Update the -lite manpages (long overdue)

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Add comments to add_interface_options()
2012-02-08 13:23:53 -08:00 · 2012-02-07 14:20:11 -08:00 · 2012-02-07 07:40:35 -08:00 · 2012-02-05 13:19:54 -08:00 · 2012-02-05 10:03:47 -08:00 · 2012-02-05 09:40:02 -08:00
227 changed files with 10322 additions and 15388 deletions
--- a/Shorewall-core/COPYING
+++ b/Shorewall-core/COPYING
@@ -0,0 +1,341 @@
 		    GNU GENERAL PUBLIC LICENSE
 		       Version 2, June 1991
 Copyright (C) 1989, 1991 Free Software Foundation, Inc.
                          51 Franklin Street, Fifth Floor,
 			  Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.
 			    Preamble
  The licenses for most software are designed to take away your
 freedom to share and change it.  By contrast, the GNU General Public
 License is intended to guarantee your freedom to share and change free
 software--to make sure the software is free for all its users.  This
 General Public License applies to most of the Free Software
 Foundation's software and to any other program whose authors commit to
 using it.  (Some other Free Software Foundation software is covered by
 the GNU Library General Public License instead.)  You can apply it to
 your programs, too.
  When we speak of free software, we are referring to freedom, not
 price.  Our General Public Licenses are designed to make sure that you
 have the freedom to distribute copies of free software (and charge for
 this service if you wish), that you receive source code or can get it
 if you want it, that you can change the software or use pieces of it
 in new free programs; and that you know you can do these things.
  To protect your rights, we need to make restrictions that forbid
 anyone to deny you these rights or to ask you to surrender the rights.
 These restrictions translate to certain responsibilities for you if you
 distribute copies of the software, or if you modify it.
  For example, if you distribute copies of such a program, whether
 gratis or for a fee, you must give the recipients all the rights that
 you have.  You must make sure that they, too, receive or can get the
 source code.  And you must show them these terms so they know their
 rights.
  We protect your rights with two steps: (1) copyright the software, and
 (2) offer you this license which gives you legal permission to copy,
 distribute and/or modify the software.
  Also, for each author's protection and ours, we want to make certain
 that everyone understands that there is no warranty for this free
 software.  If the software is modified by someone else and passed on, we
 want its recipients to know that what they have is not the original, so
 that any problems introduced by others will not reflect on the original
 authors' reputations.
  Finally, any free program is threatened constantly by software
 patents.  We wish to avoid the danger that redistributors of a free
 program will individually obtain patent licenses, in effect making the
 program proprietary.  To prevent this, we have made it clear that any
 patent must be licensed for everyone's free use or not licensed at all.
  The precise terms and conditions for copying, distribution and
 modification follow.
 		    GNU GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
  0. This License applies to any program or other work which contains
 a notice placed by the copyright holder saying it may be distributed
 under the terms of this General Public License.  The "Program", below,
 refers to any such program or work, and a "work based on the Program"
 means either the Program or any derivative work under copyright law:
 that is to say, a work containing the Program or a portion of it,
 either verbatim or with modifications and/or translated into another
 language.  (Hereinafter, translation is included without limitation in
 the term "modification".)  Each licensee is addressed as "you".
 Activities other than copying, distribution and modification are not
 covered by this License; they are outside its scope.  The act of
 running the Program is not restricted, and the output from the Program
 is covered only if its contents constitute a work based on the
 Program (independent of having been made by running the Program).
 Whether that is true depends on what the Program does.
  1. You may copy and distribute verbatim copies of the Program's
 source code as you receive it, in any medium, provided that you
 conspicuously and appropriately publish on each copy an appropriate
 copyright notice and disclaimer of warranty; keep intact all the
 notices that refer to this License and to the absence of any warranty;
 and give any other recipients of the Program a copy of this License
 along with the Program.
 You may charge a fee for the physical act of transferring a copy, and
 you may at your option offer warranty protection in exchange for a fee.
  2. You may modify your copy or copies of the Program or any portion
 of it, thus forming a work based on the Program, and copy and
 distribute such modifications or work under the terms of Section 1
 above, provided that you also meet all of these conditions:
    a) You must cause the modified files to carry prominent notices
    stating that you changed the files and the date of any change.
    b) You must cause any work that you distribute or publish, that in
    whole or in part contains or is derived from the Program or any
    part thereof, to be licensed as a whole at no charge to all third
    parties under the terms of this License.
    c) If the modified program normally reads commands interactively
    when run, you must cause it, when started running for such
    interactive use in the most ordinary way, to print or display an
    announcement including an appropriate copyright notice and a
    notice that there is no warranty (or else, saying that you provide
    a warranty) and that users may redistribute the program under
    these conditions, and telling the user how to view a copy of this
    License.  (Exception: if the Program itself is interactive but
    does not normally print such an announcement, your work based on
    the Program is not required to print an announcement.)
 These requirements apply to the modified work as a whole.  If
 identifiable sections of that work are not derived from the Program,
 and can be reasonably considered independent and separate works in
 themselves, then this License, and its terms, do not apply to those
 sections when you distribute them as separate works.  But when you
 distribute the same sections as part of a whole which is a work based
 on the Program, the distribution of the whole must be on the terms of
 this License, whose permissions for other licensees extend to the
 entire whole, and thus to each and every part regardless of who wrote it.
 Thus, it is not the intent of this section to claim rights or contest
 your rights to work written entirely by you; rather, the intent is to
 exercise the right to control the distribution of derivative or
 collective works based on the Program.
 In addition, mere aggregation of another work not based on the Program
 with the Program (or with a work based on the Program) on a volume of
 a storage or distribution medium does not bring the other work under
 the scope of this License.
  3. You may copy and distribute the Program (or a work based on it,
 under Section 2) in object code or executable form under the terms of
 Sections 1 and 2 above provided that you also do one of the following:
    a) Accompany it with the complete corresponding machine-readable
    source code, which must be distributed under the terms of Sections
    1 and 2 above on a medium customarily used for software interchange; or,
    b) Accompany it with a written offer, valid for at least three
    years, to give any third party, for a charge no more than your
    cost of physically performing source distribution, a complete
    machine-readable copy of the corresponding source code, to be
    distributed under the terms of Sections 1 and 2 above on a medium
    customarily used for software interchange; or,
    c) Accompany it with the information you received as to the offer
    to distribute corresponding source code.  (This alternative is
    allowed only for noncommercial distribution and only if you
    received the program in object code or executable form with such
    an offer, in accord with Subsection b above.)
 The source code for a work means the preferred form of the work for
 making modifications to it.  For an executable work, complete source
 code means all the source code for all modules it contains, plus any
 associated interface definition files, plus the scripts used to
 control compilation and installation of the executable.  However, as a
 special exception, the source code distributed need not include
 anything that is normally distributed (in either source or binary
 form) with the major components (compiler, kernel, and so on) of the
 operating system on which the executable runs, unless that component
 itself accompanies the executable.
 If distribution of executable or object code is made by offering
 access to copy from a designated place, then offering equivalent
 access to copy the source code from the same place counts as
 distribution of the source code, even though third parties are not
 compelled to copy the source along with the object code.
  4. You may not copy, modify, sublicense, or distribute the Program
 except as expressly provided under this License.  Any attempt
 otherwise to copy, modify, sublicense or distribute the Program is
 void, and will automatically terminate your rights under this License.
 However, parties who have received copies, or rights, from you under
 this License will not have their licenses terminated so long as such
 parties remain in full compliance.
  5. You are not required to accept this License, since you have not
 signed it.  However, nothing else grants you permission to modify or
 distribute the Program or its derivative works.  These actions are
 prohibited by law if you do not accept this License.  Therefore, by
 modifying or distributing the Program (or any work based on the
 Program), you indicate your acceptance of this License to do so, and
 all its terms and conditions for copying, distributing or modifying
 the Program or works based on it.
  6. Each time you redistribute the Program (or any work based on the
 Program), the recipient automatically receives a license from the
 original licensor to copy, distribute or modify the Program subject to
 these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties to
 this License.
  7. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
 otherwise) that contradict the conditions of this License, they do not
 excuse you from the conditions of this License.  If you cannot
 distribute so as to satisfy simultaneously your obligations under this
 License and any other pertinent obligations, then as a consequence you
 may not distribute the Program at all.  For example, if a patent
 license would not permit royalty-free redistribution of the Program by
 all those who receive copies directly or indirectly through you, then
 the only way you could satisfy both it and this License would be to
 refrain entirely from distribution of the Program.
 If any portion of this section is held invalid or unenforceable under
 any particular circumstance, the balance of the section is intended to
 apply and the section as a whole is intended to apply in other
 circumstances.
 It is not the purpose of this section to induce you to infringe any
 patents or other property right claims or to contest validity of any
 such claims; this section has the sole purpose of protecting the
 integrity of the free software distribution system, which is
 implemented by public license practices.  Many people have made
 generous contributions to the wide range of software distributed
 through that system in reliance on consistent application of that
 system; it is up to the author/donor to decide if he or she is willing
 to distribute software through any other system and a licensee cannot
 impose that choice.
 This section is intended to make thoroughly clear what is believed to
 be a consequence of the rest of this License.
  8. If the distribution and/or use of the Program is restricted in
 certain countries either by patents or by copyrighted interfaces, the
 original copyright holder who places the Program under this License
 may add an explicit geographical distribution limitation excluding
 those countries, so that distribution is permitted only in or among
 countries not thus excluded.  In such case, this License incorporates
 the limitation as if written in the body of this License.
  9. The Free Software Foundation may publish revised and/or new versions
 of the General Public License from time to time.  Such new versions will
 be similar in spirit to the present version, but may differ in detail to
 address new problems or concerns.
 Each version is given a distinguishing version number.  If the Program
 specifies a version number of this License which applies to it and "any
 later version", you have the option of following the terms and conditions
 either of that version or of any later version published by the Free
 Software Foundation.  If the Program does not specify a version number of
 this License, you may choose any version ever published by the Free Software
 Foundation.
  10. If you wish to incorporate parts of the Program into other free
 programs whose distribution conditions are different, write to the author
 to ask for permission.  For software which is copyrighted by the Free
 Software Foundation, write to the Free Software Foundation; we sometimes
 make exceptions for this.  Our decision will be guided by the two goals
 of preserving the free status of all derivatives of our free software and
 of promoting the sharing and reuse of software generally.
 			    NO WARRANTY
  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
 FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
 OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
 PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
 OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
 TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
 PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
 REPAIR OR CORRECTION.
  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
 WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
 REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
 INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
 OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
 TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
 YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
 PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
 POSSIBILITY OF SUCH DAMAGES.
 		     END OF TERMS AND CONDITIONS
 	    How to Apply These Terms to Your New Programs
  If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
 free software which everyone can redistribute and change under these terms.
  To do so, attach the following notices to the program.  It is safest
 to attach them to the start of each source file to most effectively
 convey the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
    <one line to give the program's name and a brief idea of what it does.>
    Copyright (C) 19yy  <name of author>
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 Also add information on how to contact you by electronic and paper mail.
 If the program is interactive, make it output a short notice like this
 when it starts in an interactive mode:
    Gnomovision version 69, Copyright (C) 19yy name of author
    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it
    under certain conditions; type `show c' for details.
 The hypothetical commands `show w' and `show c' should show the appropriate
 parts of the General Public License.  Of course, the commands you use may
 be called something other than `show w' and `show c'; they could even be
 mouse-clicks or menu items--whatever suits your program.
 You should also get your employer (if you work as a programmer) or your
 school, if any, to sign a "copyright disclaimer" for the program, if
 necessary.  Here is a sample; alter the names:
  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
  `Gnomovision' (which makes passes at compilers) written by James Hacker.
  <signature of Ty Coon>, 1 April 1989
  Ty Coon, President of Vice
 This General Public License does not permit incorporating your program into
 proprietary programs.  If your program is a subroutine library, you may
 consider it more useful to permit linking proprietary applications with the
 library.  If this is what you want to do, use the GNU Library General
 Public License instead of this License.
--- a/Shorewall-core/INSTALL
+++ b/Shorewall-core/INSTALL
@@ -0,0 +1,24 @@
 Shoreline Firewall (Shorewall) Version 4
 -----         ----
 -----------------------------------------------------------------------------
     This program is free software; you can redistribute it and/or modify
     it under the terms of Version 2 of the GNU General Public License
     as published by the Free Software Foundation.
     This program is distributed in the hope that it will be useful,
     but WITHOUT ANY WARRANTY; without even the implied warranty of
     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
     GNU General Public License for more details.
     You should have received a copy of the GNU General Public License
     along with this program; if not, write to the Free Software
     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 ---------------------------------------------------------------------------
 Please see http://www.shorewall.net/Install.htm for installation
 instructions.
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -0,0 +1,278 @@
 #!/bin/sh
 #
 # Script to install Shoreline Firewall Core Modules
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
    echo "usage: $ME"
    echo "       $ME -v"
    echo "       $ME -h"
    echo "       $ME -s"
    echo "       $ME -f"
    exit $1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    echo $dir/$1
 	    return 0
 	fi
    done
    return 2
 }
 run_install()
 {
    if ! install $*; then
 	echo
 	echo "ERROR: Failed to install $*" >&2
 	exit 1
    fi
 }
 cant_autostart()
 {
    echo
    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
 }
 delete_file() # $1 = file to delete
 {
    rm -f $1
 }
 install_file() # $1 = source $2 = target $3 = mode
 {
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 #
 # Parse the run line
 #
 # ARGS is "yes" if we've already parsed an argument
 #
 T="-T"
 [ -n "${LIBEXEC:=/usr/share}" ]
 [ -n "${PERLLIB:=/usr/share/shorewall}" ]
 MACHOST=
 case "$LIBEXEC" in
    /*)
 	;;
    *)
 	LIBEXEC=/usr/${LIBEXEC}
 	;;
 esac
 case "$PERLLIB" in
    /*)
 	;;
    *)
 	PERLLIB=/usr/${PERLLIB}
 	;;
 esac
 INSTALLD='-D'
 case $(uname) in
    CYGWIN*)
 	if [ -z "$DESTDIR" ]; then
 	    DEST=
 	    INIT=
 	fi
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	CYGWIN=Yes
 	;;
    Darwin)
 	if [ -z "$DESTDIR" ]; then
 	    DEST=
 	    INIT=
 	fi
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
 	MAC=Yes
        MACHOST=Yes
 	INSTALLD=
 	T=
 	;;
    *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
 	;;
 esac
 OWNERSHIP="-o $OWNER -g $GROUP"
 finished=0
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "Shorewall Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    a*)
 			ANNOTATED=Yes
 			option=${option#a}
 			;;
 		    p*)
 			ANNOTATED=
 			option=${option#p}
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    [ -n "$option" ] && usage 1
 	    finished=1
 	    ;;
    esac
 done
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 # Determine where to install the firewall script
 #
 if [ -n "$DESTDIR" ]; then
    if [ -z "$CYGWIN" ]; then
 	if [ `id -u` != 0 ] ; then
 	    echo "Not setting file owner/group permissions, not running as root."
 	    OWNERSHIP=""
 	fi
    fi
    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
    CYGWIN=
    MAC=
 else
    if [ -n "$CYGWIN" ]; then
 	echo "Installing Cygwin-specific configuration..."
    elif [ -n "$MAC" ]; then
 	echo "Installing Mac-specific configuration..."
    else
 	if [ -f /etc/debian_version ]; then
 	    echo "Installing Debian-specific configuration..."
 	    DEBIAN=yes
 	elif [ -f /etc/redhat-release ]; then
 	    echo "Installing Redhat/Fedora-specific configuration..."
 	    FEDORA=yes
 	elif [ -f /etc/slackware-version ] ; then
 	    echo "Installing Slackware-specific configuration..."
 	    DEST="/etc/rc.d"
 	    MANDIR="/usr/man"
 	    SLACKWARE=yes
 	elif [ -f /etc/arch-release ] ; then
 	    echo "Installing ArchLinux-specific configuration..."
 	    DEST="/etc/rc.d"
 	    INIT="shorewall"
 	    ARCHLINUX=yes
 	fi
    fi
 fi
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 echo "Installing Shorewall Core Version $VERSION"
 #
 # Create /usr/share/shorewall
 #
 mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
 chmod 755 ${DESTDIR}/usr/share/shorewall
 #
 # Install wait4ifup
 #
 install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup 0755
 echo
 echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup"
 #
 # Install the libraries
 #
 for f in lib.* ; do
    install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
    echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall/$f"
 done
 #
 # Symbolically link 'functions' to lib.base
 #
 ln -sf lib.base ${DESTDIR}/usr/share/shorewall/functions
 #
 # Create the version file
 #
 echo "$VERSION" > ${DESTDIR}/usr/share/shorewall/coreversion
 chmod 644 ${DESTDIR}/usr/share/shorewall/coreversion
 #
 #  Report Success
 #
 echo "Shorewall Core Version $VERSION Installed"
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/lib.base
+# Shorewall 4.5 -- /usr/share/shorewall/lib.base
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -23,16 +23,53 @@
 # This library contains the code common to all Shorewall components.
 #
 # - It is loaded by /sbin/shorewall.
-# - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
+# - It is released as part of Shorewall[6] Lite where it is used by /sbin/shorewall[6]-lite
-#   and /usr/share/shorewall-lite/shorecap.
+#   and /usr/share/shorewall[6]-lite/shorecap.
 #
-SHOREWALL_LIBVERSION=40407
+SHOREWALL_LIBVERSION=40500
-SHOREWALL_CAPVERSION=40426
+SHOREWALL_CAPVERSION=40501
-[ -n "${VARDIR:=/var/lib/shorewall}" ]
+[ -n "${g_program:=shorewall}" ]
-[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
+
-[ -n "${CONFDIR:=/etc/shorewall}" ]
+case $g_program in
    shorewall)
 	SHAREDIR=/usr/share/shorewall
 	CONFDIR=/etc/shorewall
 	g_product="Shorewall"
 	g_family=4
 	g_tool=
 	g_basedir=/usr/share/shorewall
 	g_lite=
 	;;
    shorewall6)
 	SHAREDIR=/usr/share/shorewall6
 	CONFDIR=/etc/shorewall6
 	g_product="Shorewall6"
 	g_family=6
 	g_tool=
 	g_basedir=/usr/share/shorewall
 	g_lite=
 	;;
    shorewall-lite)
 	SHAREDIR=/usr/share/shorewall-lite
 	CONFDIR=/etc/shorewall-lite
 	g_product="Shorewall Lite"
 	g_family=4
 	g_tool=iptables
 	g_basedir=/usr/share/shorewall-lite
 	g_lite=Yes
 	;;
    shorewall6-lite)
 	SHAREDIR=/usr/share/shorewall6-lite
 	CONFDIR=/etc/shorewall6-lite
 	g_product="Shorewall6 Lite"
 	g_family=6
 	g_tool=ip6tables
 	g_basedir=/usr/share/shorewall6-lite
 	g_lite=Yes
 	;;
 esac
 #
 # Conditionally produce message
@@ -149,33 +186,7 @@ mutex_off()
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
-#
+[ -z "$LEFTSHIFT" ] && . /usr/share/shorewall/lib.common
 # Find the interface with the passed MAC address
 #
 find_interface_by_mac() {
    local mac
    mac=$1
    local first
    local second
    local rest
    local dev
    $IP link list | while read first second rest; do
 	case $first in
 	    *:)
                dev=$second
 		;;
 	    *)
 	        if [ "$second" = $mac ]; then
 		    echo ${dev%:}
 		    return
 		fi
 	esac
    done
 }
 [ -z "$LEFTSHIFT" ] && . ${SHAREDIR}/lib.common
 #
 # Validate an IP address
@@ -339,8 +350,8 @@ ensure_config_path() {
 	. $F
    fi
-    if [ -n "$SHOREWALL_DIR" ]; then
+    if [ -n "$g_shorewalldir" ]; then
-	[ "${CONFIG_PATH%%:*}" = "$SHOREWALL_DIR" ] || CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH
+	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
    fi
 }
@@ -378,9 +389,8 @@ resolve_file() # $1 = file name
    esac
 }
-# Function to truncate a string -- It uses 'cut -b -<n>'
+#
-# rather than ${v:first:last} because light-weight shells like ash and
+# Determine how to do "echo -e"
 # dash do not support that form of expansion.
 #
 find_echo() {
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/lib.common.
+# Shorewall 4.5 -- /usr/share/shorewall/lib.common.
