_BITS} ) {
-	$globals{EXCLUSION_MASK} = 1 << $config{MASK_BITS};
+	$globals{ZONE_OFFSET}     = $config{MASK_BITS};
    } else {
-	$globals{EXCLUSION_MASK} = 1 << $config{PROVIDER_BITS};
+	$globals{ZONE_OFFSET}     = $config{PROVIDER_BITS};
    }

-    $globals{TC_MAX}                 = make_mask( $config{TC_BITS} );
-    $globals{TC_MASK}                = make_mask( $config{MASK_BITS} );
-    $globals{PROVIDER_MIN}           = 1 << $config{PROVIDER_OFFSET};
-    $globals{PROVIDER_MASK}          = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET};
+    fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 31;
+    
+    $globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} );
+    $globals{PROVIDER_MIN}   = 1 << $config{PROVIDER_OFFSET};
+
+    $globals{TC_MAX}         = make_mask( $config{TC_BITS} );
+    $globals{TC_MASK}        = make_mask( $config{MASK_BITS} );
+    $globals{PROVIDER_MASK}  = make_mask( $config{PROVIDER_BITS} ) << $config{PROVIDER_OFFSET};
+
+    if ( $config{ZONE_BITS} ) {
+	$globals{ZONE_MASK} = make_mask( $config{ZONE_BITS} ) << $globals{ZONE_OFFSET};
+    } else {
+	$globals{ZONE_MASK} = 0;
+    }

    if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
+	
 	$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
    } else {
 	$globals{USER_MASK} = 0;
@@ -3780,6 +3826,7 @@ sub get_configuration( $$$ ) {
    default_log_level 'MACLIST_LOG_LEVEL',   '';
    default_log_level 'TCP_FLAGS_LOG_LEVEL', '';
    default_log_level 'RFC1918_LOG_LEVEL',   '';
+    default_log_level 'RELATED_LOG_LEVEL',   '';

    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};

@@ -3814,6 +3861,23 @@ sub get_configuration( $$$ ) {
 	$globals{MACLIST_TARGET}      = 'reject';
    }

+    if ( $val = $config{RELATED_DISPOSITION} ) {
+	if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
+	    $globals{RELATED_TARGET} = $val;
+	} elsif ( $val eq 'REJECT' ) {
+	    $globals{RELATED_TARGET} = 'reject';
+	} elsif ( $val eq 'A_REJECT' ) {
+	    $globals{RELATED_TARGET} = $val;
+	} else {
+	    fatal_error "Invalid value ($config{RELATED_DISPOSITION}) for RELATED_DISPOSITION"
+	}
+
+	require_capability 'AUDIT_TARGET' , "MACLIST_DISPOSITION=$val", 's' if $val =~ /^A_/;
+    } else {
+	$config{RELATED_DISPOSITION}  =
+	$globals{RELATED_TARGET}      = 'ACCEPT';
+    }
+
    if ( $val = $config{MACLIST_TABLE} ) {
 	if ( $val eq 'mangle' ) {
 	    fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
@@ -3887,7 +3951,9 @@ sub get_configuration( $$$ ) {

    $val = numeric_value $config{OPTIMIZE};

-    fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ( 4096 ^ -1 ) ) <= 15;
+    fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ( 4096 ^ -1 ) ) <= 31;
+
+    require_capability 'XMULTIPORT', 'OPTIMIZE level 16', 's' if $val & 16;

    $globals{MARKING_CHAIN} = $config{MARK_IN_FORWARD_CHAIN} ? 'tcfor' : 'tcpre';

@@ -3926,6 +3992,13 @@ sub get_configuration( $$$ ) {
    } else {
 	$config{LOCKFILE} = '';
    }
+
+    report_capabilities unless $config{LOAD_HELPERS_ONLY};
+
+    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
+    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
+    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 }

 #
@@ -4117,6 +4190,52 @@ sub generate_aux_config() {
    finalize_aux_config;
 }

+sub dump_mark_layout() {
+    sub dumpout( $$$$$ ) {
+	my ( $name, $bits, $min, $max, $mask ) = @_;
+
+	if ( $bits ) {
+	    if ( $min == $max ) {
+		emit_unindented "$name:" . $min . ' mask ' . in_hex( $mask );
+	    } else {
+		emit_unindented "$name:" . join('-', $min, $max ) . ' (' . join( '-', in_hex( $min ), in_hex( $max ) ) . ') mask ' . in_hex( $mask );
+	    }
+	} else {
+	    emit_unindented "$name: Not Enabled";
+	}
+    }
+
+    dumpout( "Traffic Shaping",
+	     $config{TC_BITS},
+	     0,
+	     $globals{TC_MAX},
+	     $globals{TC_MASK} );
+
+    dumpout( "User",
+	     $globals{USER_MASK},
+	     $globals{TC_MAX} + 1,
+	     $globals{USER_MASK},
+	     $globals{USER_MASK} );
+    
+    dumpout( "Provider",
+	     $config{PROVIDER_BITS},
+	     $globals{PROVIDER_MIN},
+	     $globals{PROVIDER_MASK},
+	     $globals{PROVIDER_MASK} );
+
+    dumpout( "Zone",
+	     $config{ZONE_BITS},
+	     1 << $globals{ZONE_OFFSET},
+	     $globals{ZONE_MASK},
+	     $globals{ZONE_MASK} );
+
+    dumpout( "Exclusion",
+	     1,
+	     $globals{EXCLUSION_MASK},
+	     $globals{EXCLUSION_MASK},
+	     $globals{EXCLUSION_MASK} );
+}	
+
 END {
    cleanup;
 }
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -55,6 +55,7 @@ our @EXPORT = qw( ALLIPv4
 		  DCCP
 		  IPv6_ICMP
 		  SCTP
+		  GRE

 		  validate_address
 		  validate_net
@@ -117,6 +118,7 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       TCP                 => 6,
 	       UDP                 => 17,
 	       DCCP                => 33,
+	       GRE                 => 47,
 	       IPv6_ICMP           => 58,
 	       SCTP                => 132,
 	       UDPLITE             => 136 };
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -220,17 +220,7 @@ sub setup_blacklist() {
 	$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;

 	if ( supplied $level ) {
-	    my $logchainref = new_standard_chain 'blacklog';
-
-	    $target =~ s/A_//;
-	    $target = 'reject' if $target eq 'REJECT';
-
-	    log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add',	'' );
-
-	    add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
-	    add_ijump( $logchainref, g => $target );
-
-	    $target = 'blacklog';
+	    $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
 	} elsif ( $audit ) {
 	    require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
 	    $target = verify_audit( $disposition );
@@ -356,7 +346,7 @@ sub remove_blacklist( $ ) {

    my $fn = find_file $file;

-    assert( -f $fn );
+    return 1 unless -f $file;

    my $oldfile = open_file $fn;
    my $newfile;
@@ -405,26 +395,13 @@ sub convert_blacklist() {
    
    if ( @$zones || @$zones1 ) {
 	if ( supplied $level ) {
-	    my $logchainref = new_standard_chain 'blacklog';
-
-	    $target =~ s/A_//;
-	    $target = 'reject' if $target eq 'REJECT';
-
-	    log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add',	'' );
-
-	    add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target ) if $audit;
-	    add_ijump( $logchainref, g => $target );
-
 	    $target = 'blacklog';
 	} elsif ( $audit ) {
-	    require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
 	    $target = verify_audit( $disposition );
 	}

 	my $fn = open_file 'blacklist';

-	assert $fn;
-
 	first_entry "Converting $fn...";

 	while ( read_a_line ) {
@@ -447,7 +424,7 @@ sub convert_blacklist() {

 	    warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;

-	    my $tgt = $whitelist ? 'RETURN' : $target;
+	    my $tgt = $whitelist ? 'WHITELIST' : $target;

 	    if ( $auditone ) {
 		fatal_error "'audit' not allowed in whitelist entries" if $whitelist;
@@ -520,11 +497,7 @@ EOF
 	    for ( @rules ) {
 		my ( $srcdst, $tgt, $networks, $protocols, $ports ) = @$_;

-		if ( $level ) {
-		    $tgt .= ":$level\t";
-		} else {
-		    $tgt .= "\t\t";
-		}
+		$tgt .= "\t\t";

 		my $list = $srcdst eq 'src' ? $zones : $zones1;

@@ -554,13 +527,14 @@ EOF

 	    close $blrules;
 	} else {
-	    warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty) unless @rules;
+	    warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty or does not exist) unless @rules;
+	}
+	
+	if ( -f $fn ) {
+	    rename $fn, "$fn.bak";
+	    progress_message2 "Blacklist file $fn saved in $fn.bak";
 	}
 	
-	rename $fn, "$fn.bak";
-
-	progress_message2 "Blacklist file $fn saved in $fn.bak";
-
 	for my $file ( qw(zones interfaces hosts) ) {
 	    remove_blacklist $file;
 	}
@@ -716,6 +690,7 @@ sub add_common_rules ( $ ) {
    my $dynamicref;

    my @state     = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
+    my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
    my $level     = $config{BLACKLIST_LOGLEVEL};
    my $rejectref = $filter_table->{reject};

@@ -723,13 +698,14 @@ sub add_common_rules ( $ ) {
 	add_rule_pair dont_delete( new_standard_chain( 'logdrop' ) ),   '' , 'DROP'   , $level ;
 	add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), '' , 'reject' , $level ;
 	$dynamicref = dont_optimize( new_standard_chain( 'dynamic' ) );
-	add_ijump $filter_table->{INPUT}, j => $dynamicref, @state;
 	add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
    }

    setup_mss;

-    add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ) if ( $config{FASTACCEPT} );
+    if ( $config{FASTACCEPT} ) {
+	add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch $faststate )
+    } 

    my $policy   = $config{SFILTER_DISPOSITION};
    $level       = $config{SFILTER_LOG_LEVEL};
@@ -776,8 +752,8 @@ sub add_common_rules ( $ ) {
 	$target1 = $target;
    }

-    for $interface ( grep $_ ne '%vserver%', all_interfaces ) {
-	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface );
+    for $interface ( all_real_interfaces ) {
+	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );

 	my $interfaceref = find_interface $interface;

@@ -785,33 +761,28 @@ sub add_common_rules ( $ ) {

 	    my @filters = @{$interfaceref->{filter}};
 	
-	    $chainref = $filter_table->{forward_chain $interface};
+	    $chainref = $filter_table->{forward_option_chain $interface};
 	
 	    if ( @filters ) {
 		add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
-		$interfaceref->{options}{use_forward_chain} = 1;
 	    } elsif ( $interfaceref->{bridge} eq $interface ) {
 		add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++
 		    unless( $config{ROUTE_FILTER} eq 'on' ||
 			    $interfaceref->{options}{routeback} ||
 			    $interfaceref->{options}{routefilter} ||
 			    $interfaceref->{physical} eq '+' );
-
-		$interfaceref->{options}{use_forward_chain} = 1;
 	    }

-	    add_ijump( $chainref, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ), $chainref->{filtered}++ if $config{FASTACCEPT};
-	    add_ijump( $chainref, j => $dynamicref, @state ), $chainref->{filtered}++ if $dynamicref;
-
-	    $chainref = $filter_table->{input_chain $interface};
 	
 	    if ( @filters ) {
+		$chainref = $filter_table->{input_option_chain $interface};
 		add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
-		$interfaceref->{options}{use_input_chain} = 1;
 	    }
 	
-	    add_ijump( $chainref, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ), $chainref->{filtered}++ if $config{FASTACCEPT};
-	    add_ijump( $chainref, j => $dynamicref, @state ), $chainref->{filtered}++ if $dynamicref;
+	    for ( option_chains( $interface ) ) {
+		add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
+		add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate ) if $config{FASTACCEPT};
+	    }
 	}
    }

@@ -895,12 +866,9 @@ sub add_common_rules ( $ ) {
 	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );

-	    for $chain ( first_chains $interface ) {
+	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, @state, imatch_source_net( $hostref->[2] ), @policy );
 	    }
-
-	    set_interface_option $interface, 'use_input_chain', 1;
-	    set_interface_option $interface, 'use_forward_chain', 1;
 	}
    }

@@ -950,14 +918,11 @@ sub add_common_rules ( $ ) {
 	my $ports = $family == F_IPV4 ? '67:68' : '546:547';

 	for $interface ( @$list ) {
-	    set_interface_option $interface, 'use_input_chain', 1;
-	    set_interface_option $interface, 'use_forward_chain', 1;
-	    
 	    set_rule_option( add_ijump( $filter_table->{$_} , j => 'ACCEPT', p => "udp --dport $ports" ) ,
 			     'dhcp',
-			     1 ) for input_chain( $interface ), output_chain( $interface );
+			     1 ) for input_option_chain( $interface ), output_option_chain( $interface );

-	    add_ijump( $filter_table->{forward_chain $interface} ,
+	    add_ijump( $filter_table->{forward_option_chain $interface} ,
 		       j => 'ACCEPT', 
 		       p =>  "udp --dport $ports" ,
 		       imatch_dest_dev( $interface ) )
@@ -1015,11 +980,9 @@ sub add_common_rules ( $ ) {
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 	    my @policy     = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();

-	    for $chain ( first_chains $interface ) {
+	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
 	    }
-	    set_interface_option $interface, 'use_input_chain', 1;
-	    set_interface_option $interface, 'use_forward_chain', 1;
 	}
    }

@@ -1048,7 +1011,7 @@ sub add_common_rules ( $ ) {
 	    progress_message2 "$doing UPnP" unless $announced;

 	    for $interface ( @$list ) {
-		my $chainref = $filter_table->{input_chain $interface};
+		my $chainref = $filter_table->{input_option_chain $interface};
 		my $base     = uc chain_base get_physical $interface;
 		my $variable = get_interface_gateway $interface;

@@ -1197,12 +1160,9 @@ sub setup_mac_lists( $ ) {
 	    if ( $table eq 'filter' ) {
 		my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );

-		for my $chain ( first_chains $interface ) {
+		for my $chain ( option_chains $interface ) {
 		    add_ijump $filter_table->{$chain} , j => $chainref, @source, @state, @policy;
 		}
-
-		set_interface_option $interface, 'use_input_chain', 1;
-		set_interface_option $interface, 'use_forward_chain', 1;
 	    } else {
 		my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} );
 		add_ijump $mangle_table->{PREROUTING}, j => $chainref, imatch_source_dev( $interface ), @source, @state, @policy;
@@ -1300,7 +1260,7 @@ sub generate_dest_rules( $$$;@ ) {
    my $z2ref            = find_zone( $z2 );
    my $type2            = $z2ref->{type};

-    if ( $type2 == VSERVER ) {
+    if ( $type2 & VSERVER ) {
 	for my $hostref ( @{$z2ref->{hosts}{ip}{'%vserver%'}} ) {
 	    my $exclusion = dest_exclusion( $hostref->{exclusions}, $chain);

@@ -1407,6 +1367,7 @@ sub add_interface_jumps {
    our %output_jump_added;
    our %forward_jump_added;
    my  $lo_jump_added = 0;
+    my @interfaces = grep $_ ne '%vserver%', @_;
    #
    # Add Nat jumps
    #
@@ -1418,7 +1379,7 @@ sub add_interface_jumps {
    addnatjump 'POSTROUTING' , 'nat_out';
    addnatjump 'PREROUTING', 'dnat';

-    for my $interface ( grep $_ ne '%vserver%', @_ ) {
+    for my $interface ( @interfaces  ) {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
 	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
 	addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
@@ -1432,7 +1393,7 @@ sub add_interface_jumps {
    #
    # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
    #
-    for my $interface ( grep $_ ne '%vserver%', @_ ) {
+    for my $interface ( @interfaces ) {
 	my $forwardref   = $filter_table->{forward_chain $interface};
 	my $inputref     = $filter_table->{input_chain $interface};
 	my $outputref    = $filter_table->{output_chain $interface};
@@ -1512,58 +1473,21 @@ sub generate_matrix() {
    my  %ipsec_jump_added   = ();

    progress_message2 'Generating Rule Matrix...';
-    progress_message  '  Handling blacklisting and complex zones...';
+    progress_message  '  Handling complex zones...';

    #
-    # Special processing for complex and/or blacklisting configurations
+    # Special processing for complex configurations
    #
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
+	
+	next if  @zones <= 2 && ! $zoneref->{options}{complex};
 	#
-	# Handle blacklisting first
+	# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
 	#
-	if ( $zoneref->{options}{in}{blacklist} ) {
-	    my $blackref = $filter_table->{blacklst};
-	    insert_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , -1, @state for firewall_zone, @vservers;
+	my $frwd_ref = $filter_table->{zone_forward_chain( $zone )};