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,6 +24,50 @@
 # generated firewall scripts. To avoid versioning issues, it is copied into generated
 # scripts rather than loaded at run-time.
 #
 #########################################################################################
 #
 # Issue a message and stop
 #
 startup_error() # $* = Error Message
 {
    echo "   ERROR: $@: Firewall state not changed" >&2
    if [ $LOG_VERBOSITY -ge 0 ]; then
        timestamp="$(date +'%_b %d %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi
    case $COMMAND in
        start)
 	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
 	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
 	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
    esac
    if [ $LOG_VERBOSITY -ge 0 ]; then
        timestamp="$(date +'%_b %d %T') "
 	case $COMMAND in
 	    start)
 		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	    restart)
 		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	    restore)
 		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	esac
    fi
    kill $$
    exit 2
 }
 #
 # Get the Shorewall version of the passed script
@@ -38,7 +82,7 @@ get_script_version() { # $1 = script
    verbosity="$VERBOSITY"
    VERBOSITY=0
-    temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
+    temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )
    if [ $? -ne 0 ]; then
 	version=0
@@ -88,13 +132,15 @@ run_it() {
 	export TIMESTAMP=$g_timestamp
 	export RECOVERING=$g_recovering
-	if [ "$g_product" != Shorewall ]; then
+	case "$g_program" in
 	    *-lite)
 		#
 		# Shorewall Lite
 		#
 		export LOGFORMAT
 		export IPTABLES
-	fi
+		;;
 	esac
    else
 	#
 	# 4.4.8 or later -- no additional exports required
@@ -127,6 +173,30 @@ error_message() # $* = Error Message
   echo "   $@" >&2
 }
 #
 # Undo the effect of 'split()'
 #
 join()
 {
    local f
    local o
    o=
    for f in $* ; do
        o="${o:+$o:}$f"
    done
    echo $o
 }
 #
 # Return the number of elements in a list
 #
 list_count() # $* = list
 {
    return $#
 }
 #
 # Split a colon-separated list into a space-separated list
 #
@@ -184,12 +254,20 @@ qt1()
 }
 #
-# Determine if Shorewall is "running"
+# Determine if Shorewall[6] is "running"
 #
 product_is_started() {
    qt1 $g_tool -L shorewall -n
 }
 shorewall_is_started() {
    qt1 $IPTABLES -L shorewall -n
 }
 shorewall6_is_started() {
    qt1 $IP6TABLES -L shorewall -n
 }
 #
 # Echos the fully-qualified name of the calling shell program
 #
@@ -294,7 +372,7 @@ reload_kernel_modules() {
    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
    [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)
@@ -333,7 +411,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -465,12 +543,47 @@ in_network() # $1 = IP address, $2 = CIDR network
    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
 }
 #
 # Query NetFilter about the existence of a filter chain
 #
 chain_exists() # $1 = chain name
 {
    qt1 $g_tool -L $1 -n
 }
 #
 # Find the interface with the passed MAC address
 #
 find_interface_by_mac() {
    local mac
    mac=$1
    local first
    local second
    local rest
    local dev
    $IP link list | while read first second rest; do
 	case $first in
 	    *:)
                dev=$second
 		;;
 	    *)
 	        if [ "$second" = $mac ]; then
 		    echo ${dev%:}
 		    return
 		fi
 	esac
    done
 }
 #
 # Find interface address--returns the first IP address assigned to the passed
 # device
 #
 find_first_interface_address() # $1 = interface
 {
    if [ $g_family -eq 4 ]; then
 	#
 	# get the line of output containing the first IP address
 	#
@@ -484,10 +597,26 @@ find_first_interface_address() # $1 = interface
 	# along with everything else on the line
 	#
 	echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
    else
 	#
 	# get the line of output containing the first IP address
 	#
 	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
 	#
 	# If there wasn't one, bail out now
 	#
 	[ -n "$addr" ] || startup_error "Can't determine the IPv6 address of $1"
 	#
 	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
 	# along with everything else on the line
 	#
 	echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
    fi
 }
 find_first_interface_address_if_any() # $1 = interface
 {
    if [ $g_family -eq 4 ]; then
 	#
 	# get the line of output containing the first IP address
 	#
@@ -497,6 +626,17 @@ find_first_interface_address_if_any() # $1 = interface
 	# along with everything else on the line
 	#
 	[ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
    else
 	#
 	# get the line of output containing the first IP address
 	#
 	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
 	#
 	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
 	# along with everything else on the line
 	#
 	[ -n "$addr" ] && echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' || echo ::
    fi
 }
 #
@@ -515,14 +655,6 @@ mywhich() {
    return 2
 }
 #
 # Query NetFilter about the existence of a filter chain
 #
 chain_exists() # $1 = chain name
 {
    qt1 $IPTABLES -L $1 -n
 }
 #
 # Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
 #
@@ -552,7 +684,7 @@ find_file()
 #
 # Set the Shorewall state
 #
-set_state () # $1 = state $2
+set_state () # $1 = state
 {
    if [ $# -gt 1 ]; then
 	echo "$1 ($(date)) from $2" > ${VARDIR}/state
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -0,0 +1,84 @@
 #!/bin/sh
 #
 # Script to back uninstall Shoreline Firewall
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #    Usage:
 #
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall
 VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
    echo "usage: $ME"
    exit $1
 }
 qt()
 {
    "$@" >/dev/null 2>&1
 }
 restore_file() # $1 = file to restore
 {
    if [ -f ${1}-shorewall.bkout ]; then
 	if (mv -f ${1}-shorewall.bkout $1); then
 	    echo
 	    echo "$1 restored"
        else
 	    exit 1
        fi
    fi
 }
 remove_file() # $1 = file to restore
 {
    if [ -f $1 -o -L $1 ] ; then
 	rm -f $1
 	echo "$1 Removed"
    fi
 }
 if [ -f /usr/share/shorewall/coreversion ]; then
    INSTALLED_VERSION="$(cat /usr/share/shorewall/coreversion)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
 	VERSION="$INSTALLED_VERSION"
    fi
 else
    echo "WARNING: Shorewall Core Version $VERSION is not installed"
    VERSION=""
 fi
 [ -n "${LIBEXEC:=/usr/share}" ]
 [ -n "${PERLLIB:=/usr/share/shorewall}" ]
 echo "Uninstalling Shorewall Core $VERSION"
 rm -rf /usr/share/shorewall
 echo "Shorewall Core Uninstalled"
--- a/Shorewall-core/wait4ifup
+++ b/Shorewall-core/wait4ifup
--- a/Shorewall-lite/default.debian
+++ b/Shorewall-lite/default.debian
@@ -18,9 +18,18 @@ startup=0
 #
 # Startup options
 #
 OPTIONS=""
 #
 # Start options
 #
 STARTOPTIONS=""
 #
 # Restart options
 #
 RESTARTOPTIONS=""
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
@@ -30,7 +39,6 @@ INITLOG=/dev/null
 # Set this to 1 to cause '/etc/init.d/shorewall-lite stop' to place the firewall in
 # a safe state rather than to open it
 #
 SAFESTOP=0
 # EOF
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -80,7 +80,7 @@ fi
 # start the firewall
 shorewall_start () {
  echo -n "Starting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
@@ -98,7 +98,7 @@ shorewall_stop () {
 # restart the firewall
 shorewall_restart () {
  echo -n "Restarting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
--- a/Shorewall-lite/init.sh
+++ b/Shorewall-lite/init.sh
@@ -76,14 +76,13 @@ command="$1"
 case "$command" in
    start)
-	exec /sbin/shorewall-lite $OPTIONS $@
+	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS $@
 	;;
-    stop|restart|status)
+    restart|reload)
-	exec /sbin/shorewall-lite $@
+	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS $@
 	;;
-    reload)
+    status|stop)
-	shift
+	exec /sbin/shorewall-lite $OPTIONS $command $@
 	exec /sbin/shorewall-lite restart $@
 	;;
    *)
 	usage
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -72,7 +72,7 @@ run_install()
 cant_autostart()
 {
    echo
-    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
+    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
 }
 delete_file() # $1 = file to delete
@@ -85,6 +85,19 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 if [ -f shorewall-lite ]; then
    PRODUCT=shorewall-lite
    Product="Shorewall Lite"
 else
    PRODUCT=shorewall6-lite
    Product="Shorewall6 Lite"
 fi
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 #
@@ -92,16 +105,13 @@ install_file() # $1 = source $2 = target $3 = mode
 #
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
 # ARGS is "yes" if we've already parsed an argument
 #
 ARGS=""
 if [ -z "$DEST" ] ; then
 	DEST="/etc/init.d"
 fi
 if [ -z "$INIT" ] ; then
-	INIT="shorewall-lite"
+	INIT="$PRODUCT"
 fi
 while [ $# -gt 0 ] ; do
@@ -110,7 +120,7 @@ while [ $# -gt 0 ] ; do
 	    usage 0
 	    ;;
        -v)
-	    echo "Shorewall Lite Firewall Installer Version $VERSION"
+	    echo "$Product Firewall Installer Version $VERSION"
 	    exit 0
 	    ;;
 	*)
@@ -118,7 +128,6 @@ while [ $# -gt 0 ] ; do
 	    ;;
    esac
    shift
    ARGS="yes"
 done
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -179,11 +188,16 @@ elif [ -f /etc/slackware-version ] ; then
    INIT="rc.firewall"
 elif [ -f /etc/arch-release ] ; then
      DEST="/etc/rc.d"
-      INIT="shorewall-lite"
+      INIT="$PRODUCT"
      ARCHLINUX=yes
 fi
 if [ -z "$DESTDIR" ]; then
    if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
    fi
    if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
    fi
@@ -191,68 +205,68 @@ elif [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}/lib/systemd/system
 fi
-#
+echo "Installing $Product Version $VERSION"
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 echo "Installing Shorewall Lite Version $VERSION"
 #
-# Check for /etc/shorewall-lite
+# Check for /etc/$PRODUCT
 #
-if [ -z "$DESTDIR" -a -d /etc/shorewall-lite ]; then
+if [ -z "$DESTDIR" -a -d /etc/$PRODUCT ]; then
-    [ -f /etc/shorewall-lite/shorewall.conf ] && \
+    if [ ! -f /usr/share/shorewall/coreversion ]; then
-	mv -f /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall-lite.conf
+	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
    fi
    [ -f /etc/$PRODUCT/shorewall.conf ] && \
 	mv -f /etc/$PRODUCT/shorewall.conf /etc/$PRODUCT/$PRODUCT.conf
 else
-    rm -rf ${DESTDIR}/etc/shorewall-lite
+    rm -rf ${DESTDIR}/etc/$PRODUCT
-    rm -rf ${DESTDIR}/usr/share/shorewall-lite
+    rm -rf ${DESTDIR}/usr/share/$PRODUCT
-    rm -rf ${DESTDIR}/var/lib/shorewall-lite
+    rm -rf ${DESTDIR}/var/lib/$PRODUCT
-    [ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall-lite/shorecap /usr/share/shorecap
+    [ "$LIBEXEC" = /usr/share ] || rm -rf /usr/share/$PRODUCT/wait4ifup /usr/share/$PRODUCT/shorecap
 fi
 #
-# Check for /sbin/shorewall-lite
+# Check for /sbin/$PRODUCT
 #
-if [ -f ${DESTDIR}/sbin/shorewall-lite ]; then
+if [ -f ${DESTDIR}/sbin/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
 fi
-delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
+delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
-install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
+install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0544
-eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall-lite
+eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/$PRODUCT
-echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
+echo "$Product control program installed in ${DESTDIR}/sbin/$PRODUCT"
 #
 # Install the Firewall Script
 #
 if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
+    install_file init.debian.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
 elif [ -n "$FEDORA" ]; then
-    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
+    install_file init.fedora.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
 elif [ -n "$ARCHLINUX" ]; then
    install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
 else
    install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
 fi
-echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
+echo  "$Product script installed in ${DESTDIR}${DEST}/$INIT"
 #
-# Create /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite if needed
+# Create /etc/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-mkdir -p ${DESTDIR}/etc/shorewall-lite
+mkdir -p ${DESTDIR}/etc/$PRODUCT
-mkdir -p ${DESTDIR}/usr/share/shorewall-lite
+mkdir -p ${DESTDIR}/usr/share/$PRODUCT
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-lite
+mkdir -p ${DESTDIR}${LIBEXEC}/$PRODUCT
-mkdir -p ${DESTDIR}/var/lib/shorewall-lite
+mkdir -p ${DESTDIR}/var/lib/$PRODUCT
-chmod 755 ${DESTDIR}/etc/shorewall-lite
+chmod 755 ${DESTDIR}/etc/$PRODUCT
-chmod 755 ${DESTDIR}/usr/share/shorewall-lite
+chmod 755 ${DESTDIR}/usr/share/$PRODUCT
 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}/etc/logrotate.d
@@ -263,85 +277,74 @@ fi
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
-    run_install $OWNERSHIP -m 600 shorewall-lite.service ${DESTDIR}/lib/systemd/system/shorewall-lite.service
+    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/lib/systemd/system/$PRODUCT.service
-    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-lite.service"
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi
 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf ]; then
+if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
-   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${DESTDIR}/etc/shorewall-lite
+   install_file $PRODUCT.conf ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf 0744
-   echo "Config file installed as ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf"
+   echo "Config file installed as ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf"
 fi
 if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall-lite/shorewall.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
 fi
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall-lite
+run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/$PRODUCT
-echo "Makefile installed as ${DESTDIR}/etc/shorewall-lite/Makefile"
+echo "Makefile installed as ${DESTDIR}/etc/$PRODUCT/Makefile"
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall-lite/configpath 0644
+install_file configpath ${DESTDIR}/usr/share/$PRODUCT/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall-lite/configpath"
+echo "Default config path file installed as ${DESTDIR}/usr/share/$PRODUCT/configpath"
 #
 # Install the libraries
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall-lite/$f 0644
+	install_file $f ${DESTDIR}/usr/share/$PRODUCT/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
+	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
    fi
 done
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall-lite/functions
+ln -sf lib.base ${DESTDIR}/usr/share/$PRODUCT/functions
-echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functions"
+echo "Common functions linked through ${DESTDIR}/usr/share/$PRODUCT/functions"
 #
 # Install Shorecap
 #
-install_file shorecap ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap 0755
+install_file shorecap ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap 0755
 echo
-echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap"
+echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap"
 #
 # Install wait4ifup
 #
 if [ -f wait4ifup ]; then
    install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup 0755
    echo
    echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup"
 fi
 #
 # Install the Modules files
 #
 if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall-lite
+    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/$PRODUCT
-    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
+    echo "Modules file installed as ${DESTDIR}/usr/share/$PRODUCT/modules"
 fi
 if [ -f helpers ]; then
-    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/shorewall-lite
+    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/$PRODUCT
-    echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall-lite/helpers"
+    echo "Helper modules file installed as ${DESTDIR}/usr/share/$PRODUCT/helpers"
 fi
 for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/shorewall-lite/$f
+    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/$PRODUCT/$f
-    echo "Module file $f installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
+    echo "Module file $f installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
 done
 #
@@ -371,62 +374,65 @@ if [ -d manpages ]; then
 fi
 if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall-lite
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/$PRODUCT
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall-lite"
+    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/$PRODUCT"
 fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-lite/version
+echo "$VERSION" > ${DESTDIR}/usr/share/$PRODUCT/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-lite/version
+chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-lite/init
+    rm -f /usr/share/$PRODUCT/init
-    ln -s ${DEST}/${INIT} /usr/share/shorewall-lite/init
+    ln -s ${DEST}/${INIT} /usr/share/$PRODUCT/init
 fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.common
 delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.cli
 delete_file ${DESTDIR}/usr/share/$PRODUCT/wait4ifup
 if [ -z "$DESTDIR" ]; then
-    touch /var/log/shorewall-lite-init.log
+    touch /var/log/$PRODUCT-init.log
    if [ -n "$first_install" ]; then
 	if [ -n "$DEBIAN" ]; then
-	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
+	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT
-	    update-rc.d shorewall-lite defaults
+	    update-rc.d $PRODUCT defaults
 	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall-lite
+		insserv /etc/init.d/$PRODUCT
 	    else
-		ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
+		ln -s ../init.d/$PRODUCT /etc/rcS.d/S40$PRODUCT
 	    fi
-	    echo "Shorewall Lite will start automatically at boot"
+	    echo "$Product will start automatically at boot"
 	else
 	    if [ -n "$SYSTEMD" ]; then
-		if systemctl enable shorewall-lite; then
+		if systemctl enable $PRODUCT; then
-		    echo "Shorewall Lite will start automatically at boot"
+		    echo "$Product will start automatically at boot"
 		fi
 	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/shorewall-lite ; then
+		if insserv /etc/init.d/$PRODUCT ; then
-		    echo "Shorewall Lite will start automatically at boot"
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add shorewall-lite ; then
+		if chkconfig --add $PRODUCT ; then
-		    echo "Shorewall Lite will start automatically in run levels as follows:"
+		    echo "$Product will start automatically in run levels as follows:"
-		    chkconfig --list shorewall-lite
+		    chkconfig --list $PRODUCT
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add shorewall-lite default; then
+		if rc-update add $PRODUCT default; then
-		    echo "Shorewall Lite will start automatically at boot"
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
@@ -440,4 +446,4 @@ fi
 #
 #  Report Success
 #
-echo "shorewall Lite Version $VERSION Installed"
+echo "$Product Version $VERSION Installed"
--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -0,0 +1,34 @@
 #
 # Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2011 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
 #	This program is free software; you can redisribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
 #	as published by the Free Software Foundation.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # This library contains the code common to all Shorewall components.
 g_program=shorewall-lite
 g_family=4
 g_basedir=/usr/share/shorewall
 [ -n "${VARDIR:=/var/lib/$g_program}" ]
 [ -n "${SHAREDIR:=/usr/share/$g_program}" ]
 [ -n "${CONFDIR:=/etc/$g_program}" ]
 . /usr/share/shorewall/lib.base
--- a/Shorewall-lite/manpages/shorewall-lite-vardir.xml
+++ b/Shorewall-lite/manpages/shorewall-lite-vardir.xml
--- a/Shorewall-lite/manpages/shorewall-lite.conf.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.conf.xml
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -11,11 +11,27 @@
  <refnamediv>
    <refname>shorewall-lite</refname>
-    <refpurpose>Administration tool for Shoreline Firewall Lite
+    <refpurpose>Administration tool for Shoreline Firewall Lite (Shorewall
-    (Shorewall-lite)</refpurpose>
+    Lite)</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>add</option></arg>
      <arg choice="plain"
      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
      <arg choice="plain"><replaceable>zone</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
@@ -37,11 +53,28 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>clear</option></arg>
+      <arg
      choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall</command>
+      <command>shorewall-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>delete</option></arg>
      <arg choice="plain"
      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
      <arg choice="plain"><replaceable>zone</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@@ -50,7 +83,8 @@
      <arg choice="plain"><option>disable</option></arg>
-      <arg choice="plain"><replaceable>interface</replaceable></arg>
+      <arg choice="plain">{ <replaceable>interface</replaceable> |
      <replaceable>provider</replaceable> }</arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -63,8 +97,7 @@
      <arg choice="plain"><option>drop</option></arg>
-      <arg choice="plain">{ <replaceable>interface</replaceable> |
+      <arg choice="plain"><replaceable>address</replaceable></arg>
      <replaceable>provider</replaceable> }</arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -78,11 +111,13 @@
      <arg><option>-x</option></arg>
      <arg><option>-l</option></arg>
      <arg><option>-m</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
-      <command>shorewall</command>
+      <command>shorewall-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@@ -98,7 +133,8 @@
    <cmdsynopsis>
      <command>shorewall-lite</command>
-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
@@ -124,7 +160,8 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>hits</option></arg>
+      <arg
      choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -158,6 +195,19 @@
      choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>iptrace</option></arg>
      <arg choice="plain"><replaceable>iptables match
      expression</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
@@ -198,6 +248,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>noiptrace</option></arg>
      <arg choice="plain"><replaceable>iptables match
      expression</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
@@ -219,8 +282,24 @@
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>reset</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg
-      choice="plain"><option>restart</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>restart</option></arg>
      <arg><option>-n</option></arg>
      <arg><option>-p</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -260,8 +339,10 @@
      <arg><option>-x</option></arg>
      <arg><option>-l</option></arg>
      <arg><option>-t</option>
-      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}</arg>
+      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>
      <arg><arg><option>chain</option></arg><arg choice="plain"
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
@@ -291,7 +372,7 @@
      <arg choice="plain"><option>show</option></arg>
      <arg
-      choice="req"><option>actions|classifiers|connections|config|zones</option></arg>
+      choice="req"><option>classifiers|connections|config|filters|ip|ipa|zones|policies|marks</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -305,7 +386,7 @@
      <arg><option>-x</option></arg>
-      <arg choice="req"><option>mangle|nat</option></arg>
+      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -346,7 +427,7 @@
      <arg><option>-n</option></arg>
-      <arg><option>-f</option><arg><option>-p</option></arg></arg>
+      <arg><option>-p</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -377,7 +458,8 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>version</option></arg>
+      <arg
      choice="plain"><option>version</option><arg><option>-a</option></arg></arg>
    </cmdsynopsis>
  </refsynopsisdiv>
@@ -385,7 +467,7 @@
    <title>Description</title>
    <para>The shorewall-lite utility is used to control the Shoreline Firewall
-    (Shorewall) Lite.</para>
+    Lite (Shorewall Lite).</para>
  </refsect1>
  <refsect1>
@@ -393,12 +475,12 @@
    <para>The <option>trace</option> and <option>debug</option> options are
    used for debugging. See <ulink
-    url="http://www.shorewall.net/starting_and_stopping.htm#Trace">http://www.shorewall.net/starting_and_stopping.htm#Trace</ulink>.</para>
+    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
    <para>The nolock <option>option</option> prevents the command from
-    attempting to acquire the Shorewall Lite lockfile. It is useful if you
+    attempting to acquire the Shorewall-lite lockfile. It is useful if you
-    need to include <command>shorewall-lite</command> commands in the
+    need to include <command>shorewall</command> commands in
-    <filename>started</filename> extension script.</para>
+    <filename>/etc/shorewall/started</filename>.</para>
    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
@@ -435,12 +517,12 @@
          defined in the <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is comma-separated list whose
-          elements are a host or network address.<caution>
+          elements are host or network addresses.<caution>
              <para>The <command>add</command> command is not very robust. If
              there are errors in the <replaceable>host-list</replaceable>,
              you may see a large number of error messages yet a subsequent
-              <command>shorewall show zones</command> command will indicate
+              <command>shorewall-lite show zones</command> command will
-              that all hosts were added. If this happens, replace
+              indicate that all hosts were added. If this happens, replace
              <command>add</command> by <command>delete</command> and run the
              same command again. Then enter the correct command.</para>
            </caution></para>
@@ -463,10 +545,16 @@
        <term><emphasis role="bold">clear</emphasis></term>
        <listitem>
-          <para>Clear will remove all rules and chains installed by Shorewall
+          <para>Clear will remove all rules and chains installed by
-          Lite. The firewall is then wide open and unprotected. Existing
+          Shorewall-lite. The firewall is then wide open and unprotected.
-          connections are untouched. Clear is often used to see if the
+          Existing connections are untouched. Clear is often used to see if
-          firewall is causing connection problems.</para>
+          the firewall is causing connection problems.</para>
          <para>If <option>-f</option> is given, the command will be processed
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>
@@ -516,8 +604,11 @@
          <para>The <emphasis role="bold">-x</emphasis> option causes actual
          packet and byte counts to be displayed. Without that option, these
          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
-          option causes any MAC addresses included in Shorewall Lite log
+          option causes any MAC addresses included in Shorewall-lite log
          messages to be displayed.</para>
          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
          number for each Netfilter rule to be displayed.</para>
        </listitem>
      </varlistentry>
@@ -541,7 +632,7 @@
          and /var/lib/shorewall-lite/save. If no
          <emphasis>filename</emphasis> is given then the file specified by
          RESTOREFILE in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) is
+          url="shorewall.conf.html">shorewall.conf</ulink>(5) is
          assumed.</para>
        </listitem>
      </varlistentry>
@@ -558,8 +649,9 @@
        <term><emphasis role="bold">hits</emphasis></term>
        <listitem>
-          <para>Generates several reports from Shorewall Lite log messages in
+          <para>Generates several reports from Shorewall-lite log messages in
-          the current log file.</para>
+          the current log file. If the <option>-t</option> option is included,
          the reports are restricted to log messages generated today.</para>
        </listitem>
      </varlistentry>
@@ -582,12 +674,33 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">iptrace</emphasis></term>
        <listitem>
          <para>This is a low-level debugging command that causes iptables
          TRACE log records to be created. See iptables(8) for details.</para>
          <para>The <replaceable>iptables match expression</replaceable> must
          be one or more matches that may appear in both the raw table OUTPUT
          and raw table PREROUTING chains.</para>
          <para>The trace records are written to the kernel's log buffer with
          faciility = kernel and priority = warning, and they are routed from
          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
          Shorewall-lite has no control over where the messages go; consult
          your logging daemon's documentation.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">logdrop</emphasis></term>
        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be logged then discarded.</para>
+          to be logged then discarded. Logging occurs at the log level
          specified by the BLACKLIST_LOGLEVEL setting in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
        </listitem>
      </varlistentry>
@@ -595,9 +708,9 @@
        <term><emphasis role="bold">logwatch</emphasis></term>
        <listitem>
-          <para>Monitors the log file specified by theLOGFILE option in <ulink
+          <para>Monitors the log file specified by the LOGFILE option in
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) and
+          <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) and
-          produces an audible alarm when new Shorewall Lite messages are
+          produces an audible alarm when new Shorewall-lite messages are
          logged. The <emphasis role="bold">-m</emphasis> option causes the
          MAC address of each packet source to be displayed if that
          information is available. The
@@ -615,7 +728,22 @@
        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be logged then rejected.</para>
+          to be logged then rejected. Logging occurs at the log level
          specified by the BLACKLIST_LOGLEVEL setting in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">noiptrace</emphasis></term>
        <listitem>
          <para>This is a low-level debugging command that cancels a trace
          started by a preceding <command>iptrace</command> command.</para>
          <para>The <replaceable>iptables match expression</replaceable> must
          be one given in the <command>iptrace</command> command being
          cancelled.</para>
        </listitem>
      </varlistentry>
@@ -633,10 +761,10 @@
        <listitem>
          <para>Restart is similar to <emphasis role="bold">shorewall-lite
-          start</emphasis> but assumes that the firewall is already started.
+          start</emphasis> except that it assumes that the firewall is already
-          Existing connections are maintained.</para>
+          started. Existing connections are maintained.</para>
-          <para>The <option>-n</option> option causes Shorewall to avoid
+          <para>The <option>-n</option> option causes Shorewall-lite to avoid
          updating the routing table(s).</para>
          <para>The <option>-p</option> option causes the connection tracking
@@ -649,14 +777,14 @@
        <term><emphasis role="bold">restore</emphasis></term>
        <listitem>
-          <para>Restore Shorewall Lite to a state saved using the <emphasis
+          <para>Restore Shorewall-lite to a state saved using the <emphasis
          role="bold">shorewall-lite save</emphasis> command. Existing
          connections are maintained. The <emphasis>filename</emphasis> names
          a restore file in /var/lib/shorewall-lite created using <emphasis
          role="bold">shorewall-lite save</emphasis>; if no
-          <emphasis>filename</emphasis> is given then Shorewall Lite will be
+          <emphasis>filename</emphasis> is given then Shorewall-lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
+          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -667,11 +795,10 @@
          <para>The dynamic blacklist is stored in
          /var/lib/shorewall-lite/save. The state of the firewall is stored in
          /var/lib/shorewall-lite/<emphasis>filename</emphasis> for use by the
-          <emphasis role="bold">shorewall-lite restore</emphasis> and
+          <emphasis role="bold">shorewall-lite restore</emphasis>. If
-          <emphasis role="bold">shorewall-lite -f start</emphasis> commands.
+          <emphasis>filename</emphasis> is not given then the state is saved
-          If <emphasis>filename</emphasis> is not given then the state is
+          in the file specified by the RESTOREFILE option in <ulink
-          saved in the file specified by the RESTOREFILE option in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>
@@ -683,15 +810,6 @@
          arguments:</para>
          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">actions</emphasis></term>
              <listitem>
                <para>Produces a report about the available actions (built-in,
                standard and user-defined).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>
@@ -704,8 +822,8 @@
            </varlistentry>
            <varlistentry>
-              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>
+              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
-              ... ]</term>
+              ]</term>
              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
@@ -721,20 +839,25 @@
                Netfilter table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>
                <para>The <emphasis role="bold">-l</emphasis> option causes
                the rule number for each Netfilter rule to be
                displayed.</para>
                <para>If the <emphasis role="bold">t</emphasis> option and the
                <option>chain</option> keyword are both omitted and any of the
                listed <replaceable>chain</replaceable>s do not exist, a usage
-                message will be displayed.</para>
+                message is displayed.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">classifiers</emphasis></term>
+              <term><emphasis
              role="bold">classifiers|filters</emphasis></term>
              <listitem>
                <para>Displays information about the packet classifiers
-                defined on the system 10-080213-8397as a result of traffic
+                defined on the system as a result of traffic shaping
-                shaping configuration.</para>
+                configuration.</para>
              </listitem>
            </varlistentry>
@@ -756,15 +879,44 @@
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">mangle</emphasis></term>
+              <term><emphasis role="bold">ip</emphasis></term>
              <listitem>
-                <para>Displays the Netfilter mangle table using the command
+                <para>Displays the system's IPv4 configuration.</para>
-                <emphasis role="bold">iptables -t mangle -L -n
+              </listitem>
-                -v</emphasis>.The <emphasis role="bold">-x</emphasis> option
+            </varlistentry>
-                is passed directly through to iptables and causes actual
+
-                packet and byte counts to be displayed. Without this option,
+            <varlistentry>
-                those counts are abbreviated.</para>
+              <term><emphasis role="bold">ipa</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.4.17. Displays the per-IP
                accounting counters (<ulink
                url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
                (5)).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">log</emphasis></term>
              <listitem>
                <para>Displays the last 20 Shorewall-lite messages from the
                log file specified by the LOGFILE option in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5). The
                <emphasis role="bold">-m</emphasis> option causes the MAC
                address of each packet source to be displayed if that
                information is available.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">marks</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.4.26. Displays the various fields
                in packet marks giving the min and max value (in both decimal
                and hex) and the applicable mask (in hex).</para>
              </listitem>
            </varlistentry>
@@ -781,6 +933,39 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">policies</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.4.4. Displays the applicable policy
                between each pair of zones. Note that implicit intrazone
                ACCEPT policies are not displayed for zones associated with a
                single network where that network doesn't specify
                <option>routeback</option>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">routing</emphasis></term>
              <listitem>
                <para>Displays the system's IPv4 routing configuration.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">raw</emphasis></term>
              <listitem>
                <para>Displays the Netfilter raw table using the command
                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
                <emphasis role="bold">-x</emphasis> option is passed directly
                through to iptables and causes actual packet and byte counts
                to be displayed. Without this option, those counts are
                abbreviated.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">tc</emphasis></term>
@@ -794,8 +979,8 @@
              <term><emphasis role="bold">zones</emphasis></term>
              <listitem>
-                <para>Displays the current composition of the Shorewall Lite
+                <para>Displays the current composition of the Shorewall zones
-                zones on the system.</para>
+                on the system.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -806,17 +991,10 @@
        <term><emphasis role="bold">start</emphasis></term>
        <listitem>
-          <para>Start shorewall Lite. Existing connections through
+          <para>Start Shorewall Lite. Existing connections through
          shorewall-lite managed interfaces are untouched. New connections
          will be allowed only if they are allowed by the firewall rules or
-          policies. If <emphasis role="bold">-f</emphasis> is specified, the
+          policies.</para>
          saved configuration specified by the RESTOREFILE option in <ulink
          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) will
          be restored if that saved configuration exists and has been modified
          more recently than the files in /etc/shorewall.</para>
          <para>The <option>-n</option> option causes Shorewall to avoid
          updating the routing table(s).</para>
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
@@ -831,11 +1009,18 @@
          <para>Stops the firewall. All existing connections, except those
          listed in <ulink
          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
-          or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5),
+          or permitted by the ADMINISABSENTMINDED option in <ulink
-          are taken down. The only new traffic permitted through the firewall
+          url="shorewall.conf.html">shorewall.conf</ulink>(5), are taken down.
-          is from systems listed in <ulink
+          The only new traffic permitted through the firewall is from systems
          listed in <ulink
          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
          or by ADMINISABSENTMINDED.</para>
          <para>If <option>-f</option> is given, the command will be processed
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>
@@ -852,7 +1037,9 @@
        <term><emphasis role="bold">version</emphasis></term>
        <listitem>
-          <para>Displays Shorewall-lite's version.</para>
+          <para>Displays Shorewall's version. The <option>-a</option> option
          is included for compatibility with earlier Shorewall releases and is
          ignored.</para>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -871,13 +1058,13 @@
    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
    <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
-    shorewall-zones(5)</para>
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -48,10 +48,14 @@
 SHAREDIR=/usr/share/shorewall-lite
 VARDIR=/var/lib/shorewall-lite
 CONFDIR=/etc/shorewall-lite
 g_program=shorewall-lite
 g_product="Shorewall Lite"
 g_family=4
 g_base=shorewall
 g_basedir=/usr/share/shorewall-lite
 . /usr/share/shorewall-lite/lib.base
-. /usr/share/shorewall-lite/lib.cli
+. /usr/share/shorewall/lib.cli
 . /usr/share/shorewall-lite/configpath
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -60,6 +64,8 @@ SHOREWALL_VERSION=$(cat /usr/share/shorewall-lite/version)
 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
 g_tool=$IPTABLES
 VERBOSITY=0
 load_kernel_modules No
 determine_capabilities
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -1,14 +1,13 @@
 #!/bin/sh
 #
-#     Shorewall Lite Packet Filtering Firewall Control Program - V4.4
+#     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - 
 #         Tom Eastep (teastep@shorewall.net)
 #
-#	This file should be placed in /sbin/shorewall-lite.
+#	Shorewall documentation is available at http://www.shorewall.net
 #
 #	Shorewall documentation is available at http://shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
@@ -23,868 +22,11 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#     If an error occurs while starting or restarting the firewall, the
+#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #     firewall is automatically stopped.
 #
-#     Commands are:
+################################################################################################
-#
+g_program=shorewall-lite
 #     shorewall-lite dump                          Dumps all Shorewall-related information
 #                                                  for problem analysis
 #     shorewall-lite start 			   Starts the firewall
 #     shorewall-lite restart			   Restarts the firewall
 #     shorewall-lite stop			   Stops the firewall
 #     shorewall-lite status			   Displays firewall status
 #     shorewall-lite reset			   Resets iptables packet and
 #						   byte counts
 #     shorewall-lite clear			   Open the floodgates by
 #						   removing all iptables rules
 #						   and setting the three permanent
 #						   chain policies to ACCEPT
 #     shorewall-lite show <chain> [ <chain> ... ]  Display the rules in each <chain> listed
 #     shorewall-lite show log			   Print the last 20 log messages
 #     shorewall-lite show connections		   Show the kernel's connection
 #						   tracking table
 #     shorewall-lite show nat			   Display the rules in the nat table
 #     shorewall-lite show {mangle|tos}		   Display the rules in the mangle table
 #     shorewall-lite show tc			   Display traffic control info
 #     shorewall-lite show classifiers		   Display classifiers
 #     shorewall-lite show capabilities             Display iptables/kernel capabilities
 #     shorewall-lite show vardir                   Display VARDIR setting
 #     shorewall-lite version			   Display the installed version id
 #     shorewall-lite logwatch [ refresh-interval ] Monitor the local log for Shorewall
 #						   messages.
 #     shorewall-lite drop <address> ...		   Temporarily drop all packets from the
 #						   listed address(es)
 #     shorewall-lite reject <address> ...	   Temporarily reject all packets from the
 #						   listed address(es)
 #     shorewall-lite allow <address> ...	   Reenable address(es) previously
 #						   disabled with "drop" or "reject"
 #     shorewall-lite save [ <file> ]		   Save the list of "rejected" and
 #						   "dropped" addresses so that it will
 #						   be automatically reinstated the
 #						   next time that Shorewall starts.
 #                                                  Save the current state so that 'shorewall
 #                                                  restore' can be used.
 #
 #     shorewall-lite forget [ <file> ]             Discard the data saved by 'shorewall save'
 #
 #     shorewall-lite restore [ <file> ]            Restore the state of the firewall from
 #                                                  previously saved information.
 #
 #     shorewall-lite ipaddr { <address>/<cidr> | <address> <netmask> }
 #
 #                                                  Displays information about the network
 #                                                  defined by the argument[s]
 #
 #     shorewall-lite iprange <address>-<address>   Decomposes a range of IP addresses into
 #                                                  a list of network/host addresses.
 #
 #     shorewall-lite ipdecimal { <address> | <integer> }
 #
 #                                                  Displays the decimal equivalent of an IP
 #                                                  address and vice versa.
-#
+. /usr/share/shorewall/lib.cli
 # Set the configuration variables from shorewall-lite.conf
 #
 get_config() {
-    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+shorewall_cli $@
    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
 	g_logread="logread | tac"
    elif [ -r $LOGFILE ]; then
 	g_logread="tac $LOGFILE"
    else
 	echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	exit 2
    fi
    #
    # See if we have a real version of "tail" -- use separate redirection so
    # that ash (aka /bin/sh on LRP) doesn't crap
    #
    if ( tail -n5 /dev/null > /dev/null 2> /dev/null ) ; then
 	realtail="Yes"
    else
 	realtail=""
    fi
    [ -n "$FW" ] || FW=fw
    if [ -n "$IPTABLES" ]; then
 	if [ ! -x "$IPTABLES" ]; then
 	    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
 	    exit 2
 	fi
    else
 	IPTABLES=$(mywhich iptables 2> /dev/null)
 	if [ -z "$IPTABLES" ] ; then
 	    echo "   ERROR: Can't find iptables executable" >&2
 	    exit 2
 	fi
    fi
    if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -x "$SHOREWALL_SHELL" ]; then
 	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
 	    SHOREWALL_SHELL=/bin/sh
 	fi
    fi
    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
    validate_restorefile RESTOREFILE
    [ -n "${VERBOSITY:=2}" ]
    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
    if [ $VERBOSITY -lt -1 ]; then
 	VERBOSITY=-1
    elif [ $VERBOSITY -gt 2 ]; then
 	VERBOSITY=2
    fi
    g_hostname=$(hostname 2> /dev/null)
    IP=$(mywhich ip 2> /dev/null)
    if [ -z "$IP" ] ; then
 	echo "   ERROR: Can't find ip executable" >&2
 	exit 2
    fi
    IPSET=ipset
    TC=tc
 }
 #
 # Verify that we have a compiled firewall script
 #
 verify_firewall_script() {
    if [ ! -f $g_firewall ]; then
 	echo "   ERROR: Shorewall Lite is not properly installed" >&2
 	if [ -L $g_firewall ]; then
 	    echo "          $g_firewall is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
 	    echo "          The file $g_firewall does not exist" >&2
 	fi
 	exit 2
    fi
 }
 #
 # Fatal error
 #
 startup_error() {
    echo "   ERROR: $@" >&2
    kill $$
    exit 1
 }
 #
 # Start Command Executor
 #
 start_command() {
    local finished
    finished=0
    do_it() {
 	local rc
 	rc=0
 	[ -n "$nolock" ] || mutex_on
 	if [ -x ${LITEDIR}/firewall ]; then
 	    run_it ${LITEDIR}/firewall $debugging start
 	    rc=$?
 	else
 	    error_message "${LITEDIR}/firewall is missing or is not executable"
 	    logger -p kern.err "ERROR:Shorewall Lite start failed"
 	    rc=2
 	fi
 	[ -n "$nolock" ] || mutex_off
 	exit $rc
    }
    verify_firewall_script
    if shorewall_is_started; then
 	error_message "Shorewall is already running"
 	exit 0
    fi
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
 	    -*)
 		option=${option#-}
 		while [ -n "$option" ]; do
 		    case $option in
 			-)
 			    finished=1
 			    option=
 			    ;;
 			f*)
 			    g_fast=Yes
 			    option=${option#f}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			*)
 			    usage 1
 			    ;;
 		    esac
 		done
 		shift
 		;;
 	    *)
 		finished=1
 		;;
 	esac
    done
    case $# in
 	0)
 	    ;;
 	*)
 	    usage 1
 	    ;;
    esac
    if [ -n "$g_fast" ]; then
 	if qt mywhich make; then
 	    export RESTOREFILE
 	    make -qf ${CONFDIR}/Makefile || g_fast=
 	fi
 	if [ -n "$g_fast" ]; then
 	    g_restorepath=${VARDIR}/$RESTOREFILE
 	    if [ -x $g_restorepath ]; then
 		echo Restoring Shorewall Lite...
 		run_it $g_restorepath restore
 		date > ${VARDIR}/restarted
 		progress_message3 Shorewall Lite restored from $g_restorepath
 	    else
 		do_it
 	    fi
 	else
 	    do_it
 	fi
    else
 	do_it
    fi
 }
 #
 # Restart Command Executor
 #
 restart_command() {
    local finished
    finished=0
    local rc
    rc=0
    verify_firewall_script
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
 	    -*)
 		option=${option#-}
 		while [ -n "$option" ]; do
 		    case $option in
 			-)
 			    finished=1
 			    option=
 			    ;;
 			n*)
 			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			*)
 			    usage 1
 			    ;;
 		    esac
 		done
 		shift
 		;;
 	    *)
 		finished=1
 		;;
 	esac
    done
    case $# in
 	0)
 	    ;;
 	*)
 	    usage 1
 	    ;;
    esac
    [ -n "$nolock" ] || mutex_on
    if [ -x ${LITEDIR}/firewall ]; then
 	run_it ${LITEDIR}/firewall $debugging restart
 	rc=$?
    else
 	error_message "${LITEDIR}/firewall is missing or is not executable"
 	logger -p kern.err "ERROR:Shorewall Lite restart failed"
 	rc=2
    fi
    [ -n "$nolock" ] || mutex_off
    return $rc
 }
 #
 # Give Usage Information
 #
 usage() # $1 = exit status
 {
    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
    echo "   clear"
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   disable <interface>"
    echo "   drop <address> ..."
    echo "   dump [ -x ]"
    echo "   enable <interface>"
    echo "   forget [ <file name> ]"
    echo "   help"
    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
    echo "   ipdecimal { <address> | <integer> }"
    echo "   iprange <address>-<address>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
    echo "   reject <address> ..."
    echo "   reset [ <chain> ... ]"
    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   save [ <file name> ]"
    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   show [ -f ] capabilities"
    echo "   show classifiers"
    echo "   show config"
    echo "   show connections"
    echo "   show filters"
    echo "   show ip"
    echo "   show [ -m ] log [<regex>]"
    echo "   show [ -x ] mangle|nat|raw|routing"
    echo "   show policies"
    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
    echo "   start [ -f ] [ -p ] [ <directory> ]"
    echo "   stop"
    echo "   status"
    echo "   version [ -a ]"
    echo
    exit $1
 }
 version_command() {
    local finished
    finished=0
    local all
    all=
    local product
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
 	    -*)
 		option=${option#-}
 		while [ -n "$option" ]; do
 		    case $option in
 			-)
 			    finished=1
 			    option=
 			    ;;
 			a*)
 			    all=Yes
 			    option=${option#a}
 			    ;;
 			*)
 			    usage 1
 			    ;;
 		    esac
 		done
 		shift
 		;;
 	    *)
 		finished=1
 		;;
 	esac
    done
    [ $# -gt 0 ] && usage 1
    echo $SHOREWALL_VERSION
    if [ -n "$all" ]; then
 	for product in shorewall shorewall6 shorewall6-lite shorewall-init; do
 	    if [ -f /usr/share/$product/version ]; then
 		echo "$product: $(cat /usr/share/$product/version)"
 	    fi
 	done
    fi
 }
 #
 # Execution begins here
 #
 debugging=
 if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then
    debugging=$1
    shift
 fi
 nolock=
 if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
    nolock=nolock
    shift
 fi
 g_ipt_options="-nv"
 g_fast=
 g_verbose_offset=0
 g_use_verbosity=
 g_noroutes=
 g_timestamp=
 g_recovering=
 g_logread=
 #
 # Make sure that these variables are cleared
 #
 VERBOSE=
 VERBOSITY=
 finished=0
 while [ $finished -eq 0 ]; do
    [ $# -eq 0 ] && usage 1
    option=$1
    case $option in
 	-)
 	    finished=1
 	    ;;
 	-*)
 	    option=${option#-}
 	    [ -z "$option" ] && usage 1
 	    while [ -n "$option" ]; do
 		case $option in
 		    x*)
 			g_ipt_options="-xnv"
 			option=${option#x}
 			;;
 		    q*)
 			g_verbose_offset=$(($g_verbose_offset - 1 ))
 			option=${option#q}
 			;;
 		    f*)
 			g_fast=Yes
 			option=${option#f}
 			;;
 		    v*)
 			option=${option#v}
 			case $option in 
 			    -1*)
 				g_use_verbosity=-1
 				option=${option#-1}
 				;;
 			    0*)
 				g_use_verbosity=0
 				option=${option#0}
 				;;
 			    1*)
 				g_use_verbosity=1
 				option=${option#1}
 				;;
 			    2*)
 				g_use_verbosity=2
 				option=${option#2}
 				;;
 			    *)
 				g_verbose_offset=$(($g_verbose_offset + 1 ))
 				g_use_verbosity=
 				;;
 			esac
 			;;
 		    n*)
 			g_noroutes=Yes
 			option=${option#n}
 			;;
 		    t*)
 			g_timestamp=Yes
 			option=${option#t}
 			;;
 		    -)
 			finished=1
 			option=
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
            ;;
    esac
 done
 if [ $# -eq 0 ]; then
    usage 1
 fi
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 MUTEX_TIMEOUT=
 SHAREDIR=/usr/share/shorewall-lite
 CONFDIR=/etc/shorewall-lite
 g_product="Shorewall Lite"
 g_libexec=share
 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
 [ -n "${VARDIR:=/var/lib/shorewall-lite}" ]
 [ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR"
 version_file=$SHAREDIR/version
 for library in base cli; do
    . ${SHAREDIR}/lib.$library
 done
 ensure_config_path
 config=$(find_file shorewall-lite.conf)
 if [ -f $config ]; then
    if [ -r $config ]; then
 	. $config
    else
 	echo "Cannot read $config! (Hint: Are you root?)" >&2
 	exit 1
    fi
 else
    echo "$config does not exist!" >&2
    exit 2
 fi
 ensure_config_path
 LITEDIR=${VARDIR}
 [ -f ${LITEDIR}/firewall.conf ] && . ${LITEDIR}/firewall.conf
 get_config
 g_firewall=$LITEDIR/firewall
 if [ -f $version_file ]; then
    SHOREWALL_VERSION=$(cat $version_file)
 else
    echo "   ERROR: Shorewall Lite is not properly installed" >&2
    echo "          The file $version_file does not exist" >&2
    exit 1
 fi
 banner="Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname -"
 case $(echo -e) in
    -e*)
 	RING_BELL="echo \a"
 	ECHO_E="echo"
 	;;
    *)
 	RING_BELL="echo -e \a"
 	ECHO_E="echo -e"
 	;;
 esac
 case $(echo -n "Testing") in
    -n*)
 	ECHO_N=
 	;;
    *)
 	ECHO_N=-n
 	;;
 esac
 COMMAND=$1
 case "$COMMAND" in
    start)
 	shift
 	start_command $@
 	;;
    stop|reset|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
 	[ -n "$nolock" ] || mutex_on
 	run_it $g_firewall $debugging $COMMAND
 	[ -n "$nolock" ] || mutex_off
 	;;
    restart)
 	shift
 	restart_command
 	;;
    show|list)
    	shift
    	show_command $@
 	;;
    status)
 	[ $# -eq 1 ] || usage 1
 	[ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	echo "Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
 	echo
 	if shorewall_is_started ; then
 	    echo "Shorewall Lite is running"
 	    status=0
 	else
 	    echo "Shorewall Lite is stopped"
 	    status=4
 	fi
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
 		Stopped*|Closed*|Clear*)
 		    status=3
 		    ;;
 	    esac
 	else
 	    state=Unknown
 	fi
 	echo "State:$state"
 	echo
 	exit $status
 	;;
    dump)
    	shift
    	dump_command $@
 	;;
    hits)
 	[ -n "$debugging" ] && set -x
 	shift
 	hits_command $@
 	;;
    version)
 	shift
 	version_command $@
 	;;
    logwatch)
 	logwatch_command $@
 	;;
    drop)
 	[ -n "$debugging" ] && set -x
 	[ $# -eq 1 ] && usage 1
 	if shorewall_is_started ; then
 	    [ -n "$nolock" ] || mutex_on
 	    block DROP Dropped $*
 	    [ -n "$nolock" ] || mutex_off
 	else
 	    error_message "ERROR: Shorewall Lite is not started"
 	    exit 2
 	fi
 	;;
    logdrop)
 	[ -n "$debugging" ] && set -x
 	[ $# -eq 1 ] && usage 1
 	if shorewall_is_started ; then
 	    [ -n "$nolock" ] || mutex_on
 	    block logdrop Dropped $*
 	    [ -n "$nolock" ] || mutex_off
 	else
 	    error_message "ERROR: Shorewall Lite is not started"
 	    exit 2
 	fi
 	;;
    reject|logreject)
 	[ -n "$debugging" ] && set -x
 	[ $# -eq 1 ] && usage 1
 	if shorewall_is_started ; then
 	    [ -n "$nolock" ] || mutex_on
 	    block $COMMAND Rejected $*
 	    [ -n "$nolock" ] || mutex_off
 	else
 	    error_message "ERROR: Shorewall Lite is not started"
 	    exit 2
 	fi
 	;;
    allow)
 	allow_command $@
 	;;
    add)
 	get_config
 	shift
 	add_command $@
 	;;
    delete)
 	get_config
 	shift
 	add_command $@
 	;;
    disable|enable)
 	get_config Yes
 	if shorewall_is_started; then
 	    run_it ${VARDIR}/firewall $g_debugging $@
 	else
 	    fatal_error "Shorewall is not running"
 	fi
 	;;
    save)
 	[ -n "$debugging" ] && set -x
 	case $# in
 	1)
 	    ;;
 	2)
 	    RESTOREFILE="$2"
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
 	    usage 1
 	    ;;
 	esac
 	g_restorepath=${VARDIR}/$RESTOREFILE
 	[ "$nolock" ] || mutex_on
 	save_config
 	[ "$nolock" ] || mutex_off
 	;;
    forget)
 	case $# in
 	1)
 	    ;;
 	2)
 	    RESTOREFILE="$2"
 	    validate_restorefile '<restore file>'
 	    ;;
 	*)
 	    usage 1
 	    ;;
 	esac
 	g_restorepath=${VARDIR}/$RESTOREFILE
 	if [ -x $g_restorepath ]; then
 	    rm -f $g_restorepath
 	    rm -f ${g_restorepath}-iptables
 	    rm -f ${g_restorepath}-ipsets
 	    echo "    $g_restorepath removed"
 	elif [ -f $g_restorepath ]; then
 	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
 	fi
 	rm -f ${VARDIR}/save
 	;;
    ipcalc)
    	[ -n "$debugging" ] && set -x
 	if [ $# -eq 2 ]; then
 	    address=${2%/*}
 	    vlsm=${2#*/}
 	elif [ $# -eq 3 ]; then
 	    address=$2
 	    vlsm=$(ip_vlsm $3)
 	else
 	    usage 1
 	fi
 	valid_address $address || fatal_error "Invalid IP address: $address"
 	[ -z "$vlsm" ] && exit 2
 	[ "x$address" = "x$vlsm" ] && usage 2
 	[ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2
 	address=$address/$vlsm
 	                                   echo "   CIDR=$address"
 	temp=$(ip_netmask $address);       echo "   NETMASK=$(encodeaddr $temp)"
 	temp=$(ip_network $address);       echo "   NETWORK=$temp"
 	temp=$(broadcastaddress $address); echo "   BROADCAST=$temp"
 	;;
    iprange)
 	[ -n "$debugging" ] && set -x
 	case $2 in
 	    *.*.*.*-*.*.*.*)
 		for address in ${2%-*} ${2#*-}; do
 		    valid_address $address || fatal_error "Invalid IP address: $address"
 		done
 		ip_range $2
 		;;
 	    *)
 		usage 1
 		;;
 	esac
 	;;
    ipdecimal)
 	[ -n "$debugging" ] && set -x
 	[ $# -eq 2 ] || usage 1
 	case $2 in
 	    *.*.*.*)
 		valid_address $2 || fatal_error "Invalid IP address: $2"
 		echo "   $(decodeaddr $2)"
 		;;
 	    *)
 		echo "   $(encodeaddr $2)"
 		;;
 	esac
 	;;
    restore)
 	shift
 	STARTUP_ENABLED=Yes
 	restore_command $@
        ;;
    call)
 	[ -n "$debugging" ] && set -x
 	#
 	# Undocumented way to call functions in ${SHAREDIR}/functions directly
 	#
 	shift
 	$@
 	;;
    help)
 	shift
 	usage
 	;;
    *)
 	usage 1
 	;;
 esac
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Chains.pm
+# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/Chains.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -28,6 +28,7 @@ package Shorewall::Chains;
 require Exporter;
 use Scalar::Util 'reftype';
 use Digest::SHA1 qw(sha1);
 use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::IPAddrs;
@@ -57,6 +58,7 @@ our @EXPORT = qw(
 		    ensure_manual_chain
 		    ensure_audit_chain
 		    ensure_blacklog_chain
 		    ensure_audit_blacklog_chain
 		    require_audit
 		    newlogchain
 		    log_rule_limit
@@ -64,8 +66,10 @@ our @EXPORT = qw(
 		    dont_delete
 		    dont_move
 		    get_action_logging
 		    add_interface_options
 		    %chain_table
 		    %helpers
 		    $raw_table
 		    $rawpost_table
 		    $nat_table
@@ -96,6 +100,9 @@ our %EXPORT_TAGS = (
 				       ALL_RESTRICT
 				       ALL_COMMANDS
 				       NOT_RESTORE
 				       OPTIMIZE_POLICY_MASK
 				       OPTIMIZE_RULESET_MASK
 				       OPTIMIZE_MASK
 				       state_imatch
 				       initialize_chain_table
@@ -111,14 +118,17 @@ our %EXPORT_TAGS = (
 				       push_comment
 				       pop_comment
 				       forward_chain
 				       forward_option_chain
 				       rules_chain
 				       blacklist_chain
 				       zone_forward_chain
 				       use_forward_chain
 				       input_chain
 				       input_option_chain
 				       zone_input_chain
 				       use_input_chain
 				       output_chain
 				       output_option_chain
 				       prerouting_chain
 				       postrouting_chain
 				       zone_output_chain
@@ -131,7 +141,9 @@ our %EXPORT_TAGS = (
 				       snat_chain
 				       ecn_chain
 				       notrack_chain
 				       load_chain
 				       first_chains
 				       option_chains
 				       reserved_name
 				       find_chain
 				       ensure_chain
@@ -146,6 +158,7 @@ our %EXPORT_TAGS = (
 				       new_nat_chain
 				       optimize_chain
 				       check_optimization
 				       optimize_level0
 				       optimize_ruleset
 				       setup_zone_mss
 				       newexclusionchain
@@ -172,7 +185,9 @@ our %EXPORT_TAGS = (
 				       do_tos
 				       do_connbytes
 				       do_helper
 				       validate_helper
 				       do_headers
 				       do_probability
 				       do_condition
 				       have_ipset_rules
 				       record_runtime_address
@@ -194,7 +209,6 @@ our %EXPORT_TAGS = (
 				       do_ipsec
 				       log_rule
 				       expand_rule
 				       promote_blacklist_rules
 				       addnatjump
 				       set_chain_variables
 				       mark_firewall_not_started
@@ -251,7 +265,6 @@ our $VERSION = 'MODULEVERSION';
 #                                                               ]
 #                                               logchains    => { <key1> = <chainref1>, ... }
 #                                               references   => { <ref1> => <refs>, <ref2> => <refs>, ... }
 #                                               blacklist    => <number of blacklist rules at the head of the rules array> ( 0 or 1 )
 #                                               blacklistsection
 #                                                            => Chain was created by entries in the BLACKLIST section of the rules file
 #                                               action       => <action tuple that generated this chain>
@@ -281,6 +294,7 @@ our $rawpost_table;
 our $nat_table;
 our $mangle_table;
 our $filter_table;
 our %helpers;
 my  $comment;
 my  @comments;
 my  $export;
@@ -336,6 +350,16 @@ my $ipset_rules;
 #
 use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
 #
 # Optimization masks
 #
 use constant { 
 	       OPTIMIZE_POLICY_MASK  => 0x02 , # Call optimize_policy_chains()
 	       OPTIMIZE_RULESET_MASK => 0x1C , # Call optimize_ruleset()
 	     };
 use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK };
 #
 # These hashes hold the shell code to set shell variables. The key is the name of the variable; the value is the code to generate the variable's contents
 #
@@ -555,6 +579,17 @@ sub initialize( $$$ ) {
    $ipset_rules        = 0 if $hard;
    %ipset_exists       = ();   
    %helpers = ( amanda          => TCP,
 		 ftp             => TCP,
 		 h323            => UDP,
 		 irc             => TCP,
 		 netbios_ns      => UDP,
 		 pptp            => TCP,
 		 sane            => TCP,
 		 sip             => UDP,
 		 snmp            => UDP,
 		 tftp            => UDP);
    #
    # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
    #
@@ -645,11 +680,19 @@ sub set_rule_option( $$$ ) {
    my $opttype = $opttype{$option} || MATCH;
    if ( exists $ruleref->{$option} ) {
-	assert( defined $ruleref->{$option} );
+	assert( defined( my $value1 = $ruleref->{$option} ) );
 	if ( $opttype == MATCH ) {
 	    assert( $globals{KLUDGEFREE} );
-	    $ruleref->{$option} = [ $ruleref->{$option} ] unless reftype $ruleref->{$option};
+
 	    unless ( reftype $value1 ) {
 		unless ( reftype $value ) {
 		    return if $value1 eq $value;
 		}
 		$ruleref->{$option} = [ $ruleref->{$option} ];
 	    }
 	    push @{$ruleref->{$option}}, ( reftype $value ? @$value : $value );
 	} elsif ( $opttype == EXCLUSIVE ) {
 	    $ruleref->{$option} .= ",$value";
@@ -1206,9 +1249,7 @@ sub delete_reference( $$ ) {
 #    Chain reference , Rule Number, Rule
 #
 # In the first function, the rule number is zero-relative. In the second function,
-# the rule number is one-relative. In the first function, if the rule number is < 0, then
+# the rule number is one-relative.
 # the rule is a jump to a blacklist chain (blacklst or blackout). The rule will be
 # inserted at the front of the chain and the chain's 'blacklist' member incremented.
 #
 sub insert_rule1($$$)
 {
@@ -1220,11 +1261,6 @@ sub insert_rule1($$$)
    assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) );
    $ruleref->{mode} = CAT_MODE;
    if ( $number < 0 ) {
 	$chainref->{blacklist}++;
 	$number = 0;
    }
    splice( @{$chainref->{rules}}, $number, 0, $ruleref );
    trace( $chainref, 'I', ++$number, $ruleref ) if $debug;
@@ -1265,11 +1301,6 @@ sub insert_irule( $$$$;@ ) {
 	$ruleref->{comment} = $comment unless $ruleref->{comment};
    }
    if ( $number < 0 ) {
 	$chainref->{blacklist}++;
 	$number = 0;
    }
    splice( @{$chainref->{rules}}, $number, 0, $ruleref );
    trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;
@@ -1297,13 +1328,12 @@ sub clone_rule( $ ) {
 }
 # Do final work to 'delete' a chain. We leave it in the chain table but clear
-# the 'referenced', 'rules', 'references' and 'blacklist' members.
+# the 'referenced', 'rules', and 'references' members.
 #
 sub delete_chain( $ ) {
    my $chainref = shift;
    $chainref->{referenced}  = 0;
    $chainref->{blacklist}   = 0;
    $chainref->{rules}       = [];
    $chainref->{references}  = {};
    trace( $chainref, 'X', undef, '' ) if $debug;
@@ -1373,7 +1403,7 @@ sub decrement_reference_count( $$ ) {
 #
 # The rules generated by interface options are added to the interfaces's input chain and
 # forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to
-# the head of a rules chain (behind any blacklist rule already there).
+# the head of a rules chain.