-	    if ( $simple ) {
-		#
-		# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
-		#
-		for my $zone1 ( @zones ) {
-		    my $ruleschain    = rules_chain( $zone, $zone1 );
-		    my $ruleschainref = $filter_table->{$ruleschain};
-
-		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
-			insert_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, -1, @state );
-		    }
-		}
-	    }
-	}
-
-	if ( $zoneref->{options}{out}{blacklist} ) {
-	    my $blackref = $filter_table->{blackout};
-	    insert_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , -1, @state;
-
-	    for my $zone1 ( @zones, @vservers ) {
-		my $ruleschain    = rules_chain( $zone1, $zone );
-		my $ruleschainref = $filter_table->{$ruleschain};
-
-		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
-		    insert_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, -1, @state );
-		}
-	    }
-	}
-
-	next if $simple;
-
-	#
-	# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
-	#
-	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
-
-	insert_ijump $frwd_ref , j => $filter_table->{blacklst}, -1, @state if $zoneref->{options}{in}{blacklist};
+	add_ijump( $frwd_ref , j => 'MARK --set-mark ' . in_hex( $zoneref->{mark} ) . '/' . in_hex( $globals{ZONE_MASK} ) ) if $zoneref->{mark};

 	if ( have_ipsec ) {
 	    #
@@ -1707,7 +1631,7 @@ sub generate_matrix() {
 		    for my $net ( @{$hostref->{hosts}} ) {
 			my @dest   = imatch_dest_net $net;

-			if ( $chain1 && zone_type ( $zone) != BPORT ) {
+			if ( $chain1 && ! ( zone_type( $zone) & BPORT ) ) {
 			    my $chain1ref = $filter_table->{$chain1};
 			    my $nextchain = dest_exclusion( $exclusions, $chain1 );
 			    my $outputref;
@@ -1799,7 +1723,6 @@ sub generate_matrix() {
 			my $interfacechainref = $filter_table->{input_chain $interface};
 			my @interfacematch;
 			my $use_input;
-			my $blacklist = $zoneref->{options}{in}{blacklist};

 			if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 			    $inputchainref = $interfacechainref;
@@ -1891,7 +1814,7 @@ sub generate_matrix() {
 		    next if ( scalar ( keys( %{ $zoneref->{interfaces}} ) ) < 2 ) && ! $zoneref->{options}{in_out}{routeback};
 		}

-		if ( $zone1ref->{type} == BPORT ) {
+		if ( $zone1ref->{type} & BPORT ) {
 		    next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 		}

@@ -1941,7 +1864,7 @@ sub generate_matrix() {
 		next if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
 	    }

-	    if ( $zone1ref->{type} == BPORT ) {
+	    if ( $zone1ref->{type} & BPORT ) {
 		next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 	    }

@@ -2053,8 +1976,6 @@ sub generate_matrix() {

    add_interface_jumps @interfaces unless $interface_jumps_added;

-    promote_blacklist_rules;
-
    my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
 		     nat=>     [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
 		     filter=>  [ qw/INPUT FORWARD OUTPUT/ ] );
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -308,8 +308,7 @@ sub setup_interface_proc( $ ) {
    }

    if ( @emitted ) {
-	emit( '',
-	      'if [ $COMMAND = enable ]; then' );
+	emit( 'if [ $COMMAND = enable ]; then' );
 	push_indent;
 	emit "$_" for @emitted;
 	pop_indent;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010.2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010.2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -21,7 +21,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MAS 02110-1301 USA.
 #
 #   This module deals with the /etc/shorewall/providers,
-#   /etc/shorewall/route_rules and /etc/shorewall/routes files.
+#   /etc/shorewall/rtrules and /etc/shorewall/routes files.
 #
 package Shorewall::Providers;
 require Exporter;
@@ -38,7 +38,9 @@ our @EXPORT = qw( process_providers
 		  setup_providers
 		  @routemarked_interfaces
 		  handle_stickiness
-		  handle_optional_interfaces );
+		  handle_optional_interfaces
+		  setup_load_distribution
+	       );
 our @EXPORT_OK = qw( initialize lookup_provider );
 our $VERSION = '4.4_24';

@@ -53,11 +55,14 @@ my  @routemarked_providers;
 my  %routemarked_interfaces;
 our @routemarked_interfaces;
 my  %provider_interfaces;
+my  @load_providers;
+my  @load_interfaces;

 my $balancing;
 my $fallback;
 my $first_default_route;
 my $first_fallback_route;
+my $maxload;

 my %providers;

@@ -82,14 +87,17 @@ use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 sub initialize( $ ) {
    $family = shift;

-    @routemarked_providers = ();
+    @routemarked_providers  = ();
    %routemarked_interfaces = ();
    @routemarked_interfaces = ();
    %provider_interfaces    = ();
-    $balancing           = 0;
-    $fallback            = 0;
-    $first_default_route  = 1;
-    $first_fallback_route = 1;
+    @load_providers         = ();
+    @load_interfaces        = ();
+    $balancing              = 0;
+    $fallback               = 0;
+    $first_default_route    = 1;
+    $first_fallback_route   = 1;
+    $maxload                = 0;

    %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
@@ -110,33 +118,57 @@ sub setup_route_marking() {
    add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;

    my $chainref  = new_chain 'mangle', 'routemark';
-    my $chainref1 = new_chain 'mangle', 'setsticky';
-    my $chainref2 = new_chain 'mangle', 'setsticko';

-    my %marked_interfaces;
+    if ( @routemarked_providers ) {
+	my $chainref1 = new_chain 'mangle', 'setsticky';
+	my $chainref2 = new_chain 'mangle', 'setsticko';

-    for my $providerref ( @routemarked_providers ) {
-	my $interface = $providerref->{interface};
-	my $physical  = $providerref->{physical};
-	my $mark      = $providerref->{mark};
+	my %marked_interfaces;

-	unless ( $marked_interfaces{$interface} ) {
-	    add_ijump $mangle_table->{PREROUTING} , j => $chainref,  i => $physical,     mark => "--mark 0/$mask";
-	    add_ijump $mangle_table->{PREROUTING} , j => $chainref1, i => "! $physical", mark => "--mark  $mark/$mask";
-	    add_ijump $mangle_table->{OUTPUT}     , j => $chainref2,                     mark => "--mark  $mark/$mask";
-	    $marked_interfaces{$interface} = 1;
+	for my $providerref ( @routemarked_providers ) {
+	    my $interface = $providerref->{interface};
+	    my $physical  = $providerref->{physical};
+	    my $mark      = $providerref->{mark};
+
+	    unless ( $marked_interfaces{$interface} ) {
+		add_ijump $mangle_table->{PREROUTING} , j => $chainref,  i => $physical,     mark => "--mark 0/$mask";
+		add_ijump $mangle_table->{PREROUTING} , j => $chainref1, i => "! $physical", mark => "--mark  $mark/$mask";
+		add_ijump $mangle_table->{OUTPUT}     , j => $chainref2,                     mark => "--mark  $mark/$mask";
+		$marked_interfaces{$interface} = 1;
+	    }
+
+	    if ( $providerref->{shared} ) {
+		add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
+		decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
+	    } else {
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
+	    }
 	}

-	if ( $providerref->{shared} ) {
-	    add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-	    add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
-	    decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
-	} else {
-	    add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
-	}
+	add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
    }

-    add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
+    if ( @load_interfaces ) {
+	my $chainref1 = new_chain 'mangle', 'balance';
+	my @match;
+
+	add_ijump $chainref,               g => $chainref1, mark => "--mark 0/$mask";
+	add_ijump $mangle_table->{OUTPUT}, j => $chainref1, state_imatch( 'NEW,RELATED' ), mark => "--mark 0/$mask";
+
+	for my $physical ( @load_interfaces ) {
+
+	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
+
+	    dont_optimize $chainref2;
+	    dont_move     $chainref2;
+	    dont_delete   $chainref2;
+	
+  	    add_ijump ( $chainref1,
+			j => $chainref2 ,
+		        mark => "--mark 0/$mask" );
+	}
+    }
 }

 sub copy_table( $$$ ) {
@@ -155,9 +187,22 @@ sub copy_table( $$$ ) {
    emit ( '    case $net in',
 	   '        default)',
 	   '            ;;',
-	   '        *)',
-	   "            run_ip route add table $number \$net \$route $realm",
-	   '            ;;',
+	   '        *)' );
+	   
+    if ( $family == F_IPV4 ) {
+	emit ( '            case $net in',
+	       '                255.255.255.255*)',
+	       '                    ;;',
+	       '                *)',
+	       "                    run_ip route add table $number \$net \$route $realm",
+	       '                    ;;',
+	       '            esac',
+	     );
+    } else {
+	emit ( "            run_ip route add table $number \$net \$route $realm" );
+    }
+
+    emit ( '            ;;',
 	   '    esac',
 	   "done\n"
 	 );
@@ -189,9 +234,21 @@ sub copy_and_edit_table( $$$$ ) {
 	    '            ;;',
 	    '        *)',
 	    '            case $(find_device $route) in',
-	    "                $copy)",
-	    "                    run_ip route add table $number \$net \$route $realm",
-	    '                    ;;',
+	    "                $copy)" );
+    if ( $family == F_IPV4 ) {
+	emit (  '                    case $net in',
+		'                        255.255.255.255*)',
+		'                            ;;',
+		'                        *)',
+		"                            run_ip route add table $number \$net \$route $realm",
+		'                            ;;',
+		'                    esac',
+	     );
+    } else {
+	emit (  "                    run_ip route add table $number \$net \$route $realm" );
+    } 
+
+    emit (  '                    ;;',
 	    '            esac',
 	    '            ;;',
 	    '    esac',
@@ -341,8 +398,8 @@ sub process_a_provider() {
 	$gateway = '';
    }

-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) =
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0 );
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local , $load ) =
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0      , 0 );

    unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -360,8 +417,11 @@ sub process_a_provider() {
 		$loose   = 1;
 		$default_balance = 0;
 	    } elsif ( $option eq 'optional' ) {
-		warning_message q(The 'optional' provider option is deprecated - use the 'optional' interface option instead);
-		set_interface_option $interface, 'optional', 1;
+		unless ( $shared ) {
+		    warning_message q(The 'optional' provider option is deprecated - use the 'optional' interface option instead);
+		    set_interface_option $interface, 'optional', 1;
+		}
+
 		$optional = 1;
 	    } elsif ( $option =~ /^src=(.*)$/ ) {
 		fatal_error "OPTION 'src' not allowed on shared interface" if $shared;
@@ -380,6 +440,9 @@ sub process_a_provider() {
 		$local = 1;
 		$track = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0 if $config{USE_DEFAULT_RT};
+	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
+		$load = $1;
+		require_capability 'STATISTIC_MATCH', "load=$load", 's';
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
@@ -388,6 +451,12 @@ sub process_a_provider() {

    fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default;

+    if ( $load ) {
+	fatal_error q(The 'balance=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $balance > 1;
+	fatal_error q(The 'fallback=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $default > 1;
+	$maxload += $load;
+    }
+
    if ( $local ) {
 	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
 	fatal_error "'track' not valid with 'local'"          if $track;
@@ -460,6 +529,7 @@ sub process_a_provider() {
 			   duplicate   => $duplicate ,
 			   address     => $address ,
 			   local       => $local ,
+			   load        => $load ,
 			   rules       => [] ,
 			   routes      => [] ,
 			 };
@@ -478,8 +548,11 @@ sub process_a_provider() {
 	push @routemarked_providers, $providers{$table};
    }

+    push @load_interfaces, $physical if $load;
+
    push @providers, $table;

+    progress_message "   Provider \"$currentline\" $done";
 }

 #
@@ -508,6 +581,8 @@ sub add_a_provider( $$ ) {
    my $duplicate   = $providerref->{duplicate};
    my $address     = $providerref->{address};
    my $local       = $providerref->{local};
+    my $load        = $providerref->{load};
+
    my $dev         = chain_base $physical;
    my $base        = uc $dev;
    my $realm = '';
@@ -534,7 +609,23 @@ sub add_a_provider( $$ ) {
 	    }
 	}
    }
+
+    emit( qq(echo $load > \${VARDIR}/${physical}_load) ) if $load;
+
+    emit( '', 
+	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
    
+    emit_unindented 'case \$COMMAND in';
+    emit_unindented '    enable|disable)';
+    emit_unindented '        ;;';
+    emit_unindented '    *)';
+    emit_unindented "        rm -f \${VARDIR}/${physical}_load" if $load;
+    emit_unindented <<"CEOF", 1;
+        rm -f \${VARDIR}/${physical}.status
+        ;;
+esac
+EOF
+CEOF
    #
    # /proc for this interface
    #
@@ -570,8 +661,7 @@ sub add_a_provider( $$ ) {
 	    emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
 	    emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
 	} else {
-	    emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}";
-	    emit "run_ip route add $gateway src $address dev $physical ${mtu}";
+	    emit "qt \$IP -6 route add $gateway src $address dev $physical ${mtu}";
 	    emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $number $realm";
 	    emit "run_ip route add $gateway src $address dev $physical ${mtu}table $number $realm";
 	}
@@ -602,7 +692,10 @@ sub add_a_provider( $$ ) {
 	$fallback = 1;
    }

-    emit ( qq(\nqt \$IP rule add from all table ) . DEFAULT_TABLE . qq( prio 32767\n) ) if $family == F_IPV6;
+    emit( qq(\n) ,
+	  qq(if ! \$IP -6 rule ls | egrep -q "32767:[[:space:]]+from all lookup (default|253)"; then) ,
+	  qq(    qt \$IP -6 rule add from all table ) . DEFAULT_TABLE . qq( prio 32767\n) ,
+	  qq(fi) ) if $family == F_IPV6;

    unless ( $local ) {
 	emit '';
@@ -640,11 +733,14 @@ sub add_a_provider( $$ ) {
    }

    emit( '' );
-
+    
    my ( $tbl, $weight );

-    if ( $optional ) {
-	emit( 'if [ $COMMAND = enable ]; then' );
+    emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
+
+    if ( $optional ) {	
+	emit( '',
+	      'if [ $COMMAND = enable ]; then' );

 	push_indent;

@@ -668,22 +764,27 @@ sub add_a_provider( $$ ) {
 		    emit qq(add_gateway "nexthop dev $physical $realm" ) . $tbl;
 		}
 	    }
-	} else {
+	    	} else {
 	    $weight = 1;
 	}

-	emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
+	emit ( "distribute_load $maxload @load_interfaces" ) if $load;
+
+	unless ( $shared ) {
+	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
+	}

 	emit ( qq(progress_message2 "   Provider $table ($number) Started") );

 	pop_indent;
 
-	emit( 'else' ,
-	      qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
+	emit( 'else' );
+	emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
 	      qq(    progress_message "   Provider $table ($number) Started"),
 	      qq(fi\n)
 	    );
    } else {
+	emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
 	emit( qq(progress_message "Provider $table ($number) Started") );
    }
    
@@ -692,6 +793,8 @@ sub add_a_provider( $$ ) {
    emit 'else';

    push_indent;
+    
+    emit( qq(echo 1 > \${VARDIR}/${physical}.status) );

    if ( $optional ) {
 	if ( $shared ) {
@@ -751,11 +854,16 @@ sub add_a_provider( $$ ) {
 	emit (". $undo",
 	      "> $undo" );

-	emit( '', 
-	      "qt \$TC qdisc del dev $physical root",
-	      "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
+	emit ( '',
+	       "distribute_load $maxload @load_interfaces" ) if $load;

-	emit( "progress_message2 \"Provider $table stopped\"" );
+	unless ( $shared ) {
+	    emit( '', 
+		  "qt \$TC qdisc del dev $physical root",
+		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
+	}
+
+	emit( "progress_message2 \"   Provider $table ($number) stopped\"" );

 	pop_indent;

@@ -768,12 +876,10 @@ sub add_a_provider( $$ ) {

 	emit '}';
    }
-
-    progress_message "   Provider \"$currentline\" $done";
 }

 sub add_an_rtrule( ) {
-    my ( $source, $dest, $provider, $priority, $originalmark ) = split_line 'route_rules file', { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 };
+    my ( $source, $dest, $provider, $priority, $originalmark ) = split_line 'rtrules file', { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 };

    our $current_if;

@@ -800,7 +906,7 @@ sub add_an_rtrule( ) {
    my $number = $providerref->{number};

    fatal_error "You may not add rules for the $provider provider" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE;
-    fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
+    fatal_error "You must specify either the source or destination in a rtrules entry" if $source eq '-' && $dest eq '-';

    if ( $dest eq '-' ) {
 	$dest = 'to ' . ALLIP;
@@ -811,6 +917,8 @@ sub add_an_rtrule( ) {

    if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
+    } elsif ( $source =~ s/^&// ) {
+	$source = 'from ' . record_runtime_address $source;
    } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
@@ -961,20 +1069,20 @@ sub start_providers() {
 }

 sub finish_providers() {
+    my $table = MAIN_TABLE;
+    
+    if ( $config{USE_DEFAULT_RT} ) {
+	emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999',
+	       'run_ip rule add from ' . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765',
+	       "\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
+	       qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 32766" >> ${VARDIR}/undo_main_routing',
+	       qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999" >> ${VARDIR}/undo_main_routing',
+	       qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765" >> ${VARDIR}/undo_balance_routing',
+	       '' );
+	$table = BALANCE_TABLE;
+    }
+
    if ( $balancing ) {
-	my $table = MAIN_TABLE;
-
-	if ( $config{USE_DEFAULT_RT} ) {
-	    emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999',
-		   'run_ip rule add from ' . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765',
-		   "\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
-		   qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 32766" >> ${VARDIR}/undo_main_routing',
-		   qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999" >> ${VARDIR}/undo_main_routing',
-		   qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765" >> ${VARDIR}/undo_balance_routing',
-		   '' );
-	    $table = BALANCE_TABLE;
-	}
-
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
 	if ( $family == F_IPV4 ) {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
@@ -1062,7 +1170,15 @@ sub process_providers( $ ) {
    }

    if ( $providers ) {
-	my $fn = open_file 'route_rules';
+	my $fn = open_file( 'route_rules' );
+
+	if ( $fn ){
+	    if ( -f ( my $fn1 = find_file 'rtrules' ) ) {
+		warning_message "Both $fn and $fn1 exists: $fn1 will be ignored";
+	    }
+	} else {
+	    $fn = open_file( 'rtrules' );
+	}

 	if ( $fn ) {
 	    first_entry "$doing $fn...";
@@ -1100,14 +1216,21 @@ EOF
    for my $provider (@providers ) {
 	my $providerref = $providers{$provider};