 #
 sub move_rules( $$ ) {
    my ($chain1, $chain2 ) = @_;
@@ -1384,15 +1414,12 @@ sub move_rules( $$ ) {
 	my $rules     = $chain2->{rules};
 	my $count     = @{$chain1->{rules}};
 	my $tableref  = $chain_table{$chain1->{table}};
 	my $blacklist = $chain2->{blacklist};
 	my $filtered;
 	my $filtered1 = $chain1->{filtered};
 	my $filtered2 = $chain2->{filtered};
 	my @filtered1;
 	my @filtered2;
 	my $rule;
 	assert( ! $chain1->{blacklist} );
 	#
 	# We allow '+' in chain names and '+' is an RE meta-character. Escape it.
 	#
@@ -1412,11 +1439,11 @@ sub move_rules( $$ ) {
 	push @filtered2 , shift @{$chain2->{rules}} while $filtered--;
 	if ( $debug ) {
-	    my $rule = $blacklist + $filtered2;
+	    my $rule = $filtered2;
 	    trace( $chain2, 'A', ++$rule, $_ ) for @{$chain1->{rules}};
 	}
-	splice @$rules, $blacklist, 0, @{$chain1->{rules}};
+	unshift @$rules, @{$chain1->{rules}};
 	$chain2->{referenced} = 1;
@@ -1424,16 +1451,9 @@ sub move_rules( $$ ) {
 	# In a firewall->x policy chain, multiple DHCP ACCEPT rules can be moved to the head of the chain.
 	# This hack avoids that.
 	#
 	if ( $blacklist ) {
 	    my $rule = shift @{$rules};
 	shift @{$rules} while @{$rules} > 1 && $rules->[0]{dhcp} && $rules->[1]{dhcp};
 	    unshift @{$rules}, $rule;
 	} else {
 	    shift @{$rules} while @{$rules} > 1 && $rules->[0]{dhcp} && $rules->[1]{dhcp};
 	}
 	#
-	# Now insert the filter rules at the head of the chain (before blacklist rules)
+	# Now insert the filter rules at the head of the chain
 	#
 	if ( $filtered1 ) {
@@ -1477,8 +1497,6 @@ sub copy_rules( $$;$ ) {
    my $name1      = $chain1->{name};
    my $name       = $name1;
    my $name2      = $chain2->{name};
    my $blacklist1 = $chain1->{blacklist};
    my $blacklist2 = $chain2->{blacklist};
    my @rules1     = @{$chain1->{rules}};
    my $rules2     = $chain2->{rules};
    my $count      = @{$chain1->{rules}};
@@ -1487,22 +1505,6 @@ sub copy_rules( $$;$ ) {
    # We allow '+' in chain names and '+' is an RE meta-character. Escape it.
    #
    pop @$rules2 unless $nojump; # Delete the jump to chain1
    if ( $blacklist2 && $blacklist1 ) {
 	#
 	# Chains2 already has a blacklist jump -- delete the one at the head of chain1's rule list
 	#
 	my $rule = shift @rules1;
 	my $chainb = $rule->{target};
 	assert( $chainb =~ /^black/ );
 	delete_reference $chain1, $chainb;
 	assert( ! --$chain1->{blacklist} );
 	$blacklist1 = 0;
    }
    #
    # Chain2 is now a referent of all of Chain1's targets
    #
@@ -1510,17 +1512,6 @@ sub copy_rules( $$;$ ) {
 	increment_reference_count( $tableref->{$_->{target}}, $name2 ) if $_->{target};
    }
    if ( $blacklist1 ) {
 	assert( $blacklist1 == 1 );
 	trace( $chain2, 'A', 1 , $rules1[0]) if $debug;
 	unshift @$rules2, shift @rules1;
 	$chain1->{blacklist} = 0;
 	$chain2->{blacklist} = 1;
    }
    if ( $debug ) {
 	my $rule = @$rules2;
 	trace( $chain2, 'A', ++$rule, $_ ) for @rules1;
@@ -1530,7 +1521,7 @@ sub copy_rules( $$;$ ) {
    progress_message "  $count rules from $chain1->{name} appended to $chain2->{name}" if $count;
-    unless ( --$chain1->{references}{$name2} ) {
+    unless ( $nojump || --$chain1->{references}{$name2} ) {
 	delete $chain1->{references}{$name2};
 	delete_chain_and_references( $chain1 ) unless keys %{$chain1->{references}};
    }
@@ -1556,7 +1547,8 @@ sub blacklist_chain($$) {
 #
 sub forward_chain($)
 {
-    $_[0] . '_fwd';
+    my $interface = shift;
    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fwd';
 }
 #
@@ -1602,12 +1594,37 @@ sub use_forward_chain($$) {
    $interfaceref->{options}{use_forward_chain} && keys %{ zone_interfaces( $zone ) } > 1;
 }
 #
 # Input Option Chain for an interface
 #
 sub input_option_chain($) {
    my $interface = shift;
    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_iop';
 }
 #
 # Output Option Chain for an interface
 #
 sub output_option_chain($) {
    my $interface = shift;
    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_oop';
 }
 #
 # Forward Option Chain for an interface
 #
 sub forward_option_chain($) {
    my $interface = shift;
    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_fop';
 }
 #
 # Input Chain for an interface
 #
 sub input_chain($)
 {
-    $_[0] . '_in';
+    my $interface = shift;
    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_in';
 }
 #
@@ -1668,7 +1685,8 @@ sub use_input_chain($$) {
 #
 sub output_chain($)
 {
-    $_[0] . '_out';
+    my $interface = shift;
    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_out';
 }
 #
@@ -1676,15 +1694,17 @@ sub output_chain($)
 #
 sub prerouting_chain($) 
 {
-    $_[0] . '_pre';
+    my $interface = shift;
    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_pre';
 }
 #
-# Prerouting Chain for an interface
+# Postouting Chain for an interface
 #
 sub postrouting_chain($) 
 {
-    $_[0] . '_post';
+    my $interface = shift;
    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_post';
 }
 #
@@ -1736,7 +1756,8 @@ sub use_output_chain($$) {
 #
 sub masq_chain($)
 {
-    $_[0] . '_masq';
+    my $interface = shift;
    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_masq';
 }
 #
@@ -1751,7 +1772,8 @@ sub syn_flood_chain ( $ ) {
 #
 sub mac_chain( $ )
 {
-    $_[0] . '_mac';
+    my $interface = shift;
    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_mac';
 }
 sub macrecent_target($)
@@ -1775,12 +1797,20 @@ sub notrack_chain( $ )
    $_[0] . '_notrk';
 }
 #
 # Load Chain for a provider
 #
 sub load_chain( $ ) {
    '~' . $_[0];
 }
 #
 # SNAT Chain to an interface
 #
 sub snat_chain( $ )
 {
-    $_[0] . '_snat';
+    my $interface = shift;
    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_snat';
 }
 #
@@ -1788,7 +1818,8 @@ sub snat_chain( $ )
 #
 sub ecn_chain( $ )
 {
-    $_[0] . '_ecn';
+    my $interface = shift;
    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_ecn';
 }
 #
@@ -1798,7 +1829,17 @@ sub first_chains( $ ) #$1 = interface
 {
    my $c = $_[0];
-    ( $c . '_fwd', $c . '_in' );
+    ( forward_chain( $c ), input_chain( $c ) );
 }
 #
 # Option chains for an interface
 #
 sub option_chains( $ ) #$1 = interface
 {
    my $c = $_[0];
    ( forward_option_chain( $c ), input_option_chain( $c ) );
 }
 #
@@ -1826,7 +1867,6 @@ sub new_chain($$)
 		     log            => 1,
 		     cmdlevel       => 0,
 		     references     => {},
 		     blacklist      => 0,
 		     filtered       => 0
 		   };
@@ -2169,7 +2209,6 @@ sub new_builtin_chain($$$)
    $chainref->{policy}      = $policy;
    $chainref->{builtin}     = 1;
    $chainref->{dont_delete} = 1;
    $chainref->{dont_move}   = 1;
    $chainref;
 }
@@ -2220,6 +2259,21 @@ sub ensure_blacklog_chain( $$$$ ) {
    'blacklog';
 }
 sub ensure_audit_blacklog_chain( $$$ ) {
    my ( $target, $disposition, $level ) = @_;
    unless ( $filter_table->{A_blacklog} ) {
 	my $logchainref = new_manual_chain 'A_blacklog';
 	log_rule_limit( $level , $logchainref , 'blacklst' , $disposition , "$globals{LOGLIMIT}" , '', 'add',	'' );
 	add_ijump( $logchainref, j => 'AUDIT', targetopts => '--type ' . lc $target );
 	add_ijump( $logchainref, g => $target );
    }
    'A_blacklog';
 }
 #
 # Create and populate the passed AUDIT chain if it doesn't exist. Return chain name
 #
@@ -2396,7 +2450,7 @@ sub initialize_chain_table($) {
 	#
 	# Create this chain early in case it is needed by Policy actions
 	#
-	dont_move new_standard_chain 'reject';
+	new_standard_chain 'reject';
    }
 }
@@ -2612,6 +2666,25 @@ sub check_optimization( $ ) {
 #
 # Perform Optimization
 #
 # When an unreferenced chain is found, itis deleted unless its 'dont_delete' flag is set.
 sub optimize_level0() {
    for my $table ( qw/raw rawpost mangle nat filter/ ) {
 	next if $family == F_IPV6 && $table eq 'nat';
 	my $tableref = $chain_table{$table};
 	my @chains  = grep $_->{referenced}, values %$tableref;
 	my $chains  = @chains; 
 	for my $chainref ( @chains ) {
 	    #
 	    # If the chain isn't branched to, then delete it
 	    #
 	    unless ( $chainref->{dont_delete} || keys %{$chainref->{references}} ) {
 		delete_chain $chainref if $chainref->{referenced};
 	    }
 	}
    }
 }
 sub optimize_level4( $$ ) {
    my ( $table, $tableref ) = @_;
    my $progress = 1;
@@ -2619,7 +2692,6 @@ sub optimize_level4( $$ ) {
    #
    # Make repeated passes through each table looking for short chains (those with less than 2 entries)
    #
    # When an unreferenced chain is found, itis deleted unless its 'dont_delete' flag is set.
    # When an empty chain is found, delete the references to it.
    # When a chain with a single entry is found, replace it's references by its contents
    #
@@ -2710,7 +2782,6 @@ sub optimize_level4( $$ ) {
 			    # Replace references to this chain with the target and add the matches
 			    #
 			    $progress = 1 if replace_references1 $chainref, $firstrule;
 			}
 		    }
 		}
@@ -2719,8 +2790,9 @@ sub optimize_level4( $$ ) {
    }
    #
-    # In this loop, we look for chains that end in an unconditional jump. If the target of the jump
+    # In this loop, we look for chains that end in an unconditional jump. The jump is replaced by
-    # is subject to deletion (dont_delete = false), the jump is replaced by target's rules.
+    # the target's rules, provided that the target chain is short (< 4 rules) or has only one
    # reference. This prevents multiple copies of long chains being created.
    #
    $progress = 1;
@@ -2741,7 +2813,7 @@ sub optimize_level4( $$ ) {
 		# Last rule is a simple branch
 		my $targetref = $tableref->{$lastrule->{target}};
-		if ( $targetref && ! ( $targetref->{builtin} || $targetref->{dont_move} ) ) {
+		if ( $targetref && ( keys %{$targetref->{references}} < 2 || @{$targetref->{rules}} < 4 ) ) {
 		    copy_rules( $targetref, $chainref );
 		    $progress = 1;
 		}
@@ -2780,7 +2852,7 @@ sub optimize_level8( $$$ ) {
 	    }
 	}
-	$chainref->{digest} = $digest;
+	$chainref->{digest} = sha1 $digest;
    }
    for my $chainref ( @chains ) {
@@ -3979,16 +4051,47 @@ sub do_connbytes( $ ) {
 }
 #
-# Create a soft "-m helper" match for the passed argument
+# Validate a helper/protocol pair
 #
 sub validate_helper( $;$ ) {
    my ( $helper, $proto ) = @_;
    my $helper_base = $helper;
    $helper_base =~ s/-\d+$//;
    my $helper_proto = $helpers{$helper_base};
    if ( $helper_proto) {	    
 	#
 	#  Recognized helper
 	#
 	if ( supplied $proto ) {
 	    my $protonum = -1;
 	    fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) );	
 	    unless ( $protonum == $helper_proto ) {
 		fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto );
 	    }
 	}
    } else {
 	fatal_error "Unrecognized helper ($helper_base)";
    }
 }
 #
 # Create an "-m helper" match for the passed argument
 #
 sub do_helper( $ ) {
    my $helper = shift;
    return '' if $helper eq '-';
-    qq(-m helper --helper "$helper" );
+    validate_helper( $helper );
    qq(-m helper --helper "$helper" ) if defined wantarray;
 }
 #
 # Create a "-m length" match for the passed LENGTH
 #
@@ -4050,7 +4153,21 @@ sub do_headers( $ ) {
 	}
    }
-    "-m ipv6header ${invert}--header ${headers} ${soft}";
+    "-m ipv6header ${invert}--header ${headers} ${soft} ";
 }
 sub do_probability( $ ) {
    my $probability = shift;
    return '' if $probability eq '-';
    require_capability 'STATISTIC_MATCH', 'A non-empty PROBABILITY column', 's';
    my $invert = $probability =~ s/^!// ? '! ' : "";
    fatal_error "Invalid PROBABILITY ($probability)" unless $probability =~ /^0?\.\d{1,8}$/;
    "-m statistic --mode random --probability $probability ";
 }
 #
@@ -4796,6 +4913,8 @@ sub set_chain_variables() {
 	emit( 'IPTABLES_RESTORE=${IPTABLES}-restore',
 	      '[ -x "$IPTABLES_RESTORE" ] || startup_error "$IPTABLES_RESTORE does not exist or is not executable"' );
 	emit( 'g_tool=$IPTABLES' );
    } else {
 	if ( $config{IP6TABLES} ) {
 	    emit( qq(IP6TABLES="$config{IP6TABLES}"),
@@ -4809,6 +4928,8 @@ sub set_chain_variables() {
 	emit( 'IP6TABLES_RESTORE=${IP6TABLES}-restore',
 	      '[ -x "$IP6TABLES_RESTORE" ] || startup_error "$IP6TABLES_RESTORE does not exist or is not executable"' );
 	emit( 'g_tool=$IP6TABLES' );
    }
    if ( $config{IP} ) {
@@ -5726,60 +5847,179 @@ sub expand_rule( $$$$$$$$$$;$ )
 }
 #
-# Where a zone sharing a multi-zone interface has an 'in' blacklist rule, move the rule to the beginning of
+# Returns true if the passed interface is associated with exactly one zone
 # the associated interface chain
 #
-sub promote_blacklist_rules() {
+sub copy_options( $ ) {
-    my $chainbref = $filter_table->{blacklst};
+    keys %{interface_zones( shift )} == 1;
 }
-    return 1 unless $chainbref;
+#
 # This function is called after the blacklist rules have been added to the canonical chains. It 
 # either copies the relevant interface option rules into each canonocal chain, or it inserts one
 # or more jumps to the relevant option chains. The argument indicates whether blacklist rules are
 # present.
 #
 sub add_interface_options( $ ) {
-    my $promoted = 1;
+    if ( $_[0] ) {
    while ( $promoted ) {
 	$promoted = 0;
 	#
-	# Copy 'blacklst''s references since they will change in the following loop
+	# We have blacklist rules.
-	#
+	my %input_chains;
-	my @references = map $filter_table->{$_}, keys %{$chainbref->{references}};
+	my %forward_chains;
-	for my $chain1ref ( @references ) {
+	for my $interface ( all_real_interfaces ) {
-	    assert( $chain1ref->{blacklist} == 1 );
+	    $input_chains{$interface}   = $filter_table->{input_option_chain $interface};
 	    $forward_chains{$interface} = $filter_table->{forward_option_chain $interface};
 	}
 	#
 	# Generate a digest for each chain
 	#
 	for my $chainref ( values %input_chains, values %forward_chains ) {
 	    my $digest = '';
-	    my $copied = 0;
+	    assert( $chainref );
 	    my $rule   = $chain1ref->{rules}[0];
 	    my $chain1 = $chain1ref->{name};
-	    for my $chain2ref ( map $filter_table->{$_}, keys %{$chain1ref->{references}} ) {
+	    for ( @{$chainref->{rules}} ) {
-		unless ( $chain2ref->{builtin} ) {
+		if ( $digest ) {
 		    $digest .= ' |' . format_rule( $chainref, $_, 1 );
 		} else {
 		    $digest = format_rule( $chainref, $_, 1 );
 		}
 	    }
 	    $chainref->{digest} = sha1 $digest;
 	}
 	#
-		    # This is not INPUT or FORWARD -- we wouldn't want to move the
+	# Insert jumps to the interface chains into the rules chains
 		    # rule to the head of one of those chains
 		    $copied++;
 	#
-		    # Copy the blacklist rule to the head of the parent chain (after any
+	for my $zone1 ( off_firewall_zones ) {
-		    # filter rules) unless it already has a blacklist rule.
+	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;
 	    if ( @input_interfaces > 1 ) {
 		#
-		    unless ( $chain2ref->{blacklist} ) {
+		# This zone has multiple interfaces - discover if all of the interfaces have the same 
-			splice @{$chain2ref->{rules}}, $chain2ref->{filtered}, 0, $rule;
+		# input and/or forward options
-			add_reference $chain2ref, $chainbref;
+		#
-			$chain2ref->{blacklist} = 1;
+		my $digest;
 	      INPUT:
 		{
 		    for ( @input_interfaces ) {
 			if ( defined $digest ) {
 			    last INPUT unless $input_chains{$_}->{digest} eq $digest;
 			} else {
 			    $digest = $input_chains{$_}->{digest};
 			}
 		    }
 		    @input_interfaces = ( $input_interfaces[0] );
 		}
 		$digest = undef;
 	      FORWARD:
 		{
 		    for ( @forward_interfaces ) {
 			if ( defined $digest ) {
 			    last FORWARD unless $forward_chains{$_}->{digest} eq $digest;
 			} else {
 			    $digest = $forward_chains{$_}->{digest};
 			}
 		    }
 		    @forward_interfaces = ( $forward_interfaces[0] );
 		}
 	    }  
 	    #
 	    # Now insert the jumps
 	    #
 	    for my $zone2 ( all_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
 		my $chain1ref;
 		if ( zone_type( $zone2 ) & (FIREWALL | VSERVER ) ) {
 		    if ( @input_interfaces == 1 && copy_options( $input_interfaces[0] ) ) {
 			$chain1ref = $input_chains{$input_interfaces[0]};
 			if ( @{$chain1ref->{rules}}  ) {
 			    copy_rules $chain1ref, $chainref, 1;
 			    $chainref->{referenced} = 1;
 			}
 		    } else {
 			for my $interface ( @input_interfaces ) {
 			    $chain1ref = $input_chains{$interface};
 			    add_ijump ( $chainref , j => $chain1ref->{name}, @input_interfaces > 1 ? imatch_source_dev( $interface ) : () ) if @{$chain1ref->{rules}};
 			}
 		    }
 		} else {
 		    if ( @forward_interfaces == 1 && copy_options( $forward_interfaces[0] ) ) {
 			$chain1ref = $forward_chains{$forward_interfaces[0]};
 			if ( @{$chain1ref->{rules}} ) {
 			    copy_rules $chain1ref, $chainref, 1;
 			    $chainref->{referenced} = 1;
 			}
 		    } else {
 			for my $interface ( @forward_interfaces ) {
 			    $chain1ref = $forward_chains{$interface};
 			    add_ijump ( $chainref , j => $chain1ref->{name}, @forward_interfaces > 1 ? imatch_source_dev( $interface ) : () ) if  @{$chain1ref->{rules}};
 			}
 		    }
 		}
 	    }
 	}
 	#
 	# Now take care of jumps to the interface output option chains
 	#
 	for my $zone1 ( firewall_zone, vserver_zones ) {
 	    for my $zone2 ( off_firewall_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
 		my @interfaces = keys %{zone_interfaces( $zone2 )};
 		my $chain1ref;
-	    if ( $copied ) {
+		for my $interface ( @interfaces ) {
-		shift @{$chain1ref->{rules}};
+		    $chain1ref = $filter_table->{output_option_chain $interface};
-		$chain1ref->{blacklist} = 0;
+
-		delete_reference $chain1ref, $chainbref;
+		   if ( @{$chain1ref->{rules}} ) {
-		$promoted = 1;
+			copy_rules( $chain1ref, $chainref, 1 );
 			$chainref->{referenced} = 1;
 		    }
 		}
 	    }
 	}
    } else {
 	#
 	# No Blacklisting - simply move the option chain rules to the interface chains
 	#
 	for my $interface ( all_real_interfaces ) {
 	    my $chainref;
 	    my $chain1ref;
 	    $chainref = $filter_table->{input_option_chain $interface};
 	    if( @{$chainref->{rules}} ) {
 		move_rules $chainref, $chain1ref = $filter_table->{input_chain $interface};
 		set_interface_option( $interface, 'use_input_chain', 1 );
 	    }
 	    $chainref = $filter_table->{forward_option_chain $interface};
 	    if ( @{$chainref->{rules}} ) {
 		move_rules $chainref, $chain1ref = $filter_table->{forward_chain $interface};
 		set_interface_option( $interface, 'use_forward_chain' , 1 );
 	    }
 	    $chainref = $filter_table->{output_option_chain $interface};
 	   if ( @{$chainref->{rules}} ) {
 		move_rules $chainref, $chain1ref = $filter_table->{output_chain $interface};
 		set_interface_option( $interface, 'use_output_chain' , 1 );
 	    }
 	}
    }
 }
 #
-# The following code generates the input to iptables-restore from the contents of the
+# The following functions generate the input to iptables-restore from the contents of the
 # @rules arrays in the chain table entries.
 #
 # We always write the iptables-restore input into a file then pass the
@@ -5787,9 +6027,9 @@ sub promote_blacklist_rules() {
 # has (have) something to look at to determine the error
 #
 # We may have to generate part of the input at run-time. The rules array in each chain
-# table entry may contain both rules (begin with '-A') or shell source. We alternate between
+# table entry may contain both rules or shell source, determined by the contents of the 'mode'
-# writing the rules ('-A') into the temporary file to be passed to iptables-restore
+# member. We alternate between writing the rules into the temporary file to be passed to 
-# (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
+# iptables-restore (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
 #
 # The following two functions are responsible for the mode transitions.
 #
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -1,10 +1,10 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.4
+#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -71,7 +71,7 @@ sub initialize_package_globals( $ ) {
 #
 # First stage of script generation.
 #
-#    Copy prog.header and lib.common to the generated script.
+#    Copy prog.header, lib.core and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -95,7 +95,8 @@ sub generate_script_1( $ ) {
 		copy $globals{SHAREDIRPL} . 'prog.header6';
 	    }
-	    copy2 $globals{SHAREDIR} . '/lib.common', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.core', 0;
 	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
 	}
    }
@@ -162,27 +163,39 @@ sub generate_script_2() {
    push_indent;
    if ( $family == F_IPV4 ) {
 	emit( 'g_family=4' );
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall-lite',
 		   'CONFDIR=/etc/shorewall-lite',
-		   'g_product="Shorewall Lite"'
+		   'g_product="Shorewall Lite"',
 		   'g_program=shorewall-lite',
 		   'g_basedir=/usr/share/shorewall-lite',
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall',
 		   'CONFDIR=/etc/shorewall',
-		   'g_product=\'Shorewall\'',
+		   'g_product=Shorewall',
 		   'g_program=shorewall',
 		   'g_basedir=/usr/share/shorewall',
 		 );
 	}
    } else {
 	emit( 'g_family=6' );
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6-lite',
 		   'CONFDIR=/etc/shorewall6-lite',
-		   'g_product="Shorewall6 Lite"'
+		   'g_product="Shorewall6 Lite"',
 		   'g_program=shorewall6-lite',
 		   'g_basedir=/usr/share/shorewall6',
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6',
 		   'CONFDIR=/etc/shorewall6',
-		   'g_product=\'Shorewall6\'',
+		   'g_product=Shorewall6',
 		   'g_program=shorewall6',
 		   'g_basedir=/usr/share/shorewall'
 		 );
 	}
    }
@@ -461,6 +474,7 @@ sub generate_script_3($) {
    fi
 EOF
    pop_indent;
    setup_load_distribution;
    setup_forwarding( $family , 1 );
    push_indent;
@@ -473,14 +487,18 @@ else
    if [ \$COMMAND = refresh ]; then
        chainlist_reload
 EOF
    setup_load_distribution;
    setup_forwarding( $family , 0 );
    emit( '        run_refreshed_exit' ,
 	  '        do_iptables -N shorewall' ,
 	  "        set_state Started $config_dir" ,
 	  '    else' ,
 	  '        setup_netfilter' );
    setup_load_distribution;
    emit<<"EOF";
        run_refreshed_exit
        do_iptables -N shorewall
        set_state Started $config_dir
    else
        setup_netfilter
        conditionally_flush_conntrack
 EOF
    setup_forwarding( $family , 0 );
@@ -604,14 +622,9 @@ sub compiler {
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
    get_configuration( $export , $update , $annotate );
-
+    #
-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
+    # Create a temp file to hold the script
-
+    #
    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
    if ( $scriptfilename ) {
 	set_command( 'compile', 'Compiling', 'Compiled' );
 	create_temp_script( $scriptfilename , $export );
@@ -620,7 +633,7 @@ sub compiler {
    }
    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
-    # shorewall.conf has been processed and the capabilities have been determined.
+    # now when shorewall.conf has been processed and the capabilities have been determined.
    #
    initialize_chain_table(1);
    #
@@ -778,7 +791,7 @@ sub compiler {
    #
    # Process the rules file.
    #
-    process_rules;
+    process_rules( $convert );
    #
    # Add Tunnel rules.
    #
@@ -802,6 +815,8 @@ sub compiler {
 	#
 	generate_matrix;
 	optimize_level0;
 	if ( $config{OPTIMIZE} & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
@@ -844,13 +859,7 @@ sub compiler {
 	#
 	# Copy the footer to the script
 	#
-	unless ( $test ) {
+	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;
 	    if ( $family == F_IPV4 ) {
 		copy $globals{SHAREDIRPL} . 'prog.footer';
 	    } else {
 		copy $globals{SHAREDIRPL} . 'prog.footer6';
 	    }
 	}
 	disable_script;
 	#
@@ -871,16 +880,18 @@ sub compiler {
 	    #
 	    generate_matrix;
-	    if ( $config{OPTIMIZE} & 0x1E ) {
+	    optimize_level0;
 	    if ( $config{OPTIMIZE} & OPTIMIZE_MASK ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
 		#
-		optimize_policy_chains if $config{OPTIMIZE} & 2;
+		optimize_policy_chains if $config{OPTIMIZE} & OPTIMIZE_POLICY_MASK;
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $config{OPTIMIZE} & 0x1C;
+		optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
 	    }
 	    enable_script if $debug;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -136,6 +136,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $doing
 				       $done
 				       $currentline
 				       $currentfilename
 				       $debug
 				       %config
 				       %globals
@@ -287,6 +288,10 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 CONDITION_MATCH => 'Condition Match',
 		 IPTABLES_S      => 'iptables -S',
 		 BASIC_FILTER    => 'Basic Filter',
 		 CT_TARGET       => 'CT Target',
 		 STATISTIC_MATCH => 
 		                    'Statistics Match',
 		 IMQ_TARGET      => 'IMQ Target',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -366,7 +371,7 @@ my @actparms;
 our $currentline;            # Current config file line image
 my  $currentfile;            # File handle reference
-my  $currentfilename;        # File NAME
+our $currentfilename;        # File NAME
 my  $currentlinenumber;      # Line number
 my  $perlscript;             # File Handle Reference to current temporary file being written by an in-line Perl script
 my  $perlscriptname;         # Name of that file.
@@ -404,6 +409,15 @@ use constant { MIN_VERBOSITY => -1,
 my %validlevels;             # Valid log levels.
 #
 # Deprecated options with their default values
 #
 my %deprecated = ( LOGRATE            => '' ,
 		   LOGBURST           => '' ,
 		   EXPORTPARAMS       => 'no',
 		   WIDE_TC_MARKS      => 'no',
 		   HIGH_ROUTE_MARKS   => 'no'
 		 );
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -451,7 +465,7 @@ sub initialize( $ ) {
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
 		    VERSION    => "4.4.22.1",
-		    CAPVERSION => 40426 ,
+		    CAPVERSION => 40501 ,
 		  );
    #
    # From shorewall.conf file
@@ -470,6 +484,7 @@ sub initialize( $ ) {
 	  LOGBURST => undef,
 	  LOGALLNEW => undef,
 	  BLACKLIST_LOGLEVEL => undef,
 	  RELATED_LOG_LEVEL => undef,
 	  RFC1918_LOG_LEVEL => undef,
 	  MACLIST_LOG_LEVEL => undef,
 	  TCP_FLAGS_LOG_LEVEL => undef,
@@ -567,6 +582,7 @@ sub initialize( $ ) {
 	  COMPLETE => undef,
 	  EXPORTMODULES => undef,
 	  LEGACY_FASTSTART => undef,
 	  USE_PHYSICAL_NAMES => undef,
 	  #
 	  # Packet Disposition
 	  #
@@ -575,6 +591,7 @@ sub initialize( $ ) {
 	  BLACKLIST_DISPOSITION => undef,
 	  SMURF_DISPOSITION => undef,
 	  SFILTER_DISPOSITION => undef,
 	  RELATED_DISPOSITION => undef,
 	  #
 	  # Mark Geometry
 	  #
@@ -672,6 +689,9 @@ sub initialize( $ ) {
 	       CONDITION_MATCH => undef,
 	       IPTABLES_S => undef,
 	       BASIC_FILTER => undef,
 	       CT_TARGET => undef,
 	       STATISTIC_MATCH => undef,
 	       IMQ_TARGET => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -966,10 +986,10 @@ sub emitstd {
 #
 # Write passed message to the script with newline but no indentation.
 #
-sub emit_unindented( $ ) {
+sub emit_unindented( $;$ ) {
    assert( $script_enabled );
-    print $script "$_[0]\n" if $script;
+    print $script $_[1] ? "$_[0]" : "$_[0]\n" if $script;
 }
 #
@@ -1790,7 +1810,7 @@ sub embedded_shell( $ ) {
 sub embedded_perl( $ ) {
    my $multiline = shift;
-    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
    if ( $multiline ) {
 	#
@@ -1929,9 +1949,11 @@ sub expand_variables( \$ ) {
 	if ( $var =~ /^\d+$/ ) {
 	    fatal_error "Undefined parameter (\$$var)" unless $var > 0 && defined $actparms[$var];
 	    $val = $actparms[$var];
-	} else {
+	} elsif ( exists $params{$var} ) {
 	    fatal_error "Undefined shell variable (\$$var)" unless exists $params{$var};
 	    $val = $params{$var};
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless exists $config{$var};
 	    $val = $config{$var};
 	}
 	$val = '' unless defined $val;
@@ -2738,6 +2760,27 @@ sub Iptables_S() {
    qt1( "$iptables -S INPUT" )
 }
 sub Ct_Target() {
    my $ct_target;
    if ( have_capability 'RAW_TABLE' ) {
 	qt1( "$iptables -t raw -N $sillyname" );
 	$ct_target = qt1( "$iptables -t raw -A $sillyname -j CT --notrack" );
 	qt1( "$iptables -t raw -F $sillyname" );
 	qt1( "$iptables -t raw -X $sillyname" );
    }
    $ct_target;
 }
 sub Statistic_Match() {
    qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" );
 }
 sub Imq_Target() {
    qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
 }
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AUDIT_TARGET => \&Audit_Target,
@@ -2750,6 +2793,7 @@ our %detect_capability =
      CONNMARK => \&Connmark,
      CONNMARK_MATCH => \&Connmark_Match,
      CONNTRACK_MATCH => \&Conntrack_Match,
      CT_TARGET => \&Ct_Target,
      ENHANCED_REJECT => \&Enhanced_Reject,
      EXMARK => \&Exmark,
      FLOW_FILTER => \&Flow_Filter,
@@ -2758,6 +2802,7 @@ our %detect_capability =
      HASHLIMIT_MATCH => \&Hashlimit_Match,
      HEADER_MATCH => \&Header_Match,
      HELPER_MATCH => \&Helper_Match,
      IMQ_TARGET => \&Imq_Target,
      IPMARK_TARGET => \&IPMark_Target,
      IPP2P_MATCH => \&Ipp2p_Match,
      IPRANGE_MATCH => \&IPRange_Match,
@@ -2791,6 +2836,7 @@ our %detect_capability =
      RAWPOST_TABLE => \&Rawpost_Table,
      REALM_MATCH => \&Realm_Match,
      RECENT_MATCH => \&Recent_Match,
      STATISTIC_MATCH => \&Statistic_Match,
      TCPMSS_MATCH => \&Tcpmss_Match,
      TIME_MATCH => \&Time_Match,
      TPROXY_TARGET => \&Tproxy_Target,
@@ -2926,6 +2972,9 @@ sub determine_capabilities() {
 	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
 	$capabilities{IPTABLES_S}      = detect_capability( 'IPTABLES_S' );
 	$capabilities{BASIC_FILTER}    = detect_capability( 'BASIC_FILTER' );
 	$capabilities{CT_TARGET}       = detect_capability( 'CT_TARGET' );
 	$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
 	$capabilities{IMQ_TARGET}      = detect_capability( 'IMQ_TARGET' );
 	qt1( "$iptables -F $sillyname" );
@@ -3048,15 +3097,6 @@ sub update_config_file( $ ) {
 	#
 	$fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf";
    }
    #
    # Deprecated options with their default values
    #
    my %deprecated = ( LOGRATE            => '' ,
 		       LOGBURST           => '' ,
 		       EXPORTPARAMS       => 'no',
 		       WIDE_TC_MARKS      => 'no',
 		       HIGH_ROUTE_MARKS   => 'no'
 		     );
   if ( -f $fn ) {
 	my ( $template, $output );
@@ -3176,6 +3216,9 @@ sub process_shorewall_conf( $$ ) {
 		    warning_message "Unknown configuration option ($var) ignored", next unless exists $config{$var};
 		    $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );
 		    warning_message "Option $var=$val is deprecated"
 			if $deprecated{$var} && supplied $val && lc $config{$var} ne $deprecated{$var};
 		} else {
 		    fatal_error "Unrecognized $product.conf entry";
 		}
@@ -3441,11 +3484,13 @@ sub add_param( $$ ) {
 sub export_params() {
    my $count = 0;
-    while ( my ( $param, $value ) = each %params ) {
+    for my $param ( sort keys %params ) {
 	#
 	# Don't export params added by the compiler
 	#
 	next if exists $compiler_params{$param};
 	my $value = $params{$param};
 	#
 	# Values in %params are generated from the output of 'export -p'.
 	# The different shells have different conventions for delimiting
@@ -3514,7 +3559,6 @@ sub get_configuration( $$$ ) {
    get_capabilities( $export );
    $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
    if ( my $rate = $config{LOGLIMIT} ) {
@@ -3713,6 +3757,7 @@ sub get_configuration( $$$ ) {
    default_yes_no 'COMPLETE'                   , '';
    default_yes_no 'EXPORTMODULES'              , '';
    default_yes_no 'LEGACY_FASTSTART'           , 'Yes';
    default_yes_no 'USE_PHYSICAL_NAMES'         , '';
    require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
@@ -3781,6 +3826,7 @@ sub get_configuration( $$$ ) {
    default_log_level 'MACLIST_LOG_LEVEL',   '';
    default_log_level 'TCP_FLAGS_LOG_LEVEL', '';
    default_log_level 'RFC1918_LOG_LEVEL',   '';
    default_log_level 'RELATED_LOG_LEVEL',   '';
    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};
@@ -3815,6 +3861,23 @@ sub get_configuration( $$$ ) {
 	$globals{MACLIST_TARGET}      = 'reject';
    }
    if ( $val = $config{RELATED_DISPOSITION} ) {
 	if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
 	    $globals{RELATED_TARGET} = $val;
 	} elsif ( $val eq 'REJECT' ) {
 	    $globals{RELATED_TARGET} = 'reject';
 	} elsif ( $val eq 'A_REJECT' ) {
 	    $globals{RELATED_TARGET} = $val;
 	} else {
 	    fatal_error "Invalid value ($config{RELATED_DISPOSITION}) for RELATED_DISPOSITION"
 	}
 	require_capability 'AUDIT_TARGET' , "MACLIST_DISPOSITION=$val", 's' if $val =~ /^A_/;
    } else {
 	$config{RELATED_DISPOSITION}  =
 	$globals{RELATED_TARGET}      = 'ACCEPT';
    }
    if ( $val = $config{MACLIST_TABLE} ) {
 	if ( $val eq 'mangle' ) {
 	    fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
@@ -3929,6 +3992,13 @@ sub get_configuration( $$$ ) {
    } else {
 	$config{LOCKFILE} = '';
    }
    report_capabilities unless $config{LOAD_HELPERS_ONLY};
    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 }
 #
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -55,6 +55,7 @@ our @EXPORT = qw( ALLIPv4
 		  DCCP
 		  IPv6_ICMP
 		  SCTP
 		  GRE
 		  validate_address
 		  validate_net
@@ -117,6 +118,7 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       TCP                 => 6,
 	       UDP                 => 17,
 	       DCCP                => 33,
 	       GRE                 => 47,
 	       IPv6_ICMP           => 58,
 	       SCTP                => 132,
 	       UDPLITE             => 136 };
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -397,7 +397,6 @@ sub convert_blacklist() {
 	if ( supplied $level ) {
 	    $target = 'blacklog';
 	} elsif ( $audit ) {
 	    require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
 	    $target = verify_audit( $disposition );
 	}
@@ -691,6 +690,7 @@ sub add_common_rules ( $ ) {
    my $dynamicref;
    my @state     = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
    my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
    my $level     = $config{BLACKLIST_LOGLEVEL};
    my $rejectref = $filter_table->{reject};
@@ -698,13 +698,14 @@ sub add_common_rules ( $ ) {
 	add_rule_pair dont_delete( new_standard_chain( 'logdrop' ) ),   '' , 'DROP'   , $level ;
 	add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), '' , 'reject' , $level ;
 	$dynamicref = dont_optimize( new_standard_chain( 'dynamic' ) );
 	add_ijump $filter_table->{INPUT}, j => $dynamicref, @state;
 	add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
    }
    setup_mss;
-    add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ) if ( $config{FASTACCEPT} );
+    if ( $config{FASTACCEPT} ) {
 	add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch $faststate )
    } 
    my $policy   = $config{SFILTER_DISPOSITION};
    $level       = $config{SFILTER_LOG_LEVEL};
@@ -751,8 +752,8 @@ sub add_common_rules ( $ ) {
 	$target1 = $target;
    }
-    for $interface ( grep $_ ne '%vserver%', all_interfaces ) {
+    for $interface ( all_real_interfaces ) {
-	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface );
+	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );
 	my $interfaceref = find_interface $interface;
@@ -760,33 +761,28 @@ sub add_common_rules ( $ ) {
 	    my @filters = @{$interfaceref->{filter}};
-	    $chainref = $filter_table->{forward_chain $interface};
+	    $chainref = $filter_table->{forward_option_chain $interface};
 	    if ( @filters ) {
 		add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
 		$interfaceref->{options}{use_forward_chain} = 1;
 	    } elsif ( $interfaceref->{bridge} eq $interface ) {
 		add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++
 		    unless( $config{ROUTE_FILTER} eq 'on' ||
 			    $interfaceref->{options}{routeback} ||
 			    $interfaceref->{options}{routefilter} ||
 			    $interfaceref->{physical} eq '+' );
 		$interfaceref->{options}{use_forward_chain} = 1;
 	    }
 	    add_ijump( $chainref, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ), $chainref->{filtered}++ if $config{FASTACCEPT};
 	    add_ijump( $chainref, j => $dynamicref, @state ), $chainref->{filtered}++ if $dynamicref;
 	    $chainref = $filter_table->{input_chain $interface};
 	    if ( @filters ) {
 		$chainref = $filter_table->{input_option_chain $interface};
 		add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
 		$interfaceref->{options}{use_input_chain} = 1;
 	    }
-	    add_ijump( $chainref, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ), $chainref->{filtered}++ if $config{FASTACCEPT};
+	    for ( option_chains( $interface ) ) {
-	    add_ijump( $chainref, j => $dynamicref, @state ), $chainref->{filtered}++ if $dynamicref;
+		add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
 		add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate ) if $config{FASTACCEPT};
 	    }
 	}
    }
@@ -870,12 +866,9 @@ sub add_common_rules ( $ ) {
 	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
-	    for $chain ( first_chains $interface ) {
+	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, @state, imatch_source_net( $hostref->[2] ), @policy );
 	    }
 	    set_interface_option $interface, 'use_input_chain', 1;
 	    set_interface_option $interface, 'use_forward_chain', 1;
 	}
    }
@@ -925,14 +918,11 @@ sub add_common_rules ( $ ) {
 	my $ports = $family == F_IPV4 ? '67:68' : '546:547';
 	for $interface ( @$list ) {
 	    set_interface_option $interface, 'use_input_chain', 1;
 	    set_interface_option $interface, 'use_forward_chain', 1;
 	    set_rule_option( add_ijump( $filter_table->{$_} , j => 'ACCEPT', p => "udp --dport $ports" ) ,
 			     'dhcp',
-			     1 ) for input_chain( $interface ), output_chain( $interface );
+			     1 ) for input_option_chain( $interface ), output_option_chain( $interface );
-	    add_ijump( $filter_table->{forward_chain $interface} ,
+	    add_ijump( $filter_table->{forward_option_chain $interface} ,
 		       j => 'ACCEPT', 
 		       p =>  "udp --dport $ports" ,
 		       imatch_dest_dev( $interface ) )
@@ -990,11 +980,9 @@ sub add_common_rules ( $ ) {
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 	    my @policy     = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();
-	    for $chain ( first_chains $interface ) {
+	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
 	    }
 	    set_interface_option $interface, 'use_input_chain', 1;
 	    set_interface_option $interface, 'use_forward_chain', 1;
 	}
    }
@@ -1023,7 +1011,7 @@ sub add_common_rules ( $ ) {
 	    progress_message2 "$doing UPnP" unless $announced;
 	    for $interface ( @$list ) {
-		my $chainref = $filter_table->{input_chain $interface};
+		my $chainref = $filter_table->{input_option_chain $interface};
 		my $base     = uc chain_base get_physical $interface;
 		my $variable = get_interface_gateway $interface;
@@ -1172,12 +1160,9 @@ sub setup_mac_lists( $ ) {
 	    if ( $table eq 'filter' ) {
 		my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
-		for my $chain ( first_chains $interface ) {
+		for my $chain ( option_chains $interface ) {
 		    add_ijump $filter_table->{$chain} , j => $chainref, @source, @state, @policy;
 		}
 		set_interface_option $interface, 'use_input_chain', 1;
 		set_interface_option $interface, 'use_forward_chain', 1;
 	    } else {
 		my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} );
 		add_ijump $mangle_table->{PREROUTING}, j => $chainref, imatch_source_dev( $interface ), @source, @state, @policy;
@@ -1382,6 +1367,7 @@ sub add_interface_jumps {
    our %output_jump_added;
    our %forward_jump_added;
    my  $lo_jump_added = 0;
    my @interfaces = grep $_ ne '%vserver%', @_;
    #
    # Add Nat jumps
    #
@@ -1393,7 +1379,7 @@ sub add_interface_jumps {
    addnatjump 'POSTROUTING' , 'nat_out';
    addnatjump 'PREROUTING', 'dnat';
-    for my $interface ( grep $_ ne '%vserver%', @_ ) {
+    for my $interface ( @interfaces  ) {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
 	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
 	addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
@@ -1407,7 +1393,7 @@ sub add_interface_jumps {
    #
    # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
    #
-    for my $interface ( grep $_ ne '%vserver%', @_ ) {
+    for my $interface ( @interfaces ) {
 	my $forwardref   = $filter_table->{forward_chain $interface};
 	my $inputref     = $filter_table->{input_chain $interface};
 	my $outputref    = $filter_table->{output_chain $interface};
@@ -1487,58 +1473,19 @@ sub generate_matrix() {
    my  %ipsec_jump_added   = ();
    progress_message2 'Generating Rule Matrix...';
-    progress_message  '  Handling blacklisting and complex zones...';
+    progress_message  '  Handling complex zones...';
    #
-    # Special processing for complex and/or blacklisting configurations
+    # Special processing for complex configurations
    #
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
+	
 	next if  @zones <= 2 && ! $zoneref->{options}{complex};
 	#
-	# Handle blacklisting first
+	# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
 	#
-	if ( $zoneref->{options}{in}{blacklist} ) {
+	my $frwd_ref = $filter_table->{zone_forward_chain( $zone )};
 	    my $blackref = $filter_table->{blacklst};
 	    insert_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , -1, @state for firewall_zone, @vservers;
 	    if ( $simple ) {
 		#
 		# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
 		#
 		for my $zone1 ( @zones ) {
 		    my $ruleschain    = rules_chain( $zone, $zone1 );
 		    my $ruleschainref = $filter_table->{$ruleschain};
 		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
 			insert_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, -1, @state );
 		    }
 		}
 	    }
 	}
 	if ( $zoneref->{options}{out}{blacklist} ) {
 	    my $blackref = $filter_table->{blackout};
 	    insert_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , -1, @state;
 	    for my $zone1 ( @zones, @vservers ) {
 		my $ruleschain    = rules_chain( $zone1, $zone );
 		my $ruleschainref = $filter_table->{$ruleschain};
 		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
 		    insert_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, -1, @state );
 		}
 	    }
 	}
 	next if $simple;
 	#
 	# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
 	#
 	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
 	insert_ijump( $frwd_ref , j => $filter_table->{blacklst}, -1, @state ) if $zoneref->{options}{in}{blacklist};
 	add_ijump( $frwd_ref , j => 'MARK --set-mark ' . in_hex( $zoneref->{mark} ) . '/' . in_hex( $globals{ZONE_MASK} ) ) if $zoneref->{mark};
@@ -1776,7 +1723,6 @@ sub generate_matrix() {
 			my $interfacechainref = $filter_table->{input_chain $interface};
 			my @interfacematch;
 			my $use_input;
 			my $blacklist = $zoneref->{options}{in}{blacklist};
 			if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 			    $inputchainref = $interfacechainref;
@@ -2030,8 +1976,6 @@ sub generate_matrix() {
    add_interface_jumps @interfaces unless $interface_jumps_added;
    promote_blacklist_rules;
    my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
 		     nat=>     [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
 		     filter=>  [ qw/INPUT FORWARD OUTPUT/ ] );
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -308,8 +308,7 @@ sub setup_interface_proc( $ ) {
    }
    if ( @emitted ) {
-	emit( '',
+	emit( 'if [ $COMMAND = enable ]; then' );
 	      'if [ $COMMAND = enable ]; then' );
 	push_indent;
 	emit "$_" for @emitted;
 	pop_indent;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010.2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010.2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -21,7 +21,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MAS 02110-1301 USA.
 #
 #   This module deals with the /etc/shorewall/providers,
-#   /etc/shorewall/route_rules and /etc/shorewall/routes files.
+#   /etc/shorewall/rtrules and /etc/shorewall/routes files.
 #
 package Shorewall::Providers;
 require Exporter;
@@ -38,7 +38,9 @@ our @EXPORT = qw( process_providers
 		  setup_providers
 		  @routemarked_interfaces
 		  handle_stickiness
-		  handle_optional_interfaces );
+		  handle_optional_interfaces
 		  setup_load_distribution
 	       );
 our @EXPORT_OK = qw( initialize lookup_provider );
 our $VERSION = '4.4_24';
@@ -53,11 +55,14 @@ my  @routemarked_providers;
 my  %routemarked_interfaces;
 our @routemarked_interfaces;
 my  %provider_interfaces;
 my  @load_providers;
 my  @load_interfaces;
 my $balancing;
 my $fallback;
 my $first_default_route;
 my $first_fallback_route;
 my $maxload;
 my %providers;
@@ -86,10 +91,13 @@ sub initialize( $ ) {
    %routemarked_interfaces = ();
    @routemarked_interfaces = ();
    %provider_interfaces    = ();
    @load_providers         = ();
    @load_interfaces        = ();
    $balancing              = 0;
    $fallback               = 0;
    $first_default_route    = 1;
    $first_fallback_route   = 1;
    $maxload                = 0;
    %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
@@ -110,6 +118,8 @@ sub setup_route_marking() {
    add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
    my $chainref  = new_chain 'mangle', 'routemark';
    if ( @routemarked_providers ) {
 	my $chainref1 = new_chain 'mangle', 'setsticky';
 	my $chainref2 = new_chain 'mangle', 'setsticko';
@@ -137,6 +147,28 @@ sub setup_route_marking() {
 	}
 	add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
    }
    if ( @load_interfaces ) {
 	my $chainref1 = new_chain 'mangle', 'balance';
 	my @match;
 	add_ijump $chainref,               g => $chainref1, mark => "--mark 0/$mask";
 	add_ijump $mangle_table->{OUTPUT}, j => $chainref1, state_imatch( 'NEW,RELATED' ), mark => "--mark 0/$mask";
 	for my $physical ( @load_interfaces ) {
 	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
 	    dont_optimize $chainref2;
 	    dont_move     $chainref2;
 	    dont_delete   $chainref2;
  	    add_ijump ( $chainref1,
 			j => $chainref2 ,
 		        mark => "--mark 0/$mask" );
 	}
    }
 }
 sub copy_table( $$$ ) {
@@ -366,8 +398,8 @@ sub process_a_provider() {
 	$gateway = '';
    }
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) =
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local , $load ) =
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0 );
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0      , 0 );
    unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -408,6 +440,9 @@ sub process_a_provider() {
 		$local = 1;
 		$track = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0 if $config{USE_DEFAULT_RT};
 	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
 		$load = $1;
 		require_capability 'STATISTIC_MATCH', "load=$load", 's';
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
@@ -416,6 +451,12 @@ sub process_a_provider() {
    fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default;
    if ( $load ) {
 	fatal_error q(The 'balance=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $balance > 1;
 	fatal_error q(The 'fallback=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $default > 1;
 	$maxload += $load;
    }
    if ( $local ) {
 	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
 	fatal_error "'track' not valid with 'local'"          if $track;
@@ -488,6 +529,7 @@ sub process_a_provider() {
 			   duplicate   => $duplicate ,
 			   address     => $address ,
 			   local       => $local ,
 			   load        => $load ,
 			   rules       => [] ,
 			   routes      => [] ,
 			 };
@@ -506,6 +548,8 @@ sub process_a_provider() {
 	push @routemarked_providers, $providers{$table};
    }
    push @load_interfaces, $physical if $load;
    push @providers, $table;
    progress_message "   Provider \"$currentline\" $done";
@@ -537,6 +581,8 @@ sub add_a_provider( $$ ) {
    my $duplicate   = $providerref->{duplicate};
    my $address     = $providerref->{address};
    my $local       = $providerref->{local};
    my $load        = $providerref->{load};
    my $dev         = chain_base $physical;
    my $base        = uc $dev;
    my $realm = '';
@@ -564,6 +610,22 @@ sub add_a_provider( $$ ) {
 	}
    }
    emit( qq(echo $load > \${VARDIR}/${physical}_load) ) if $load;
    emit( '', 
 	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
    emit_unindented 'case \$COMMAND in';
    emit_unindented '    enable|disable)';
    emit_unindented '        ;;';
    emit_unindented '    *)';
    emit_unindented "        rm -f \${VARDIR}/${physical}_load" if $load;
    emit_unindented <<"CEOF", 1;
        rm -f \${VARDIR}/${physical}.status
        ;;
 esac
 EOF
 CEOF
    #
    # /proc for this interface
    #
@@ -599,8 +661,7 @@ sub add_a_provider( $$ ) {
 	    emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
 	    emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
 	} else {
-	    emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}";
+	    emit "qt \$IP -6 route add $gateway src $address dev $physical ${mtu}";
 	    emit "run_ip route add $gateway src $address dev $physical ${mtu}";
 	    emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $number $realm";
 	    emit "run_ip route add $gateway src $address dev $physical ${mtu}table $number $realm";
 	}
@@ -631,7 +692,10 @@ sub add_a_provider( $$ ) {
 	$fallback = 1;
    }
-    emit ( qq(\nqt \$IP rule add from all table ) . DEFAULT_TABLE . qq( prio 32767\n) ) if $family == F_IPV6;
+    emit( qq(\n) ,
 	  qq(if ! \$IP -6 rule ls | egrep -q "32767:[[:space:]]+from all lookup (default|253)"; then) ,
 	  qq(    qt \$IP -6 rule add from all table ) . DEFAULT_TABLE . qq( prio 32767\n) ,
 	  qq(fi) ) if $family == F_IPV6;
    unless ( $local ) {
 	emit '';
@@ -672,8 +736,11 @@ sub add_a_provider( $$ ) {
    my ( $tbl, $weight );
    emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
    if ( $optional ) {	
-	emit( 'if [ $COMMAND = enable ]; then' );
+	emit( '',
 	      'if [ $COMMAND = enable ]; then' );
 	push_indent;
@@ -701,6 +768,8 @@ sub add_a_provider( $$ ) {
 	    $weight = 1;
 	}
 	emit ( "distribute_load $maxload @load_interfaces" ) if $load;
 	unless ( $shared ) {
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
@@ -709,12 +778,13 @@ sub add_a_provider( $$ ) {
 	pop_indent;
-	emit( 'else' ,
+	emit( 'else' );
-	      qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
+	emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
 	      qq(    progress_message "   Provider $table ($number) Started"),
 	      qq(fi\n)
 	    );
    } else {
 	emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
 	emit( qq(progress_message "Provider $table ($number) Started") );
    }
@@ -724,6 +794,8 @@ sub add_a_provider( $$ ) {
    push_indent;
    emit( qq(echo 1 > \${VARDIR}/${physical}.status) );
    if ( $optional ) {
 	if ( $shared ) {
 	    emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" );	    
@@ -782,6 +854,9 @@ sub add_a_provider( $$ ) {
 	emit (". $undo",
 	      "> $undo" );
 	emit ( '',
 	       "distribute_load $maxload @load_interfaces" ) if $load;
 	unless ( $shared ) {
 	    emit( '', 
 		  "qt \$TC qdisc del dev $physical root",
@@ -804,7 +879,7 @@ sub add_a_provider( $$ ) {
 }
 sub add_an_rtrule( ) {
-    my ( $source, $dest, $provider, $priority, $originalmark ) = split_line 'route_rules file', { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 };
+    my ( $source, $dest, $provider, $priority, $originalmark ) = split_line 'rtrules file', { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 };
    our $current_if;
@@ -831,7 +906,7 @@ sub add_an_rtrule( ) {
    my $number = $providerref->{number};
    fatal_error "You may not add rules for the $provider provider" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE;
-    fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
+    fatal_error "You must specify either the source or destination in a rtrules entry" if $source eq '-' && $dest eq '-';
    if ( $dest eq '-' ) {
 	$dest = 'to ' . ALLIP;
@@ -842,6 +917,8 @@ sub add_an_rtrule( ) {
    if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
    } elsif ( $source =~ s/^&// ) {
 	$source = 'from ' . record_runtime_address $source;
    } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
@@ -992,7 +1069,6 @@ sub start_providers() {
 }
 sub finish_providers() {
    if ( $balancing ) {
    my $table = MAIN_TABLE;
    if ( $config{USE_DEFAULT_RT} ) {
@@ -1006,6 +1082,7 @@ sub finish_providers() {
 	$table = BALANCE_TABLE;
    }
    if ( $balancing ) {
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
 	if ( $family == F_IPV4 ) {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
@@ -1093,7 +1170,15 @@ sub process_providers( $ ) {
    }
    if ( $providers ) {
-	my $fn = open_file 'route_rules';
+	my $fn = open_file( 'route_rules' );
 	if ( $fn ){
 	    if ( -f ( my $fn1 = find_file 'rtrules' ) ) {
 		warning_message "Both $fn and $fn1 exists: $fn1 will be ignored";
 	    }
 	} else {
 	    $fn = open_file( 'rtrules' );
 	}
 	if ( $fn ) {
 	    first_entry "$doing $fn...";
@@ -1141,7 +1226,7 @@ EOF
 	    emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
 		   "        start_provider_$provider",
 		   '    else',
-		   '        startup_error "Interface $g_interface is already enabled"',
+		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
 		   '    fi',
 		   '    ;;'
 		 );
@@ -1173,11 +1258,11 @@ EOF
    for my $provider (@providers ) {
 	my $providerref = $providers{$provider};
-	emit( "$providerref->{physical})",
+	emit( "$providerref->{physical}|$provider)",
 	      "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
 	      "        stop_provider_$provider",
 	      '    else',
-	      '        startup_error "Interface $g_interface is already disabled"',
+	      "        startup_error \"Interface $providerref->{physical} is already disabled\"",
 	      '    fi',
 	      '    ;;'
 	    ) if $providerref->{optional};
@@ -1220,7 +1305,7 @@ sub setup_providers() {
 	pop_indent;
 	emit "fi\n";
-	setup_route_marking if @routemarked_interfaces;
+	setup_route_marking if @routemarked_interfaces || @load_interfaces;
    } else {
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";
@@ -1492,10 +1577,17 @@ sub handle_stickiness( $ ) {
 	}
    }
-    if ( @routemarked_providers ) {
+    if ( @routemarked_providers || @load_interfaces ) {
 	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
 	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
    }
 }
 sub setup_load_distribution() {
    emit ( '',
 	   "        distribute_load $maxload @load_interfaces" ,
 	   '' 
 	 ) if @load_interfaces;
 }
 1;
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -84,7 +84,7 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
 	    emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address/32 dev $physical";
 	} else {
 	    emit( 'if [ -z "$g_noroutes" ]; then',
-		  "    qt \$IP -6 route del $address/128 dev $physical".