-	emit( "$providerref->{physical})",
-	      "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
-	      "        start_provider_$provider",
-	      '    else',
-	      '        startup_error "Interface $g_interface is already enabled"',
-	      '    fi',
-	      '    ;;'
-	    ) if $providerref->{optional};
+	if ( $providerref->{optional} ) {
+	    if ( $providerref->{shared} || $providerref->{physical} eq $provider) {
+		emit "$provider})";
+	    } else {
+		emit( "$providerref->{physical}|$provider)" );
+	    }
+
+	    emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
+		   "        start_provider_$provider",
+		   '    else',
+		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
+		   '    fi',
+		   '    ;;'
+		 );
+	}
    }

    pop_indent;
@@ -1115,7 +1238,7 @@ EOF

    emit << 'EOF';;
        *)
-            startup_error "$g_interface is not an optional provider interface"
+            startup_error "$g_interface is not an optional provider or provider interface"
            ;;
    esac
 }
@@ -1135,11 +1258,11 @@ EOF
    for my $provider (@providers ) {
 	my $providerref = $providers{$provider};

-	emit( "$providerref->{physical})",
+	emit( "$providerref->{physical}|$provider)",
 	      "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
 	      "        stop_provider_$provider",
 	      '    else',
-	      '        startup_error "Interface $g_interface is already disabled"',
+	      "        startup_error \"Interface $providerref->{physical} is already disabled\"",
 	      '    fi',
 	      '    ;;'
 	    ) if $providerref->{optional};
@@ -1182,7 +1305,7 @@ sub setup_providers() {
 	pop_indent;
 	emit "fi\n";

-	setup_route_marking if @routemarked_interfaces;
+	setup_route_marking if @routemarked_interfaces || @load_interfaces;
    } else {
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";

@@ -1381,17 +1504,17 @@ sub handle_stickiness( $ ) {

 		for my $chainref ( $stickyref, $setstickyref ) {
 		    if ( $chainref->{name} eq 'sticky' ) {
-			$rule1 = $_;
+			$rule1 = clone_rule( $_ );

 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
 			set_rule_option( $rule1, 'recent', "--name $list --update --seconds 300" );

-			$rule2 = $_;
+			$rule2 = clone_rule( $_ );

 			clear_rule_target( $rule2 );
 			set_rule_option( $rule2, 'mark', "--mark 0/$mask -m recent --name $list --remove" );
 		    } else {
-			$rule1 = $_;
+			$rule1 = clone_rule( $_ );

 			clear_rule_target( $rule1 );
 			set_rule_option( $rule1, 'mark', "--mark $mark\/$mask -m recent --name $list --set" ); 
@@ -1414,17 +1537,29 @@ sub handle_stickiness( $ ) {

 		for my $chainref ( $stickoref, $setstickoref ) {
 		    if ( $chainref->{name} eq 'sticko' ) {
-			$rule1 = $_;
+			$rule1 = {};
+
+			while ( my ( $key, $value ) = each %$_ ) {
+			    $rule1->{$key} = $value;
+			}

 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark" );
+			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300" );

-			$rule2 = $_;
+			$rule2 = {};
+
+			while ( my ( $key, $value ) = each %$_ ) {
+			    $rule2->{$key} = $value;
+			}
 			
 			clear_rule_target( $rule2 );
 			set_rule_option  ( $rule2, 'mark', "--mark 0\/$mask -m recent --name $list --rdest --remove" );
 		    } else {
-			$rule1 = $_;
+			$rule1 = {};
+
+			while ( my ( $key, $value ) = each %$_ ) {
+			    $rule1->{$key} = $value;
+			}

 			clear_rule_target( $rule1 );
 			set_rule_option  ( $rule1, 'mark', "--mark $mark -m recent --name $list --rdest --set" );
@@ -1442,10 +1577,17 @@ sub handle_stickiness( $ ) {
 	}
    }

-    if ( @routemarked_providers ) {
+    if ( @routemarked_providers || @load_interfaces ) {
 	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
 	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
    }
 }

+sub setup_load_distribution() {
+    emit ( '',
+	   "        distribute_load $maxload @load_interfaces" ,
+	   '' 
+	 ) if @load_interfaces;
+}
+
 1;
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -84,7 +84,7 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
 	    emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address/32 dev $physical";
 	} else {
 	    emit( 'if [ -z "$g_noroutes" ]; then',
-		  "    qt \$IP -6 route del $address/128 dev $physical".
+		  "    qt \$IP -6 route del $address/128 dev $physical",
 		  "    run_ip route add $address/128 dev $physical",
 		  'fi'
 		);
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -36,12 +36,14 @@ our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
 our $VERSION = 'MODULEVERSION';

+my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
+
 #
 # Notrack
 #
-sub process_notrack_rule( $$$$$$ ) {
+sub process_notrack_rule( $$$$$$$ ) {

-    my ($source, $dest, $proto, $ports, $sports, $user ) = @_;
+    my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_;

    $proto  = ''    if $proto  eq 'any';
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
@@ -55,42 +57,110 @@ sub process_notrack_rule( $$$$$$ ) {
    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
    require_capability 'RAW_TABLE', 'Notrack rules', '';

+    my $target = $action;
+    my $exception_rule = '';
    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );

-    expand_rule
-	$chainref ,
-	$restriction ,
-	$rule ,
-	$source ,
-	$dest ,
-	'' ,
-	'NOTRACK' ,
-	'' ,
-	'NOTRACK' ,
-	'' ;
+    unless ( $action eq 'NOTRACK' ) {
+	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;

+	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
+
+	require_capability 'CT_TARGET', 'CT entries in the notrack file', '';
+
+	if ( $option eq 'notrack' ) {
+	    fatal_error "Invalid notrack ACTION ( $action )" if supplied $args;
+	    $action = 'CT --notrack';
+	} else {
+	    fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;
+
+	    if ( $option eq 'helper' ) {
+		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
+		validate_helper( $args, $proto );
+		$action = "CT --helper $args";
+		$exception_rule = do_proto( $proto, '-', '-' );
+	    } elsif ( $option eq 'ctevents' ) {
+		for ( split ',', $args ) {
+		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
+		}
+
+		$action = "CT --ctevents $args";
+	    } elsif ( $option eq 'expevent' ) {
+		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
+	    } elsif ( $option eq 'zone' ) {
+		fatal_error "Invalid zone id ($args)" unless $args =~ /^\d+$/;
+	    } else {
+		fatal_error "Invalid CT option ($option)";
+	    }
+	}
+    }
+
+    expand_rule( $chainref ,
+		 $restriction ,
+		 $rule,
+		 $source ,
+		 $dest ,
+		 '' ,
+		 $action ,
+		 '' ,
+		 $target ,
+		 $exception_rule );
+    
    progress_message "  Notrack rule \"$currentline\" $done";

    $globals{UNTRACKED} = 1;
 }

+sub process_format( $ ) {
+    my $format = shift;
+
+    fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;
+
+    $format;
+}
+
 sub setup_notrack() {

+    my $format = 1;
+    my $action = 'NOTRACK';
+
    if ( my $fn = open_file 'notrack' ) {

 	first_entry "$doing $fn...";

 	my $nonEmpty = 0;

-	while ( read_a_line ) {
+	while ( read_a_line ) {	    
+	    my ( $source, $dest, $proto, $ports, $sports, $user );

-	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
-
-	    if ( $source eq 'COMMENT' ) {
-		process_comment;
+	    if ( $format == 1 ) {
+		( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+		
+		if ( $source eq 'FORMAT' ) {
+		    $format = process_format( $dest );
+		    next;
+		}
+		
+		if ( $source eq 'COMMENT' ) {
+		    process_comment;
+		    next;
+		}	    
 	    } else {
-		process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
+		( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
+		
+		if ( $action eq 'FORMAT' ) {
+		    $format = process_format( $source );
+		    $action = 'NOTRACK';
+		    next;
+		}
+		
+		if ( $action eq 'COMMENT' ) {
+		    process_comment;
+		    next;
+		}	    
 	    }
+	    
+	    process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user;
 	}

 	clear_comment;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -116,7 +116,6 @@ my %auditpolicies = ( ACCEPT => 1,
 		      DROP   => 1,
 		      REJECT => 1
 		    );
-
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -145,8 +144,7 @@ sub initialize( $ ) {
    #
    # These are set to 1 as sections are encountered.
    #
-    %sections = ( BLACKLIST   => 0,
-		  ALL         => 0,
+    %sections = ( ALL         => 0,
 		  ESTABLISHED => 0,
 		  RELATED     => 0,
 		  NEW         => 0
@@ -379,7 +377,7 @@ sub process_a_policy() {
    }

    unless ( $clientwild || $serverwild ) {
-	if ( zone_type( $server ) == BPORT ) {
+	if ( zone_type( $server ) & BPORT ) {
 	    fatal_error "Invalid policy - DEST zone is a Bridge Port zone but the SOURCE zone is not associated with the same bridge"
 		unless find_zone( $client )->{bridge} eq find_zone( $server)->{bridge} || single_interface( $client ) eq find_zone( $server )->{bridge};
 	}
@@ -515,11 +513,11 @@ sub process_policies()

    for $zone ( all_zones ) {
 	push @policy_chains, ( new_policy_chain $zone,         $zone, 'ACCEPT', PROVISIONAL, 0 );
-	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL, 0 ) if zone_type( $zone ) == BPORT;
+	push @policy_chains, ( new_policy_chain firewall_zone, $zone, 'NONE',   PROVISIONAL, 0 ) if zone_type( $zone ) & BPORT;

 	my $zoneref = find_zone( $zone );

-	if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} == VSERVER ) ) {
+	if ( $config{IMPLICIT_CONTINUE} && ( @{$zoneref->{parents}} || $zoneref->{type} & VSERVER ) ) {
 	    for my $zone1 ( all_zones ) {
 		unless( $zone eq $zone1 ) {
 		    add_or_modify_policy_chain( $zone, $zone1, 0 );
@@ -678,8 +676,6 @@ sub complete_standard_chain ( $$$$ ) {
    policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }

-sub require_audit($$;$);
-
 #
 # Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
 #
@@ -744,7 +740,7 @@ sub ensure_rules_chain( $ )

    my $chainref = $filter_table->{$chain};

-    $chainref = dont_move( new_chain( 'filter', $chain ) ) unless $chainref;
+    $chainref = new_chain( 'filter', $chain ) unless $chainref;

    unless ( $chainref->{referenced} ) {
 	if ( $section =~/^(NEW|DONE)$/ ) {
@@ -764,11 +760,33 @@ sub ensure_rules_chain( $ )
 #
 sub finish_chain_section ($$) {
    my ($chainref, $state ) = @_;
-    my $chain = $chainref->{name};
+    my $chain               = $chainref->{name};
+    my $related_level       = $config{RELATED_LOG_LEVEL};
+    my $related_target      = $globals{RELATED_TARGET};
    
    push_comment(''); #These rules should not have comments

-    add_ijump $chainref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT};
+    if ( $state =~ /RELATED/ && ( $related_level || $related_target ne 'ACCEPT' ) ) {
+
+	if ( $related_level ) {
+	    my $relatedref = new_chain( 'filter', "+$chainref->{name}" );
+	    log_rule( $related_level,
+		      $relatedref,
+		      $config{RELATED_DISPOSITION},
+		      '' );
+	    add_ijump( $relatedref, g => $related_target );
+		    
+	    $related_target = $relatedref->{name};
+	}
+
+	add_ijump $chainref, g => $related_target, state_imatch 'RELATED';
+
+	$state =~ s/,?RELATED//;
+    }
+
+    if ( $state ) {
+	add_ijump $chainref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT};
+    }

    if ($sections{NEW} ) {
 	if ( $chainref->{is_policy} ) {
@@ -1409,7 +1427,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ );

 #
 # Populate an action invocation chain. As new action tuples are encountered,
-# the function will be called recursively by process_rules_common().
+# the function will be called recursively by process_rule1().
 #
 sub process_action( $) {
    my $chainref = shift;
@@ -1697,9 +1715,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	#
 	fatal_error "Macro invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;

-	if ( $param ne '' ) {
-	    $current_param = $param unless $param eq 'PARAM';
-	}
+	$current_param = $param unless $param eq '' || $param eq 'PARAM';

 	my $generated = process_macro( $basictarget,
 				       $chainref,
@@ -1741,7 +1757,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    #
    # We can now dispense with the postfix character
    #
-    fatal_error "The +, - and ! modifiers are not allowed in the bllist file or in the BLACKLIST section" if $action =~ s/[\+\-!]$// && $blacklist;
+    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[\+\-!]$// && $blacklist;
    #
    # Handle actions
    #
@@ -1807,7 +1823,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 			  CONTINUE => sub { $action = 'RETURN'; } ,

 			  WHITELIST => sub { 
-			      fatal_error "'WHITELIST' may only be used in the blrules file and in the 'BLACKLIST' section" unless $blacklist; 
+			      fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist; 
 			      $action = 'RETURN';
 			  } ,

@@ -1889,10 +1905,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    my $restriction = NO_RESTRICT;

    unless ( $inaction ) {
-	if ( $sourceref && ( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ) ) {
-	    $restriction = $destref && ( $destref->{type} == FIREWALL || $destref->{type} == VSERVER ) ? ALL_RESTRICT : OUTPUT_RESTRICT;
+	if ( $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) ) ) {
+	    $restriction = $destref && ( $destref->{type} & ( FIREWALL | VSERVER ) ) ? ALL_RESTRICT : OUTPUT_RESTRICT;
 	} else {
-	    $restriction = INPUT_RESTRICT if $destref && ( $destref->{type} == FIREWALL || $destref->{type} == VSERVER );
+	    $restriction = INPUT_RESTRICT if $destref && ( $destref->{type} & ( FIREWALL | VSERVER ) );
 	}
    }

@@ -1916,7 +1932,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    #
 	    # Check for illegal bridge port rule
 	    #
-	    if ( $destref->{type} == BPORT ) {
+	    if ( $destref->{type} & BPORT ) {
 		unless ( $sourceref->{bridge} eq $destref->{bridge} || single_interface( $sourcezone ) eq $destref->{bridge} ) {
 		    return 0 if $wildcard;
 		    fatal_error "Rules with a DESTINATION Bridge Port zone must have a SOURCE zone on the same bridge";
@@ -2000,7 +2016,12 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    }

    unless ( $section eq 'NEW' || $inaction ) {
-	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
+	if ( $config{FASTACCEPT} ) {
+	    fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless 
+		$section eq 'BLACKLIST' ||
+		( $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) )
+	}
+
 	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
 	$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL' || $blacklist;
    }
@@ -2285,15 +2306,15 @@ sub process_section ($) {
    fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
    $sections{$sect} = 1;

-    if ( $sect eq 'ALL' ) {
-	$sections{BLACKLIST} = 1;
+    if ( $sect eq 'BLACKLIST' ) {
+	fatal_error "The BLACKLIST section has been eliminated. Please move your BLACKLIST rules to the 'blrules' file";
    } elsif ( $sect eq 'ESTABLISHED' ) {
-	$sections{'BLACKLIST','ALL'} = ( 1, 1);
+	$sections{ALL} = 1;
    } elsif ( $sect eq 'RELATED' ) {
-	@sections{'BLACKLIST','ALL','ESTABLISHED'} = ( 1, 1, 1);
+	@sections{'ALL','ESTABLISHED'} = ( 1, 1);
 	finish_section 'ESTABLISHED';
    } elsif ( $sect eq 'NEW' ) {
-	@sections{'BLACKLIST','ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1, 1 );
+	@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
 	finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
    }