+		  "    qt \$IP -6 route del $address/128 dev $physical",
 		  "    run_ip route add $address/128 dev $physical",
 		  'fi'
 		);
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -36,12 +36,14 @@ our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
 our $VERSION = 'MODULEVERSION';
 my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
 #
 # Notrack
 #
-sub process_notrack_rule( $$$$$$ ) {
+sub process_notrack_rule( $$$$$$$ ) {
-    my ($source, $dest, $proto, $ports, $sports, $user ) = @_;
+    my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
    $proto  = ''    if $proto  eq 'any';
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
@@ -55,27 +57,73 @@ sub process_notrack_rule( $$$$$$ ) {
    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
    require_capability 'RAW_TABLE', 'Notrack rules', '';
    my $target = $action;
    my $exception_rule = '';
    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
-    expand_rule
+    unless ( $action eq 'NOTRACK' ) {
-	$chainref ,
+	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;
 	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
 	require_capability 'CT_TARGET', 'CT entries in the notrack file', '';
 	if ( $option eq 'notrack' ) {
 	    fatal_error "Invalid notrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
 	} else {
 	    fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;
 	    if ( $option eq 'helper' ) {
 		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
 		validate_helper( $args, $proto );
 		$action = "CT --helper $args";
 		$exception_rule = do_proto( $proto, '-', '-' );
 	    } elsif ( $option eq 'ctevents' ) {
 		for ( split ',', $args ) {
 		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
 		}
 		$action = "CT --ctevents $args";
 	    } elsif ( $option eq 'expevent' ) {
 		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
 	    } elsif ( $option eq 'zone' ) {
 		fatal_error "Invalid zone id ($args)" unless $args =~ /^\d+$/;
 	    } else {
 		fatal_error "Invalid CT option ($option)";
 	    }
 	}
    }
    expand_rule( $chainref ,
 		 $restriction ,
-	$rule ,
+		 $rule,
 		 $source ,
 		 $dest ,
 		 '' ,
-	'NOTRACK' ,
+		 $action ,
 		 '' ,
-	'NOTRACK' ,
+		 $target ,
-	'' ;
+		 $exception_rule );
    progress_message "  Notrack rule \"$currentline\" $done";
    $globals{UNTRACKED} = 1;
 }
 sub process_format( $ ) {
    my $format = shift;
    fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;
    $format;
 }
 sub setup_notrack() {
    my $format = 1;
    my $action = 'NOTRACK';
    if ( my $fn = open_file 'notrack' ) {
 	first_entry "$doing $fn...";
@@ -83,14 +131,36 @@ sub setup_notrack() {
 	my $nonEmpty = 0;
 	while ( read_a_line ) {	    
 	    my ( $source, $dest, $proto, $ports, $sports, $user );
-	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+	    if ( $format == 1 ) {
 		( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
 		if ( $source eq 'FORMAT' ) {
 		    $format = process_format( $dest );
 		    next;
 		}
 		if ( $source eq 'COMMENT' ) {
 		    process_comment;
-	    } else {
+		    next;
 		process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
 		}	    
 	    } else {
 		( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
 		if ( $action eq 'FORMAT' ) {
 		    $format = process_format( $source );
 		    $action = 'NOTRACK';
 		    next;
 		}
 		if ( $action eq 'COMMENT' ) {
 		    process_comment;
 		    next;
 		}	    
 	    }
 	    process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user;
 	}
 	clear_comment;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -116,7 +116,6 @@ my %auditpolicies = ( ACCEPT => 1,
 		      DROP   => 1,
 		      REJECT => 1
 		    );
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -145,8 +144,7 @@ sub initialize( $ ) {
    #
    # These are set to 1 as sections are encountered.
    #
-    %sections = ( BLACKLIST   => 0,
+    %sections = ( ALL         => 0,
 		  ALL         => 0,
 		  ESTABLISHED => 0,
 		  RELATED     => 0,
 		  NEW         => 0
@@ -678,8 +676,6 @@ sub complete_standard_chain ( $$$$ ) {
    policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }
 sub require_audit($$;$);
 #
 # Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
 #
@@ -744,7 +740,7 @@ sub ensure_rules_chain( $ )
    my $chainref = $filter_table->{$chain};
-    $chainref = dont_move( new_chain( 'filter', $chain ) ) unless $chainref;
+    $chainref = new_chain( 'filter', $chain ) unless $chainref;
    unless ( $chainref->{referenced} ) {
 	if ( $section =~/^(NEW|DONE)$/ ) {
@@ -765,10 +761,32 @@ sub ensure_rules_chain( $ )
 sub finish_chain_section ($$) {
    my ($chainref, $state ) = @_;
    my $chain               = $chainref->{name};
    my $related_level       = $config{RELATED_LOG_LEVEL};
    my $related_target      = $globals{RELATED_TARGET};
    push_comment(''); #These rules should not have comments
    if ( $state =~ /RELATED/ && ( $related_level || $related_target ne 'ACCEPT' ) ) {
 	if ( $related_level ) {
 	    my $relatedref = new_chain( 'filter', "+$chainref->{name}" );
 	    log_rule( $related_level,
 		      $relatedref,
 		      $config{RELATED_DISPOSITION},
 		      '' );
 	    add_ijump( $relatedref, g => $related_target );
 	    $related_target = $relatedref->{name};
 	}
 	add_ijump $chainref, g => $related_target, state_imatch 'RELATED';
 	$state =~ s/,?RELATED//;
    }
    if ( $state ) {
 	add_ijump $chainref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT};
    }
    if ($sections{NEW} ) {
 	if ( $chainref->{is_policy} ) {
@@ -1409,7 +1427,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ );
 #
 # Populate an action invocation chain. As new action tuples are encountered,
-# the function will be called recursively by process_rules_common().
+# the function will be called recursively by process_rule1().
 #
 sub process_action( $) {
    my $chainref = shift;
@@ -1697,9 +1715,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	#
 	fatal_error "Macro invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;
-	if ( $param ne '' ) {
+	$current_param = $param unless $param eq '' || $param eq 'PARAM';
 	    $current_param = $param unless $param eq 'PARAM';
 	}
 	my $generated = process_macro( $basictarget,
 				       $chainref,
@@ -1741,7 +1757,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    #
    # We can now dispense with the postfix character
    #
-    fatal_error "The +, - and ! modifiers are not allowed in the bllist file or in the BLACKLIST section" if $action =~ s/[\+\-!]$// && $blacklist;
+    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[\+\-!]$// && $blacklist;
    #
    # Handle actions
    #
@@ -1807,7 +1823,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 			  CONTINUE => sub { $action = 'RETURN'; } ,
 			  WHITELIST => sub { 
-			      fatal_error "'WHITELIST' may only be used in the blrules file and in the 'BLACKLIST' section" unless $blacklist; 
+			      fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist; 
 			      $action = 'RETURN';
 			  } ,
@@ -2000,7 +2016,12 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    }
    unless ( $section eq 'NEW' || $inaction ) {
-	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
+	if ( $config{FASTACCEPT} ) {
 	    fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless 
 		$section eq 'BLACKLIST' ||
 		( $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) )
 	}
 	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
 	$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL' || $blacklist;
    }
@@ -2285,15 +2306,15 @@ sub process_section ($) {
    fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
    $sections{$sect} = 1;
-    if ( $sect eq 'ALL' ) {
+    if ( $sect eq 'BLACKLIST' ) {
-	$sections{BLACKLIST} = 1;
+	fatal_error "The BLACKLIST section has been eliminated. Please move your BLACKLIST rules to the 'blrules' file";
    } elsif ( $sect eq 'ESTABLISHED' ) {
-	$sections{'BLACKLIST','ALL'} = ( 1, 1);
+	$sections{ALL} = 1;
    } elsif ( $sect eq 'RELATED' ) {
-	@sections{'BLACKLIST','ALL','ESTABLISHED'} = ( 1, 1, 1);
+	@sections{'ALL','ESTABLISHED'} = ( 1, 1);
 	finish_section 'ESTABLISHED';
    } elsif ( $sect eq 'NEW' ) {
-	@sections{'BLACKLIST','ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1, 1 );
+	@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
 	finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
    }
@@ -2438,9 +2459,84 @@ sub process_rule ( ) {
 }
 #
-# Process the Rules File
+# Add jumps to the blacklst and blackout chains
 #
-sub process_rules() {
+sub classic_blacklist() {
    my $fw       = firewall_zone;
    my @zones    = off_firewall_zones;
    my @vservers = vserver_zones;
    my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
    my $result;
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
 	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
 	if ( $zoneref->{options}{in}{blacklist} ) {
 	    my $blackref = $filter_table->{blacklst};
 	    add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;
 	    if ( $simple ) {
 		#
 		# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
 		#
 		for my $zone1 ( @zones ) {
 		    my $ruleschain    = rules_chain( $zone, $zone1 );
 		    my $ruleschainref = $filter_table->{$ruleschain};
 		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
 			add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
 		    }
 		}
 	    }
 	    $result = 1;
 	}
 	if ( $zoneref->{options}{out}{blacklist} ) {
 	    my $blackref = $filter_table->{blackout};
 	    add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
 	    for my $zone1 ( @zones, @vservers ) {
 		my $ruleschain    = rules_chain( $zone1, $zone );
 		my $ruleschainref = $filter_table->{$ruleschain};
 		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
 		    add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
 		}
 	    }
 	    $result = 1;
 	}
 	unless ( $simple ) {
 	    #
 	    # Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
 	    #
 	    my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
 	    add_ijump( $frwd_ref , j => $filter_table->{blacklst}, @state ) if $zoneref->{options}{in}{blacklist};
 	}
    }
    $result;
 }
 #
 # Process the BLRules and Rules Files
 #
 sub process_rules( $ ) {
    my $convert = shift;
    my $blrules = 0;
    #
    # Generate jumps to the classic blacklist chains
    #
    $blrules = classic_blacklist unless $convert;
    #
    # Process the blrules file
    #
    $section = 'BLACKLIST';
    my $fn = open_file 'blrules';
    if ( $fn ) {
@@ -2449,22 +2545,28 @@ sub process_rules() {
 			 my  $audit       = $disposition =~ /^A_/;
 			 my  $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
-			 progress_message2 "$doing $fn...";
+			 progress_message2 "$doing $currentfilename...";
 			 if ( supplied $level ) {
 			     ensure_blacklog_chain( $target, $disposition, $level, $audit );
 			     ensure_audit_blacklog_chain( $target, $disposition, $level ) if have_capability 'AUDIT_TARGET';
 			 } elsif ( $audit ) {
 			     require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
 			     verify_audit( $disposition );
 			 } elsif ( have_capability 'AUDIT_TARGET' ) {
 			     verify_audit( 'A_' . $disposition );
 			 }
 		     } );
-	$section = 'BLACKLIST';
+			 $blrules = 1;
 		     }
 		   );
 	process_rule while read_a_line;
    }
    $section = '';
-    }
+
    add_interface_options( $blrules );
    $fn = open_file 'rules';
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -104,6 +104,9 @@ my  %flow_keys = ( 'src'            => 1,
 		   'sk-gid'         => 1,
 		   'vlan-tag'       => 1 );
 my %designator = ( F => 'tcfor' ,
 		   T => 'tcpost' );
 my  %tosoptions = ( 'tos-minimize-delay'       => '0x10/0x10' ,
 		    'tos-maximize-throughput'  => '0x08/0x08' ,
 		    'tos-maximize-reliability' => '0x04/0x04' ,
@@ -191,8 +194,15 @@ sub initialize( $ ) {
 }
 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = 
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability );
-	split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12 };
+    if ( $family == F_IPV4 ) {
 	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability ) =
 	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 };
 	$headers = '-';
    } else {
 	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability ) = 
 	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 };
    }
    our @tccmd;
@@ -207,38 +217,52 @@ sub process_tc_rule( ) {
    fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
    my $chain    = $globals{MARKING_CHAIN};
    my $classid  = 0;
    if ( $remainder ) { 
 	if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
 	    $mark = $originalmark; # Most likely, an IPv6 address is included in the parameter list
 	} else {
-	    fatal_error "Invalid MARK ($originalmark)";
+	    fatal_error "Invalid MARK ($originalmark)" 
 		unless ( $mark =~ /^([0-9a-fA-F]+)$/ &&
 			 $designator =~ /^([0-9a-fA-F]+)$/ && 
 			 ( $chain = $designator{$remainder} ) );
 	    $mark    = join( ':', $mark, $designator );
 	    $classid = 1;
 	}
    }
    my $chain  = $globals{MARKING_CHAIN};
    my $target = 'MARK --set-mark';
    my $tcsref;
    my $connmark = 0;
    my $classid  = 0;
    my $device   = '';
    my $fw       = firewall_zone;
    my $list;
    if ( $source ) {
 	if ( $source eq $fw ) {
-	    $chain = 'tcout';
+	    if ( $classid ) {
-	    $source = '';
+		fatal_error ":F is not allowed when the SOURCE is the firewall" if $chain eq 'tcfor';
 	    } else {
-	    $chain = 'tcout' if $source =~ s/^($fw)://;
+		$chain = 'tcout';
 	    }
 	    $source = '';
 	} elsif ( $source =~ s/^($fw):// ) {
 	    fatal_error ":F is not allowed when the SOURCE is the firewall" if ( $designator || '' ) eq 'F';
 	    $chain = 'tcout';
 	}
    }
    if ( $dest ) {
 	if ( $dest eq $fw ) {
 	    fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classid;
 	    $chain = 'tcin';
 	    $dest  = '';
-	} else {
+	} elsif ( $dest =~ s/^($fw):// ) {
-	    $chain = 'tcin' if $dest =~ s/^($fw)://;
+	    fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classid;
 	    $chain = 'tcin';
 	}
    }
@@ -259,11 +283,16 @@ sub process_tc_rule( ) {
 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
 	} else {
 	    unless ( $classid ) {
 		fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
 		fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $chain eq 'tcin';
 		$chain = 'tcpost';
 		$mark  = $originalmark;
 	    }
 	    if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
 		$originalmark = join( ':', normalize_hex( $mark ), normalize_hex( $designator ) );
-		fatal_error "Unknown Class ($originalmark)}" unless ( $device = $classids{$originalmark} );
+		fatal_error "Unknown Class ($mark)}" unless ( $device = $classids{$mark} );
 		fatal_error "IFB Classes may not be specified in tcrules" if @{$tcdevices{$device}{redirected}};
 		unless ( $tcclasses{$device}{hex_value $designator}{leaf} ) {
@@ -278,9 +307,7 @@ sub process_tc_rule( ) {
 		}
 	    }
 	    $chain   = 'tcpost';
 	    $classid = 1;
 	    $mark    = $originalmark;
 	    $target  = 'CLASSIFY --set-class';
 	}
    }
@@ -433,6 +460,10 @@ sub process_tc_rule( ) {
 			} else {
 			    $target .= " --hl-set $param";
 			}
 		    } elsif ( $target eq 'IMQ' ) {
 			assert( $cmd =~ /^IMQ\((\d+)\)$/ );
 			require_capability 'IMQ_TARGET', 'IMQ', 's';
 			$target .= " --todev $1";
 		    }
 		    if ( $rest ) {
@@ -478,7 +509,8 @@ sub process_tc_rule( ) {
 				     do_tos( $tos ) .
 				     do_connbytes( $connbytes ) .
 				     do_helper( $helper ) .
-				     do_headers( $headers ) ,
+				     do_headers( $headers ) .
 				     do_probability( $probability ) ,
 				     $source ,
 				     $dest ,
 				     '' ,
@@ -527,7 +559,7 @@ sub calculate_quantum( $$ ) {
 sub process_in_bandwidth( $ ) {
    my $in_rate     = shift;
-    return 0 if $in_rate eq '-';
+    return 0 if $in_rate eq '-' or $in_rate eq '0';
    my $in_burst    = '10kb';
    my $in_avrate   = 0;
@@ -1949,7 +1981,13 @@ sub setup_tc() {
 			  mark      => NOMARK,
 			  mask      => '',
 			  connmark  => 0
-			} 
+			},
 			{ match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
 			  target    => 'IMQ',
 			  mark      => NOMARK,
 			  mask      => '',
 			  connmark  => 0
 			},
 		      );
 	if ( my $fn = open_file 'tcrules' ) {
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -61,6 +61,7 @@ our @EXPORT = qw( NOTHING
 		  chain_base
 		  validate_interfaces_file
 		  all_interfaces
 		  all_real_interfaces
 		  all_bridges
 		  interface_number
 		  find_interface
@@ -610,11 +611,14 @@ sub zone_report()
 		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 		    for my $groupref ( @$arrayref ) {
 			my $hosts      = $groupref->{hosts};
 			if ( $hosts ) {
 			    my $grouplist  = join ',', ( @$hosts );
 			    my $exclusions = join ',', @{$groupref->{exclusions}};
 			    $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;
 			    if ( $family == F_IPV4 ) {
@@ -625,7 +629,6 @@ sub zone_report()
 			    $printed = 1;
 			}
 		    }
 		}
 	    }
 	}
@@ -661,6 +664,7 @@ sub dump_zone_contents() {
 		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
 		    for my $groupref ( @$arrayref ) {
 			my $hosts     = $groupref->{hosts};
@@ -1305,6 +1309,13 @@ sub all_interfaces() {
    @interfaces;
 }
 #
 # Return all non-vserver interfaces
 #
 sub all_real_interfaces() {
    grep $_ ne '%vserver%', @interfaces;
 }
 #
 # Return a list of bridges
 #
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -28,13 +28,13 @@
 #      $3 = Address family (4 o4 6)
 #
 if [ "$3" = 6 ]; then
-    . /usr/share/shorewall6/lib.base
+    g_program=shorewall6
    . /usr/share/shorewall6/lib.cli
 else
-    . /usr/share/shorewall/lib.base
+    g_program=shorewall
    . /usr/share/shorewall/lib.cli
 fi
 . /usr/share/shorewall/lib.cli
 CONFIG_PATH="$2"
 set -a
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -31,6 +31,31 @@ usage() {
    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
 }
 checkkernelversion() {
    local kernel
    if [ $g_family -eq 6 ]; then
 	kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
 	case "$kernel" in 
 	    *.*.*)
 		kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 		;;
 	    *)
 		kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
 		;;
 	esac
 	if [ $kernel -lt 20624 ]; then
 	    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
 	    return 1
 	fi
    fi
    return 0
 }
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
@@ -47,7 +72,7 @@ if [ $# -gt 1 ]; then
    fi
 fi
 #
-# Map VERBOSE to VERBOSITY for compatibility with old Shorewall-lite installations
+# Map VERBOSE to VERBOSITY for compatibility with old Shorewall[6]-lite installations
 #
 [ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
 #
@@ -175,11 +200,12 @@ COMMAND="$1"
 case "$COMMAND" in
    start)
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    error_message "$g_product is already Running"
 	    status=0
 	else
 	    progress_message3 "Starting $g_product...."
 	    if checkkernelversion; then
 		detect_configuration
 		define_firewall
 		status=$?
@@ -188,24 +214,27 @@ case "$COMMAND" in
 		    progress_message3 "done."
 		fi
 	    fi
 	fi
 	;;
    stop)
 	[ $# -ne 1 ] && usage 2
 	if checkkernelversion; then
 	    progress_message3 "Stopping $g_product...."
 	    detect_configuration
 	    stop_firewall
 	    status=0
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
 	fi
 	;;
    reset)
-	if ! shorewall_is_started ; then
+	if ! product_is_started ; then
 	    error_message "$g_product is not running"
 	    status=2
-	elif [ $# -eq 1 ]; then
+	elif checkkernelversion; then
-	    $IPTABLES -Z
+	    if [ $# -eq 1 ]; then
-	    $IPTABLES -t nat -Z
+		$IP6TABLES -Z
-	    $IPTABLES -t mangle -Z
+		$IP6TABLES -t mangle -Z
 		date > ${VARDIR}/restarted
 		status=0
 		progress_message3 "$g_product Counters Reset"
@@ -214,7 +243,7 @@ case "$COMMAND" in
 		status=0
 		for chain in $@; do
 		    if chain_exists $chain; then
-		    if qt $IPTABLES -Z $chain; then
+			if qt $IP6TABLES -Z $chain; then
 			    progress_message3 "Filter $chain Counters Reset"
 			else
 			    error_message "ERROR: Reset of chain $chain failed"
@@ -226,10 +255,11 @@ case "$COMMAND" in
 		    fi
 		done
 	    fi
 	fi
 	;;
    restart)
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    progress_message3 "Restarting $g_product...."
 	else
 	    error_message "$g_product is not running"
@@ -237,22 +267,27 @@ case "$COMMAND" in
 	    COMMAND=start
 	fi
 	if checkkernelversion; then
 	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
            fi
 	    [ $status -eq 0 ] && progress_message3 "done."
 	fi
 	;;
    refresh)
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    progress_message3 "Refreshing $g_product...."
 	    if checkkernelversion; then
 		detect_configuration
 		define_firewall
 		status=$?
 		[ $status -eq 0 ] && progress_message3 "done."
 	    fi
 	else
 	    echo "$g_product is not running" >&2
 	    status=2
@@ -260,20 +295,25 @@ case "$COMMAND" in
 	;;
    restore)
 	[ $# -ne 1 ] && usage 2
 	if checkkernelversion; then
 	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
            fi
 	    [ $status -eq 0 ] && progress_message3 "done."
 	fi
 	;;
    clear)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
 	if checkkernelversion; then
 	    clear_firewall
 	    status=0
-	if [ $status -eq 0 ]; then
+	    if [ -n "$SUBSYSLOCK" ]; then
-	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+		rm -f $SUBSYSLOCK
 	    fi
 	    progress_message3 "done."
 	fi
 	;;
@@ -281,7 +321,7 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
 	echo
-	if shorewall_is_started; then
+	if product_is_started; then
 	    echo "$g_product is running"
 	    status=0
 	else
@@ -292,7 +332,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|lClear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -306,14 +346,14 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	updown $@
+	updown $1
-	status=0;
+	status=0
 	;;
    enable)
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    detect_configuration
 	    enable_provider $1
 	fi
@@ -323,7 +363,7 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    detect_configuration
 	    disable_provider $1
 	fi
--- a/Shorewall/Perl/prog.footer6
+++ b/Shorewall/Perl/prog.footer6
@@ -1,381 +0,0 @@
 ###############################################################################
 # Code imported from /usr/share/shorewall/prog.footer6
 ###############################################################################
 #
 # Give Usage Information
 #
 usage() {
    echo "Usage: $0 [ options ] <command>"
    echo
    echo "<command> is one of:"
    echo "   start"
    echo "   stop"
    echo "   clear"
    echo "   disable <interface>"
    echo "   down <interface>"
    echo "   enable <interface>"
    echo "   reset"
    echo "   refresh"
    echo "   restart"
    echo "   status"
    echo "   up <interface>"
    echo "   version"
    echo
    echo "Options are:"
    echo
    echo "   -v and -q        Standard Shorewall verbosity controls"
    echo "   -n               Don't unpdate routing configuration"
    echo "   -p               Purge Conntrack Table"
    echo "   -t               Timestamp progress Messages"
    echo "   -V <verbosity>   Set verbosity explicitly"
    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
 }
 checkkernelversion() {
    local kernel
    kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
    case "$kernel" in 
 	*.*.*)
 	    kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 	    ;;
 	*)
 	    kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
 	    ;;
    esac
    if [ $kernel -lt 20624 ]; then
 	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
 	return 1
    else
 	return 0
    fi
 }
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
 #
 # Start trace if first arg is "debug" or "trace"
 #
 if [ $# -gt 1 ]; then
    if [ "x$1" = "xtrace" ]; then
 	set -x
 	shift
    elif [ "x$1" = "xdebug" ]; then
 	DEBUG=Yes
 	shift
    fi
 fi
 #
 # Map VERBOSE to VERBOSITY for compatibility with old Shorewall6-lite installations
 #
 [ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
 #
 # Map other old exported variables
 #
 g_purge=$PURGE
 g_noroutes=$NOROUTES
 g_timestamp=$TIMESTAMP
 g_recovering=$RECOVERING
 initialize
 if [ -n "$STARTUP_LOG" ]; then
    touch $STARTUP_LOG
    chmod 0600 $STARTUP_LOG
    if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
 	#
 	# We're being run by a startup script that isn't redirecting STDOUT
 	# Redirect it to the log
 	#
 	exec 2>>$STARTUP_LOG
    fi
 fi
 finished=0
 while [ $finished -eq 0 -a $# -gt 0 ]; do
    option=$1
    case $option in
 	-*)
 	    option=${option#-}
 	    [ -z "$option" ] && usage 1
 	    while [ -n "$option" ]; do
 		case $option in
 		    v*)
 			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
 			option=${option#v}
 			;;
 		    q*)
 			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
 			option=${option#q}
 			;;
 		    n*)
 			g_noroutes=Yes
 			option=${option#n}
 			;;
 		    t*)
 			g_timestamp=Yes
 			option=${option#t}
 			;;
 		    p*)
 			g_purge=Yes
 			option=${option#p}
 			;;
 		    r*)
 			g_recovering=Yes
 			option=${option#r}
 			;;
 		    V*)
 			option=${option#V}
 			if [ -z "$option" -a $# -gt 0 ]; then
 			    shift
 			    option=$1
 			fi
 			if [ -n "$option" ]; then
 			    case $option in
 				-1|0|1|2)
 				    VERBOSITY=$option
 				    option=
 				    ;;
 				*)
 				    startup_error "Invalid -V option value ($option)"
 				    ;;
 			    esac
 			else
 			    startup_error "Missing -V option value"
 			fi
 			;;
 		    R*)
 			option=${option#R}
 			if [ -z "$option" -a $# -gt 0 ]; then
 			    shift
 			    option=$1
 			fi
 			if [ -n "$option" ]; then
 			    case $option in
 				*/*)
 	    			    startup_error "-R must specify a simple file name: $option"
 				    ;;
 				.safe|.try|NONE)
 				    ;;
 				.*)
 				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
 				    exit 2
 				    ;;
 			    esac
 			else
 			    startup_error "Missing -R option value"
 			fi
 			RESTOREFILE=$option
 			option=
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
            ;;
    esac
 done
 COMMAND="$1"
 case "$COMMAND" in
    start)
 	[ $# -ne 1 ] && usage 2
 	if shorewall6_is_started; then
 	    error_message "$g_product is already Running"
 	    status=0
 	else
 	    progress_message3 "Starting $g_product...."
 	    if checkkernelversion; then
 		detect_configuration
 		define_firewall
 		status=$?
 		if [ $status -eq 0 ]; then
 		    [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
 		    progress_message3 "done."
 		fi
 	    fi
 	fi
 	;;
    stop)
 	[ $# -ne 1 ] && usage 2
 	if checkkernelversion; then
 	    progress_message3 "Stopping $g_product...."
 	    detect_configuration
 	    stop_firewall
 	    status=0
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
 	    progress_message3 "done."
 	fi
 	;;
    reset)
 	if ! shorewall6_is_started ; then
 	    error_message "$g_product is not running"
 	    status=2
 	elif checkkernelversion; then
 	    if [ $# -eq 1 ]; then
 		$IP6TABLES -Z
 		$IP6TABLES -t mangle -Z
 		date > ${VARDIR}/restarted
 		status=0
 		progress_message3 "$g_product Counters Reset"
 	    else
 		shift
 		status=0
 		for chain in $@; do
 		    if chain_exists $chain; then
 			if qt $IP6TABLES -Z $chain; then
 			    progress_message3 "Filter $chain Counters Reset"
 			else
 			    error_message "ERROR: Reset of chain $chain failed"
 			    status=2
 			    break
 			fi
 		    else
 			error_message "WARNING: Filter Chain $chain does not exist"
 		    fi
 		done
 	    fi
 	fi
 	;;
    restart)
 	[ $# -ne 1 ] && usage 2
 	if shorewall6_is_started; then
 	    progress_message3 "Restarting $g_product...."
 	else
 	    error_message "$g_product is not running"
 	    progress_message3 "Starting $g_product...."
 	    COMMAND=start
 	fi
 	if checkkernelversion; then
 	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
            fi
 	    [ $status -eq 0 ] && progress_message3 "done."
 	fi
 	;;
    refresh)
 	[ $# -ne 1 ] && usage 2
 	if shorewall6_is_started; then
 	    progress_message3 "Refreshing $g_product...."
 	    if checkkernelversion; then
 		detect_configuration
 		define_firewall
 		status=$?
 		[ $status -eq 0 ] && progress_message3 "done."
 	    fi
 	else
 	    echo "$g_product is not running" >&2
 	    status=2
 	fi
 	;;
    restore)
 	[ $# -ne 1 ] && usage 2
 	if checkkernelversion; then
 	    detect_configuration
 	    define_firewall
 	    status=$?
 	    if [ -n "$SUBSYSLOCK" ]; then
 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
            fi
 	    [ $status -eq 0 ] && progress_message3 "done."
 	fi
 	;;
    clear)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
 	if checkkernelversion; then
 	    clear_firewall
 	    status=0
 	    if [ -n "$SUBSYSLOCK" ]; then
 		rm -f $SUBSYSLOCK
 	    fi
 	    progress_message3 "done."
 	fi
 	;;
    status)
 	[ $# -ne 1 ] && usage 2
 	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
 	echo
 	if shorewall6_is_started; then
 	    echo "$g_product is running"
 	    status=0
 	else
 	    echo "$g_product is stopped"
 	    status=4
 	fi
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
 		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
 	else
 	    state=Unknown
 	fi
 	echo "State:$state"
 	echo
 	;;
    up|down)
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
 	updown $1
 	status=0
 	;;
    enable)
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
 	if shorewall6_is_started; then
 	    detect_configuration
 	    enable_provider $1
 	fi
 	status=0
 	;;
    disable)
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
 	if shorewall6_is_started; then
 	    detect_configuration
 	    disable_provider $1
 	fi
 	status=0
 	;;
    version)
 	[ $# -ne 1 ] && usage 2
 	echo $SHOREWALL_VERSION
 	status=0
 	;;
    help)
 	[ $# -ne 1 ] && usage 2
 	usage 0
 	;;
    *)
 	usage 2
 	;;
 esac
 exit $status
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -27,90 +27,6 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header
 ################################################################################
 #
 # Conditionally produce message
 #
 progress_message() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 1 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
    if [ $LOG_VERBOSITY -gt 1 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
 }
 progress_message2() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
    if [ $LOG_VERBOSITY -gt 0 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
 }
 progress_message3() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -ge 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
    if [ $LOG_VERBOSITY -ge 0 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
 }
 #
 # Set a standard chain's policy
 #
 setpolicy() # $1 = name of chain, $2 = policy
 {
    run_iptables -P $1 $2
 }
 #
 # Generate a list of all network interfaces on the system
 #
 find_all_interfaces() {
    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
 }
 #
 # Generate a list of all network interfaces on the system that have an ipv4 address
 #
 find_all_interfaces1() {
    ${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
 }
 #
 # Find the value 'dev' in the passed arguments then echo the next value
 #
 find_device() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xdev ] && echo $2 && return
 	shift
    done
 }
 #
 # Find the value 'weight' in the passed arguments then echo the next value
 #
@@ -122,40 +38,6 @@ find_weight() {
    done
 }
 #
 # Find the value 'via' in the passed arguments then echo the next value
 #
 find_gateway() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xvia ] && echo $2 && return
 	shift
    done
 }
 #
 # Find the value 'mtu' in the passed arguments then echo the next value
 #
 find_mtu() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xmtu ] && echo $2 && return
 	shift
    done
 }
 #
 # Find the value 'peer' in the passed arguments then echo the next value up to
 # "/"
 #
 find_peer() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xpeer ] && echo ${2%/*} && return
 	shift
    done
 }
 #
 # Find the interfaces that have a route to the passed address - the default
 # route is not used.
@@ -178,23 +60,6 @@ find_rt_interface() {
    done
 }
 #
 # Try to find the gateway through an interface looking for 'nexthop'
 find_nexthop() # $1 = interface
 {
    echo $(find_gateway `$IP -4 route list | grep "[[:space:]]nexthop.* $1"`)
 }
 #
 # Find the default route's interface
 #
 find_default_interface() {
    $IP -4 route list | while read first rest; do
 	[ "$first" = default ] && echo $(find_device $rest) && return
    done
 }
 #
 # Echo the name of the interface(s) that will be used to send to the
 # passed address
@@ -211,31 +76,6 @@ find_interface_by_address() {
    [ -n "$dev" ] && echo $dev
 }
 #
 # Determine if Interface is up
 #
 interface_is_up() {
    [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }
 #
 # Determine if interface is usable from a Netfilter prespective
 #
 interface_is_usable() # $1 = interface
 {
    [ "$1" = lo ] && return 0
    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1
 }
 #
 # Find interface addresses--returns the set of addresses assigned to the passed
 # device
 #
 find_interface_addresses() # $1 = interface
 {
    $IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
 }
 #
 #  echo the list of networks routed out of a given interface
 #
@@ -428,178 +268,6 @@ disable_ipv6() {
    fi
 }
 #
 # Clear the current traffic shaping configuration
 #
 delete_tc1()
 {
    clear_one_tc() {
        $TC qdisc del dev $1 root 2> /dev/null
        $TC qdisc del dev $1 ingress 2> /dev/null
    }
    run_tcclear_exit
    run_ip link list | \
    while read inx interface details; do
        case $inx in
            [0-9]*)
                clear_one_tc ${interface%:}
                ;;
            *)
                ;;
        esac
    done
 }
 #
 # Detect a device's MTU -- echos the passed device's MTU
 #
 get_device_mtu() # $1 = device
 {
    local output
    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
    if [ -n "$output" ]; then
 	echo $(find_mtu $output)
    else
 	echo 1500
    fi
 }
 #
 # Version of the above that doesn't generate any output for MTU 1500.
 # Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
 #
 get_device_mtu1() # $1 = device
 {
    local output
    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
    local mtu
    if [ -n "$output" ]; then
 	mtu=$(find_mtu $output)
 	if [ -n "$mtu" ]; then
 	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
 	fi
    fi
 }
 #
 # Undo changes to routing
 #
 undo_routing() {
    local undofiles
    local f
    if [ -z "$g_noroutes"  ]; then
 	#
 	# Restore rt_tables database
 	#
 	if [ -f ${VARDIR}/rt_tables ]; then
 	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
 	    rm -f ${VARDIR}/rt_tables
 	fi
 	#
 	# Restore the rest of the routing table
 	#
 	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
 	if [ -n "$undofiles" ]; then
 	    for f in $undofiles; do
 		. $f
 	    done
 	    rm -f $undofiles
            progress_message "Shorewall-generated routing tables and routing rules removed"
 	fi
    fi
 }
 #
 # Save the default route
 #
 save_default_route() {
    awk \
    'BEGIN        {defroute=0;};
     /^default /  {deroute=1; print; next};
     /nexthop/    {if (defroute == 1 ) {print ; next} };
                  { defroute=0; };'
 }
 #
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 replace_default_route() # $1 = USE_DEFAULT_RT
 {
    #
    # default_route and result are inherited from the caller
    #
    if [ -n "$default_route" ]; then
 	case "$default_route" in
 	    *metric*)
 	        #
 	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
 	        #
 		[ -n "$1" ] && qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		default_route=
 		;;
 	    *)
 		qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		result=0
 		default_route=
 		;;
 	esac
    fi
 }
 restore_default_route() # $1 = USE_DEFAULT_RT
 {
    local result
    result=1
    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
 	while read route ; do
 	    case $route in
 		default*)
 		    replace_default_route $1
 		    default_route="$default_route $route"
 		    ;;
 		*)
 		    default_route="$default_route $route"
 		    ;;
 	    esac
 	done < ${VARDIR}/default_route
 	replace_default_route $1
 	if [ $result = 1 ]; then
 	    #
 	    # We didn't restore a default route with metric 0
 	    #
 	    if $IP -4 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
 	       #
 	       # But we added a default route with metric 0
 	       #
 	       qt $IP -4 route del default metric 0 && progress_message "Default route with metric 0 deleted"
 	    fi
 	fi
 	rm -f ${VARDIR}/default_route
    fi
    return $result
 }
 #
 # Add an additional gateway to the default route
 #
@@ -675,20 +343,6 @@ find_mac() # $1 = IP address, $2 = interface
    fi
 }
 #
 # Flush the conntrack table if $g_purge is non-empty
 #
 conditionally_flush_conntrack() {
    if [ -n "$g_purge" ]; then
 	if [ -n $(mywhich conntrack) ]; then
            conntrack -F
 	else
            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 	fi
    fi
 }
 #
 # Clear Proxy Arp
 #
@@ -735,124 +389,6 @@ clear_firewall() {
    logger -p kern.info "$g_product Cleared"
 }
 #
 # Issue a message and stop/restore the firewall
 #
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    if [ $LOG_VERBOSITY -ge 0 ]; then
        timestamp="$(date +'%_b %d %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi
    stop_firewall
    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
    exit 2
 }
 #
 # Issue a message and stop
 #
 startup_error() # $* = Error Message
 {
    echo "   ERROR: $@: Firewall state not changed" >&2
    if [ $LOG_VERBOSITY -ge 0 ]; then
        timestamp="$(date +'%_b %d %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi
    case $COMMAND in
        start)
 	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
 	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
 	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
    esac
    if [ $LOG_VERBOSITY -ge 0 ]; then
        timestamp="$(date +'%_b %d %T') "
 	case $COMMAND in
 	    start)
 		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	    restart)
 		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	    restore)
 		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	esac
    fi
    kill $$
    exit 2
 }
 #
 # Run iptables and if an error occurs, stop/restore the firewall
 #
 run_iptables()
 {
    local status
    while [ 1 ]; do
 	$IPTABLES $@
 	status=$?
 	[ $status -ne 4 ] && break
    done
    if [ $status -ne 0 ]; then
        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
 	stop_firewall
        exit 2
    fi
 }
 #
 # Run iptables retrying exit status 4
 #
 do_iptables()
 {
    local status
    while [ 1 ]; do
 	$IPTABLES $@
 	status=$?
 	[ $status -ne 4 ] && return $status;
    done
 }
 #
 # Run iptables and if an error occurs, stop/restore the firewall
 #
 run_ip()
 {
    if ! $IP -4 $@; then
 	error_message "ERROR: Command \"$IP -4 $@\" Failed"
 	stop_firewall
 	exit 2
    fi
 }
 #
 # Run tc and if an error occurs, stop/restore the firewall
 #
 run_tc() {
    if ! $TC $@ ; then
 	error_message "ERROR: Command \"$TC $@\" Failed"
 	stop_firewall
 	exit 2
    fi
 }
 #
 # Get a list of all configured broadcast addresses on the system
 #
@@ -861,97 +397,6 @@ get_all_bcasts()
    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 #
 # Run the .iptables_restore_input as a set of discrete iptables commands
 #
 debug_restore_input() {
    local first second rest table chain
    #
    # Clear the ruleset
    #
    qt1 $IPTABLES -t mangle -F
    qt1 $IPTABLES -t mangle -X
    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
 	qt1 $IPTABLES -t mangle -P $chain ACCEPT
    done
    qt1 $IPTABLES -t raw     -F
    qt1 $IPTABLES -t raw     -X
    qt1 $IPTABLES -t rawpost -F
    qt1 $IPTABLES -t rawpost -X
    for chain in PREROUTING OUTPUT; do
 	qt1 $IPTABLES -t raw -P $chain ACCEPT
    done
    qt1 $iptables -T rawpost -P POSTROUTING ACCEPT
    run_iptables -t nat -F
    run_iptables -t nat -X
    for chain in PREROUTING POSTROUTING OUTPUT; do
 	qt1 $IPTABLES -t nat -P $chain ACCEPT
    done
    qt1 $IPTABLES -t filter -F
    qt1 $IPTABLES -t filter -X
    for chain in INPUT FORWARD OUTPUT; do
 	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
    done
    while read first second rest; do
 	case $first in
 	    -*)
 		#
 		# We can't call run_iptables() here because the rules may contain quoted strings
 		#
 		eval $IPTABLES -t $table $first $second $rest
 		if [ $? -ne 0 ]; then
 		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
 		    stop_firewall
 		    exit 2
 		fi
 		;;
 	    :*)
 		chain=${first#:}
 		if [ "x$second" = x- ]; then
 		    do_iptables -t $table -N $chain
 		else
 		    do_iptables -t $table -P $chain $second
 		fi
 		if [ $? -ne 0 ]; then
 		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
 		    stop_firewall
 		    exit 2
 		fi
 		;;
 	    #
 	    # This grotesque hack with the table names works around a bug/feature with ash
 	    #
 	    '*'raw)
 		table=raw
 		;;
 	    '*'rawpost)
 		table=rawpost
 		;;
 	    '*'mangle)
 		table=mangle
 		;;
 	    '*'nat)
 		table=nat
 		;;
 	    '*'filter)
 		table=filter
 		;;
 	esac
    done
 }
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -27,166 +27,6 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
 #
 # Conditionally produce message
 #
 progress_message() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 1 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
    if [ $LOG_VERBOSITY -gt 1 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
 }
 progress_message2() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
    if [ $LOG_VERBOSITY -gt 0 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
 }
 progress_message3() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -ge 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
    if [ $LOG_VERBOSITY -ge 0 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
 }
 #
 # Set a standard chain's policy
 #
 setpolicy() # $1 = name of chain, $2 = policy
 {
    run_iptables -P $1 $2
 }
 #
 # Generate a list of all network interfaces on the system
 #
 find_all_interfaces() {
    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
 }
 #
 # Generate a list of all network interfaces on the system that have an ipv6 address
 #
 find_all_interfaces1() {
    ${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
 }
 #
 # Find the value 'dev' in the passed arguments then echo the next value
 #
 find_device() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xdev ] && echo $2 && return
 	shift
    done
 }
 #
 # Find the value 'via' in the passed arguments then echo the next value
 #
 find_gateway() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xvia ] && echo $2 && return
 	shift
    done
 }
 #
 # Find the value 'mtu' in the passed arguments then echo the next value
 #
 find_mtu() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xmtu ] && echo $2 && return
 	shift
    done
 }
 #
 # Find the value 'peer' in the passed arguments then echo the next value up to
 # "/"
 #
 find_peer() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xpeer ] && echo ${2%/*} && return
 	shift
    done
 }
 #
 # Try to find the gateway through an interface looking for 'nexthop'
 find_nexthop() # $1 = interface
 {
    echo $(find_gateway `$IP -6 route list | grep "[[:space:]]nexthop.* $1"`)
 }
 #
 # Find the default route's interface
 #
 find_default_interface() {
    $IP -6 route list | while read first rest; do
 	[ "$first" = default ] && echo $(find_device $rest) && return
    done
 }
 #
 # Determine if Interface is up
 #
 interface_is_up() {
    [ -n "$($IP -6 link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }
 #
 # Determine if interface is usable from a Netfilter prespective
 #
 interface_is_usable() # $1 = interface
 {
    [ "$1" = lo ] && return 0
    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
 }
 #
 # Find interface addresses--returns the set of addresses assigned to the passed
 # device
 #
 find_interface_addresses() # $1 = interface
 {
    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
 }
 #
 # Get all interface addresses with VLSMs
 #
@@ -196,64 +36,6 @@ find_interface_full_addresses() # $1 = interface
    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
 }
 #
 # Add an additional gateway to the default route
 #
 add_gateway() # $1 = Delta $2 = Table Number
 {
    local route
    local weight
    local delta
    local dev
    run_ip route add default scope global table $2 $1
 }
 #
 # Remove a gateway from the default route
 #
 delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 {
    local route
    local gateway
    local dev
    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
    gateway=$1
    dev=$(find_device $route)
    [ "$dev" = "$3" ] && run_ip route delete default table $2
 }
 #
 #  echo the list of networks routed out of a given interface
 #
 get_routed_networks() # $1 = interface name, $2-n = Fatal error message
 {
    local address
    local rest
    $IP -6 route show dev $1 2> /dev/null |
 	while read address rest; do
 	    case "$address" in
 		default)
 		    if [ $# -gt 1 ]; then
 			shift
 			fatal_error "$@"
 		    else
 			echo "WARNING: default route ignored on interface $1" >&2
 		    fi
 		    ;;
 		multicast|broadcast|prohibit|nat|throw|nexthop)
 		    ;;
 		2*)
 		    [ "$address" = "${address%/*}" ] && address="${address}/128"
 		    echo $address
 		    ;;
 	    esac
        done
 }
 #
 # Normalize an IPv6 Address by compressing out consecutive zero elements
 #
@@ -438,172 +220,33 @@ detect_gateway() # $1 = interface
    [ -n "$gateway" ] && echo $gateway
 }
-delete_tc1()
+#
 # Add an additional gateway to the default route
 #
 add_gateway() # $1 = Delta $2 = Table Number
 {
    clear_one_tc() {
        $TC qdisc del dev $1 root 2> /dev/null
        $TC qdisc del dev $1 ingress 2> /dev/null
    }
    run_tcclear_exit
    run_ip link list | \
    while read inx interface details; do
        case $inx in
            [0-9]*)
                clear_one_tc ${interface%:}
                ;;
            *)
                ;;
        esac
    done
 }
 #
 # Detect a device's MTU -- echos the passed device's MTU
 #
 get_device_mtu() # $1 = device
 {
    local output
    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
    if [ -n "$output" ]; then
 	echo $(find_mtu $output)
    else
 	echo 1500
    fi
 }
 #
 # Version of the above that doesn't generate any output for MTU 1500.
 # Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
 #
 get_device_mtu1() # $1 = device
 {
    local output
    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
    local mtu
    if [ -n "$output" ]; then
 	mtu=$(find_mtu $output)
 	if [ -n "$mtu" ]; then
 	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
 	fi
    fi
 }
 #
 # Undo changes to routing
 #
 undo_routing() {
    local undofiles
    local f
    if [ -z "$g_noroutes"  ]; then
 	#
 	# Restore rt_tables database
 	#
 	if [ -f ${VARDIR}/rt_tables ]; then
 	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
 	    rm -f ${VARDIR}/rt_tables
 	fi
 	#
 	# Restore the rest of the routing table
 	#
 	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
 	if [ -n "$undofiles" ]; then
 	    for f in $undofiles; do
 		. $f
 	    done
 	    rm -f $undofiles
            progress_message "Shorewall6-generated routing tables and routing rules removed"
 	fi
    fi
 }
 #
 # Save the default route
 #
 save_default_route() {
    awk \
    'BEGIN        {defroute=0;};
     /^default /  {defroute=1; print; next};
     /nexthop/    {if (defroute == 1 ) {print ; next} };
                  { defroute=0; };'
 }
 #
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 replace_default_route() # $1 = USE_DEFAULT_RT
 {
    #
    # default_route and result are inherited from the caller
    #
    if [ -n "$default_route" ]; then
 	case "$default_route" in
 	    *metric*)
 	        #
 	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
 	        #
 		[ -n "$1" ] && qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		default_route=
 		;;
 	    *)
 		qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		result=0
 		default_route=
 		;;
 	esac
    fi
 }
 restore_default_route() # $1 = USE_DEFAULT_RT
 {
    local result
    result=1
    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
    local route
    local weight
    local delta
    local dev
-	while read route ; do
+    run_ip route add default scope global table $2 $1
-	    case $route in
+}
 		default*)
 		    replace_default_route $1
 		    default_route="$default_route $route"
 		    ;;
 		*)
 		    default_route="$default_route $route"
 		    ;;
 	    esac
 	done < ${VARDIR}/default_route
-	replace_default_route $1
+#
 # Remove a gateway from the default route
 #
 delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 {
    local route
    local gateway
    local dev
-	if [ $result = 1 ]; then
+    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
-	    #
+    gateway=$1
 	    # We didn't restore a default route with metric 0
 	    #
 	    if $IP -6 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
 	       #
 	       # But we added a default route with metric 0
 	       #
 	       qt $IP -6 route del default metric 0 && progress_message "Default route with metric 0 deleted"
 	    fi
 	fi
-	rm -f ${VARDIR}/default_route
+    dev=$(find_device $route)
-    fi
+    [ "$dev" = "$3" ] && run_ip route delete default table $2
    return $result
 }
 #
@@ -625,20 +268,6 @@ find_echo() {
    echo echo
 }
 #
 # Flush the conntrack table if $g_purge is non-empty
 #
 conditionally_flush_conntrack() {
    if [ -n "$g_purge" ]; then
 	if [ -n $(which conntrack) ]; then
            conntrack -F
 	else
            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 	fi
    fi
 }
 #
 # Clear Proxy NDP
 #
@@ -677,204 +306,6 @@ clear_firewall() {
    logger -p kern.info "$g_product Cleared"
 }
 #
 # Issue a message and stop/restore the firewall
 #
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    if [ $LOG_VERBOSITY -gt 1 ]; then
        timestamp="$(date +'%_b %d %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi
    stop_firewall
    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
    exit 2
 }
 #
 # Issue a message and stop
 #
 startup_error() # $* = Error Message
 {
    echo "   ERROR: $@: Firewall state not changed" >&2
    if [ $LOG_VERBOSITY -ge 0 ]; then
        timestamp="$(date +'%_b %d %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi
    case $COMMAND in
        start)
 	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
 	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
 	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
    esac
    if [ $LOG_VERBOSITY -gt 1 ]; then
        timestamp="$(date +'%_b %d %T') "
 	case $COMMAND in
 	    start)
 		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	    restart)
 		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	    restore)
 		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	esac
    fi
    kill $$
    exit 2
 }
 #
 # Run iptables and if an error occurs, stop/restore the firewall
 #
 run_iptables()
 {
    local status
    while [ 1 ]; do
 	$IP6TABLES $@
 	status=$?
 	[ $status -ne 4 ] && break
    done
    if [ $status -ne 0 ]; then
        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
 	stop_firewall
        exit 2
    fi
 }
 #
 # Run iptables retrying exit status 4
 #
 do_iptables()
 {
    local status
    while [ 1 ]; do
 	$IP6TABLES $@
 	status=$?