@@ -2438,22 +2459,115 @@ sub process_rule ( ) {
 }

 #
-# Process the Rules File
+# Add jumps to the blacklst and blackout chains
 #
-sub process_rules() {
+sub classic_blacklist() {
+    my $fw       = firewall_zone;
+    my @zones    = off_firewall_zones;
+    my @vservers = vserver_zones;
+    my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
+    my $result;
+    
+    for my $zone ( @zones ) {
+	my $zoneref = find_zone( $zone );
+	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
+	
+	if ( $zoneref->{options}{in}{blacklist} ) {
+	    my $blackref = $filter_table->{blacklst};
+	    add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;
+
+	    if ( $simple ) {
+		#
+		# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
+		#
+		for my $zone1 ( @zones ) {
+		    my $ruleschain    = rules_chain( $zone, $zone1 );
+		    my $ruleschainref = $filter_table->{$ruleschain};
+
+		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+			add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
+		    }
+		}
+	    }
+
+	    $result = 1;
+	}
+
+	if ( $zoneref->{options}{out}{blacklist} ) {
+	    my $blackref = $filter_table->{blackout};
+	    add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
+
+	    for my $zone1 ( @zones, @vservers ) {
+		my $ruleschain    = rules_chain( $zone1, $zone );
+		my $ruleschainref = $filter_table->{$ruleschain};
+
+		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+		    add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
+		}
+	    }
+
+	    $result = 1;
+	}
+
+	unless ( $simple ) {
+	    #
+	    # Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
+	    #
+	    my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
+
+	    add_ijump( $frwd_ref , j => $filter_table->{blacklst}, @state ) if $zoneref->{options}{in}{blacklist};
+	}
+    }
+
+    $result;
+}
+
+#
+# Process the BLRules and Rules Files
+#
+sub process_rules( $ ) {
+    my $convert = shift;
+    my $blrules = 0;
+    #
+    # Generate jumps to the classic blacklist chains
+    #
+    $blrules = classic_blacklist unless $convert;
+    #
+    # Process the blrules file
+    #
+    $section = 'BLACKLIST';

    my $fn = open_file 'blrules';

    if ( $fn ) {
-	first_entry "$doing $fn...";
-	
-	$section = 'BLACKLIST';
+	first_entry( sub () {
+			 my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
+			 my  $audit       = $disposition =~ /^A_/;
+			 my  $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
+
+			 progress_message2 "$doing $currentfilename...";
+
+			 if ( supplied $level ) {
+			     ensure_blacklog_chain( $target, $disposition, $level, $audit );
+			     ensure_audit_blacklog_chain( $target, $disposition, $level ) if have_capability 'AUDIT_TARGET';
+			 } elsif ( $audit ) {
+			     require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
+			     verify_audit( $disposition );
+			 } elsif ( have_capability 'AUDIT_TARGET' ) {
+			     verify_audit( 'A_' . $disposition );
+			 }
+
+			 $blrules = 1;
+		     }
+		   );

 	process_rule while read_a_line;
-	    
-	$section = '';
    }

+    $section = '';
+
+    add_interface_options( $blrules );
+
    $fn = open_file 'rules';

    if ( $fn ) {
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -104,6 +104,9 @@ my  %flow_keys = ( 'src'            => 1,
 		   'sk-gid'         => 1,
 		   'vlan-tag'       => 1 );

+my %designator = ( F => 'tcfor' ,
+		   T => 'tcpost' );
+
 my  %tosoptions = ( 'tos-minimize-delay'       => '0x10/0x10' ,
 		    'tos-maximize-throughput'  => '0x08/0x08' ,
 		    'tos-maximize-reliability' => '0x04/0x04' ,
@@ -191,8 +194,15 @@ sub initialize( $ ) {
 }

 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = 
-	split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12 };
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability );
+    if ( $family == F_IPV4 ) {
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability ) =
+	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 };
+	$headers = '-';
+    } else {
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability ) = 
+	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 };
+    }

    our @tccmd;

@@ -207,38 +217,52 @@ sub process_tc_rule( ) {

    fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;

+    my $chain    = $globals{MARKING_CHAIN};
+    my $classid  = 0;
+
    if ( $remainder ) { 
 	if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
 	    $mark = $originalmark; # Most likely, an IPv6 address is included in the parameter list
 	} else {
-	    fatal_error "Invalid MARK ($originalmark)";
+	    fatal_error "Invalid MARK ($originalmark)" 
+		unless ( $mark =~ /^([0-9a-fA-F]+)$/ &&
+			 $designator =~ /^([0-9a-fA-F]+)$/ && 
+			 ( $chain = $designator{$remainder} ) );
+	    $mark    = join( ':', $mark, $designator );
+	    $classid = 1;
 	}
    }

-    my $chain  = $globals{MARKING_CHAIN};
    my $target = 'MARK --set-mark';
    my $tcsref;
    my $connmark = 0;
-    my $classid  = 0;
    my $device   = '';
    my $fw       = firewall_zone;
    my $list;

    if ( $source ) {
 	if ( $source eq $fw ) {
-	    $chain = 'tcout';
+	    if ( $classid ) {
+		fatal_error ":F is not allowed when the SOURCE is the firewall" if $chain eq 'tcfor';
+	    } else {
+		$chain = 'tcout';
+	    }
+
 	    $source = '';
-	} else {
-	    $chain = 'tcout' if $source =~ s/^($fw)://;
+	} elsif ( $source =~ s/^($fw):// ) {
+	    fatal_error ":F is not allowed when the SOURCE is the firewall" if ( $designator || '' ) eq 'F';
+	    $chain = 'tcout';
 	}
    }

    if ( $dest ) {
 	if ( $dest eq $fw ) {
+	    fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classid;
 	    $chain = 'tcin';
 	    $dest  = '';
-	} else {
-	    $chain = 'tcin' if $dest =~ s/^($fw)://;
+	} elsif ( $dest =~ s/^($fw):// ) {
+	    fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classid;
+	    $chain = 'tcin';
 	}
    }

@@ -259,11 +283,16 @@ sub process_tc_rule( ) {
 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;

 	} else {
-	    fatal_error "Invalid MARK ($originalmark)"   unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
+	    unless ( $classid ) {
+		fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
+		fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $chain eq 'tcin';
+		$chain = 'tcpost';
+		$mark  = $originalmark;
+	    }

 	    if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
 		$originalmark = join( ':', normalize_hex( $mark ), normalize_hex( $designator ) );
-		fatal_error "Unknown Class ($originalmark)}" unless ( $device = $classids{$originalmark} );
+		fatal_error "Unknown Class ($mark)}" unless ( $device = $classids{$mark} );
 		fatal_error "IFB Classes may not be specified in tcrules" if @{$tcdevices{$device}{redirected}};

 		unless ( $tcclasses{$device}{hex_value $designator}{leaf} ) {
@@ -278,9 +307,7 @@ sub process_tc_rule( ) {
 		}
 	    }

-	    $chain   = 'tcpost';
 	    $classid = 1;
-	    $mark    = $originalmark;
 	    $target  = 'CLASSIFY --set-class';
 	}
    }
@@ -352,7 +379,7 @@ sub process_tc_rule( ) {
 				$val = numeric_value ($s);
 				fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
 				$shift = $s;
-			    }
+			    }			    
 			} else {
 			    fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
 			}
@@ -433,6 +460,10 @@ sub process_tc_rule( ) {
 			} else {
 			    $target .= " --hl-set $param";
 			}
+		    } elsif ( $target eq 'IMQ' ) {
+			assert( $cmd =~ /^IMQ\((\d+)\)$/ );
+			require_capability 'IMQ_TARGET', 'IMQ', 's';
+			$target .= " --todev $1";
 		    }

 		    if ( $rest ) {
@@ -478,7 +509,8 @@ sub process_tc_rule( ) {
 				     do_tos( $tos ) .
 				     do_connbytes( $connbytes ) .
 				     do_helper( $helper ) .
-				     do_headers( $headers ) ,
+				     do_headers( $headers ) .
+				     do_probability( $probability ) ,
 				     $source ,
 				     $dest ,
 				     '' ,
@@ -527,7 +559,7 @@ sub calculate_quantum( $$ ) {
 sub process_in_bandwidth( $ ) {
    my $in_rate     = shift;
    
-    return 0 if $in_rate eq '-';
+    return 0 if $in_rate eq '-' or $in_rate eq '0';

    my $in_burst    = '10kb';
    my $in_avrate   = 0;
@@ -960,7 +992,7 @@ sub validate_tc_class( ) {
 	    if ( $classnumber ) {
 		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
 	    } else {
-		$classnumber = $config{WIDE_TC_MARKS} ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
+		$classnumber = $config{TC_BITS} >= 14 ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
 		fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
 	    }
 	}
@@ -1716,6 +1748,26 @@ sub process_traffic_shaping() {

 	    pop_indent;
 	    emit "}\n";
+	} else {
+	    for my $class ( @tcclasses ) {
+		#
+		# The class number in the tcclasses array is expressed in decimal.
+		#
+		my ( $d, $decimalclassnum ) = split /:/, $class;
+
+		next unless $d eq $devname;
+		#
+		# For inclusion in 'tc' commands, we also need the hex representation
+		#
+		my $classnum = in_hexp $decimalclassnum;
+		#
+		# The decimal value of the class number is also used as the key for the hash at $tcclasses{$device}
+		#
+		my $devicenumber  = in_hexp $devref->{number};
+		my $classid  = join( ':', $devicenumber, $classnum);
+
+		$classids{$classid}=$device;
+	    }
 	}
    }
 }
@@ -1929,7 +1981,13 @@ sub setup_tc() {
 			  mark      => NOMARK,
 			  mask      => '',
 			  connmark  => 0
-			} 
+			},
+			{ match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
+			  target    => 'IMQ',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
 		      );

 	if ( my $fn = open_file 'tcrules' ) {
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -238,7 +238,7 @@ sub setup_tunnels() {

 	my $zonetype = zone_type( $zone );

-	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype == FIREWALL || $zonetype == BPORT;
+	fatal_error "Invalid tunnel ZONE ($zone)" if $zonetype & ( FIREWALL | BPORT );

 	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
 	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -50,6 +50,7 @@ our @EXPORT = qw( NOTHING
 		  defined_zone
 		  zone_type
 		  zone_interfaces
+		  zone_mark
 		  all_zones
 		  all_parent_zones
 		  complex_zones
@@ -60,6 +61,7 @@ our @EXPORT = qw( NOTHING
 		  chain_base
 		  validate_interfaces_file
 		  all_interfaces
+		  all_real_interfaces
 		  all_bridges
 		  interface_number
 		  find_interface
@@ -75,6 +77,7 @@ our @EXPORT = qw( NOTHING
 		  get_interface_option
 		  interface_has_option
 		  set_interface_option
+		  set_interface_provider
 		  interface_zones
 		  verify_required_interfaces
 		  compile_updown
@@ -97,6 +100,14 @@ use constant { NOTHING    => 'NOTHING',
 	       IPSECPROTO => 'ah|esp|ipcomp',
 	       IPSECMODE  => 'tunnel|transport'
 	       };
+
+#
+# Option columns
+#
+use constant { IN_OUT     => 1,
+	       IN         => 2,
+	       OUT        => 3 };
+
 #
 # Zone Table.
 #
@@ -132,6 +143,7 @@ use constant { NOTHING    => 'NOTHING',
 #
 my @zones;
 my %zones;
+my %zonetypes;
 my $firewall_zone;

 my  %reservedName = ( all => 1,
@@ -181,12 +193,15 @@ my $upgrade;
 my $have_ipsec;
 my $baseseq;
 my $minroot;
+my $zonemark;
+my $zonemarkincr;
+my $zonemarklimit;

 use constant { FIREWALL => 1,
 	       IP       => 2,
-	       BPORT    => 3,
-	       IPSEC    => 4,
-	       VSERVER  => 5 };
+	       BPORT    => 4,
+	       IPSEC    => 8,
+	       VSERVER  => 16 };

 use constant { SIMPLE_IF_OPTION   => 1,
 	       BINARY_IF_OPTION   => 2,
@@ -276,6 +291,7 @@ sub initialize( $$ ) {
 			     destonly => 1,
 			     sourceonly => 1,
 			    );
+	%zonetypes = ( 1 => 'firewall', 2 => 'ipv4', 4 => 'bport4', 8 => 'ipsec4', 16 => 'vserver' );
    } else {
 	%validinterfaceoptions = (  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
@@ -301,6 +317,7 @@ sub initialize( $$ ) {
 			     routeback => 1,
 			     tcpflags => 1,
 			    );
+	%zonetypes = ( 1 => 'firewall', 2 => 'ipv6', 4 => 'bport6', 8 => 'ipsec4', 16 => 'vserver' );
    }
 }

@@ -310,9 +327,10 @@ sub initialize( $$ ) {
 # => mss   = <MSS setting>
 # => ipsec = <-m policy arguments to match options>
 #
-sub parse_zone_option_list($$\$)
+sub parse_zone_option_list($$\$$)
 {
    my %validoptions = ( mss          => NUMERIC,
+			 nomark       => NOTHING,
 			 blacklist    => NOTHING,
 			 strict       => NOTHING,
 			 next         => NOTHING,
@@ -324,13 +342,13 @@ sub parse_zone_option_list($$\$)
 			 "tunnel-dst" => NETWORK,
 		       );

-    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8 };
+    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
    #
    # Hash of options that have their own key in the returned hash.
    #
-    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW );
+    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );

-    my ( $list, $zonetype, $complexref ) = @_;
+    my ( $list, $zonetype, $complexref, $column ) = @_;
    my %h;
    my $options = '';
    my $fmt;
@@ -363,11 +381,12 @@ sub parse_zone_option_list($$\$)
 	    my $key = $key{$e};

 	    if ( $key ) {
-		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype == FIREWALL || $zonetype == VSERVER);
+		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
+		fatal_error "Opeion '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
 		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
-		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
+		fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype & IPSEC;
 		$options .= $invert;
 		$options .= "--$e ";
 		$options .= "$val "if defined $val;
@@ -411,14 +430,6 @@ sub process_zone( \$ ) {
    if ( $zone =~ /(\w+):([\w,]+)/ ) {
 	$zone = $1;
 	@parents = split_list $2, 'zone';
-
-	for my $p ( @parents ) {
-	    fatal_error "Invalid Parent List ($2)" unless $p;
-	    fatal_error "Unknown parent zone ($p)" unless $zones{$p};
-	    fatal_error 'Subzones of firewall zone not allowed' if $zones{$p}{type} == FIREWALL;
-	    fatal_error 'Subzones of a Vserver zone not allowed' if $zones{$p}{type} == VSERVER;
-	    push @{$zones{$p}{children}}, $zone;
-	}
    }

    fatal_error "Invalid zone name ($zone)"      unless $zone =~ /^[a-z]\w*$/i && length $zone <= $globals{MAXZONENAMELENGTH};
@@ -431,10 +442,11 @@ sub process_zone( \$ ) {
 	$$ip = 1;
    } elsif ( $type =~ /^ipsec([46])?$/i ) {
 	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
+	require_capability 'POLICY_MATCH' , 'IPSEC zones', '';
 	$type = IPSEC;
    } elsif ( $type =~ /^bport([46])?$/i ) {
 	fatal_error "Invalid zone type ($type)" if $1 && $1 != $family;
-	warning_message "Bridge Port zones should have a parent zone" unless @parents;
+	warning_message "Bridge Port zones should have a parent zone" unless @parents || $config{ZONE_BITS};
 	$type = BPORT;
 	push @bport_zones, $zone;
    } elsif ( $type eq 'firewall' ) {
@@ -453,11 +465,18 @@ sub process_zone( \$ ) {
 	fatal_error "Invalid zone type ($type)";
    }

-    if ( $type eq IPSEC ) {
-	require_capability 'POLICY_MATCH' , 'IPSEC zones', '';
-	for ( @parents ) {
-	    set_super( $zones{$_} ) unless $zones{$_}{type} == IPSEC;
-	}
+    for my $p ( @parents ) {
+	fatal_error "Invalid Parent List ($2)" unless $p;
+	fatal_error "Unknown parent zone ($p)" unless $zones{$p};
+
+	my $ptype = $zones{$p}{type};
+
+	fatal_error 'Subzones of a Vserver zone not allowed' if $ptype & VSERVER;
+	fatal_error 'Subzones of firewall zone not allowed'  if $ptype & FIREWALL;
+
+	set_super( $zones{$p} ) if $type & IPSEC && ! ( $ptype & IPSEC );
+
+	push @{$zones{$p}{children}}, $zone;
    }

    my $complex = 0;
@@ -465,10 +484,10 @@ sub process_zone( \$ ) {
    my $zoneref = $zones{$zone} = { type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
-				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex ) ,
-						    in      => parse_zone_option_list( $in_options , $type , $complex ) ,
-						    out     => parse_zone_option_list( $out_options , $type , $complex ) ,
-						    complex => ( $type == IPSEC || $complex ) ,
+				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
+						    in      => parse_zone_option_list( $in_options , $type , $complex , IN ) ,
+						    out     => parse_zone_option_list( $out_options , $type , $complex , OUT ) ,
+						    complex => ( $type & IPSEC || $complex ) ,
 						    nested  => @parents > 0 ,
 						    super   => 0 ,
 						  } ,
@@ -477,6 +496,28 @@ sub process_zone( \$ ) {
 				    hosts      => {}
 				  };

+    if ( $config{ZONE_BITS} ) {
+	my $mark;
+
+	if ( $type == FIREWALL ) {
+	    $mark = 0;
+	} else {
+	    unless ( $zoneref->{options}{in_out}{nomark} ) {
+		fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
+		$mark      = $zonemark;
+		$zonemark += $zonemarkincr;
+		$zoneref->{options}{complex} = 1;
+	    }
+	}
+
+	if ( $zoneref->{options}{in_out}{nomark} ) {
+	    progress_message_nocompress "   Zone $zone:\tmark value not assigned";
+	} else {
+	    progress_message_nocompress "   Zone $zone:\tmark value " . in_hex( $zoneref->{mark} = $mark );
+	}
+    }
+	
+
    if ( $zoneref->{options}{in_out}{blacklist} ) {
 	for ( qw/in out/ ) {
 	    unless ( $zoneref->{options}{$_}{blacklist} ) {
@@ -498,6 +539,10 @@ sub determine_zones()
    my @z;
    my $ip = 0;

+    $zonemark      = 1 << $globals{ZONE_OFFSET};
+    $zonemarkincr  = $zonemark;
+    $zonemarklimit = $zonemark << $config{ZONE_BITS};
+
    if ( my $fn = open_file 'zones' ) {
 	first_entry "$doing $fn...";
 	push @z, process_zone( $ip ) while read_a_line;
@@ -536,7 +581,7 @@ sub determine_zones()
 #
 sub haveipseczones() {
    for my $zoneref ( values %zones ) {
-	return 1 if $zoneref->{type} == IPSEC;
+	return 1 if $zoneref->{type} & IPSEC;
    }

    0;
@@ -549,22 +594,13 @@ sub zone_report()
 {
    progress_message2 "Determining Hosts in Zones...";

-    my @translate;
-
-    if ( $family == F_IPV4 ) {
-	@translate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
-    } else {
-	@translate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
-    }
-
-    for my $zone ( @zones )
-    {
+    for my $zone ( @zones ) {
 	my $zoneref   = $zones{$zone};
 	my $hostref   = $zoneref->{hosts};
 	my $type      = $zoneref->{type};
 	my $optionref = $zoneref->{options};

-	progress_message_nocompress "   $zone ($translate[$type])";
+	progress_message_nocompress "   $zone ($zonetypes{$type})";

 	my $printed = 0;

@@ -575,11 +611,14 @@ sub zone_report()
 		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
+
 		    for my $groupref ( @$arrayref ) {
 			my $hosts      = $groupref->{hosts};
+
 			if ( $hosts ) {
 			    my $grouplist  = join ',', ( @$hosts );
 			    my $exclusions = join ',', @{$groupref->{exclusions}};
+
 			    $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;

 			    if ( $family == F_IPV4 ) {
@@ -590,13 +629,12 @@ sub zone_report()
 			    $printed = 1;
 			}
 		    }
-
 		}
 	    }
 	}

 	unless ( $printed ) {
-	    fatal_error "No bridge has been associated with zone $zone" if $type == BPORT && ! $zoneref->{bridge};
+	    fatal_error "No bridge has been associated with zone $zone" if $type & BPORT && ! $zoneref->{bridge};
 	    warning_message "*** $zone is an EMPTY ZONE ***" unless $type == FIREWALL;
 	}

@@ -606,16 +644,7 @@ sub zone_report()
 #
 # This function is called to create the contents of the ${VARDIR}/zones file
 #
-sub dump_zone_contents()
-{
-    my @xlate;
-
-    if ( $family == F_IPV4 ) {
-	@xlate = ( undef, 'firewall', 'ipv4', 'bport4', 'ipsec4', 'vserver' );
-    } else {
-	@xlate = ( undef, 'firewall', 'ipv6', 'bport6', 'ipsec6', 'vserver' );
-    }
-
+sub dump_zone_contents() {
    for my $zone ( @zones )
    {
 	my $zoneref    = $zones{$zone};
@@ -623,9 +652,10 @@ sub dump_zone_contents()
 	my $type       = $zoneref->{type};
 	my $optionref  = $zoneref->{options};

-	my $entry      =  "$zone $xlate[$type]";
+	my $entry      =  "$zone $zonetypes{$type}";

-	$entry .= ":$zoneref->{bridge}" if $type == BPORT;
+	$entry .= ":$zoneref->{bridge}" if $type & BPORT;
+	$entry .= ( " mark=" . in_hex( $zoneref->{mark} ) ) if exists $zoneref->{mark};

 	if ( $hostref ) {
 	    for my $type ( sort keys %$hostref ) {
@@ -634,6 +664,7 @@ sub dump_zone_contents()
 		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
+
 		    for my $groupref ( @$arrayref ) {
 			my $hosts     = $groupref->{hosts};

@@ -736,7 +767,7 @@ sub add_group_to_zone($$$$$)

    $zoneref->{options}{in_out}{routeback} = 1 if $options->{routeback};

-    my $gtype = $type == IPSEC ? 'ipsec' : 'ip';
+    my $gtype = $type & IPSEC ? 'ipsec' : 'ip';

    $hostsref     = ( $zoneref->{hosts}           || ( $zoneref->{hosts} = {} ) );
    $typeref      = ( $hostsref->{$gtype}         || ( $hostsref->{$gtype} = {} ) );
@@ -748,7 +779,7 @@ sub add_group_to_zone($$$$$)

    push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
-			     ipsec   => $type == IPSEC ? 'ipsec' : 'none' ,
+			     ipsec   => $type & IPSEC ? 'ipsec' : 'none' ,
 			     exclusions => \@exclusions };

    $interfaces{$interface}{options}{routeback} ||= ( $type != IPSEC && $options->{routeback} );
@@ -776,6 +807,12 @@ sub zone_interfaces( $ ) {
    find_zone( $_[0] )->{interfaces};
 }

+sub zone_mark( $ ) {
+    my $zoneref = find_zone( $_[0] );
+    fatal_error "Zone $_[0] has no assigned mark" unless exists $zoneref->{mark};
+    $zoneref->{mark};
+}
+
 sub defined_zone( $ ) {
    $zones{$_[0]};
 }
@@ -785,11 +822,11 @@ sub all_zones() {
 }

 sub off_firewall_zones() {
-   grep ( ! ( $zones{$_}{type} == FIREWALL || $zones{$_}{type} == VSERVER )  ,  @zones );
+   grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }

 sub non_firewall_zones() {
-   grep ( $zones{$_}{type} != FIREWALL  ,  @zones );
+   grep ( ! ( $zones{$_}{type} & FIREWALL ) ,  @zones );
 }

 sub all_parent_zones() {
@@ -805,7 +842,7 @@ sub complex_zones() {
 }

 sub vserver_zones() {
-    grep ( $zones{$_}{type} == VSERVER, @zones );
+    grep ( $zones{$_}{type} & VSERVER, @zones );
 }

 sub firewall_zone() {
@@ -904,7 +941,7 @@ sub process_interface( $$ ) {

 	fatal_error "$interface is not a defined bridge" unless $interfaces{$interface} && $interfaces{$interface}{options}{bridge};
 	$interfaces{$interface}{ports}++;
-	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && $zoneref->{type} != BPORT;
+	fatal_error "Bridge Ports may only be associated with 'bport' zones" if $zone && ! ( $zoneref->{type} & BPORT );

 	if ( $zone ) {
 	    if ( $zoneref->{bridge} ) {
@@ -913,15 +950,15 @@ sub process_interface( $$ ) {
 		$zoneref->{bridge} = $interface;
 	    }

-	    fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} == VSERVER;
+	    fatal_error "Vserver zones may not be associated with bridge ports" if $zoneref->{type} & VSERVER;
 	}

 	$bridge = $interface;
 	$interface = $port;
    } else {
 	fatal_error "Duplicate Interface ($interface)" if $interfaces{$interface};
-	fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} == BPORT;
-	fatal_error "Vserver zones may not be associated with interfaces" if $zone && $zoneref->{type} == VSERVER;
+	fatal_error "Zones of type 'bport' may only be associated with bridge ports" if $zone && $zoneref->{type} & BPORT;
+	fatal_error "Vserver zones may not be associated with interfaces" if $zone && $zoneref->{type} & VSERVER;

 	$bridge = $interface;
    }
@@ -987,7 +1024,7 @@ sub process_interface( $$ ) {
 	    fatal_error "Invalid Interface option ($option)" unless my $type = $validinterfaceoptions{$option};

 	    if ( $zone ) {
-		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} == VSERVER && ! ( $type & IF_OPTION_VSERVER );
+		fatal_error qq(The "$option" option may not be specified for a Vserver zone") if $zoneref->{type} & VSERVER && ! ( $type & IF_OPTION_VSERVER );
 	    } else {
 		fatal_error "The \"$option\" option may not be specified on a multi-zone interface" if $type & IF_OPTION_ZONEONLY;
 	    }
@@ -1272,6 +1309,13 @@ sub all_interfaces() {
    @interfaces;
 }

+#
+# Return all non-vserver interfaces
+#
+sub all_real_interfaces() {
+    grep $_ ne '%vserver%', @interfaces;
+}
+
 #
 # Return a list of bridges
 #
@@ -1307,7 +1351,7 @@ sub physical_name( $ ) {

    $devref ? $devref->{physical} : $device;
 }
-
+    
 #
 # Returns true if there are bridge port zones defined in the config
 #
@@ -1770,7 +1814,7 @@ sub process_host( ) {
 	$interface = $1;
 	$hosts = $2;

-	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
+	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
    } else {
 	fatal_error "Invalid HOST(S) column contents: $hosts" 
    }
@@ -1781,7 +1825,7 @@ sub process_host( ) {
 	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
    }

-    if ( $type == BPORT ) {
+    if ( $type & BPORT ) {
 	if ( $zoneref->{bridge} eq '' ) {
 	    fatal_error 'Bridge Port Zones may only be associated with bridge ports' unless $interfaceref->{options}{port};
 	    $zoneref->{bridge} = $interfaces{$interface}{bridge};
@@ -1807,14 +1851,14 @@ sub process_host( ) {
 	    } elsif ( $option eq 'blacklist' ) {
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $validhostoptions{$option}) {
-		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type == VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
+		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type & VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
 		$options{$option} = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
 	}

-	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} == VSERVER;
+	fatal_error q(A host entry for a Vserver zone may not specify the 'ipsec' option) if $ipsec && $zoneref->{type} & VSERVER;

 	$optionsref = \%options;
    }
@@ -1835,7 +1879,7 @@ sub process_host( ) {
    $hosts = join( '', ALLIP , $hosts ) if substr($hosts, 0, 2 ) eq ',!';

    if ( $hosts eq 'dynamic' ) {
-	fatal_error "Vserver zones may not be dynamic" if $type == VSERVER;
+	fatal_error "Vserver zones may not be dynamic" if $type & VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
 	my $physical = chain_base( physical_name $interface );
 	my $set      = $family == F_IPV4 ? "${zone}_${physical}" : "6_${zone}_${physical}";
@@ -1847,7 +1891,7 @@ sub process_host( ) {
    #
    # We ignore the user's notion of what interface vserver addresses are on and simply invent one for all of the vservers.
    #
-    $interface = '%vserver%' if $type == VSERVER;
+    $interface = '%vserver%' if $type & VSERVER;

    add_group_to_zone( $zone, $type , $interface, [ split_list( $hosts, 'host' ) ] , $optionsref);

@@ -1889,7 +1933,7 @@ sub find_hosts_by_option( $ ) {
    my $option = $_[0];
    my @hosts;

-    for my $zone ( grep $zones{$_}{type} != FIREWALL , @zones ) {
+    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -37,6 +37,7 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
+#         --config_path=<path-list>   # Search path for config files
 #
 use strict;
 use FindBin;
@@ -64,6 +65,7 @@ sub usage( $ ) {
    [ --annotate ]
    [ --update ]
    [ --convert ]
+    [ --config_path=<path-list> ]
 ';

    exit shift @_;
@@ -88,6 +90,7 @@ my $preview       = 0;
 my $annotate      = 0;
 my $update        = 0;
 my $convert       = 0;
+my $config_path   = '';

 Getopt::Long::Configure ('bundling');

@@ -118,6 +121,7 @@ my $result = GetOptions('h'               => \$help,
 			'u'               => \$update,
 			'update'          => \$update,
 			'convert'         => \$convert,
+			'config_path=s'   => \$config_path,
 		       );

 usage(1) unless $result && @ARGV < 2;
@@ -139,4 +143,5 @@ compiler( script          => $ARGV[0] || '',
 	  update          => $update,
 	  convert         => $convert,
 	  annotate        => $annotate,
+	  config_path     => $config_path,
 	);
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -28,13 +28,13 @@
 #      $3 = Address family (4 o4 6)
 #
 if [ "$3" = 6 ]; then
-    . /usr/share/shorewall6/lib.base
-    . /usr/share/shorewall6/lib.cli
+    g_program=shorewall6
 else
-    . /usr/share/shorewall/lib.base
-    . /usr/share/shorewall/lib.cli
+    g_program=shorewall
 fi

+. /usr/share/shorewall/lib.cli
+
 CONFIG_PATH="$2"

 set -a
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -6,7 +6,7 @@
 #
 usage() {
    echo "Usage: $0 [ options ] <command>"
-    echo 
+    echo
    echo "<command> is one of:"
    echo "   start"
    echo "   stop"
@@ -31,6 +31,31 @@ usage() {
    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
 }
+
+checkkernelversion() {
+    local kernel
+
+    if [ $g_family -eq 6 ]; then
+	kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
+
+	case "$kernel" in 
+	    *.*.*)
+		kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+		;;
+	    *)
+		kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+		;;
+	esac
+
+	if [ $kernel -lt 20624 ]; then
+	    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+	    return 1
+	fi
+    fi
+
+    return 0
+}
+
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
@@ -47,7 +72,7 @@ if [ $# -gt 1 ]; then
    fi
 fi
 #
-# Map VERBOSE to VERBOSITY for compatibility with old Shorewall-lite installations
+# Map VERBOSE to VERBOSITY for compatibility with old Shorewall[6]-lite installations
 #
 [ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
 #
@@ -175,61 +200,66 @@ COMMAND="$1"
 case "$COMMAND" in
    start)
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    error_message "$g_product is already Running"
 	    status=0
 	else
 	    progress_message3 "Starting $g_product...."
-	    detect_configuration
-	    define_firewall
-	    status=$?
-	    if [ $status -eq 0 ]; then
-		[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
-		progress_message3 "done."
+	    if checkkernelversion; then
+		detect_configuration
+		define_firewall
+		status=$?
+		if [ $status -eq 0 ]; then
+		    [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+		    progress_message3 "done."
+		fi
 	    fi
 	fi
 	;;
    stop)
 	[ $# -ne 1 ] && usage 2
-	progress_message3 "Stopping $g_product...."
-	detect_configuration
-	stop_firewall
-	status=0
-	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
-	progress_message3 "done."
+	if checkkernelversion; then
+	    progress_message3 "Stopping $g_product...."
+	    detect_configuration
+	    stop_firewall
+	    status=0
+	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+	    progress_message3 "done."
+	fi
 	;;
    reset)
-	if ! shorewall_is_started ; then
+	if ! product_is_started ; then
 	    error_message "$g_product is not running"
 	    status=2
-	elif [ $# -eq 1 ]; then
-	    $IPTABLES -Z
-	    $IPTABLES -t nat -Z
-	    $IPTABLES -t mangle -Z
-	    date > ${VARDIR}/restarted
-	    status=0
-	    progress_message3 "$g_product Counters Reset"
-	else
-	    shift
-	    status=0
-	    for chain in $@; do
-		if chain_exists $chain; then
-		    if qt $IPTABLES -Z $chain; then
-			progress_message3 "Filter $chain Counters Reset"
+	elif checkkernelversion; then
+	    if [ $# -eq 1 ]; then
+		$IP6TABLES -Z
+		$IP6TABLES -t mangle -Z
+		date > ${VARDIR}/restarted
+		status=0
+		progress_message3 "$g_product Counters Reset"
+	    else
+		shift
+		status=0
+		for chain in $@; do
+		    if chain_exists $chain; then
+			if qt $IP6TABLES -Z $chain; then
+			    progress_message3 "Filter $chain Counters Reset"
+			else
+			    error_message "ERROR: Reset of chain $chain failed"
+			    status=2
+			    break
+			fi
 		    else
-			error_message "ERROR: Reset of chain $chain failed"
-			status=2
-			break
+			error_message "WARNING: Filter Chain $chain does not exist"
 		    fi
-		else
-		    error_message "WARNING: Filter Chain $chain does not exist"
-		fi
-	    done
+		done
+	    fi
 	fi
 	;;
    restart)
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    progress_message3 "Restarting $g_product...."
 	else
 	    error_message "$g_product is not running"
@@ -237,22 +267,27 @@ case "$COMMAND" in
 	    COMMAND=start
 	fi