 	[ $status -ne 4 ] && return $status;
    done
 }
 #
 # Run iptables and if an error occurs, stop/restore the firewall
 #
 run_ip()
 {
    if ! $IP -6 $@; then
 	error_message "ERROR: Command \"$IP -6 $@\" Failed"
 	stop_firewall
 	exit 2
    fi
 }
 #
 # Run tc and if an error occurs, stop/restore the firewall
 #
 run_tc() {
    if ! $TC $@ ; then
 	error_message "ERROR: Command \"$TC $@\" Failed"
 	stop_firewall
 	exit 2
    fi
 }
 #
 # Run the .iptables_restore_input as a set of discrete iptables commands
 #
 debug_restore_input() {
    local first second rest table chain
    #
    # Clear the ruleset
    #
    qt1 $IP6TABLES -t mangle -F
    qt1 $IP6TABLES -t mangle -X
    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
 	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
    done
    qt1 $IP6TABLES -t raw    -F
    qt1 $IP6TABLES -t raw    -X
    for chain in PREROUTING OUTPUT; do
 	qt1 $IP6TABLES -t raw -P $chain ACCEPT
    done
    qt1 $IP6TABLES -t filter -F
    qt1 $IP6TABLES -t filter -X
    for chain in INPUT FORWARD OUTPUT; do
 	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
    done
    while read first second rest; do
 	case $first in
 	    -*)
 		#
 		# We can't call run_iptables() here because the rules may contain quoted strings
 		#
 		eval $IP6TABLES -t $table $first $second $rest
 		if [ $? -ne 0 ]; then
 		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
 		    stop_firewall
 		    exit 2
 		fi
 		;;
 	    :*)
 		chain=${first#:}
 		if [ "x$second" = x- ]; then
 		    do_iptables -t $table -N $chain
 		else
 		    do_iptables -t $table -P $chain $second
 		fi
 		if [ $? -ne 0 ]; then
 		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
 		    stop_firewall
 		    exit 2
 		fi
 		;;
 	    #
 	    # This grotesque hack with the table names works around a bug/feature with ash
 	    #
 	    '*'raw)
 		table=raw
 		;;
 	    '*'rawpost)
 		table=rawpost
 		;;
 	    '*'mangle)
 		table=mangle
 		;;
 	    '*'nat)
 		table=nat
 		;;
 	    '*'filter)
 		table=filter
 		;;
 	esac
    done
 }
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
--- a/Shorewall/Samples/LICENSE
+++ b/Shorewall/Samples/LICENSE
--- a/Shorewall/Samples/README.txt
+++ b/Shorewall/Samples/README.txt
--- a/Shorewall/Samples/Universal/interfaces
+++ b/Shorewall/Samples/Universal/interfaces
--- a/Shorewall/Samples/Universal/policy
+++ b/Shorewall/Samples/Universal/policy
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -39,6 +39,8 @@ LOGLIMIT=
 MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
@@ -186,6 +188,8 @@ TRACK_PROVIDERS=Yes
 USE_DEFAULT_RT=No
 USE_PHYSICAL_NAMES=No
 ZONE2ZONE=2
 ###############################################################################
@@ -196,6 +200,8 @@ BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 RELATED_DISPOSITION=ACCEPT
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
--- a/Shorewall/Samples/Universal/zones
+++ b/Shorewall/Samples/Universal/zones
--- a/Shorewall/Samples/one-interface/README.txt
+++ b/Shorewall/Samples/one-interface/README.txt
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
--- a/Shorewall/Samples/one-interface/policy
+++ b/Shorewall/Samples/one-interface/policy
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -50,6 +50,8 @@ LOGLIMIT=
 MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
@@ -197,6 +199,8 @@ TRACK_PROVIDERS=Yes
 USE_DEFAULT_RT=No
 USE_PHYSICAL_NAMES=No
 ZONE2ZONE=2
 ###############################################################################
@@ -207,6 +211,8 @@ BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 RELATED_DISPOSITION=ACCEPT
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
--- a/Shorewall/Samples/one-interface/zones
+++ b/Shorewall/Samples/one-interface/zones
--- a/Shorewall/Samples/three-interfaces/README.txt
+++ b/Shorewall/Samples/three-interfaces/README.txt
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
--- a/Shorewall/Samples/three-interfaces/policy
+++ b/Shorewall/Samples/three-interfaces/policy
--- a/Shorewall/Samples/three-interfaces/routestopped
+++ b/Shorewall/Samples/three-interfaces/routestopped
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -48,6 +48,8 @@ LOGLIMIT=
 MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
@@ -195,6 +197,8 @@ TRACK_PROVIDERS=Yes
 USE_DEFAULT_RT=No
 USE_PHYSICAL_NAMES=No
 ZONE2ZONE=2
 ###############################################################################
@@ -205,6 +209,8 @@ BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 RELATED_DISPOSITION=ACCEPT
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
--- a/Shorewall/Samples/three-interfaces/zones
+++ b/Shorewall/Samples/three-interfaces/zones
--- a/Shorewall/Samples/two-interfaces/README.txt
+++ b/Shorewall/Samples/two-interfaces/README.txt
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
--- a/Shorewall/Samples/two-interfaces/policy
+++ b/Shorewall/Samples/two-interfaces/policy
--- a/Shorewall/Samples/two-interfaces/routestopped
+++ b/Shorewall/Samples/two-interfaces/routestopped
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -51,6 +51,8 @@ LOGLIMIT=
 MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
@@ -198,6 +200,8 @@ TRACK_PROVIDERS=Yes
 USE_DEFAULT_RT=No
 USE_PHYSICAL_NAMES=No
 ZONE2ZONE=2
 ###############################################################################
@@ -208,6 +212,8 @@ BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 RELATED_DISPOSITION=ACCEPT
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
--- a/Shorewall/Samples/two-interfaces/zones
+++ b/Shorewall/Samples/two-interfaces/zones
--- a/Shorewall/configfiles/notrack
+++ b/Shorewall/configfiles/notrack
@@ -4,5 +4,6 @@
 # For information about entries in this file, type "man shorewall-notrack"
 #
 #####################################################################################
-#SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
+FORMAT 2
 #ACTION		SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
 #							PORT(S)		PORT(S)	GROUP
--- a/Shorewall/configfiles/route_rules
+++ b/Shorewall/configfiles/route_rules
@@ -1,7 +1,7 @@
 #
-# Shorewall version 4 - route_rules File
+# Shorewall version 4 - route rules File
 #
-# For information about entries in this file, type "man shorewall-route_rules"
+# For information about entries in this file, type "man shorewall-rtrules"
 #
 # For additional information, see http://www.shorewall.net/MultiISP.html
 ####################################################################################
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -9,7 +9,6 @@
 ######################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -39,6 +39,8 @@ LOGLIMIT=
 MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
@@ -186,6 +188,8 @@ TRACK_PROVIDERS=No
 USE_DEFAULT_RT=No
 USE_PHYSICAL_NAMES=No
 ZONE2ZONE=2
 ###############################################################################
@@ -196,6 +200,8 @@ BLACKLIST_DISPOSITION=DROP
 MACLIST_DISPOSITION=REJECT
 RELATED_DISPOSITION=ACCEPT
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
--- a/Shorewall/configfiles/tcrules
+++ b/Shorewall/configfiles/tcrules
@@ -9,6 +9,7 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-######################################################################################################################
+######################################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER
+#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY
 #						PORT(S)	PORT(S)
--- a/Shorewall/default.debian
+++ b/Shorewall/default.debian
@@ -16,11 +16,20 @@ startup=0
 #    wait_interface=
 #
-# Startup options
+# Global start/restart/stop options
 #
 OPTIONS=""
 #
 # Start options
 #
 STARTOPTIONS=""
 #
 # Restart options
 #
 RESTARTOPTIONS=""
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
@@ -30,7 +39,6 @@ INITLOG=/dev/null
 # Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
 # a safe state rather than to open it
 #
 SAFESTOP=0
 # EOF
--- a/Shorewall/helpers
+++ b/Shorewall/helpers
@@ -48,6 +48,7 @@ loadmodule nf_conntrack_netlink
 loadmodule nf_conntrack_pptp
 loadmodule nf_conntrack_proto_gre
 loadmodule nf_conntrack_proto_sctp
 loadmodule nf_conntrack_proto_udplite
 loadmodule nf_conntrack_sip         sip_direct_media=0
 loadmodule nf_conntrack_tftp
 loadmodule nf_conntrack_sane
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -86,7 +86,7 @@ wait_for_pppd () {
 shorewall_start () {
  echo -n "Starting \"Shorewall firewall\": "
  wait_for_pppd
-  $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
@@ -104,7 +104,7 @@ shorewall_stop () {
 # restart the firewall
 shorewall_restart () {
  echo -n "Restarting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }
--- a/Shorewall/init.sh
+++ b/Shorewall/init.sh
@@ -74,17 +74,17 @@ export SHOREWALL_INIT_SCRIPT=1
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
 command="$1"
 shift
 case "$command" in
-    start|restart|stop)
+    start)
-	exec /sbin/shorewall $OPTIONS $@
+	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS $@
 	;;
-    stop|restart|status)
+    restart|reload)
-	exec /sbin/shorewall $@
+	exec /sbin/shorewall $OPTIONS restart $RESTARTOPTIONS $@
 	;;
-    reload)
+    status|stop)
-	shift
+	exec /sbin/shorewall $OPTIONS $command $@
 	exec /sbin/shorewall $OPTIONS restart $@
 	;;
    *)
 	usage
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
--- a/Shorewall/lib.core
+++ b/Shorewall/lib.core
@@ -0,0 +1,618 @@
 #
 # Shorewall 4.5 -- /usr/share/shorewall/lib.core.
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
 #	as published by the Free Software Foundation.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # The purpose of this library is to hold those functions used by the generated
 # scripts (both IPv4 and IPv6 -- the functions that are specific to one or the other
 # are found in prog.header and prog.header6).
 #
 #########################################################################################
 #
 # Conditionally produce message
 #
 progress_message() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 1 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
    if [ $LOG_VERBOSITY -gt 1 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
 }
 progress_message2() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -gt 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
    if [ $LOG_VERBOSITY -gt 0 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
 }
 progress_message3() # $* = Message
 {
    local timestamp
    timestamp=
    if [ $VERBOSITY -ge 0 ]; then
 	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
    if [ $LOG_VERBOSITY -ge 0 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
 }
 #
 # Set a standard chain's policy
 #
 setpolicy() # $1 = name of chain, $2 = policy
 {
    run_iptables -P $1 $2
 }
 #
 # Generate a list of all network interfaces on the system
 #
 find_all_interfaces() {
    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
 }
 #
 # Generate a list of all network interfaces on the system that have an ipvX address
 #
 find_all_interfaces1() {
    ${IP:-ip} -$g_family addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
 }
 #
 # Find the value 'dev' in the passed arguments then echo the next value
 #
 find_device() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xdev ] && echo $2 && return
 	shift
    done
 }
 #
 # Find the value 'via' in the passed arguments then echo the next value
 #
 find_gateway() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xvia ] && echo $2 && return
 	shift
    done
 }
 #
 # Find the value 'mtu' in the passed arguments then echo the next value
 #
 find_mtu() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xmtu ] && echo $2 && return
 	shift
    done
 }
 #
 # Find the value 'peer' in the passed arguments then echo the next value up to
 # "/"
 #
 find_peer() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xpeer ] && echo ${2%/*} && return
 	shift
    done
 }
 #
 # Try to find the gateway through an interface looking for 'nexthop'
 find_nexthop() # $1 = interface
 {
    echo $(find_gateway `$IP -$g_family route list | grep "[[:space:]]nexthop.* $1"`)
 }
 #
 # Find the default route's interface
 #
 find_default_interface() {
    $IP -$g_family route list | while read first rest; do
 	[ "$first" = default ] && echo $(find_device $rest) && return
    done
 }
 #
 # Determine if Interface is up
 #
 interface_is_up() {
    [ -n "$($IP -$g_family link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }
 #
 # Determine if interface is usable from a Netfilter perspective
 #
 interface_is_usable() # $1 = interface
 {
    [ "$1" = lo ] && return 0
    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
 }
 #
 # Find interface addresses--returns the set of addresses assigned to the passed
 # device
 #
 find_interface_addresses() # $1 = interface
 {
    if [ $g_family -eq 4 ]; then
 	$IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
    else
 	$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
    fi
 }
 #
 #  echo the list of networks routed out of a given interface
 #
 get_routed_networks() # $1 = interface name, $2-n = Fatal error message
 {
    local address
    local rest
    local mask
    [ $g_family -eq 4 ] && mask=32 || mask=128
    $IP -$g_family route show dev $1 2> /dev/null |
 	while read address rest; do
 	    case "$address" in
 		default)
 		    if [ $# -gt 1 ]; then
 			shift
 			fatal_error "$@"
 		    else
 			echo "WARNING: default route ignored on interface $1" >&2
 		    fi
 		    ;;
 		multicast|broadcast|prohibit|nat|throw|nexthop)
 		    ;;
 		[2-3]*)
 		    [ "$address" = "${address%/*}" ] && address="${address}/${mask}"
 		    echo $address
 		    ;;
 		*)
 		    if [ $g_family -eq 4 ]; then
 			[ "$address" = "${address%/*}" ] && address="${address}/${mask}"
 			echo $address
 		    fi
 		    ;;
 	    esac
        done
 }
 #
 # Clear the current traffic shaping configuration
 #
 delete_tc1()
 {
    clear_one_tc() {
        $TC qdisc del dev $1 root 2> /dev/null
        $TC qdisc del dev $1 ingress 2> /dev/null
    }
    run_tcclear_exit
    run_ip link list | \
    while read inx interface details; do
        case $inx in
            [0-9]*)
                clear_one_tc ${interface%:}
                ;;
            *)
                ;;
        esac
    done
 }
 #
 # Detect a device's MTU -- echos the passed device's MTU
 #
 get_device_mtu() # $1 = device
 {
    local output
    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
    if [ -n "$output" ]; then
 	echo $(find_mtu $output)
    else
 	echo 1500
    fi
 }
 #
 # Version of the above that doesn't generate any output for MTU 1500.
 # Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
 #
 get_device_mtu1() # $1 = device
 {
    local output
    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
    local mtu
    if [ -n "$output" ]; then
 	mtu=$(find_mtu $output)
 	if [ -n "$mtu" ]; then
 	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
 	fi
    fi
 }
 #
 # Undo changes to routing
 #
 undo_routing() {
    local undofiles
    local f
    if [ -z "$g_noroutes"  ]; then
 	#
 	# Restore rt_tables database
 	#
 	if [ -f ${VARDIR}/rt_tables ]; then
 	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
 	    rm -f ${VARDIR}/rt_tables
 	fi
 	#
 	# Restore the rest of the routing table
 	#
 	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
 	if [ -n "$undofiles" ]; then
 	    for f in $undofiles; do
 		. $f
 	    done
 	    rm -f $undofiles
            progress_message "Shorewall-generated routing tables and routing rules removed"
 	fi
    fi
 }
 #
 # Save the default route
 #
 save_default_route() {
    awk \
    'BEGIN        {defroute=0;};
     /^default /  {defroute=1; print; next};
     /nexthop/    {if (defroute == 1 ) {print ; next} };
                  { defroute=0; };'
 }
 #
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 replace_default_route() # $1 = USE_DEFAULT_RT
 {
    #
    # default_route and result are inherited from the caller
    #
    if [ -n "$default_route" ]; then
 	case "$default_route" in
 	    *metric*)
 	        #
 	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
 	        #
 		[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		default_route=
 		;;
 	    *)
 		qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
 		result=0
 		default_route=
 		;;
 	esac
    fi
 }
 restore_default_route() # $1 = USE_DEFAULT_RT
 {
    local result
    result=1
    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
 	while read route ; do
 	    case $route in
 		default*)
 		    replace_default_route $1
 		    default_route="$default_route $route"
 		    ;;
 		*)
 		    default_route="$default_route $route"
 		    ;;
 	    esac
 	done < ${VARDIR}/default_route
 	replace_default_route $1
 	if [ $result = 1 ]; then
 	    #
 	    # We didn't restore a default route with metric 0
 	    #
 	    if $IP -$g_family -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
 	       #
 	       # But we added a default route with metric 0
 	       #
 	       qt $IP -$g_family route del default metric 0 && progress_message "Default route with metric 0 deleted"
 	    fi
 	fi
 	rm -f ${VARDIR}/default_route
    fi
    return $result
 }
 #
 # Flush the conntrack table if $g_purge is non-empty
 #
 conditionally_flush_conntrack() {
    if [ -n "$g_purge" ]; then
 	if [ -n $(mywhich conntrack) ]; then
            conntrack -F
 	else
            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
 	fi
    fi
 }
 #
 # Issue a message and stop/restore the firewall.
 #
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    if [ $LOG_VERBOSITY -ge 0 ]; then
        timestamp="$(date +'%_b %d %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi
    stop_firewall
    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
    exit 2
 }
 #
 # Run iptables/ip6tables and if an error occurs, stop/restore the firewall
 #
 run_iptables()
 {
    local status
    while [ 1 ]; do
 	$g_tool $@
 	status=$?
 	[ $status -ne 4 ] && break
    done
    if [ $status -ne 0 ]; then
        error_message "ERROR: Command \"$g_tool $@\" Failed"
 	stop_firewall
        exit 2
    fi
 }
 #
 # Run iptables/ip6tables retrying exit status 4
 #
 do_iptables()
 {
    local status
    while [ 1 ]; do
 	$g_tool $@
 	status=$?
 	[ $status -ne 4 ] && return $status;
    done
 }
 #
 # Run ip and if an error occurs, stop/restore the firewall
 #
 run_ip()
 {
    if ! $IP -$g_family $@; then
 	error_message "ERROR: Command \"$IP -$g_family $@\" Failed"
 	stop_firewall
 	exit 2
    fi
 }
 #
 # Run tc and if an error occurs, stop/restore the firewall
 #
 run_tc() {
    if ! $TC $@ ; then
 	error_message "ERROR: Command \"$TC $@\" Failed"
 	stop_firewall
 	exit 2
    fi
 }
 #
 # Run the .iptables_restore_input as a set of discrete iptables commands
 #
 debug_restore_input() {
    local first second rest table chain
    #
    # Clear the ruleset
    #
    qt1 $g_tool -t mangle -F
    qt1 $g_tool -t mangle -X
    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
 	qt1 $g_tool -t mangle -P $chain ACCEPT
    done
    qt1 $g_tool -t raw    -F
    qt1 $g_tool -t raw    -X
    for chain in PREROUTING OUTPUT; do
 	qt1 $g_tool -t raw -P $chain ACCEPT
    done
    qt1 $g_tool -t filter -F
    qt1 $g_tool -t filter -X
    for chain in INPUT FORWARD OUTPUT; do
 	qt1 $g_tool -t filter -P $chain -P ACCEPT
    done
    while read first second rest; do
 	case $first in
 	    -*)
 		#
 		# We can't call run_iptables() here because the rules may contain quoted strings
 		#
 		eval $g_tool -t $table $first $second $rest
 		if [ $? -ne 0 ]; then
 		    error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
 		    stop_firewall
 		    exit 2
 		fi
 		;;
 	    :*)
 		chain=${first#:}
 		if [ "x$second" = x- ]; then
 		    do_iptables -t $table -N $chain
 		else
 		    do_iptables -t $table -P $chain $second
 		fi
 		if [ $? -ne 0 ]; then
 		    error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
 		    stop_firewall
 		    exit 2
 		fi
 		;;
 	    #
 	    # This grotesque hack with the table names works around a bug/feature with ash
 	    #
 	    '*'raw)
 		table=raw
 		;;
 	    '*'rawpost)
 		table=rawpost
 		;;
 	    '*'mangle)
 		table=mangle
 		;;
 	    '*'nat)
 		table=nat
 		;;
 	    '*'filter)
 		table=filter
 		;;
 	esac
    done
 }
 interface_up() {
    return $(cat ${VARDIR}/$1.status)
 }
 distribute_load() {
    local interface
    local totalload
    local load
    local maxload
    maxload=$1
    shift
    totalload=0
    for interface in $@; do
 	if interface_up $interface; then
 	    load=$(cat ${VARDIR}/${interface}_load)
 	    eval ${interface}_load=$load
 	    totalload=$( bc <<EOF
 scale=8
 $totalload + $load
 EOF
 )
 	fi
    done
    if [ $totalload ]; then
 	for interface in $@; do
 	    qt $g_tool -t mangle -F ~$interface
 	    eval load=\$${interface}_load
 	    if [ -n "$load" ]; then
 		load=$(bc <<EOF
 scale=8
 ( $load / $totalload ) * $maxload
 EOF
 )
 		totalload=$(bc <<EOF
 scale=8
 $totalload - $load
 EOF
 )
 		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load
 	    fi
 	done
    fi
 }
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -702,7 +702,7 @@
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -51,7 +51,7 @@
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-blacklist.xml
+++ b/Shorewall/manpages/shorewall-blacklist.xml
@@ -189,7 +189,7 @@
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -292,7 +292,7 @@
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
    shoewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-ecn.xml
+++ b/Shorewall/manpages/shorewall-ecn.xml
@@ -67,7 +67,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-exclusion.xml
+++ b/Shorewall/manpages/shorewall-exclusion.xml
@@ -180,7 +180,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-hosts.xml
+++ b/Shorewall/manpages/shorewall-hosts.xml
@@ -148,12 +148,6 @@
              <term><emphasis role="bold">blacklist</emphasis></term>
              <listitem>
                <para>This option is deprecated in Shorewall 4.4.25 in favor
                of entries in <ulink
                url="shorewall-blrules.html">shorewall-blrules</ulink> (5) or
                in the BLACKLIST section of <ulink
                url="shorewall-rules.html">shorewall-rules </ulink>(5).</para>
                <para>Check packets arriving on this port against the <ulink
                url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
                file.</para>
@@ -275,7 +269,7 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-init.xml
+++ b/Shorewall/manpages/shorewall-init.xml
@@ -166,7 +166,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -228,11 +228,7 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">blacklist</emphasis></term>
              <listitem>
-                <para>Deprecated in Shorewall 4.4.25 and later in favor of
+                <para>Checks packets arriving on this interface against the
                rules in the BLACKLIST section of <ulink
                url="shorewall-rules.html">shorewall-rules</ulink> (5) or in
                <ulink url="shorewall-blrules.html">shorewall-blrules</ulink>
                (5). Checks packets arriving on this interface against the
                <ulink
                url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
                file.</para>
@@ -379,11 +375,8 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">maclist</emphasis></term>
              <listitem>
-                <para>Deprecated in Shorewall 4.4.25 and later in favor of
+                <para>Connection requests from this interface are compared
-                rules in the BLACKLIST section of <ulink
+                against the contents of <ulink
                url="shorewall-blacklist.html">shorewall-rules</ulink> (5).
                Connection requests from this interface are compared against
                the contents of <ulink
                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
                this option is specified, the interface must be an ethernet
                NIC and must be up before Shorewall is started.</para>
@@ -432,9 +425,8 @@ loc     eth2            -</programlisting>
              <term>nosmurfs</term>
              <listitem>
-                <para>Deprecated in Shorewall 4.4.25 and later in favor of the
+                <para>Filter packets for smurfs (packets with a broadcast
-                DropSmurfs standard action. Filter packets for smurfs (packets
+                address as the source).</para>
                with a broadcast address as the source).</para>
                <para>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <ulink
@@ -651,13 +643,11 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">tcpflags</emphasis></term>
              <listitem>
-                <para>Deprecated in Shorewall 4.4.25 and later in favor of the
+                <para>Packets arriving on this interface are checked for
-                TCPFlags standard action. Packets arriving on this interface
+                certain illegal combinations of TCP flags. Packets found to
-                are checked for certain illegal combinations of TCP flags.
+                have such a combination of flags are handled according to the
-                Packets found to have such a combination of flags are handled
+                setting of TCP_FLAGS_DISPOSITION after having been logged
-                according to the setting of TCP_FLAGS_DISPOSITION after having
+                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
                been logged according to the setting of
                TCP_FLAGS_LOG_LEVEL.</para>
              </listitem>
            </varlistentry>
@@ -782,7 +772,7 @@ net     ppp0      -</programlisting>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-ipsets.xml
+++ b/Shorewall/manpages/shorewall-ipsets.xml
@@ -120,7 +120,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-maclist.xml
+++ b/Shorewall/manpages/shorewall-maclist.xml
@@ -110,7 +110,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -35,7 +35,7 @@
      <para>If you have more than one ISP link, adding entries to this file
      will <emphasis role="bold">not</emphasis> force connections to go out
      through a particular link. You must use entries in <ulink
-      url="shorewall-route_rules.html">shorewall-route_rules</ulink>(5) or
+      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
      PREROUTING entries in <ulink
      url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) to do
      that.</para>
@@ -568,7 +568,7 @@
    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-modules.xml
+++ b/Shorewall/manpages/shorewall-modules.xml
@@ -89,7 +89,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-nat.xml
+++ b/Shorewall/manpages/shorewall-nat.xml
@@ -147,7 +147,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-nesting.xml
+++ b/Shorewall/manpages/shorewall-nesting.xml
@@ -207,7 +207,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-netmap.xml
+++ b/Shorewall/manpages/shorewall-netmap.xml
@@ -198,7 +198,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-notrack.xml
+++ b/Shorewall/manpages/shorewall-notrack.xml
@@ -23,15 +23,101 @@
  <refsect1>
    <title>Description</title>
-    <para>The notrack file is used to exempt certain traffic from Netfilter
+    <para>The original intent of the notrack file was to exempt certain
-    connection tracking. Traffic matching entries in this file will not be
+    traffic from Netfilter connection tracking. Traffic matching entries in
-    tracked.</para>
+    this file were not to be tracked.</para>
    <para>The role of the file was expanded in Shorewall 4.4.27 to include all
    rules tht can be added in the Netfilter <emphasis
    role="bold">raw</emphasis> table.</para>
    <para>The file supports two different column layouts: FORMAT 1 and FORMAT
    2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an
    additional leading ACTION column. When an entry in the file of this form
    is encountered, the format of the following entries are assumed to be of
    the specified <replaceable>format</replaceable>.</para>
    <simplelist>
      <member><emphasis role="bold">FORMAT</emphasis>
      <replaceable>format</replaceable></member>
    </simplelist>
    <para>where <replaceable>format</replaceable> is either <emphasis
    role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>
    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
    the alternate specification syntax).</para>
    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">ACTION</emphasis> - {<emphasis
        role="bold">NOTRACK</emphasis>|<emphasis
        role="bold">CT</emphasis>:<replaceable>option</replaceable>[:<replaceable>arg,...</replaceable>]}</term>
        <listitem>
          <para>This column is only present when FORMAT = 2. Values other than
          NOTRACK require <firstterm>CT Target </firstterm>support in your
          iptables and kernel.</para>
          <para>Possible values for <replaceable>option</replaceable> and
          <replaceable>arg</replaceable>s are:</para>
          <itemizedlist>
            <listitem>
              <para><option>notrack</option> (no
              <replaceable>arg</replaceable>)</para>
              <para>Disables connection tracking for this packet, the same as
              if NOTRACK has been specified in this column.</para>
            </listitem>
            <listitem>
              <para><option>helper</option>:<replaceable>name</replaceable></para>
              <para>Use the helper identified by the name to this connection.
              This is more flexible than loading the conntrack helper with
              preset ports.</para>
            </listitem>
            <listitem>
              <para><option>ctevents</option>:<replaceable>event</replaceable>,...</para>
              <para>Only generate the specified conntrack events for this
              connection. Possible event types are: <emphasis
              role="bold">new</emphasis>, <emphasis
              role="bold">related</emphasis>, <emphasis
              role="bold">destroy</emphasis>, <emphasis
              role="bold">reply</emphasis>, <emphasis
              role="bold">assured</emphasis>, <emphasis
              role="bold">protoinfo</emphasis>, <emphasis
              role="bold">helper</emphasis>, <emphasis
              role="bold">mark</emphasis> (this is connection mark, not packet
              mark), <emphasis role="bold">natseqinfo</emphasis>, and
              <emphasis role="bold">secmark</emphasis>.</para>
            </listitem>
            <listitem>
              <para><option>expevents</option><option>:new</option></para>
              <para>Only generate a new expectation events for this
              connection.</para>
            </listitem>
            <listitem>
              <para><option>zone</option>:<replaceable>id</replaceable></para>
              <para>Assign this packet to zone <replaceable>id</replaceable>
              and only have lookups done in that zone. By default, packets
              have zone 0.</para>
            </listitem>
          </itemizedlist>
          <para>When FORMAT = 1, this column is not present and the rule is
          processed as if NOTRACK had been entered in this column.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>SOURCE ‒
        {<emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]|COMMENT}</term>
@@ -155,7 +241,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-params.xml
+++ b/Shorewall/manpages/shorewall-params.xml
@@ -131,7 +131,7 @@ net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -322,7 +322,7 @@
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -349,7 +349,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-policy(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-proxyarp.xml
+++ b/Shorewall/manpages/shorewall-proxyarp.xml
@@ -141,7 +141,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
-    shorewall-policy(5), shorewall-providers(5), shorewall-route_rules(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-routes.xml
+++ b/Shorewall/manpages/shorewall-routes.xml
@@ -86,7 +86,7 @@
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-routestopped.xml
+++ b/Shorewall/manpages/shorewall-routestopped.xml
@@ -209,7 +209,7 @@
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-rtrules(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
--- a/Show More
+++ b/Show More