-	detect_configuration
-	define_firewall
-	status=$?
-	if [ -n "$SUBSYSLOCK" ]; then
-	    [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-	fi
-	[ $status -eq 0 ] && progress_message3 "done."
-	;;
-    refresh)
-	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
-	    progress_message3 "Refreshing $g_product...."
+	if checkkernelversion; then
 	    detect_configuration
 	    define_firewall
 	    status=$?
+	    if [ -n "$SUBSYSLOCK" ]; then
+ 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+            fi
+
 	    [ $status -eq 0 ] && progress_message3 "done."
+	fi
+	;;
+    refresh)
+	[ $# -ne 1 ] && usage 2
+	if product_is_started; then
+	    progress_message3 "Refreshing $g_product...."
+	    if checkkernelversion; then
+		detect_configuration
+		define_firewall
+		status=$?
+		[ $status -eq 0 ] && progress_message3 "done."
+	    fi
 	else
 	    echo "$g_product is not running" >&2
 	    status=2
@@ -260,20 +295,25 @@ case "$COMMAND" in
 	;;
    restore)
 	[ $# -ne 1 ] && usage 2
-	detect_configuration
-	define_firewall
-	status=$?
-	if [ -n "$SUBSYSLOCK" ]; then
- 	    [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-        fi
+	if checkkernelversion; then
+	    detect_configuration
+	    define_firewall
+	    status=$?
+	    if [ -n "$SUBSYSLOCK" ]; then
+ 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+            fi
+	    [ $status -eq 0 ] && progress_message3 "done."
+	fi
 	;;
    clear)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
-	clear_firewall
-	status=0
-	if [ $status -eq 0 ]; then
-	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+	if checkkernelversion; then
+	    clear_firewall
+	    status=0
+	    if [ -n "$SUBSYSLOCK" ]; then
+		rm -f $SUBSYSLOCK
+	    fi
 	    progress_message3 "done."
 	fi
 	;;
@@ -281,7 +321,7 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
 	echo
-	if shorewall_is_started; then
+	if product_is_started; then
 	    echo "$g_product is running"
 	    status=0
 	else
@@ -292,7 +332,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|lClear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -306,14 +346,14 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	updown $@
-	status=0;
+	updown $1
+	status=0
 	;;
    enable)
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    detect_configuration
 	    enable_provider $1
 	fi
@@ -323,7 +363,7 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    detect_configuration
 	    disable_provider $1
 	fi
--- a/Shorewall/Perl/prog.footer6
+++ b/Shorewall/Perl/prog.footer6
@@ -1,381 +0,0 @@
-###############################################################################
-# Code imported from /usr/share/shorewall/prog.footer6
-###############################################################################
-#
-# Give Usage Information
-#
-usage() {
-    echo "Usage: $0 [ options ] <command>"
-    echo
-    echo "<command> is one of:"
-    echo "   start"
-    echo "   stop"
-    echo "   clear"
-    echo "   disable <interface>"
-    echo "   down <interface>"
-    echo "   enable <interface>"
-    echo "   reset"
-    echo "   refresh"
-    echo "   restart"
-    echo "   status"
-    echo "   up <interface>"
-    echo "   version"
-    echo
-    echo "Options are:"
-    echo
-    echo "   -v and -q        Standard Shorewall verbosity controls"
-    echo "   -n               Don't unpdate routing configuration"
-    echo "   -p               Purge Conntrack Table"
-    echo "   -t               Timestamp progress Messages"
-    echo "   -V <verbosity>   Set verbosity explicitly"
-    echo "   -R <file>        Override RESTOREFILE setting"
-    exit $1
-}
-
-checkkernelversion() {
-    local kernel
-
-    kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
-
-    case "$kernel" in 
-	*.*.*)
-	    kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-	    ;;
-	*)
-	    kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
-	    ;;
-    esac
-
-    if [ $kernel -lt 20624 ]; then
-	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-	return 1
-    else
-	return 0
-    fi
-}
-################################################################################
-# E X E C U T I O N    B E G I N S   H E R E				       #
-################################################################################
-#
-# Start trace if first arg is "debug" or "trace"
-#
-if [ $# -gt 1 ]; then
-    if [ "x$1" = "xtrace" ]; then
-	set -x
-	shift
-    elif [ "x$1" = "xdebug" ]; then
-	DEBUG=Yes
-	shift
-    fi
-fi
-#
-# Map VERBOSE to VERBOSITY for compatibility with old Shorewall6-lite installations
-#
-[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
-#
-# Map other old exported variables
-#
-g_purge=$PURGE
-g_noroutes=$NOROUTES
-g_timestamp=$TIMESTAMP
-g_recovering=$RECOVERING
-
-initialize
-
-if [ -n "$STARTUP_LOG" ]; then
-    touch $STARTUP_LOG
-    chmod 0600 $STARTUP_LOG
-    if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
-	#
-	# We're being run by a startup script that isn't redirecting STDOUT
-	# Redirect it to the log
-	#
-	exec 2>>$STARTUP_LOG
-    fi
-fi
-
-finished=0
-
-while [ $finished -eq 0 -a $# -gt 0 ]; do
-    option=$1
-    case $option in
-	-*)
-	    option=${option#-}
-
-	    [ -z "$option" ] && usage 1
-
-	    while [ -n "$option" ]; do
-		case $option in
-		    v*)
-			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
-			option=${option#v}
-			;;
-		    q*)
-			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
-			option=${option#q}
-			;;
-		    n*)
-			g_noroutes=Yes
-			option=${option#n}
-			;;
-		    t*)
-			g_timestamp=Yes
-			option=${option#t}
-			;;
-		    p*)
-			g_purge=Yes
-			option=${option#p}
-			;;
-		    r*)
-			g_recovering=Yes
-			option=${option#r}
-			;;
-		    V*)
-			option=${option#V}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				-1|0|1|2)
-				    VERBOSITY=$option
-				    option=
-				    ;;
-				*)
-				    startup_error "Invalid -V option value ($option)"
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -V option value"
-			fi
-			;;
-		    R*)
-			option=${option#R}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				*/*)
-	    			    startup_error "-R must specify a simple file name: $option"
-				    ;;
-				.safe|.try|NONE)
-				    ;;
-				.*)
-				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
-				    exit 2
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -R option value"
-			fi
-
-			RESTOREFILE=$option
-			option=
-			;;
-		esac
-	    done
-	    shift
-	    ;;
-	*)
-	    finished=1
-            ;;
-    esac
-done
-
-COMMAND="$1"
-
-
-case "$COMMAND" in
-    start)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    error_message "$g_product is already Running"
-	    status=0
-	else
-	    progress_message3 "Starting $g_product...."
-	    if checkkernelversion; then
-		detect_configuration
-		define_firewall
-		status=$?
-		if [ $status -eq 0 ]; then
-		    [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
-		    progress_message3 "done."
-		fi
-	    fi
-	fi
-	;;
-    stop)
-	[ $# -ne 1 ] && usage 2
-	if checkkernelversion; then
-	    progress_message3 "Stopping $g_product...."
-	    detect_configuration
-	    stop_firewall
-	    status=0
-	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
-	    progress_message3 "done."
-	fi
-	;;
-    reset)
-	if ! shorewall6_is_started ; then
-	    error_message "$g_product is not running"
-	    status=2
-	elif checkkernelversion; then
-	    if [ $# -eq 1 ]; then
-		$IP6TABLES -Z
-		$IP6TABLES -t mangle -Z
-		date > ${VARDIR}/restarted
-		status=0
-		progress_message3 "$g_product Counters Reset"
-	    else
-		shift
-		status=0
-		for chain in $@; do
-		    if chain_exists $chain; then
-			if qt $IP6TABLES -Z $chain; then
-			    progress_message3 "Filter $chain Counters Reset"
-			else
-			    error_message "ERROR: Reset of chain $chain failed"
-			    status=2
-			    break
-			fi
-		    else
-			error_message "WARNING: Filter Chain $chain does not exist"
-		    fi
-		done
-	    fi
-	fi
-	;;
-    restart)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    progress_message3 "Restarting $g_product...."
-	else
-	    error_message "$g_product is not running"
-	    progress_message3 "Starting $g_product...."
-	    COMMAND=start
-	fi
-
-	if checkkernelversion; then
-	    detect_configuration
-	    define_firewall
-	    status=$?
-	    if [ -n "$SUBSYSLOCK" ]; then
- 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-            fi
-
-	    [ $status -eq 0 ] && progress_message3 "done."
-	fi
-	;;
-    refresh)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    progress_message3 "Refreshing $g_product...."
-	    if checkkernelversion; then
-		detect_configuration
-		define_firewall
-		status=$?
-		[ $status -eq 0 ] && progress_message3 "done."
-	    fi
-	else
-	    echo "$g_product is not running" >&2
-	    status=2
-	fi
-	;;
-    restore)
-	[ $# -ne 1 ] && usage 2
-	if checkkernelversion; then
-	    detect_configuration
-	    define_firewall
-	    status=$?
-	    if [ -n "$SUBSYSLOCK" ]; then
- 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-            fi
-	    [ $status -eq 0 ] && progress_message3 "done."
-	fi
-	;;
-    clear)
-	[ $# -ne 1 ] && usage 2
-	progress_message3 "Clearing $g_product...."
-	if checkkernelversion; then
-	    clear_firewall
-	    status=0
-	    if [ -n "$SUBSYSLOCK" ]; then
-		rm -f $SUBSYSLOCK
-	    fi
-	    progress_message3 "done."
-	fi
-	;;
-    status)
-	[ $# -ne 1 ] && usage 2
-	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
-	echo
-	if shorewall6_is_started; then
-	    echo "$g_product is running"
-	    status=0
-	else
-	    echo "$g_product is stopped"
-	    status=4
-	fi
-
-	if [ -f ${VARDIR}/state ]; then
-	    state="$(cat ${VARDIR}/state)"
-	    case $state in
-		Stopped*|Clear*)
-		    status=3
-		    ;;
-	    esac
-	else
-	    state=Unknown
-	fi
-	echo "State:$state"
-	echo
-	;;
-    up|down)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	updown $1
-	status=0
-	;;
-    enable)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    detect_configuration
-	    enable_provider $1
-	fi
-	status=0
-	;;
-    disable)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    detect_configuration
-	    disable_provider $1
-	fi
-	status=0
-	;;
-    version)
-	[ $# -ne 1 ] && usage 2
-	echo $SHOREWALL_VERSION
-	status=0
-	;;
-    help)
-	[ $# -ne 1 ] && usage 2
-	usage 0
-	;;
-    *)
-	usage 2
-	;;
-esac
-
-exit $status
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -27,90 +27,6 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header
 ################################################################################
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-#
-# Set a standard chain's policy
-#
-setpolicy() # $1 = name of chain, $2 = policy
-{
-    run_iptables -P $1 $2
-}
-
-#
-# Generate a list of all network interfaces on the system
-#
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Generate a list of all network interfaces on the system that have an ipv4 address
-#
-find_all_interfaces1() {
-    ${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Find the value 'dev' in the passed arguments then echo the next value
-#
-
-find_device() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xdev ] && echo $2 && return
-	shift
-    done
-}
-
 #
 # Find the value 'weight' in the passed arguments then echo the next value
 #
@@ -122,40 +38,6 @@ find_weight() {
    done
 }

-#
-# Find the value 'via' in the passed arguments then echo the next value
-#
-
-find_gateway() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xvia ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'mtu' in the passed arguments then echo the next value
-#
-
-find_mtu() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xmtu ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'peer' in the passed arguments then echo the next value up to
-# "/"
-#
-
-find_peer() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xpeer ] && echo ${2%/*} && return
-	shift
-    done
-}
-
 #
 # Find the interfaces that have a route to the passed address - the default
 # route is not used.
@@ -178,23 +60,6 @@ find_rt_interface() {
    done
 }

-#
-# Try to find the gateway through an interface looking for 'nexthop'
-
-find_nexthop() # $1 = interface
-{
-    echo $(find_gateway `$IP -4 route list | grep "[[:space:]]nexthop.* $1"`)
-}
-
-#
-# Find the default route's interface
-#
-find_default_interface() {
-    $IP -4 route list | while read first rest; do
-	[ "$first" = default ] && echo $(find_device $rest) && return
-    done
-}
-
 #
 # Echo the name of the interface(s) that will be used to send to the
 # passed address
@@ -211,31 +76,6 @@ find_interface_by_address() {
    [ -n "$dev" ] && echo $dev
 }

-#
-# Determine if Interface is up
-#
-interface_is_up() {
-    [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
-}
-
-#
-# Determine if interface is usable from a Netfilter prespective
-#
-interface_is_usable() # $1 = interface
-{
-    [ "$1" = lo ] && return 0
-    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1
-}
-
-#
-# Find interface addresses--returns the set of addresses assigned to the passed
-# device
-#
-find_interface_addresses() # $1 = interface
-{
-    $IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
-}
-
 #
 #  echo the list of networks routed out of a given interface
 #
@@ -428,178 +268,6 @@ disable_ipv6() {
    fi
 }

-#
-# Clear the current traffic shaping configuration
-#
-
-delete_tc1()
-{
-    clear_one_tc() {
-        $TC qdisc del dev $1 root 2> /dev/null
-        $TC qdisc del dev $1 ingress 2> /dev/null
-
-    }
-
-    run_tcclear_exit
-
-    run_ip link list | \
-    while read inx interface details; do
-        case $inx in
-            [0-9]*)
-                clear_one_tc ${interface%:}
-                ;;
-            *)
-                ;;
-        esac
-    done
-}
-
-#
-# Detect a device's MTU -- echos the passed device's MTU
-#
-get_device_mtu() # $1 = device
-{
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-
-    if [ -n "$output" ]; then
-	echo $(find_mtu $output)
-    else
-	echo 1500
-    fi
-}
-
-#
-# Version of the above that doesn't generate any output for MTU 1500.
-# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
-#
-get_device_mtu1() # $1 = device
-{
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-    local mtu
-
-    if [ -n "$output" ]; then
-	mtu=$(find_mtu $output)
-	if [ -n "$mtu" ]; then
-	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
-	fi
-    fi
-
-}
-
-#
-# Undo changes to routing
-#
-undo_routing() {
-    local undofiles
-    local f
-
-    if [ -z "$g_noroutes"  ]; then
-	#
-	# Restore rt_tables database
-	#
-	if [ -f ${VARDIR}/rt_tables ]; then
-	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
-	    rm -f ${VARDIR}/rt_tables
-	fi
-	#
-	# Restore the rest of the routing table
-	#
-	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
-
-	if [ -n "$undofiles" ]; then
-	    for f in $undofiles; do
-		. $f
-	    done
-
-	    rm -f $undofiles
-
-            progress_message "Shorewall-generated routing tables and routing rules removed"
-	fi
-    fi
-
-}
-
-#
-# Save the default route
-#
-save_default_route() {
-    awk \
-    'BEGIN        {defroute=0;};
-     /^default /  {deroute=1; print; next};
-     /nexthop/    {if (defroute == 1 ) {print ; next} };
-                  { defroute=0; };'
-}
-
-#
-# Restore the default route that was in place before the initial 'shorewall start'
-#
-replace_default_route() # $1 = USE_DEFAULT_RT
-{
-    #
-    # default_route and result are inherited from the caller
-    #
-    if [ -n "$default_route" ]; then
-	case "$default_route" in
-	    *metric*)
-	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
-	        #
-		[ -n "$1" ] && qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		default_route=
-		;;
-	    *)
-		qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		result=0
-		default_route=
-		;;
-	esac
-    fi
-}
-
-restore_default_route() # $1 = USE_DEFAULT_RT
-{
-    local result
-    result=1
-
-    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
-	local default_route
-	default_route=
-	local route
-
-	while read route ; do
-	    case $route in
-		default*)
-		    replace_default_route $1
-		    default_route="$default_route $route"
-		    ;;
-		*)
-		    default_route="$default_route $route"
-		    ;;
-	    esac
-	done < ${VARDIR}/default_route
-
-	replace_default_route $1
-	
-	if [ $result = 1 ]; then
-	    #
-	    # We didn't restore a default route with metric 0
-	    #
-	    if $IP -4 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
-	       #
-	       # But we added a default route with metric 0
-	       #
-	       qt $IP -4 route del default metric 0 && progress_message "Default route with metric 0 deleted"
-	    fi
-	fi
-
-	rm -f ${VARDIR}/default_route
-    fi
-
-    return $result
-}
-
 #
 # Add an additional gateway to the default route
 #
@@ -675,20 +343,6 @@ find_mac() # $1 = IP address, $2 = interface
    fi
 }

-#
-# Flush the conntrack table if $g_purge is non-empty
-#
-conditionally_flush_conntrack() {
-
-    if [ -n "$g_purge" ]; then
-	if [ -n $(mywhich conntrack) ]; then
-            conntrack -F
-	else
-            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-	fi
-    fi
-}
-
 #
 # Clear Proxy Arp
 #
@@ -735,124 +389,6 @@ clear_firewall() {
    logger -p kern.info "$g_product Cleared"
 }

-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -4 $@; then
-	error_message "ERROR: Command \"$IP -4 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
 #
 # Get a list of all configured broadcast addresses on the system
 #
@@ -861,97 +397,6 @@ get_all_bcasts()
    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }

-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IPTABLES -t mangle -F
-    qt1 $IPTABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IPTABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t raw     -F
-    qt1 $IPTABLES -t raw     -X
-    qt1 $IPTABLES -t rawpost -F
-    qt1 $IPTABLES -t rawpost -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IPTABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $iptables -T rawpost -P POSTROUTING ACCEPT
-
-    run_iptables -t nat -F
-    run_iptables -t nat -X
-
-    for chain in PREROUTING POSTROUTING OUTPUT; do
-	qt1 $IPTABLES -t nat -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t filter -F
-    qt1 $IPTABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IPTABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'rawpost)
-		table=rawpost
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -27,166 +27,6 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-#
-# Set a standard chain's policy
-#
-setpolicy() # $1 = name of chain, $2 = policy
-{
-    run_iptables -P $1 $2
-}
-
-#
-# Generate a list of all network interfaces on the system
-#
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Generate a list of all network interfaces on the system that have an ipv6 address
-#
-find_all_interfaces1() {
-    ${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Find the value 'dev' in the passed arguments then echo the next value
-#
-
-find_device() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xdev ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'via' in the passed arguments then echo the next value
-#
-
-find_gateway() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xvia ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'mtu' in the passed arguments then echo the next value
-#
-
-find_mtu() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xmtu ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'peer' in the passed arguments then echo the next value up to
-# "/"
-#
-
-find_peer() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xpeer ] && echo ${2%/*} && return
-	shift
-    done
-}
-
-#
-# Try to find the gateway through an interface looking for 'nexthop'
-
-find_nexthop() # $1 = interface
-{
-    echo $(find_gateway `$IP -6 route list | grep "[[:space:]]nexthop.* $1"`)
-}
-
-#
-# Find the default route's interface
-#
-find_default_interface() {
-    $IP -6 route list | while read first rest; do
-	[ "$first" = default ] && echo $(find_device $rest) && return
-    done
-}
-
-#
-# Determine if Interface is up
-#
-interface_is_up() {
-    [ -n "$($IP -6 link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
-}
-
-#
-# Determine if interface is usable from a Netfilter prespective
-#
-interface_is_usable() # $1 = interface
-{
-    [ "$1" = lo ] && return 0
-    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
-}
-
-#
-# Find interface addresses--returns the set of addresses assigned to the passed
-# device
-#
-find_interface_addresses() # $1 = interface
-{
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
-}
-
 #
 # Get all interface addresses with VLSMs
 #
@@ -196,64 +36,6 @@ find_interface_full_addresses() # $1 = interface
    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
 }

-#
-# Add an additional gateway to the default route
-#
-add_gateway() # $1 = Delta $2 = Table Number
-{
-    local route
-    local weight
-    local delta
-    local dev
-    
-    run_ip route add default scope global table $2 $1
-}
-
-#
-# Remove a gateway from the default route
-#
-delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
-{
-    local route
-    local gateway
-    local dev
-
-    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
-    gateway=$1
-  
-    dev=$(find_device $route)
-    [ "$dev" = "$3" ] && run_ip route delete default table $2
-}
-
-#
-#  echo the list of networks routed out of a given interface
-#
-get_routed_networks() # $1 = interface name, $2-n = Fatal error message
-{
-    local address
-    local rest
-
-    $IP -6 route show dev $1 2> /dev/null |
-	while read address rest; do
-	    case "$address" in
-		default)
-		    if [ $# -gt 1 ]; then
-			shift
-			fatal_error "$@"
-		    else
-			echo "WARNING: default route ignored on interface $1" >&2
-		    fi
-		    ;;
-		multicast|broadcast|prohibit|nat|throw|nexthop)
-		    ;;
-		2*)
-		    [ "$address" = "${address%/*}" ] && address="${address}/128"
-		    echo $address
-		    ;;
-	    esac
-        done
-}
-
 #
 # Normalize an IPv6 Address by compressing out consecutive zero elements
 #
@@ -438,172 +220,33 @@ detect_gateway() # $1 = interface
    [ -n "$gateway" ] && echo $gateway
 }

-delete_tc1()
+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
 {
-    clear_one_tc() {
-        $TC qdisc del dev $1 root 2> /dev/null
-        $TC qdisc del dev $1 ingress 2> /dev/null
-
-    }
-
-    run_tcclear_exit
-
-    run_ip link list | \
-    while read inx interface details; do
-        case $inx in
-            [0-9]*)
-                clear_one_tc ${interface%:}
-                ;;
-            *)
-                ;;
-        esac
-    done
+    local route
+    local weight
+    local delta
+    local dev
+    
+    run_ip route add default scope global table $2 $1
 }

 #
-# Detect a device's MTU -- echos the passed device's MTU
+# Remove a gateway from the default route
 #
-get_device_mtu() # $1 = device
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 {
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+    local route
+    local gateway
+    local dev

-    if [ -n "$output" ]; then
-	echo $(find_mtu $output)
-    else
-	echo 1500
-    fi
-}
-
-#
-# Version of the above that doesn't generate any output for MTU 1500.
-# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
-#
-get_device_mtu1() # $1 = device
-{
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-    local mtu
-
-    if [ -n "$output" ]; then
-	mtu=$(find_mtu $output)
-	if [ -n "$mtu" ]; then
-	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
-	fi
-    fi
-
-}
-
-#
-# Undo changes to routing
-#
-undo_routing() {
-    local undofiles
-    local f
-
-    if [ -z "$g_noroutes"  ]; then
-	#
-	# Restore rt_tables database
-	#
-	if [ -f ${VARDIR}/rt_tables ]; then
-	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
-	    rm -f ${VARDIR}/rt_tables
-	fi
-	#
-	# Restore the rest of the routing table
-	#
-	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
-
-	if [ -n "$undofiles" ]; then
-	    for f in $undofiles; do
-		. $f
-	    done
-
-	    rm -f $undofiles
-
-            progress_message "Shorewall6-generated routing tables and routing rules removed"
-	fi
-    fi
-
-}
-
-#
-# Save the default route
-#
-save_default_route() {
-    awk \
-    'BEGIN        {defroute=0;};
-     /^default /  {defroute=1; print; next};
-     /nexthop/    {if (defroute == 1 ) {print ; next} };
-                  { defroute=0; };'
-}
-
-#
-# Restore the default route that was in place before the initial 'shorewall start'
-#
-replace_default_route() # $1 = USE_DEFAULT_RT
-{
-    #
-    # default_route and result are inherited from the caller
-    #
-    if [ -n "$default_route" ]; then
-	case "$default_route" in
-	    *metric*)
-	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
-	        #
-		[ -n "$1" ] && qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		default_route=
-		;;
-	    *)
-		qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		result=0
-		default_route=
-		;;
-	esac
-    fi
-}
-
-restore_default_route() # $1 = USE_DEFAULT_RT
-{
-    local result
-    result=1
-
-    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
-	local default_route
-	default_route=
-	local route
-
-	while read route ; do
-	    case $route in
-		default*)
-		    replace_default_route $1
-		    default_route="$default_route $route"
-		    ;;
-		*)
-		    default_route="$default_route $route"
-		    ;;
-	    esac
-	done < ${VARDIR}/default_route
-
-	replace_default_route $1
-	
-	if [ $result = 1 ]; then
-	    #
-	    # We didn't restore a default route with metric 0
-	    #
-	    if $IP -6 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
-	       #
-	       # But we added a default route with metric 0
-	       #
-	       qt $IP -6 route del default metric 0 && progress_message "Default route with metric 0 deleted"
-	    fi
-	fi
-
-	rm -f ${VARDIR}/default_route
-    fi
-
-    return $result
+    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    gateway=$1
+  
+    dev=$(find_device $route)
+    [ "$dev" = "$3" ] && run_ip route delete default table $2
 }

 #
@@ -625,20 +268,6 @@ find_echo() {
    echo echo
 }

-#
-# Flush the conntrack table if $g_purge is non-empty
-#
-conditionally_flush_conntrack() {
-
-    if [ -n "$g_purge" ]; then
-	if [ -n $(which conntrack) ]; then
-            conntrack -F
-	else
-            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-	fi
-    fi
-}
-
 #
 # Clear Proxy NDP
 #
@@ -677,204 +306,6 @@ clear_firewall() {
    logger -p kern.info "$g_product Cleared"
 }

-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -6 $@; then
-	error_message "ERROR: Command \"$IP -6 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IP6TABLES -t mangle -F
-    qt1 $IP6TABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t raw    -F
-    qt1 $IP6TABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IP6TABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t filter -F
-    qt1 $IP6TABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IP6TABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'rawpost)
-		table=rawpost
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
--- a/Shorewall/Samples/LICENSE
+++ b/Shorewall/Samples/LICENSE
--- a/Shorewall/Samples/README.txt
+++ b/Shorewall/Samples/README.txt
--- a/Shorewall/Samples/Universal/interfaces
+++ b/Shorewall/Samples/Universal/interfaces
--- a/Shorewall/Samples/Universal/policy
+++ b/Shorewall/Samples/Universal/policy
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -39,6 +39,8 @@ LOGLIMIT=

 MACLIST_LOG_LEVEL=info

+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -136,8 +138,6 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
@@ -188,7 +188,7 @@ TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

-WIDE_TC_MARKS=Yes
+USE_PHYSICAL_NAMES=No

 ZONE2ZONE=2

@@ -200,12 +200,28 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
--- a/Shorewall/Samples/Universal/zones
+++ b/Shorewall/Samples/Universal/zones
--- a/Shorewall/Samples/one-interface/README.txt
+++ b/Shorewall/Samples/one-interface/README.txt
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
--- a/Shorewall/Samples/one-interface/policy
+++ b/Shorewall/Samples/one-interface/policy
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -50,6 +50,8 @@ LOGLIMIT=

 MACLIST_LOG_LEVEL=info

+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -147,8 +149,6 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=Off

 KEEP_RT_TABLES=No
@@ -199,7 +199,7 @@ TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

-WIDE_TC_MARKS=Yes
+USE_PHYSICAL_NAMES=No

 ZONE2ZONE=2

@@ -211,12 +211,28 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
--- a/Shorewall/Samples/one-interface/zones
+++ b/Shorewall/Samples/one-interface/zones
--- a/Shorewall/Samples/three-interfaces/README.txt
+++ b/Shorewall/Samples/three-interfaces/README.txt
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
--- a/Shorewall/Samples/three-interfaces/policy
+++ b/Shorewall/Samples/three-interfaces/policy
--- a/Shorewall/Samples/three-interfaces/routestopped
+++ b/Shorewall/Samples/three-interfaces/routestopped
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -48,6 +48,8 @@ LOGLIMIT=

 MACLIST_LOG_LEVEL=info

+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -145,8 +147,6 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
@@ -197,7 +197,7 @@ TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

-WIDE_TC_MARKS=Yes
+USE_PHYSICAL_NAMES=No

 ZONE2ZONE=2

@@ -209,12 +209,28 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
--- a/Shorewall/Samples/three-interfaces/zones
+++ b/Shorewall/Samples/three-interfaces/zones
--- a/Shorewall/Samples/two-interfaces/README.txt
+++ b/Shorewall/Samples/two-interfaces/README.txt
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
--- a/Shorewall/Samples/two-interfaces/policy
+++ b/Shorewall/Samples/two-interfaces/policy
--- a/Shorewall/Samples/two-interfaces/routestopped
+++ b/Shorewall/Samples/two-interfaces/routestopped
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -51,6 +51,8 @@ LOGLIMIT=

 MACLIST_LOG_LEVEL=info

+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -148,8 +150,6 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
@@ -200,7 +200,7 @@ TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

-WIDE_TC_MARKS=Yes
+USE_PHYSICAL_NAMES=No

 ZONE2ZONE=2

@@ -212,12 +212,28 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
--- a/Shorewall/Samples/two-interfaces/zones
+++ b/Shorewall/Samples/two-interfaces/zones
--- a/Shorewall/configfiles/notrack
+++ b/Shorewall/configfiles/notrack
@@ -4,5 +4,6 @@
 # For information about entries in this file, type "man shorewall-notrack"
 #
 #####################################################################################
-#SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
-#					PORT(S)		PORT(S)	GROUP
+FORMAT 2
+#ACTION		SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
+#							PORT(S)		PORT(S)	GROUP
--- a/Shorewall/configfiles/route_rules
+++ b/Shorewall/configfiles/route_rules
@@ -1,7 +1,7 @@
 #
-# Shorewall version 4 - route_rules File
+# Shorewall version 4 - route rules File
 #
-# For information about entries in this file, type "man shorewall-route_rules"
+# For information about entries in this file, type "man shorewall-rtrules"
 #
 # For additional information, see http://www.shorewall.net/MultiISP.html
 ####################################################################################
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -9,7 +9,6 @@
 ######################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -39,6 +39,8 @@ LOGLIMIT=

 MACLIST_LOG_LEVEL=info

+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -136,8 +138,6 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

-HIGH_ROUTE_MARKS=No
-
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
@@ -188,7 +188,7 @@ TRACK_PROVIDERS=No

 USE_DEFAULT_RT=No

-WIDE_TC_MARKS=No
+USE_PHYSICAL_NAMES=No

 ZONE2ZONE=2

@@ -200,12 +200,28 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+################################################################################
+#			P A C K E T  M A R K  L A Y O U T
+################################################################################
+
+TC_BITS=
+
+PROVIDER_BITS=
+
+PROVIDER_OFFSET=
+
+MASK_BITS=
+
+ZONE_BITS=0
+
 ################################################################################
 #                            L E G A C Y  O P T I O N
 #                      D O  N O T  D E L E T E  O R  A L T E R
--- a/Shorewall/configfiles/tcrules
+++ b/Shorewall/configfiles/tcrules
@@ -9,6 +9,7 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-######################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER
+######################################################################################################################################
+#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY
 #						PORT(S)	PORT(S)
+
--- a/Shorewall/default.debian
+++ b/Shorewall/default.debian
@@ -16,11 +16,20 @@ startup=0
 #    wait_interface=

 #
-# Startup options
+# Global start/restart/stop options
 #
-
 OPTIONS=""

+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
@@ -30,7 +39,6 @@ INITLOG=/dev/null
 # Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
 # a safe state rather than to open it
 #
-
 SAFESTOP=0

 # EOF
--- a/Shorewall/helpers
+++ b/Shorewall/helpers
@@ -48,6 +48,7 @@ loadmodule nf_conntrack_netlink
 loadmodule nf_conntrack_pptp
 loadmodule nf_conntrack_proto_gre
 loadmodule nf_conntrack_proto_sctp
+loadmodule nf_conntrack_proto_udplite
 loadmodule nf_conntrack_sip         sip_direct_media=0
 loadmodule nf_conntrack_tftp
 loadmodule nf_conntrack_sane
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -86,7 +86,7 @@ wait_for_pppd () {
 shorewall_start () {
  echo -n "Starting \"Shorewall firewall\": "
  wait_for_pppd
-  $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

@@ -104,7 +104,7 @@ shorewall_stop () {
 # restart the firewall
 shorewall_restart () {
  echo -n "Restarting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

--- a/Shorewall/init.sh
+++ b/Shorewall/init.sh
@@ -74,17 +74,17 @@ export SHOREWALL_INIT_SCRIPT=1
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
 command="$1"
+shift

 case "$command" in
-    start|restart|stop)
-	exec /sbin/shorewall $OPTIONS $@
+    start)
+	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS $@
 	;;
-    stop|restart|status)
-	exec /sbin/shorewall $@
+    restart|reload)
+	exec /sbin/shorewall $OPTIONS restart $RESTARTOPTIONS $@
 	;;
-    reload)
-	shift
-	exec /sbin/shorewall $OPTIONS restart $@
+    status|stop)
+	exec /sbin/shorewall $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
--- a/Shorewall/lib.core
+++ b/Shorewall/lib.core
@@ -0,0 +1,618 @@
+#
+# Shorewall 4.5 -- /usr/share/shorewall/lib.core.
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# The purpose of this library is to hold those functions used by the generated
+# scripts (both IPv4 and IPv6 -- the functions that are specific to one or the other
+# are found in prog.header and prog.header6).
+#
+#########################################################################################
+#
+# Conditionally produce message
+#
+progress_message() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+
+    if [ $LOG_VERBOSITY -gt 1 ]; then
+        timestamp="$(date +'%b %_d %T') "
+        echo "${timestamp}$@" >> $STARTUP_LOG
+    fi
+}
+
+progress_message2() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+
+    if [ $LOG_VERBOSITY -gt 0 ]; then
+        timestamp="$(date +'%b %_d %T') "
+        echo "${timestamp}$@" >> $STARTUP_LOG
+    fi
+}
+
+progress_message3() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%b %_d %T') "
+        echo "${timestamp}$@" >> $STARTUP_LOG
+    fi
+}
+
+#
+# Set a standard chain's policy
+#
+setpolicy() # $1 = name of chain, $2 = policy
+{
+    run_iptables -P $1 $2
+}
+
+#
+# Generate a list of all network interfaces on the system
+#
+find_all_interfaces() {
+    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Generate a list of all network interfaces on the system that have an ipvX address
+#
+find_all_interfaces1() {
+    ${IP:-ip} -$g_family addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Find the value 'dev' in the passed arguments then echo the next value
+#
+
+find_device() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xdev ] && echo $2 && return
+	shift
+    done
+}
+
+#
+# Find the value 'via' in the passed arguments then echo the next value
+#
+
+find_gateway() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xvia ] && echo $2 && return
+	shift
+    done
+}
+
+#
+# Find the value 'mtu' in the passed arguments then echo the next value
+#
+
+find_mtu() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xmtu ] && echo $2 && return
+	shift
+    done
+}
+
+#
+# Find the value 'peer' in the passed arguments then echo the next value up to
+# "/"
+#
+
+find_peer() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xpeer ] && echo ${2%/*} && return
+	shift
+    done
+}
+
+#
+# Try to find the gateway through an interface looking for 'nexthop'
+
+find_nexthop() # $1 = interface
+{
+    echo $(find_gateway `$IP -$g_family route list | grep "[[:space:]]nexthop.* $1"`)
+}
+
+#
+# Find the default route's interface
+#
+find_default_interface() {
+    $IP -$g_family route list | while read first rest; do
+	[ "$first" = default ] && echo $(find_device $rest) && return
+    done
+}
+
+#
+# Determine if Interface is up
+#
+interface_is_up() {
+    [ -n "$($IP -$g_family link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
+}
+
+#
+# Determine if interface is usable from a Netfilter perspective
+#
+interface_is_usable() # $1 = interface
+{
+    [ "$1" = lo ] && return 0
+    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
+}
+
+#
+# Find interface addresses--returns the set of addresses assigned to the passed
+# device
+#
+find_interface_addresses() # $1 = interface
+{
+    if [ $g_family -eq 4 ]; then
+	$IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+    else
+	$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+    fi
+}
+
+#
+#  echo the list of networks routed out of a given interface
+#
+get_routed_networks() # $1 = interface name, $2-n = Fatal error message
+{
+    local address
+    local rest
+    local mask
+
+    [ $g_family -eq 4 ] && mask=32 || mask=128
+    
+
+    $IP -$g_family route show dev $1 2> /dev/null |
+	while read address rest; do
+	    case "$address" in
+		default)
+		    if [ $# -gt 1 ]; then
+			shift
+			fatal_error "$@"
+		    else
+			echo "WARNING: default route ignored on interface $1" >&2
+		    fi
+		    ;;
+		multicast|broadcast|prohibit|nat|throw|nexthop)
+		    ;;
+		[2-3]*)
+		    [ "$address" = "${address%/*}" ] && address="${address}/${mask}"
+		    echo $address
+		    ;;
+		*)
+		    if [ $g_family -eq 4 ]; then
+			[ "$address" = "${address%/*}" ] && address="${address}/${mask}"
+			echo $address
+		    fi
+		    ;;
+	    esac
+        done
+}
+
+#
+# Clear the current traffic shaping configuration
+#
+
+delete_tc1()
+{
+    clear_one_tc() {
+        $TC qdisc del dev $1 root 2> /dev/null
+        $TC qdisc del dev $1 ingress 2> /dev/null
+
+    }
+
+    run_tcclear_exit
+
+    run_ip link list | \
+    while read inx interface details; do
+        case $inx in
+            [0-9]*)
+                clear_one_tc ${interface%:}
+                ;;
+            *)
+                ;;
+        esac
+    done
+}
+
+#
+# Detect a device's MTU -- echos the passed device's MTU
+#
+get_device_mtu() # $1 = device
+{
+    local output
+    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+
+    if [ -n "$output" ]; then
+	echo $(find_mtu $output)
+    else
+	echo 1500
+    fi
+}
+
+#
+# Version of the above that doesn't generate any output for MTU 1500.
+# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
+#
+get_device_mtu1() # $1 = device
+{
+    local output
+    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+    local mtu
+
+    if [ -n "$output" ]; then
+	mtu=$(find_mtu $output)
+	if [ -n "$mtu" ]; then
+	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
+	fi
+    fi
+
+}
+
+#
+# Undo changes to routing
+#
+undo_routing() {
+    local undofiles
+    local f
+
+    if [ -z "$g_noroutes"  ]; then
+	#
+	# Restore rt_tables database
+	#
+	if [ -f ${VARDIR}/rt_tables ]; then
+	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
+	    rm -f ${VARDIR}/rt_tables
+	fi
+	#
+	# Restore the rest of the routing table
+	#
+	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
+
+	if [ -n "$undofiles" ]; then
+	    for f in $undofiles; do
+		. $f
+	    done
+
+	    rm -f $undofiles
+
+            progress_message "Shorewall-generated routing tables and routing rules removed"
+	fi
+    fi
+
+}
+
+#
+# Save the default route
+#
+save_default_route() {
+    awk \
+    'BEGIN        {defroute=0;};
+     /^default /  {defroute=1; print; next};
+     /nexthop/    {if (defroute == 1 ) {print ; next} };
+                  { defroute=0; };'
+}
+
+#
+# Restore the default route that was in place before the initial 'shorewall start'
+#
+replace_default_route() # $1 = USE_DEFAULT_RT
+{
+    #
+    # default_route and result are inherited from the caller
+    #
+    if [ -n "$default_route" ]; then
+	case "$default_route" in
+	    *metric*)
+	        #
+	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
+	        #
+		[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
+		default_route=
+		;;
+	    *)
+		qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
+		result=0
+		default_route=
+		;;
+	esac
+    fi
+}
+
+restore_default_route() # $1 = USE_DEFAULT_RT
+{
+    local result
+    result=1
+
+    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
+	local default_route
+	default_route=
+	local route
+
+	while read route ; do
+	    case $route in
+		default*)
+		    replace_default_route $1
+		    default_route="$default_route $route"
+		    ;;
+		*)
+		    default_route="$default_route $route"
+		    ;;
+	    esac
+	done < ${VARDIR}/default_route
+
+	replace_default_route $1
+	
+	if [ $result = 1 ]; then
+	    #
+	    # We didn't restore a default route with metric 0
+	    #
+	    if $IP -$g_family -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
+	       #
+	       # But we added a default route with metric 0
+	       #
+	       qt $IP -$g_family route del default metric 0 && progress_message "Default route with metric 0 deleted"
+	    fi
+	fi
+
+	rm -f ${VARDIR}/default_route
+    fi
+
+    return $result
+}
+
+#
+# Flush the conntrack table if $g_purge is non-empty
+#
+conditionally_flush_conntrack() {
+
+    if [ -n "$g_purge" ]; then
+	if [ -n $(mywhich conntrack) ]; then
+            conntrack -F
+	else
+            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
+	fi
+    fi
+}
+
+#
+# Issue a message and stop/restore the firewall.
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Run iptables/ip6tables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$g_tool $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$g_tool $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables/ip6tables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$g_tool $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run ip and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -$g_family $@; then
+	error_message "ERROR: Command \"$IP -$g_family $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $g_tool -t mangle -F
+    qt1 $g_tool -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $g_tool -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $g_tool -t raw    -F
+    qt1 $g_tool -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $g_tool -t raw -P $chain ACCEPT
+    done
+
+    qt1 $g_tool -t filter -F
+    qt1 $g_tool -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $g_tool -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $g_tool -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'rawpost)
+		table=rawpost
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
+interface_up() {
+    return $(cat ${VARDIR}/$1.status)
+}
+
+distribute_load() {
+    local interface
+    local totalload
+    local load
+    local maxload
+
+    maxload=$1
+    shift
+
+    totalload=0
+
+    for interface in $@; do
+	if interface_up $interface; then
+	    load=$(cat ${VARDIR}/${interface}_load)
+	    eval ${interface}_load=$load
+	    totalload=$( bc <<EOF
+scale=8
+$totalload + $load
+EOF
+)
+	fi
+    done
+
+    if [ $totalload ]; then
+	for interface in $@; do
+	    qt $g_tool -t mangle -F ~$interface
+	    eval load=\$${interface}_load
+	
+	    if [ -n "$load" ]; then
+		load=$(bc <<EOF
+scale=8
+( $load / $totalload ) * $maxload
+EOF
+)
+		totalload=$(bc <<EOF
+scale=8
+$totalload - $load
+EOF
+)
+		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load
+	    fi
+	done
+    fi
+}
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -702,7 +702,7 @@
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -51,7 +51,7 @@
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-blacklist.xml
+++ b/Shorewall/manpages/shorewall-blacklist.xml
@@ -189,7 +189,7 @@
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -40,7 +40,7 @@
      <varlistentry>
        <term><emphasis role="bold">ACTION- {<emphasis
        role="bold">ACCEPT</emphasis>|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|<emphasis
-        role="bold">WHITELIES</emphasis>|<emphasis
+        role="bold">WHITELIST</emphasis>|<emphasis
        role="bold">LOG</emphasis>|<emphasis
        role="bold">QUEUE</emphasis>|<emphasis
        role="bold">NFQUEUE</emphasis>[<emphasis
@@ -59,6 +59,18 @@
          rule. Must be one of the following.</para>

          <variablelist>
+            <varlistentry>
+              <term>blacklog</term>
+
+              <listitem>
+                <para>May only be used if BLACKLIST_LOGLEVEL is specified in
+                <ulink url="shorewall.conf.html">shorewall.conf </ulink>(5).
+                Logs, audits (if specified) and applies the
+                BLACKLIST_DISPOSITION specified in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">ACCEPT|CONTINUE|WHITELIST</emphasis></term>
@@ -280,10 +292,9 @@
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
    shoewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    shorewall-providers(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-ecn.xml
+++ b/Shorewall/manpages/shorewall-ecn.xml
@@ -67,7 +67,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-exclusion.xml
+++ b/Shorewall/manpages/shorewall-exclusion.xml
@@ -180,7 +180,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-hosts.xml
+++ b/Shorewall/manpages/shorewall-hosts.xml
@@ -148,12 +148,6 @@
              <term><emphasis role="bold">blacklist</emphasis></term>

              <listitem>
-                <para>This option is deprecated in Shorewall 4.4.25 in favor
-                of entries in <ulink
-                url="shorewall-blrules.html">shorewall-blrules</ulink> (5) or
-                in the BLACKLIST section of <ulink
-                url="shorewall-rules.html">shorewall-rules </ulink>(5).</para>
-
                <para>Check packets arriving on this port against the <ulink
                url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
                file.</para>
@@ -275,7 +269,7 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-init.xml
+++ b/Shorewall/manpages/shorewall-init.xml
@@ -166,7 +166,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -228,11 +228,7 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">blacklist</emphasis></term>

              <listitem>
-                <para>Deprecated in Shorewall 4.4.25 and later in favor of
-                rules in the BLACKLIST section of <ulink
-                url="shorewall-rules.html">shorewall-rules</ulink> (5) or in
-                <ulink url="shorewall-blrules.html">shorewall-blrules</ulink>
-                (5). Checks packets arriving on this interface against the
+                <para>Checks packets arriving on this interface against the
                <ulink
                url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
                file.</para>
@@ -379,11 +375,8 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">maclist</emphasis></term>

              <listitem>
-                <para>Deprecated in Shorewall 4.4.25 and later in favor of
-                rules in the BLACKLIST section of <ulink
-                url="shorewall-blacklist.html">shorewall-rules</ulink> (5).
-                Connection requests from this interface are compared against
-                the contents of <ulink
+                <para>Connection requests from this interface are compared
+                against the contents of <ulink
                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
                this option is specified, the interface must be an ethernet
                NIC and must be up before Shorewall is started.</para>
@@ -432,9 +425,8 @@ loc     eth2            -</programlisting>
              <term>nosmurfs</term>

              <listitem>
-                <para>Deprecated in Shorewall 4.4.25 and later in favor of the
-                DropSmurfs standard action. Filter packets for smurfs (packets
-                with a broadcast address as the source).</para>
+                <para>Filter packets for smurfs (packets with a broadcast
+                address as the source).</para>

                <para>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <ulink
@@ -651,13 +643,11 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">tcpflags</emphasis></term>

              <listitem>
-                <para>Deprecated in Shorewall 4.4.25 and later in favor of the
-                TCPFlags standard action. Packets arriving on this interface
-                are checked for certain illegal combinations of TCP flags.
-                Packets found to have such a combination of flags are handled
-                according to the setting of TCP_FLAGS_DISPOSITION after having
-                been logged according to the setting of
-                TCP_FLAGS_LOG_LEVEL.</para>
+                <para>Packets arriving on this interface are checked for
+                certain illegal combinations of TCP flags. Packets found to
+                have such a combination of flags are handled according to the
+                setting of TCP_FLAGS_DISPOSITION after having been logged
+                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
              </listitem>
            </varlistentry>

@@ -782,7 +772,7 @@ net     ppp0      -</programlisting>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-ipsets.xml
+++ b/Shorewall/manpages/shorewall-ipsets.xml
@@ -120,7 +120,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-maclist.xml
+++ b/Shorewall/manpages/shorewall-maclist.xml
@@ -110,7 +110,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -35,7 +35,7 @@
      <para>If you have more than one ISP link, adding entries to this file
      will <emphasis role="bold">not</emphasis> force connections to go out
      through a particular link. You must use entries in <ulink
-      url="shorewall-route_rules.html">shorewall-route_rules</ulink>(5) or
+      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
      PREROUTING entries in <ulink
      url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) to do
      that.</para>
@@ -568,7 +568,7 @@
    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-modules.xml
+++ b/Shorewall/manpages/shorewall-modules.xml
@@ -89,7 +89,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-nat.xml
+++ b/Shorewall/manpages/shorewall-nat.xml
@@ -147,7 +147,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-nesting.xml
+++ b/Shorewall/manpages/shorewall-nesting.xml
@@ -207,7 +207,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-netmap.xml
+++ b/Shorewall/manpages/shorewall-netmap.xml
@@ -198,7 +198,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-notrack.xml
+++ b/Shorewall/manpages/shorewall-notrack.xml
@@ -23,15 +23,101 @@
  <refsect1>
    <title>Description</title>

-    <para>The notrack file is used to exempt certain traffic from Netfilter
-    connection tracking. Traffic matching entries in this file will not be
-    tracked.</para>
+    <para>The original intent of the notrack file was to exempt certain
+    traffic from Netfilter connection tracking. Traffic matching entries in
+    this file were not to be tracked.</para>
+
+    <para>The role of the file was expanded in Shorewall 4.4.27 to include all
+    rules tht can be added in the Netfilter <emphasis
+    role="bold">raw</emphasis> table.</para>
+
+    <para>The file supports two different column layouts: FORMAT 1 and FORMAT
+    2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an
+    additional leading ACTION column. When an entry in the file of this form
+    is encountered, the format of the following entries are assumed to be of
+    the specified <replaceable>format</replaceable>.</para>
+
+    <simplelist>
+      <member><emphasis role="bold">FORMAT</emphasis>
+      <replaceable>format</replaceable></member>
+    </simplelist>
+
+    <para>where <replaceable>format</replaceable> is either <emphasis
+    role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>

    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
    the alternate specification syntax).</para>

    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ACTION</emphasis> - {<emphasis
+        role="bold">NOTRACK</emphasis>|<emphasis
+        role="bold">CT</emphasis>:<replaceable>option</replaceable>[:<replaceable>arg,...</replaceable>]}</term>
+
+        <listitem>
+          <para>This column is only present when FORMAT = 2. Values other than
+          NOTRACK require <firstterm>CT Target </firstterm>support in your
+          iptables and kernel.</para>
+
+          <para>Possible values for <replaceable>option</replaceable> and
+          <replaceable>arg</replaceable>s are:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para><option>notrack</option> (no
+              <replaceable>arg</replaceable>)</para>
+
+              <para>Disables connection tracking for this packet, the same as
+              if NOTRACK has been specified in this column.</para>
+            </listitem>
+
+            <listitem>
+              <para><option>helper</option>:<replaceable>name</replaceable></para>
+
+              <para>Use the helper identified by the name to this connection.
+              This is more flexible than loading the conntrack helper with
+              preset ports.</para>
+            </listitem>
+
+            <listitem>
+              <para><option>ctevents</option>:<replaceable>event</replaceable>,...</para>
+
+              <para>Only generate the specified conntrack events for this
+              connection. Possible event types are: <emphasis
+              role="bold">new</emphasis>, <emphasis
+              role="bold">related</emphasis>, <emphasis
+              role="bold">destroy</emphasis>, <emphasis
+              role="bold">reply</emphasis>, <emphasis
+              role="bold">assured</emphasis>, <emphasis
+              role="bold">protoinfo</emphasis>, <emphasis
+              role="bold">helper</emphasis>, <emphasis
+              role="bold">mark</emphasis> (this is connection mark, not packet
+              mark), <emphasis role="bold">natseqinfo</emphasis>, and
+              <emphasis role="bold">secmark</emphasis>.</para>
+            </listitem>
+
+            <listitem>
+              <para><option>expevents</option><option>:new</option></para>
+
+              <para>Only generate a new expectation events for this
+              connection.</para>
+            </listitem>
+
+            <listitem>
+              <para><option>zone</option>:<replaceable>id</replaceable></para>
+
+              <para>Assign this packet to zone <replaceable>id</replaceable>
+              and only have lookups done in that zone. By default, packets
+              have zone 0.</para>
+            </listitem>
+          </itemizedlist>
+
+          <para>When FORMAT = 1, this column is not present and the rule is
+          processed as if NOTRACK had been entered in this column.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term>SOURCE ‒
        {<emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]|COMMENT}</term>
@@ -155,7 +241,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-params.xml
+++ b/Shorewall/manpages/shorewall-params.xml
@@ -131,7 +131,7 @@ net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -322,7 +322,7 @@
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -211,8 +211,8 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">optional
-              (deprecated)</emphasis></term>
+              <term><emphasis role="bold">optional (deprecated for use with
+              providers that do not share an interface)</emphasis></term>

              <listitem>
                <para>If the interface named in the INTERFACE column is not up
@@ -220,8 +220,9 @@
                If not specified, the value of the <option>optional</option>
                option for the INTERFACE in <ulink
                url="shorewall-interfaces.html">shorewall-interfaces(5)</ulink>
-                is assumed. Use of that option is preferred to this
-                one.</para>
+                is assumed. Use of that option is preferred to this one,
+                unless an <replaceable>address</replaceable> is provider in
+                the INTERFACE column.</para>
              </listitem>
            </varlistentry>

@@ -348,7 +349,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-policy(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Show More
+++ b/Show More